From 14da7fe848b76a81fa18cc4108c3fd96fe1720e1 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Thu, 3 Nov 2022 16:41:27 -0700 Subject: [PATCH 1/4] Update disable-windows-defender-application-control-policies.md --- ...s-defender-application-control-policies.md | 168 +++++++++++++----- 1 file changed, 124 insertions(+), 44 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 157e08e8e7..28622125de 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -1,5 +1,5 @@ --- -title: Disable Windows Defender Application Control policies (Windows) +title: Remove Windows Defender Application Control policies (Windows) description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -11,86 +11,166 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 05/03/2018 +ms.date: 11/03/2022 ms.technology: itpro-security --- -# Disable Windows Defender Application Control policies +# Remove Windows Defender Application Control (WDAC) policies **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This topic covers how to disable unsigned or signed WDAC policies. +## Removing WDAC policies -## Disable unsigned Windows Defender Application Control policies +There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you've deployed. This article describes the various ways to remove WDAC policies. -There may come a time when an administrator wants to disable a Windows Defender Application Control policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart: +> [!IMPORTANT] +> **Signed WDAC policy** +> +> If the policy you are trying to remove is a signed WDAC policy, you must first deploy a signed replacement policy that includes option **6 Enabled:Unsigned System Integrity Policy**. +> +> The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include \. 
+> +> To take effect, this policy must be signed with a certificate included in the \ section of the original policy you want to replace. +> +> You must then restart the computer so that the UEFI protection of the policy is deactivated. ***Failing to do so will result in a boot start failure.*** -- <EFI System Partition>\\Microsoft\\Boot\\ -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ +Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer. ->[!NOTE] -> As of the Windows 10 May 2019 Update (1903), Windows Defender Application Control allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory. +To make a policy effectively inactive before removing it, you can first replace the policy with a new one that includes the following changes: -## Disable signed Windows Defender Application Control policies within Windows +1. Replace the policy rules with "Allow *" rules; +2. Set option **3 Enabled:Audit Mode** to change the policy to audit mode only; +3. Set option **11 Disabled:Script Enforcement**; +4. Allow all COM objects. See [Allow COM object registration in a WDAC policy](/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy#examples); +5. If applicable, remove option **0 Enabled:UMCI** to convert the policy to kernel mode only. -Signed policies protect Windows from administrative manipulation and malware that has gained administrative-level access to the system. 
For this reason, signed Windows Defender Application Control policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps. +> [!IMPORTANT] +> After a policy has been removed, you must restart the computer for it to take effect. You can't remove WDAC policies rebootlessly. + +### Remove WDAC policies using CiTool.exe + +Beginning with the Windows 11 2022 Update, you can remove WDAC policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove: + +```powershell + CiTool.exe -rp "{PolicyId GUID}" -json +``` + +Then restart the computer. + +### Remove WDAC policies using MDM solutions like Intune + +You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove WDAC policies from client machines using the [ApplicationControl CSP](/windows/client-management/mdm/applicationcontrol-csp). + + +Consult your MDM solution provider for specific information on using the ApplicationControl CSP. -1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. +Then restart the computer. - > [!NOTE] - > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. +### Remove WDAC policies using script -2. Restart the client computer. +To remove WDAC policies using script, your script must delete the policy file(s) from the computer. For **multiple policy format (1903+) WDAC policies**, look for the policy files in the following locations. 
Be sure to replace the *PolicyId GUID* with the actual PolicyId of the WDAC policy you want to remove. -3. Verify that the new signed policy exists on the client. +- <EFI System Partition>\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip - > [!NOTE] - > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. +For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SIPolicy.p7b that may be found in the following locations: -4. Delete the new policy. +- <EFI System Partition>\\Microsoft\\Boot\\SIPolicy.p7b +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\SIPolicy.p7b -5. Restart the client computer. +Then restart the computer. -If the signed Windows Defender Application Control policy has been deployed by using Group Policy, you must complete the following steps: +#### Sample script -1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled. +
+ Expand this section to see a sample script to delete a single WDAC policy - > [!NOTE] - > To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace. +```powershell + # Set PolicyId GUID to the PolicyId from your WDAC policy XML + $PolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" -2. Restart the client computer. + # Initialize variables + $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" + $SinglePolicyFormatFileName = "\SiPolicy.p7b" + $MountPoint = $env:SystemDrive+"\EFIMount" + $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity" + $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot" + $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip" -3. Verify that the new signed policy exists on the client. + # Mount the EFI partition + $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] + if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } + mountvol $MountPoint $EFIPartition - > [!NOTE] - > If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures. + # Check if the PolicyId to be removed is the system reserved GUID for single policy format. 
+ # If so, the policy may exist as both sipolicy.p7b in the policy path root as well as + # {GUID}.cip in the CiPolicies\Active subdirectory + if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} + + $Count = 1 + while ($Count -le $NumFilesToDelete) + { + + # Set the $PolicyPath to the file to be deleted, if exists + Switch ($Count) + { + 1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath} + 3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName} + 4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName} + } -4. Set the GPO to disabled. + # Delete the policy file from the current $PolicyPath + Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan + if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue} -5. Delete the new policy. + $Count = $Count + 1 + } -6. Restart the client computer. + # Dismount the EFI partition + mountvol.exe $MountPoint /D +``` -## Disable signed Windows Defender Application Control policies within the BIOS +
-There may be a time when signed Windows Defender Application Control policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it's important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows: +## Remove WDAC policies causing boot stop failures -- <EFI System Partition>\\Microsoft\\Boot\\ -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\ +A WDAC policy that blocks boot critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option **10 Enabled:Boot Audit On Failure** in your policies. Additionally, signed WDAC policies protect the policy from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies even for administrators. Tampering with or removing a signed WDAC policy will cause a BSOD to occur. + +To remove a policy that is causing boot stop failures: + +1. If the policy is a **signed** WDAC policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode?view=windows-11). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM). +2. Access the Advanced Boot Options menu on your computer and choose the option to **Disable Driver Signature Enforcement**. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. This option will suspend all code integrity checks, including WDAC, for a single boot session. +3. Start Windows normally and sign in. 
Then, [remove WDAC policies using script](#remove-wdac-policies-using-script). +4. If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker, [suspend BitLocker protection](/troubleshoot/windows-client/windows-security/suspend-bitlocker-protection-non-microsoft-updates) then turn on Secure Boot from your UEFI BIOS menu. +5. Restart the computer. + +> [!NOTE] +> If your drive is protected by Bitlocker, you may need your Bitlocker recovery keys to perform steps 1-2 above. From 7436e8887ff2352c8b4dee25302bcf16a58235f8 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 4 Nov 2022 08:16:31 -0700 Subject: [PATCH 2/4] Fixed links --- ...sable-windows-defender-application-control-policies.md | 2 +- ...dows-defender-application-control-against-tampering.md | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 28622125de..73396ea88e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md 
@@ -166,7 +166,7 @@ A WDAC policy that blocks boot critical drivers can cause a boot stop failure (B To remove a policy that is causing boot stop failures: -1. If the policy is a **signed** WDAC policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode?view=windows-11). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM). +1. If the policy is a **signed** WDAC policy, turn off Secure Boot from your [UEFI BIOS menu](/windows-hardware/manufacture/desktop/boot-to-uefi-mode-or-legacy-bios-mode). For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM). 2. Access the Advanced Boot Options menu on your computer and choose the option to **Disable Driver Signature Enforcement**. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. This option will suspend all code integrity checks, including WDAC, for a single boot session. 3. Start Windows normally and sign in. Then, [remove WDAC policies using script](#remove-wdac-policies-using-script). 4. If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker, [suspend BitLocker protection](/troubleshoot/windows-client/windows-security/suspend-bitlocker-protection-non-microsoft-updates) then turn on Secure Boot from your UEFI BIOS menu. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index e752db3d0d..ca5b20ff1f 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 08/15/2022 +ms.date: 11/04/2022 ms.technology: itpro-security --- 
@@ -42,10 +42,10 @@ Signed Windows Defender Application Control (WDAC) policies give organizations t Before you sign with PKCS #7 and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. -Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. +Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. If you don't currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. -Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). +Before PKCS #7-signing WDAC policies for the first time, ensure you enable rule options **Enabled:Advanced Boot Options Menu** and **10 Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. 
If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md). To sign a Windows Defender Application Control policy with SignTool.exe, you need the following components: @@ -85,7 +85,7 @@ If you don't have a code signing certificate, see [Optional: Create a code signi > [!NOTE] > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. - Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows). + Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Remove WDAC policies](disable-windows-defender-application-control-policies.md). 6. Use [Set-RuleOption](/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: From 54def68f5a35e8d7108807b3d66acaf9b1173242 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 4 Nov 2022 09:17:04 -0700 Subject: [PATCH 3/4] Update disable-windows-defender-application-control-policies.md --- .../disable-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 73396ea88e..70b546136f 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -114,7 +114,7 @@ Then restart the computer. ```powershell # Set PolicyId GUID to the PolicyId from your WDAC policy XML - $PolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" + $PolicyId = "{PolicyId GUID}" # Initialize variables $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}" From e073ec5252ff43301f2a3150f4ff785fcf6cbbf9 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 4 Nov 2022 11:52:41 -0700 Subject: [PATCH 4/4] Update disable-windows-defender-application-control-policies.md --- ...ndows-defender-application-control-policies.md | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index 70b546136f..526551ec0e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 11/03/2022 +ms.date: 11/04/2022 ms.technology: itpro-security --- 
@@ -100,10 +100,10 @@ To remove WDAC policies using script, your script must delete the policy file(s) - <EFI System Partition>\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip - <OS Volume>\\Windows\\System32\\CodeIntegrity\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip -For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SIPolicy.p7b that may be found in the following locations: +For **single policy format WDAC policies**, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations: -- <EFI System Partition>\\Microsoft\\Boot\\SIPolicy.p7b -- <OS Volume>\\Windows\\System32\\CodeIntegrity\\SIPolicy.p7b +- <EFI System Partition>\\Microsoft\\Boot\\SiPolicy.p7b +- <OS Volume>\\Windows\\System32\\CodeIntegrity\\SiPolicy.p7b Then restart the computer. @@ -130,7 +130,7 @@ Then restart the computer. mountvol $MountPoint $EFIPartition # Check if the PolicyId to be removed is the system reserved GUID for single policy format. - # If so, the policy may exist as both sipolicy.p7b in the policy path root as well as + # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as # {GUID}.cip in the CiPolicies\Active subdirectory if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2} 
@@ -155,11 +155,14 @@ Then restart the computer. } # Dismount the EFI partition - mountvol.exe $MountPoint /D + mountvol $MountPoint /D ``` +> [!NOTE] +> You must run the script as administrator to remove WDAC policies on your computer. + ## Remove WDAC policies causing boot stop failures A WDAC policy that blocks boot critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option **10 Enabled:Boot Audit On Failure** in your policies. Additionally, signed WDAC policies protect the policy from administrative manipulation and malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies even for administrators. Tampering with or removing a signed WDAC policy will cause a BSOD to occur.
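Review bot: in PATCH 1/4, first hunk (front matter), the `title` changes from "Disable Windows Defender Application Control policies" to "Remove Windows Defender Application Control policies", but the `description` line directly below it still reads "Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS" and `keywords` is untouched. Update `description` to match the new title and the new structure of the page (the page no longer has a "within the BIOS" section; it has "Remove WDAC policies causing boot stop failures"), otherwise the search snippet and the H1 disagree.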
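Review bot: in PATCH 1/4, second hunk (page body), the sample script has no check that a system partition was actually found before it is mounted: `$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]` can be `$null` on an unusual layout, and the script then runs `mountvol $MountPoint $EFIPartition` with an empty volume argument and carries on deleting under a `$MountPoint` directory that `New-Item` just created but that is not a mounted ESP. Add a guard such as `if (-not $EFIPartition) { throw "No system (EFI) partition found" }` before the `mountvol` call, and consider wrapping the delete loop in `try { ... } finally { mountvol $MountPoint /D }` so the ESP is always dismounted. Two consistency points in the same hunk: the signed-policy IMPORTANT box now reads "The replacement policy must also include \." and "signed with a certificate included in the \ section", with no element name, while the removed text named the **UpdatePolicySigners** section; state the element name explicitly (escaped so the angle brackets render). The path list says `<EFI System Partition>\\Microsoft\\Boot\\CiPolicies\Active\\...` but the script builds `$EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"`; prose and script should agree on whether `EFI\` is part of the path. Minor: the final note spells "Bitlocker" while step 4 spells "BitLocker".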
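Review bot: in PATCH 2/4, hunk `@@ -42,10 +42,10 @@` of use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md, the rewritten sentence names the first option as **Enabled:Advanced Boot Options Menu** without its number while the second is written as **10 Enabled:Boot Audit on Failure**, and the following sentence still refers to it by number (`-Option 9`). Write it as **9 Enabled:Advanced Boot Options Menu** so the two options are presented the same way and the number the reader is told to pass to `Set-RuleOption` is visible. The example `Set-RuleOption -FilePath -Option 9` is also missing the value for `-FilePath`; since this line is being touched anyway, supply a placeholder such as `-FilePath <path to policy XML>` so the command is copy-and-fill rather than a syntax error.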
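Review bot: in PATCH 2/4, hunk `@@ -85,7 +85,7 @@` of the same file, the link is retargeted to the top of disable-windows-defender-application-control-policies.md because the old anchor `#disable-signed-windows-defender-application-control-policies-within-windows` no longer exists, which is correct, but the surrounding sentence still says "how to disable signed WDAC policies" while the link text and the target page now say "Remove". Align the wording ("how to remove signed WDAC policies") and consider pointing at the new "Removing WDAC policies" section, where the signed-policy IMPORTANT box lives, rather than the page root.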
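Review bot: in PATCH 3/4, replacing the hard-coded value with `$PolicyId = "{PolicyId GUID}"` is right, but the script now runs without complaint when the reader forgets to edit the placeholder: the `-eq $SinglePolicyFormatPolicyId` comparison is false, `$NumFilesToDelete` is 2, and the loop looks for a file literally named `{PolicyId GUID}.cip`, which does not exist, so nothing is removed and no error is raised. Fail fast instead, for example `if ($PolicyId -eq "{PolicyId GUID}") { throw "Set `$PolicyId to the PolicyId of the policy to remove" }` or a `[guid]::TryParse` check on the trimmed value. The comment above the assignment should also tell the reader that for single policy format policies the value to use is `{A244370E-44C9-4C06-B551-F6016E563076}`, since after this change that GUID only appears in the `$SinglePolicyFormatPolicyId` line further down.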
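Review bot: in PATCH 4/4, hunk `@@ -100,10 +100,10 @@`, the casing fix to `SiPolicy.p7b` matches the script, but the unchanged context lines above it still escape backslashes inconsistently: `\\Microsoft\\Boot\\CiPolicies\Active\\*\{PolicyId GUID\}*.cip` uses `\\` for every separator except the one between `CiPolicies` and `Active`. Since these lines are in the hunk, make the escaping uniform so the rendered path shows every separator.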
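Review bot: in PATCH 4/4, hunk `@@ -155,11 +155,14 @@`, the new note "You must run the script as administrator to remove WDAC policies on your computer" states a requirement the script itself does not enforce; an unelevated run gets as far as `New-Item` and then fails at `mountvol` with a partially executed script. Put `#Requires -RunAsAdministrator` as the first line of the sample script so PowerShell refuses to start it unelevated, and keep the note as the human-readable explanation. The `mountvol.exe` to `mountvol` change is fine and makes the dismount line match the earlier `mountvol $MountPoint $EFIPartition` call.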