Merge pull request #9527 from sewillia-msft/patch-1

"Disable WDAC Policies": Cleanup formatting
Daniel Simpson
2021-05-17 09:59:31 -07:00
committed by GitHub


@ -32,7 +32,6 @@ This topic covers how to disable unsigned or signed WDAC policies.
There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. The method used to deploy the policy (such as Group Policy) must first be disabled, then simply delete the SIPolicy.p7b policy file from the following locations, and the WDAC policy will be disabled on the next computer restart:
- <EFI System Partition>\\Microsoft\\Boot\\
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
Note that as of the Windows 10 May 2019 Update (1903), WDAC allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory.
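Review bot: the two path bullets in this hunk escape backslashes as `\\` while the `\CIPolicies\Active` path in the sentence right after them uses single backslashes; pick one convention for the whole section. Putting each path in a code span with single backslashes (e.g. `` `<EFI System Partition>\Microsoft\Boot\` ``) would also keep the renderer from reading `<EFI System Partition>` and `<OS Volume>` as HTML tags and dropping them.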
@ -43,21 +42,22 @@ Signed policies protect Windows from administrative manipulation as well as malw
> [!NOTE]
> For reference, signed WDAC policies should be replaced and removed from the following locations:
- <EFI System Partition>\\Microsoft\\Boot\\
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
>
> * <EFI System Partition>\\Microsoft\\Boot\\
> * <OS Volume>\\Windows\\System32\\CodeIntegrity\\
1. Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
> **Note**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
> [!NOTE]
> To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
> **Note**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
> [!NOTE]
> If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Delete the new policy.
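Review bot: the `[!NOTE]` blocks that follow steps 1 and 3 sit flush-left between numbered items, which ends the list at each note, so step 2 and step 4 render as separate lists rather than as a continuation; indent the note (`   > [!NOTE]` / `   > To take effect, ...`) so it nests under the step it belongs to. Also confirm that only the quoted `> * <EFI System Partition>\\Microsoft\\Boot\\` form of the two path bullets survives in the note block, since an unquoted `- ` bullet inside the quoted note would break the blockquote.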
@ -67,13 +67,15 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
1. Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
> **Note**  To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
> [!NOTE]
> To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
2. Restart the client computer.
3. Verify that the new signed policy exists on the client.
> **Note**  If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
> [!NOTE]
> If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
4. Set the GPO to disabled.
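Review bot: the hunk's context line reads "has been deployed using by using Group Policy", a duplicated "using" in the section intro that this formatting cleanup is the right place to fix. As with the non-GPO steps, the `[!NOTE]` blocks after steps 1 and 3 should be indented under their list items (`   > [!NOTE]`) so the numbered list is not broken between steps.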
@ -86,5 +88,4 @@ If the signed WDAC policy has been deployed using by using Group Policy, you mus
There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
- <EFI System Partition>\\Microsoft\\Boot\\
- <OS Volume>\\Windows\\System32\\CodeIntegrity\\
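Review bot: "delete the file from the following locations" never says which file; name it (`SIPolicy.p7b`, and the `{Policy GUID}.cip` files under `\CIPolicies\Active` when multiple policies are deployed) so the recovery steps match the file names given at the top of the topic. The two path bullets here use the same `\\` escaping flagged in the first hunk and should follow whatever convention is chosen there, and the context line repeats the "using by using" typo.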