windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-using-script.md
2021-04-20 12:24:35 -07:00


title: Deploy Windows Defender Application Control (WDAC) policies using script (Windows 10)
description: Use scripts to deploy Windows Defender Application Control (WDAC) policies. Learn how with this step-by-step guide.
keywords: security, malware
ms.prod: m365-security
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: jogeurte
ms.author: jogeurte
ms.manager: jsuther
manager: dansimp
ms.date: 04/14/2021
ms.technology: mde
ms.topic: article
ms.localizationpriority: medium

Deploy WDAC policies using script

Applies to:

  • Windows 10
  • Windows Server 2016 and above

This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell, but the same steps can be carried out with any scripting host.

Note

To use this procedure, download and distribute the WDAC policy refresh tool to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.

Script-based deployment process for WDAC policy

  1. Initialize the variables to be used by the script.

    # Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
    # Single policy format binaries should be named as SiPolicy.p7b.
    $PolicyBinary = "<Path to policy binary file to deploy>"
    $DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\"
    $RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>"
    
  2. Copy WDAC policy binary to the destination folder.

    cp $PolicyBinary $DestinationFolder
    
  3. Repeat steps 1-2 as appropriate to deploy additional WDAC policies.

  4. Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint.

    & $RefreshPolicyTool
    
  5. If successful, you should see the message "Rebootless ConfigCI Policy Refreshing Succeeded!"
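The five steps above combined into one deployment script, as an added example that is not part of the original topic or of Microsoft's own tooling. The policy-binary paths and the RefreshPolicy.exe path are placeholders you replace for your environment; the script also assumes that RefreshPolicy.exe writes the success message quoted in step 5 to its output, so that a deployment job can fail instead of silently continuing when the refresh does not succeed.

```powershell
# Added example script (not Microsoft's own): deploys one or more WDAC policy
# binaries and then runs the WDAC policy refresh tool, following steps 1-5 above.
# Assumptions: $PolicyBinaries and $RefreshPolicyTool below are placeholders;
# RefreshPolicy.exe prints the success message from step 5 to standard output.
#Requires -RunAsAdministrator

param(
    # One or more policy binaries: {GUID}.cip (multiple policy format, where the
    # GUID is the <PolicyId> from the policy XML) or SiPolicy.p7b (single policy format).
    [string[]]$PolicyBinaries = @("C:\WDAC\{PolicyId}.cip"),            # placeholder
    [string]$RefreshPolicyTool = "\\fileserver\wdac\RefreshPolicy.exe"  # placeholder
)

# Step 1: the destination folder from which Code Integrity loads policies.
$DestinationFolder = Join-Path $env:windir "System32\CodeIntegrity\CIPolicies\Active"

# A policy with the wrong file name is copied but never loaded, so check the
# name before copying rather than discovering the problem after the refresh.
function Test-WdacPolicyFileName {
    param([string]$Name)
    $guidCip = '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?\.cip$'
    return ($Name -eq 'SiPolicy.p7b') -or ($Name -match $guidCip)
}

# Steps 2 and 3: copy each policy binary into the active policies folder.
foreach ($PolicyBinary in $PolicyBinaries) {
    $name = Split-Path -Leaf $PolicyBinary
    if (-not (Test-Path -LiteralPath $PolicyBinary)) {
        throw "Policy binary not found: $PolicyBinary"
    }
    if (-not (Test-WdacPolicyFileName $name)) {
        throw "Unexpected policy file name '$name': expected {GUID}.cip or SiPolicy.p7b"
    }
    Copy-Item -LiteralPath $PolicyBinary -Destination $DestinationFolder -Force
    Write-Host "Deployed $name to $DestinationFolder"
}

# Step 4: activate and refresh all WDAC policies without a reboot.
if (-not (Test-Path -LiteralPath $RefreshPolicyTool)) {
    throw "RefreshPolicy.exe not found at $RefreshPolicyTool"
}
$output = & $RefreshPolicyTool 2>&1 | Out-String
Write-Host $output

# Step 5: treat anything other than the documented success message as a failure,
# so a management system running this script records the endpoint as not refreshed.
if ($output -notmatch 'Rebootless ConfigCI Policy Refreshing Succeeded') {
    throw "WDAC policy refresh did not report success (exit code $LASTEXITCODE)"
}
```

Run the script from an elevated PowerShell session on the managed endpoint, passing `-PolicyBinaries` with every binary to deploy, so that a single refresh activates all of them; the WDAC policies already enforced on the endpoint must allow RefreshPolicy.exe to run, as the note at the top of this topic describes.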