mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-25 15:23:40 +00:00
title | description | author | ms.author | ms.service | ms.reviewer | ms.topic | ms.date | ms.custom |
---|---|---|---|---|---|---|---|---|
CI Policy, Token, and Miscellaneous Commands | Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands. | valemieux | jgeurten | security | jgeurten | how-to | 08/07/2022 | template-how-to |
Manage WDAC Policies with CI Tool
CI Tool provides Policy Commands, Token Commands, and Miscellaneous Commands for user mode code and drivers.
Policy Commands
Command | Description | Alias |
---|---|---|
--update-policy /Path/To/Policy/File | Add or update a policy on the current system | -up |
--remove-policy PolicyGUID | Remove a policy indicated by PolicyGUID from the system | -rp |
--list-policies | Dump information about all policies on the system, whether they are active or not | -lp |
Token Commands
Command | Description | Alias |
---|---|---|
--add-token Path/To/Token/File [--token-id ID] | Deploy a token onto the current system, with an optional specific ID. | -at |
--remove-token ID | Remove a Token indicated by ID from the system. | -rt |
--list-tokens | Dump information about all tokens on the system | -lt |
Note
When --add-token is given an [ID], a pre-existing token with that [ID] should not exist.
Miscellaneous Commands
Command | Description | Alias |
---|---|---|
--device-id | Dump the Code Integrity Device ID | -id |
--refresh | Attempt to Refresh WDAC Policies | -r |
--help | Display the tool's help menu | -h |
Examples
Note
The following examples assume you have extracted the policy file {BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip to C:\windows\system32
- Deploy a WDAC policy onto the system
PS C:\Windows\System32> .\CITool.exe --update-policy "C:\Windows\System32\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip"
- Refresh the WDAC policies in the \Windows\system32\CodeIntegrity\CiPolicies\Active folder
PS C:\Users\[USER]> cd \Windows\system32\CodeIntegrity\CiPolicies\Active
PS C:\Windows\System32\CodeIntegrity\CiPolicies\Active> CITool.exe --refresh
Operation Successful
- Remove a specific WDAC policy by GUID
PS C:\Users\[USER]> cd \windows\system32
PS C:\Windows\System32> .\CITool.exe --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}"
- Display the help menu
PS C:\Users\[USER]> cd \windows\system32
PS C:\windows\system32> .\CITool.exe -h
Usage: CiTool.exe COMMAND [Command-Options] [-json]
Commands:
----------------------------- Policy Commands ---------------------------------
--update-policy /Path/To/Policy/File
Add or update a policy on the current system
aliases: -up
--remove-policy PolicyGUID
Remove a policy indicated by PolicyGUID from the system
aliases: -rp
--list-policies
Dump information about all policies on the system, whether they be active or not
aliases: -lp
----------------------------- Token Commands ---------------------------------
--add-token Path/To/Token/File [--token-id ID]
Deploy a token onto the current system, with an optional specific ID
If [ID] is specified, a pre-existing token with [ID] should not exist.
aliases:-at
--remove-token ID
Remove a Token indicated by ID from the system.
aliases: -rt
--list-tokens
Dump information about all tokens on the system
aliases: -lt
----------------------------- Misc Commands ---------------------------------
--device-id
Dump the Code Integrity Device Id
aliases: -id
--refresh
Attempt to Refresh CI Policies
aliases: -r
--help
Display this message
aliases: -h
----------------------------- Global Flags---------------------------------
-json
Format output as json and suppress input
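The deploy step from the examples above, followed by a check that the policy is actually listed, as one script (an added example, not part of the original documentation). It assumes an elevated session, that CiTool.exe exits non-zero on failure, and that `--list-policies -json` returns a `Policies` array whose entries carry a `PolicyID` field; the function names are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example: deploy a .cip policy with CiTool and confirm it is listed.
$CipPath = 'C:\Windows\System32\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip'  # file from the note above

function Get-PolicyGuidFromCip {   # hypothetical helper
    param([Parameter(Mandatory)][string]$Path)
    # The examples name the file {PolicyGUID}.cip; reject anything else before calling CiTool.
    $name = [IO.Path]::GetFileNameWithoutExtension($Path)
    if ($name -notmatch '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$') {
        throw "Expected a {GUID}.cip file name, got: $Path"
    }
    return [guid]$name
}

function Invoke-CiTool {           # hypothetical helper
    param([Parameter(Mandatory)][string[]]$Arguments)
    # Each argument is passed as its own string, so PowerShell never parses {GUID} as a script block.
    # -json is the global flag from the usage text (JSON output, input suppressed).
    $out = & "$env:SystemRoot\System32\CiTool.exe" @Arguments '-json'
    # Assumption: CiTool exits non-zero when the operation fails.
    if ($LASTEXITCODE -ne 0) {
        throw "CiTool $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
    return ($out | Out-String | ConvertFrom-Json)
}

function Test-PolicyListed {       # hypothetical helper
    param([Parameter(Mandatory)]$ListOutput, [Parameter(Mandatory)][guid]$PolicyGuid)
    # Assumption: the JSON has a Policies array with one PolicyID string per entry.
    $hits = @($ListOutput.Policies |
        Where-Object { "$($_.PolicyID)".Trim('{}') -eq "$PolicyGuid" })
    return $hits.Count -gt 0
}

$guid = Get-PolicyGuidFromCip -Path $CipPath
Invoke-CiTool -Arguments '--update-policy', $CipPath | Out-Null
$listed = Test-PolicyListed -ListOutput (Invoke-CiTool -Arguments '--list-policies') -PolicyGuid $guid
if (-not $listed) { throw "Policy $guid is not listed after --update-policy" }
"Policy $guid is deployed"

# To remove it again, pass the GUID in braces as one quoted string:
# Invoke-CiTool -Arguments '--remove-policy', $guid.ToString('B')
```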