windows-itpro-docs/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
Alekhya Jupudi d140fcbf6a Defender App Guard Link text correction-01
Change to Learn more about the [Windows Defender Application Control feature availability](feature-availability.md)
2021-09-30 11:22:51 +05:30


---
title: Disable Windows Defender Application Control policies (Windows)
description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
keywords: security, malware
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 05/03/2018
ms.technology: mde
---

Disable Windows Defender Application Control policies

Applies to:

  • Windows 10
  • Windows 11
  • Windows Server 2016 and above

Note

Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the Windows Defender Application Control feature availability.

This topic covers how to disable unsigned or signed WDAC policies.

Disable unsigned Windows Defender Application Control policies

There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. First disable the method used to deploy the policy (such as Group Policy), then delete the SIPolicy.p7b policy file from the following locations. The WDAC policy is no longer enforced after the next computer restart:

  • <EFI System Partition>\Microsoft\Boot\
  • <OS Volume>\Windows\System32\CodeIntegrity\

Note that as of the Windows 10 May 2019 Update (1903), WDAC allows multiple policies to be deployed to a device. To fully disable WDAC when multiple policies are in effect, you must first disable each method being used to deploy a policy. Then delete the {Policy GUID}.cip policy files found in the \CIPolicies\Active subfolder under each of the paths listed above in addition to any SIPolicy.p7b file found in the root directory.
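The following script is an added example and is not part of the Microsoft documentation page. It inventories the policy files named above (the legacy SIPolicy.p7b and the {Policy GUID}.cip files under CIPolicies\Active) in both the EFI System Partition and the OS volume, optionally removes them, and reports the current Code Integrity enforcement status so you can confirm the change after the restart. It must run from an elevated PowerShell session; the drive letter S: used to mount the EFI System Partition is an assumption, as is the absence of any other drive already using that letter.

```powershell
# Added example (not from the Microsoft docs page): inventory, and optionally remove,
# the WDAC policy files the page describes. Run elevated. Removal only happens with
# -Remove, and it honours -WhatIf / -Confirm through ShouldProcess.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$EfiDriveLetter = 'S',   # assumed free drive letter for the EFI System Partition
    [switch]$Remove
)

$efiRoot = "${EfiDriveLetter}:"

# mountvol <drive>: /S mounts the EFI System Partition; /D later dismounts it.
mountvol $efiRoot /S | Out-Null
try {
    $roots = @(
        (Join-Path $efiRoot 'Microsoft\Boot'),
        (Join-Path $env:SystemRoot 'System32\CodeIntegrity')
    )

    # Collect the single-policy file and the multiple-policy (.cip) files from each root.
    $found = foreach ($root in $roots) {
        Get-ChildItem -Path (Join-Path $root 'SIPolicy.p7b') -ErrorAction SilentlyContinue
        Get-ChildItem -Path (Join-Path $root 'CIPolicies\Active') -Filter '*.cip' -ErrorAction SilentlyContinue
    }

    if (-not $found) {
        Write-Output 'No WDAC policy files present in either location.'
    }

    foreach ($file in $found) {
        Write-Output ('{0}  {1:N0} bytes  modified {2}' -f $file.FullName, $file.Length, $file.LastWriteTime)
        if ($Remove -and $PSCmdlet.ShouldProcess($file.FullName, 'Remove WDAC policy file')) {
            Remove-Item -LiteralPath $file.FullName -Force
        }
    }
}
finally {
    # Always dismount the EFI System Partition, even if enumeration or removal failed.
    mountvol $efiRoot /D | Out-Null
}

# The enforcement status reported here does not change until the next restart, which
# is why the page says the policy is disabled "on the next computer restart".
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
# Status values: 0 = off, 1 = audit mode, 2 = enforced
Write-Output ('Kernel-mode CI policy status: {0}' -f $dg.CodeIntegrityPolicyEnforcementStatus)
Write-Output ('User-mode CI policy status:   {0}' -f $dg.UsermodeCodeIntegrityPolicyEnforcementStatus)
```

Run it once without `-Remove` to see what is deployed, then with `-Remove -WhatIf` to preview the deletions, and finally with `-Remove`. Rerunning it after the restart is a quick way to confirm that both locations are empty and that the Win32_DeviceGuard status has dropped to 0.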

Disable signed Windows Defender Application Control policies within Windows

Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy was enabled manually by copying it to the CodeIntegrity folder, you must complete the following steps to remove it.

Note

For reference, signed WDAC policies should be replaced and removed from the following locations:

  • <EFI System Partition>\Microsoft\Boot\
  • <OS Volume>\Windows\System32\CodeIntegrity\

  1. Replace the existing policy with another signed policy that has the 6 Enabled: Unsigned System Integrity Policy rule option enabled.

    Note

    To take effect, this policy must be signed with a certificate previously added to the UpdatePolicySigners section of the original signed policy you want to replace.

  2. Restart the client computer.

  3. Verify that the new signed policy exists on the client.

    Note

    If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.

  4. Delete the new policy.

  5. Restart the client computer.

If the signed WDAC policy has been deployed by using Group Policy, you must complete the following steps:

  1. Replace the existing policy in the GPO with another signed policy that has the 6 Enabled: Unsigned System Integrity Policy rule option enabled.

    Note

    To take effect, this policy must be signed with a certificate previously added to the UpdatePolicySigners section of the original signed policy you want to replace.

  2. Restart the client computer.

  3. Verify that the new signed policy exists on the client.

    Note

    If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.

  4. Set the GPO to disabled.

  5. Delete the new policy.

  6. Restart the client computer.
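Step 1 of both signed-policy procedures above is the same: produce a signed replacement policy with rule option 6 enabled, signed by a certificate already listed under UpdatePolicySigners in the original policy. The following script is an added example and is not from the Microsoft documentation page. It assumes the original policy's XML source is at .\OriginalSignedPolicy.xml, that signtool.exe is on the PATH, and that the signing certificate (the subject name below is a placeholder) is installed in the current user's certificate store. The /p7co object identifier is the value Microsoft's policy-signing guidance uses for WDAC policies; the ".p7" suffix that signtool appends to the output file is also taken from that guidance.

```powershell
# Added example (not from the Microsoft docs page): build the signed "unlock" policy
# that step 1 of the signed-policy procedures calls for. Run elevated.
param(
    [string]$SourceXml     = '.\OriginalSignedPolicy.xml',          # assumed path
    [string]$UnlockXml     = '.\UnlockPolicy.xml',                  # working copy
    [string]$BinaryOut     = '.\SIPolicy.p7b',                      # compiled policy
    [string]$SignerSubject = 'PLACEHOLDER-UpdatePolicySigner-Subject' # placeholder cert subject
)

# Work on a copy so the original policy XML is left untouched.
Copy-Item -LiteralPath $SourceXml -Destination $UnlockXml -Force

# Rule option 6 = "Enabled: Unsigned System Integrity Policy". Once a policy carrying
# this option has been processed on the client, the policy file can be deleted in the
# later steps without a signed replacement.
Set-RuleOption -FilePath $UnlockXml -Option 6

# Check, before compiling, that the option really landed in the XML. Policy rule
# options live under SiPolicy/Rules/Rule/Option.
[xml]$policy = Get-Content -LiteralPath $UnlockXml
$options = @($policy.SiPolicy.Rules.Rule | ForEach-Object { $_.Option })
if ($options -notcontains 'Enabled:Unsigned System Integrity Policy') {
    throw "Rule option 6 was not applied to $UnlockXml"
}

# Compile the XML policy into the binary format Windows loads at boot.
ConvertFrom-CIPolicy -XmlFilePath $UnlockXml -BinaryFilePath $BinaryOut

# Sign the binary as a PKCS#7 blob. The certificate must be one of the original
# policy's UpdatePolicySigners or the client will reject the replacement.
& signtool.exe sign /v /n $SignerSubject /p7 . /p7co 1.3.6.1.4.1.311.79.1 /fd sha256 $BinaryOut
if ($LASTEXITCODE -ne 0) {
    throw "signtool failed with exit code $LASTEXITCODE"
}

# signtool /p7 writes the signed output as <name>.p7 next to the input; rename it back
# so it carries the file name the client expects.
$signed = "$BinaryOut.p7"
if (-not (Test-Path -LiteralPath $signed)) {
    throw "Expected signed output $signed was not produced"
}
Move-Item -LiteralPath $signed -Destination $BinaryOut -Force
Write-Output "Signed unlock policy written to $BinaryOut"
```

Deploy the resulting file by the same mechanism as the original policy (copy it into the CodeIntegrity folder, or place it in the GPO), restart, and only then continue with the deletion steps. If the original policy uses the multiple-policy format described earlier on this page, the compiled file must instead be named after the policy's GUID with a .cip extension and placed under CIPolicies\Active.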

Disable signed Windows Defender Application Control policies within the BIOS

There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the SIPolicy.p7b policy file from the following locations on the operating system disk, the system can boot into Windows:

  • <EFI System Partition>\Microsoft\Boot\
  • <OS Volume>\Windows\System32\CodeIntegrity\