Deploy WDAC policies using script
Note
Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the Application Control feature availability.
This article describes how to deploy Windows Defender Application Control (WDAC) policies using script. The following instructions use PowerShell but can work with any scripting host.
You should now have one or more WDAC policies converted into binary form. If not, follow the steps described in Deploying Windows Defender Application Control (WDAC) policies.
Important
Due to a known issue, you should always activate new signed WDAC Base policies with a reboot on systems with memory integrity enabled. Skip all steps below that use CiTool, RefreshPolicy.exe, or WMI to initiate a policy activation. Instead, copy the policy binary to the correct system32 and EFI locations and then activate the policy with a system restart.
This issue does not affect updates to signed Base policies that are already active on the system, deployment of unsigned policies, or deployment of supplemental policies (signed or unsigned). It also does not affect deployments to systems that are not running memory integrity.
Deploying policies for Windows 11 22H2 and above
You can use the inbox CiTool to apply policies on Windows 11 22H2 with the following commands. Be sure to replace <Path to policy binary file to deploy> in the following example with the actual path to your WDAC policy binary file.
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML)
$PolicyBinary = "<Path to policy binary file to deploy>"
CiTool --update-policy $PolicyBinary [-json]
Deploying policies for Windows 11, Windows 10 version 1903 and above, and Windows Server 2022 and above
To use this procedure, download and distribute the WDAC policy refresh tool to all managed endpoints. Ensure your WDAC policies allow the WDAC policy refresh tool or use a managed installer to distribute the tool.
Initialize the variables to be used by the script.
# Policy binary files should be named as {GUID}.cip for multiple policy format files (where {GUID} = <PolicyId> from the Policy XML) $PolicyBinary = "<Path to policy binary file to deploy>" $DestinationFolder = $env:windir+"\System32\CodeIntegrity\CIPolicies\Active\" $RefreshPolicyTool = "<Path where RefreshPolicy.exe can be found from managed endpoints>"Copy Windows Defender Application Control (WDAC) policy binary to the destination folder.
Copy-Item -Path $PolicyBinary -Destination $DestinationFolder -ForceRepeat steps 1-2 as appropriate to deploy more WDAC policies.
Run RefreshPolicy.exe to activate and refresh all WDAC policies on the managed endpoint.
& $RefreshPolicyTool
Deploying policies for all other versions of Windows and Windows Server
Use WMI to apply policies on all other versions of Windows and Windows Server.
Initialize the variables to be used by the script.
# Policy binary files should be named as SiPolicy.p7b for Windows 10 versions earlier than 1903 $PolicyBinary = "<Path to policy binary file to deploy>" $DestinationBinary = $env:windir+"\System32\CodeIntegrity\SiPolicy.p7b"Copy Windows Defender Application Control (WDAC) policy binary to the destination.
Copy-Item -Path $PolicyBinary -Destination $DestinationBinary -ForceRefresh and activate WDAC policy using WMI
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}
Deploying signed policies
If you're using signed WDAC policies, the policies must be deployed into your device's EFI partition in addition to the locations outlined in the earlier sections. Unsigned WDAC policies don't need to be present in the EFI partition.
Mount the EFI volume and make the directory, if it doesn't exist, in an elevated PowerShell prompt:
$MountPoint = 'C:\EFIMount' $EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active" $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0] if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force } mountvol $MountPoint $EFIPartition if (-Not (Test-Path $EFIDestinationFolder)) { New-Item -Path $EFIDestinationFolder -Type Directory -Force }Copy the signed policy to the created folder:
Copy-Item -Path $PolicyBinary -Destination $EFIDestinationFolder -ForceRestart the system.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for