
WDAC Signed Policy Not Being Enforced – Need Help Identifying What’s Failing and Where to Check Logs

Shabir Ahmad Magray 20 Reputation points
2025-12-16T09:26:06.6266667+00:00

Hi Everyone,

We are working on applying a signed WDAC (Windows Defender Application Control) policy, but the policy is not getting enforced on the system, even though the policy creation, signing, and deployment steps appear to run without errors.

Below is the PowerShell script we are using to generate and sign the WDAC policy:

```powershell
$PolicyPath="C:\Temp\WDAC\"
$PolicyName="DefaultWindows_Enforced"
$LamnaServerPolicy=$PolicyPath+$PolicyName+".xml"

cd $PolicyPath

# Add the signing certificate as an update signer, then remove option 6
# (Enabled:Unsigned System Integrity Policy) so only a signed policy is accepted
Add-SignerRule -FilePath $LamnaServerPolicy -CertificatePath "C:\AppControl.cer" -Update
Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 -Delete

# Reset the policy ID and derive the binary file name from the new GUID
$PolicyID= Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy  -ResetPolicyID
$PolicyID = $PolicyID.Substring(11)
$CIPolicyBin = "C:\Temp\WDAC\" + $PolicyID + ".cip"
ConvertFrom-CIPolicy $LamnaServerPolicy $CIPolicyBin

# Sign the binary policy as a PKCS#7 message; signtool writes the output as <name>.cip.p7
& "C:\Program Files (x86)\Windows Kits\10\bin\10.0.26100.0\x64\signtool.exe" sign -v /sha1 56cf1798c06f51bf680ee28628c8131a29ec85ad /sm -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd SHA256 "$CIPolicyBin"

# Inspect the signed blob and the certificates embedded in it
certutil.exe -asn "C:\Temp\WDAC\{3858876e-8f3f-408a-a641-5a85a0f1a7f3}.cip.p7"

$CIPolicyBin = "C:\Temp\WDAC\{3858876e-8f3f-408a-a641-5a85a0f1a7f3}.cip.p7"
Add-Type -AssemblyName 'System.Security'
$SignedCryptoMsgSyntax = New-Object -TypeName System.Security.Cryptography.Pkcs.SignedCms
$SignedCryptoMsgSyntax.Decode([System.IO.File]::ReadAllBytes($CIPolicyBin))
$SignedCryptoMsgSyntax.Certificates | Format-List -Property *

# Mount the EFI system partition and copy the signed policy into the Active folder
$MountPoint = 'C:\EFIMount'
$EFIDestinationFolder = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active"
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
mountvol $MountPoint $EFIPartition
if (-Not (Test-Path $EFIDestinationFolder)) { New-Item -Path $EFIDestinationFolder -Type Directory -Force }

Copy-Item -Path "C:\Temp\WDAC\{3858876e-8f3f-408a-a641-5a85a0f1a7f3}.cip.p7" -Destination $EFIDestinationFolder -Force
```

What we observe:

  • The policy gets created successfully
  • Signtool signs the policy without errors
  • The .cip.p7 file is correctly copied to EFI\Microsoft\Boot\CiPolicies\Active
  • But after reboot, the WDAC policy is not enforced (no blocking behavior, everything runs normally)

Questions:

  • What could be preventing the signed policy from being applied/enforced?
  • Is there a recommended way to verify whether the WDAC policy was parsed/loaded during boot?
  • Where can I find reliable logs to troubleshoot WDAC policy loading or enforcement failures?
  • Are there specific Event Viewer paths (CodeIntegrity/Operational, Microsoft-Windows-AppLocker, etc.) I should check?
  • Could the issue be related to:
      • Policy ID not matching
      • Incorrect P7 signing format
      • Wrong EFI location
      • Missing catalog signing
      • Secure Boot requirements
      • Certificate trust chain

I have gone through the documentation, but I’m still unsure where the failure is occurring.

Any guidance on diagnosing WDAC enforcement issues, recommended logs, or validation steps would be greatly appreciated.

Thanks in advance

Windows for business | Windows Client for IT Pros | Devices and deployment | Other

Answer accepted by question author

  1. VPHAN 30,935 Reputation points Independent Advisor
    2025-12-17T17:42:44.3466667+00:00

    Hello Shabir Ahmad Magray,

    I am following up to check if renaming the policy file in the EFI partition resolved the enforcement issue. As detailed in the previous response, the Windows bootloader's scanning logic for the EFI\Microsoft\Boot\CiPolicies\Active directory is strictly hardcoded to only parse files ending in .cip. Leaving the .p7 extension generated by the signtool command effectively hides the policy from the boot process, which explains why you observed no blocking behavior despite the signing process completing without errors.

    If you have corrected the extension to {GUID}.cip and still see no enforcement, you should re-verify that the root certificate of the signer is trusted by the system. Even with the correct filename, if the signature chain cannot be validated during the early boot phase, the kernel will discard the policy to prevent a boot loop. You can confirm the status by checking the Microsoft-Windows-CodeIntegrity/Operational log for Event ID 3099, which confirms a successful load, or look for signature validation errors in the same log stream.

    If the issue has been successfully resolved, please consider accepting the answer as it helps other people sharing the same question benefit too. Thank you!

    VP

    1 person found this answer helpful.

1 additional answer

  1. VPHAN 30,935 Reputation points Independent Advisor
    2025-12-17T00:53:25.56+00:00

    Hello Shabir Ahmad Magray,

    Based on the script and the symptoms you described, the primary reason your signed WDAC policy is not being enforced is likely a file naming mismatch in the EFI partition. When you use the /p7 switch with signtool.exe, it generates a file with a .p7 extension (in your case, effectively .cip.p7). While this file contains the correctly signed policy data, the Windows bootloader specifically scans the EFI\Microsoft\Boot\CiPolicies\Active directory for files ending in .cip. Because your script copies the file to the EFI partition maintaining the .cip.p7 extension, the bootloader ignores the file entirely during startup, resulting in no enforcement and no blocking behavior.

    To resolve this, you must rename the signed file to match the Policy ID followed by the .cip extension when placing it in the EFI destination. In your script, change the Copy-Item command to rename the destination file. Specifically, ensure the destination path is $EFIDestinationFolder\$PolicyID.cip (or hardcode the GUID if you prefer, but it must end in .cip). Once the file is renamed to {3858876e-8f3f-408a-a641-5a85a0f1a7f3}.cip within the Active folder, the bootloader should parse it upon the next reboot.

    Regarding your question on logs and validation, the most reliable place to troubleshoot WDAC enforcement is the Microsoft-Windows-CodeIntegrity/Operational event log. After the reboot with the renamed file, look for Event ID 3099, which indicates a policy has been successfully loaded. If the policy fails to load (due to signature verification failure or malformed XML), you will typically see Event ID 3073 or similar error events in the same log explaining why the bootloader rejected the policy. The AppLocker logs are not relevant for WDAC policy loading issues.

    One final technical note regarding your signing process: ensure that the certificate you used to sign the policy (referenced in Add-SignerRule) has been correctly added to the policy itself before the ConvertFrom-CIPolicy step. Since you removed Option 6 (Unsigned System Integrity Policy), if the bootloader sees the policy but cannot validate the signature against the signers defined inside the policy (or if the root of that certificate isn't trusted by the firmware/OS depending on your Secure Boot configuration), it may still fail to apply. However, fixing the file extension is the immediate step required to get the bootloader to even attempt to load it.

    I hope you've found something useful here. If it helps you get more insight into the issue, it's appreciated to accept the answer. Should you have more questions, feel free to leave a message. Have a nice day!

    VP

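The fix both answers describe (copy the signed file under the {PolicyID}.cip name) together with the post-reboot checks they recommend, as an added example that is not part of the question or either answer. It reuses the paths and policy GUID from the asker's script; the Win32_DeviceGuard query and the last-boot filter are additions of this example, not something the answers mention.

```powershell
# Added example: deploy the signed policy under the name the bootloader scans for,
# then verify after reboot. Paths and GUID are the ones from the question.
$PolicyID   = '{3858876e-8f3f-408a-a641-5a85a0f1a7f3}'
$SignedFile = "C:\Temp\WDAC\$PolicyID.cip.p7"     # output of signtool -p7

$MountPoint   = 'C:\EFIMount'
$Active       = "$MountPoint\EFI\Microsoft\Boot\CiPolicies\Active"
$EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
if (-not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -ItemType Directory -Force | Out-Null }
mountvol $MountPoint $EFIPartition
if (-not (Test-Path $Active)) { New-Item -Path $Active -ItemType Directory -Force | Out-Null }

# The destination name drops the trailing .p7: the bootloader only parses *.cip
Copy-Item -Path $SignedFile -Destination "$Active\$PolicyID.cip" -Force

# Sanity check before rebooting: exactly one file for this GUID, ending in .cip
Get-ChildItem -Path $Active -Filter "$PolicyID*" | Select-Object Name, Length

# Release the mount point; the policy is picked up at the next boot
mountvol $MountPoint /D

# ---- after reboot: did the policy load and is it enforced? ----
# Only look at events from the current boot so earlier failed attempts don't mislead
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

# Event ID 3099 in CodeIntegrity/Operational = a policy was loaded
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = $lastBoot
} -ErrorAction SilentlyContinue | Format-List TimeCreated, Message

# Any error-level events in the same log since boot (signature/parse failures land here)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Level     = 2
    StartTime = $lastBoot
} -ErrorAction SilentlyContinue | Format-List Id, TimeCreated, Message

# Enforcement state as the OS reports it: 0 = off, 1 = audit, 2 = enforced
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
    Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus
```

Run the deployment half from an elevated session, reboot, then run the verification half; no 3099 event for this boot means the bootloader never parsed the file, while a 3099 event with a non-enforced status points at the policy's own rule options rather than the file name.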
