Default Code Integrity policies on Windows 11 22H2

Sabine Ludewig 1 Reputation point
2023-01-04T09:17:15.663+00:00

Hi all
I hope this is the right forum.

Windows 11 22H2 comes with a bunch of .cip files in the C:\Windows\System32\CodeIntegrity\CiPolicies\Active folder.
Looking at citool.exe -lp, some of them are active, some are not.

We want to deploy our own policies, so I'd like to know

  • what's the content of the default policies, so I can determine if they interfere with our rules
  • how can I get rid of these default files? I can't just delete them, and citool.exe -rp 'GUID' doesn't work either

Thanks a lot


3 answers
  1. Anonymous
    2023-01-05T07:17:28.01+00:00

    Hi.
    The default policy on Windows 11 22H2 is WDAC.
    For details, please refer to the following official documents:
    https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview
    https://learn.microsoft.com/en-us/hololens/windows-defender-application-control-wdac

    Hope the information is helpful.


  2. Sabine Ludewig 1 Reputation point
    2023-01-06T07:54:49.76+00:00

    Hi HaniaLian

    that's not what I was looking for.

    I know WDAC is the default.
    I want to get rid of the MS-provided default policies for WDAC under C:\Windows\System32\CodeIntegrity\CiPolicies\Active
    and replace them with my own policies.
    Or at least know what the default policies contain.

    Thanks anyway


  3. Ben Delamotte 0 Reputation points
    2023-02-28T20:28:34.2666667+00:00

    Hi Sabine,

    I believe this is the default implementation of recommended driver block rules that Microsoft introduced in a recent update for Win11. See - https://support.microsoft.com/en-au/topic/kb5020779-the-vulnerable-driver-blocklist-after-the-october-2022-preview-release-3fcbe13a-6013-4118-b584-fcfbc6a09936

    I am running 22H2 and the instructions in the article seem slightly inaccurate. I can disable the memory integrity checks as described for 21H2; the steps for 22H2 don't seem valid for some reason.

    I'm also curious about what happens to these policies if I were to deploy my own WDAC policies. This is something I plan to test at some point because I couldn't find any documentation that describes the behaviour.

    If I do happen to get around to it anytime soon I will post the result here.

    Cheers

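Added example (not posted by anyone in this thread): a PowerShell script that answers the two practical questions raised above without deleting anything. It lists every .cip file in the Active folder, asks citool.exe for the kernel's view of the loaded policies, joins the two on the policy GUID, and flags the policies that citool reports as system policies (shipped with Windows, such as the driver block rules Ben points to), which is the set that `citool.exe -rp` refuses to remove. The join also shows which policies are base policies and which are supplemental (BasePolicyID differs from PolicyID); under the multiple-policy format a file must be allowed by every enforced base policy, so a custom base policy is combined with the built-in ones rather than replacing them. Assumptions: Windows 11 22H2 or later with citool.exe on PATH, an elevated session, and the `-lp -json` switches and JSON property names documented for citool.exe; if your build emits different property names, adjust the field list.

```powershell
# Added example, not from the thread. Assumes Windows 11 22H2+, elevated
# PowerShell, citool.exe on PATH, and the documented JSON shape of
# "citool.exe -lp -json" (Policies array with PolicyID, FriendlyName,
# BasePolicyID, IsEnforced, IsSystemPolicy, IsSigned, IsOnDisk, VersionString).

$activeDir = Join-Path $env:SystemRoot 'System32\CodeIntegrity\CiPolicies\Active'

# 1. What is on disk. Each file is named <PolicyID>.cip; normalise the GUID
#    so it joins cleanly with citool's output.
$onDisk = Get-ChildItem -Path $activeDir -Filter '*.cip' -ErrorAction Stop |
    ForEach-Object {
        [pscustomobject]@{
            PolicyId = $_.BaseName.Trim('{}').ToUpperInvariant()
            File     = $_.FullName
            Size     = $_.Length
        }
    }

# 2. What the kernel actually has loaded. Fail loudly if citool is missing
#    or not elevated rather than reporting an empty list as "nothing active".
$raw = & citool.exe -lp -json 2>&1
if ($LASTEXITCODE -ne 0) { throw "citool.exe -lp -json failed: $($raw -join ' ')" }
$loaded = (($raw -join "`n") | ConvertFrom-Json).Policies

# 3. Join on PolicyID. SystemPolicy = shipped with the OS; these are the
#    entries citool.exe -rp will not remove. Supplemental policies carry a
#    BasePolicyID different from their own PolicyID.
$report = foreach ($p in $loaded) {
    $id   = $p.PolicyID.Trim('{}').ToUpperInvariant()
    $base = $p.BasePolicyID.Trim('{}').ToUpperInvariant()
    $disk = $onDisk | Where-Object PolicyId -eq $id
    [pscustomobject]@{
        PolicyID     = $id
        FriendlyName = $p.FriendlyName
        Version      = $p.VersionString
        Kind         = if ($base -eq $id) { 'Base' } else { "Supplemental of $base" }
        Enforced     = [bool]$p.IsEnforced
        SystemPolicy = [bool]$p.IsSystemPolicy
        Signed       = [bool]$p.IsSigned
        OnDisk       = [bool]$disk
        File         = if ($disk) { $disk.File } else { $null }
    }
}

"=== Policies known to the kernel ==="
$report | Sort-Object SystemPolicy, Kind, FriendlyName | Format-Table -AutoSize

# 4. Files sitting in Active that the kernel does not list: stale or unloaded
#    .cip files, which is the other half of "some are active, some are not".
"=== .cip files in Active not reported by citool ==="
$onDisk | Where-Object { $_.PolicyId -notin $report.PolicyID } |
    Select-Object PolicyId, Size, File | Format-Table -AutoSize

# 5. Candidates you could remove with citool.exe -rp <GUID> (not run here):
#    enforced, on disk, and not a system policy.
"=== Removable (non-system) policies ==="
$report | Where-Object { -not $_.SystemPolicy -and $_.OnDisk } |
    Select-Object PolicyID, FriendlyName, Kind | Format-Table -AutoSize
```

Nothing in the script modifies the system. To test what a custom policy does alongside the built-in ones, deploy it in audit mode first (the `Enabled:Audit Mode` rule option) and watch the CodeIntegrity operational log; an event that names the built-in policy as the blocking policy tells you the conflict is with the default rules, not with yours.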
