Hello Timothy C,
In fact there are different methods:
- MSINFO
You only need to open MSINFO32.exe and start looking for the Windows Defender Application Control status. As shown below, it’s enforced.
- CodeIntegrity Folder
Just like with AppLocker, Device Guard has its own folder with the active policy in it.
Before we continue, we need to take a look at this folder, C:\Windows\System32\CodeIntegrity\, to understand when which file is created.
If you have a SiPolicy file in this folder, that means you have selected the single policy format in the WDAC tool instead of the multiple policy format. If you have selected the multiple policy format, the policy is going to be created inside the cipolicies\active folder.
- Event log
Please note that only using the default template and rules is going to produce a lot of errors on the device. First, we need to know which kinds of events can be triggered.
*Don’t be mistaken by these kinds of warnings, because it’s a known problem.
- PowerShell
Open a new PowerShell session as admin and copy and paste this command:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | FL *codeintegrity*
If WDAC is enforced, the “UserModeCodeIntegrityPolicyEnforcementStatus” needs to have a value of “2”.
Hope this helps!
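
The checks listed in the answer above, combined into one script. This is an added example, not part of the original reply. It assumes the documented 0/1/2 status values of Win32_DeviceGuard, the SiPolicy.p7b and *.cip file names, and Code Integrity event IDs 3076, 3077 and 3099, none of which are spelled out in the post.

```powershell
# Added example: summarise WDAC state from the CIM class, the policy folder and the event log.
# Run in an elevated PowerShell session on the device being checked.

$ciRoot = Join-Path $env:windir 'System32\CodeIntegrity'

# Status values as documented for Win32_DeviceGuard (assumption: not listed in the post).
$statusText = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                      -Namespace root\Microsoft\Windows\DeviceGuard

# Single policy format leaves SiPolicy.p7b in the CodeIntegrity folder;
# multiple policy format leaves one .cip file per policy in CiPolicies\Active.
$singlePolicy  = Join-Path $ciRoot 'SiPolicy.p7b'
$multiPolicies = Get-ChildItem -Path (Join-Path $ciRoot 'CiPolicies\Active') `
                               -Filter '*.cip' -ErrorAction SilentlyContinue

# Recent Code Integrity events:
#   3076 = would have been blocked (audit mode)
#   3077 = blocked (enforced mode)
#   3099 = policy loaded
$counts = @{ 3076 = 0; 3077 = 0; 3099 = 0 }
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077, 3099
    } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object { $counts[[int]$_.Id]++ }

[pscustomobject]@{
    KernelModeStatus    = $statusText[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeStatus      = $statusText[[int]$dg.UserModeCodeIntegrityPolicyEnforcementStatus]
    SinglePolicyPresent = Test-Path -Path $singlePolicy
    ActivePolicyFiles   = @($multiPolicies).Count
    AuditEvents3076     = $counts[3076]
    BlockEvents3077     = $counts[3077]
    PolicyLoaded3099    = $counts[3099]
} | Format-List
```

A device reporting UserModeStatus "Enforced" with no policy file in either location, or "Off" while policy files are present, is worth a closer look because the policy may not have been refreshed since the last change.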