Remove Windows Defender Application Control (WDAC) policies

Note

Some capabilities of Windows Defender Application Control (WDAC) are only available on specific Windows versions. Learn more about the Windows Defender Application Control feature availability.

Removing WDAC policies

There may come a time when you want to remove one or more WDAC policies, or remove all WDAC policies you've deployed. This article describes the various ways to remove WDAC policies.

Important

Signed WDAC policy

If the policy you are trying to remove is a signed WDAC policy, you must first deploy a signed replacement policy that includes option 6 Enabled:Unsigned System Integrity Policy.

The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include <UpdatePolicySigners>.

To take effect, this policy must be signed with a certificate included in the <UpdatePolicySigners> section of the original policy you want to replace.

You must then restart the computer so that the UEFI protection of the policy is deactivated. Failing to do so will result in a boot start failure.

Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer.

To make a policy effectively inactive before removing it, you can first replace the policy with a new one that includes the following changes:

  1. Replace the policy rules with "Allow *" rules;
  2. Set option 3 Enabled:Audit Mode to change the policy to audit mode only;
  3. Set option 11 Disabled:Script Enforcement;
  4. Allow all COM objects. See Allow COM object registration in a WDAC policy;
  5. If applicable, remove option 0 Enabled:UMCI to convert the policy to kernel mode only.
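The following PowerShell is an added example, not part of the Microsoft article, showing how the replacement policy described above can be built with the ConfigCI cmdlets that ship with Windows. It assumes the ConfigCI module is present, that `$ExistingPolicyId` and `$ExistingVersion` are copied from the deployed policy, that `Set-CIPolicyIdInfo -PolicyId` sets the policy's PolicyId, and that AllowAll.xml lives at its usual template path; the COM-object allow setting (step 4) is an XML edit not shown here.

```powershell
# Added example: build a deactivating replacement for an existing WDAC policy.
# Assumptions: ConfigCI module available; AllowAll.xml at the Windows template path;
# $ExistingPolicyId/$ExistingVersion taken from the policy you intend to retire.
#Requires -RunAsAdministrator
$ExistingPolicyId = "{PolicyId GUID}"   # placeholder: use the deployed policy's PolicyId
$ExistingVersion  = "10.0.0.0"          # constructed: use the deployed policy's version
$Template = Join-Path $env:windir "schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml"
$WorkDir  = Join-Path $env:TEMP "WdacDeactivate"
New-Item -Path $WorkDir -ItemType Directory -Force | Out-Null
$Xml = Join-Path $WorkDir "Deactivate.xml"

# Step 1: start from the "Allow *" template instead of the real rule set
Copy-Item -Path $Template -Destination $Xml -Force

# Same PolicyId so this replaces the existing policy; version must be >= existing
Set-CIPolicyIdInfo -FilePath $Xml -PolicyId $ExistingPolicyId
$v = [version]$ExistingVersion
$NewVersion = "{0}.{1}.{2}.{3}" -f $v.Major, $v.Minor, $v.Build, ($v.Revision + 1)
Set-CIPolicyVersion -FilePath $Xml -Version $NewVersion

# Step 2: audit mode only; step 3: no script enforcement
Set-RuleOption -FilePath $Xml -Option 3
Set-RuleOption -FilePath $Xml -Option 11
# Option 6 lets the policy that follows this one be unsigned (needed for signed policies)
Set-RuleOption -FilePath $Xml -Option 6

# Step 5: remove UMCI so the policy applies to kernel mode only
Set-RuleOption -FilePath $Xml -Option 0 -Delete

# Compile to the binary that goes into CiPolicies\Active. If the original policy is
# signed, this .cip must still be signed with a certificate from its <UpdatePolicySigners>.
$Bin = Join-Path $WorkDir "${ExistingPolicyId}.cip"
ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $Bin | Out-Null
Write-Host "Replacement policy written to $Bin"
```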

Important

After you remove a policy, restart the computer for it to take effect. You can't remove WDAC policies without restarting the device.

Remove WDAC policies using CiTool.exe

Beginning with the Windows 11 2022 Update, you can remove WDAC policies using CiTool.exe. From an elevated command window, run the following command. Be sure to replace the text PolicyId GUID with the actual PolicyId of the WDAC policy you want to remove:

    CiTool.exe -rp "{PolicyId GUID}" -json

Then restart the computer.
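As an added example (not from the article), the PowerShell below looks up a policy by its friendly name with CiTool.exe before removing it, and refuses to proceed when the policy is signed, since a signed policy needs the replacement-policy step first. It assumes CiTool.exe is present (Windows 11 2022 Update or later) and that its `-lp -json` output exposes `Policies`, `PolicyID`, `FriendlyName` and `IsSignedPolicy` fields; the policy name used at the bottom is constructed.

```powershell
# Added example: guarded removal of an unsigned WDAC policy via CiTool.exe.
# Assumes CiTool.exe -lp -json returns an object with a Policies array whose
# entries carry PolicyID, FriendlyName and IsSignedPolicy.
#Requires -RunAsAdministrator
function Get-WdacPolicyByName {
    param([Parameter(Mandatory)][string]$FriendlyName)
    $listing = & CiTool.exe -lp -json | ConvertFrom-Json
    @($listing.Policies | Where-Object { $_.FriendlyName -eq $FriendlyName })
}

function Remove-WdacPolicySafely {
    param([Parameter(Mandatory)][string]$FriendlyName)
    $matches = Get-WdacPolicyByName -FriendlyName $FriendlyName
    if ($matches.Count -eq 0) { throw "No WDAC policy named '$FriendlyName' is loaded." }
    if ($matches.Count -gt 1) { throw "Name '$FriendlyName' is ambiguous; pick the PolicyId manually." }
    $policy = $matches[0]

    # A signed policy cannot simply be removed: it needs a signed replacement with
    # option 6 (Enabled:Unsigned System Integrity Policy) and a reboot first.
    if ($policy.IsSignedPolicy) {
        throw "Policy $($policy.PolicyID) is signed; deploy the option-6 replacement policy and restart before removing it."
    }

    # CiTool expects the PolicyId wrapped in braces, as in the article's command
    $id = "{" + ($policy.PolicyID -replace '[{}]', '') + "}"
    & CiTool.exe -rp $id -json
    if ($LASTEXITCODE -ne 0) { throw "CiTool.exe -rp failed with exit code $LASTEXITCODE" }
    Write-Host "Removed $id. Restart the computer for the removal to take effect."
}

Remove-WdacPolicySafely -FriendlyName "Contoso Base Policy"   # constructed policy name
```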

Remove WDAC policies using MDM solutions like Intune

You can use a Mobile Device Management (MDM) solution, like Microsoft Intune, to remove WDAC policies from client machines using the ApplicationControl CSP.

Consult your MDM solution provider for specific information on using the ApplicationControl CSP.

Then restart the computer.

Remove WDAC policies using script

To remove WDAC policies using script, your script must delete the policy file(s) from the computer. For multiple policy format (1903+) WDAC policies, look for the policy files in the following locations. Be sure to replace the PolicyId GUID with the actual PolicyId of the WDAC policy you want to remove.

  • <EFI System Partition>\Microsoft\Boot\CiPolicies\Active\{PolicyId GUID}.cip
  • <OS Volume>\Windows\System32\CodeIntegrity\CiPolicies\Active\{PolicyId GUID}.cip

For single policy format WDAC policies, in addition to the two locations above, also look for a file called SiPolicy.p7b that may be found in the following locations:

  • <EFI System Partition>\Microsoft\Boot\SiPolicy.p7b
  • <OS Volume>\Windows\System32\CodeIntegrity\SiPolicy.p7b

Then restart the computer.

Sample script to delete a single WDAC policy

    # Set PolicyId GUID to the PolicyId from your WDAC policy XML
    $PolicyId = "{PolicyId GUID}"

    # Initialize variables
    $SinglePolicyFormatPolicyId = "{A244370E-44C9-4C06-B551-F6016E563076}"
    $SinglePolicyFormatFileName = "\SiPolicy.p7b"
    $MountPoint = $env:SystemDrive+"\EFIMount"
    $SystemCodeIntegrityFolderRoot = $env:windir+"\System32\CodeIntegrity"
    $EFICodeIntegrityFolderRoot = $MountPoint+"\EFI\Microsoft\Boot"
    $MultiplePolicyFilePath = "\CiPolicies\Active\"+$PolicyId+".cip"

    # Mount the EFI partition
    $EFIPartition = (Get-Partition | Where-Object IsSystem).AccessPaths[0]
    if (-Not (Test-Path $MountPoint)) { New-Item -Path $MountPoint -Type Directory -Force }
    mountvol $MountPoint $EFIPartition

    # Check if the PolicyId to be removed is the system reserved GUID for single policy format.
    # If so, the policy may exist as both SiPolicy.p7b in the policy path root as well as
    # {GUID}.cip in the CiPolicies\Active subdirectory
    if ($PolicyId -eq $SinglePolicyFormatPolicyId) {$NumFilesToDelete = 4} else {$NumFilesToDelete = 2}

    $Count = 1
    while ($Count -le $NumFilesToDelete)
    {

        # Set the $PolicyPath to the file to be deleted, if exists
        Switch ($Count)
        {
            1 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$MultiplePolicyFilePath}
            2 {$PolicyPath = $EFICodeIntegrityFolderRoot+$MultiplePolicyFilePath}
            3 {$PolicyPath = $SystemCodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
            4 {$PolicyPath = $EFICodeIntegrityFolderRoot+$SinglePolicyFormatFileName}
        }

        # Delete the policy file from the current $PolicyPath
        Write-Host "Attempting to remove $PolicyPath..." -ForegroundColor Cyan
        if (Test-Path $PolicyPath) {Remove-Item -Path $PolicyPath -Force -ErrorAction Continue}

        $Count = $Count + 1
    }

    # Dismount the EFI partition
    mountvol $MountPoint /D

Note

You must run the script as administrator to remove WDAC policies on your computer.

Remove WDAC policies causing boot stop failures

A WDAC policy that blocks boot-critical drivers can cause a boot stop failure (BSOD) to occur, though this can be mitigated by setting option 10 Enabled:Boot Audit On Failure in your policies. Additionally, signed WDAC policies protect the policy from administrative manipulation and from malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies, even for administrators. Tampering with or removing a signed WDAC policy will cause a BSOD to occur.

To remove a policy that is causing boot stop failures:

  1. If the policy is a signed WDAC policy, turn off Secure Boot from your UEFI BIOS menu. For help with locating where to turn off Secure Boot within your BIOS menu, consult with your original equipment manufacturer (OEM).
  2. Access the Advanced Boot Options menu on your computer and choose the option to Disable Driver Signature Enforcement. For instructions on accessing the Advanced Boot Options menu during startup, consult with your OEM. This option will suspend all code integrity checks, including WDAC, for a single boot session.
  3. Start Windows normally and sign in. Then, remove WDAC policies using script.
  4. If you turned off Secure Boot in step 1 above and your drive is protected by BitLocker, suspend BitLocker protection then turn on Secure Boot from your UEFI BIOS menu.
  5. Restart the computer.

Note

If your drive is protected by BitLocker, you may need your BitLocker recovery keys to perform steps 1-2 above.