Forum Discussion
DiogoSousa
Jan 04, 2023, Iron Contributor
WDAC not applying via Group Policy
Hello and greetings from Portugal!
I'm trying to implement WDAC via group policy.
I've used WDAC Wizard and if I copy the *.cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active" I see that WDAC gets enabled, for example using MSInfo32.
But I cannot enable WDAC via GPO. I've converted the *.xml to *.bin and enabled the "Deploy Windows Defender Application Control" policy setting.
I see the event id 7010 "Device Guard successfully processed the Group Policy: Configurable Code Integrity Policy = Enabled" but the thing is MSInfo still doesn't show that WDAC is activated.
Can someone please help?
- Hi,
What if you try with a single policy format (.p7b) file?
There is also the script method for deployment, a built-in tool in Windows 11 22H2 and above makes it very easy.
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-policies-for-windows-11-22h2-and-above
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/operations/citool-commands
if it's a signed WDAC policy, it needs to be deployed with script:
https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script#deploying-signed-policies
DiogoSousa, Iron Contributor
Hi and thanks for the help!
I was using a deprecated way to do this via GPO. Instead of using the bin file, you just need to copy the *.cip file to "C:\Windows\System32\CodeIntegrity\CiPolicies\Active".
Best regards,
Diogo Sousa
- Glad you sorted it out!
btw I created a bunch of wiki posts on Github regarding WDAC, signed WDAC etc., all referenced to Microsoft websites, feel free to check it out, learned a lot myself while making it
https://github.com/HotCakeX/Harden-Windows-Security/wiki/Introduction
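The script-based deployment the reply links to, written out as an added example (this is not code from the thread, from Microsoft, or from the linked wiki). It takes a multiple-policy-format XML such as the WDAC Wizard produces, converts it to the binary .cip, places it under the Active folder named by its PolicyID, and then checks what Code Integrity has actually loaded instead of trusting the Event ID 7010 message that misled the original poster. Assumptions: the XML path, the build number 22621 used as the Windows 11 22H2 threshold, and the property names read from CiTool's JSON output.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread. Deploys a multiple-policy-format WDAC
# policy with the script method and verifies that it is loaded.
# $PolicyXml is an assumed path; point it at your own WDAC Wizard output.
param(
    [string] $PolicyXml = 'C:\WDAC\MyPolicy.xml'
)

# A multiple-policy-format policy is identified by its PolicyID, and the .cip in the
# Active folder must carry that GUID as its file name.
[xml] $doc = Get-Content -LiteralPath $PolicyXml -Raw
$policyId = [string] $doc.SiPolicy.PolicyID          # e.g. {E3B4B9F7-...}
if ([string]::IsNullOrWhiteSpace($policyId)) {
    throw "No <PolicyID> element in $PolicyXml; the XML is not in multiple policy format."
}

# Convert the XML to the binary form Code Integrity consumes (ConfigCI module, built into Windows).
$cipPath = Join-Path $env:TEMP "$policyId.cip"
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $cipPath | Out-Null

# Assumption: build 22621 is Windows 11 22H2, where CiTool.exe became available.
$build = [Environment]::OSVersion.Version.Build
if ($build -ge 22621) {
    # CiTool stages the file in the Active folder and refreshes the policy without a reboot.
    CiTool.exe --update-policy $cipPath
    if ($LASTEXITCODE -ne 0) { throw "CiTool --update-policy failed with exit code $LASTEXITCODE" }
} else {
    # Older builds: copy the file into the Active folder yourself, then ask the
    # Code Integrity WMI provider to load it.
    $dest = Join-Path $env:SystemRoot "System32\CodeIntegrity\CiPolicies\Active\$policyId.cip"
    Copy-Item -LiteralPath $cipPath -Destination $dest -Force
    Invoke-CimMethod -Namespace 'root/Microsoft/Windows/CI' `
        -ClassName 'PS_UpdateAndCompareCIPolicy' -MethodName 'Update' `
        -Arguments @{ FilePath = $dest } | Out-Null
}

# Verification. Event ID 7010 only says the Group Policy setting was processed; ask
# Code Integrity what it really holds. Property names below are an assumption about
# CiTool's JSON output and may need adjusting.
if ($build -ge 22621) {
    $listing = CiTool.exe --list-policies --json | ConvertFrom-Json
    $wanted  = $policyId -replace '[{}]', ''
    $mine    = $listing.Policies | Where-Object { ($_.PolicyID -replace '[{}]', '') -ieq $wanted }
    if (-not $mine) {
        throw "Policy $policyId is not listed by CiTool; deployment did not take effect."
    }
    "Policy $($mine.FriendlyName) loaded, enforced: $($mine.IsEnforced)"
} else {
    # Without CiTool, confirm at least that the file is where Code Integrity reads it from;
    # msinfo32 (Windows Defender Application Control policy) shows the runtime state.
    $dest = Join-Path $env:SystemRoot "System32\CodeIntegrity\CiPolicies\Active\$policyId.cip"
    if (-not (Test-Path -LiteralPath $dest)) { throw "$dest is missing after deployment." }
    "Policy file staged at $dest; check msinfo32 or Event ID 3099 for the activation record."
}
```

Run the script once per endpoint (or wrap it in a GPO startup script, which is how the GPO route still works for multiple-policy-format policies), and keep the XML under version control so the PolicyID you deploy matches the one you later remove or update.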