2

I'm applying WDAC using commands. When I have enforced mode, I try changing it to enforced mode, but it doesn't work without a reboot, even with rule 16 activated. I have tried using gpupdate /force, but it doesn't work either. Any ideas?

(W10 version 1809)

The policy is correctly enabled

This is the code I'm using:

$Policy="C:\Policies\Policy.xml"
$DeviceGuardPolicy="C:\Policies\DeviceGuardPolicy.bin"
$LGPOTxt="C:\Policies\LGPO\LGPO.txt" # Txt generated after LGPO backup
$WL="C:\Policies"
$SIPolicy="C:\Windows\System32\CodeIntegrity\SiPolicy.p7b"

# LGPO text fragments that toggle the DeviceGuard policy values. The SZ path in
# ConfigCIPolicyFilePath has to point at the same file as $DeviceGuardPolicy.
$ActivatePolicy="Computer`r`nSOFTWARE\Policies\Microsoft\Windows\DeviceGuard`r`nDeployConfigCIPolicy`r`nDWORD:1`r`n`r`nComputer`r`nSOFTWARE\Policies\Microsoft\Windows\DeviceGuard`r`nConfigCIPolicyFilePath`r`nSZ:C:\\WL\\politicas\\DeviceGuardPolicy.bin"
$DesactivatePolicy="Computer`r`nSOFTWARE\Policies\Microsoft\Windows\DeviceGuard`r`nDeployConfigCIPolicy`r`nDELETE`r`n`r`nComputer`r`nSOFTWARE\Policies\Microsoft\Windows\DeviceGuard`r`nConfigCIPolicyFilePath`r`nDELETE"

# Functions have to be defined before they are called in a script
function Enable-WdacPolicy
{
    # Replace the DELETE entries with the deploy entries and re-import the local policy
    (Get-Content -Path $LGPOTxt -Raw).Replace($DesactivatePolicy, $ActivatePolicy) | Set-Content -Path $LGPOTxt
    Push-Location $WL
    .\LGPO.exe /t $LGPOTxt
    Pop-Location
    ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $SIPolicy
    gpupdate /force
}

function Disable-WdacPolicy
{
    (Get-Content -Path $LGPOTxt -Raw).Replace($ActivatePolicy, $DesactivatePolicy) | Set-Content -Path $LGPOTxt
    Push-Location $WL
    .\LGPO.exe /t $LGPOTxt
    Pop-Location
    gpupdate /force
}

Disable-WdacPolicy
Remove-Item $SIPolicy -ErrorAction SilentlyContinue
# Option 3 is "Enabled:Audit Mode": this line turns audit mode on. To build an
# enforced policy instead, remove the option: Set-RuleOption -FilePath $Policy -Option 3 -Delete
Set-RuleOption -FilePath $Policy -Option 3
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $DeviceGuardPolicy
ConvertFrom-CIPolicy -XmlFilePath $Policy -BinaryFilePath $SIPolicy
Enable-WdacPolicy
marcosagni98
    The description for rule 16 says it would "allow **future** WDAC policy updates to apply without requiring a system reboot." It's not enabled by default, so you have to restart at least the first time you set the policy. Or is it not working even after that rule has been enabled? – Cpt.Whale Oct 28 '21 at 14:29
  • @Cpt.Whale I have tried rebooting and the policy is enabled, I verified in msinfo32.exe – marcosagni98 Oct 29 '21 at 10:58

2 Answers

1

I found this solution

$DestinationBinary = "C:\Windows\System32\CodeIntegrity\SiPolicy.p7b"   # the deployed policy binary ($SIPolicy in the question)
Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = $DestinationBinary}

Adding this line after gpupdate /force refreshes the policy shown in msinfo32.exe.

marcosagni98
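An added example, not code from the question or the answer above: the CIM refresh call from the answer, wrapped into a rebuild, deploy, refresh and verify sequence for the single-policy format that Windows 10 1809 uses. The paths are the ones from the question. Setting rule option 16 in the XML and reading the enforcement state back from Win32_DeviceGuard are assumptions about how a practitioner would check the result, not steps the answer states. The refresh only takes effect without a reboot if the policy that is currently active already carries option 16 (Enabled:Update Policy No Reboot).

```powershell
# Added example: rebuild, deploy and refresh a single-format WDAC policy without a reboot.
# Paths follow the question; run in an elevated PowerShell session on Windows 10 1809.
$Policy   = "C:\Policies\Policy.xml"
$SIPolicy = "C:\Windows\System32\CodeIntegrity\SiPolicy.p7b"

function Update-WdacPolicyNoReboot {
    param(
        [Parameter(Mandatory)] [string] $XmlPath,
        [Parameter(Mandatory)] [string] $BinaryPath,
        [switch] $Audit    # keep option 3 (Enabled:Audit Mode) instead of enforcing
    )

    # Option 16 (Enabled:Update Policy No Reboot) lets later updates apply without a
    # restart; the policy already active on the box must have it for this run's refresh.
    Set-RuleOption -FilePath $XmlPath -Option 16

    # Option 3 is Enabled:Audit Mode; deleting it makes the policy enforce
    if ($Audit) {
        Set-RuleOption -FilePath $XmlPath -Option 3
    } else {
        Set-RuleOption -FilePath $XmlPath -Option 3 -Delete
    }

    # Compile the XML to the binary the kernel loads
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $BinaryPath | Out-Null

    # Ask Code Integrity to load the new binary now (the call from the answer above)
    $cim = Invoke-CimMethod -Namespace root\Microsoft\Windows\CI `
        -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update `
        -Arguments @{ FilePath = $BinaryPath }

    # Report what the kernel is enforcing now (0 = off, 1 = audit, 2 = enforced);
    # assumption: the CIM method exposes its status in ReturnValue
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        CimReturn  = $cim.ReturnValue
        KernelMode = $dg.CodeIntegrityPolicyEnforcementStatus
        UserMode   = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

Update-WdacPolicyNoReboot -XmlPath $Policy -BinaryPath $SIPolicy
```

If KernelMode still reports the old value after the call, the active policy did not carry option 16, and one more reboot is needed before rebootless updates start working; after that, reruns of the function should show the new state immediately.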
0

Starting with Windows 11 22H2, using CiTool, you can deploy and activate policies (signed and unsigned) without a reboot; only removing policies needs a reboot.

You can use the same tool to refresh WDAC policies, remove them, list them, etc.

Signed WDAC policies, which have increased security and provide tamper protection even against a system administrator, are deployed in the EFI partition.

You can modify already deployed (signed and unsigned) WDAC policies without a reboot as well; you just need their policy XML file and, in the case of signed policies, the certificate (with private keys) used to sign them.

If you want to read more about Windows Defender Application Control

SpyNet
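An added example, not code from the answer above: the CiTool workflow it describes for Windows 11 22H2 and later, as a practitioner would script it. The XML path is an assumption; the policy is assumed to be in the multiple-policy format, whose binary is named after its PolicyID, and the JSON field names used in the Select-Object are the ones CiTool reports at the time of writing, so check them against the raw --json output on your build. Signing is not shown: for a signed policy the .cip has to be signed with the policy-signing certificate before the --update-policy step.

```powershell
# Added example: deploy, list, refresh and remove WDAC policies with CiTool (Windows 11 22H2+).
# Run elevated. $PolicyXml is an assumed path; everything else is CiTool's documented CLI.
$CiTool    = "$env:SystemRoot\System32\CiTool.exe"
$PolicyXml = "C:\Policies\Policy.xml"

function Get-WdacPolicies {
    # --json gives machine-readable output; Policies holds one entry per deployed policy
    (& $CiTool --list-policies --json | ConvertFrom-Json).Policies
}

function Publish-WdacPolicy([string] $XmlPath) {
    # Multiple-policy-format binaries must be named {PolicyID}.cip; read the ID from the XML
    $id  = ([xml](Get-Content -Path $XmlPath -Raw)).SiPolicy.PolicyID
    $cip = Join-Path $env:TEMP "$id.cip"
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $cip | Out-Null

    # Copies the .cip into the policy store and activates it without a reboot.
    # Re-running this with an edited XML is the rebootless "modify" path from the answer.
    & $CiTool --update-policy $cip --json
    return $id
}

function Remove-WdacPolicy([string] $PolicyId) {
    # Removal is the one operation that still needs a reboot to fully take effect
    & $CiTool --remove-policy $PolicyId --json
}

$deployedId = Publish-WdacPolicy $PolicyXml

# Confirm the policy is present and whether it is enforcing
Get-WdacPolicies |
    Where-Object { $_.PolicyID -eq $deployedId } |
    Select-Object PolicyID, FriendlyName, IsEnforced, IsAuthorized

# Ask Code Integrity to re-read every policy in the store
& $CiTool --refresh --json

# Cleanup when the policy is no longer wanted (takes effect after the next reboot)
# Remove-WdacPolicy $deployedId
```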