
I am trying to deploy a signed WDAC policy on a Windows machine. On the first boot after deployment everything is fine, but on the next boot I am sent to the UEFI firmware configuration screen.

I have followed the signing guide exactly as it was written at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering

I have tried what this person had suggested: Windows Defender Application Control prevents Windows to boot after second restart (signed policy). I changed the policy GUIDs to those. I still didn't get it to boot after the second reboot.

I've tried disabling HVCI, but that hasn't worked either, as I found here: https://docs.microsoft.com/en-us/answers/questions/391500/do-secure-boot-keys-need-to-be-included-in-wdac-po.html

2 Answers

3

A lot has changed related to WDAC, which is now called Application Control policies. The certificate now supports UTF-8 characters in the subject and other certificate fields, which would previously cause boot failure.

There is also no longer a limit on how many policies you can deploy on the system, which again would cause boot failure if you exceeded 32 policies.

If you want to create a certificate compatible with Application Control signing (WDAC), then you can refer to this open-source Windows app I made, which simplifies it. You can use it to deploy the signed policy as well. I've implemented many guardrails around signed policy deployment and removal and eliminated any user-related accidents that could lead to boot failure.

https://github.com/HotCakeX/Harden-Windows-Security/wiki/Build-New-Certificate

If you prefer the manual way, here is my guide on how to do it using Windows Server certificate authority: https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-Windows-Defender-Application-Control

SpyNet
  • 199
0

It seems that WDAC doesn't have proper support for code signing certificates, or something is just wrong with mine. I generated a self-signed code signing certificate following Microsoft's official documentation, and now I am able to boot Windows with my signed policy.
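Both answers come down to the same thing: the certificate used to sign the policy must be a code-signing certificate that is also listed as a signer inside the policy, and the "unsigned policy" option must be removed before converting and signing. The script below is an added example, not code from either answer, the question, or the linked projects; it follows the sequence in the Microsoft signing guide referenced in the question, using a self-signed code-signing certificate as the second answer does. The certificate subject, file paths and the signtool location are placeholders, and the policy XML is assumed to already exist and to have been tested unsigned.

```powershell
# Added example: sign a WDAC / Application Control policy with a self-signed
# code-signing certificate. Paths and the subject name are placeholders.

$PolicyPath    = 'C:\WDAC\MyPolicy.xml'         # existing, already-tested policy XML (assumed)
$CipPath       = 'C:\WDAC\MyPolicy.cip'         # binary policy produced from the XML
$CertPath      = 'C:\WDAC\WDACSigner.cer'       # public certificate exported for Add-SignerRule
$SignTool      = 'C:\Tools\signtool.exe'        # placeholder path to signtool.exe from the Windows SDK
$SignerSubject = 'CN=WDAC Policy Signer'        # keep the subject ASCII-only; the first answer notes
                                                # that non-ASCII subjects previously caused boot failures

# 1. Create a self-signed code-signing certificate (the approach the second answer reports working).
#    -Type CodeSigningCert sets the Code Signing EKU, which WDAC policy signing requires.
$cert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject $SignerSubject `
    -HashAlgorithm SHA256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 2. Export the public certificate; the policy must reference this signer or the
#    signed binary will be rejected at boot.
Export-Certificate -Cert $cert -FilePath $CertPath | Out-Null

# 3. Add the certificate as a user-mode and kernel-mode signer, and as an update
#    signer so that a future policy signed by the same certificate can replace this one.
Add-SignerRule -FilePath $PolicyPath -CertificatePath $CertPath -User -Kernel -Update

# 4. Remove option 6 ("Enabled:Unsigned System Integrity Policy"). Leaving it set
#    means the policy is still treated as unsigned, which is not what we want here.
Set-RuleOption -FilePath $PolicyPath -Option 6 -Delete

# 5. Convert the XML to the binary form that Code Integrity loads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath $CipPath

# 6. Sign the binary with signtool. The -p7co OID marks it as a Code Integrity policy.
& $SignTool sign -v /n 'WDAC Policy Signer' -p7 (Split-Path $CipPath) `
    -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CipPath

# 7. Sanity check before copying the .p7b into place: the signer in the policy XML
#    and the certificate used by signtool must be the same certificate.
$policySigners = (Select-Xml -Path $PolicyPath -XPath '//*[local-name()="Signer"]').Node
if (-not $policySigners) {
    throw 'No Signer entries found in the policy; deploying this signed would risk a boot failure.'
}
Write-Host "Policy references $($policySigners.Count) signer(s); signed output: $CipPath.p7b"
```

The check at step 7 is the one to keep in any deployment script: the failure mode described in the question (boots once, then the firmware screen on the next boot) is what a signed policy whose signer does not match the policy's own signer rules looks like, so refusing to deploy when the two disagree is cheaper than recovering the machine afterwards.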