none
How to disable Device Guard (Code Integrity Policy / Windows Defender Application Control) Feature RRS feed

  • Question

  • Hi Team,

    I have followed all the steps provided here https://www.petri.com/enabling-windows-10-device-guard to test the device guard feature on my Windows 10 1803 VM and i was able to test the feature successfully. But now i want to revert this, and for this i have disabled the policy in gpedit & rebooted OS but it still blocking the installer files.

    Can someone please help me disable this feature.

    Note: One change i noticed while following the steps mentioned in above link was the Policy name, in the link policy name mentioned as "Computer Configuration\Administrative Templates\System\Device Guard\Deploy Code Integrity Policy" but in Windows 10 1803 VM policy name is "Computer Configuration\Administrative Templates\System\Device Guard\Deploy Windows Defender Application Control".

    Thanks,


    MayurG

    Friday, July 19, 2019 1:33 PM

Answers

  • Hi, 

    The link you referred used the previous system version build, I suspect it might be Windows 10 1511. So the new released system version such as 1803 and my system 1903 all show as "Deploy Windows Defender Application Control"

    For disable "Deploy Windows Defender Application Control", please see the description of the policy.

    As it says, it is not available to remove the feature by disabling the policy. So please try the suggestion recorded in the policy as the capture shows.

    By the way, the policy you configured is located in C:\Windows\schemas\CodeIntegrity. We could download the default policy from the link below, and then enable the policy, and upload default .xml file to the Code Integrity policy file path. Reboot computer. At last, choose disable tab and reboot.

    Default Code Integrity policy for Windows Server

    If my information is useful for you, please mark it as answer.

    Bests, 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 22, 2019 5:15 AM
    Moderator

All replies

  • Hi, 

    The link you referred used the previous system version build, I suspect it might be Windows 10 1511. So the new released system version such as 1803 and my system 1903 all show as "Deploy Windows Defender Application Control"

    For disable "Deploy Windows Defender Application Control", please see the description of the policy.

    As it says, it is not available to remove the feature by disabling the policy. So please try the suggestion recorded in the policy as the capture shows.

    By the way, the policy you configured is located in C:\Windows\schemas\CodeIntegrity. We could download the default policy from the link below, and then enable the policy, and upload default .xml file to the Code Integrity policy file path. Reboot computer. At last, choose disable tab and reboot.

    Default Code Integrity policy for Windows Server

    If my information is useful for you, please mark it as answer.

    Bests, 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, July 22, 2019 5:15 AM
    Moderator
  • Thanks a lot Joy,

    I configured "Deploy Windows Defender Application Control" policy with C:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml file and i am able to execute all the installer files now.


    MayurG

    Monday, July 22, 2019 10:09 AM