I am deploying a signed WDAC policy to a Dell Latitude 7200 running Windows Enterprise (20H2 at the time this question was written) which includes TPM 2.0 with Secure Boot. The policy is being added to the target system using the Application Control CSP. It's based on the DefaultWindows_Enforced policy from C:\Windows\schemas\CodeIntegrity\ExamplePolicies. When deployed, it predictably blocks unsigned code. After restarting once, it still works. Restarting a third time results in a boot failure (Dell detects boot failures and drops you into an OS recovery mode). The only way to get around this is to disable Secure Boot. After disabling Secure Boot, I am able to boot into Windows and, taking a look at the WDAC events, nothing appears to have been blocked (not surprising as it may be blocking some kernel mode drivers and I don't know of an event for those being blocked). I've also tried scanning the entire target system using New-CIPolicy but it results in the same boot failure. Even if I put the policy in "Boot Audit on Failure" it still fails to boot.
Since this is a Dell manufactured device, they have OEM Secure Boot keys. Do these need to be included in a WDAC policy somehow? I would have assumed these would be detected with New-CIPolicy if they were required, but perhaps not. I would test this but I don't know how to add these. I am able to export them from the BIOS as text files and I can see the (presumably) key names among the keys' data bytes: Dell Inc. Key Exchange Key; Dell Inc. UEFI DB; Dell Inc. Platform Key. I was thinking maybe the policy needs to be signed by the PK or KEK or something that has a chain back to these but I haven't found a way to do that. Maybe also the signer I used to sign the policy needs to be added to the Secure Boot DB but I haven't found a clear way to do that either. I couldn't find much information on Microsoft's WDAC documentation concerning this so any guidance is greatly appreciated.
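The Secure Boot variables mentioned above can be decoded directly on the device rather than read from a BIOS text export; the following is an added example (not code from the question) that assumes an elevated PowerShell prompt on the UEFI host and the SecureBoot module's Get-SecureBootUEFI cmdlet.

```powershell
# Added example: walk the EFI_SIGNATURE_LIST structures in a Secure Boot variable
# (PK, KEK, db or dbx) and decode X.509 entries so their subject names are readable.
$EfiCertX509   = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'   # EFI_CERT_X509_GUID
$EfiCertSha256 = [guid]'c1c41626-504c-4092-aca9-41f936934328'   # EFI_CERT_SHA256_GUID

function Get-SecureBootEntries {
    param([ValidateSet('PK','KEK','db','dbx')][string]$Name = 'db')
    [byte[]]$bytes = (Get-SecureBootUEFI -Name $Name).Bytes   # requires elevation
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), then three UINT32s:
        # SignatureListSize, SignatureHeaderSize, SignatureSize
        $type       = [guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28 -or ($offset + $listSize) -gt $bytes.Length) {
            throw "Malformed EFI_SIGNATURE_LIST at offset $offset in $Name"
        }
        $pos = $offset + 28 + $headerSize
        $end = $offset + $listSize
        while (($pos + $sigSize) -le $end) {
            # EFI_SIGNATURE_DATA: SignatureOwner GUID (16 bytes) followed by the payload
            $owner = [guid]::new([byte[]]$bytes[$pos..($pos + 15)])
            $data  = [byte[]]$bytes[($pos + 16)..($pos + $sigSize - 1)]
            $entry = [ordered]@{ Variable = $Name; Owner = $owner; Subject = $null; Sha256 = $null }
            if ($type -eq $EfiCertX509) {
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($data)
                $entry.Subject = $cert.Subject
                $sha = [System.Security.Cryptography.SHA256]::Create().ComputeHash($cert.RawData)
                $entry.Sha256 = [BitConverter]::ToString($sha) -replace '-'
            } elseif ($type -eq $EfiCertSha256) {
                $entry.Subject = '<hash entry>'             # dbx-style raw SHA-256 of a binary
                $entry.Sha256  = [BitConverter]::ToString($data) -replace '-'
            }
            [pscustomobject]$entry
            $pos += $sigSize
        }
        $offset = $end
    }
}

# List what the firmware actually trusts for booting; the same function works for PK, KEK and dbx.
Get-SecureBootEntries -Name db | Format-Table Variable, Owner, Subject, Sha256 -AutoSize
```

The decoded subjects are the names seen in the BIOS export, which lets the certificate chain of whatever signed the policy be compared against the firmware's trusted set rather than guessed at from raw bytes.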