Merge Windows Defender Application Control (WDAC) policies

Applies to:

  • Windows 10
  • Windows 11
  • Windows Server 2016 and above

Note

Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the Windows Defender Application Control feature availability.

This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases.

Note

Prior to Windows version 1903, including Windows Server 2019 and earlier, only one WDAC policy can be active on a system at a time. If you need to use WDAC on systems running these earlier versions of Windows, you must merge all policies before deploying.

Merge multiple WDAC policy XML files together

There are many scenarios where you may want to merge two or more policy files together. For example, if you use audit events to create WDAC policy rules, you can merge those rules with your existing WDAC base policy. To merge the two WDAC policies referenced in that article, complete the following steps in an elevated Windows PowerShell session.

  1. Initialize the variables that will be used:

    $PolicyName= "Lamna_FullyManagedClients_Audit"
    $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml"
    $EventsPolicy=$env:userprofile+"\Desktop\EventsPolicy.xml"
    $MergedPolicy=$env:userprofile+"\Desktop\"+$PolicyName+"_Merged.xml"
    
  2. Use Merge-CIPolicy to merge two policies and create a new WDAC policy:

    Merge-CIPolicy -PolicyPaths $LamnaPolicy,$EventsPolicy -OutputFilePath $MergedPolicy
    

    Note

    You can merge additional policies with the Merge-CIPolicy step above by adding them to the -PolicyPaths parameter separated by commas. The new policy file specified by -OutputFilePath will have the Policy information from the first policy in the list. For example, in the above example, the $MergedPolicy will inherit the policy type, ID, name, and version information from $LamnaPolicy. To change any of those values, use Set-CIPolicyIdInfo and Set-CIPolicyVersion.

Merge WDAC rules directly into a policy XML

Besides merging multiple policy XML files, you can also merge rules created with the New-CIPolicyRule cmdlet directly into an existing WDAC policy XML file. Directly merging rules is a convenient way to update your policy without creating extra policy XML files. For example, to add rules that allow the WDAC Wizard and the WDAC RefreshPolicy.exe tool, follow these steps:

  1. Install the WDAC Wizard packaged MSIX app.

  2. Download the Refresh Policy tool for your processor architecture and save it to your desktop as RefreshPolicy.exe.

  3. From a PowerShell session, run the following commands to create packaged app allow rules for the WDAC Wizard:

    $PackageInfo = Get-AppxPackage -Name Microsoft.WDAC.WDACWizard
    $Rules = New-CIPolicyRule -Package $PackageInfo
    
  4. Add FilePublisher rules for the RefreshPolicy.exe:

    $Rules += New-CIPolicyRule -DriverFilePath $env:USERPROFILE\Desktop\RefreshPolicy.exe -Level FilePublisher
    
  5. Use Merge-CIPolicy to merge the new rules directly into the MergedPolicy file created in the previous procedure's final step:

    Merge-CIPolicy -PolicyPaths $MergedPolicy -OutputFilePath $MergedPolicy -Rules $Rules
    

Convert and deploy merged policy to managed endpoints

Now that you have your new, merged policy, you can convert and deploy the policy binary to your managed endpoints.

  1. Use ConvertFrom-CIPolicy to convert the WDAC policy to a binary format:

    $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin"
    ConvertFrom-CIPolicy -XMLFilePath $MergedPolicy -BinaryFilePath $WDACPolicyBin
    

    Note

    In the sample commands above, for policies targeting Windows 10 version 1903+ or Windows 11, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces { }) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.

  2. Upload your merged policy XML and the associated binary to the source control solution you are using for your WDAC policies. such as GitHub or a document management solution such as Office 365 SharePoint.

  3. Deploy the merged policy using your preferred deployment solution. See Deploying Windows Defender Application Control (WDAC) policies