Deploy Code Integrity Policy

Deploy Code Integrity PolicyThis policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine.If you deploy a Code Integrity Policy Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine must be rebooted. The file path must be either a UNC path (for example -> -> ServerName -> ShareName -> SIPolicy.p7b) or a locally valid path (for example C: -> FolderName -> SIPolicy.p7b). The local machine account (LOCAL SYSTEM) must have access permission to the policy file. If using a signed and protected policy then disabling this policy setting doesn’t remove the feature from the computer. Instead you must either: 1) first update the policy to a non-protected policy and then disable the setting or 2) disable the setting and then remove the policy from each computer with a physically present user.

    The policy is located under of Local Group Policy Editor.

Additional Information

  1. Registry path is:

    HKLM -> SOFTWARE -> Policies -> Microsoft -> Windows -> DeviceGuard!DeployConfigCIPolicy; HKLM -> SOFTWARE -> Policies -> Microsoft -> Windows -> DeviceGuard!ConfigCIPolicyFilePath

  2. The Administrative Template path is:

    System -> Device Guard


* Making mistakes while changing registry values can affect your system adversely. We recommend you to create a System Restore point before making registry manipulation. If you're new to Registry Editor, read this beginner's guide.
** To locate the registry and administrative template path, checkout beginner's guide.
You're here :
Checkout Kapil Sparks™