WDAC: Choose Multi Policy or Single Policy

When choosing your path for WDAC, it’s important to be familiar with the technical limitations of the different implementation methods. So let’s dive into it!

OS Support

WDAC starts it support in Windows 10 and Windows server 2016. Single Policy format is the go-to deployment method for these versions. This will be a single “SiPolicy.p7b” file that is packed from an XML and deployed to the machine. If you need to support WS2016-2019 for the unforseen future, Single Policy format is probably the route to go. And to be clear, Single policy also support newer OS editions.

From versions Windows 10 1903 and Windows Server 2022 and above, WDAC starts supporting the Multi-Policy format. This enables layered policy structure instead of one mega-policy.

Multi-Policy example

This means you can create multiple policies with different rules that are combined together dynamically by the OS.

• Base Policy
  • Allows Windows Default necessary modules
  • Adds recommended block rules for kernel and user mode
• Supplemental Policy 1:
  • Allow platform software that everyone will use
    • SOC agent, Sysmon, EDR, etc.
• Supplemental Policy 2:
  • Allow common Client software
    • Office software, email, browsers, pdf-readers, etc.
• Supplemental Policy 3:
  • Allow workload specific exceptions

As an example of how multi-policy could be applied to a real world scenario I added the below table to showcase how multi-policy format makes it easier to reuse standard policy sets across different workloads.

Full list of feature support by versions here.

I dont think i have to explain to you why single-policy can get a bit messy to manage in a complex infrastructure with very different requirements.

Deployment options for each model

For the Single Policy format, simply place the “SiPolicy.p7b” in the folder: “C:/Windows/System32/CodeIntegrity/SiPolicy.p7b” and reboot the machine for the policy to be inn effect.

Single-policy format can be deployed with GPO, Script, Intune or SCCM. Technically, you could deploy by simply drag&dropping the “SiPolicy.p7b” file into the correct folder.

When it comes to Multi-Policy format, GPO is no longer a supported deployment method, but Script, Intune (and SCCM – kinda) are still valid deployment methods.

For Intune, deployment of Multi-Policy format is still in Public Preview as of writing. Intune multi-policy is deployed by renaming your “{GUID}.cip” files to “.bin” and uploading them to Intune to roll them out. Full documentation on this here.

SCCM has an entirely built-in management feature where you build the policy within the SCCM panel according to Microsofts documentation. I will be honest and say that I am not familiar with SCCM , but Microsoft states in the documentation that if SCCMs built-in panel is limited in functionality, you can use script functionality through SCCM to achieve your goals.

In the end, both single and multi-policy formats support deployment through script for applicable endpoints. This is the route that I will go down for managing my endpoints with WDAC. And because all of my infrastructure is newer than W10 1903 and WS2022, Multi-Policy format will be the most flexible and the easiest to maintain.

Follow along in the next blog to learn more about the WDAC Wizard and policy building!