Despite Group Policy Edit, WDAC Policy Still Enforced


russ6100
Hi,

This is my very first post - there are many like it but this one is mine.

Like what's been alluded to in the title, why is it that despite setting Group Policy under: Administrative Templates --> System --> Device Guard - `Deploy Windows Defender Application Control` to `Disabled`, according to msinfo32, `Windows Defender Application Control Policy` and `Windows Defender Application Control user mode policy` are both reporting `enforced`?

Version 23H2 (OS Build 22631.4890)
 

My Computer My Computer

At a glance

Windows 11 ProAMD Ryzen R7 7700X32GB DDR5RX 7800XT
OS
Windows 11 Pro
Computer type
PC/Desktop
Manufacturer/Model
Briggs & Stratton
CPU
AMD Ryzen R7 7700X
Motherboard
Gigabyte X670 GAMING X AX
Memory
32GB DDR5
Graphics Card(s)
RX 7800XT
Sound Card
MOTU M2
Monitor(s) Displays
Samsung
Screen Resolution
3840 x 2160
Hard Drives
Crucial 2 TB 5000 MB/S NVMe
PSU
GM850
Case
DIY
Cooling
Vetroo Lurker V240
Keyboard
Logitech
Mouse
Logitech
Internet Speed
Just under a GB
Browser
Several
Antivirus
Windows Defender
Did you follow the process here to remove the policy? Remove App Control for Business policies
Thanks for that!

From the article:
"There may come a time when you want to remove one or more App Control policies, or remove all App Control policies you've deployed. This article describes the various ways to remove App Control policies."

and:

"Signed Base App Control policy

If the base policy you are trying to remove is a signed App Control policy, you must first deploy a signed replacement policy that includes option 6 Enabled:Unsigned System Integrity Policy.

The replacement policy must have the same PolicyId as the one it's replacing and a version that's equal to or greater than the existing policy. The replacement policy must also include <UpdatePolicySigners>.

To take effect, this policy must be signed with a certificate included in the <UpdatePolicySigners> section of the original policy you want to replace.

You must then restart the computer so that the UEFI protection of the policy is deactivated. Failing to do so will result in a boot start failure."

also:

"Before removing any policy, you must first disable the method used to deploy it (such as Group Policy or MDM). Otherwise, the policy may redeploy to the computer."

This article sounds like it's geared toward machines in an enterprise environment. The environment type in this case is my bedroom.

This is a brand-new stock build of Win 11 Pro and the only Group Policy edits that have been done are the one I mentioned above and also in the same path:

`Administrative Templates --> System --> Device Guard --> Turn on Virtualization Based Security`, which I set to `Disabled`.

Unless Group Policy edits are just for show, WDAC shouldn't even be functioning at this point.

Maybe I'm misunderstanding something but what's happening doesn't seem logical.
Just as I suspected all along, it was SAC that was responsible for enforcing a policy, essentially "masquerading" as a WDAC policy.

All better with the flip of a switch.
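An added diagnostic script (not from this thread or from Microsoft) that shows, in one run, the same Code Integrity enforcement state msinfo32 reports, the Smart App Control state, and what the Device Guard Group Policy actually wrote, so the two sources of "enforced" can be told apart. It assumes the `Win32_DeviceGuard` CIM class, the `VerifiedAndReputablePolicyState` value under the CI policy key, and the `DeployConfigCIPolicy` policy value; the policy file paths listed are the usual deployment locations and are an assumption of this script.

```powershell
# Added example, not the thread's own steps. Run from an elevated PowerShell on Windows 11.

function Get-CodeIntegrityState {
    # Same class msinfo32 reads. Status codes: 0 = Off, 1 = Audit, 2 = Enforced.
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $map = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelModePolicy = $map[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy   = $map[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

function Get-SmartAppControlState {
    # SAC keeps its own state here, independent of the Device Guard GPO.
    # Assumed meaning: 0 = Off, 1 = On (enforced), 2 = Evaluation mode.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Policy'
    $val = (Get-ItemProperty -Path $key -Name VerifiedAndReputablePolicyState -ErrorAction SilentlyContinue).VerifiedAndReputablePolicyState
    switch ($val) { 0 { 'Off' } 1 { 'Enforced' } 2 { 'Evaluation' } default { 'NotPresent' } }
}

function Get-DeviceGuardGpoState {
    # What "Deploy Windows Defender Application Control" = Disabled actually writes (assumed value name).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $val = (Get-ItemProperty -Path $key -Name DeployConfigCIPolicy -ErrorAction SilentlyContinue).DeployConfigCIPolicy
    if ($null -eq $val) { 'NotConfigured' } elseif ($val -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Get-DeployedPolicyFiles {
    # Locations where a GPO-, MDM- or manually deployed App Control policy would normally live (assumption).
    $paths = @(
        "$env:SystemRoot\System32\CodeIntegrity\SiPolicy.p7b",
        "$env:SystemRoot\System32\CodeIntegrity\CiPolicies\Active\*.cip"
    )
    Get-ChildItem -Path $paths -ErrorAction SilentlyContinue | Select-Object FullName, LastWriteTime
}

$ci    = Get-CodeIntegrityState
$sac   = Get-SmartAppControlState
$gpo   = Get-DeviceGuardGpoState
$files = @(Get-DeployedPolicyFiles)

"Kernel-mode CI policy  : $($ci.KernelModePolicy)"
"User-mode CI policy    : $($ci.UserModePolicy)"
"Smart App Control      : $sac"
"Device Guard GPO       : $gpo"
"Policy files on disk   : $($files.Count)"
$files | ForEach-Object { "  $($_.FullName)  ($($_.LastWriteTime))" }

if ($ci.UserModePolicy -eq 'Enforced' -and $sac -eq 'Enforced') {
    'The enforced user-mode policy is consistent with Smart App Control; the Device Guard GPO does not control SAC.'
}
```

If Smart App Control reports `Enforced` while the GPO reports `Disabled`, the switch to look at is in Windows Security under App & browser control rather than in the Group Policy editor.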