Signed WDAC policy going into boot failure with Secure boot

Somen Sahoo 0 Reputation points
2025-06-27T12:00:22.21+00:00

I'm trying to activate a signed policy with Secure Boot enabled. But it goes into the UEFI settings screen or boot failure after a second reboot. Without Secure Boot, the policy seems to be activated though.

I tried enabling unsigned policy rule in the base policy and this seems to be working.

I am signing the base policy with our company certificate and we need the signed one to activate with secure boot enabled.

What can be the problem and how to tackle it?


1 answer

  1. Brian Huynh (WICLOUD CORPORATION) 390 Reputation points Microsoft External Staff Moderator
    2025-07-18T08:10:56.7933333+00:00

    Hello, 

    Your troubleshooting has correctly pointed to the interaction between your signed policy and Secure Boot. Let's walk through what's happening and how to resolve it correctly. 

    The root cause of this issue is that your system's UEFI firmware does not trust the certificate you used to sign the WDAC policy. 

    Here is the sequence of events during boot: 

    1. You turn on your computer. 
    2. The UEFI firmware initializes and Secure Boot is activated. 
    3. Secure Boot checks the signature of the Windows Boot Manager. This is trusted by default (signed by Microsoft). 
    4. The Windows Boot Manager then tries to load your WDAC policy (SiPolicy.p7b). 
    5. Secure Boot intervenes again and checks the signature on your WDAC policy file. It looks for the public key of the signing certificate in its trusted database (the db store). 
    6. Because your company's certificate is not in that trusted database, Secure Boot considers the policy untrustworthy and blocks it from loading, which results in a boot failure or pushes you into the UEFI settings screen. 

    Why your workarounds worked: 

    Without Secure Boot: The signature check by the firmware (step 5) is skipped, so the policy loads without issue once Windows takes over. 

    With the "Unsigned Policy" rule (Option 6: Unsigned System Integrity Policy): This rule essentially tells the Windows Boot Manager, "Even if Secure Boot rejects this policy's signature, please load it anyway."  

    Solution: Enroll Your Signing Certificate into the Secure Boot Database 

    Step 1: Export the Public Certificate (.cer file) 

    First, you need the public key certificate (.cer format) from the certificate you used for signing. If you have the .pfx file, you can export it. A simpler way is to extract it directly from your signed policy file. 

    Run this PowerShell command on a machine where your signed .p7b policy file is located: 

    # Path to your signed policy file
    $signedPolicyPath = "C:\Path\To\Your\SignedPolicy.p7b"
    # Path where you want to save the public certificate
    $certPath = "C:\Path\To\Your\WDAC_Signer.cer"
    # Get the signer information from the policy's Authenticode signature
    $signer = Get-AuthenticodeSignature -FilePath $signedPolicyPath
    if ($null -eq $signer.SignerCertificate) {
        throw "No signer certificate found on $signedPolicyPath (status: $($signer.Status))"
    }
    # Export only the public certificate (DER-encoded .cer, no private key)
    Export-Certificate -Cert $signer.SignerCertificate -FilePath $certPath | Out-Null
    Write-Host "Certificate exported to $certPath"


    You will now have a WDAC_Signer.cer file. 

    Step 2: Enroll the Certificate into UEFI Firmware 

    1. Copy the .cer file you just created to a FAT32-formatted USB drive. 
    2. Restart the computer and enter the UEFI/BIOS settings (usually by pressing F2, F10, or Del during boot). 
    3. Navigate to the Security or Boot section and find Secure Boot settings. 
    4. Look for an option like Key Management, Custom Keys, or Append to DB. 
    5. Select the option to add a new signature to the Authorized Signatures database (db). 
    6. Browse to your USB drive and select the WDAC_Signer.cer file. 
    7. Save the changes and exit the UEFI settings. 

    The machine should now boot successfully with the signed policy and Secure Boot enabled. 

    Recovery Plan 

    If a machine ever fails to boot due to a bad policy, you can recover it by: 

    1. Restarting the machine and entering the UEFI/BIOS settings. 
    2. Disabling Secure Boot temporarily. 
    3. Booting into Windows. 
    4. Deleting the active policy file from C:\Windows\System32\CodeIntegrity\SiPolicy.p7b. 
    5. Re-enabling Secure Boot. 

    Let us know if you have any more questions. If you find this solution helpful, please accept the answer. 

    Best regards, 

    Brian Huynh 

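A check worth running before the reboot in Step 2: confirm that the exported signer certificate really is present in the Secure Boot db after enrollment. This is an added example, not part of the answer above; it parses the raw EFI_SIGNATURE_LIST entries returned by Get-SecureBootUEFI, assumes an elevated PowerShell session on a UEFI machine, and uses a placeholder path for the .cer file.

```powershell
# Added example (not from the original answer). Lists the X.509 certificates
# enrolled in the Secure Boot "db" and checks whether a given signer is among them.
# Requires an elevated session on a UEFI system; $certPath is a placeholder.
$certPath = "C:\Path\To\Your\WDAC_Signer.cer"

# EFI_CERT_X509_GUID: signature lists of this type carry DER-encoded certificates
$X509Guid = [guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-SecureBootDbCertificates {
    # The db variable is a sequence of EFI_SIGNATURE_LIST structures:
    #   GUID SignatureType (16) | UINT32 SignatureListSize | UINT32 SignatureHeaderSize
    #   | UINT32 SignatureSize | header | entries of SignatureSize bytes each
    $bytes = (Get-SecureBootUEFI -Name db).Bytes
    $offset = 0
    while ($offset + 28 -le $bytes.Length) {
        $type     = [guid]::new([byte[]]($bytes[$offset..($offset + 15)]))
        $listSize = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $hdrSize  = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize  = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -lt 28) { break }   # malformed list; stop rather than loop forever
        if ($type -eq $X509Guid) {
            $pos = $offset + 28 + $hdrSize
            $end = $offset + $listSize
            while ($pos + $sigSize -le $end) {
                # Each entry: 16-byte SignatureOwner GUID followed by the DER certificate
                $der = [byte[]]($bytes[($pos + 16)..($pos + $sigSize - 1)])
                [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                $pos += $sigSize
            }
        }
        $offset += $listSize
    }
}

$signer   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
$enrolled = @(Get-SecureBootDbCertificates)

"Certificates currently in db:"
$enrolled | ForEach-Object { "  {0}  {1}" -f $_.Thumbprint, $_.Subject }

if ($enrolled.Thumbprint -contains $signer.Thumbprint) {
    "OK: signer '$($signer.Subject)' is enrolled in db"
} else {
    "MISSING: signer '$($signer.Subject)' is not in db; enroll it before enabling the signed policy with Secure Boot"
}
```

Run it once before enrolling (to see the stock Microsoft entries) and again afterwards; the signed policy should only be activated once the signer's thumbprint appears in the list.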
