What Is a Code Integrity Policy?

Updated on August 14, 2025

Code integrity policies shift endpoint security from reactive threat detection to proactive application control. These policies determine which code can run on Windows systems, blocking potential threats before they execute.

A Code Integrity Policy is a set of rules enforced by the operating system to allow only trusted applications, drivers, and scripts. Trust is based on criteria like digital signatures, file hashes, or file paths, ensuring only approved code runs.

This technology works through Windows Defender Application Control (WDAC), creating trust boundaries and blocking unauthorized execution at the kernel level.

Definition and Core Concepts

Code integrity policies rely on several foundational components that work together to establish and maintain system trust.

• Digital Signature serves as a cryptographic signature from a trusted publisher that verifies both the authenticity and integrity of code. These signatures use public key infrastructure (PKI) to ensure that code originates from a legitimate source and has not been modified since signing.
• File Hash creates a unique cryptographic fingerprint of a file using algorithms like SHA-256. This hash ensures the file has not been tampered with or corrupted. Any modification to the file, no matter how minor, produces a completely different hash value.
• Windows Defender Application Control (WDAC) is the Microsoft technology framework used to create and enforce Code Integrity policies. WDAC replaced the older AppLocker technology and provides more comprehensive control over both kernel-mode and user-mode code execution.
• Kernel and User Mode represent the two primary execution environments where policies apply. Kernel-mode policies control driver loading and system-level code execution, while user-mode policies govern application and script execution in user space.

How Code Integrity Policies Work

The enforcement process follows a systematic workflow that begins with policy creation and culminates in real-time execution decisions.

• Policy Creation starts when an administrator uses PowerShell cmdlets like New-CIPolicy to generate an XML policy file. The policy can be created in Audit Mode, which allows testing of the policy’s impact without blocking any applications. This XML file contains all the rules that define trusted code criteria.
• Policy Conversion transforms the human-readable XML policy into a binary format (.bin file) using the ConvertFrom-CIPolicy cmdlet. This binary format is optimized for system enforcement and cannot be easily modified without proper authorization.
• Deployment distributes the binary policy to target computers through enterprise management tools like Microsoft Intune, Group Policy, or System Center Configuration Manager. The policy file is typically placed in the `%windir%\System32\CodeIntegrity\CiPolicies\Active` directory.
• Enforcement occurs when users or system processes attempt to run applications or load drivers. The operating system’s Code Integrity component intercepts these execution requests and evaluates them against the active policy rules.
• Execution Decision determines the final outcome based on policy evaluation. If code matches a trusted rule—such as being signed by an approved publisher or matching an authorized file hash—execution is allowed. Code that fails to meet policy requirements is blocked, and the system logs an event in the Windows Event Log for administrative review.

Key Features and Components

Code Integrity policies offer several sophisticated capabilities that enable precise security control.

• Granular Control allows administrators to define trust based on multiple factors including publisher certificates, product names, file versions, file hashes, or combinations of these criteria. This flexibility enables policies that can be as broad or restrictive as organizational needs require.
• Audit Mode provides a non-enforcing evaluation mode that logs policy violations without blocking code execution. This feature is essential for testing policy effectiveness and identifying potential compatibility issues before full enforcement begins.
• Virtualization-based Security (VBS) integration protects the Code Integrity policy from tampering by malware or unauthorized users. When VBS is enabled, the policy enforcement mechanism operates in a protected environment that even kernel-level malware cannot compromise.
• Policy Supplementation enables administrators to add rules to existing policies without creating entirely new policy files. Supplemental policies can be deployed alongside base policies to accommodate new software requirements or address specific organizational needs.
• Multiple Policy Support allows systems to enforce several policies simultaneously, enabling complex scenarios where different rules apply to different user groups or system components.

Use Cases and Applications

Organizations deploy Code Integrity policies to address specific security and compliance requirements.

• Malware Protection represents the primary security application, preventing malicious executables, scripts, and unsigned drivers from executing on protected systems. This approach is particularly effective against zero-day attacks and fileless malware that traditional signature-based solutions might miss.
• Endpoint Hardening locks down systems to a known, trusted state by allowing only pre-approved applications to run. This significantly reduces the attack surface available to potential attackers and limits the impact of successful breaches.
• Compliance Requirements help organizations meet regulatory mandates that require strict application control, such as those found in financial services, healthcare, or government environments. Code Integrity policies provide auditable proof of application control implementation.
• Privileged Access Management can restrict administrative users to only approved administrative tools, preventing the use of unauthorized utilities that might compromise system security or bypass monitoring.

Advantages and Trade-offs

Code Integrity policies deliver significant security benefits while introducing operational considerations.

• Strong Security provides robust defense against diverse attack vectors by blocking execution at the kernel level. This approach is effective against both known malware and unknown threats that lack proper digital signatures from trusted publishers.
• Attack Surface Reduction dramatically limits available attack vectors by implementing a default-deny posture for code execution. Attackers must work within the constraints of approved applications, significantly limiting their operational capabilities.
• Tamper Resistance becomes particularly strong when combined with VBS, making the policy enforcement mechanism highly resistant to being disabled or bypassed by malware, even with administrative privileges.
• Administrative Complexity can be substantial, especially in dynamic environments with frequent software changes. Creating comprehensive policies requires detailed inventory of all legitimate software and ongoing maintenance as applications are updated or replaced.
• Application Compatibility issues may arise when policies are too restrictive or when legitimate applications lack proper digital signatures. Poorly configured policies can block critical business applications or system components, leading to operational disruptions.
• Performance Impact is generally minimal but can become noticeable during policy evaluation of large numbers of files or when multiple policies are active simultaneously.

Troubleshooting and Considerations

Successful Code Integrity policy implementation requires careful planning and systematic troubleshooting approaches.

• Event Log Analysis relies heavily on the Windows Event Viewer’s CodeIntegrity operational log, which records all policy violations and enforcement actions. These logs are essential for identifying blocked applications and understanding policy impact.
• Audit Mode Testing should always precede enforcement deployment. Running policies in audit mode for extended periods allows administrators to identify all legitimate applications that require policy exceptions before blocking begins.
• Managed Installer Rules can significantly simplify policy management by automatically trusting applications installed through approved software deployment tools like System Center Configuration Manager or Windows Installer.
• Driver Compatibility requires special attention since blocked kernel drivers can prevent system startup. All necessary hardware drivers and security software components must be explicitly trusted in the policy before enforcement begins.
• Policy Versioning and rollback capabilities are crucial for managing policy updates and addressing compatibility issues that may arise after deployment.
• Performance Monitoring helps identify systems where policy evaluation may be impacting performance, particularly in high-transaction environments or systems with limited processing resources.