Inbox App Control policies

Note

Some capabilities of App Control for Business are only available on specific Windows versions. Learn more about App Control feature availability.

This article describes the App Control for Business policies that ship inbox with Windows and may be active on your devices. To see which policies are active on your device, use citool.exe or check the CodeIntegrity - Operational event log for 3099 policy activation events.

Inbox App Control Policies

Policy Name Policy ID Policy Type Description
Microsoft Windows Driver Policy {d2bda982-ccf6-4344-ac5b-0b44427b6816} Kernel-only Base policy This policy blocks known vulnerable or malicious kernel drivers. It's active by default on Windows 11 22H2, Windows in S mode, Windows 11 SE, and anywhere memory integrity (also known as hypervisor-protected code integrity (HVCI)) is on. Its policy binary file is found at %windir%\System32\CodeIntegrity\driversipolicy.p7b and in the EFI system partition at <EFI System Partition>\Microsoft\Boot\driversipolicy.p7b.
Windows10S_Lockdown_Policy_Supplementable {5951a96a-e0b5-4d3d-8fb8-3e5b61030784} Base policy This policy is active on devices running Windows in S mode. Its policy binary file is found in the EFI system partition at <EFI System Partition>\Microsoft\Boot\winsipolicy.p7b.
WindowsE_Lockdown_Policy {82443e1e-8a39-4b4a-96a8-f40ddc00b9f3} Base policy This policy is active on devices running Windows 11 SE. Its policy binary file is found in the EFI system partition at <EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{82443e1e-8a39-4b4a-96a8-f40ddc00b9f3}.cip.
WindowsE_Lockdown_Flight_Policy_Supplemental {5dac656c-21ad-4a02-ab49-649917162e70} Supplemental policy This policy is active on devices running Windows 11 SE that are enrolled in the Windows Insider program. Its policy binary file is found in the EFI system partition at <EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{5dac656c-21ad-4a02-ab49-649917162e70}.cip.
WindowsE_Lockdown_Test_Policy_Supplemental {CDD5CB55-DB68-4D71-AA38-3DF2B6473A52} Supplemental policy This policy is active on devices running Windows 11 SE with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found in the EFI system partition at <EFI System Partition>\Microsoft\Boot\CIPolicies\Active\{CDD5CB55-DB68-4D71-AA38-3DF2B6473A52}.cip.
VerifiedAndReputableDesktop {0283ac0f-fff1-49ae-ada1-8a933130cad6} Base policy This policy is active on devices running Windows 11 with Smart App Control turned on. Its policy binary file is found at %windir%\System32\CodeIntegrity\CIPolicies\Active\{0283ac0f-fff1-49ae-ada1-8a933130cad6}.cip.
VerifiedAndReputableDesktopFlightSupplemental {1678656c-05ef-481f-bc5b-ebd8c991502d} Supplemental policy This policy is active on devices running Windows 11 with Smart App Control turned on and enrolled in the Windows Insider program. Its policy binary file is found at %windir%\System32\CodeIntegrity\CIPolicies\Active\{1678656c-05ef-481f-bc5b-ebd8c991502d}.cip.
VerifiedAndReputableDesktopTestSupplemental {0939ED82-BFD5-4D32-B58E-D31D3C49715A} Supplemental policy This policy is active on devices running Windows 11 with Smart App Control turned on and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at %windir%\System32\CodeIntegrity\CIPolicies\Active\{0939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip.
VerifiedAndReputableDesktopEvaluation {1283ac0f-fff1-49ae-ada1-8a933130cad6} Base policy This policy is active on devices running Windows 11 with Smart App Control in evaluation mode. Its policy binary file is found at %windir%\System32\CodeIntegrity\CIPolicies\Active\{1283ac0f-fff1-49ae-ada1-8a933130cad6}.cip.
VerifiedAndReputableDesktopEvaluationFlightSupplemental {2678656c-05ef-481f-bc5b-ebd8c991502d} Supplemental policy This policy is active on devices running Windows 11 with Smart App Control in evaluation mode and enrolled in the Windows Insider program. Its policy binary file is found at %windir%\System32\CodeIntegrity\CIPolicies\Active\{2678656c-05ef-481f-bc5b-ebd8c991502d}.cip.
VerifiedAndReputableDesktopEvaluationTestSupplemental {1939ED82-BFD5-4D32-B58E-D31D3C49715A} Supplemental policy This policy is active on devices running Windows 11 with Smart App Control in evaluation mode and with Secure Boot disabled and TESTSIGNING on. Its policy binary file is found at %windir%\System32\CodeIntegrity\CIPolicies\Active\{1939ED82-BFD5-4D32-B58E-D31D3C49715A}.cip.