Option 4 — Disabled Signing#

Table of Contents#

What It Does
Why It Exists
Visual Anatomy — Policy Evaluation Stack
How to Set It (PowerShell)
XML Representation
Interaction with Other Options
When to Enable vs Disable
Real-World Scenario — End-to-End Walkthrough
What Happens If You Get It Wrong
Valid for Supplemental Policies?
OS Version Requirements
Summary Table

1. What It Does#

Disabled:Flight Signing removes the implicit trust that WDAC / App Control for Business policies grant to Windows Insider build (flight) certificates. In the default WDAC configuration, binaries signed with Microsoft’s Windows Insider / Flighting signing certificates are treated as trusted — the same way production Windows binaries are trusted. This makes sense for Insider Program participants who need pre-release Windows components to function alongside an enforced WDAC policy. However, for organizations that operate exclusively on stable, released Windows builds and have no need to run prerelease Microsoft components, this trust extension is unnecessary and represents a slightly expanded trust surface.

When Disabled:Flight Signing is set in the policy, binaries carrying only the Windows Insider/Flighting certificate chain are not trusted and will be blocked (or logged in audit mode). Binaries that carry dual signatures — one from the Insider/Flight certificate and one from a production Microsoft certificate — will still pass because the production certificate remains trusted. This option is targeted at production-locked environments that want to close the flight-signing trust pathway entirely.

2. Why It Exists#

Windows Insider Program and Flight Signing#

Microsoft’s Windows Insider Program delivers pre-release builds of Windows, system components, inbox apps, and OS features to volunteer testers. These builds are signed with a separate Microsoft certificate chain — the Windows Flighting/Insider signing certificate — distinct from the production Microsoft Windows certificate chain used for publicly released builds.

The Security Rationale#

1
flowchart TD
2
    classDef secure fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef risk fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef neutral fill:#162032,color:#58a6ff,stroke:#1e3a5f
5
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
6

7
    subgraph Production_Trust["Production Trust (Always Needed)"]
8
        direction TB
9
        A1([Microsoft Windows Production\nCertificate Chain]) --> B1([Released OS components\nInbox apps\nDrivers]):::secure
10
        B1 --> C1([Trusted by all WDAC policies]):::secure
11
    end
12

13
    subgraph Flight_Trust["Flight Trust (Optional — may be unneeded)"]
14
        direction TB
15
        A2([Microsoft Flight/Insider\nCertificate Chain]) --> B2([Pre-release OS builds\nInsider-only components\nBeta features]):::neutral
16
        B2 --> C2([Trusted by DEFAULT unless\nDisabled:Flight Signing is set]):::risk
17
    end
18

19
    D([Option 4\nDisabled:Flight Signing]) --> E([Removes Flight Trust\nProduction Trust unaffected]):::option
20
    E --> F([Only fully-released\nbinaries trusted]):::secure

Why Organizations Want This#

Compliance and change control: Organizations subject to strict change management (financial services, healthcare, government) require all software running on endpoints to have gone through the vendor’s full release process. Prerelease binaries, by definition, have not.
Stability requirements: Flight-signed OS components are pre-release and may contain bugs, incomplete features, or regressions. Blocking them from running on production systems prevents accidental installation.
Supply chain integrity: Restricting trust to the narrowest necessary set of certificate chains is a foundational supply-chain security principle (zero-trust philosophy applied to code signing).
Preventing Insider Program misuse: An employee who opts into the Windows Insider Program on a corporate device would begin receiving flight-signed components. Without Option 4, those prerelease binaries are trusted by the WDAC policy. With Option 4, they are blocked, enforcing the policy that production endpoints must run released software only.

3. Visual Anatomy — Policy Evaluation Stack#

1
flowchart TD
2
    classDef kernel fill:#162032,color:#58a6ff,stroke:#1e3a5f
3
    classDef usermode fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
5
    classDef allow fill:#0d1f12,color:#86efac,stroke:#166534
6
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
7
    classDef neutral fill:#1c1c2e,color:#a5b4fc,stroke:#3730a3
8

9
    A([Binary Execution Request]) --> B[Code Integrity Engine]:::kernel
10
    B --> C{Extract signer\ncertificate chain}
11

12
    C --> D{Production Microsoft\ncertificate chain?}
13
    D -- Yes --> E([ALLOWED — production cert\nAlways trusted]):::allow
14

15
    D -- No --> F{Flight / Insider\ncertificate chain?}
16
    F -- No match anywhere --> G([Check other policy rules\nFile/Hash/Publisher rules]):::neutral
17

18
    F -- Yes --> H{Option 4\nDisabled:Flight Signing\npresent?}:::option
19
    H -- No DEFAULT --> I([ALLOWED — flight cert trusted\nby default]):::allow
20
    H -- Yes OPTION 4 SET --> J{Binary has DUAL signature?\nFlight cert + Production cert?}
21
    J -- Yes dual-signed --> K([ALLOWED — production cert\nstill satisfies policy]):::allow
22
    J -- No, only flight cert --> L([BLOCKED — flight cert trust\nremoved by Option 4]):::block
23
    L --> M[(Event ID 3076/3077\nlogged to event log)]:::block

Certificate Trust Hierarchy with Option 4#

1
flowchart LR
2
    classDef allow fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef root fill:#162032,color:#58a6ff,stroke:#1e3a5f
5
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
6

7
    MSRoot([Microsoft Root\nCertificate Authority]):::root
8

9
    MSRoot --> ProdChain([Production Windows\nCode Signing Chain]):::allow
10
    MSRoot --> FlightChain([Windows Insider /\nFlight Signing Chain]):::block
11

12
    ProdChain --> ProdBinaries([Windows Released\nComponents — TRUSTED]):::allow
13
    FlightChain --> FlightBinaries([Windows Insider Build\nComponents])
14

15
    FlightBinaries --> DualSigned([Dual-signed binaries\nFlight + Production — TRUSTED]):::allow
16
    FlightBinaries --> FlightOnly([Flight-only signed binaries\nBLOCKED by Option 4]):::block
17

18
    Option4([Option 4\nDisabled:Flight Signing]):::option -->|"Removes trust"| FlightChain

4. How to Set It (PowerShell)#

Enable the Option (Disable Flight Signing Trust)#

1
# Disable trust for Windows Insider / Flight-signed binaries
2
# NOTE: The option is named "Disabled:Flight Signing"
3
# Setting it = flight signing is DISABLED (trust removed)
4
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 4

Remove the Option (Restore Default Flight Signing Trust)#

1
# Remove Option 4 = flight signing is TRUSTED again (default behavior)
2
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 4 -Delete

Verify Option State#

1
[xml]$Policy = Get-Content "C:\Policies\MyBasePolicy.xml"
2
$ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
3
$ns.AddNamespace("si", "urn:schemas-microsoft-com:sipolicy")
4
$rules = $Policy.SelectNodes("//si:Rule/si:Option", $ns) | Select-Object -ExpandProperty '#text'
5

6
if ($rules -contains "Disabled:Flight Signing") {
7
    Write-Host "Option 4 SET: Flight/Insider-signed binaries are NOT trusted" -ForegroundColor Red
8
    Write-Host "Only production Microsoft-signed binaries are trusted" -ForegroundColor Green
9
} else {
10
    Write-Host "Option 4 NOT SET: Flight/Insider-signed binaries are trusted (default)" -ForegroundColor Yellow
11
}

Check Whether Any Running Processes Use Flight-Signed Binaries#

1
# Scan loaded modules for Insider/Flight signatures
2
$Processes = Get-Process
3
foreach ($Process in $Processes) {
4
    try {
5
        $Modules = $Process.Modules
6
        foreach ($Module in $Modules) {
7
            $Sig = Get-AuthenticodeSignature -FilePath $Module.FileName -ErrorAction SilentlyContinue
8
            if ($Sig -and $Sig.SignerCertificate.Subject -match "(?i)insider|flight|prerelease") {
9
                [PSCustomObject]@{
10
                    ProcessName = $Process.Name
11
                    PID         = $Process.Id
12
                    Module      = $Module.FileName
13
                    Signer      = $Sig.SignerCertificate.Subject
14
                }
15
            }
16
        }
17
    } catch {}
18
} | Format-Table -AutoSize

Determine If Device Is Enrolled in Windows Insider Program#

1
# Check Insider Program enrollment
2
$InsiderReg = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\UI\Selection" -ErrorAction SilentlyContinue
3
if ($InsiderReg) {
4
    Write-Host "Device is enrolled in Windows Insider Program" -ForegroundColor Yellow
5
    Write-Host "Branch: $($InsiderReg.UIContentType)" -ForegroundColor Yellow
6
    Write-Host "Option 4 (Disabled:Flight Signing) will block Insider components on next policy enforcement" -ForegroundColor Red
7
} else {
8
    Write-Host "Device is NOT enrolled in Windows Insider Program" -ForegroundColor Green
9
    Write-Host "Option 4 has no operational impact on this device" -ForegroundColor Green
10
}

Full Policy with Option 4 (Production-Locked Environment)#

1
$PolicyPath = "C:\Policies\Production_Locked.xml"
2

3
# Start from DefaultWindows template
4
Copy-Item "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml" $PolicyPath
5

6
# Configure production-locked options
7
Set-RuleOption -FilePath $PolicyPath -Option 0  # UMCI
8
Set-RuleOption -FilePath $PolicyPath -Option 2  # WHQL (optional, additional hardening)
9
Set-RuleOption -FilePath $PolicyPath -Option 3  # Audit Mode (remove when enforcing)
10
Set-RuleOption -FilePath $PolicyPath -Option 4  # Disable Flight Signing
11

12
# Set identity
13
Set-CIPolicyIdInfo -FilePath $PolicyPath `
14
    -PolicyName "Corp Production-Locked Baseline" `
15
    -PolicyId (New-Guid).Guid
16

17
# Compile
18
ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath "C:\Policies\Production_Locked.cip"

5. XML Representation#

Option 4 Set (Flight Signing Disabled)#

1
<?xml version="1.0" encoding="utf-8"?>
2
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
3

4
  <VersionEx>10.0.0.0</VersionEx>
5
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
6
  <PlatformID>{2E07F7E4-194C-4D20-B96C-1498495910E7}</PlatformID>
7

8
  <Rules>
9
    <Rule>
10
      <Option>Enabled:UMCI</Option>
11
    </Rule>
12

13
    <Rule>
14
      <Option>Enabled:Audit Mode</Option>
15
    </Rule>
16

17
    <Rule>
18
      <Option>Disabled:Flight Signing</Option>
19
    </Rule>
20

21
  </Rules>
22

23
</SiPolicy>

Option 4 Absent (Default — Flight Signing Trusted)#

1
<Rules>
2
  <Rule>
3
    <Option>Enabled:UMCI</Option>
4
  </Rule>
5
</Rules>

Important Naming Convention Note: The name Disabled:Flight Signing follows the Disabled: prefix convention, which means the feature being described (Flight Signing trust) is disabled when this option is present. This is the inverse of Enabled: options where the feature is enabled when present. When reviewing policy XML, a Disabled: option present means that feature is turned OFF.

6. Interaction with Other Options#

Option Relationship Matrix#

Option	Name	Relationship with Disabled Signing
0	Enabled	Prerequisite for meaningful effect — without UMCI, only kernel-mode binaries are checked and flight-signed user-mode binaries run freely
2	Required	Synergistic — both restrict non-standard Microsoft signing; WHQL tightens kernel, Option 4 tightens prerelease
3	Enabled Mode	Use during rollout — audit which flight-signed binaries exist before blocking them
5	Enabled Default Policy	Neutral — policy inheritance unaffected by flight signing trust
14	Enabled Intelligence	Independent — cloud reputation check applies after signing check

Naming Convention Diagram#

1
flowchart LR
2
    classDef enabled fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef disabled fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef neutral fill:#162032,color:#58a6ff,stroke:#1e3a5f
5

6
    subgraph Enabled_Options["Enabled: options — Feature is ON when present"]
7
        direction TB
8
        E1(["Enabled:UMCI\n→ User-mode CI is ON"]):::enabled
9
        E2(["Enabled:Audit Mode\n→ Audit mode is ON"]):::enabled
10
        E3(["Enabled:Boot Menu Protection\n→ Protection is ON (future)"]):::enabled
11
    end
12

13
    subgraph Disabled_Options["Disabled: options — Feature is OFF when present"]
14
        direction TB
15
        D1(["Disabled:Flight Signing\n→ Flight trust is OFF"]):::disabled
16
        D2(["Disabled:Script Enforcement\n→ Script checks are OFF"]):::disabled
17
    end
18

19
    note1(["Presence of Disabled: option = that trust/feature is DISABLED\nAbsence = that trust/feature remains at DEFAULT (usually enabled)"]):::neutral

7. When to Enable vs Disable#

1
flowchart TD
2
    classDef yes fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef no fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
5
    classDef question fill:#162032,color:#58a6ff,stroke:#1e3a5f
6

7
    Start([Should I set Option 4\nDisabled:Flight Signing?]) --> Q1{Do any endpoints run\nWindows Insider builds?}:::question
8
    Q1 -- No --> Q2{Are any production\nendpoints ever expected\nto run Insider builds?}:::question
9
    Q2 -- No --> SET([Set Option 4\nNo operational impact; tightens trust]):::yes
10
    Q2 -- Yes --> WARN1([Do not set Option 4\nInsider builds would break]):::warn
11

12
    Q1 -- Yes --> Q3{Are these endpoints\nmanaged corporate devices?}:::question
13
    Q3 -- Yes --> Q4{Should Insider builds be\nallowed on corp devices?}:::question
14
    Q4 -- No per policy --> SET2([Set Option 4 AND\nunenroll from Insider Program]):::yes
15
    Q4 -- Yes for testing --> NOSET([Do not set Option 4 on\nInsider-enrolled test devices]):::no
16
    Q3 -- No personal devices --> NOSET2([Option 4 N/A for personal devices]):::no
17

18
    START2([Should I REMOVE Option 4?]) --> R1{Is a device being\nenrolled in Insider Program?}:::question
19
    R1 -- Yes --> REMOVE([Remove Option 4 from\ndevice-specific policy]):::no
20
    R1 -- No --> KEEP([Keep Option 4 set\nno reason to remove]):::yes

Decision Reference Table#

Scenario	Recommendation
Corporate production fleet (no Insider Program)	Set Option 4 — no impact, tightens trust surface
Windows Insider Program test machines	Do NOT set Option 4 — would block prerelease components
Regulated industry (finance, healthcare, gov)	Set Option 4 — only released software permitted
Developer machines testing Windows features	Do NOT set Option 4 — flight components needed
Kiosk / fixed-function devices	Set Option 4 — maximum restriction appropriate
Hybrid fleet with some Insider devices	Set Option 4 in separate policy for non-Insider ring

8. Real-World Scenario — End-to-End Walkthrough#

Scenario A: Employee Accidentally Enrolls Corporate Laptop in Insider Program#

An employee joins the Windows Insider Program on their corporate laptop to get early access to a new Windows feature. The laptop begins receiving pre-release flight-signed OS components. With Option 4 set, WDAC blocks these components, generating events and surfacing the unauthorized enrollment.

1
sequenceDiagram
2
    autonumber
3
    actor Employee
4
    participant Laptop as Corporate Laptop
5
    participant InsiderService as Windows Insider Service
6
    participant WindowsUpdate as Windows Update
7
    participant FlightBinary as Flight-Signed Component
8
    participant WDAC as WDAC Policy Engine
9
    participant EventLog as Event Log
10
    participant SIEM as SIEM / SOC
11

12
    Employee ->> Laptop: Enroll in Windows Insider Program (Dev channel)
13
    Laptop ->> InsiderService: Register device for flight updates
14
    InsiderService -->> WindowsUpdate: Push pre-release build components
15
    WindowsUpdate ->> Laptop: Download flight-signed component (e.g., Shell32.dll preview)
16
    Laptop ->> FlightBinary: Attempt to load FlightComponent.dll
17
    FlightBinary ->> WDAC: Request load — present flight certificate chain
18
    WDAC ->> WDAC: Check policy: Option 4 (Disabled:Flight Signing) is SET
19
    WDAC -->> Laptop: BLOCK — flight certificate not trusted
20
    WDAC ->> EventLog: Event ID 3077 (enforcement) or 3076 (audit)
21
    EventLog ->> SIEM: Forward event with file path and certificate details
22
    SIEM -->> SOC: Alert: Insider-signed binary blocked on production device
23
    SOC ->> Employee: Unenroll device from Insider Program
24
    SOC ->> Employee: Remediation ticket opened

Scenario B: Financial Institution Production-Locking Policy Deployment#

A financial institution deploys WDAC with Option 4 to ensure all endpoints run only production-released Microsoft software, satisfying their change management policy.

1
sequenceDiagram
2
    autonumber
3
    actor CISOReg as CISO / Compliance Team
4
    actor Admin as IT Admin
5
    participant PolicyXML as WDAC Policy XML
6
    participant MDM as Microsoft Intune
7
    participant Fleet as 2000 Endpoints
8
    participant AuditLog as Audit Event Log
9
    participant ComplianceReport as Compliance Report
10

11
    CISOReg ->> Admin: Requirement: No prerelease software on production endpoints
12
    Admin ->> PolicyXML: Set Option 0 (UMCI) + Option 3 (Audit) + Option 4 (Disable Flight Signing)
13
    Admin ->> MDM: Deploy audit policy to pilot ring (100 devices)
14
    Fleet ->> AuditLog: Collect audit events for 2 weeks
15
    AuditLog -->> Admin: Zero Event 3076 with flight-signed binaries on non-Insider devices
16
    Admin ->> PolicyXML: Remove Option 3 (Audit Mode) — policy ready for enforcement
17
    Admin ->> MDM: Deploy enforced policy to full fleet (2000 devices)
18
    Fleet -->> Admin: Zero enforcement blocks — all devices running production-only builds
19
    Admin ->> ComplianceReport: Generate policy compliance report
20
    ComplianceReport -->> CISOReg: 100% compliance — no prerelease software detected
21
    CISOReg -->> Admin: Change control requirement satisfied

Scenario C: Identifying Impact Before Setting Option 4#

1
sequenceDiagram
2
    autonumber
3
    actor Admin
4
    participant TestVM as Test VM (Insider-enrolled)
5
    participant PolicyXML as Policy XML
6
    participant EventLog as Event Log
7
    participant Report as Impact Report
8

9
    Admin ->> PolicyXML: Set Option 4 + Option 3 (Audit) — no Option 0 yet
10
    Admin ->> TestVM: Deploy audit policy to Insider-enrolled VM
11
    TestVM ->> EventLog: Generate 3076 events for flight-signed binaries
12
    Admin ->> EventLog: Query and export Event ID 3076 with flight cert chain
13
    EventLog -->> Report: 12 unique flight-signed binaries would be blocked
14
    Admin ->> Report: All 12 are Windows Insider build components — expected
15
    Admin ->> PolicyXML: Confirm: Option 4 safe to deploy to non-Insider fleet
16
    Admin ->> PolicyXML: Remove Option 3 (Audit) for production deployment

9. What Happens If You Get It Wrong#

Scenario A: Set Option 4 on Windows Insider Program Devices#

1
flowchart TD
2
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
3
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
4
    classDef ok fill:#0d1f12,color:#86efac,stroke:#166534
5

6
    A([Option 4 deployed to Insider-enrolled device]) --> B{Device receives\nInsider build update}
7
    B --> C([Flight-signed components downloaded]):::block
8
    C --> D([WDAC blocks flight-signed DLLs]):::block
9
    D --> E([Core Windows components fail to load]):::block
10
    E --> F([System instability / boot loop]):::block
11
    F --> G([Emergency policy removal required]):::warn
12
    G --> H([Rollback via WinRE or recovery media]):::warn

Scenario B: Fail to Set Option 4 on Production-Locked Environment#

1
flowchart TD
2
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
3
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
4
    classDef ok fill:#0d1f12,color:#86efac,stroke:#166534
5

6
    A([Option 4 not set — flight signing trusted]) --> B{Employee joins\nInsider Program}:::warn
7
    B --> C([Flight builds deployed to endpoint]):::warn
8
    C --> D([Prerelease components run on production]):::block
9
    D --> E([Potential instability from prerelease code]):::block
10
    D --> F([Change control policy violated]):::block
11
    D --> G([Compliance audit finding]):::block
12
    E --> H([Incident — blamed on WDAC policy]):::warn

Misconfig Consequences Summary#

Mistake	Impact	Severity
Deploy Option 4 to Insider-enrolled devices	Flight components blocked; potential system instability	High — may require recovery
Forget to set Option 4 on production fleet	Insider builds can run unchecked on corporate endpoints	Medium — policy/compliance violation
Set Option 4 without auditing first	Unknown if any flight-signed components are in use	Medium
Confuse “Disabled Signing present” with flight signing being enabled	Policy posture misread	Medium — documentation/training issue

10. Valid for Supplemental Policies?#

No. Disabled:Flight Signing is a base-policy-level trust configuration. It modifies the fundamental set of trusted certificate chains recognized by the Code Integrity engine. Supplemental policies cannot remove or add to the list of inherently trusted certificate authorities — they can only add allow rules for specific publishers, hashes, or file paths on top of the base policy’s signing trust configuration. The decision about whether to trust flight certificates must be made at the base policy level, where it applies uniformly across the entire policy set.

11. OS Version Requirements#

Windows Version	Option 4 Support
Windows 10 1507	Not available
Windows 10 1607	Available
Windows 10 1703+	Full support
Windows 10 1903+	Stable
Windows 11 (all)	Full support
Windows Server 2016+	Supported; Insider builds not typically enrolled on servers
Windows Server 2019+	Supported

Note for Server Environments: Windows Server is not enrolled in the Windows Insider Program in the same way as Windows Client. However, if an organization uses Windows Server Insider Preview builds in any environment (e.g., lab, pre-production testing), Option 4 on a WDAC policy would block flight-signed server components on those builds. In fully production-locked server environments where Insider Preview builds are prohibited, setting Option 4 adds a technical enforcement layer to the administrative prohibition.

Flight Signing Certificate Characteristics#

The Microsoft Windows Insider / Flighting signing certificates are identifiable by their OID and subject name patterns. While the exact certificate details are subject to Microsoft’s internal certificate rotation policies, the distinguishing pattern is typically in the enhanced key usage (EKU) values and the issuing CA chain, which leads to a different intermediate CA than production Windows binaries. When reviewing Event 3076/3077 details, flight-certificate-blocked binaries will show an issuer chain that differs from the standard Microsoft Windows Production PCA chain.

12. Summary Table#

Attribute	Value
Rule Option Name	`Disabled:Flight Signing`
Rule Option Index	4
Default State	Not set (flight signing trusted by default)
Effect when Set (Option Present)	Flight / Windows Insider signed binaries are NOT trusted and will be blocked
Effect when Not Set (Option Absent)	Flight / Windows Insider signed binaries are trusted (default)
Valid in Base Policy	Yes
Valid in Supplemental Policy	No
Requires Reboot on Change	No — takes effect on next policy update cycle
Primary Use Case	Production-locked environments; compliance environments requiring released-only software
Target: Who Is Affected	Windows Insider Program participants; devices receiving pre-release OS components
Impact on Dual-Signed Binaries	No impact — dual-signed (flight + production) binaries remain trusted via production cert
Impact on Production Windows	None — production Microsoft certificates unaffected
Prerequisite for Full Effect	Option 0 (UMCI) must be set; otherwise user-mode flight binaries run unchecked
Event ID (Audit — Option 4 violation)	3076
Event ID (Enforce — Option 4 violation)	3077
Event Log	`Microsoft-Windows-CodeIntegrity/Operational`
Risk of Misdeployment	System instability if deployed to Insider-enrolled devices
PowerShell Cmdlet (Set)	`Set-RuleOption -FilePath <xml> -Option 4`
PowerShell Cmdlet (Remove)	`Set-RuleOption -FilePath <xml> -Option 4 -Delete`
Naming Convention	`Disabled:` prefix — option PRESENT means trust is DISABLED
Security Framework Alignment	NIST SP 800-167 (Allowlisting), change management frameworks, supply-chain integrity
Recommended for	All production corporate fleets not enrolled in Windows Insider Program