Merge pull request #9736 from jgeurten/jogeurte-add-TS-wdac-docs

Added references to Trusted Signing in the WDAC Documentation
2025-05-12 13:27:23 +00:00 · 2024-04-01 16:17:09 -07:00 · 2024-04-01 16:17:09 -07:00 · 38751ff9d5
commit 38751ff9d5
parent d1c63e0d9b 5c18c37e39
3 changed files with 5 additions and 5 deletions
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/create-code-signing-cert-for-wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/create-code-signing-cert-for-wdac.md
@ -11,7 +11,7 @@ ms.date: 12/01/2022
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](../feature-availability.md).

-As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need a publicly issued code signing certificate or an internal CA. If you've purchased a code-signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).
+As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this signing, you'll either need to use [Microsoft's Trusted Signing service](/azure/trusted-signing/), a publicly issued code signing certificate or an internal CA. If you've purchased a code signing certificate, you can skip this article, and instead follow other articles listed in the [Windows Defender Application Control Deployment Guide](wdac-deployment-guide.md).

 If you have an internal CA, complete these steps to create a code signing certificate.

@ -20,7 +20,7 @@ If you have an internal CA, complete these steps to create a code signing certif
 >
 > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
 > - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
-> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256.
+> - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA256.
 > - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.

 1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/deploy-catalog-files-to-support-wdac.md
@ -75,7 +75,7 @@ When finished, the tool saves the files to your desktop. You can view the `*.cdf

 ## Sign your catalog file

-Now that you've created a catalog file for your app, you're ready to sign it.
+Now that you've created a catalog file for your app, you're ready to sign it. It is recommended to use [Microsoft's Trusted Signing service](/azure/trusted-signing/) for catalog signing. Optionally, you can manually sign the catalog using Signtool using the following instructions.

 ### Catalog signing with SignTool.exe

--- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection.md
+++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-code-signing-for-better-control-and-protection.md
@ -38,6 +38,6 @@ For more information on using signed policies, see [Use signed policies to prote

 Some ways to obtain code signing certificates for your own use, include:

+- Use Microsoft's [Trusted Signing service](/azure/trusted-signing/).
 - Purchase a code signing certificate from one of the [Microsoft Trusted Root Program participants](/security/trusted-root/participants-list).
- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).
- Use Microsoft's [Azure Code Signing (ACS) service](https://aka.ms/AzureCodeSigning).
+- To use your own digital certificate or public key infrastructure (PKI) to issue code signing certificates, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-wdac.md).