From 586961a3879649d4522b1b67c0f51b4e8dc0fe79 Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Tue, 26 Nov 2019 13:59:55 -0800 Subject: [PATCH 1/3] Update LOB Win32 on S w/ correct order of PShell cmds Should add a signer before signing the policy --- .../LOB-win32-apps-on-s.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index d1fde8548c..80aeff6ba0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -54,6 +54,11 @@ The general steps for expanding the S mode base policy on your devices are to ge Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete ``` This deletes the ‘audit mode’ qualifier. + - Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to section 2. Sign policy below. Use Add-SignerRule to add the signing certificate to the WDAC policy: + + ```powershell + Add-SignerRule -FilePath -CertificatePath -User -Update` + ``` - Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) ```powershell 
@@ -64,11 +69,6 @@ The general steps for expanding the S mode base policy on your devices are to ge Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA. - Once your policy is signed, you must authorize the signing certificate you used to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. Use Add-SignerRule to add the signing certificate to the WDAC policy: - - ```powershell - Add-SignerRule -FilePath -CertificatePath -User -Update` - ``` Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML 3. Deploy the signed supplemental policy using Microsoft Intune From 0b9d6616bbad61ef91fceede6569ebf06c4262cd Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 2 Dec 2019 10:00:12 -0800 Subject: [PATCH 2/3] Update windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md Minor grammatical change Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-defender-application-control/LOB-win32-apps-on-s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 80aeff6ba0..a23f20c4df 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -69,7 +69,7 @@ The general steps for expanding the S mode base policy on your devices are to ge Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA. - Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML + Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML. 3. Deploy the signed supplemental policy using Microsoft Intune From 156a06d3e65219c003f71d8f5703697bf8d4c06a Mon Sep 17 00:00:00 2001 From: isbrahm <43386070+isbrahm@users.noreply.github.com> Date: Mon, 2 Dec 2019 10:00:30 -0800 Subject: [PATCH 3/3] Update windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md Minor grammatical change #2 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-defender-application-control/LOB-win32-apps-on-s.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index a23f20c4df..a585ea19cd 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -54,7 +54,7 @@ The general steps for expanding the S mode base policy on your devices are to ge Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete ``` This deletes the ‘audit mode’ qualifier. - - Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to section 2. Sign policy below. Use Add-SignerRule to add the signing certificate to the WDAC policy: + - Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy: ```powershell Add-SignerRule -FilePath -CertificatePath -User -Update`
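Review bot: in the `@@ -54,6 +54,11 @@` hunk of PATCH 1/3, the added `Add-SignerRule -FilePath -CertificatePath -User -Update\`` line ends with a stray backtick and gives no values after `-FilePath` and `-CertificatePath`, so a reader pasting it gets a parse error; suggest `Add-SignerRule -FilePath "<path to SupplementalPolicy.xml>" -CertificatePath "<path to signing certificate .cer>" -User -Update` with the placeholders spelled out. Moving this step ahead of ConvertFrom-CIPolicy is the right ordering, since the signer rule has to be present in the XML before it is converted to the .bin that then gets signed; it would help to say that in the bullet (one clause such as "this must be done before converting and signing, or the signed binary will not contain the rule"). While this bullet is being edited, the context line just above it, `Set-RuleOption -FilePath "\SupplementalPolicy.xml>" -Option 3 –Delete`, carries a stray `>` inside the path and an en-dash before `Delete` instead of a hyphen, which also breaks copy-paste.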
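Review bot: the `@@ -64,11 +69,6 @@` hunk of PATCH 1/3 removes the Add-SignerRule paragraph from the signing section, which is correct since the earlier hunk re-adds it before conversion, but the signing section is now left with no reminder that the signing certificate must already be authorized in the policy; suggest keeping one sentence there such as "The certificate you sign with (and any update signers) must already have been added to the XML with Add-SignerRule in Section 1 before conversion", so readers who jump straight to the DGSS or internal-CA links do not sign a policy that lacks the rule. The retained context line "PolicyID can be found by inspecting the Supplemental Policy XML" would also read better if it named the `<PolicyID>` element the reader should look for.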
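Review bot: the `@@ -69,7 +69,7 @@` hunk of PATCH 2/3 only appends a period to the "Rename your policy to "{PolicyID}.p7b"" line, which is unchanged context in PATCH 1/3; as a style point, a one-character punctuation fix to a line the same series already touches is better squashed into PATCH 1/3 than carried as its own co-authored commit, so the branch lands as a single "reorder signer step" change.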
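Review bot: the `@@ -54,7 +54,7 @@` hunk of PATCH 3/3 rewords the cross-reference to "Section 2, Sign policy", which is fine as long as that string matches the actual heading text in the file (the heading itself is not visible in this diff, so please confirm); the same hunk's trailing context still shows the `Add-SignerRule -FilePath -CertificatePath -User -Update\`` line with its stray closing backtick and empty parameter values, and since this commit already edits that bullet it is the natural place to drop the backtick and fill in the placeholders rather than leave the broken command in the published page.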