Merge pull request #5530 from isbrahm/patch-8

Update LOB Win32 on S w/ correct order of PShell cmds
Daniel Simpson 2019-12-03 06:57:15 -08:00 committed by GitHub
commit 6342da87c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -54,6 +54,11 @@ The general steps for expanding the S mode base policy on your devices are to ge
Set-RuleOption -FilePath "<path>\SupplementalPolicy.xml>" -Option 3 Delete Set-RuleOption -FilePath "<path>\SupplementalPolicy.xml>" -Option 3 Delete
``` ```
This deletes the audit mode qualifier. This deletes the audit mode qualifier.
- Since you'll be signing your policy, you must authorize the signing certificate you will use to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. For more information, refer to Section 2, Sign policy. Use Add-SignerRule to add the signing certificate to the WDAC policy:
```powershell
Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update`
```
- Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) - Convert to .bin using [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
```powershell ```powershell
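Review bot: the added `Add-SignerRule` line ends with a stray backtick after `-Update`; in PowerShell that is the line-continuation character, so a reader who pastes the snippet gets a dangling continuation instead of a complete command. Drop it so the line reads `Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update`. The reordering itself is correct: the signer rule is part of the policy XML, so it has to be present before `ConvertFrom-CIPolicy` produces the .bin that is then signed, which is exactly where the new bullet now sits. Minor, outside the change: the unchanged context line above still carries a stray `>` in `"<path>\SupplementalPolicy.xml>"`, worth fixing in the same pass.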
@ -64,12 +69,7 @@ The general steps for expanding the S mode base policy on your devices are to ge
Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA. Supplemental S mode policies must be digitally signed. To sign your policy, you can choose to use the Device Guard Signing Service or your organization's custom Public Key Infrastructure (PKI). Refer to [Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md) for guidance on using DGSS and [Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md) for guidance on signing using an internal CA.
Once your policy is signed, you must authorize the signing certificate you used to sign the policy and optionally one or more additional signers that can be used to sign updates to the policy in the future. Use Add-SignerRule to add the signing certificate to the WDAC policy: Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML.
```powershell
Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update`
```
Rename your policy to "{PolicyID}.p7b" after you've signed it. PolicyID can be found by inspecting the Supplemental Policy XML
3. Deploy the signed supplemental policy using Microsoft Intune 3. Deploy the signed supplemental policy using Microsoft Intune
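Review bot: dropping this paragraph removes a real contradiction rather than just a duplicate; it told readers to run `Add-SignerRule` "once your policy is signed", which cannot work because the signer rule must be inside the policy that gets converted and signed, and the moved bullet in the previous section now gives the correct order. The one line that remains here, `Rename your policy to "{PolicyID}.p7b" after you've signed it.`, is fine (and picks up the trailing period the old version lacked), but since the code block that preceded it is gone, consider adding a sentence telling readers to capture the PolicyID from the supplemental policy XML before converting and signing, so they are not hunting for it after the fact.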