From 8554f5470ba9ad49ddbed41a1476ea84d636aac7 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Thu, 23 May 2024 01:39:54 +0300 Subject: [PATCH] Added PowerShell command for verifying signed binaries --- ...-signed-policies-to-protect-wdac-against-tampering.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md index 91903fcb90..b013b9b57a 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md 
@@ -103,12 +103,19 @@ When complete, the commands should output a signed policy file with a `.p7` exte ## Verify and deploy the signed policy -You can use certutil.exe to verify the signed file. Review the output to confirm the signature algorithm and encoding for certificate fields, like 'subject common name' and 'issuer common name' as described in the Warning at the top of this article. +You can use certutil.exe or PowerShell to verify the signed file. Review the output to confirm the signature algorithm as described in the Warning at the top of this article. ```powershell certutil.exe -asn ``` +```powershell +$CIPolicyBin = 'path to signed policy file' +$SignedCryptoMsgSyntax = New-Object -TypeName System.Security.Cryptography.Pkcs.SignedCms +$SignedCryptoMsgSyntax.Decode((Get-Content -LiteralPath $CIPolicyBin -AsByteStream -Raw)) +$SignedCryptoMsgSyntax.Certificates | Format-List -Property * +``` + Thoroughly test the signed policy on a representative set of computers before proceeding with deployment. Be sure to reboot the test computers at least twice after applying the signed WDAC policy to ensure you don't encounter a boot failure. Once you've verified the signed policy, deploy it using your preferred deployment method. For more information about deploying policies, see [Deploying Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide).
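Review bot: the added PowerShell block relies on `Get-Content -AsByteStream`, which exists only in PowerShell 6 and later; in Windows PowerShell 5.1 (still the default on most Windows hosts) that parameter is not recognised and the call fails, and the `System.Security.Cryptography.Pkcs` types may also need `Add-Type -AssemblyName System.Security` first. Either state that the snippet targets PowerShell 7, or use `[System.IO.File]::ReadAllBytes($CIPolicyBin)`, which works on both. Separately, the rewritten sentence drops the guidance to check the encoding of certificate fields such as 'subject common name' and 'issuer common name'; since `Format-List -Property *` on `.Certificates` is exactly where a reader would inspect those fields, consider keeping that phrase rather than leaving only the pointer to the Warning.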