From b6ba405980cb95b018ec5ba354bfdb5272c5d310 Mon Sep 17 00:00:00 2001 From: Joe Henry Date: Tue, 28 Sep 2021 19:14:56 -0400 Subject: [PATCH] Update use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md Added a note that all policies must be PKCS 7 signed --- ...t-windows-defender-application-control-against-tampering.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 11d3f0df1e..3ceb3636e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -46,6 +46,9 @@ To sign a WDAC policy with SignTool.exe, you need the following components: - An internal CA code signing certificate or a purchased code signing certificate +> [!NOTE] +> All policies (base and supplemental and single-policy format) must be pkcs7 signed. [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652) + If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session: 1. Initialize the variables that will be used: