From 8554f5470ba9ad49ddbed41a1476ea84d636aac7 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Thu, 23 May 2024 01:39:54 +0300 Subject: [PATCH 1/3] Added PowerShell command for verifying signed binaries --- ...-signed-policies-to-protect-wdac-against-tampering.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md index 91903fcb90..b013b9b57a 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md 
@@ -103,12 +103,19 @@ When complete, the commands should output a signed policy file with a `.p7` exte ## Verify and deploy the signed policy -You can use certutil.exe to verify the signed file. Review the output to confirm the signature algorithm and encoding for certificate fields, like 'subject common name' and 'issuer common name' as described in the Warning at the top of this article. +You can use certutil.exe or PowerShell to verify the signed file. Review the output to confirm the signature algorithm as described in the Warning at the top of this article. ```powershell certutil.exe -asn ``` +```powershell +$CIPolicyBin = 'path to signed policy file' +$SignedCryptoMsgSyntax = New-Object -TypeName System.Security.Cryptography.Pkcs.SignedCms +$SignedCryptoMsgSyntax.Decode((Get-Content -LiteralPath $CIPolicyBin -AsByteStream -Raw)) +$SignedCryptoMsgSyntax.Certificates | Format-List -Property * +``` + Thoroughly test the signed policy on a representative set of computers before proceeding with deployment. Be sure to reboot the test computers at least twice after applying the signed WDAC policy to ensure you don't encounter a boot failure. Once you've verified the signed policy, deploy it using your preferred deployment method. For more information about deploying policies, see [Deploying Windows Defender Application Control policies](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide). From 752df9d9d17592429d6a631bb04cad0e35effe73 Mon Sep 17 00:00:00 2001 From: Violet Hansen Date: Thu, 23 May 2024 19:43:38 +0300 Subject: [PATCH 2/3] Made the PowerShell code work in Windows PowerShell --- .../use-signed-policies-to-protect-wdac-against-tampering.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) 
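Review bot: in the PATCH 1/3 hunk, the added PowerShell block only decodes the PKCS#7 blob and lists the embedded certificates; it never checks the signature, so it does not actually "verify the signed file" as the rewritten sentence above it claims. Add `$SignedCryptoMsgSyntax.CheckSignature($true)` after the `Decode` call (it throws on a signature mismatch, and `$true` verifies the signature only, without chain building, so a policy signed by an internal CA still passes). The same hunk also drops the reference to the encoding of 'subject common name' and 'issuer common name' from the prose, yet those certificate fields are exactly what the `Format-List -Property *` output is meant to be checked against per the Warning the sentence still cites; keep that guidance. Note too that `Get-Content -AsByteStream` exists only in PowerShell 7 and fails in Windows PowerShell 5.1, which is what the next patch in this series corrects.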
diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md index b013b9b57a..a7f4170ab2 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md @@ -111,8 +111,9 @@ certutil.exe -asn ```powershell $CIPolicyBin = 'path to signed policy file' +Add-Type -AssemblyName 'System.Security' $SignedCryptoMsgSyntax = New-Object -TypeName System.Security.Cryptography.Pkcs.SignedCms -$SignedCryptoMsgSyntax.Decode((Get-Content -LiteralPath $CIPolicyBin -AsByteStream -Raw)) +$SignedCryptoMsgSyntax.Decode([System.IO.File]::ReadAllBytes($CIPolicyBin)) $SignedCryptoMsgSyntax.Certificates | Format-List -Property * ``` From 66d15a520df803c125e3ba812ea4c2b5ca54de4e Mon Sep 17 00:00:00 2001 From: Chandra Kumar Date: Fri, 24 May 2024 10:59:11 +0530 Subject: [PATCH 3/3] Update temporary-enterprise-feature-control.md Fix typo in EnableDevDrive link --- windows/whats-new/temporary-enterprise-feature-control.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/temporary-enterprise-feature-control.md b/windows/whats-new/temporary-enterprise-feature-control.md index cebfc291a6..cfc161dd97 100644 --- a/windows/whats-new/temporary-enterprise-feature-control.md +++ b/windows/whats-new/temporary-enterprise-feature-control.md 
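Review bot: in the PATCH 2/3 hunk, `[System.IO.File]::ReadAllBytes($CIPolicyBin)` resolves a relative path against the process working directory, not PowerShell's current location (`$PWD`), so a value such as `'.\policy.p7'` can read the wrong file or throw a FileNotFoundException after a `Set-Location`; pass a resolved path instead, e.g. `[System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $CIPolicyBin).ProviderPath)`. Replacing `-AsByteStream` and adding `Add-Type -AssemblyName 'System.Security'` is the right fix for the Windows PowerShell compatibility the commit message describes, but the surrounding prose should say that the `Add-Type` line is there for Windows PowerShell 5.1, otherwise readers on PowerShell 7 will not know whether it is safe to omit. The block still lacks a `CheckSignature` call, so it lists certificates rather than verifying the signature.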
@@ -74,4 +74,4 @@ The following features introduced through the monthly cumulative updates allow p | **Recommended** section added to File Explorer Home for users signed into Windows with an Azure AD account. | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes | **CSP**:./Device/Vendor/MSFT/Policy/Config/FileExplorer/[DisableGraphRecentItems](/windows/client-management/mdm/policy-csp-fileexplorer#disablegraphrecentitems)

**Group Policy**: Computer Configuration\Administrative Templates\Windows Components\File Explorer\\**Turn off files from Office.com in Quick Access View**

**Note**: This control disables additional items beyond the **Recommended** items. Review the policy before implementing this control. | | Transfer files to another PC using WiFi direct|[September 2023 - KB5030310](https://support.microsoft.com/kb/5030310)|Yes|**CSP**: ./Device/Vendor/MSFT/Policy/Config/Wifi/[AllowWiFiDirect](/windows/client-management/mdm/policy-csp-wifi#allowwifidirect)| | Copilot in Windows | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSP**: ./User/Vendor/MSFT/Policy/Config/WindowsAI/[TurnOffWindowsCopilot](/windows/client-management/mdm/policy-csp-windowsai#turnoffwindowscopilot)

**Group Policy**: User Configuration\Administrative Templates\Windows Components\Windows Copilot\\**Turn off Windows Copilot**| -|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**:
- ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enableeeverive)
- ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy)

**Group Policies**:
- Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive**
- Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**| +|Dev Drive | [September 2023 - KB5030310](https://support.microsoft.com/kb/5030310) | Yes |**CSPs**:
- ./Device/Vendor/MSFT/Policy/Config/FileSystem/[EnableDevDrive](/windows/client-management/mdm/policy-csp-filesystem#enabledevdrive)
- ./Device/Vendor/MSFT/Policy/Config/FileSystem/[DevDriveAttachPolicy](/windows/client-management/mdm/policy-csp-filesystem#devdriveattachpolicy)

**Group Policies**:
- Computer Configuration\Administrative Templates\System\FileSystem\\**Enable dev drive**
- Computer Configuration\Administrative Templates\System\FileSystem\\**Dev drive filter attach policy**|
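Review bot: in the PATCH 3/3 hunk, the corrected anchor `#enabledevdrive` now matches the all-lowercase heading-anchor form already used by the sibling `#devdriveattachpolicy` link in the same cell, so the previously dead `#enableeeverive` link resolves and no other line in the row needs to change. The one thing I would fix is the commit message: the subject "Update temporary-enterprise-feature-control.md" says nothing about the change, while the body line "Fix typo in EnableDevDrive link" is the text that belongs in the subject.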