mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-18 16:27:22 +00:00
Addressed comments
This commit is contained in:
parent c3ae4b9500
commit aca581fbca
@ -35,13 +35,12 @@ As you deploy Windows Defender Application Control (WDAC), you might need to sig
If you have an internal CA, complete these steps to create a code signing certificate.
> [!WARNING]
> Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
> When creating signing certificates for WDAC policy signing, Boot failure (blue screen) may occur if your signing certificate does not follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
> - Only use SHA-256 as the digest algorithm.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size
>
1. Open the Certification Authority Microsoft Management Console (MMC) snap-in, and then select your issuing CA.
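Review bot: the replacement bullet `> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.` reads more clearly if the sizes are spelled out as 2048, 3072, or 4096 bits, since "2K/3K/4K" is shorthand that a reader setting up a CA template has to translate. Dropping the old `> - Use RSA SHA-256 only. ECDSA isn't supported.` is safe because `> - Only use SHA-256 as the digest algorithm.` still states the digest requirement, and removing `> - Keys must be less than or equal to 4K key size` avoids stating the size limit twice. The reworded lead-in `> When creating signing certificates for WDAC policy signing, Boot failure (blue screen) may occur ...` is not carried over to the identical warning in the second file of this commit, which still opens with the old sentence; the two warnings should match.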
@ -38,9 +38,9 @@ If you don't currently have a code signing certificate you can use to sign your
> Boot failure (blue screen) may occur if your signing certificate doesn't follow these rules:
>
> - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652).
> - Use RSA SHA-256 only. ECDSA isn't supported.
> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.
> - Only use SHA-256 as the digest algorithm.
> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING.
> - Keys must be less than or equal to 4K key size.
Before you attempt to deploy signed WDAC policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
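Review bot: this hunk keeps `> - Keys must be less than or equal to 4K key size.` as unchanged context directly after the new `> - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported.`, so the 4K limit is now stated twice in the same list; the first hunk of this commit removed the equivalent bullet, and the same removal belongs here for consistency. The warning's opening line `> Boot failure (blue screen) may occur if your signing certificate doesn't follow these rules:` is also left untouched while the other file received the "When creating signing certificates for WDAC policy signing, ..." lead-in, so the two copies of this warning now diverge in wording.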