From cfac9b77b9104f510a232a055df71a9772948b57 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Fri, 21 May 2021 10:36:43 -0700 Subject: [PATCH 1/3] Update add-unsigned-app-to-code-integrity-policy.md Update DGSSv1 retirement date. --- .../add-unsigned-app-to-code-integrity-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/store-for-business/add-unsigned-app-to-code-integrity-policy.md b/store-for-business/add-unsigned-app-to-code-integrity-policy.md index b269d9356a..454b74a767 100644 --- a/store-for-business/add-unsigned-app-to-code-integrity-policy.md +++ b/store-for-business/add-unsigned-app-to-code-integrity-policy.md @@ -18,12 +18,12 @@ ms.date: 03/10/2021 # Add unsigned app to code integrity policy > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -117,4 +117,4 @@ Catalog signing is a vital step to adding your unsigned apps to your code integr When you use the Device Guard signing portal to sign a catalog file, the signing certificate is added to the default policy. When you download the signed catalog file, you should also download the default policy and merge this code integrity policy with your existing code integrity policies to protect machines running the catalog file. You need to do this step to trust and run your catalog files. For more information, see the Merging code integrity policies in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). 6. Open the root certificate that you downloaded, and follow the steps in **Certificate Import wizard** to install the certificate in your machine's certificate store. -7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). \ No newline at end of file +7. Deploy signed catalogs to your managed devices. For more information, see Deploy catalog files with Group Policy, or Deploy catalog files with Microsoft Endpoint Manager in the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). From 431a5e5d0f76b5cea2ee8753b48068bb89ad9b25 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Fri, 21 May 2021 10:36:57 -0700 Subject: [PATCH 2/3] Update device-guard-signing-portal.md Update DGSSv1 retirement date. --- store-for-business/device-guard-signing-portal.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 19b24783d0..6ad01e0f88 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -18,12 +18,12 @@ ms.date: 10/17/2017 # Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> For any questions, please contact us at DGSSMigration@microsoft.com. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** @@ -72,4 +72,4 @@ Catalog and policy files have required files types. Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. ## Device Guard signing certificates -All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. \ No newline at end of file +All certificates generated by the Device Guard signing service are unique per customer and are independent of the Microsoft production code signing certificate authorities. All Certification Authority (CA) keys are stored within the cryptographic boundary of Federal Information Processing Standards (FIPS) publication 140-2 compliant hardware security modules. After initial generation, root certificate keys and top level CA keys are removed from the online signing service, encrypted, and stored offline. From 09500541cbc480fcab3883b390caf00e4d90c1a0 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Fri, 21 May 2021 10:37:11 -0700 Subject: [PATCH 3/3] Update sign-code-integrity-policy-with-device-guard-signing.md Update DGSSv1 retirement date. --- .../sign-code-integrity-policy-with-device-guard-signing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index ef38349ddd..ffdff3f7c1 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md @@ -18,12 +18,12 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until June 9, 2021 to transition to DGSS v2. On June 9, 2021, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by June 9, 2021. > > Following are the major changes we are making to the service: > - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). -> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. +> - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired, you will no longer be able to download the leaf certificates used to sign your files. > > The following functionality will be available via these PowerShell cmdlets: > - Get a CI policy @@ -58,4 +58,4 @@ Before you get started, be sure to review these best practices: 4. After the files are uploaded, click **Sign** to sign the code integrity policy. 5. Click **Download** to download the signed code integrity policy. - When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy. \ No newline at end of file + When you sign a code integrity policy with the Device Guard signing portal, the signing certificate is added to the policy. This means you can't modify this policy. If you need to make changes, make them to an unsigned version of the policy, and then resign the policy.