From d539bcaa48811349bf6416214f2592866d7d34d3 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Fri, 2 Dec 2022 09:19:59 -0800 Subject: [PATCH] Update use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md --- ...ct-windows-defender-application-control-against-tampering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index b619d2bba0..2be27b87e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md 
@@ -70,7 +70,7 @@ Before you attempt to deploy signed WDAC policy, you should first deploy an unsi cd $PolicyPath ``` -3. Add an **<UpdatePolicySigner>** rule to the WDAC policy for your policy signing certificate. If you're using the Device Guard Signing Service v2 (DGSS) to sign your policy, you can find the policy signer rule in your tenant's default policy, which you can download from [Get-DefaultPolicy](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-defaultpolicy). +3. If your WDAC policy doesn't already include an **<UpdatePolicySigner>** rule for your policy signing certificate, you must add it. At least one **<UpdatePolicySigner>** rule must exist to convert your WDAC policy XML with [ConvertFrom-CiPolicy](/powershell/module/config-ci/convertfrom-cipolicy). If you're using the Device Guard Signing Service v2 (DGSS) to sign your policy, you can find the policy signer rule in your tenant's default policy, which you can download from [Get-DefaultPolicy](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-defaultpolicy). Otherwise, use [Add-SignerRule](/powershell/module/configci/add-signerrule) and create an **<UpdatePolicySigner>** rule from your certificate file (.cer). DGSS users can download the root certificate file from [Get-RootCertificate](/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business#get-rootcertificate). If you purchased a code signing certificate or issued one from your own public key infrastructure (PKI), you can export the certificate file.
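Review bot: In the added step 3, the two PowerShell reference links use different module paths: `/powershell/module/config-ci/convertfrom-cipolicy` for ConvertFrom-CiPolicy, but `/powershell/module/configci/add-signerrule` for Add-SignerRule. Both cmdlets belong to the same module, so one of these links is likely broken. Please make the ConvertFrom-CiPolicy link use the same `configci` path segment as the Add-SignerRule link, and verify that both resolve. Separately, the step now combines the DGSS path and the own-certificate path in one paragraph, and "Otherwise" has to be read back across two sentences to find what it contrasts with. Consider splitting the two cases into sub-bullets so a reader following the signing procedure can see which certificate source applies to them.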