From 3e2f3642d6f8169153ca20d3ca0083a5efd805d3 Mon Sep 17 00:00:00 2001 From: Violet Date: Thu, 25 Apr 2024 20:00:49 +0300 Subject: [PATCH] Removed notice about not using UTF-8 encoding The UTF-8 encoding can totally be used for certificate subject names when deploying a signed WDAC policy and no problem such as boot failures occurs as a result of that. I've tested this for long periods of time and continue to use it daily. --- .../use-signed-policies-to-protect-wdac-against-tampering.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md index 72139cebfa..91903fcb90 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering.md @@ -21,7 +21,6 @@ If you don't currently have a code signing certificate you can use to sign your > - All policies, including base and supplemental, must be signed according to the [PKCS 7 Standard](https://datatracker.ietf.org/doc/html/rfc5652). > - Use RSA keys with 2K, 3K, or 4K key size only. ECDSA isn't supported. > - You can use SHA-256, SHA-384, or SHA-512 as the digest algorithm on Windows 11, as well as Windows 10 and Windows Server 2019 and above after applying the November 2022 cumulative security update. All other devices only support SHA-256. -> - Don't use UTF-8 encoding for certificate fields, like 'subject common name' and 'issuer common name'. These strings must be encoded as PRINTABLE_STRING, IA5STRING or BMPSTRING. Before you attempt to deploy a signed policy, you should first deploy an unsigned version of the policy to uncover any issues with the policy rules. We also recommend you enable rule options **9 - Enabled:Advanced Boot Options Menu** and **10 - Enabled:Boot Audit on Failure** to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath -Option 9`, even if you're not sure whether the option is already enabled. If so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](../design/select-types-of-rules-to-create.md).