Share via

Unable to sign WDAC policy file(bin or p7b) file.

Verma, Vikram 10 Reputation points
2023-01-23T12:01:37.4233333+00:00

Hi,

To sign our WDAC policy file we are following Microsoft article Use signed policies to protect Windows Defender Application Control. In order to sign SIPolicy file we need to have code signing certificate. We need few clarifications which are described below:

  1. As per above mentioned link, it specifically needs ContosoSigningCert code signing certificate to sign the WDAC policy, below is the mentioned command. As we are unable to get this certificate, can you please provide us this certificate. Or in case we can sign it with some other certificate, please share information regarding that.

<Path to signtool.exe> sign -v -n "ContosoSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin

  1. We also checked about Device Guard Signing Service v2 (DGSS) is a code signing service. But information available over the web is too generic to apply for our case. In order to sign our WDAC policy file can we get some concrete steps wise information or any other related information regarding this.

Regards,

Vikram Verma

Windows for business | Windows Client for IT Pros | Devices and deployment | Configure application groups
Windows for business | Windows Client for IT Pros | User experience | Other

Locked Question. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

0 comments

3 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. HotCakeX 91 Reputation points MVP
    2023-05-14T21:56:40.12+00:00

    Hi,

    I've created a PowerShell module called WDACConfig that automates all of the WDAC related tasks including signing and deploying a signed WDAC policy.

    You can check it out on my GitHub: https://github.com/HotCakeX/Harden-Windows-Security/wiki/WDACConfig

    How to Create and Deploy a Signed WDAC Policy Windows Defender Application Control (Videos included):

    https://github.com/HotCakeX/Harden-Windows-Security/wiki/How-to-Create-and-Deploy-a-Signed-WDAC-Policy-Windows-Defender-Application-Control

    Was this answer helpful?

    1 person found this answer helpful.
    0 comments
  2. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

  3. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more