Having issues debugging CI Policy signature transition from Local CA -Windows 10

Evan Sorenson 0 Reputation points
2024-10-01T22:14:02.5333333+00:00

I'm performing some internal tests around migrating WDAC CI policies from a local CA instance to the Azure signing backend using the documentation provided and I'm hitting a bit of a brick wall.

We're able to sign the existing base policies using the PowerShell cmdlets and get back the new signed binaries which report back as being successfully signed, but SecureBoot is actively preventing us from using them with Secure Boot on several machines. Versioning between the policies has been maintained.

With secure boot disabled, the policies are being loaded and enforced. Sadly there isn't much debug output or direction regarding validating the signed CIP before loading it onto a system.

Has anyone gotten the CI policies with Azure signing running using Windows 10 at this point?


1 answer

  1. Q&A Assist
    2024-10-01T22:14:02.55+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Based on the provided context, it is recommended to verify that the CI policy file is well-formed and successfully signed. If the policy file is not well-formed or successfully signed, the policy will not be activated, and the machine will not reboot successfully. Additionally, it is important to confirm that Code Integrity event 3099 is showing after the machine reboots, which means the new CI policy is activated. If the event is not showing, it is recommended to restart from step 1 and ensure that the CI policy file is well-formed and successfully signed before proceeding.

    As for the issue with Secure Boot preventing the use of signed binaries, it is recommended to ensure that the signed binaries are properly signed using Trusted Signing and that the signing certificate is trusted by the machines. It is also important to ensure that the signed binaries are compatible with Secure Boot.

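The answer above names the checks but not how to run them. The script below is an added diagnostic, not code from the thread or from Microsoft's WDAC documentation. It assumes the signed policy is a PKCS#7 SignedData blob with embedded content (what signtool /p7 and the Trusted Signing cmdlets produce for WDAC policies), and it reads three things a defender wants before blaming Secure Boot: the Secure Boot state, the signer and validity of the signature on the .cip, and whether Code Integrity logged event 3099 since the last boot. The `-CipPath` and `-ExpectedSignerThumbprint` parameters are this script's own; the .cip path shown in the comment is a placeholder.

```powershell
# Added diagnostic for a signed WDAC policy (not from the Q&A thread or the WDAC docs).
# Assumption: the .cip is a PKCS#7 SignedData blob with embedded content.
param(
    [Parameter(Mandatory)][string]$CipPath,   # e.g. C:\Policies\<PolicyGUID>.cip (placeholder)
    [string]$ExpectedSignerThumbprint         # optional: thumbprint of the Trusted Signing cert you used
)

# SignedCms lives in System.Security.dll on Windows PowerShell 5.1; on PowerShell 7 it is already loaded.
Add-Type -AssemblyName System.Security -ErrorAction SilentlyContinue

# 1. Secure Boot state. Confirm-SecureBootUEFI throws on legacy-BIOS hosts and needs elevation, so guard it.
try {
    Write-Host "Secure Boot enabled : $(Confirm-SecureBootUEFI)"
} catch {
    Write-Host "Secure Boot state unavailable (non-UEFI or not elevated): $($_.Exception.Message)"
}

# 2. Parse the PKCS#7 envelope. An unsigned .bin renamed to .cip fails right here.
$bytes = [IO.File]::ReadAllBytes($CipPath)
$cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
try {
    $cms.Decode($bytes)
} catch {
    throw "Not a PKCS#7 SignedData blob (was the unsigned .bin renamed to .cip?): $($_.Exception.Message)"
}
Write-Host "Content type OID    : $($cms.ContentInfo.ContentType.Value)"
Write-Host "Embedded policy size: $($cms.ContentInfo.Content.Length) bytes"

foreach ($si in $cms.SignerInfos) {
    $cert = $si.Certificate
    Write-Host "Signer subject      : $($cert.Subject)"
    Write-Host "Signer thumbprint   : $($cert.Thumbprint)"
    Write-Host "Digest algorithm    : $($si.DigestAlgorithm.FriendlyName)"
    # EKU extension (OID 2.5.29.37): confirm the signer is actually a code-signing certificate
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($eku) {
        Write-Host "Signer EKUs         : $(($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ')"
    }
    if ($ExpectedSignerThumbprint -and $cert.Thumbprint -ne $ExpectedSignerThumbprint) {
        Write-Warning "Signer thumbprint does not match the expected Trusted Signing certificate"
    }
}

# Verify the cryptographic signature only ($true); chain trust is reported separately below.
try {
    $cms.CheckSignature($true)
    Write-Host "PKCS#7 signature    : valid"
} catch {
    Write-Warning "PKCS#7 signature check failed: $($_.Exception.Message)"
}

# Build the chain against this host's certificate stores, i.e. the trust the target machine must also hold.
foreach ($si in $cms.SignerInfos) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; revocation is not the question here
    $ok = $chain.Build($si.Certificate)
    Write-Host "Chain to trusted root on this host: $ok"
    if (-not $ok) { $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() } }
}

# 3. Event 3099 (Code Integrity policy activated) since the last boot, the signal the answer points to.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = $boot
} -ErrorAction SilentlyContinue
if ($events) {
    $events | Sort-Object TimeCreated | ForEach-Object {
        Write-Host ("3099 @ {0}: {1}" -f $_.TimeCreated, ($_.Message -split "`n")[0])
    }
} else {
    Write-Warning "No event 3099 since last boot ($boot): no CI policy was activated on this boot"
}
```

Run it elevated on the machine that refuses the policy. A Decode failure or a signature failure means the artifact coming out of the signing step is the problem; a valid signature with a chain that does not build means the signer is not trusted on that host; a valid, trusted signature with no 3099 after reboot narrows the fault to how the policy is being deployed rather than how it was signed.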
