Having issues debugging CI Policy signature transition from Local CA -Windows 10

Evan Sorenson 0 Reputation points
2024-10-01T22:14:02.5333333+00:00

I'm performing some internal tests around migrating WDAC CI policies from a local CA instance to the Azure signing backend using the documentation provided and I'm hitting a bit of a brick wall.

We're able to sign the existing base policies using the powershell commandlets and get back the new signed binaries which report back as being succesfully signed, but SecureBoot is actively preventing us from using them with Secure Boot on several machines. Versioning between the policies has been maintained.

With secure boot disabled, the policies are being loaded and enforced. Sadly there isn't much debug output or direction regarding validating the signed CIP before loading it onto a system.

Has anyone gotten the CI policies with Azure signing running using Windows 10 at this point?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,907 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Q&A Assist
    2024-10-01T22:14:02.55+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Based on the provided context, it is recommended to verify that the CI policy file is well-formed and successfully signed. If the policy file is not well-formed or successfully signed, the policy will not be activated, and the machine will not reboot successfully. Additionally, it is important to confirm that Code Integrity event 3099 is showing after the machine reboots, which means the new CI policy is activated. If the event is not showing, it is recommended to restart from step 1 and ensure that the CI policy file is well-formed and successfully signed before proceeding.

    As for the issue with Secure Boot preventing the use of signed binaries, it is recommended to ensure that the signed binaries are properly signed using Trusted Signing and that the signing certificate is trusted by the machines. It is also important to ensure that the signed binaries are compatible with Secure Boot.

    References:

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.