Add-HgsAttestationCIPolicy
Authorizes a trusted code integrity policy to be used by hosts attesting against HGS.
Syntax
Add-HgsAttestationCIPolicy
[-InputObject] <Byte[]>
-Name <String>
[-PolicyVersion <PolicyVersion>]
[-Stage]
[-WhatIf]
[-Confirm]
Add-HgsAttestationCIPolicy
[-Path] <String>
[-Name <String>]
[-PolicyVersion <PolicyVersion>]
[-Stage]
[-WhatIf]
[-Confirm]
Description
The Add-HgsAttestationCIPolicy cmdlet adds an attestation policy based on a trusted code integrity policy to HGS. When HGS is configured to use TPM attestation, hosts will need to use one of the code integrity policies registered with HGS to successfully pass attestation. Use the New-CIPolicy and ConvertFrom-CIPolicy cmdlets to create a binary code integrity policy that can be passed to this cmdlet.
HGS will not know which software is allowed or disallowed by your policy, nor will it know which policy rules (e.g. enforced CI, reboot actions) are configured in the policy. You should choose a descriptive name for your policy to ensure you know what your policy covers for future reference when reviewing authorized policies.
Examples
Example 1
PS C:\> Add-HgsAttestationCIPolicy -Path C:\temp\WS2016-Enforced.p7b -Name "Windows Server 2016 Enforced CI Policy"
Adds the binary code integrity policy file to HGS and names the policy "Windows Server 2016 Enforced CI Policy".
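The workflow from the Description, as an added example that is not part of the original reference page: build a policy with New-CIPolicy, switch it to enforced mode, convert it to binary, and register it through the -InputObject parameter set under a name that records what the policy is. The file paths, the name format, and the use of Set-RuleOption and Get-FileHash are assumptions of this example.

```powershell
# Assumed paths (constructed for this example, not from the original page).
$xmlPath = 'C:\temp\RefHost-CI.xml'
$binPath = 'C:\temp\RefHost-CI-Enforced.p7b'

# --- On the reference host ---
# Scan the host and build the policy XML. Policies from New-CIPolicy start in audit mode.
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $xmlPath -UserPEs

# Rule option 3 is "Enabled:Audit Mode"; deleting it makes the policy enforced.
Set-RuleOption -FilePath $xmlPath -Option 3 -Delete

# Produce the binary form that the hosts apply and that HGS authorizes.
ConvertFrom-CIPolicy -XmlFilePath $xmlPath -BinaryFilePath $binPath

# --- On the HGS server, after copying the binary file over ---
# HGS cannot tell what the policy allows or whether it is enforced, so the
# name carries the mode and part of the file hash for later review.
$hash = (Get-FileHash -Path $binPath -Algorithm SHA256).Hash
$name = "RefHost Enforced CI - SHA256 $($hash.Substring(0, 16))"

# The -InputObject parameter set takes the file contents as Byte[] and requires -Name.
[byte[]]$policyBytes = [System.IO.File]::ReadAllBytes($binPath)

# Preview the change first, then register the policy and keep the returned info.
Add-HgsAttestationCIPolicy -InputObject $policyBytes -Name $name -WhatIf
$policyInfo = Add-HgsAttestationCIPolicy -InputObject $policyBytes -Name $name
$policyInfo
```

Comparing the hash in the name with Get-FileHash output for the file deployed on a host shows whether that host is running the binary that was authorized.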
Parameters
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-InputObject
Byte array containing the contents of a binary code integrity policy file.
Type: Byte[]
Position: 0
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-Name
Friendly name for the code integrity policy.
Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False
-Path
Specifies the path of a file that contains the code integrity policy, in binary form. The file typically has a .p7b or .bin extension.
Type: String
Aliases: FilePath, PSPath
Position: 0
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False
-PolicyVersion
Reserved for future use.
Type: PolicyVersion
Accepted values: None, PolicyVersion1503, PolicyVersion1704
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-Stage
Reserved for future use.
Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False
Inputs
Byte[], System.String
This cmdlet accepts a code integrity policy as a Byte array or filename.
Outputs
AttestationPolicyInfo
This cmdlet returns attestation policy information.