Improvements for Device Guard management
1. Using the Microsoft knowledge base for Device Guard, I would like to create a new CI policy by using New-CIPolicy. Then, I want to merge it with the Configuration Manager Code Integrity policy (Merge-CIPolicy). This should be possible from the GUI as well.
2. Adding other trust rule methods via the GUI (i.e. PcaCertificate, hash).
3. Deploy Device Guard trusted installer policies via OSD. This would allow policies to be active immediately after domain join and before any software is installed.
4. This one is key but is heavily dependent on #2:
a) Use case 1: An executive needs to join a video conference with a third party. They are currently out of the office and the video conference software is blocked by Device Guard.
b) Use case 2: Packaging an application that has an installer does not currently work with managed installer enabled.
c) Use case 3: Trusting an application that automatically updates itself.
d) Potential solution: Use Client Notification to set a client temporarily into an audit mode policy for a defined period of time. During this time period, capture all audit failures into a catalog file and send them to the management point. Allow reviewing, signing and deployment of this catalog file to the C:\Windows\CatRoot folder, or merging with a defined enforce policy.
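For reference, the two workflows requested above (item 1: New-CIPolicy followed by Merge-CIPolicy; item 4d: a temporary audit window whose failures are captured, reviewed and merged back into the enforce policy) can already be driven by hand with the ConfigCI cmdlets that ship in Windows 10 / Server 2016. The script below is an added example, not code from the original request or from Configuration Manager. The folder C:\DGPolicy, the file names, and the existence of an exported ConfigMgr policy XML at ConfigMgrPolicy.xml are assumptions; the cmdlet names, parameters, rule option number and event ID are as documented by Microsoft.

```powershell
# Added example (not part of the original feature request).
# Assumption: $PolicyDir exists or can be created, and $CmPolicy is the
# Configuration Manager Code Integrity policy exported as XML.
$PolicyDir     = 'C:\DGPolicy'
$ScanPolicy    = Join-Path $PolicyDir 'ScanPolicy.xml'       # output of New-CIPolicy
$CmPolicy      = Join-Path $PolicyDir 'ConfigMgrPolicy.xml'  # assumed: exported ConfigMgr CI policy
$MergedPolicy  = Join-Path $PolicyDir 'MergedPolicy.xml'     # item 1 result
$AuditCapture  = Join-Path $PolicyDir 'AuditCapture.xml'     # item 4d: rules built from audit events
$EnforcePolicy = Join-Path $PolicyDir 'EnforcePolicy.xml'    # item 4d: final enforce policy
$BinaryPolicy  = Join-Path $PolicyDir 'SIPolicy.p7b'         # binary form the kernel loads

New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# ---- Item 1: build a policy from a reference scan and merge it with the ConfigMgr policy ----
# PcaCertificate trusts the issuing CA of each signed binary; anything unsigned
# falls back to a per-file hash. -UserPEs covers user-mode binaries as well as kernel.
New-CIPolicy -Level PcaCertificate -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $ScanPolicy

Merge-CIPolicy -PolicyPaths $ScanPolicy, $CmPolicy -OutputFilePath $MergedPolicy

# ---- Item 4d, step 1: put the merged policy into audit mode for the temporary window ----
# Rule option 3 is "Enabled:Audit Mode": violations are logged, not blocked.
Set-RuleOption -FilePath $MergedPolicy -Option 3
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryPolicy
# Deploy $BinaryPolicy as C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot
# (for the unsigned-policy case; a signed policy must first carry an -Update signer
# rule, see the note after the script).

# ---- Item 4d, step 2 (after the window): turn the audit failures into rules ----
# -Audit reads event ID 3076 from Microsoft-Windows-CodeIntegrity/Operational
# instead of scanning the disk, so only what actually ran during the window is captured.
New-CIPolicy -Audit -Level Hash -Fallback Hash -UserPEs -FilePath $AuditCapture

# Review before trusting: list the rules the capture would add.
Get-CIPolicy -FilePath $AuditCapture | Format-Table -AutoSize

# ---- Item 4d, step 3: fold the reviewed capture back into an enforce policy ----
Merge-CIPolicy -PolicyPaths $MergedPolicy, $AuditCapture -OutputFilePath $EnforcePolicy
Set-RuleOption -FilePath $EnforcePolicy -Option 3 -Delete   # remove audit mode = enforce
ConvertFrom-CIPolicy -XmlFilePath $EnforcePolicy -BinaryFilePath $BinaryPolicy

# Sanity check: the enforce policy must no longer contain "Enabled:Audit Mode".
$auditStillOn = Select-String -Path $EnforcePolicy -Pattern 'Enabled:Audit Mode' -Quiet
if ($auditStillOn) { throw "EnforcePolicy.xml still has audit mode enabled" }
```

Two caveats a practitioner should keep in mind. First, once a policy is signed, Windows only accepts an update that is signed by a certificate the policy already lists as an update signer, so the signing certificate has to be added with Add-SignerRule -Update before the first signed deployment; otherwise the temporary audit-mode swap in item 4d cannot be applied at all. Second, the 3076 capture is driven by whatever ran during the window, so the review step is where a genuinely unwanted binary that happened to execute gets rejected; merging the capture unreviewed turns the audit window into a self-service allowlist.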