Improvements for Device Guard management
- Using the Microsoft knowledge base for Device Guard, I would like to create a new CI policy by using New-CIPolicy and then merge it with the Configuration Manager Code Integrity policy (Merge-CIPolicy). This should be possible from the GUI as well.
- Add other trust rule methods via the GUI (e.g. PCACertificate, Hash).
- Deploy Device Guard trusted installer policies via OSD. This would allow policies to be active immediately after domain join and before any software is installed.
- This one is key but is heavily dependent on #2 above (adding other trust rule methods via the GUI):
  a) Use case 1: An executive needs to join a video conference with a third party. They are currently out of the office and the video conference software is blocked by Device Guard.
  b) Use case 2: Packaging an application that has an installer does not currently work with managed installer enabled.
  c) Use case 3: Trusting an application that automatically updates itself.
  d) Potential solution: Use Client Notification to switch a client temporarily into an audit mode policy for a defined period of time. During this time period, capture all audit failures into a catalog file and send them to the management point. Allow reviewing, signing and deployment of this catalog file to the C:\Windows\System32\CatRoot folder, or merging it with a defined enforce policy.
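As an added example (not part of the original request), this is the PowerShell flow behind the first bullet and item d) above, run in an elevated session on a reference machine: build a base policy with New-CIPolicy, attach an explicit trust rule of another type, produce a temporary audit-mode copy, convert the audit failures logged during that window into rules, and merge them back into the enforced policy with Merge-CIPolicy. The working folder C:\CIPolicy, the policy file names and the installer path C:\Installers\Example-Setup.exe are assumptions, not anything Configuration Manager or the post specifies.

```powershell
# Added example: New-CIPolicy / Merge-CIPolicy round trip with a temporary audit window.
# All paths below are assumptions; run from an elevated PowerShell on the reference machine.

$Work      = 'C:\CIPolicy'                  # assumed working folder
$Base      = "$Work\Enforced.xml"           # assumed name of the enforced base policy
$BaseRules = "$Work\Enforced-WithRule.xml"
$AuditXml  = "$Work\Enforced-Audit.xml"
$Captured  = "$Work\AuditCaptured.xml"
$Merged    = "$Work\Merged.xml"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Base policy from the golden image: trust by the signing chain's PCA certificate and
#    fall back to a file hash for unsigned binaries. -UserPEs includes user-mode code.
New-CIPolicy -FilePath $Base -Level PcaCertificate -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Add one explicit rule of another type (the "other trust rule methods" bullet).
#    A Hash rule for a hypothetical installer; -Level Publisher or PcaCertificate work the same way.
$Rule = New-CIPolicyRule -Level Hash -DriverFilePath 'C:\Installers\Example-Setup.exe'   # hypothetical file
Merge-CIPolicy -OutputFilePath $BaseRules -PolicyPaths $Base -Rules $Rule

# 3. Temporary audit-mode copy (item d): rule option 3 is "Enabled:Audit Mode". A client running
#    this copy logs Event ID 3076 for anything the policy would have blocked instead of blocking it.
Copy-Item $BaseRules $AuditXml -Force
Set-RuleOption -FilePath $AuditXml -Option 3
ConvertFrom-CIPolicy -XmlFilePath $AuditXml -BinaryFilePath "$Work\Enforced-Audit.bin"

# 4. After the audit window, turn the logged audit failures into rules. -Audit reads the
#    Microsoft-Windows-CodeIntegrity/Operational log instead of scanning the disk.
New-CIPolicy -FilePath $Captured -Level PcaCertificate -Fallback Hash -UserPEs -Audit

# Review step: list the audit events that fed step 4 (the blocked file appears in the message)
# so a reviewer can reject anything that should not be trusted before it is merged.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# 5. Merge the reviewed rules into the enforced policy, make sure audit mode is off in the result,
#    and compile it for deployment. Configuration Manager or OSD places the binary on the client
#    as C:\Windows\System32\CodeIntegrity\SIPolicy.p7b.
Merge-CIPolicy -OutputFilePath $Merged -PolicyPaths $BaseRules, $Captured
Set-RuleOption -FilePath $Merged -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath "$Work\SIPolicy.p7b"
```

The check in the review step is the part that keeps the audit window from becoming an allowlist-everything window: anything that ran while the client was in audit mode becomes a rule in the captured XML, so the events (or the captured XML itself) should be read before step 5 runs, and the merged policy should be signed before it is deployed so the client cannot be switched back to audit mode by an unsigned replacement.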