Add-HgsAttestationCIPolicy

Authorizes a trusted code integrity policy to be used by hosts attesting against HGS.

Syntax

Add-HgsAttestationCIPolicy
   [-InputObject] <Byte[]>
   -Name <String>
   [-PolicyVersion <PolicyVersion>]
   [-Stage]
   [-WhatIf]
   [-Confirm]

Add-HgsAttestationCIPolicy
   [-Path] <String>
   [-Name <String>]
   [-PolicyVersion <PolicyVersion>]
   [-Stage]
   [-WhatIf]
   [-Confirm]

Description

The Add-HgsAttestationCIPolicy cmdlet adds an attestation policy based on a trusted code integrity policy to HGS. When HGS is configured to use TPM attestation, hosts will need to use one of the code integrity policies registered with HGS to successfully pass attestation. Use the New-CIPolicy and ConvertFrom-CIPolicy cmdlets to create a binary code integrity policy that can be passed to this cmdlet.

HGS will not know which software is allowed or disallowed by your policy, nor will it know which policy rules (e.g. enforced CI, reboot actions) are configured in the policy. You should choose a descriptive name for your policy to ensure you know what your policy covers for future reference when reviewing authorized policies.
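The workflow described above, from policy creation to registration, as an added example that is not part of the original cmdlet reference. The file paths, the description text, the scan level and the `New-HgsCIPolicyName` helper with its naming scheme are assumptions chosen for illustration; because HGS cannot tell what a policy allows or whether it is enforced, the helper puts that information, the date and a hash prefix of the binary file into the name.

```powershell
# Added example. Paths, names and the helper below are hypothetical.

function New-HgsCIPolicyName {
    # Builds a traceable friendly name: description, date, and the first
    # 12 hex characters of the binary policy file's SHA-256 hash.
    param(
        [Parameter(Mandatory)] [string] $Description,
        [Parameter(Mandatory)] [string] $BinaryPath
    )
    $hash = (Get-FileHash -Path $BinaryPath -Algorithm SHA256).Hash
    '{0} {1:yyyy-MM-dd} sha256-{2}' -f $Description, (Get-Date), $hash.Substring(0, 12).ToLower()
}

# --- Step 1: on the reference host, create the policy ---
$xml = 'C:\temp\WS2016-Enforced.xml'   # hypothetical path
$bin = 'C:\temp\WS2016-Enforced.p7b'   # hypothetical path

# Scan the reference host and write the policy XML.
# -UserPEs includes user-mode executables in the scan.
New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $xml -UserPEs

# Rule option 3 is "Enabled:Audit Mode". Deleting it makes the policy
# enforced. HGS cannot see this setting, so it is recorded in the name.
Set-RuleOption -FilePath $xml -Option 3 -Delete

# Convert the XML policy to the binary form that HGS accepts.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $bin

# --- Step 2: on the HGS server, after copying the binary file over ---
$name = New-HgsCIPolicyName -Description 'WS2016 Hyper-V host Enforced CI' -BinaryPath $bin

# Dry run first: shows what would be registered without changing HGS.
Add-HgsAttestationCIPolicy -Path $bin -Name $name -WhatIf

# Register using the byte-array parameter set (-InputObject requires -Name).
$bytes = [System.IO.File]::ReadAllBytes($bin)
$info  = Add-HgsAttestationCIPolicy -InputObject $bytes -Name $name

# The cmdlet returns attestation policy information; keep it for the record.
$info | Format-List
```

Keeping the hash prefix in the name lets a reviewer match an authorized policy in HGS to the exact `.p7b` file deployed on hosts by running `Get-FileHash` on that file.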

Examples

Example 1

PS C:\> Add-HgsAttestationCIPolicy -Path C:\temp\WS2016-Enforced.p7b -Name "Windows Server 2016 Enforced CI Policy"

Adds the binary code integrity policy file to HGS and names the policy "Windows Server 2016 Enforced CI Policy".

Parameters

-Confirm

Prompts you for confirmation before running the cmdlet.

Type: SwitchParameter
Aliases: cf
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-InputObject

Byte array containing the contents of a binary code integrity policy file.

Type: Byte[]
Position: 0
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-Name

Friendly name for the code integrity policy.

Type: String
Position: Named
Default value: None
Required: True
Accept pipeline input: False
Accept wildcard characters: False

-Path

Specifies the path of a file that contains the code integrity policy, in binary form. The file typically has a .p7b or .bin extension.

Type: String
Aliases: FilePath, PSPath
Position: 0
Default value: None
Required: True
Accept pipeline input: True
Accept wildcard characters: False

-PolicyVersion

Reserved for future use.

Type: PolicyVersion
Accepted values: None, PolicyVersion1503, PolicyVersion1704
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-Stage

Reserved for future use.

Type: SwitchParameter
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type: SwitchParameter
Aliases: wi
Position: Named
Default value: None
Required: False
Accept pipeline input: False
Accept wildcard characters: False

Inputs

Byte[], System.String

This cmdlet accepts a code integrity policy as a Byte array or filename.

Outputs

AttestationPolicyInfo

This cmdlet returns attestation policy information.