Signing MSIX using device guard


Hi John,

I was watching one of your slides where you spoke about using Device Guard signing. I am in the middle of testing MSIX and wanted to check if your sign-packages-wdgss.ps1 file is placed on GitHub for us to use.

I would also like to know whether, by using this method, we do not have to place any certificate on the client, as our MSIX is already signed by MS since we are in an Azure tenant. Is my understanding correct?

1 Reply

@Amit Kumar There still needs to be a root certificate installed on your client. Each tenant has a unique root. This way Fabrikam's apps are not trusted by Contoso. You can enable the Device Guard Signer role and download the root certificate from the Microsoft Store for Business web portal.

John (@jvintzel)

PM Lead, MSIX
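
The trust relationship described in the reply can be checked on a client with the following PowerShell, which is an added example and not code from the thread or from the sign-packages-wdgss.ps1 script mentioned above. It reports whether a signed package chains to your tenant's root and whether that root is present in the machine's Trusted Root store. Both file paths and the function name `Test-PackageChainsToRoot` are placeholders, and the script assumes `Get-AuthenticodeSignature` returns the signer of an .msix file on the client's Windows build.

```powershell
# Added example. Both paths are placeholders (assumptions), not values from the thread.
param(
    [string]$RootCertPath = 'C:\certs\tenant-root.cer',  # root downloaded from the portal
    [string]$PackagePath  = 'C:\packages\MyApp.msix'     # package signed for your tenant
)

# Hypothetical helper: true only if the signer's chain ends at the given root.
function Test-PackageChainsToRoot {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Signer,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    try {
        # Offer the tenant root as a candidate so the result does not depend
        # on what is already installed in the machine stores.
        [void]$chain.ChainPolicy.ExtraStore.Add($Root)
        $chain.ChainPolicy.RevocationMode    = 'NoCheck'
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        [void]$chain.Build($Signer)

        $count = $chain.ChainElements.Count
        if ($count -eq 0) { return $false }

        # The last chain element is the top of the chain; pin it to the tenant root.
        $top = $chain.ChainElements[$count - 1].Certificate
        return ($top.Thumbprint -eq $Root.Thumbprint)
    }
    finally { $chain.Dispose() }
}

$root = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($RootCertPath)
$sig  = Get-AuthenticodeSignature -FilePath $PackagePath
if (-not $sig.SignerCertificate) { throw "No signature found on $PackagePath" }

[pscustomobject]@{
    Package               = $PackagePath
    SignatureStatus       = $sig.Status   # 'Valid' only once the root is trusted locally
    ChainsToTenantRoot    = Test-PackageChainsToRoot -Signer $sig.SignerCertificate -Root $root
    RootInstalledOnClient = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
}

# To install the root on a client (elevated prompt):
# Import-Certificate -FilePath $RootCertPath -CertStoreLocation Cert:\LocalMachine\Root
```

A package signed under a different tenant yields `ChainsToTenantRoot = False` even when its signature is otherwise intact, which is the per-tenant isolation the reply describes.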