Windows Supply Chain Security Guide

Practical guidance for protecting Windows workstations against supply chain attacks. Covers Authenticode verification, WDAC policy creation, Windows Update integrity, and driver signing verification.

Securing the Windows Supply Chain

Windows workstations face unique supply chain risks from driver signing, update mechanisms, and the broad software ecosystem.

Step 1: Verify Code Signatures

Always check Authenticode signatures before running executables:

Get-AuthenticodeSignature -FilePath .\installer.exe
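Checking one installer by hand does not scale, and a Valid status only means the signature verifies and chains to a root trusted on that machine, not that the publisher is one you expect. The following added example (not part of the original guide) walks a staging folder, checks every executable, DLL, driver, MSI and script, and flags anything whose signature is not Valid or whose signing certificate thumbprint is not on an allow list; the thumbprint value and the C:\Staging path are placeholders.

```powershell
# Added example: batch Authenticode verification with a publisher allow list.
# Replace the placeholder thumbprint with the SHA-1 thumbprints of your vendors'
# code-signing certificates (as shown by Get-AuthenticodeSignature).

function Test-TrustedSignatures {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $AllowedThumbprints = @('PLACEHOLDER_VENDOR_THUMBPRINT')
    )

    $files = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys, *.msi, *.ps1
    foreach ($file in $files) {
        $sig   = Get-AuthenticodeSignature -FilePath $file.FullName
        $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null }

        # Status values worth acting on:
        #   NotSigned    - no signature at all
        #   HashMismatch - signed, but the file was modified after signing (tampering indicator)
        #   NotTrusted   - signed, but the chain does not end at a trusted root on this host
        # 'Valid' still needs the publisher check below before the file is treated as trusted.
        $trusted = ($sig.Status -eq 'Valid') -and ($AllowedThumbprints -contains $thumb)

        [pscustomobject]@{
            File        = $file.FullName
            Status      = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            Thumbprint  = $thumb
            Timestamped = [bool] $sig.TimeStamperCertificate   # countersigned, survives cert expiry
            IsOSBinary  = $sig.IsOSBinary                       # signed by Microsoft as part of Windows
            Trusted     = $trusted
        }
    }
}

# Usage: list everything in the staging folder that must not be deployed as-is.
Test-TrustedSignatures -Path 'C:\Staging' |
    Where-Object { -not $_.Trusted } |
    Format-Table File, Status, Signer, Thumbprint -AutoSize
```

Run it on the same host that will install the software, since chain trust depends on that machine's certificate stores.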

Step 2: Create WDAC Policies

Start with a restrictive WDAC policy in audit mode:

New-CIPolicy -Level Publisher -FilePath .\policy.xml -UserPEs

Step 3: Verify Windows Update Integrity

Ensure Windows Update is communicating with legitimate Microsoft servers and that updates are properly signed.

Step 4: Monitor Driver Loading

Use HVCI (Hypervisor-Protected Code Integrity) to prevent unsigned drivers from loading into the kernel.

Step 5: Enforce Script Signing

Configure PowerShell execution policy to AllSigned and sign all internal scripts with a code signing certificate.

Resources

Videos

Securing the Software Supply Chain with Code Signing

Encryption Consulting's webinar connects the dots between code signing, PKI, hardware security modules, and the supply chain attacks that made headlines (looking at you, Kaseya VSA). It's a 36-minute masterclass in understanding why that little digital signature on your software isn't just bureaucratic overhead; it's the difference between deploying trusted code and rolling out someone else's backdoor.

Everything about code signing and how not to use it

Raimund Andree's PowerShell.org talk is the refreshingly honest take on code signing that most tutorials skip: when it works, when it doesn't, and all the spectacular ways people get it wrong. Nearly 50 minutes of practical wisdom from someone who's seen the signing mishaps firsthand, this one's essential viewing for anyone who thinks "I signed it, so it's secure" is the end of the conversation.
