fixing acrolinx and adding ci policy guide

Author: microsoftshawarma

articles/trusted-signing/faq.yml

@@ -17,7 +17,7 @@ summary: |
 sections:
   - name: Onboarding
     questions:
-      - question: What Windows versions does Trusted Signing support? # Question.
+      - question: What Windows versions do Trusted Signing support? # Question.
         answer: | 
           Refer to the [Trusted Signing Program Windows Support](https://support.microsoft.com/topic/kb5022661-windows-support-for-the-azure-code-signing-program-4b505a31-fa1e-4ea6-85dd-6630229e8ef4) page for details about Windows support for Trusted Signing.
           The service is supported on all currently supported versions of:
@@ -49,10 +49,10 @@ sections:
           If more documentation is required for identity validation, you're asked to provide those documents on the Azure portal. Otherwise, we recommend checking for an email sent to the listed address for email validation. However, if your organization fails identity validation we can't onboard you to Trusted Signing. We recommend you delete your Trusted Signing account so you don't get billed for unused resources.
       - question: What is the cost of using Trusted Signing?
         answer: | 
-          For the beginning of Public Preview until June 2024 Trusted Signing will be free. You will still be prompted to select a Basic or Premium SKU when you create your account and we will throttle signing requests.
+          For the beginning of Public Preview until June 2024 Trusted Signing is free. You'll still be prompted to select a Basic or Premium SKU when you create your account and we throttle signing requests.
       - question: What are my support options when onboarding to Trusted Signing?
         answer: | 
-          If you are a managed customer on Azure and have a support plan you can create a support ticket with the service on the Azure portal to be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.  
+          If you're a managed customer on Azure, and have a support plan you can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.  
   - name: Certificate Profiles
     questions:
       - question: What if my Trusted Signing subject name is different than my old cert and my MSIX's package name is now different? 

articles/trusted-signing/how-to-sign-ci-policy.md

@@ -0,0 +1,68 @@
+---
+title: Signing CI Policies #Required; page title is displayed in search results. Include the brand.
+description: Learn how to sign new CI policies with Trusted Signing. #Required; article description that is displayed in search results. 
+author: microsoftshawarma #Required; your GitHub user alias, with correct capitalization.
+ms.author: rakiasegev #Required; microsoft alias of author; optional team alias.
+ms.service: azure-code-signing #Required; service per approved list. slug assigned by ACOM.
+ms.topic: how-to #Required; leave this attribute/value as-is.
+ms.date: 04/04/2024 #Required; mm/dd/yyyy format.
+ms.custom: template-how-to-pattern #Required; leave this attribute/value as-is.
+---
+
+# Sign CI Policies with Trusted Signing
+
+To sign new CI policies with the service first install several prerequisites. 
+
+
+Prerequisites: 
+* A Trusted Signing account, Identity Validation, and Certificate Profile.
+* Ensure there are proper individual or group role assignments for signing (“Trusted Signing Certificate Profile Signer” role).
+* [Azure PowerShell on Windows](https://learn.microsoft.com/en-us/powershell/azure/install-azps-windows?view=azps-9.7.1&tabs=powershell&pivots=windows-msi) installed 
+* [Az.CodeSigning](https://learn.microsoft.com/en-us/powershell/module/az.codesigning/?view=azps-11.4.0) module downloaded
+
+Overview of steps:
+1. ⁠Unzip the Az.CodeSigning module to a folder
+2. ⁠Open Windows PowerShell [PowerShell 7](https://github.com/PowerShell/PowerShell/releases/latest)
+3. In the Az.CodeSigning folder, run 
+```Import-Module .\Az.CodeSigning.psd1
+``` 
+4. Optionally you can create a `metadata.json` file:
+```
+Endpoint "https://scus.codesigning.azure.net/" 
+CodeSigningAccountName "youracsaccount" 
+CertificateProfileName "youracscertprofile" 
+```
+5. [Get the root certificate](https://learn.microsoft.com/en-us/powershell/module/az.codesigning/get-azcodesigningrootcert?view=azps-11.4.0) to be added to the trust store
+```
+Get-AzCodeSigningRootCert -AccountName TestAccount -ProfileName TestCertProfile -EndpointUrl https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cer
+```
+Or using a metadata.json
+```
+Get-AzCodeSigningRootCert -MetadataFilePath C:\temp\metadata.sample.scus.privateci.json https://xxx.codesigning.azure.net/ -Destination c:\temp\root.cer 
+```
+6. To get the EKU (Extended Key Usage) to insert into your policy:
+```
+Get-AzCodeSigningCustomerEku -AccountName acstestcanary -ProfileName acstestcanaryCert1 -EndpointUrl https://xxx.codesigning.azure.net/ 
+```
+Or
+
+```
+Get-AzCodeSigningCustomerEku -MetadataFilePath C:\temp\metadata.sample.scus.privateci.json 
+```
+7. To sign your policy, you run the invoke command:
+``` 
+Invoke-AzCodeSigningCIPolicySigning -accountName acstestcanary -profileName acstestcanaryCert1 -endpointurl "https://xxx.codesigning.azure.net/" -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.com 
+```
+ 
+Or use a `metadata.json` file and the following command: 
+
+```
+Invoke-AzCodeSigningCIPolicySigning -MetadataFilePath C:\temp\metadata.sample.scus.privateci.json -Path C:\Temp\defaultpolicy.bin -Destination C:\Temp\defaultpolicy_signed.bin -TimeStamperUrl: http://timestamp.acs.microsoft.com 
+```
+
+## Creating and Deploying a CI Policy
+
+For steps on creating and deploying your CI policy refer to:
+* [Use signed policies to protect Windows Defender Application Control against tampering](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/deployment/use-signed-policies-to-protect-wdac-against-tampering)
+* [Windows Defender Application Control design guide](https://learn.microsoft.com/en-us/windows/security/application-security/application-control/windows-defender-application-control/design/wdac-design-guide)
+

articles/trusted-signing/how-to-signing-integrations.md

@@ -5,7 +5,7 @@ author: microsoftshawarma #Required; your GitHub user alias, with correct capita
 ms.author: rakiasegev #Required; microsoft alias of author; optional team alias.
 ms.service: azure-code-signing #Required; service per approved list. slug assigned by ACOM.
 ms.topic: how-to #Required; leave this attribute/value as-is.
-ms.date: 03/21/2024 #Required; mm/dd/yyyy format.
+ms.date: 04/04/2024 #Required; mm/dd/yyyy format.
 ms.custom: template-how-to-pattern #Required; leave this attribute/value as-is.
 ---
 
@@ -17,7 +17,8 @@ Trusted Signing currently supports the following signing integrations:
 * ADO Task
 * PowerShell for Authenticode
 * Azure PowerShell - App Control for Business CI Policy
-We constantly work to support more signing integrations and will update the above list if/when more are available. 
+
+We constantly work to support more signing integrations and update the above when more become available. 
 
 This article explains how to set up each of the above Trusted Signing signing integrations.
 
@@ -119,6 +120,6 @@ This section explains how to set up other not [SignTool](#set-up-signtool-with-t
 
 * PowerShell for Authenticode – To use PowerShell for Trusted Signing, visit [PowerShell Gallery | Trusted Signing 0.3.8](https://www.powershellgallery.com/packages/TrustedSigning/0.3.8) to install the PowerShell module. 
 
-* Azure PowerShell – App Control for Business CI Policy - App Control for Windows [link to CI policy signing tutorial].
+* Azure PowerShell: App Control for Business CI Policy – To use Trusted Signing for CI policy signing follow the instructions at [Signing a New CI policy](./how-to-sign-ci-policy.md) and visit the [Az.CodeSigning PowerShell Module](https://learn.microsoft.com/en-us/powershell/module/az.codesigning/?view=azps-11.4.0).
 
 * Trusted Signing SDK – To create your own signing integration our [Trusted Signing SDK](https://www.nuget.org/packages/Azure.CodeSigning.Sdk) is publicly available.

articles/trusted-signing/tutorial-assign-roles.md

@@ -27,11 +27,18 @@ The Identity Verified role specifically is needed to manage Identity Validation
 
 ## Assign roles in Trusting Signing
 Complete the following steps to assign roles in Trusted Signing.
+
 1.	Navigate to your Trusted Signing account on the Azure portal and select the **Access Control (IAM)** tab in the left menu. 
 2.	Select on the **Roles** tab and search "Trusted Signing". You can see in the screenshot below the two custom roles.
 ![Screenshot of Azure portal UI with the Trusted Signing custom RBAC roles.](./media/trusted-signing-rbac-roles.png)
 
-3. To assign these roles, select on the **Add** drop down and select **Add role assignment**. Follow the [Assign roles in Azure](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=current) guide to assign the relevant roles to your identities. _Note that you will need at least a Contributor role to create a Trusted Signing account and certificate profile._
+3. To assign these roles, select on the **Add** drop down and select **Add role assignment**. Follow the [Assign roles in Azure](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal?tabs=current) guide to assign the relevant roles to your identities. _You'll need at least a Contributor role to create a Trusted Signing account and certificate profile._
+4. For more granular access control on the certificate profile level, you can use the Azure CLI to assign roles. The following commands can be used to assign the _Code Signing Certificate Profile Signer_ role to users/service principles to sign files. 
+```
+az role assignment create --assignee <objectId of user/service principle> 
+--role "Code Signing Certificate Profile Signer" 
+--scope "/subscriptions/<subscriptionId>/resourceGroups/<resource-group-name>/providers/Microsoft.CodeSigning/codeSigningAccounts/<codesigning-account-name>/certificateProfiles/<profileName>" 
+```
 
 ## Related content 
 * [What is Azure role-based access control (RBAC)?](../role-based-access-control/overview.md)