Device Guard policy isn't getting applied on physical machine

  • Question

  • Hi all,

    I'm currently testing with Device Guard and have followed all the different steps from this technet page to deploy a device guard policy in audit mode. In short, I have followed these steps:

    • Enabled group policy settings to activate device guard (Turn On virtualization based security: Secure Boot and DMA protection + Enable virtualization based protection of code). msinfo32.exe output:
    • New-CIPolicy -level PcaCertificate -filepath C:\InitialScan.xml -s C:\scpy -UserPEs
    • ConvertFrom-CIPolicy C:\InitialScan.xml C:\InitialScan.bin
    • Copy Initialscan.bin to C:\Windows\System32\CodeIntegrity
    • Used gpedit.msc to edit the policy "Deploy Code Integrity Policy" and point to "C:\Windows\System32\CodeIntegrity\Initialscan.bin"
    • Restarted the system

    I don't see any audit events in the eventviewer log when I start different installations of 7-zip/google chrome/firefox/...

    When I remove the "audit level" from the policy and apply the enforced policy, nothing gets blocked either.

    Can someone help me troubleshoot this please?

    PS: I'm running UEFI + Secure boot + all virtualization extensions enabled on a Windows 10 Enterprise Build 1511 x64.

    Edit: I just applied the same policies to a Generation 2 VM in the demo environment and this is working:

    Thx!


    • Edited by Silencer0001 Saturday, November 28, 2015 10:33 AM Added information VM
    Saturday, November 28, 2015 10:14 AM

Answers

  • Hi guys,

    Just wanted to let you know that I managed to resolve the issue. But actually it's really strange... Anyway, here is what I have tried:

    • Set BIOS Password
    • Uncheck "Windows boot manager" from the UEFI boot options
    • Unchecked + rechecked all the virtualization options
    • rebooted as if my life depended on it.
    • Changed path of the policy.bin to a share with full permission for everybody

    Nothing worked but when I executed the following command and pointed to the .p7b file, it was working:

    cp C:\MergedPolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b

    To make sure this was the solution, I moved the file to another location with the original .bin-file and it was still working... So it's not a real fix, but I guess I'll be using the p7b files based on my experience.

    • Marked as answer by Silencer0001 Sunday, November 29, 2015 1:19 PM
    Sunday, November 29, 2015 1:19 PM
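The script below is an added example, not code from either post in this thread. It strings together the questioner's deployment steps (New-CIPolicy at the PcaCertificate level, ConvertFrom-CIPolicy, copy into CodeIntegrity) with the detail from the accepted answer, namely placing the binary under the fixed name SIPolicy.p7b that Windows actually loads from that directory, and it adds the two checks a practitioner wants after the reboot: the Win32_DeviceGuard WMI class for the enforcement state and the CodeIntegrity operational log for audit events (ID 3076 is "would have been blocked" in audit mode, 3077 is a real block in enforced mode, 3099 is a policy load). The scan root C:\scpy is taken from the question; C:\CIPolicy as the output folder and the 24-hour event window are constructed assumptions.

```powershell
# Added example (not from the thread). Run elevated on Windows 10 Enterprise;
# the ConfigCI cmdlets (New-CIPolicy, ConvertFrom-CIPolicy) ship with the OS.
# C:\scpy is the scan root from the question; C:\CIPolicy is a constructed
# output folder used only by this example.
#Requires -RunAsAdministrator

$ScanPath  = 'C:\scpy'
$PolicyXml = 'C:\CIPolicy\InitialScan.xml'
$PolicyBin = 'C:\CIPolicy\InitialScan.bin'
# Fixed file name the kernel reads at boot; the "Deploy Code Integrity Policy"
# GPO only copies the referenced file here, which is why the manual copy in the
# accepted answer worked.
$SIPolicy  = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan and build the policy (PcaCertificate level, user-mode PEs included).
#    New-CIPolicy turns on rule option 3 "Enabled:Audit Mode" by default, so
#    the resulting policy only logs, it does not block.
New-CIPolicy -Level PcaCertificate -FilePath $PolicyXml -ScanPath $ScanPath -UserPEs

# To enforce instead of audit, delete rule option 3 before compiling:
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete

# 2. Compile the XML to the binary format the kernel consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 3. Deploy under the name Windows actually loads (the answer's fix).
Copy-Item -Path $PolicyBin -Destination $SIPolicy -Force

# 4. After rebooting, confirm the policy is really in effect.
function Get-DeviceGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # 0 = off, 1 = audit, 2 = enforced
        KernelCIStatus   = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCIStatus = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        # SecurityServicesRunning contains 2 when HVCI is active
        HVCIRunning      = ($dg.SecurityServicesRunning -contains 2)
    }
}

function Get-CIPolicyEvents {
    param([int]$Hours = 24)   # constructed default window
    # 3076 = audit "would block", 3077 = enforced block, 3099 = policy loaded
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076, 3077, 3099
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Get-DeviceGuardStatus
Get-CIPolicyEvents | Format-Table -AutoSize -Wrap
```

If Get-DeviceGuardStatus reports KernelCIStatus 0 after the reboot, the file was never picked up and the event-log check will be empty no matter what you install; that distinction (policy not loaded versus policy loaded but nothing matched) is what the questioner could not see from the event viewer alone.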