Device Guard conversion to .bin Error

  • Question

  • I have scanned a "golden machine" and placed it in a c:\ location - seems to have gone fine, no errors

    When I try to convert it to a usable .bin file I get the below error. Any help would be appreciated.

    ConvertFrom-CIPolicy : An item with the same key has already been added.
    At line:1 char:1
    + ConvertFrom-CIPolicy -XmlFilePath C:\MyCIPolicy\123_Initial_Policy.xm ...
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [ConvertFrom-CIPolicy], ArgumentException
        + FullyQualifiedErrorId : System.ArgumentException,Microsoft.SecureBoot.UserConfig.ConvertFromCIPolicyCommand

    Wednesday, September 6, 2017 9:33 PM

All replies

  • Hi Debi,

    Could you give us a screenshot of your whole PowerShell command and its output?

    Since I can convert it without problem as below:


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 7, 2017 9:59 AM
    Moderator
  • The first time I try to convert it, I get an error about the XML document at 17,61 which is 

    <Option>Enabled:Enabled:Boot Audit On Failure</Option>

    If I remove that rule and retry I get the error "An item with the same key has already been added".

    I am scanning the machine and merging the .xml with the microsoft.xml that has the items that they recommend excluding, bash.exe etc. (See below for partial xml.)

    <FileRules>
        <Deny  ID="ID_DENY_BGINFO"        FriendlyName="bginfo.exe"         FileName="BGINFO.Exe" MinimumFileVersion = "4.21.0.0" />
        <Deny  ID="ID_DENY_CBD"           FriendlyName="cdb.exe"            FileName="CDB.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_KD"            FriendlyName="kd.exe"             FileName="kd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_NTKD"          FriendlyName="ntkd.exe"           FileName="ntkd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_WINDBG"        FriendlyName="windbg.exe"         FileName="windbg.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_MSBUILD"       FriendlyName="MSBuild.exe"        FileName="MSBuild.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_CSI"           FriendlyName="csi.exe"            FileName="csi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_DNX"           FriendlyName="dnx.exe"            FileName="dnx.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_RCSI"          FriendlyName="rcsi.exe"           FileName="rcsi.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_NTSD"          FriendlyName="ntsd.exe"           FileName="ntsd.Exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_LXSS"          FriendlyName="LxssManager.dll"    FileName="LxssManager.dll" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_BASH"          FriendlyName="bash.exe"           FileName="bash.exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_FSI"           FriendlyName="fsi.exe"            FileName="fsi.exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_FSI_ANYCPU"    FriendlyName="fsiAnyCpu.exe"      FileName="fsiAnyCpu.exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_MSHTA"         FriendlyName="mshta.exe"          FileName="mshta.exe" MinimumFileVersion = "65535.65535.65535.65535" />
        <Deny  ID="ID_DENY_SMA"           FriendlyName="System.Management.Automation.dll" FileName="System.Management.Automation.dll" MinimumFileVersion = "10.0.16215.999" />

    Thursday, September 7, 2017 4:52 PM
  • Hi,

    Please post the screenshot of the first error you get when you attempt to convert the .xml to a .bin file, so that we know the exact error message.

    Meanwhile, upload your rule option part or the whole .xml file to OneDrive, share the link here for analysis.

    In addition, please note that Enabled:Boot Audit on Failure is used when the code integrity policy is in enforcement mode. When a driver fails during startup, the code integrity policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log.



    Friday, September 8, 2017 8:53 AM
    Moderator
  • Here is the screenshot and the xml is located here - https://1drv.ms/f/s!ApajsX-XCnr_qy9TDtN4S1wiGyGM



    Friday, September 8, 2017 4:15 PM
  • Hi,

    After analyzing your .XML file, I found there is a duplicate entry:

    Please right click .xml file, edit it with notepad. Delete one of them.

    And then convert it again as below:

    As you can see, it succeeds. Please try it.



    Monday, September 11, 2017 10:19 AM
    Moderator
  • Hi Debi,

    Was your issue resolved?

    If yes, please mark the helpful reply as answer in order that other community members could find the helpful reply quickly.

    If no, please reply and tell us the current situation in order to provide further help.



    Wednesday, September 13, 2017 11:33 AM
    Moderator
  • Hi,

    Was your issue resolved?

    If yes, we will archive this thread temporarily.

    If no, please reply and tell us the current situation.

    If you have any other questions, feel free to contact us. We will try our best to help you.



    Friday, September 15, 2017 9:24 AM
    Moderator
  • Hi Karen,

    In my case it solved the issue, but the error seems to be caused by the Merge-CIPolicy command. The result from the merge is a duplicate entry for kd.exe, while it is only once in the source XML.

    You can try this yourself by scanning an initial XML from a system and then merging it with the recommended deny list from the Device Guard deployment instructions @docs

    The resulting XML contains the same duplicate entry as shown above.


    Ray - Author of Windows 7 for XP Professionals

    Sunday, September 17, 2017 6:11 PM
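  • An added pre-flight check for the two defects this thread runs into (the duplicate kd.exe rule ID left behind by Merge-CIPolicy, and the doubled "Enabled:Enabled:" option prefix). This is example code written for this page, not a Microsoft cmdlet or anything posted above; it assumes the policy uses the standard urn:schemas-microsoft-com:sipolicy namespace, and the sample XML it runs on is constructed to reproduce both faults.

```powershell
# Lint a Code Integrity policy before ConvertFrom-CIPolicy (added example).
function Test-CIPolicyXml {
    param([Parameter(Mandatory)] [xml] $Policy)

    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('p', 'urn:schemas-microsoft-com:sipolicy')
    $problems = @()

    # Rule IDs act as dictionary keys for the converter; a repeated ID
    # (kd.exe after Merge-CIPolicy in the thread) surfaces as
    # "An item with the same key has already been added".
    $problems += $Policy.SelectNodes('//p:*[@ID]', $ns) |
        Group-Object -Property { $_.GetAttribute('ID') } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { "Duplicate ID '$($_.Name)' ($($_.Count) occurrences)" }

    # An option is one mode prefix plus the option name; a doubled prefix
    # such as "Enabled:Enabled:Boot Audit On Failure" fails XML validation.
    foreach ($opt in $Policy.SelectNodes('//p:Rules/p:Rule/p:Option', $ns)) {
        if ($opt.InnerText -match '^(Enabled|Disabled|Required):(Enabled|Disabled|Required):') {
            $problems += "Malformed option '$($opt.InnerText)'"
        }
    }
    return $problems
}

# Constructed sample with both faults. A real policy is loaded with
# [xml](Get-Content -Raw -LiteralPath 'C:\path\to\policy.xml')  (placeholder path).
[xml] $sample = @'
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <Rules>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Enabled:Boot Audit On Failure</Option></Rule>
  </Rules>
  <FileRules>
    <Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
    <Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
  </FileRules>
</SiPolicy>
'@

$issues = Test-CIPolicyXml -Policy $sample
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No duplicate IDs or malformed options; safe to run ConvertFrom-CIPolicy.' }
```

    Run it against the merged .xml before ConvertFrom-CIPolicy; an empty result means the two failure modes described in this thread are absent, while each warning names the exact ID or option to fix in the editor.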