Enablement of Device Guard

  • Question

  • Hello!

    One more question on Device Guard:

    https://technet.microsoft.com/itpro/windows/keep-secure/device-guard-deployment-guide?f=255&MSPPError=-2147217396#config-code


    The only way to enable a code integrity policy is as follows:

    As you see in the picture above, the "Deploy Code Integrity policy" setting sits in the Device Guard policy container, so

    1) how, in this case, is enabling a code integrity policy possible WITHOUT enabling at least part of Device Guard?

    2) what does "the enablement of Device Guard" mean?

    Thank you in advance,

    Michael


    • Edited by MF47 Wednesday, April 20, 2016 8:43 AM
    Wednesday, April 20, 2016 8:43 AM

Answers

  • MF47,

    They both should be considered as features of Device Guard in Windows 10.

    What should be noticed is that the code Integrity policy was already used before Device Guard was first published.

    That's my understanding.

    Regards


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    • Marked as answer by MF47 Wednesday, April 27, 2016 1:13 PM
    Wednesday, April 27, 2016 9:28 AM

All replies

  • Hi MF47,

    I don't think

    Alternatively, configurable code integrity is available without the enablement of Device Guard.

    means

    enabling code integrity policy is possible WITHOUT enabling at least part of Device Guard.

    I think the meaning here is we could re-configure the code integrity if it is not satisfying.

    I will discuss this with my teammates, and will share more information if available.

    Regards



    Thursday, April 21, 2016 7:00 AM
  • Hi Michael,

    Thank you for the reply!

    "I think the meaning here is we could re-configure the code integrity if it is not satisfying." - ... but what's the difference???

    The question is very easy: the main guide on DG states "Alternatively, configurable code integrity is available without the enablement of Device Guard." - and I don't know any other meaning of the word "without" except "~not using smth". So the next two questions that arise here -

    1) what is "the enablement of Device Guard"?

    2) if one must navigate through the Device Guard section of a group policy template to reach the code integrity configuration setting - either for the initial configuration or re-configuration - shouldn't it be called "enabling device guard"?

    Regards,

    Michael


    • Edited by MF47 Thursday, April 21, 2016 1:15 PM
    Thursday, April 21, 2016 7:43 AM
  • Hi MF47,

    You can implement configurable code integrity without enabling Device Guard, but it is intended to run in conjunction with Device Guard when supported hardware is available. For more information about how to configure, deploy, and manage code integrity policies, see the Code integrity policies section.

    This is copied from the technet article you referenced.

    So to your first question, "the enablement of Device Guard" should mean without Device Guard.

    2. This article is written under the assumption that you are running a code integrity policy with Device Guard, so I don't think they would conflict. For code integrity, as the description already told, UMCI has been available only in Windows RT and on Windows Phone devices, and those devices didn't have Device Guard available.

    Or you may consider leaving comments on the TechNet page by clicking the No:

    Regards



    Friday, April 22, 2016 10:40 AM
  • Hi Michael,

    I've already written feedback on various articles but it doesn't mean MS would update them because of my feedback.

    "So to your first question, "the enablement of Device Guard" should means without Device Guard." - ???

    "This article is written under the assumption that you are running code integrity policy with Device Guard" - how can one run a CI policy WITHOUT Device Guard? What should be enabled (what features) to have a reason to say "the Device Guard" is enabled? I failed to find the answers to these easiest questions... The quality of documentation on MS software sometimes is just awful...

    Regards,

    Michael

    Friday, April 22, 2016 11:59 AM
  • Hi MF47,

    Well, I would agree that sometimes the documents are not clear enough.

    Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.

    under: https://technet.microsoft.com/en-us/itpro/windows/whats-new/device-guard-overview

    So "without Device Guard" should mean without all the components; only configuring the configurable code integrity doesn't mean Device Manager is enabled.

    Configurable code integrity is focused on the code integrity; for Device Guard, it locks the code integrity down to a specific device. That's what I understand through the documentation.

    Regards



    Monday, April 25, 2016 1:45 AM
  • Hi Michael,

    "So without Device Guard, should means without all the components"... "That's what I understand, through the documentation." - so do I... Have you ever seen the list of these "hardware and software security features"?

    How can one be sure whether or not something is enabled without knowing what this something consists of?

    Regards,

    Michael

    Monday, April 25, 2016 9:16 AM
  • MF47,

    Please check the Required hardware and software part, in the article below:

    https://technet.microsoft.com/en-us/itpro/windows/whats-new/device-guard-overview

    Which I posted in my last reply.

    Regards



    Monday, April 25, 2016 9:55 AM
  • ...this is what I can't understand: this table does not contain Code Integrity policies, which means they are NOT a "feature of DG". In this case why do CI policies get configured in the Device Guard section of the group policy?

    Monday, April 25, 2016 10:52 AM
  • MF47,

    I think you missed the top one, Windows 10 Enterprise.

    Device Guard is considered as a Windows feature; to enable it, the system needs the support from the hardware resources and the technology based on the hardware, such as the Virtualization related.

    And you could configure the code Integrity without those required hardware resources. For Device Guard, that is the one which is considered as a new feature on Windows 10, not the code Integrity policy.

    The code Integrity policy only protects the software part, keeping the system away from running bad code (or, saying it in this way, the code that the system can't recognize); once together with hardware resources, then it should keep the protection together with the device, at a much deeper level.

    Regards



    Tuesday, April 26, 2016 1:27 AM
  • Hi Michael,

    Sorry, I don't understand it: "I think you missed the top one, Windows 10 Enterprise." - it does not negate the fact that Device Guard itself consists of several hardware/software features, and the problem is (at least for me) that I don't perceive why one of the two settings located under the DeviceGuard node is considered to be the "feature of the Device Guard" - Turn on VirtualizationBased Security - whilst the other - Deploy Code Integrity Policy - is NOT?

    By the way, as far as I see, all software-based DG features sit inside the only policy setting - Turn on VirtualizationBased Security (including enablement of Credential Manager, which is NOT a feature of DG). If I hadn't read any documentation on Device Guard and had just taken a look at the Device Guard policy settings, I would have thought that ALL DG-related settings are located inside the Device Guard node (without dividing these settings into "features" and "not-features" of DG). Wouldn't it be right to assume that all that one can configure in DG (its "software part") is inside the Device Guard node?

    Regards,

    Michael

    Tuesday, April 26, 2016 8:03 AM
  • "They both should be considered as features of Device Guard in Windows 10." - yes, they should, but all documentation I've read so far says "~ Device Guard AND Code Integrity...".

    Hope the future documentation will clear it up.

    Thank you for the help!

    Regards,

    Michael

    Wednesday, April 27, 2016 1:13 PM
  • You're welcome.

    Me too. The documentation confuses a lot. And I think it should also be the reason that the new feature is a little hard to define.

    Hope the documentation update will make it clear enough.

    Regards



    Thursday, April 28, 2016 2:57 AM
  • Anyone, can you please tell me how to include the signing certificate in a Code Integrity Policy?
    Monday, June 20, 2016 6:11 AM
  • Here are the steps copied from this TechNet link: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-steps#signing-code-integrity-policies-with-signtoolexe

    1. Initialize the variables that will be used:

      $CIPolicyPath=$env:userprofile+"\Desktop\"
      $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
      $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"

      Note  This example uses the code integrity policy that you created in the Create a code integrity policy from a golden computer section. If you are signing another policy, be sure to update the $CIPolicyPath and $CIPolicyBin variables with the correct information.

    2. Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the code integrity policy into the signing user's personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in Optional: Create a code signing certificate for code integrity policies.

    3. Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.

    4. Navigate to your desktop as the working directory:

      cd $env:USERPROFILE\Desktop

    5. Use Add-SignerRule to add an update signer certificate to the code integrity policy:

      Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User -Update

      Note  <Path to exported .cer certificate> should be the full path to the certificate that you exported in step 3.

      Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed code integrity policies, see the Disable signed code integrity policies within Windows section.

    6. Use Set-RuleOption to remove the unsigned policy rule option:

      Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete

    7. Use ConvertFrom-CIPolicy to convert the policy to binary format:

      ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin

    8. Sign the code integrity policy by using SignTool.exe:

      <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin

      Note  The <Path to signtool.exe> variable should be the full path to the SignTool.exe utility. ContosoDGSigningCert is the subject name of the certificate that will be used to sign the code integrity policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.

    9. Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy code integrity policies, see Deploy and manage code integrity policies with Group Policy.

    • Proposed as answer by Dhanraj B Tuesday, January 31, 2017 6:24 AM
    Wednesday, January 25, 2017 6:38 PM
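    An added pre-flight check (example code written for this thread, not part of the TechNet steps or the reply above): the note in step 5 warns that a signed policy without an update signer cannot be modified or disabled later, so before step 6 strips rule option 6 and step 8 signs the binary, confirm that the policy XML actually carries an update signer that references a defined Signer. The sample policy below is constructed in the SiPolicy schema; the signer ID, TBS hash value and certificate name are placeholders, and the function name Test-CIPolicyReadyToSign is an assumption of this example.

    ```powershell
    # Constructed sample policy: still has rule option 6 ("Enabled:Unsigned System
    # Integrity Policy") set, exactly the state of InitialScan.xml after step 5.
    $SamplePolicyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
  </Rules>
  <Signers>
    <Signer ID="ID_SIGNER_EXAMPLE" Name="ContosoDGSigningCert">
      <CertRoot Type="TBS" Value="PLACEHOLDER_TBS_HASH" />
    </Signer>
  </Signers>
  <UpdatePolicySigners>
    <UpdatePolicySigner SignerId="ID_SIGNER_EXAMPLE" />
  </UpdatePolicySigners>
</SiPolicy>
'@

    function Test-CIPolicyReadyToSign {
        param([Parameter(Mandatory)][string]$PolicyXml)

        [xml]$doc = $PolicyXml
        $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
        $ns.AddNamespace('si', 'urn:schemas-microsoft-com:sipolicy')

        # Every UpdatePolicySigner must point at a Signer that the policy defines;
        # a dangling SignerId would leave the signed policy with no usable updater.
        $signerIds     = @($doc.SelectNodes('/si:SiPolicy/si:Signers/si:Signer', $ns) |
                           ForEach-Object { $_.GetAttribute('ID') })
        $updateSigners = @($doc.SelectNodes('/si:SiPolicy/si:UpdatePolicySigners/si:UpdatePolicySigner', $ns) |
                           ForEach-Object { $_.GetAttribute('SignerId') })
        $dangling      = @($updateSigners | Where-Object { $signerIds -notcontains $_ })

        # Rule option 6 is the unsigned-policy option that step 6 deletes; it must be absent before signing.
        $unsignedOption = $doc.SelectNodes("/si:SiPolicy/si:Rules/si:Rule/si:Option[text()='Enabled:Unsigned System Integrity Policy']", $ns).Count -gt 0

        [pscustomobject]@{
            HasUpdateSigner       = ($updateSigners.Count -gt 0)
            DanglingUpdateSigners = $dangling
            UnsignedOptionPresent = $unsignedOption
            ReadyToSign           = ($updateSigners.Count -gt 0 -and $dangling.Count -eq 0 -and -not $unsignedOption)
        }
    }

    # Usage: against the constructed sample, and against the real file from step 1:
    #   Test-CIPolicyReadyToSign -PolicyXml (Get-Content -Raw $InitialCIPolicy)
    Test-CIPolicyReadyToSign -PolicyXml $SamplePolicyXml
    ```

    On the sample the result shows HasUpdateSigner True but ReadyToSign False, because option 6 is still present; re-running the check after step 6 flips ReadyToSign to True.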
  • Thanks, Jane
    Tuesday, January 31, 2017 6:24 AM