Device Guard blocking Windows Store Apps from running

  • Question

  • Hello everyone,

    I'm a PC enthusiast, running Windows 10 Pro on my home computer, and I've been exploring the possibilities of the built-in security features as an alternative to buying an antivirus license from other established vendors.

    I've been experimenting with Device Guard on my PC, had it enabled and running, and then two things popped up:

    First, there were some devices with incompatible drivers that wouldn't function after enabling DG, and from elsewhere I've come to understand that this is due to the hardware vendors not writing drivers that are compliant with a set of driver compatibility requirements:

    • Opt-in to NX by default
    • Use NX APIs/flags for memory allocation - NonPagedPoolNx
    • Don’t use sections that are both writable and executable
    • Don’t attempt to directly modify executable system memory
    • Don’t use dynamic code in kernel  
    • Don’t load data files as executable
    • Section Alignment must be a multiple of 0x1000 (PAGE_SIZE). E.g. DRIVER_ALIGNMENT=0x1000

    Source: https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/

    No way around it, so I accepted it as it is.

    The second thing upsets me more: Device Guard keeps my Windows Store Apps from running at all, while it doesn't interfere with any other software I have installed. I like the MSN Weather app and Netflix and MS News and Google News, but after starting them they instantly crash back down. I've tried re-registering the apps via the Get-AppXpackage cmdlet as described in online tutorials, and even did a WSReset, to no avail, until I discovered that it was indeed DG blocking them, so I disabled it again.

    Now there's a ton of articles about Windows Defender Application Control policies, but when I try to run the New-CIPolicy cmdlet, it exits with an error about an unsupported Windows edition; I presume this is possible only on Windows 10 Enterprise:
    New-CIPolicy : Device Guard is not available in this edition of Windows.

    Is there any way for me to unblock Windows Store apps from running, or do I have to live with them being unavailable, or would anyone suggest posting this as a kind of bug report/feature request to Microsoft? Device Guard along with Windows Defender looks very promising to me, wouldn't want to ditch it altogether.

    Thanks a lot for any answers


    System Specs: Windows 10 Pro v1803, Intel Core i7-7700k, 32GB RAM, Gigabyte GA-Z270-HD3P Motherboard, Gigabyte GeForce GTX1060 Ti 6GB

    Thursday, October 18, 2018 1:09 PM
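
Two items in the driver requirement list quoted in the question (no sections that are both writable and executable, and a section alignment that is a multiple of 0x1000) can be checked statically from a driver's PE headers. The following is an added example, not part of the original thread or Microsoft's tooling; `check_driver_image` and `build_sample` are hypothetical names, and the sample images are constructed headers only.

```python
import struct

PAGE_SIZE = 0x1000                  # value given in the requirement list
IMAGE_SCN_MEM_EXECUTE = 0x20000000  # PE section characteristic flags
IMAGE_SCN_MEM_WRITE = 0x80000000

def check_driver_image(data):
    """Return findings for W+X sections and section alignment."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, pe_off + 6)
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)
    opt_off = pe_off + 24  # optional header follows the 20-byte COFF header
    # SectionAlignment sits at offset 32 in both PE32 and PE32+.
    (alignment,) = struct.unpack_from("<I", data, opt_off + 32)
    findings = []
    if alignment == 0 or alignment % PAGE_SIZE:
        findings.append(
            f"SectionAlignment {alignment:#x} is not a multiple of {PAGE_SIZE:#x}")
    table = opt_off + opt_size  # section table: 40 bytes per entry
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", data, off + 36)
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is both writable and executable")
    return findings

def build_sample(alignment, sections):
    """Constructed minimal PE32+ headers (no code), for demonstration only."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)       # PE32+ magic
    struct.pack_into("<I", opt, 32, alignment)  # SectionAlignment
    table = b"".join(
        name.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", chars)
        for name, chars in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table

if __name__ == "__main__":
    bad = build_sample(0x200, [(b".text", 0x60000020), (b".wxsec", 0xE0000020)])
    for finding in check_driver_image(bad):
        print(finding)
```

To check a real driver, pass the bytes of the `.sys` file to `check_driver_image`; the other list items (NX pool usage, dynamic code) are not visible in the headers and need source review or runtime verification.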

All replies

  • I have seen many of the security features for Windows 10, well, at least in terms of application control and such, not work without an Enterprise version. There is also the possibility that the apps are not working due to the incompatible drivers.
    Thursday, October 18, 2018 2:59 PM
  • Hi,
    Device Guard is one of Windows security features that is a combination of enterprise-related hardware, firmware, and software security features. When configured together, it will lock down a device so that it can only run trusted applications.

    Maybe because of the configuration of Device Guard, Windows Store Apps are not trusted applications for the Windows system.
    According to your description, we have enabled Device Guard and configured it, and its configuration has taken effect, so Windows Store Apps cannot run; now that we have disabled it, Windows Store Apps still cannot run. It is recommended to back up all important data and reinstall the operating system.

    Reference:
    Device Guard and Credential Guard
    https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/device-guard-and-credential-guard

    Tip: If we run the experiment on any computer in the future, we can back up your operating system in advance, so if there is a problem that is difficult to fix, we can use the backup operating system.

    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Friday, October 19, 2018 4:10 AM
  • Hi,
    Is there any update on this question? Also, is there any other assistance we could provide?
    Best Regards,
    Daisy Zhou


    Tuesday, October 23, 2018 12:25 PM
  • Hello, the above post doesn't look like an answer to me. I was able to restore the apps after disabling Device Guard, and I'm still curious whether there's a setting I've overlooked to get them running with DG enabled...

    Secondly, if there's no way to solve this with the current setup and situation, would it be possible to somehow forward this to Microsoft?

    Regards

    Dex


    System Specs: Windows 10 Pro v1803, Intel Core i7-7700k, 32GB RAM, Gigabyte GA-Z270-HD3P Motherboard, Gigabyte GeForce GTX1060 Ti 6GB

    Thursday, October 25, 2018 9:41 AM
  • Hi,
    I am sorry, we cannot forward this to Microsoft, but we can reopen a case with Microsoft or call Microsoft using the following links.

    https://support.microsoft.com/en-in/gp/contactus81?forceorigin=esmc&Audience=Commercial

    https://support.microsoft.com/en-us/help/4051701/global-customer-service-phone-numbers

    Best Regards,
    Daisy Zhou


    Thursday, October 25, 2018 10:20 AM