none
Windows Defender Application Control prevents Windows booting after second restart RRS feed

  • Question

  • Hy everyone!

    I want to lock down some Windows 10 Terminals so that they can only run approved Software but keep the possibility to update this software.

    My plan was to make use of the new Feature of Windows 10 1903 that allows the use of Multiple CI Policies (as described here: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies ). To test this, I placed a signed policy under "C:\Windows\System32\CodeIntegrity\CIPolicies\Active\{PolicyID}.cip" in a VMware virtual Machine running Windows 10 1903. After the first boot, the policy gets activated and prevents all applications (except the permited ones) from being executed. However, if I reboot the system again, VMWare fails to boot Windows until I disable Secure Boot.
    Using the same policy without the signature works fine, but I want to make sure that the administrators on those terminals don't tamper with the policy or delete it, that's why I want to sign the policy.

    To sign it, I generated a CodeSigning Certificate as described here: https://blogs.technet.microsoft.com/ukplatforms/2017/05/04/create-code-integrity-signing-certificate/
    After that, I added the certificate to the policy using following command: Add-SignerRule -FilePath .\policy.xml -CertificatePath .\codeSigningCertificate.cer -Update
    With the Signer Rule in place, I removed the Option to accept unsigned policies using: Set-RuleOption -FilePath .\policy.xml -Option 6 -Delete
    Finally, to sign the Policy, I used the signtool with following parameters: signtool.exe sign -v /n CodeSigningCertificate -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 .\policy.cip
    I copied the resulting "policy.cip.p7" file to a fresh installation under "C:\Windows\System32\CodeIntegrity\CIPolicies\Active\{PolicyID}.cip" and got the described behavior.

    Here's some stuff I also tried:
    Using "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b" to deploy one policy: That worked fine, but Windows did not care when I deleted the policy. It just got deactivated. My understanding of using a signed policy is, that Windows should throw some kind of error or prevent a boot when someone tampers with it.

    Checking if the virtual Machine supports the Device Guard functionality: I used the dgreadiness tool to test if the VM meets the criteria to use device guard. The tool reported the following lines:

    PS C:\Users\User\Downloads\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Capable
    ###########################################################################
    Readiness Tool Version 3.4 Release.
    Tool to check if your device is capable to run Device Guard and Credential Guard.
    ###########################################################################
    ###########################################################################
    OS and Hardware requirements for enabling Device Guard and Credential Guard
     1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
     2. Hardware: Recent hardware that supports virtualization extension with SLAT
    To learn more please visit: https://aka.ms/dgwhcr
    ###########################################################################
    
    Checking if the device is DG/CG Capable
     ====================== Step 1 Driver Compat ======================
    Driver verifier already enabled
    Verifying each module please wait ....
    Completed scan. List of Compatible Modules can be found at C:\DGLogs\DeviceGuardCheckLog.txt
    No Incompatible Drivers found
     ====================== Step 2 Secure boot present ======================
    Secure Boot is present
     ====================== Step 3 MS UEFI HSTI tests ======================
    Copying HSTITest.dll
    HSTI Duple Count: 0
    HSTI Blob size: 0
    String:
    HSTIStatus: False
    HSTI is absent
     ====================== Step 4 OS Architecture ======================
    64 bit arch.....
     ====================== Step 5 Supported OS SKU ======================
    This PC edition is Supported for DeviceGuard
     ====================== Step 6 Virtualization Firmware ======================
    Virtualization firmware check passed
     ====================== Step 7 TPM version ======================
    get-tpm : Object was not found. (Exception from HRESULT: 0x80090011)
    At C:\Users\User\Downloads\dgreadiness_v3.6\DG_Readiness_Tool_v3.6.ps1:818 char:21
    +     $TPMLockout = $(get-tpm).LockoutCount
    +                     ~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [Get-Tpm], TpmWmiException
        + FullyQualifiedErrorId : Microsoft.Tpm.Commands.TpmWmiException,Microsoft.Tpm.Commands.GetTpmCommand
    
    TPM is absent or not ready for use
     ====================== Step 8 Secure MOR ======================
    Secure MOR is available
     ====================== Step 9 NX Protector ======================
    NX Protector is available
     ====================== Step 10 SMM Mitigation ======================
    SMM Mitigation is available
     ====================== End Check ======================
     ====================== Summary ======================
    Device Guard / Credential Guard can be enabled on this machine.
    
    The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:
    HSTI is absent
    TPM is absent or not ready for use
    
    To learn more about required hardware and software please visit: https://aka.ms/dgwhc

    Installing the CA of the code signing certificate as a trusted root certificate to the machines Certificate Store: This did not change anything on the behavior.

    Does someone have any suggestions what I can do about this or has some ideas what I did wrong?

    Thanks for your Help

    Martin

    Thursday, October 10, 2019 3:30 PM

Answers

  • Hi,

    I guess the main Problem is, that the multiple policy feature still has a lot of bugs and does not work as intended. The Problem with the PC not booting up was solved with giving the base policy the GUID of {A244370E-44C9-4C06-B551-F6016E563076}, which seems kind of random but that was the only thing that worked. With that set, WDAC works as expected with not allowing changes to the policy except the new policy has a higher version and is signed.

    However, supplemental policies won't show this behavior (as I would have expected them to do), so I don't see any benefits from using multiple policies instead of just signing .cat files, which I ended up doing for now.

    Best regards,
    Martin

    • Marked as answer by ggottii Wednesday, October 16, 2019 7:27 AM
    Wednesday, October 16, 2019 7:25 AM

All replies

  • Hi,

    Use signed policies to protect Windows Defender Application Control against tampering,do the steps in the below link:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering

    Best regards,

    Charlotte Tang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 11, 2019 8:39 AM
  • Hi,

    Thanks for your feedback. The Link describes exactly what I did to sign the policy (I actually used it to initially figure out how to sign it). However, my setup to deploy the policy differs a bit from the described way at the end of the page:

    • The Terminals are not part of a Domain. When I use the local group policy editor to enable the policy, my Policy gets copied to "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b" but does not activate.
    • I would prefer to use multiple policies as described in this page: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies

    Best regards,

    Martin

    Friday, October 11, 2019 9:11 AM
  • Hi,
    Just want to confirm the current situations.
    Please feel free to let us know if you need further assistance.
    Best Regards,
    Charlotte Tang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, October 15, 2019 7:08 AM
  • Hi,

    I guess the main Problem is, that the multiple policy feature still has a lot of bugs and does not work as intended. The Problem with the PC not booting up was solved with giving the base policy the GUID of {A244370E-44C9-4C06-B551-F6016E563076}, which seems kind of random but that was the only thing that worked. With that set, WDAC works as expected with not allowing changes to the policy except the new policy has a higher version and is signed.

    However, supplemental policies won't show this behavior (as I would have expected them to do), so I don't see any benefits from using multiple policies instead of just signing .cat files, which I ended up doing for now.

    Best regards,
    Martin

    • Marked as answer by ggottii Wednesday, October 16, 2019 7:27 AM
    Wednesday, October 16, 2019 7:25 AM
  • Hi,

    I am glad to hear that your issue was successfully resolved\I am pleased to know that the information is helpful to you. If there is anything else we can do for you, please feel free to post in the forum.<o:p>

    Best Regards,

    Charlotte Tang


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, October 16, 2019 9:49 AM