Code Integrity Policy Active: Fail - Shielded VM - Windows 2019

  • Question

  • Hi, I am trying to set up a Guarded Host in TPM mode, and I am having an issue with Code Integrity Policy Active.

    When I run the command Get-HgsTrace -RunDiagnostic -Detailed, this is the result.

    For the Code Integrity Policy Active: Fail

    I have applied the "Enable virtualization-based protection of code integrity" GPO; the host has run gpupdate /sync, and I verified that the policy has been applied.

    As for the HGS server, this is the Get-HgsTrace result.

    Article I have referenced:

    https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-tpm-trusted-attestation-capturing-hardware#create-and-apply-a-code-integrity-policy

    Please guide me on resolving Code Integrity for the Shielded VM.

    Thank you.

    Yours sincerely,

    Lee Leng

    Tuesday, October 15, 2019 7:41 AM

All replies

  • Hi,

    Based on the screenshots, I assume that you might not have rebooted the server after applying the GPO, am I right?

    If I'm right, then we should reboot the server to let the new policy take effect.


    Please check the following notification:


    Best Regards,

    William


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 16, 2019 6:51 AM
  • Hi William,

    I have rebooted the server a few times and checked that the GPO policy is applied, but the result is still the same.


    Thursday, October 17, 2019 1:49 AM
  • Hi,

    Maybe you can check the following articles, then try to register an unsigned copy of the same policy to see if it helps.
    If it's not working, please create a new thread in the Hyper-V or cluster forum to see if someone could help troubleshoot the issue.

    https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-upgrade-to-2019
    https://docs.microsoft.com/en-us/windows-server/security/guarded-fabric-shielded-vm/guarded-fabric-add-host-information-for-tpm-trusted-attestation

    Best Regards,
    William


    Thursday, October 17, 2019 9:43 AM
  • Hi,


    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.


    Best Regards,

    William


    Monday, October 21, 2019 10:03 AM
  • Hi,

    With pleasure, if you would help with the issue.

    And thank you; the articles you provided were helpful, but unfortunately they didn't resolve Code Integrity Policy Active.

    FYI, my environment is Windows Server 2019 DC.

    I have tried manually installing the code integrity policy on the host by copying the file to "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b" and rebooting; no luck with the result.


    Tuesday, October 22, 2019 2:10 AM
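    One way to see whether the host itself considers a code integrity policy active, independently of what Get-HgsTrace reports, is to ask the kernel directly. The script below is an added example written for this thread, not part of the original posts or of Microsoft's HGS tooling. It assumes an elevated PowerShell session on the Hyper-V host, uses the Win32_DeviceGuard CIM class and the CodeIntegrity operational event log (both exist on Windows Server 2019), and checks the same SIPolicy.p7b path the poster copied the policy to. Note that the GPO named in the question ("Enable virtualization-based protection of code integrity") turns on HVCI (memory integrity); deploying a configurable code integrity policy (SIPolicy.p7b) is a separate step, and the two are reported separately below.

```powershell
# Added example (not from the thread): verify whether a configurable code integrity
# policy is actually loaded and enforced on a guarded host. Run elevated on the host.

$policyPath = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 1. Is the policy file where the kernel loads it from at boot?
if (Test-Path -Path $policyPath) {
    $file = Get-Item -Path $policyPath
    "Policy file present: $($file.FullName) ($($file.Length) bytes, modified $($file.LastWriteTime))"
} else {
    "Policy file MISSING at $policyPath - nothing will be enforced after reboot"
}

# 2. The kernel's runtime view. This is what the host actually enforces,
#    regardless of whether a GPO reports as applied.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

# Enforcement status values for the two CI policy properties.
$enforcement = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
"Kernel-mode CI policy : $($enforcement[[int]$dg.CodeIntegrityPolicyEnforcementStatus])"
"User-mode CI policy   : $($enforcement[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus])"

# VBS service IDs: 1 = Credential Guard, 2 = HVCI (memory integrity).
# 'Configured' is what policy asked for; 'Running' is what actually came up after reboot.
"VBS status            : $($dg.VirtualizationBasedSecurityStatus)  (0 = off, 1 = enabled not running, 2 = running)"
"VBS configured        : $($dg.SecurityServicesConfigured -join ', ')"
"VBS running           : $($dg.SecurityServicesRunning -join ', ')"

# 3. Did a policy load at the last boot? Event 3099 in the CodeIntegrity operational
#    log is written when a code integrity policy is refreshed and activated.
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id        = 3099
    StartTime = $lastBoot
} -MaxEvents 5 -ErrorAction SilentlyContinue

if ($events) {
    "Policy activation events since boot ($lastBoot):"
    $events | Select-Object TimeCreated, Id, Message | Format-List
} else {
    "No event 3099 since last boot ($lastBoot): no CI policy was activated at this boot."
}
```

    If the file is present but the enforcement status is Off and no event 3099 appears after the reboot, the policy is not being loaded at all (for example because the .p7b is malformed or was built from the wrong XML), which is a different problem from an HGS-side mismatch; if the host shows Enforced while HGS still fails the check, the policy registered with HGS and the one on the host are worth comparing next.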
  • Hi,

    I found another article; it seems it's expected behavior that an event 7010 is logged and that we are prompted that a restart is required when we run the diagnostic command.

    We can try to run an application to verify further.

    https://www.fortynorthsecurity.com/building-a-windows-defender-application-control-lab/


    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.


    Please understand that I am also not familiar with Device Guard.


    Best Regards,

    William

    Tuesday, October 22, 2019 10:42 AM
  • Hi,

    Just want to confirm the current situation.

    Please feel free to let us know if you need further assistance.

    Best Regards,

    William


    Friday, October 25, 2019 8:51 AM
  • Hi,


    Was your issue resolved?


    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If no, please reply and tell us the current situation in order to provide further help.


    Best Regards,

    William


    Wednesday, October 30, 2019 10:15 AM