Device Guard primarily prevents unsigned code from running on Windows. It’s like AppLocker on steroids. When configured properly, it virtually eliminates all virus and malware threats. It’s not for everyone, however, and can really mess up your computers if not configured correctly. You should test Device Guard policies extensively before deployment.
To activate Device Guard, you must be running Windows 10 Enterprise or Education 64-bit. It MUST be the Enterprise or Education SKU – it is not available on Pro. Next, your systems must boot with UEFI and have Secure Boot enabled. Though not required, you should also password-protect your firmware and prevent the device from booting from anything other than the hard drive.
If you have your own line-of-business applications, you will need a code signing certificate to sign these apps.
How it Works
Essentially, Device Guard prevents anything that is not signed from running. You specify which certificates are valid code-signing certs, which prevents running just anything that is signed. You sign your LOB apps with these certificates, and they can execute. For example, if I enable device guard but don’t trust the certificate that the Mozilla Firefox installer is signed with, I will not be able to install it.
You define a code integrity policy that gets deployed to your machines, either by Group Policy or some other method. This policy is defined using an XML file, which you can also sign, making it even more secure. The XML file can be deployed as part of a CAB to your machines.
Create Code Integrity Policy
To create a policy, configure a “master” machine with all of your required software installed. You only need a few commands to create the policy. First, create it by using:
New-CIPolicy -Level PcaCertificate -FilePath <path to store XML file> -UserPEs 3
Next, covert it to a binary format:
ConvertFrom-CIPolicy -XmlFilePath <path to created XML file> -BinaryFilePath <output binary file>
You will need the binary file for your deployment. You need hold on to the XML though, as you’ll need it later.
Auditing Code Integrity Policy
You should always run these policies in audit mode first to determine if you missed anything. To run a policy in audit mode, copy the outputted binary to C:\Windows\system32\CodeIntegrity.
Next, open your local group policy editor by running gpedit.msc. Navigate to Computer Configuration > Administrative Templates > System > Device Guard. Enable the “Define Code Integrity Policy” setting and set it to the path mentioned above:
When creating a policy, it’s set to audit mode by default. To put the policy in enforcement mode, run this command from PowerShell:
Set-RuleOption -Option3 -FilePath <path to XML file> -Delete
This cmdlet deletes a line from the XML file (called Enable:Audit Mode) and makes the policy enforceable. After this command, run the command to convert it back to binary and redeploy.
All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.