Article author - Andrey Kaptelin, member of the IT community

Device Guard is a set of software and hardware protection technologies available for devices with Windows 10. The article is devoted to one of the components of Device Guard - the Code Integrity (CI) policy. Details on how to configure and use CI can be found here .

Purpose of Device Guard

In the modern world, cyberthreats are developing very quickly. Protection technologies no longer keep pace with the development of malicious programs, both in their number and in the expanding range of attacks.

Viruses from fun for loners have grown into organized cybercrime. Automation and the low cost of complex attacks leave no chance even for small companies to go unnoticed.



The classic solution is based on three main conditions: installed updates, updated antivirus, and lack of administrative privileges. This is a long-established approach. However, a program that is completely legal from the point of view of antivirus can perform unwanted actions and not use software vulnerabilities. This view of security casts suspicion on any program. You can no longer rely on a list of antivirus signatures, and analyzing the actions of all programs is quite difficult.

New threats require new security solutions, and they already exist in Windows 10. One solution is to run only approved software. This approach has been successfully tested on the mobile platforms Windows and Apple. In them, absolutely all the software is tested and has a digital signature, based on which the device allows its launch. On Windows, this function is provided by the Code Integrity (CI) mechanism for checking code integrity.



Already at the stage of starting the computer, you can control the launch of software signed with trusted certificates. Further, having a list of your software, you can prevent the launch of something else, and the security task has been solved. The list of trusted certificates used to sign executable files is a file policy that guides the operating system.

But the world of Windows software is very diverse, and not all programs have digital signatures, and many will never receive them. For this, the Code Integrity mechanism can use directories signed by your certificate — lists of program files and their hash codes.

As a result, in order to use the new mechanism, it is required to create a policy containing a list of trusted certificates and hash codes of unsigned files and, if necessary, supplement it with catalog files of allowed software.

The easiest way to use Device Guard will be for new or existing jobs with a fixed list of software. It is enough to formulate a code integrity policy and activate the functionality, after that nothing extraneous can start on these computers.

There is also the possibility of creating policies based on several possible job options and merging them into a single policy, which is subsequently assigned to all jobs.

For advanced users who choose and install programs themselves, an audit mode is sufficient. The log of running applications will come in handy in the future to determine the necessary and unnecessary programs.

Note, Device Guard with Code Integrity and Virtualization Based Security (VBS) mechanisms is only available in Windows 10 Enterprise.

Configure Code Integrity Policies

Configuring Device Guard in User Mode Code Integrity is closest to the usual tasks of restricting software startup.
To create a Code Integrity policy on a reference computer, you will need to create a shadow copy of the disk and run the file scan cmdlet. In this case, a shadow copy allows you to get the scanning process access to all files, including those open at the time of scanning.

#Create a ShadowCopy to avoid locks
$s1 = (gwmi -List Win32_ShadowCopy).Create("C:\","ClientAccessible")
$s2 = gwmi Win32_ShadowCopy | ? { $_.ID -eq $s1.ShadowID }
$d  = $s2.DeviceObject + "\"
cmd /c mklink /d C:\scpy "$d"

The resulting disk snapshot, mounted in the C: \ scpy folder , can be scanned with the following cmdlet:

New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath C:\BasePolicy.xml -ScanPath C:\scpy -UserPEs

This command will create a list of signatures (certificates) found on the reference computer and calculate the hash codes of executable files that do not have a signature. The result will be an XML file containing the following parameters:

Enabled:Audit Mode

An option that includes the operation of the Code Integrity module in audit mode, in which all executable files that do not fall under the generated policy are written to the audit log.

An example of a discovered certificate. All executable files signed by him will be executed without restrictions.

An example of a detected file without a digital signature. If the hash code matches, this file will be launched.

The resulting XML file must be compiled into a binary format and placed in the system folder C: \ Windows \ System32 \ CodeIntegrity \ .

ConvertFrom-CIPolicy C:\BasePolicy.xml C:\SIPolicy.bin 
cp C:\SIPolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b 

After the computer restarts, the Code Integrity mechanism will start working in audit mode. After checking the launch and operation of all the necessary programs, you can supplement the policy with data collected by the audit by running the following command.

New-CIPolicy -Level PcaCertificate -Fallback Hash C:\AuditPolicy.xml -Audit

The -Audit switch indicates that you need to create a policy based on the entries in the audit log.
The AuditPolicy.xml file is similar in structure to the BasePolicy.xml file generated earlier.
To combine the results of the initial scan and the information collected in the audit mode, there is a team for combining policies.

Merge-CIPolicy –OutputFilePath C:\Final.xml –PolicyPaths C:\ BasePolicy.xml,C:\AuditPolicy.xml

To enable enforcement of the policy, we turn off audit mode in the resulting file.

Set-RuleOption -Option 3 -FilePath C:\Final.xml -Delete

As a result, the Enabled: Audit Mode entry is deleted from the XML file, and such a policy will block all software unaccounted for in it.

Next, compile the XML file into a binary format by running the command again

ConvertFrom-CIPolicy C:\Final.xml C:\SIPolicy.bin

You can distribute the policy to the target computers either by copying the SIPolicy.bin file in a convenient way, or by using the Windows 10 Group Policy in the Computer Configuration \ Administrative Templates \ System \ Device Guard section .

Creating a directory file

Code Integrity policy is a monolithic list of allowed software, which is not always convenient. To use new or updated programs, if they cannot be verified with an electronic signature, you can create a catalog file.

For example, take the 7zip program , for which we will create a catalog file containing both data about the distribution kit and all the executable files after installing the distribution kit.

To do this, at the station without an active Device Guard, we will launch the PackageInspector monitoring utility (included with Windows 10 Enterprise), specifying the drive letter for monitoring and the program distribution file to be launched as parameters.

.\PackageInspector.exe start C: -path c:\Distr\7z1508-x64.exe

After the installation of 7zip is completed, we check its launch and operation and stop monitoring with the command

.\PackageInspector.exe stop c: -name C:\Distr\7zip.cat -cdfpath c:\Distr\7zip.cdf

The 7zip.cdf file will show all executable files that have been monitored.
The 7zip.cat file contains compiled information for Device Guard.

In order for the created catalog file to be trusted for Device Guard, we will sign it with our digital signature.

If the administrator already has an imported certificate with the purpose of Code Sign, you can use it to sign directly from PowerShell by specifying the SHA256 hash algorithm required for Device Guard.

Get-ChildItem cert:\CurrentUser\My -codesign
Set-AuthenticodeSignature -HashAlgorithm SHA256 7zip-osnova.cat @(Get-ChildItem cert:\CurrentUser\My -codesign)[0] 

The certificate must be issued by a trusted certificate authority whose root certificate has been imported to the reference computer before creating the policy.

Next, you need to put the generated and signed directory file on the necessary computers, copying it to the directory store along the path
C: \ Windows \ System32 \ CatRoot \ {F750E6C3-38EE-11D1-8Force-00C04FC295EE}

Unlike the policy, the directory files are applied immediately and without rebooting . Now installation and operation of 7zip on the computer is allowed.

More detailed documentation is available on the TechNet portal at:
https://technet.microsoft.com/en-us/library/mt463091(v=vs.85).aspx