1. Hardware Prerequisite
Support for Hyper-V and SLAT + Secure Boot + UEFI
2. Software Prerequisite
Only for the Windows 10 Enterprise version!
Hyper-V (the platform, not necessarily the management tools)
Isolated user mode
3. Create GPO/GPO Pack
a. Create a GPO for device Guard
Make the appropriate choices according to the hardware's capabilities and the configuration you want. Confirm and link the GPO to a test OU, then run GPUPDATE /FORCE.
In this case, I used the local GPEDIT.MSC, but the process stays the same…
b. Creating a GPOPack
The GPO Pack mechanism lets you deploy exactly the same settings to non-domain-joined PCs, through a script or from an MDT/SCCM task sequence (TS).
In my case the purpose was to deploy that GPOPack automatically during MDT deployment.
To do so, you'll have to export those settings with the LocalGPO tool (included in SCM 3.0, the Security Compliance Manager):
Cscript localgpo.wsf /Path:D: /export /GPOPack
This creates an export on D: containing the settings of the local GPO created above:
Exporting Local Policy… this process can take a few moments.
Local Policy Exported to D:\{5179D33A-64A1-4432-AD76-D5D1BAE898FE}
Rename the file (for example WINGPOPACK1), then copy it into your MDT tree (C:\DeploymentShare\Templates\GPOPacks).
You're good to go! You'll just have to list it in CustomSettings.ini (CS.INI):
ApplyGPOPack=YES
GPOPackPath=WINGPOPACK1
During the TS, a step called Apply Local GPO Packs applies your GPO Pack during deployment.
You can also run the command line directly, to manage or deploy several GPOPacks in a much more granular way:
cscript localgpo.wsf /Path:D:\{5179D33A-64A1-4432-AD76-D5D1BAE898FE}
4. Create a base rule (certificate-based)
In an elevated (Administrator) Windows PowerShell:
New-CIPolicy -Level PcaCertificate -FilePath C:\ScanDeBase.xml -userPEs 3> C:\ScanDeBaseLog.txt
Checking for Catalog Signers…
Generating Rules…
Unable to generate rules for all scanned files at the requested level. A list of files not covered by the current policy can be found at C:\Users\Administrateur\AppData\Local\Temp\tmp550C.tmp. A more complete policy may be created using the -fallback switch
5. Convert to binary format
ConvertFrom-CIPolicy C:\ScanDeBase.xml C:\CIPolicydeBase.bin
6. Copy to the CodeIntegrity folder
xcopy C:\CIPolicydeBase.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b /y
7. Restart your computer and test
8. Audit Device Guard mode
Event Viewer (eventvwr): look for CodeIntegrity events with ID 3076 (a file that would have been blocked, logged because the policy is still in audit mode)
9. Create the rule from the audit log (hash rules for the detected exceptions)
New-CIPolicy -Audit -Level Hash -FilePath C:\ScanAuditBase.xml -UserPEs 3> CIAuditPolicylog.txt
10. Merge both rules
Merge-CIPolicy -PolicyPaths C:\ScanDeBase.xml, C:\ScanAuditBase.xml -OutputFilePath C:\ScanMerged.xml
11. Convert, copy… and restart
ConvertFrom-CIPolicy C:\ScanMerged.xml C:\ScanMerged.bin
xcopy C:\ScanMerged.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b /y
Restart once again.
12. Second audit for verification
13. If conclusive: switch to PROD (enforced) mode.
To do so, you must remove the audit policy option (option 3, Enabled:Audit Mode):
Set-RuleOption -FilePath C:\ScanMerged.xml -Option 3 -Delete
Convert and copy the file as before, then restart.
To deploy it with MDT/SCCM, you'll just have to insert a copy step for your SIPolicy.p7b in your MDT/SCCM TS if necessary:
(e.g. xcopy \\DC01\DeviceGuard\ScanMerged.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b /y)
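Steps 4 to 13 as one script, added here as an example (it is not the original post's code): it runs the three phases with the post's file names and, before dropping the audit option, checks that no CodeIntegrity 3076 events were logged since the verification reboot. The phase names, the -Work parameter and the 3076 check are this example's own assumptions; run it from an elevated PowerShell on the reference machine.

```powershell
# Example only, not the post's code. Assumes the post's file names under -Work.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Base', 'Audit', 'Enforce')]
    [string]$Phase,
    [string]$Work = 'C:\'
)

$base     = Join-Path $Work 'ScanDeBase.xml'
$baseLog  = Join-Path $Work 'ScanDeBaseLog.txt'
$audit    = Join-Path $Work 'ScanAuditBase.xml'
$auditLog = Join-Path $Work 'CIAuditPolicylog.txt'
$merged   = Join-Path $Work 'ScanMerged.xml'
$target   = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# Convert an XML policy to binary and install it as the active SIPolicy.p7b (steps 5-6 / 11).
function Install-Policy([string]$Xml) {
    $bin = [IO.Path]::ChangeExtension($Xml, '.bin')
    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $bin | Out-Null
    Copy-Item -Path $bin -Destination $target -Force
    Write-Host "Installed $bin as $target; reboot to apply."
}

# Count CodeIntegrity audit events (ID 3076) logged since the last boot (step 8 / 12).
function Get-AuditBlockCount {
    $boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $ev = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076; StartTime = $boot }
    return @($ev).Count
}

switch ($Phase) {
    'Base' {
        # Step 4: certificate-level scan. New-CIPolicy enables audit mode (option 3) by default.
        New-CIPolicy -Level PcaCertificate -FilePath $base -UserPEs 3> $baseLog
        Install-Policy $base
    }
    'Audit' {
        # Steps 9-10: hash rules for what the audit flagged, merged with the base policy.
        New-CIPolicy -Audit -Level Hash -FilePath $audit -UserPEs 3> $auditLog
        Merge-CIPolicy -PolicyPaths $base, $audit -OutputFilePath $merged | Out-Null
        Install-Policy $merged
    }
    'Enforce' {
        # Steps 12-13: only drop option 3 (Enabled:Audit Mode) if the verification boot was clean.
        $n = Get-AuditBlockCount
        if ($n -gt 0) { throw "$n CodeIntegrity 3076 event(s) since boot; fix the policy before enforcing." }
        Set-RuleOption -FilePath $merged -Option 3 -Delete
        Install-Policy $merged
    }
}
```

Run it once per phase with a reboot in between (Base, reboot, exercise the machine, Audit, reboot, exercise again, Enforce, reboot), which mirrors the post's steps 7, 11 and 12.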
14. Conclusions
Device Guard allows you to achieve optimum security for your sensitive machines. It is not a tool you would apply to all machines, only to those you really want to secure!
@RioJoubert