diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index ae6eec1804..215f9a8b8f 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -1,9 +1,6 @@ # [Keep Windows 10 secure](index.md) ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) -### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) ## [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) ### [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) ### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md) @@ -14,6 +11,16 @@ ## [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) +## [Device Guard deployment guide](device-guard-deployment-guide.md) +### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) +### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) +#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) +#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) +#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) +### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) ## [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) ### [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md) @@ -815,16 +822,6 @@ ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) -### [Device Guard deployment guide](device-guard-deployment-guide.md) -#### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) -#### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) -#### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) -#### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) -##### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) -##### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) -##### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) -##### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) -#### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) diff --git a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md index a1b2db57b3..fdf497e545 100644 --- a/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md +++ b/windows/keep-secure/creating-a-device-guard-policy-for-signed-apps.md @@ -1,112 +1,5 @@ --- title: Create a Device Guard code integrity policy based on a reference device (Windows 10) -description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. -ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +redirect_url: device-guard-deployment-guide.md --- -# Create a Device Guard code integrity policy based on a reference device -**Applies to** -- Windows 10 - -To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. - -## Create a Device Guard code integrity policy based on a reference device - -To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see [Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md). -> **Note:**  Before creating a code integrity policy, make sure your reference device is clean of viruses and malware. -  -**To create a code integrity policy based on a reference device** - -1. On your reference device, start PowerShell as an administrator. -2. In PowerShell, initialize variables by typing: - ``` syntax - $CIPolicyPath=$env:userprofile+"\Desktop\" - $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" - $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin" - ``` -3. Scan your device for installed applications and create a new code integrity policy by typing: - ``` syntax - New-CIPolicy -Level -FilePath $InitialCIPolicy -UserPEs -Fallback Hash 3> Warningslog.txt - ``` - Where *<RuleLevel>* can be set to any of the following options: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Rule levelDescription

Hash

Specifies individual hash values for each discovered app. Each time an app is updated the hash value will change and you will need to update your policy.

FileName

Currently unsupported.

SignedVersion

Currently unsupported.

Publisher

This level is a combination of the PCA certificate and the common name (CN) on the leaf certificate. When a PCA certificate is used to sign apps from multiple companies (such as VeriSign), this rule level allows you to trust the PCA certificate but only for the company whose name is on the leaf certificate.

FilePublisher

Currently unsupported.

LeafCertificate

Adds trusted signers at the individual signing certificate level. When an app is updated, the hash value is modified but the signing certificate stays the same. You will only need to update your policy if the signing certificate for an app changes.

-
- Note  Leaf certificates have much shorter validity periods than PCA certificates. You will need to update your policy if a certificate expires. -
-
-   -

PcaCertificate

Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, as the scan does not validate anything above the presented signature by going online or checking local root stores.

RootCertificate

Currently unsupported.

WHQL

Currently unsupported.

WHQLPublisher

Currently unsupported.

WHQLFilePublisher

Currently unsupported.

-   -4. Type the following to convert the code integrity policy to a binary format: - ``` syntax - ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin - ``` -Once you have completed these steps, the Device Guard policy binary file (DeviceGuardPolicy.bin) and original xml file (InitialScan.xml) will be available on your desktop. ->**Note:**  We recommend that you keep a copy of InitialScan.xml to use if you need to merge this code integrity policy with another policy, or update policy rule options. -  -## Related topics -[Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -  -  diff --git a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md index 626a9a939b..a20497761c 100644 --- a/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md +++ b/windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Deploy catalog files to support code integrity policies (Windows 10) +# Deploy catalog files to support code integrity policies **Applies to** - Windows 10 diff --git a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md index 6710758326..f9cae0de10 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md +++ b/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Deploy code integrity policies: policy rules and file rules (Windows 10) +# Deploy code integrity policies: policy rules and file rules **Applies to** - Windows 10 diff --git a/windows/keep-secure/deploy-code-integrity-policies-steps.md b/windows/keep-secure/deploy-code-integrity-policies-steps.md index e754b2139e..d9fa657c72 100644 --- a/windows/keep-secure/deploy-code-integrity-policies-steps.md +++ b/windows/keep-secure/deploy-code-integrity-policies-steps.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Deploy code integrity policies: steps (Windows 10) +# Deploy code integrity policies: steps **Applies to** - Windows 10 diff --git a/windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md b/windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md index 6a0dfeabe2..02ce631862 100644 --- a/windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md +++ b/windows/keep-secure/deploy-device-guard-deploy-code-integrity-policies.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Deploy Device Guard: deploy code integrity policies (Windows 10) +# Deploy Device Guard: deploy code integrity policies **Applies to** - Windows 10 diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 85ae77b74a..9eda4d82c8 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Deploy Device Guard: enable virtualization-based security (Windows 10) +# Deploy Device Guard: enable virtualization-based security **Applies to** - Windows 10 diff --git a/windows/keep-secure/device-guard-certification-and-compliance.md b/windows/keep-secure/device-guard-certification-and-compliance.md index 6ac463047e..5e60c5e980 100644 --- a/windows/keep-secure/device-guard-certification-and-compliance.md +++ b/windows/keep-secure/device-guard-certification-and-compliance.md @@ -1,107 +1,4 @@ --- title: Device Guard certification and compliance (Windows 10) -description: Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. -ms.assetid: 94167ECA-AB08-431D-95E5-7A363F42C7E3 -ms.pagetype: security -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: brianlic-msft +redirect_url: device-guard-deployment-guide.md --- -# Device Guard certification and compliance -**Applies to** -- Windows 10 - -Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. -Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. -For details on how to implement Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). -## Why use Device Guard -With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise. -Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210). - -### Advantages to using Device Guard - -You can take advantage of the benefits of Device Guard, based on what you turn on and use: -- Helps provide strong malware protection with enterprise manageability -- Helps provide the most advanced malware protection ever offered on the Windows platform -- Offers improved tamper resistance - -## How Device Guard works - -Device Guard restricts the Windows 10 operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including: -- User Mode Code Integrity (UMCI) -- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints) -- Secure Boot with database (db/dbx) restrictions -- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering. -- Optional: Trusted Platform Module (TPM) 1.2 or 2.0 -Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10. After that, Device Guard works to help protect your devices: -1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 starts before anything else. -2. After securely starting up the Windows boot components, Windows 10 can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup. -3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run. -4. At the same time that Windows 10 starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates. -## Required hardware and software -The following table shows the hardware and software you need to install and configure to implement Device Guard. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
RequirementDescription

Windows 10 Enterprise

The PC must be running Windows 10 Enterprise.

UEFI firmware version 2.3.1 or higher with UEFI Secure Boot and Platform Secure Boot

UEFI Secure Boot ensures that the device boots only authorized code. Additionally, Boot Integrity, also known as Platform Secure Boot must be supported. You can validate it against the following Windows Hardware Compatibility Program requirements:

-
    -

  • [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)

    • -

  • [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby)

    • -

Virtualization extensions

The following virtualization extensions are required to support virtualization-based security:

-
    -
  • Intel VT-x or AMD-V
    • -
  • Second Level Address Translation
    • -

Firmware lock

    -

  • The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings.

    • -

  • Work with your hardware manufacturer to ensure that the devices are Device Guard ready

    • -

  • You should require a firmware password or higher authentication to change firmware settings.

    • -

x64 architecture

The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

In Windows 10, an IOMMU enhances system resiliency against memory attacks.

Secure firmware update process

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.

Signed processor microcode updates

If the processor supports it, you must require signed microcode updates.

-  -## Related topics -[Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -[Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) -  -  diff --git a/windows/keep-secure/device-guard-deployment-guide.md b/windows/keep-secure/device-guard-deployment-guide.md index 85dec6ce25..e82f511105 100644 --- a/windows/keep-secure/device-guard-deployment-guide.md +++ b/windows/keep-secure/device-guard-deployment-guide.md @@ -8,7 +8,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Device Guard deployment guide (Windows 10) +# Device Guard deployment guide **Applies to** - Windows 10 diff --git a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md index 42e7d1cff1..542e85c56f 100644 --- a/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md +++ b/windows/keep-secure/getting-apps-to-run-on-device-guard-protected-devices.md @@ -1,256 +1,4 @@ --- title: Get apps to run on Device Guard-protected devices (Windows 10) -description: Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. -ms.assetid: E62B68C3-8B9F-4842-90FC-B4EE9FF8A67E -keywords: Package Inspector, packageinspector.exe, sign catalog file -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft +redirect_url: device-guard-deployment-guide.md --- - -# Get apps to run on Device Guard-protected devices - -**Applies to** -- Windows 10 - -Windows 10 introduces several new features and settings that when combined all equal what we're calling, Device Guard. Device Guard can help to protect your enterprise devices against the accidental running of malicious apps by requiring all of your apps to be signed by a trusted entity. - -To use Device Guard in an enterprise, you must be able to get your existing line-of-business and Independent Software Vendor (ISV)-developed apps to run on a protected device. Unfortunately, many line-of-business apps aren't signed, and in many cases, aren't even being actively developed. Similarly, you may have unsigned software from an ISV that you want to run, or you want to run certain applications from an ISV while not trusting all applications from that ISV. As part of the Device Guard features, Windows 10 includes a new tool called Package Inspector. Package Inspector scans your unsigned apps, and creates catalog files of the installed and running binaries, which can then be signed by the Sign Tool Windows SDK utility and distributed using Group Policy so that your apps will run on Device Guard-protected devices. - -## What you need to run your apps on Device-Guard protected devices - -Before you can get your apps to run on Device Guard-protected devices, you must have: - -- A device running Windows 10 Enterprise, Windows 10 Education, or Windows Server 2016 Technical Preview. -- Determined which unsigned apps you need to include in your catalog file. -- Created a code integrity policy for use by Device Guard. -- A [code signing certificate](http://go.microsoft.com/fwlink/p/?LinkId=619282), created using an internal public key infrastructure (PKI). -- [SignTool]( http://go.microsoft.com/fwlink/p/?LinkId=619283). A command-line tool that digitally signs files, verifies signatures in files, or time stamps files. The tool is installed in the \\Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path. - -## Create a catalog file for unsigned apps - -You must run Package Inspector on a device that's running a temporary Code Integrity Policy in audit mode, created explicitly for this purpose. Audit mode lets this policy catch any binaries missed by the inspection tool, but because it's audit mode, allows everything to continue running. -> **Important:**  This temporary policy, shouldn't be used for normal business purposes. -  -**To create a catalog file for an existing app** -1. Start PowerShell as an administrator, and create your temporary policy file by typing: - ``` syntax - mkdir temp - New-CIPolicy -l FileName -f .\tempdeny.xml -s .\temp -u - ConvertFrom-CIPolicy .\tempdeny.xml .\tempdeny.bin - cp .\tempdeny.bin C:\Windows\System32\CodeIntegrity\SIPolicy.p7b - ``` -2. Restart your device. -3. Start PowerShell as an administrator, and start scanning your file system by typing: - ``` syntax - PackageInspector.exe start c: - ``` - Where: - - - - - - - - - - - - - - - - - - - - - -
OptionDescription

start <drive_letter>:

Specifies to start a scan. For example, starting to scan the C: drive.

-path

File path to the package being inspected.

-   -4. Copy the app installation media to your C:\\ drive, and then install and run the program. - - Copying the media to your local drive helps to make sure that the installer and its related files are included in your catalog file. If you miss the install files, your Code Integrity Policy might trust the app to run, but not to install. After you've installed the app, you should check for updates. If updates happen while the app is open, you should close and restart the app to make sure everything is caught during the inspection process. - - > **Note:**  Because the Package Inspector creates a log entry in the catalog for every binary laid down on the file system, we recommend that you don't run any other installations or updates during the scanning process. -   -5. **Optional:** If you want to create a multi-app catalog (many apps included in a single catalog file), you can continue to run Steps 2-3 for each additional app. After you've added all of the apps you want to add, you can continue to Step 5. - > **Note: **  To streamline your process, we suggest: - - **Actively supported and updated apps.** Create a single catalog file for each app. - - **Legacy apps, non-active or not updated.** Create a single catalog file for all of your legacy apps. -   -6. Stop the scanning process and create the .\\InspectedPackage.cat and InspectedPackage.cdf files for your single app in your specified location, by typing: - ``` syntax - PackageInspector.exe stop c: - ``` -You can also use the `scan` command in place of using both `start` and `stop` if you want to create a catalog of files that are already present on your hard drive. The `scan` command recursively scans a specified directory and includes all signable files in the catalog. You can scan a specified directory by typing: -``` syntax -PackageInspector.exe scan c:\ -``` -The following table shows the available options for both the `scan` and `stop` commands. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionDescription

stop <drive_letter>:

Specifies that a scan of the specified location is complete, creating either a catalog or a definition file. For example, C:

scan <path to scan>

Specifies a directory path to scan. This command recursively scans a specified directory and includes all signable files in the catalog.

-out

Specifies what type of info should be created by the tool. You can use either CAT for a catalog file, CDF for a catalog definition file or list for a delimited list of files.

-listpath

Specifies the location where the installer will output the list of files for -out list.

-cdfPath <file_name>

Specifies where the tool should put the created .cdf file. If you use this option, you must also specify the file name.

-

We recommend that you use the full path to the file. However, relative paths are supported.

-resdir

This option isn't currently supported.

-name

This option isn't currently supported.

-ph [true|false]

Specifies whether to include page hashes in the catalog. You can use either True to add the hashes or False to not add the hashes.

-en

Specifies the catalog's encoding type. By default, it's PKCS_7_ASN_ENCODING | X509_ASN_ENCODING, 0x00010001.

-ca1

Specifies the CATATTR1 in the catalog and catalog definition files.

-ca2

Specifies the CATATTR2 in the catalog and catalog definition files.

-  -You can add additional parameters to your catalog beyond what's listed here. For more info, see the [MakeCat](http://go.microsoft.com/fwlink/p/?LinkId=618024) topic. - -## Sign your catalog file using Sign Tool - -You can sign your catalog file using Sign Tool, located in the Windows 7 or later Windows Software Development Kit (SDK) or by using the Device Guard signing portal. For details on using the Device Guard signing portal, see [Device Guard signing](http://go.microsoft.com/fwlink/p/?LinkID=698760). -This process shows how to use a password-protected Personal Information Exchange (.pfx) file to sign the catalog file. - -> **Important:**  To use this tool, you must have an internal certificate authority code signing certificate, or a code signing certificate issued by an external third-party certificate authority. -  -**To use Sign Tool** - -1. Check that your code signing certificates have been imported into your certificate store or that they're on the file system. -2. Open SignTool.exe and sign the catalog file, based on where your certificate is stored. - If you are using the PFX from a file system location: - ``` syntax - signtool sign /f <\\SignCertLocation> /p <\\password> /fd sha256 /v - ``` - If you have imported the certificate into your cert store: - ``` syntax - signtool sign /n <\\CertSubjectName> /fd sha256 /v - ``` - Where: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionDescription

signtool

Specifies the full path location to SignTool.exe.

sign

Digitally signs files. For a list of the options supported by the sign command, see the [SignTool options](http://go.microsoft.com/fwlink/p/?LinkId=619283).

/n SubjectName

Specifies the name of the subject of the signing certificate. This value can be a substring of the entire subject name.

/f SignCertFileLocation

Specifies the signing certificate in a file.

-

If the file is in .pfx format and protected by a password, use the /p option to specify the password. If the file does not contain private keys, use the /csp and /k options to specify the .csp and private key container name.

/p Password

Specifies the password to use when opening a PFX file. (Use the /f option to specify a PFX file.)

/fd Algorithm

Specifies the file digest algorithm to use for creating file signatures. The default is SHA2.

/v

Displays verbose output regardless of whether the command runs successfully or fails, and displays warning messages.

-   - For more detailed info and examples using the available options, see the [SignTool.exe (Sign Tool)](http://go.microsoft.com/fwlink/p/?LinkId=618026) topic. - -3. In File Explorer, right-click your catalog file, click **Properties**, and then click the **Digital Signatures** tab to make sure your catalog file's digital signature is accurate. -4. Copy your catalog file to C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} and test the file. - - >**Note:**  For testing purposes, you can manually copy your file to this location. However, we recommend that you use Group Policy to copy the catalog file to all of your devices for large-scale implementations. - -## Troubleshooting the Package Inspector - -If you see "Error 1181" while stopping the Package Inspector, you'll need to increase your USN journal size and then clear all of the cached data before re-scanning the impacted apps. - -You must make sure that you clear the cache by creating and setting a new temporary policy. If you reuse the same policy, the Package Inspector will fail. - -**To increase your journal size** -1. Open a command-prompt window, and then type: - ``` syntax - fsutil usn createjournal m=0x8000000 a=0x800000 C: - ``` - Where the "m" value needs to be increased. We recommend that you change the value to at least 4 times the default value of m=0x2000000. -2. Re-run the failed app installation(s). - -**To clear your cached data and re-scan your apps** - -1. Delete the SIPolicy.p7b file from the C:\\Windows\\System32\\CodeIntegrity\\ folder. -2. Create a new temporary Code Integrity Policy to clear all of the cached data by starting Windows Powershell as an administrator and typing: - ``` syntax - mkdir temp - cp C:\Windows\System32\PackageInspector.exe .\temp\ - New-CIPolicy -l Hash -f .\DenyPackageInspector.xml -s .\temp -u -deny - ConvertFrom-CIPolicy .\DenyPackageInspector.xml .\DenyPackageInspector.bin - cp .\DenyPackageInspector.bin C:\Windows\System32\SIPolicy.p7b - ``` -3. Restart your device and follow the steps in the [Create a catalog file for unsigned apps](#create-a-catalog-file-for-unsigned-apps) section. - -## Related topics - -[Download SignTool]( http://go.microsoft.com/fwlink/p/?LinkId=619283) diff --git a/windows/keep-secure/index.md b/windows/keep-secure/index.md index c400267003..08feae0e2e 100644 --- a/windows/keep-secure/index.md +++ b/windows/keep-secure/index.md @@ -18,18 +18,18 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure. | - | - | | [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) | This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md). | | [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. | -| [Device Guard certification and compliance](device-guard-certification-and-compliance.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md) | In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN. | | [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) | Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. | | [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) | In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. | | [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) | Digital certificates bind the identity of a user or computer to a pair of keys that can be used to encrypt and sign digital information. Certificates are issued by a certification authority (CA) that vouches for the identity of the certificate holder, and they enable secure client communications with websites and services. | +| [Device Guard deployment guide](device-guard-deployment-guide.md) | Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. | | [Protect derived domain credentials with Credential Guard](credential-guard.md) | Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets. | | [Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md) | With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. | | [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) | Learn about an approach to collect events from devices in your organization. This article talks about events in both normal operations and when an intrusion is suspected. | | [VPN profile options](vpn-profile-options.md) | Virtual private networks (VPN) let you give your users secure remote access to your company network. Windows 10 adds useful new VPN profile options to help you manage how users connect. | | [Windows security baselines](windows-security-baselines.md) | Learn why you should use security baselines in your organization. | | [Security technologies](security-technologies.md) | Learn more about the different security technologies that are available in Windows 10 and Windows 10 Mobile. | -| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. | +| [Enterprise security guides](windows-10-enterprise-security-guides.md) | Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. |   ## Related topics diff --git a/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md b/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md index 55f3a36e0e..f915647f15 100644 --- a/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md +++ b/windows/keep-secure/optional-create-a-code-signing-certificate-for-code-integrity-policies.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Optional: Create a code signing certificate for code integrity policies (Windows 10) +# Optional: Create a code signing certificate for code integrity policies **Applies to** - Windows 10 diff --git a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md index 9b96e7267b..2715141f20 100644 --- a/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md +++ b/windows/keep-secure/planning-and-getting-started-on-the-device-guard-deployment-process.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Planning and getting started on the Device Guard deployment process (Windows 10) +# Planning and getting started on the Device Guard deployment process **Applies to** - Windows 10 diff --git a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md index 0cfc7f0b0e..2c6b76c490 100644 --- a/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md +++ b/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy author: brianlic-msft --- -# Requirements and deployment planning guidelines for Device Guard (Windows 10) +# Requirements and deployment planning guidelines for Device Guard **Applies to** - Windows 10 diff --git a/windows/keep-secure/windows-10-enterprise-security-guides.md b/windows/keep-secure/windows-10-enterprise-security-guides.md index 30f130d499..a5c487491c 100644 --- a/windows/keep-secure/windows-10-enterprise-security-guides.md +++ b/windows/keep-secure/windows-10-enterprise-security-guides.md @@ -1,6 +1,6 @@ --- title: Enterprise security guides (Windows 10) -description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. +description: Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. ms.assetid: 57134f84-bd4b-4b1d-b663-4a2d36f5a7f8 ms.prod: w10 ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ author: challum ## Purpose -Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Device Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. +Get proven guidance to help you better secure and protect your enterprise by using technologies such as Credential Guard, Microsoft Passport, and Windows Hello. This section offers technology overviews and step-by-step guides. ## In this section @@ -34,10 +34,6 @@ Get proven guidance to help you better secure and protect your enterprise by usi

[Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)

This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.

- -

[Device Guard deployment guide](device-guard-deployment-guide.md)

-

Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them.

-

[Microsoft Passport guide](microsoft-passport-guide.md)

This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.

diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md index c96f390c98..28e92f028b 100644 --- a/windows/whats-new/device-guard-overview.md +++ b/windows/whats-new/device-guard-overview.md @@ -18,94 +18,16 @@ author: brianlic-msft - Windows Server 2016 Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. If the app isn’t trusted it can’t run, period. It also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code after the computer restarts because of how decisions are made about what can run and when. + Device Guard uses the new virtualization-based security in Windows 10 Enterprise to isolate the Code Integrity service from the Microsoft Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. + For details on how to implement Device Guard, see [Device Guard deployment guide](../keep-secure/device-guard-deployment-guide.md). + ## Why use Device Guard With thousands of new malicious files created every day, using traditional methods like signature-based detection to fight against malware provides an inadequate defense against new attacks. Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solutions, to a mode where the operating system trusts only apps authorized by your enterprise. Device Guard also helps protect against [zero day attacks](http://go.microsoft.com/fwlink/p/?linkid=534209) and works to combat the challenges of [polymorphic viruses](http://go.microsoft.com/fwlink/p/?LinkId=534210). -### Advantages to using Device Guard -You can take advantage of the benefits of Device Guard, based on what you turn on and use: -- Helps provide strong malware protection with enterprise manageability -- Helps provide the most advanced malware protection ever offered on the Windows platform -- Offers improved tamper resistance -## How Device Guard works -Device Guard restricts the Windows 10 Enterprise operating system to only running code that’s signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including: -- User Mode Code Integrity (UMCI) -- New kernel code integrity rules (including the new Windows Hardware Quality Labs (WHQL) signing constraints) -- Secure Boot with database (db/dbx) restrictions -- Virtualization-based security to help protect system memory and kernel mode apps and drivers from possible tampering. -- **Optional:** Trusted Platform Module (TPM) 1.2 or 2.0 -Device Guard works with your image-building process, so you can turn the virtualization-based security feature on for capable devices, configure your Code Integrity policy, and set any other operating system settings you require for Windows 10 Enterprise. After that, Device Guard works to help protect your devices: -1. Your device starts up using Universal Extensible Firmware Interface (UEFI) Secure Boot, so that boot kits can’t run and so that Windows 10 Enterprise starts before anything else. -2. After securely starting up the Windows boot components, Windows 10 Enterprise can start the Hyper-V virtualization-based security services, including Kernel Mode Code Integrity. These services help protect the system core (kernel), privileged drivers, and system defenses, like anti-malware solutions, by preventing malware from running early in the boot process, or in kernel after startup. -3. Device Guard uses UMCI to make sure that anything that runs in User mode, such as a service, a Universal Windows Platform (UWP) app, or a Classic Windows application is trusted, allowing only trusted binaries to run. -4. At the same time that Windows 10 Enterprise starts up, so too does the trusted platform module (TPM). TPM provides an isolated hardware component that helps protect sensitive information, such as user credentials and certificates. -## Required hardware and software -The following table shows the hardware and software you need to install and configure to implement Device Guard. - ---- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
RequirementDescription

Windows 10 Enterprise

The PC must be running Windows 10 Enterprise.

UEFI firmware version 2.3.1 or higher and Secure Boot

To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](http://msdn.microsoft.com/library/windows/hardware/dn932807.aspx#system-fundamentals-firmware-cs-uefisecureboot-connectedstandby) Windows Hardware Compatibility Program requirement.

Virtualization extensions

The following virtualization extensions are required to support virtualization-based security:

-
    -
  • Intel VT-x or AMD-V
    • -
  • Second Level Address Translation
    • -

Firmware lock

The firmware setup should be locked to prevent other operating systems from starting and to prevent changes to the UEFI settings. You should also disable boot methods other than from the hard drive.

x64 architecture

The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.

A VT-d or AMD-Vi IOMMU (Input/output memory management unit)

In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹

Secure firmware update process

To verify that the firmware complies with the secure firmware update process, you can validate it against the [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) Windows Hardware Compatibility Program requirement.

Device Guard relies on the security of the underlying hardware and firmware. It is critical to keep the firmware updated with the latest security fixes.

-  -## Before using Device Guard in your company -Before you can successfully use Device Guard, you must set up your environment and your policies. -### Signing your apps -Device Guard mode supports both UWP apps and Classic Windows applications. Trust between Device Guard and your apps happen when your apps are signed using a signature that you determine to be trustworthy. Not just any signature will work. -This signing can happen by: -- **Using the Windows Store publishing process.** All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own. -- **Using your own digital certificate or public key infrastructure (PKI).** ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers. -- **Using a non-Microsoft signing authority.** ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications. -- **Use the Device Guard signing portal**. Available in the Windows Store for Business, you can use a Microsoft web service to sign your Classic Windows applications. For more info, see [Device Guard signing](../manage/device-guard-signing-portal.md). -### Code Integrity policy -Before you can use the app protection included in Device Guard, you must create a Code Integrity policy using tools provided by Microsoft, but deployed using your current management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. This policy restricts what code can run on a device. -For the Device Guard feature, devices should only have Code Integrity pre-configured if the settings are provided by a customer for a customer-provided image. -**Note**  This XML document can be signed in Windows 10 Enterprise, helping to add additional protection against administrative users changing or removing this policy. -  -### Virtualization-based security using Windows 10 Enterprise Hypervisor -Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. -**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security must have compatible drivers - legacy drivers can be updated - and have all virtualization capabilities turned on. This includes virtualization extensions and input/output memory management unit (IOMMU) support. -  -  -  +## Virtualization-based security using Windows 10 Enterprise Hypervisor + +Windows 10 Enterprise Hypervisor introduces new capabilities around virtual trust levels, which helps Windows 10 Enterprise services to run in a protected environment, in isolation from the running operating system. Windows 10 Enterprise virtualization-based security helps protect kernel code integrity and helps to provide credential isolation for the local security authority (LSA). Letting the Kernel Code Integrity service run as a hypervisor-hosted service increases the level of protection around the root operating system, adding additional protections against any malware that compromises the kernel layer. + +>**Important**  Device Guard devices that run Kernel Code Integrity with virtualization-based security (VBS) must have compatible drivers (legacy drivers can be updated) and meet requirements for the hardware and firmware that support virtualization-based security. For more information, see [Hardware, firmware, and software requirements for Device Guard](../keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-device-guard)