adding ms.pagetype back

Brian Lich
2016-05-10 12:12:23 -07:00
parent f6f4c2d1b9
commit e9d723e3c5
479 changed files with 491 additions and 25927 deletions


@ -2,50 +2,33 @@
title: Create a Device Guard code integrity policy based on a reference device (Windows 10)
description: To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device.
ms.assetid: 6C94B14E-E2CE-4F6C-8939-4B375406E825
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
---
# Create a Device Guard code integrity policy based on a reference device
**Applies to**
- Windows 10
To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device.
## <a href="" id="create-a-device-guard-code-integrity-policy-based-on--a-reference-device"></a>Create a Device Guard code integrity policy based on a reference device
To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see [Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md).
**Note**  Before creating a code integrity policy, make sure your reference device is clean of viruses and malware.
 
**To create a code integrity policy based on a reference device**
1. On your reference device, start PowerShell as an administrator.
2. In PowerShell, initialize variables by typing:
``` syntax
$CIPolicyPath=$env:userprofile+"\Desktop\"
$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
```
3. Scan your device for installed applications and create a new code integrity policy by typing:
``` syntax
New-CIPolicy -Level <RuleLevel> -FilePath $InitialCIPolicy -UserPEs -Fallback Hash 3> Warningslog.txt
```
Where *&lt;RuleLevel&gt;* can be set to any of the following options:
<table>
<colgroup>
<col width="50%" />
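Review bot: The `syntax` code fences for steps 2 and 3 start at column 0 directly under their list items, and the hunk header (-2,50 +2,33) shows 17 lines dropped, which leaves no blank lines between the headings, "**Applies to**", the list, the paragraphs and the fences. Depending on the renderer this can merge the "**Note**" about keeping the reference device clean of viruses and malware into the preceding paragraph and restart the step numbering after each fence. Suggest restoring a blank line around each block and indenting the fences under their list items so steps 1 to 4 stay one list. The commit message only mentions ms.pagetype, so the whitespace removal would be easier to review as a separate change. Separately, step 3 redirects warnings with `3> Warningslog.txt`, a path relative to the current directory, while the other outputs are built from `$CIPolicyPath`; consider writing the log there too so it ends up beside InitialScan.xml.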
@ -110,31 +93,15 @@ To create a code integrity policy, you'll first need to create a reference image
</tr>
</tbody>
</table>
 
4. Type the following to convert the code integrity policy to a binary format:
``` syntax
ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
```
Once you have completed these steps, the Device Guard policy binary file (DeviceGuardPolicy.bin) and original xml file (InitialScan.xml) will be available on your desktop.
**Note**  We recommend that you keep a copy of InitialScan.xml to use if you need to merge this code integrity policy with another policy, or update policy rule options.
 
## Related topics
[Getting apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md)
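Review bot: Step 4 ("4. Type the following to convert...") now follows `</table>` with only a `&nbsp;`-style line in between, and a line holding a non-breaking space is not a blank line to CommonMark-style parsers, so the HTML block may run on and swallow the step and its fence as raw HTML. Suggest keeping a truly empty line after `</table>` and before "## Related topics". The two paragraphs after the fence ("Once you have completed these steps..." and the "**Note**" recommending that a copy of InitialScan.xml be kept) also lost their separators and should stay distinct paragraphs. Minor: "original xml file" should read "original XML file".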