| title | description | ms.assetid | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | author |
|---|---|---|---|---|---|---|---|
| Create a Device Guard code integrity policy based on a reference device (Windows 10) | To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device. | 6C94B14E-E2CE-4F6C-8939-4B375406E825 | w10 | deploy | library | security | brianlic-msft |
# Create a Device Guard code integrity policy based on a reference device

**Applies to**
- Windows 10
To implement Device Guard app protection, you will need to create a code integrity policy. Code integrity policies determine what apps are considered trustworthy and are allowed to run on a protected device.
## Create a Device Guard code integrity policy based on a reference device
To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see Getting apps to run on Device Guard-protected devices.
Note: Before creating a code integrity policy, make sure your reference device is clean of viruses and malware.

**To create a code integrity policy based on a reference device**

- On your reference device, start PowerShell as an administrator.
- In PowerShell, initialize variables by typing:

  ```powershell
  $CIPolicyPath=$env:userprofile+"\Desktop\"
  $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"
  $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"
  ```

- Scan your device for installed applications and create a new code integrity policy by typing:

  ```powershell
  New-CIPolicy -Level <RuleLevel> -FilePath $InitialCIPolicy -UserPEs -Fallback Hash 3> Warningslog.txt
  ```

  Where `<RuleLevel>` can be set to any of the following options:
| Rule level | Description |
|---|---|
| Hash | Specifies individual hash values for each discovered app. Each time an app is updated the hash value will change and you will need to update your policy. |
| FileName | Currently unsupported. |
| SignedVersion | Currently unsupported. |
| Publisher | This level is a combination of the PCA certificate and the common name (CN) on the leaf certificate. When a PCA certificate is used to sign apps from multiple companies (such as VeriSign), this rule level allows you to trust the PCA certificate but only for the company whose name is on the leaf certificate. |
| FilePublisher | Currently unsupported. |
| LeafCertificate | Adds trusted signers at the individual signing certificate level. When an app is updated, the hash value is modified but the signing certificate stays the same. You will only need to update your policy if the signing certificate for an app changes. **Note:** Leaf certificates have much shorter validity periods than PCA certificates. You will need to update your policy if a certificate expires. |
| PcaCertificate | Adds the highest certificate in the provided certificate chain to signers. This is typically one certificate below the root certificate, as the scan does not validate anything above the presented signature by going online or checking local root stores. |
| RootCertificate | Currently unsupported. |
| WHQL | Currently unsupported. |
| WHQLPublisher | Currently unsupported. |
| WHQLFilePublisher | Currently unsupported. |
- Type the following to convert the code integrity policy to a binary format:

  ```powershell
  ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
  ```
Once you have completed these steps, the Device Guard policy binary file (DeviceGuardPolicy.bin) and the original XML file (InitialScan.xml) will be available on your desktop.
Note: We recommend that you keep a copy of InitialScan.xml to use if you need to merge this code integrity policy with another policy, or update policy rule options.
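As an added example that is not part of the original page, the following PowerShell reads the InitialScan.xml produced by the scan above and reports how much of the policy rests on hash rules (which must be updated every time the app changes) versus signer rules (which survive updates). It reuses the page's variable names and assumes the policy XML layout written by New-CIPolicy: an `SiPolicy` root with `FileRules/Allow` and `Signers/Signer` elements in the `urn:schemas-microsoft-com:sipolicy` namespace.

```powershell
# Added example, not from the original page. Summarise the rule types in the
# policy XML that New-CIPolicy wrote, so you can see which binaries fell back
# to hash rules and which publishers/certificates the policy will trust.
$CIPolicyPath    = $env:userprofile + "\Desktop\"
$InitialCIPolicy = $CIPolicyPath + "InitialScan.xml"

# Assumption: the policy schema uses the sipolicy namespace below.
[xml]$policy = Get-Content -Path $InitialCIPolicy -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($policy.NameTable)
$ns.AddNamespace("si", "urn:schemas-microsoft-com:sipolicy")

# Hash-based allow rules: one per binary the scan could not tie to a signer
# (unsigned files, or files that hit the -Fallback Hash path).
$hashRules = $policy.SelectNodes("//si:FileRules/si:Allow[@Hash]", $ns)
# Signer rules: one per trusted certificate or publisher.
$signers   = $policy.SelectNodes("//si:Signers/si:Signer", $ns)

"Hash rules   : {0}" -f $hashRules.Count
"Signer rules : {0}" -f $signers.Count

# Files covered only by a hash rule. Each will need a policy update whenever
# it changes, so these are the candidates for getting signed instead.
"`nFiles on hash rules:"
$hashRules | ForEach-Object { $_.FriendlyName } | Sort-Object -Unique

# Signers the policy will trust. At the Publisher level the leaf CN is
# recorded as a CertPublisher child; other levels may omit it.
"`nTrusted signers:"
$signers | ForEach-Object {
    $pub = $_.SelectSingleNode("si:CertPublisher", $ns)
    $cn  = if ($pub) { $pub.Value } else { "n/a" }
    "{0}  (CertPublisher: {1})" -f $_.Name, $cn
}
```

Run it after the scan step and before converting the policy to binary; a large hash-rule count is the signal that the reference image still contains unsigned applications.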