Hello!
Help me please clear up how Device Guard works:
The page that starts the explanation of Device Guard - https://technet.microsoft.com/en-us/library/mt219733%28v=vs.85%29.aspx - says:
"How Device Guard works
"Device Guard restricts the Windows 10 operating system to only running code that's signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including:..."
The second page - https://technet.microsoft.com/en-us/library/mt158214%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 - describes how to sign catalog files:
"Get apps to run on Device Guard-protected
Package Inspector scans your unsigned apps, and creates catalog files of the installed and running binaries, which can then be signed by the Sign Tool Windows SDK utility and distributed using Group Policy so that your apps will run on Device Guard-protected devices."
And the last one - https://technet.microsoft.com/en-us/library/mt243445%28v=vs.85%29.aspx - says:
"Create a Device Guard code integrity policy based on a reference device
To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices...."
...I just can't put all these pages together: if, by the definition from page 1, "Device Guard restricts the Windows 10 operating system to only running code that's signed by trusted signers", then my goal should be to sign all unsigned applications and provide the list of such "approved" apps to all enterprise devices, but page 2 says I must find all UNsigned applications and sign a catalog file that contains them (not the apps themselves!), whilst page 3 states once again that I "need to create a reference image that includes the signed applications you want".
Q1) Page 1 - What does the term "running code" mean - is it a (signed) application or an UNsigned application from the signed catalog file?
Q2) How does page 3 relate to page 2? - I mean page 2 ends with the catalog file being signed and copied to C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} - is that enough to enable Device Guard, given that MS says "Copy your catalog file to C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} and test the file?" How do I test it?
Q3) Page 3 - "To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see Getting apps to run on Device Guard-protected devices." - the link posted here ("Getting apps to run on Device Guard-protected devices") takes us to page 2, which explains how to "Create a catalog file for unsigned apps" - so either it should read "that includes the UNsigned applications", or page 3 contradicts page 2... ???
Q4) Page 3 - "Scan your device for installed applications and create a new code integrity policy by typing:
"New-CIPolicy -Level <RuleLevel> -FilePath $InitialCIPolicy -UserPEs -Fallback Hash 3> Warningslog.txt" -
how is this policy connected with the signed catalog file created on page 2?
Thank you in advance,
Michael