Device Guard theory questions

Hello!

Help me please clear up how Device Guard works:

The page that starts the explanation of Device Guard - https://technet.microsoft.com/en-us/library/mt219733%28v=vs.85%29.aspx - says:

"How Device Guard works

Device Guard restricts the Windows 10 operating system to only running code that's signed by trusted signers, as defined by your Code Integrity policy through specific hardware and security configurations, including:..."

The second page - https://technet.microsoft.com/en-us/library/mt158214%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396 - describes how to sign catalog files:

"Get apps to run on Device Guard-protected

Package Inspector scans your unsigned apps, and creates catalog files of the installed and running binaries, which can then be signed by the Sign Tool Windows SDK utility and distributed using Group Policy so that your apps will run on Device Guard-protected devices."

And the last one - https://technet.microsoft.com/en-us/library/mt243445%28v=vs.85%29.aspx - says:

"Create a Device Guard code integrity policy based on a reference device

To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices...."


...I just can't put all these pages together: if, by definition from page 1, "Device Guard restricts the Windows 10 operating system to only running code that's signed by trusted signers", then my goal should be to sign all unsigned applications and provide the list of such "approved" apps to all enterprise devices, but page 2 says I must find all UNsigned applications and sign a catalog file that contains them (not the apps themselves!), while page 3 states once again that I "need to create a reference image that includes the signed applications you want".

Q1) Page 1 - What does the term "running code" mean - is it a (signed) application or an UNsigned application from the signed catalog file?

Q2) How does page 3 relate to page 2? - I mean, page 2 ends up with the catalog file being signed and copied to C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} - is that enough to enable Device Guard, given that MS says "Copy your catalog file to C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} and test the file"? How do I test it?

Q3) Page 3 - "To create a code integrity policy, you'll first need to create a reference image that includes the signed applications you want to run on your protected devices. For information on how to sign applications, see Getting apps to run on Device Guard-protected devices." - the link posted here ("Getting apps to run on Device Guard-protected devices") takes us to page 2, which explains how to "Create a catalog file for unsigned apps" - either it should read "that includes the UNsigned applications" or page 3 contradicts page 2... ???

Q4) Page 3 - "Scan your device for installed applications and create a new code integrity policy by typing: "New-CIPolicy -Level <RuleLevel> -FilePath $InitialCIPolicy -UserPEs -Fallback Hash 3> Warningslog.txt" - how is this policy connected to the signed catalog file created on page 2?

Thank you in advance,

Michael

August 27th, 2015 10:34am
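As an added example (not part of this thread and not a script from Microsoft's pages), the following PowerShell session shows how the three pages quoted above fit together on one reference machine: Package Inspector records the binaries of an unsigned app into a catalog definition, the catalog (not the app) is signed, the catalog is dropped into catroot and its signature checked, and the code integrity policy produced by New-CIPolicy is given a signer rule for the certificate that signed the catalog. That signer rule is what connects the catalog of page 2 to the policy of page 3. The installer path, the application name, the certificate subject "Contoso CI Signing", and all file paths under C:\CI are assumptions made for the example; the cmdlets and tools themselves (PackageInspector.exe, makecat, signtool, New-CIPolicy, Add-SignerRule, Set-RuleOption, ConvertFrom-CIPolicy) are the ones the Device Guard documentation of that time uses.

```powershell
# Added example, not from the thread or from Microsoft's pages.
# Assumptions (hypothetical): the unsigned app installs from C:\Installers\ContosoApp.msi,
# a code-signing certificate with subject "Contoso CI Signing" is in the current user's
# store, and its public part is exported to C:\CI\ContosoCISigning.cer.
# Run from an elevated PowerShell on the reference machine with the Windows SDK
# (signtool.exe, makecat.exe) and PackageInspector.exe on the PATH.

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path 'C:\CI' -Force | Out-Null

$Installer   = 'C:\Installers\ContosoApp.msi'                 # hypothetical
$AppExe      = 'C:\Program Files\ContosoApp\ContosoApp.exe'   # hypothetical
$CatDefName  = 'C:\CI\ContosoApp.cdf'                         # catalog definition
$CatFileName = 'C:\CI\ContosoApp.cat'                         # catalog built from it
$SignerCN    = 'Contoso CI Signing'                           # hypothetical cert subject
$SignerCer   = 'C:\CI\ContosoCISigning.cer'                   # public cert of that signer
$PolicyXml   = 'C:\CI\InitialScan.xml'
$PolicyBin   = 'C:\CI\SIPolicy.p7b'
$CatRoot     = 'C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'

# --- Step 1 (page 2): record every binary the unsigned app installs and runs ----
# Package Inspector watches the C: volume; files written or executed between Start
# and Stop are hashed into the catalog definition. The app's files are never modified.
PackageInspector.exe Start C:
Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$Installer`" /qn" -Wait
# Run the app once so binaries extracted at first launch are captured as well.
Start-Process -FilePath $AppExe
Start-Sleep -Seconds 30
PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName

# --- Step 2 (page 2): build the catalog and sign the CATALOG, not the app ---------
makecat.exe $CatDefName
signtool.exe sign /n $SignerCN /fd sha256 /v $CatFileName

# --- Step 3 (page 2): stage the catalog and test it ------------------------------
Copy-Item -Path $CatFileName -Destination $CatRoot
# A catalog with an invalid or missing signature is ignored by code integrity.
$sig = Get-AuthenticodeSignature -FilePath (Join-Path $CatRoot (Split-Path $CatFileName -Leaf))
if ($sig.Status -ne 'Valid') { throw "Catalog signature status is $($sig.Status)" }

# --- Step 4 (page 3): build the code integrity policy from the reference machine --
# -UserPEs also covers user-mode code; -Fallback Hash adds a hash rule for any file
# that has no usable signer, and stream 3 collects the warnings about those files.
New-CIPolicy -Level Publisher -FilePath $PolicyXml -UserPEs -Fallback Hash 3> 'C:\CI\Warningslog.txt'

# --- Step 5: the link between the catalog and the policy -------------------------
# The policy must trust the certificate that signed the catalog. Files listed in a
# catalog signed by a trusted signer are then treated as signed by that signer, so
# the unsigned app runs under the policy without per-file hash rules.
Add-SignerRule -FilePath $PolicyXml -CertificatePath $SignerCer -User

# New policies start in audit mode (rule option 3): violations are logged, not blocked.
# Remove the option only once the audit log is clean:
#   Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete

# --- Step 6 (page 3): compile the policy and deploy it to the local machine -------
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# After a reboot, run the app and check the code integrity log:
# event 3076 = would have been blocked (audit mode), 3077 = blocked (enforced).
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 3076, 3077 } |
    Select-Object TimeCreated, Id, Message
```

The same exported certificate must be trusted on every device that receives the catalog and the policy; distributing only the catalog (page 2) without a policy that contains a matching signer rule (page 3) leaves the app's binaries unrecognised, and distributing the policy without the signed catalog leaves the unsigned app with no signer for the rule to match.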

Hello MF47,

I will try to explain here.

====

To your first question, I think the running code here is the behaviour of any application.

When signing any application for Device Guard: as part of the Device Guard features, Windows 10 includes a new tool called Package Inspector. Package Inspector scans your unsigned apps and creates catalog files of the installed and running binaries, which can then be signed by the SignTool Windows SDK utility and distributed using Group Policy so that your apps will run on Device Guard-protected devices.

In my opinion, when the signed app runs, the files needed to make it run can all be recognised by Device Guard, so that any unknown files can't be executed at this time.

====

To your second question, the test should be of the catalog file, to make sure it was successfully edited;

To test whether it could work, choose the signed apps and the unsigned apps and run them on the same device.

====

To your third question, I think the sentence I quoted in question 1 answers your question here.

The process described in page 2 should be the process to make the unsigned app into the signed app.

====

Well, I also don't know the process by which the policy gathers the catalog files here, but I think the information should be collected in the two files generated with the special PowerShell command.

Regards

August 28th, 2015 3:22am

Hello Michael,

Thank you for your reply!

"The process described in page 2 should be the process to make the unsigned app into the signed app." - page 2 describes how to sign catalog files - NOT the app files! This is the main problem in MS's explanation - the only thing that is being signed on pages 1-3 is the CATALOG file. In this case, what does MS call a "signed application" or an "UNsigned application"???

"Well, I also don't know the process how the policy gather the catalog files here, But I think the information should be collected within the two files generated, with the sepcial powershell command." - none of the three aforementioned pages on TechNet explains how signed catalog files relate to the policy, so I don't know how to configure Device Guard based on this explanation.


Regards,

Michael

August 28th, 2015 3:45am
