
Enterprise Mobility + Security


We are excited to share information on how to deploy Device Guard on Windows 10 devices managed by Configuration Manager, using existing capabilities in System Center 2012 R2 Configuration Manager SP1.

Why Device Guard?

Device Guard is a new feature of Windows 10 that provides better security against malware and zero-day attacks by blocking anything other than trusted apps. You are in control of what apps Device Guard considers trustworthy, either via vendor or Windows Store digital signatures, or via an easy process by which you can sign apps to be trusted by Device Guard.

Device Guard can use hardware technology and virtualization to further isolate the Windows components which determine whether apps are trustworthy, which helps provide protection from attackers or malware that have elevated privileges. This gives Device Guard a significant advantage over traditional anti-malware and app control technologies like AppLocker, which can be subject to tampering by elevated users or processes.

See the following article for more information on Windows 10 Device Guard: https://msdn.microsoft.com/en-us/library/dn986865.aspx.

Manage Device Guard with Configuration Manager

You can use Configuration Manager today to help deploy Device Guard and Device Guard-enabled apps in your environment. Configuration Manager assists with the following scenarios:

  • Determine which clients meet the prerequisites to support Device Guard
  • Enable Device Guard settings
  • Deploy Device Guard policy
  • Deploy Device Guard-enabled apps

Let’s look at each of these in more detail.


Determine applicable systems

Windows 10 clients must have specific properties to ensure that they will successfully enable Device Guard. These system attributes can be reported using a Compliance Baseline or custom hardware inventory. We’ll use the latter to show what is needed.

  • Open the Configuration Manager Console, switch to the Administration workspace, and select Client Settings. For purposes of this demonstration, let’s just open properties of the Default Client Settings (but understand that you could create a custom client device setting for this purpose).
  • Select the Hardware Inventory group, and then click Set Classes.
  • Device Guard includes a WMI class to query its configuration and management state, which can be added as a custom hardware inventory class. Click Add.
  • Click Connect. If you are running the console on a Windows 10 client, then keep the local computer name. Otherwise, you will need to specify the name of a remote Windows 10 client. In either case, the WMI namespace is root\Microsoft\Windows\DeviceGuard.
  • Select the Win32_DeviceGuard class.
  • Click OK to save everything.

Once clients run the hardware inventory cycle they will start reporting back the new Device Guard class. You can see it in Resource Explorer against a Windows 10 client:

With this inventory data you can build custom reports or create collections. Having a collection is beneficial as it can then be used to target deployments. The following collection query selects clients whose AvailableSecurityProperties value includes 1 (hypervisor support is available) and 3 (DMA protection is available):

SELECT SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name, SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client FROM SMS_R_System INNER JOIN SMS_G_System_DEVICE_GUARD ON SMS_G_System_DEVICE_GUARD.ResourceId = SMS_R_System.ResourceId WHERE (SMS_G_System_DEVICE_GUARD.AvailableSecurityProperties like "%1%" and SMS_G_System_DEVICE_GUARD.AvailableSecurityProperties like "%3%")
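The same readiness test can be run on a single machine before its inventory reaches the site. The script below is an added example, not code from the original post: it reads the Win32_DeviceGuard class locally, names the codes it finds, and applies the same "1 and 3 present" rule as the collection query. The code-to-name mappings follow the documented Win32_DeviceGuard properties; the function name and the default required set are this example's own choices. Run it from an elevated PowerShell prompt on a Windows 10 client.

```powershell
# Added example (not from the original post): local equivalent of the
# Device Guard collection query. Requires Windows 10 and an elevated prompt.

function Test-DeviceGuardReadiness {
    [CmdletBinding()]
    param(
        # Codes that must appear in AvailableSecurityProperties.
        # 1 = hypervisor support, 3 = DMA protection (the pair the collection
        # query tests). Add 2 if you will set RequirePlatformSecurityFeatures=2,
        # which also requires Secure Boot.
        [int[]]$RequiredProperties = @(1, 3)
    )

    # Code-to-name mappings as documented for Win32_DeviceGuard.
    $propertyNames = @{
        1 = 'Hypervisor support'
        2 = 'Secure Boot'
        3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'
        5 = 'NX protection'
        6 = 'SMM mitigations'
        7 = 'Mode Based Execution Control'
    }
    $vbsStatus    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity' }

    # Same class and namespace the hardware inventory collects.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # The collection query has to substring-match the inventoried value; here we
    # have the real array and can test membership exactly. Cast to [int] so the
    # hashtable lookups match the literal integer keys above.
    $available = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    $missing   = @($RequiredProperties | Where-Object { $available -notcontains $_ })

    $describe = { if ($propertyNames.ContainsKey($_)) { $propertyNames[$_] } else { "Unknown ($_)" } }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        AvailableProperties = @($available | ForEach-Object $describe)
        MissingProperties   = @($missing   | ForEach-Object $describe)
        Eligible            = ($missing.Count -eq 0)
        VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured  = @($dg.SecurityServicesConfigured | ForEach-Object { $serviceNames[[int]$_] })
        ServicesRunning     = @($dg.SecurityServicesRunning    | ForEach-Object { $serviceNames[[int]$_] })
    }
}

Test-DeviceGuardReadiness | Format-List
```

Eligible is true only when every required code is present; MissingProperties tells you which prerequisite a non-eligible machine lacks, and the two Services* fields show what is configured and what is actually running after the policy is applied, which is the quickest way to confirm that HVCI came up after the restart.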


Deploy Device Guard Configurations

Device Guard configurations can be applied to a device during initial deployment of Windows 10, or can be deployed to a Windows 10 device that is already operational. There are two primary ways to accomplish this: write a script and deploy that via a package or application, or use the Configuration Manager task sequence. We recommend including the configuration steps into your Windows 10 deployment task sequence so that Device Guard is enabled by default.

The first prerequisite is Hyper-V Hypervisor (Microsoft-Hyper-V-Hypervisor feature), which is used by Device Guard to protect and isolate specific Windows components and processes from the high-level OS. Currently, the task sequence does not support installation of the Hyper-V Hypervisor feature because it requires two restarts. Your options for enabling the Hyper-V Hypervisor prerequisite are:

  • If you have a custom image of Windows 10, enable Hyper-V Hypervisor in the captured image
  • Enable the Hyper-V Hypervisor feature in a custom Unattend.xml answer file during the Windows 10 deployment
  • For an operational system that does not already have this feature enabled, create a simple script which calls DISM to enable the Hyper-V Hypervisor feature, and deploy that script as a package or application.

(NOTE: you do not need the entire Hyper-V feature or even the entire Hyper-V Platform, just the Hyper-V Hypervisor feature.)

The second requirement is generating the Device Guard code integrity policy. See the Device Guard documentation for more information on this process. From here on, we refer to this policy file as SIPolicy.p7b.

Once the Hyper-V Hypervisor is installed, the following task sequence steps are needed to enable Device Guard settings and apply the Device Guard policy.

Device Guard Task Sequence Steps:

All of the following steps except the last are of type Run Command Line.

  • Enable Isolated User Mode Feature
    dism.exe /Online /Enable-Feature /FeatureName:IsolatedUserMode /All /NoRestart
  • Enable Virtualization Based Security
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
  • Require Platform Security Features (2 = Secure Boot and DMA protection; use 1 to require Secure Boot only)
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 2 /f
  • Enable Hypervisor-Enforced Code Integrity
    reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
  • Install Code Integrity Policy
    xcopy \\server\share\SIPolicy.p7b C:\Windows\System32\CodeIntegrity\ /y

    • NOTE: you will need to put the SIPolicy.p7b file on a real file share and update the path accordingly. Also remember that the task sequence runs in the context of Local System, so you need to make sure that the computer account (for example, domain\computername$) has read permission on the share and the file.
  • Restart Computer
    • Be sure to select the option "The currently installed default operating system".
    • You can configure the notification and timer options as needed.

NOTE: ongoing management and enforcement of these settings and the policy file can be configured via Active Directory group policy under Computer Configuration > Administrative Templates > System > Device Guard.
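For machines that are already running, the post's other option is to deploy a script as a package or application. The script below is an added example, not code from the original post: it performs the same steps as the task sequence above (including the Hyper-V Hypervisor prerequisite that the task sequence cannot install), using the DISM PowerShell cmdlets and the registry provider, and returns exit code 3010 so Configuration Manager records a pending restart. The share path \\server\share\SIPolicy.p7b is a placeholder, as in the post, and the script assumes it runs elevated (as Local System when deployed by Configuration Manager, so the computer account needs read access to the share).

```powershell
# Added example (not from the original post): the Device Guard task sequence
# steps as one script for deployment as a package/program or application.
# Assumes Windows 10, elevated/SYSTEM context, and a reachable policy share.

param(
    [string]$PolicySource = '\\server\share\SIPolicy.p7b',   # placeholder path
    # 2 = require Secure Boot and DMA protection, 1 = require Secure Boot only
    [ValidateSet(1, 2)][int]$RequirePlatformSecurityFeatures = 2
)

$ErrorActionPreference = 'Stop'
$restartNeeded = $false

# 1. Hyper-V Hypervisor (prerequisite) and Isolated User Mode, with the
#    reboots deferred so a single restart at the end covers everything.
foreach ($feature in 'Microsoft-Hyper-V-Hypervisor', 'IsolatedUserMode') {
    try {
        $info = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction Stop
    } catch {
        # Later Windows 10 builds no longer expose IsolatedUserMode as a separate feature.
        Write-Warning "Feature $feature is not present on this build; skipping"
        continue
    }
    if ($info.State -eq 'Enabled') {
        Write-Host "$feature already enabled"
        continue
    }
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $feature -All -NoRestart
    if ($result.RestartNeeded) { $restartNeeded = $true }
}

# 2. VBS, required platform security features, and HVCI. These are the same
#    values the reg.exe steps set; they take effect at the next boot.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
$settings = @{
    EnableVirtualizationBasedSecurity = 1
    RequirePlatformSecurityFeatures   = $RequirePlatformSecurityFeatures
    HypervisorEnforcedCodeIntegrity   = 1
}
foreach ($name in $settings.Keys) {
    Set-ItemProperty -Path $key -Name $name -Value $settings[$name] -Type DWord
}
$restartNeeded = $true

# 3. Code integrity policy. Copy-Item fails (and the script stops) if the
#    computer account cannot read the share, which is the usual deployment error.
$policyDest = Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b'
Copy-Item -Path $PolicySource -Destination $policyDest -Force
if ((Get-Item $policyDest).Length -eq 0) { throw "Policy copy at $policyDest is empty" }

# 4. Echo what was set so it appears in the deployment log.
Get-ItemProperty -Path $key |
    Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, HypervisorEnforcedCodeIntegrity |
    Format-List | Out-String | Write-Host
Write-Host "Policy installed: $policyDest"

# 3010 = success, restart required (recognised by Configuration Manager).
if ($restartNeeded) { exit 3010 }
exit 0
```

Deploy it with a program command line such as powershell.exe -ExecutionPolicy Bypass -File Enable-DeviceGuard.ps1 and set the program's "After running" behaviour to restart, or leave the restart to a maintenance window; the registry values and the policy file only take effect after that reboot, which is why the script does not attempt to verify HVCI itself.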


Deploy a Device Guard-enabled App

Once Device Guard is enabled and the policy applied, Windows 10 will restrict the apps that can launch on the device. (NOTE: Applications that are signed by the Windows Store are not subject to Code Integrity policy. To allow or block Windows Store signed apps, use AppLocker.) For applications that are not digitally signed, or that are signed with a certificate that is not included in the Code Integrity policy, the Device Guard documentation details a process by which you can generate a catalog file that defines the app for Device Guard. This catalog can then be signed and distributed along with the app to allow it to run on a Device Guard-protected system.

You can easily distribute signed catalogs by leveraging the inherent capabilities of a Configuration Manager application. Put the catalog into the same directory as the app installation source.

  • Create the application (in this demonstration we’re using 7-Zip)
  • Create one deployment type with the command line to install the app per normal
  • Create a second deployment type (script) using the same content directory with the following command line:
    cmd /c xcopy 7Zip-InspectedPackage.cat C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\ /y
  • Other options that can be configured on this DT to fully leverage the capabilities of the Configuration Manager application model:
    • Detection Method: the catalog file exists in the catroot folder
    • Requirements: Operating system is Windows 10
  • Make the first “install” DT dependent upon the second DT. This will cause the catalog to be copied and then the setup command line run
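The xcopy command line above copies whatever catalog is in the content directory. The script below is an added example, not code from the original post, that can replace it as the catalog deployment type's install command: it only installs the catalog if it is signed by the certificate you expect, and it includes the "file exists in catroot" check as a function that doubles as the detection-method script. The catalog file name is the post's 7-Zip example; the signer thumbprint is a placeholder to replace with the thumbprint of your catalog signing certificate.

```powershell
# Added example (not from the original post): install a signed catalog into the
# catroot folder for a Configuration Manager deployment type, refusing catalogs
# that are unsigned, tampered, or signed by an unexpected certificate.

param(
    [string]$CatalogName        = '7Zip-InspectedPackage.cat',
    [string]$ExpectedThumbprint = '0000000000000000000000000000000000000000'   # placeholder
)

$ErrorActionPreference = 'Stop'

# Subfolder Windows uses for installed catalogs (same one the xcopy step targets).
$catRoot = Join-Path $env:SystemRoot 'System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}'

function Test-CatalogInstalled([string]$Name) {
    # Equivalent of the deployment type's detection method.
    Test-Path (Join-Path $catRoot $Name)
}

function Install-SignedCatalog([string]$SourcePath, [string]$Thumbprint) {
    # A .cat file is a signed PKCS#7 blob, so WinVerifyTrust (via
    # Get-AuthenticodeSignature) can check its signature and report the signer.
    $sig = Get-AuthenticodeSignature -FilePath $SourcePath
    if ($sig.Status -in 'NotSigned', 'HashMismatch' -or $null -eq $sig.SignerCertificate) {
        throw "$SourcePath is unsigned or tampered ($($sig.Status)); Device Guard will not trust it"
    }
    # The thumbprint comparison is the real control: an internal CA may not be
    # trusted for general purposes on the client, so Status alone is not enough.
    if ($sig.SignerCertificate.Thumbprint -ne $Thumbprint) {
        throw "Unexpected signer $($sig.SignerCertificate.Thumbprint) on $SourcePath"
    }
    Copy-Item -Path $SourcePath -Destination $catRoot -Force
    Write-Host "Installed $SourcePath (signer: $($sig.SignerCertificate.Subject)) to $catRoot"
}

# The deployment type runs the script from its content directory, so the
# catalog sits next to the script.
$source = Join-Path $PSScriptRoot $CatalogName
if (Test-CatalogInstalled $CatalogName) {
    Write-Host "$CatalogName already present in $catRoot"
} else {
    Install-SignedCatalog -SourcePath $source -Thumbprint $ExpectedThumbprint
}
exit 0
```

Use it as the deployment type's install command line (for example, powershell.exe -ExecutionPolicy Bypass -File Install-Catalog.ps1) and keep the detection method as the file-exists rule the post describes, or point a script detection at Test-CatalogInstalled; the install DT stays dependent on this DT exactly as before.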

Conclusion

As we said above this can be used right now with in-market versions of Configuration Manager to support Device Guard. We are investigating more integrated support for Device Guard in a future release of Configuration Manager.


Contributors:

  • Aaron Czechowski, Senior Program Manager, Enterprise Client Management
  • Dune Desormeaux, Program Manager, Enterprise Client Management
  • Nazmus Sakib, Program Manager, Windows Enterprise and Security
  • Jeffrey Sutherland, Principal Program Manager Lead, Windows Enterprise and Security


Configuration Manager Resources

Documentation Library for System Center 2012 Configuration Manager

System Center 2012 Configuration Manager Forums

System Center 2012 Configuration Manager Survival Guide

System Center Configuration Manager Support

Submit Configuration Manager Product Ideas

Report Configuration Manager Product Issues

This posting is provided “AS IS” with no warranties and confers no rights.