UJP - Technical Notes 2: Enabling and disabling Device Guard and Credential Guard on Windows 10 Professional (Windows10/DeviceGuard_CredentialGuard)


Introduction

 Starting with the 2015 update of Windows 10, a feature called Device Guard has reportedly been added. With this feature, only applications that the administrator has specified are able to run.

 So I suppose this means ordinary users can no longer launch apps that have not been allowed, and malware that has not been allowed cannot execute either.

 However, several conditions must be met for it to work.

  • Windows 10 Enterprise or Windows 10 Education
  • 64-bit edition of Windows 10 only
  • Windows 10 version 1607 or later
  • UEFI 2.3.1 firmware
  • TPM 2.0
  • BIOS lockdown
  • Secure Boot

 These are the requirements of the Credential Guard security framework. Device Guard apparently requires Credential Guard.

 Credential Guard reportedly uses Microsoft's Hyper-V virtualization to create a virtual machine dedicated solely to managing credentials.

 This time I will try enabling Device Guard (DG) and Credential Guard (CG) using a tool called the Device Guard and Credential Guard hardware readiness tool.


Download

 Download it from the following URL.

Device Guard and Credential Guard hardware readiness tool https://www.microsoft.com/en-us/download/details.aspx?id=53337

 Extracting the file gives the following directory and file structure.

[Image: DeviceGuardAndCredentialGuardHardwareReadinessTool.jpg]

 You can see that the tool is written in PowerShell.


Checking the usage

 Start PowerShell. Running the downloaded DG_Readiness_Tool as-is produces the following.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
How to read the output:
 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG
 2. Yellow Warnings: This device can be used to enable and use DG/CG, but additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr
 3. Green Messages: This device is fully compliant with DG/CG requirements

###########################################################################
Hardware requirements for enabling Device Guard and Credential Guard
 1. Hardware: Recent hardware that supports virtualization extension with SLAT
###########################################################################

Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path
Log file with details is found here: C:\DGLogs

To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used
Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>

To Enable only HVCI
Usage: DG_Readiness.ps1 -Enable -HVCI

To Enable only CG
Usage: DG_Readiness.ps1 -Enable -CG

To Verify if DG/CG is enabled
Usage: DG_Readiness.ps1 -Ready

To Disable DG/CG.
Usage: DG_Readiness.ps1 -Disable

To Verify if DG/CG is disabled
Usage: DG_Readiness.ps1 -Ready

To Verify if this device is DG/CG Capable
Usage: DG_Readiness.ps1 -Capable
To Verify if this device is HVCI Capable
Usage: DG_Readiness.ps1 -Capable -HVCI
To Auto reboot with each option
Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot
###########################################################################
Readiness Tool with '-capable' is run the following RegKey values are set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
CG_Capable
DG_Capable
HVCI_Capable
Value 0 = not possible to enable DG/CG/HVCI on this device
Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI
Value 2 = fully compatible for DG/CG/HVCI
###########################################################################

Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Enable HVCI

 Enable hypervisor-protected code integrity (HVCI) on Windows 10.

 HVCI provides the following functions.

  • Protects the Control Flow Guard (CFG) bitmap against modification
  • Verifies that Credential Guard and other trustlets have a valid certificate
  • Verifies that the latest device drivers carry an EV (Extended Validation) certificate that supports HVCI.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -HVCI
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

 Device Guard and Credential Guard appear to have been enabled. A reboot is required.


Checking the status

 HVCI has been enabled; now let's check the current state.

PS C:\Users\ujpadmin> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Not an Admin user, pls execute this script as an Admin user exiting...
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

 An error appears because it was run as a user without admin rights. Run PowerShell as administrator and issue the command again.

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Credential-Guard is not running.
HVCI is not running.
Config-CI is not running. (Not Enabled)
Not all services are running.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

 Apparently it was not running...


Enable -CG

 Use Enable -CG to enable only Credential Guard.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -CG
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

 It becomes enabled after a reboot.


Running Enable

 Enable both DG and CG.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -enable
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

 Let's check again.

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Credential-Guard is not running.
HVCI is not running.
Config-CI is enabled and running. (Enforced mode)
Not all services are running.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

 It finally works.
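The readiness tool's -Capable run writes the Capabilities registry values listed in its usage text, and -Ready reports which services are actually running. The script below is an added example, not part of this page or of Microsoft's tool: it decodes those registry values and then queries the Win32_DeviceGuard WMI class to show the same "configured vs. running" distinction the -Ready output above reflects. It assumes Windows 10 and an elevated PowerShell session; the meaning of the Win32_DeviceGuard fields is taken from Microsoft's documentation of that class, not from this page.

```powershell
# Added example: check DG/CG readiness and runtime state without the readiness tool.
# Requires an elevated PowerShell session (the tool itself refuses to run otherwise).

$capKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities'
# Meanings as documented in the tool's own usage output (values 0/1/2).
$capMeaning = @{ 0 = 'cannot be enabled on this device'
                 1 = 'can be enabled, but not fully compatible'
                 2 = 'fully compatible' }

function Get-DgCapabilities {
    # Returns $null when the tool's -Capable option has never been run (key absent).
    if (-not (Test-Path $capKey)) { return $null }
    $props = Get-ItemProperty -Path $capKey
    foreach ($name in 'DG_Capable', 'CG_Capable', 'HVCI_Capable') {
        $value = $props.$name
        $text = if ($null -eq $value) { 'not recorded' } else { $capMeaning[[int]$value] }
        [pscustomobject]@{ Feature = $name; Value = $value; Meaning = $text }
    }
}

function Test-DgService($dg, [int]$id) {
    # SecurityServicesConfigured / SecurityServicesRunning hold 1 for Credential Guard, 2 for HVCI.
    $configured = $dg.SecurityServicesConfigured -contains $id
    $running    = $dg.SecurityServicesRunning -contains $id
    if ($running)        { 'running' }
    elseif ($configured) { 'configured but not running (reboot pending, or Hyper-V failed to enable)' }
    else                 { 'not configured' }
}

function Get-DgStatus {
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running.
    # CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbsText = @{ 0 = 'disabled'; 1 = 'enabled but not running'; 2 = 'running' }
    [pscustomobject]@{
        VBS             = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuard = Test-DgService $dg 1
        HVCI            = Test-DgService $dg 2
        ConfigCI        = @{ 0 = 'off'; 1 = 'audit'; 2 = 'enforced' }[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

$caps = Get-DgCapabilities
if ($null -eq $caps) { Write-Host "No Capabilities key: run DG_Readiness_Tool -Capable first." }
else                 { $caps | Format-Table -AutoSize }
Get-DgStatus | Format-List
Write-Host "The readiness tool's detailed log is under C:\DGLogs"
```

A "configured but not running" result after a reboot is the state the page's -Ready output shows when Hyper-V could not be enabled, which on a virtual machine usually means nested virtualization is not available to the guest.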


Last updated: 2020-01-09 (Thu) 22:04:20 (JST) by nobuaki
