UJP - Technical Information 2: Enabling and disabling Device Guard and Credential Guard on Windows 10 Professional (Windows10/DeviceGuard_CredentialGuard)


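Introduction

Device Guard is a feature that was reportedly added in a Windows 10 update in 2015. With it enabled, only applications specified by the administrator can run.

Presumably that means ordinary users can no longer launch applications that have not been approved, and unapproved malware cannot run either.

However, several conditions must be met for it to work.

  • Windows 10 Enterprise or Windows 10 Education
  • 64-bit Windows 10 only
  • Windows 10 version 1607 or later
  • BIOS UEFI 2.3.1
  • TPM 2.0
  • BIOS lockdown
  • Secure Boot

These are the requirements of the security framework called Credential Guard. Device Guard reportedly requires Credential Guard.

Credential Guard reportedly uses Hyper-V, Microsoft's virtualization feature, to create a virtual machine that does nothing but manage credentials.

Here, I use a tool called the Device Guard and Credential Guard hardware readiness tool to enable Device Guard (DG) and Credential Guard (CG).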

Download

Download the tool from the following URL.

Device Guard and Credential Guard hardware readiness tool https://www.microsoft.com/en-us/download/details.aspx?id=53337

Extracting the archive gives the following directory and file layout.

[Image: DeviceGuardAndCredentialGuardHardwareReadinessTool.jpg]

This shows that the tool is written in PowerShell.

Checking the usage

Start PowerShell. Running the downloaded DG_Readiness_Tool as-is produces the following.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
How to read the output:
 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG
 2. Yellow Warnings: This device can be used to enable and use DG/CG, but additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr
 3. Green Messages: This device is fully compliant with DG/CG requirements

###########################################################################
Hardware requirements for enabling Device Guard and Credential Guard
 1. Hardware: Recent hardware that supports virtualization extension with SLAT
###########################################################################

Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path
Log file with details is found here: C:\DGLogs

To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used
Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>

To Enable only HVCI
Usage: DG_Readiness.ps1 -Enable -HVCI

To Enable only CG
Usage: DG_Readiness.ps1 -Enable -CG

To Verify if DG/CG is enabled
Usage: DG_Readiness.ps1 -Ready

To Disable DG/CG.
Usage: DG_Readiness.ps1 -Disable

To Verify if DG/CG is disabled
Usage: DG_Readiness.ps1 -Ready

To Verify if this device is DG/CG Capable
Usage: DG_Readiness.ps1 -Capable
To Verify if this device is HVCI Capable
Usage: DG_Readiness.ps1 -Capable -HVCI
To Auto reboot with each option
Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot
###########################################################################
Readiness Tool with '-capable' is run the following RegKey values are set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
CG_Capable
DG_Capable
HVCI_Capable
Value 0 = not possible to enable DG/CG/HVCI on this device
Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI
Value 2 = fully compatible for DG/CG/HVCI
###########################################################################

Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running 
with Windows 10, version 1703 or later with English localization.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Enable HVCI

Enable hypervisor-protected code integrity (HVCI) on Windows 10.

HVCI provides the following functions.

  • Protects the Control Flow Guard (CFG) bitmap from modification
  • Verifies that other trustlets, such as Credential Guard, have a valid certificate
  • Can verify that modern device drivers have an EV (Extended Validation) certificate that supports HVCI

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -HVCI
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Device Guard and Credential Guard appear to have been enabled. A reboot is required.

Checking the status

HVCI has been enabled, so let's check the current state.

PS C:\Users\ujpadmin> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Not an Admin user, pls execute this script as an Admin user exiting...
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

The error appears because the command was run as a user without admin privileges. Run PowerShell as administrator and issue the command again.

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Credential-Guard is not running.
HVCI is not running.
Config-CI is not running. (Not Enabled)
Not all services are running.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Apparently it was not running...

Enable -CG

Try enabling only Credential Guard with -Enable -CG.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -CG
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

It takes effect after a reboot.

Running -Enable

Enable DG and CG.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -enable
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Check the result.

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Credential-Guard is not running.
HVCI is not running.
Config-CI is enabled and running. (Enforced mode)
Not all services are running.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

It finally worked.
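
An independent cross-check of what -Capable and -Ready report, added here as an example (it is not part of the readiness tool or of the original page). It reads the Capabilities registry values named in the tool's usage text and the Win32_DeviceGuard CIM class, whose status codes are mapped as Microsoft documents them; the function names Get-DgCapability and Get-DgRuntimeState are hypothetical.

```powershell
# Added example, not part of DG_Readiness_Tool. Run from an elevated PowerShell prompt.

function Get-DgCapability {
    # Values written by the tool's -Capable run; the key path, value names and
    # 0/1/2 meanings are taken from the usage text shown on this page.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities'
    $meaning = @{
        0 = 'not possible to enable'
        1 = 'not fully compatible, but sufficient to enable'
        2 = 'fully compatible'
    }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'CG_Capable', 'DG_Capable', 'HVCI_Capable') {
        $value = if ($props) { $props.$name } else { $null }
        $text = if ($null -eq $value) { 'not set (run -Capable first)' } else { $meaning[[int]$value] }
        [pscustomobject]@{ Name = $name; Value = $value; Meaning = $text }
    }
}

function Get-DgRuntimeState {
    # Win32_DeviceGuard separates what is configured from what is actually running.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    $vbs = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
    $ci  = @{ 0 = 'off'; 1 = 'audit mode'; 2 = 'enforced mode' }
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        # Service IDs in the two arrays: 1 = Credential Guard, 2 = HVCI
        CredentialGuardConfigured   = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning      = $dg.SecurityServicesRunning -contains 1
        HvciConfigured              = $dg.SecurityServicesConfigured -contains 2
        HvciRunning                 = $dg.SecurityServicesRunning -contains 2
        CodeIntegrityPolicy         = $ci[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

Get-DgCapability | Format-Table -AutoSize
Get-DgRuntimeState | Format-List
```

A service that shows as configured but not running after a reboot means the setting was written but the service did not start, which is the distinction the -Ready output reports as "is not running".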


Last-modified: 2020-01-09 (Thu) 22:04:20 (JST) (945d) by nobuaki
