UJP - 技術情報2 編集 : Windows10/DeviceGuard

Windows10/DeviceGuard_CredentialGuard の編集

詳細な入力項目を表示

ページタイトル( 空白で自動設定 ):
ページ頭文字読み: ページ並び順( 0-9 小数可標準:1 ):
ページ別名(複数は[改行]で区切る):

ページ内容:

*Windows 10 Professionalで，Device GuardとCredential Guardを有効にしたり無効にしたりする [#j2bdbd6f]

**はじめに [#a4f22a63]

2015年のWindows 10のアップデートから，Device Guardという機能が追加されているそうだ．この機能は，管理者が指定したアプリケーションしか動作しなくなる．

一般ユーザが許可してないアプリを起動できなくなるし，許可してないマルウェアも実行できなくなるということかな．

ただし，動作させるためには諸条件をクリアする必要がある．

-Windows 10 EnterpriseやWindows 10 Education
-Windows 10は64bit版に限る
-Windows 10 1607以降
-BIOS UEFI 2.3.1
-TPM2.0
-BIOSロックダウン
-セキュアブート

これらはCredentilal Guardというセキュリティフレームワークの必要要件．Device GuardはCredential Guardが必要ということだそうです．

Credential GuardはMicrosoftの仮想化機能のHyper-Vを使って，認証情報を管理するだけの仮想マシンを作るそうだ．

今回は，Device Guard and Credential Guard hardware readiness toolというツールを使って，Device Guard(DG)やCredential Guard(CG)を有効にしてみる．

**入手 [#od258193]

以下のURLからダウンロードする．

Device Guard and Credential Guard hardware readiness tool
https://www.microsoft.com/en-us/download/details.aspx?id=53337

ファイルを展開すると，次のようなディレクトリ＆ファイル構成．

#ref(site://modules/xelfinder/index.php?page=view&file=6577&DeviceGuardAndCredentialGuardHardwareReadinessTool.jpg,center)

ツールはPowerShellで作成されていることがわかる．

**Usageを確認 [#v50f512c]

PowerShellを起動する．
　入手したDG_Readiness_Toolそのまま実行すると，次のようになる．

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1🆑
 ###########################################################################
 Readiness Tool Version 3.4 Release.
 Tool to check if your device is capable to run Device Guard and Credential Guard.
 ###########################################################################
 How to read the output:
  1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG
  2. Yellow Warnings: This device can be used to enable and use DG/CG, but additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr
  3. Green Messages: This device is fully compliant with DG/CG requirements
 
 ###########################################################################
 Hardware requirements for enabling Device Guard and Credential Guard
  1. Hardware: Recent hardware that supports virtualization extension with SLAT
 ###########################################################################
 
 Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path
 Log file with details is found here: C:\DGLogs
 
 To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used
 Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>
 
 To Enable only HVCI🈁
 Usage: DG_Readiness.ps1 -Enable -HVCI
 
 To Enable only CG🈁
 Usage: DG_Readiness.ps1 -Enable -CG
 
 To Verify if DG/CG is enabled🈁
 Usage: DG_Readiness.ps1 -Ready
 
 To Disable DG/CG.🈁
 Usage: DG_Readiness.ps1 -Disable
 
 To Verify if DG/CG is disabled🈁
 Usage: DG_Readiness.ps1 -Ready
 
 To Verify if this device is DG/CG Capable
 Usage: DG_Readiness.ps1 -Capable
 To Verify if this device is HVCI Capable
 Usage: DG_Readiness.ps1 -Capable -HVCI
 To Auto reboot with each option
 Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot
 ###########################################################################
 Readiness Tool with '-capable' is run the following RegKey values are set:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
 CG_Capable
 DG_Capable
 HVCI_Capable
 Value 0 = not possible to enable DG/CG/HVCI on this device
 Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI
 Value 2 = fully compatible for DG/CG/HVCI
 ###########################################################################
 
 Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running 
 with Windows 10, version 1703 or later with English localization.
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

**Enable HVCI [#o00213b5]

Windows 10でハイパーバイザーで保護されているコード整合性 (HVCI) を有効にする．

HVCIには次ような機能がある．

-コード フロー ガード (CFG) ビットマップの変更を保護する
-Credential Guard などその他の Truslets に有効な証明書があることを確認する
-HVCI をサポートしたEV (拡張検証) 証明書が最新のデバイス ドライバにあることを確認できる．

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -HVCI🆑
 ###########################################################################
 Readiness Tool Version 3.4 Release.
 Tool to check if your device is capable to run Device Guard and Credential Guard.
 ###########################################################################
 Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 ###########################################################################
 OS and Hardware requirements for enabling Device Guard and Credential Guard
  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 To learn more please visit: https://aka.ms/dgwhcr
 ###########################################################################
 
 Enabling Device Guard and Credential Guard🈁
 Setting RegKeys to enable DG/CG🈁
 Enabling Hyper-V and IOMMU
 Enabling Hyper-V failed please check the log file
 Please reboot the machine, for settings to be applied.🈁
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Device GuardとCredential Guardが有効になった模様．リブートが必要．

**状態を確認 [#ra2dab64]

HVCIを有効にしたが，現在の状態を確認してみる．

PS C:\Users\ujpadmin> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6🆑
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready🆑
 ###########################################################################
 Readiness Tool Version 3.4 Release.
 Tool to check if your device is capable to run Device Guard and Credential Guard.
 ###########################################################################
 Not an Admin user, pls execute this script as an Admin user exiting...🈁
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Admin権限のないユーザで実行した場合にエラーがでている．
　PowerShellを管理者権限で実行して，再度コマンドを投入する．

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6🆑
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready🆑
 ###########################################################################
 Readiness Tool Version 3.4 Release.
 Tool to check if your device is capable to run Device Guard and Credential Guard.
 ###########################################################################
 Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 ###########################################################################
 OS and Hardware requirements for enabling Device Guard and Credential Guard
  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 To learn more please visit: https://aka.ms/dgwhcr
 ###########################################################################
 
 Credential-Guard is not running.🈁
 HVCI is not running.🈁
 Config-CI is not running. (Not Enabled)
 Not all services are running.🈁
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

動作してなかった模様．．．

**Enable -CG [#e6a209fa]

Enable -CGによって，Credential Guardのみ有効にしてみる．

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -CG🆑
 ###########################################################################
 Readiness Tool Version 3.4 Release.
 Tool to check if your device is capable to run Device Guard and Credential Guard.
 ###########################################################################
 Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 ###########################################################################
 OS and Hardware requirements for enabling Device Guard and Credential Guard
  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 To learn more please visit: https://aka.ms/dgwhcr
 ###########################################################################
 
 Enabling Device Guard and Credential Guard
 Setting RegKeys to enable DG/CG
 Enabling Hyper-V and IOMMU
 Enabling Hyper-V failed please check the log file
 Please reboot the machine, for settings to be applied.🈁
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

リブートすることで有効になる．

**Enableを実行 [#sea5dcd5]

DGおよびCGを有効にする．

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -enable🆑
 ###########################################################################
 Readiness Tool Version 3.4 Release.
 Tool to check if your device is capable to run Device Guard and Credential Guard.
 ###########################################################################
 Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 ###########################################################################
 OS and Hardware requirements for enabling Device Guard and Credential Guard
  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 To learn more please visit: https://aka.ms/dgwhcr
 ###########################################################################
 
 Enabling Device Guard and Credential Guard
 Setting RegKeys to enable DG/CG
 Enabling Hyper-V and IOMMU
 Enabling Hyper-V failed please check the log file
 Please reboot the machine, for settings to be applied.
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

確認してみる．

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6🆑
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready🆑
 ###########################################################################
 Readiness Tool Version 3.4 Release.
 Tool to check if your device is capable to run Device Guard and Credential Guard.
 ###########################################################################
 Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 ###########################################################################
 OS and Hardware requirements for enabling Device Guard and Credential Guard
  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 To learn more please visit: https://aka.ms/dgwhcr
 ###########################################################################
 
 Credential-Guard is not running.
 HVCI is not running.
 Config-CI is enabled and running. (Enforced mode)🈁
 Not all services are running.
 PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

やっと動いた．

編集の要約:

Q & A 認証: ページ更新時は次の質問にお答えください。(プレビュー時は必要ありません)
Q: 日本の首都は？(漢字で)
A:

お名前: タイムスタンプを変更しない