1: 2019-12-26 (Thu) 02:19:59 nobuaki
*Enabling and disabling Device Guard and Credential Guard on Windows 10 Professional [#j2bdbd6f]
**Introduction [#a4f22a63]

Apparently a feature called Device Guard was added in the 2015 Windows 10 update. With this feature, only applications the administrator has designated can run.

I take that to mean ordinary users can no longer launch apps that have not been allowed, and malware that has not been allowed cannot execute either.

However, several conditions have to be met for it to work.

-Windows 10 Enterprise or Windows 10 Education
-64-bit editions of Windows 10 only
-Windows 10 1607 or later
-BIOS: UEFI 2.3.1
-TPM 2.0
-BIOS lockdown
-Secure Boot

These are the requirements of the Credential Guard security framework, and Device Guard in turn requires Credential Guard, it seems.

Credential Guard uses Microsoft's Hyper-V virtualization to create a virtual machine whose only job is to manage credentials.

This time I'll try enabling Device Guard (DG) and Credential Guard (CG) with a tool called the Device Guard and Credential Guard hardware readiness tool.

**Download [#od258193]

Download it from the following URL.

Device Guard and Credential Guard hardware readiness tool
https://www.microsoft.com/en-us/download/details.aspx?id=53337

Extracting the file gives the following directory and file layout.

#ref(site://modules/xelfinder/index.php?page=view&file=6577&DeviceGuardAndCredentialGuardHardwareReadinessTool.jpg,center)

You can see the tool is written in PowerShell.

**Checking the usage [#v50f512c]

Start PowerShell.
Running the downloaded DG_Readiness_Tool with no arguments produces the following.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1🆑
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
How to read the output:
1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG
2. Yellow Warnings: This device can be used to enable and use DG/CG, but additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr
3. Green Messages: This device is fully compliant with DG/CG requirements

###########################################################################
Hardware requirements for enabling Device Guard and Credential Guard
1. Hardware: Recent hardware that supports virtualization extension with SLAT
###########################################################################

Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path
Log file with details is found here: C:\DGLogs

To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used
Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>

To Enable only HVCI🈁
Usage: DG_Readiness.ps1 -Enable -HVCI

To Enable only CG🈁
Usage: DG_Readiness.ps1 -Enable -CG

To Verify if DG/CG is enabled🈁
Usage: DG_Readiness.ps1 -Ready

To Disable DG/CG.🈁
Usage: DG_Readiness.ps1 -Disable

To Verify if DG/CG is disabled🈁
Usage: DG_Readiness.ps1 -Ready

To Verify if this device is DG/CG Capable
Usage: DG_Readiness.ps1 -Capable
To Verify if this device is HVCI Capable
Usage: DG_Readiness.ps1 -Capable -HVCI
To Auto reboot with each option
Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot
###########################################################################
Readiness Tool with '-capable' is run the following RegKey values are set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
CG_Capable
DG_Capable
HVCI_Capable
Value 0 = not possible to enable DG/CG/HVCI on this device
Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI
Value 2 = fully compatible for DG/CG/HVCI
###########################################################################

Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running
with Windows 10, version 1703 or later with English localization.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>


**Enable HVCI [#o00213b5]

Enable Hypervisor-protected Code Integrity (HVCI) on Windows 10.

HVCI provides the following functions.

-Protects the Control Flow Guard (CFG) bitmap against modification
-Verifies that Credential Guard and other trustlets have valid certificates
-Can confirm that the latest device drivers carry an EV (Extended Validation) certificate that supports HVCI.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -HVCI🆑
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard🈁
Setting RegKeys to enable DG/CG🈁
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.🈁
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

It looks like Device Guard and Credential Guard have been enabled. A reboot is required.

**Checking the status [#ra2dab64]

HVCI has been enabled, so let's check the current state.

PS C:\Users\ujpadmin> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6🆑
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready🆑
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Not an Admin user, pls execute this script as an Admin user exiting...🈁
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

An error appears because it was run as a user without admin rights.
Run PowerShell as administrator and enter the command again.

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6🆑
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready🆑
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Credential-Guard is not running.🈁
HVCI is not running.🈁
Config-CI is not running. (Not Enabled)
Not all services are running.🈁
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

It seems it wasn't running...

**Enable -CG [#e6a209fa]

With Enable -CG, try enabling only Credential Guard.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -CG🆑
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.🈁
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

It becomes effective after a reboot.


**Running Enable [#sea5dcd5]

Enable both DG and CG.

PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -enable🆑
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Enabling Device Guard and Credential Guard
Setting RegKeys to enable DG/CG
Enabling Hyper-V and IOMMU
Enabling Hyper-V failed please check the log file
Please reboot the machine, for settings to be applied.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

Let's check.

PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Credential-Guard is not running.
HVCI is not running.
Config-CI is enabled and running. (Enforced mode)🈁
Not all services are running.
PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>

It finally works.
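To confirm the outcome without relying only on the tool's summary lines, here is an added PowerShell example (not part of the original page or of Microsoft's readiness tool). It reads the Capabilities registry values that the tool's -Capable option writes, as listed in its usage text above, and compares them with what Windows itself reports through the Win32_DeviceGuard WMI class, which is the check that matters after the "Setting RegKeys" step and the reboot. It assumes the tool has already been run with -Capable and that PowerShell is started as administrator.

```powershell
# Added example: cross-check the readiness tool's registry results against the
# VBS state Windows reports. Not part of the original page or the readiness tool.

function Get-DgCgCapability {
    # Values written by DG_Readiness_Tool -Capable (meaning taken from the tool's usage text):
    # 0 = cannot enable, 1 = sufficient but not fully compatible, 2 = fully compatible
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities'
    $meaning = @{ 0 = 'not possible'; 1 = 'sufficient, not fully compatible'; 2 = 'fully compatible' }
    $result = @{}
    foreach ($name in 'CG_Capable', 'DG_Capable', 'HVCI_Capable') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $value) { $result[$name] = 'not set (run the tool with -Capable first)' }
        else { $result[$name] = "$value ($($meaning[[int]$value]))" }
    }
    return $result
}

function Get-DgCgRunningState {
    # Win32_DeviceGuard is the WMI class Windows uses to report virtualization-based security.
    # SecurityServicesConfigured/Running contain 1 for Credential Guard and 2 for HVCI;
    # CodeIntegrityPolicyEnforcementStatus is 2 when the CI policy is enforced.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $vbs = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
    return [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured   = $dg.SecurityServicesConfigured -contains 1
        CredentialGuardRunning      = $dg.SecurityServicesRunning    -contains 1
        HvciConfigured              = $dg.SecurityServicesConfigured -contains 2
        HvciRunning                 = $dg.SecurityServicesRunning    -contains 2
        CodeIntegrityPolicyEnforced = $dg.CodeIntegrityPolicyEnforcementStatus -eq 2
    }
}

$cap   = Get-DgCgCapability
$state = Get-DgCgRunningState
$cap.GetEnumerator() | ForEach-Object { '{0,-13} {1}' -f $_.Key, $_.Value }
$state | Format-List

# "Configured" true with "Running" false after the reboot means the registry keys were set
# but the hypervisor never started (the "Enabling Hyper-V failed" case seen above), so
# check C:\DGLogs and the VM or firmware virtualization settings before relying on it.
```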
Current revision: 2020-01-09 (Thu) 22:04:20 nobuaki