UJP - Technical Information 2 backup: backup diff of Windows10/DeviceGuard_CredentialGuard (No.1)

1: 2019-12-26 (Thu) 02:19:59 nobuaki
Line 1: Line 1:
 +*Enabling and disabling Device Guard and Credential Guard on Windows 10 Professional [#j2bdbd6f]
 +**Introduction [#a4f22a63]
 +
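 + Apparently a feature called Device Guard has been part of Windows 10 since the 2015 update. With this feature, only applications specified by the administrator can run.
 +
 + I suppose that means ordinary users cannot launch unapproved apps, and unapproved malware cannot run either.
 +
 + However, several requirements must be met for it to work.
 +
 +-Windows 10 Enterprise or Windows 10 Education
 +-Windows 10 must be the 64-bit edition
 +-Windows 10 1607 or later
 +-BIOS UEFI 2.3.1
 +-TPM 2.0
 +-BIOS lockdown
 +-Secure Boot
 +
 + These are the requirements of a security framework called Credential Guard. Device Guard reportedly requires Credential Guard.
 +
 + Credential Guard reportedly uses Hyper-V, Microsoft's virtualization feature, to create a virtual machine dedicated solely to managing credentials.
 +
 + This time I use a tool called the Device Guard and Credential Guard hardware readiness tool to enable Device Guard (DG) and Credential Guard (CG).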
 +
 +**Download [#od258193]
 +
 + Download the tool from the following URL.
 +
 +Device Guard and Credential Guard hardware readiness tool
 +https://www.microsoft.com/en-us/download/details.aspx?id=53337
 +
 + Extracting the file gives the following directory and file layout.
 +
 +#ref(site://modules/xelfinder/index.php?page=view&file=6577&DeviceGuardAndCredentialGuardHardwareReadinessTool.jpg,center)
 +
 + This shows that the tool is written in PowerShell.
 +
 +**Checking the usage [#v50f512c]
 +
 + Start PowerShell.
 + Running the downloaded DG_Readiness_Tool as-is, with no arguments, produces the following.
 +
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1🆑
 + ###########################################################################
 + Readiness Tool Version 3.4 Release.
 + Tool to check if your device is capable to run Device Guard and Credential Guard.
 + ###########################################################################
 + How to read the output:
 +  1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG
 +  2. Yellow Warnings: This device can be used to enable and use DG/CG, but additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr
 +  3. Green Messages: This device is fully compliant with DG/CG requirements
 +
 + ###########################################################################
 + Hardware requirements for enabling Device Guard and Credential Guard
 +  1. Hardware: Recent hardware that supports virtualization extension with SLAT
 + ###########################################################################
 +
 + Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path
 + Log file with details is found here: C:\DGLogs
 +
 + To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used
 + Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>
 +
 + To Enable only HVCI🈁
 + Usage: DG_Readiness.ps1 -Enable -HVCI
 +
 + To Enable only CG🈁
 + Usage: DG_Readiness.ps1 -Enable -CG
 +
 + To Verify if DG/CG is enabled🈁
 + Usage: DG_Readiness.ps1 -Ready
 +
 + To Disable DG/CG.🈁
 + Usage: DG_Readiness.ps1 -Disable
 +
 + To Verify if DG/CG is disabled🈁
 + Usage: DG_Readiness.ps1 -Ready
 +
 + To Verify if this device is DG/CG Capable
 + Usage: DG_Readiness.ps1 -Capable
 + To Verify if this device is HVCI Capable
 + Usage: DG_Readiness.ps1 -Capable -HVCI
 + To Auto reboot with each option
 + Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot
 + ###########################################################################
 + Readiness Tool with '-capable' is run the following RegKey values are set:
 + HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
 + CG_Capable
 + DG_Capable
 + HVCI_Capable
 + Value 0 = not possible to enable DG/CG/HVCI on this device
 + Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI
 + Value 2 = fully compatible for DG/CG/HVCI
 + ###########################################################################
 +
 + Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running
 + with Windows 10, version 1703 or later with English localization.
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
 +
 +
 +**Enable HVCI [#o00213b5]
 +
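 + Enable hypervisor-protected code integrity (HVCI) on Windows 10.
 +
 + HVCI provides the following features.
 +
 +-Protects the Control Flow Guard (CFG) bitmap against modification
 +-Verifies that other Trustlets, such as Credential Guard, have a valid certificate
 +-Can verify that modern device drivers have an EV (Extended Validation) certificate that supports HVCI.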
 +
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -HVCI🆑
 + ###########################################################################
 + Readiness Tool Version 3.4 Release.
 + Tool to check if your device is capable to run Device Guard and Credential Guard.
 + ###########################################################################
 + Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 + ###########################################################################
 + OS and Hardware requirements for enabling Device Guard and Credential Guard
 +  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 +  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 + To learn more please visit: https://aka.ms/dgwhcr
 + ###########################################################################
 +
 + Enabling Device Guard and Credential Guard🈁
 + Setting RegKeys to enable DG/CG🈁
 + Enabling Hyper-V and IOMMU
 + Enabling Hyper-V failed please check the log file
 + Please reboot the machine, for settings to be applied.🈁
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
 +
 + Device Guard and Credential Guard appear to have been enabled. A reboot is required.
 +
 +**Checking the status [#ra2dab64]
 +
 + HVCI has been enabled, so let's check the current state.
 +
 + PS C:\Users\ujpadmin> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6🆑
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready🆑
 + ###########################################################################
 + Readiness Tool Version 3.4 Release.
 + Tool to check if your device is capable to run Device Guard and Credential Guard.
 + ###########################################################################
 + Not an Admin user, pls execute this script as an Admin user exiting...🈁
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
 +
 + An error is shown because the tool was run by a user without Admin privileges.
 + Start PowerShell with administrator privileges and enter the command again.
 +
 + PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6🆑
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready🆑
 + ###########################################################################
 + Readiness Tool Version 3.4 Release.
 + Tool to check if your device is capable to run Device Guard and Credential Guard.
 + ###########################################################################
 + Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 + ###########################################################################
 + OS and Hardware requirements for enabling Device Guard and Credential Guard
 +  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 +  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 + To learn more please visit: https://aka.ms/dgwhcr
 + ###########################################################################
 +
 + Credential-Guard is not running.🈁
 + HVCI is not running.🈁
 + Config-CI is not running. (Not Enabled)
 + Not all services are running.🈁
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
 +
 + Apparently it was not running...
 +
 +**Enable -CG [#e6a209fa]
 +
 + Use Enable -CG to enable only Credential Guard.
 +
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Enable -CG🆑
 + ###########################################################################
 + Readiness Tool Version 3.4 Release.
 + Tool to check if your device is capable to run Device Guard and Credential Guard.
 + ###########################################################################
 + Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 + ###########################################################################
 + OS and Hardware requirements for enabling Device Guard and Credential Guard
 +  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 +  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 + To learn more please visit: https://aka.ms/dgwhcr
 + ###########################################################################
 +
 + Enabling Device Guard and Credential Guard
 + Setting RegKeys to enable DG/CG
 + Enabling Hyper-V and IOMMU
 + Enabling Hyper-V failed please check the log file
 + Please reboot the machine, for settings to be applied.🈁
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
 +
 + It takes effect after a reboot.
 +
 +
 +**Running Enable [#sea5dcd5]
 +
 + Enable both DG and CG.
 +
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -enable🆑
 + ###########################################################################
 + Readiness Tool Version 3.4 Release.
 + Tool to check if your device is capable to run Device Guard and Credential Guard.
 + ###########################################################################
 + Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 + ###########################################################################
 + OS and Hardware requirements for enabling Device Guard and Credential Guard
 +  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 +  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 + To learn more please visit: https://aka.ms/dgwhcr
 + ###########################################################################
 +
 + Enabling Device Guard and Credential Guard
 + Setting RegKeys to enable DG/CG
 + Enabling Hyper-V and IOMMU
 + Enabling Hyper-V failed please check the log file
 + Please reboot the machine, for settings to be applied.
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
 +
 + Let's check.
 +
 + PS C:\WINDOWS\system32> cd C:\Users\ujpadmin\Desktop\dgreadiness_v3.6
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
 + ###########################################################################
 + Readiness Tool Version 3.4 Release.
 + Tool to check if your device is capable to run Device Guard and Credential Guard.
 + ###########################################################################
 + Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization.
 + ###########################################################################
 + OS and Hardware requirements for enabling Device Guard and Credential Guard
 +  1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 +  2. Hardware: Recent hardware that supports virtualization extension with SLAT
 + To learn more please visit: https://aka.ms/dgwhcr
 + ###########################################################################
 +
 + Credential-Guard is not running.
 + HVCI is not running.
 + Config-CI is enabled and running. (Enforced mode)🈁
 + Not all services are running.
 + PS C:\Users\ujpadmin\Desktop\dgreadiness_v3.6>
 +
 + It finally worked.
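
The `-Ready` output above can be cross-checked without the tool. The following is an added example, not part of the original page or of Microsoft's readiness tool: it reads the `Capabilities` registry values named in the tool's usage text and the runtime state from the `Win32_DeviceGuard` CIM class. The function name `Get-VbsStatus` is hypothetical, and the sketch assumes an elevated PowerShell session on a Windows 10 build that exposes that class.

```powershell
# Added example (not part of the readiness tool). Run in an elevated PowerShell.
function Get-VbsStatus {
    # Meaning of the capability values, taken from the tool's usage text.
    $capText = @{
        0 = 'not possible to enable'
        1 = 'not fully compatible, but sufficient to enable'
        2 = 'fully compatible'
    }
    $capKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities'
    $caps = Get-ItemProperty -Path $capKey -ErrorAction SilentlyContinue
    foreach ($name in 'CG_Capable', 'DG_Capable', 'HVCI_Capable') {
        $value = if ($caps) { $caps.$name } else { $null }
        if ($null -eq $value) { $text = 'not set (run the tool with -Capable first)' }
        else { $text = $capText[[int]$value] }
        [pscustomobject]@{ Source = 'Registry'; Item = $name; Value = $value; Meaning = $text }
    }

    # Runtime state as reported by Windows itself.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $vbsText = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
    $ciText  = @{ 0 = 'off'; 1 = 'audit mode'; 2 = 'enforced mode' }
    $vbs = [int]$dg.VirtualizationBasedSecurityStatus
    $ci  = [int]$dg.CodeIntegrityPolicyEnforcementStatus
    [pscustomobject]@{ Source = 'Win32_DeviceGuard'; Item = 'VBS'; Value = $vbs; Meaning = $vbsText[$vbs] }
    [pscustomobject]@{ Source = 'Win32_DeviceGuard'; Item = 'Config-CI'; Value = $ci; Meaning = $ciText[$ci] }

    # SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI.
    $running    = @($dg.SecurityServicesRunning)
    $configured = @($dg.SecurityServicesConfigured)
    foreach ($svc in ([ordered]@{ 'Credential Guard' = 1; 'HVCI' = 2 }).GetEnumerator()) {
        if ($running -contains $svc.Value) { $state = 'running' }
        elseif ($configured -contains $svc.Value) { $state = 'configured but not running' }
        else { $state = 'not configured' }
        [pscustomobject]@{ Source = 'Win32_DeviceGuard'; Item = $svc.Key; Value = $svc.Value; Meaning = $state }
    }
}

Get-VbsStatus | Format-Table -AutoSize
```

A result of "configured but not running" for Credential Guard or HVCI, together with Config-CI in enforced mode, corresponds to the final `-Ready` output shown on this page.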

