Search

Always Patch Before Applocker or Device Guard are Deployed.

Updated: Mar 28

Labs don't tend to follow best practice or any security standards, they're quick dirty installations for developing and messing around. Here's some food for thought the next time you're wanting to test Applocker or Windows Defender Application Control (WADC) aka Device Guard, you may wish to at least patch. For the most part deploying Domain Infrastructure, scripts and services works great, until Device Guard is deployed to an unpatched Windows 11 client.


Firstly the steps how to configure Device Guard, then the fun... DeviceGuardBasic.ps1 script can be downloaded from (here).

Run the script as Admin and point the Local GPO to Initial.bin following the help.

Device Guard is set to enforced, no audit mode for me, that's for wimps, been here hundreds of times......what's the worse that can happen..... arrghhhhh.


The first indication Windows 11 had issues was 'Settings' crashed upon opening. This isn't my first rodeo, straight to the eventlogs.


Ah, a bloodbath of red Code Integrity errors complaining that a file hasn't been signed correctly. How could this be.... the files are Microsoft files.

This doesn't look good, the digital signature can't be verified meaning the signing certificate isn't in the Root Certificate Store for the Computer.

This is not the first time I've seen the 'Microsoft Development PCA 2014' certificate. A few years back a sub-optimal Office 2016 update prevented Word, PowerPoint and Excel launching. It was Applocker protecting me from the Microsoft Development certificate that time.

Well done Microsoft, I see your test and release cycle hasn’t improved. A Windows update and all is fine….right.....as if.


I'm unable to click on the install updates button, its part of Settings and no longer accessible. Bring back Control Panel.


No way I’m waiting for Windows to get around to installing the updates by itself. The choices: Disable Device Guard by removing the GPO and deleting the SIPolicyp7b file. Create an additional policy based on hashes. Start again, 2 hours effort, most of that waiting for updates to install. Creating an additional policy based on hashes and then merging into the ‘initial’ policy allows testing Device Guard's behaviour.


Does Device Guard prevent untrusted and poorly signed files from running when hashes are present. Observed behaviour is for Device Guard policy to create hashes for unsigned files as a fallback. The new and improved Device Guard script, aptly named 'DeviceGuard-withMerge.ps1' can be downloaded from (here). The only additional lines of note are the New-CIPolicy to create only hashes for the “C\Windows\SystemApps” directory and to merge the 2 xml policy files.

New-CIPolicy -Level Hash -FilePath $HashCIPolicy -UserPEs 3> $HashCIPolicyTxt -ScanPath "C:\Windows\SystemApps\" Merge-CIPolicy -PolicyPaths $IntialCIPolicy,$HashCIPolicy -OutputFilePath $MergedCIPolicy The result, 'Settings' now works despite Microsoft's best effort to ruin my day. Creating Device Guard policies based on hashes for files incorrectly signed by Microsoft's internal development CA is resolved.


Below is the proof, 'Settings' is functional even with those dodgy files.

Conclusion: This may come as a shock to some….. Microsoft do make mistakes and release files incorrectly sighed… shocking. Device Guard will allow files to run providing the hashes are present even when incorrectly signed. Did I learn something, hell yeah. always patch before deploying Device Guard or Applocker. The time spent faffing resolving the issue far exceeded the time it would have taken to patch in the first place.

8 views0 comments

Recent Posts

See All