Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Question
Thursday, June 23, 2016 4:37 AM
I ran these steps in generation 1 VM & in an old laptop Dell Latitude D620
$s1 = (gwmi -List Win32_ShadowCopy).Create("c:\,"ClientAccessible")
$s2 = gwmi win32_shadowcopy |? {$_.id -eq $s1.ShadowID}
$d = $s2.deviceObject + "\
Cmd /C mklink /d c:\scpy "$d"
New-CIPolicy -l PcaCertificate -f C:\IgnitePolicy.xml –s C:\scpy –u
*** Set-RuleOption –option 3 –FilePath C:\ IgnitePolicy.xml
ConvertFrom-CIPolicy C:\IgnitePolicy.xml C:\IgnitePolicy.bin
***in AUDIT MODE
*** cp C:\IgnitePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b***
****gpedit->Computer Configuration-->Administrative template->System->Device Guard->Deploy Code Integrity Policy->Enabled
provide code Integrity Policy file path: (UNC or Local)
C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
in ENFORCE MODE
Set-RuleOption –option 3 –FilePath C:\ IgnitePolicy.xml -delete
ConvertFrom-CIPolicy C:\IgnitePolicy.xml C:\IgnitePolicy.bin
cp C:\IgnitePolicy.bin c:\Windows\System32\CodeIntegrity\SIPolicy.p7b
Restarted the machine to get the result & run an unsigned app," An error in the system binary was detected...." which should not appear,
I am not getting "this program was blocked as it violates code integrity policy ....."
*** ***
***Am I missing any configuration in generation1 Vm , or in Laptop? 4 months ago, I was configuring CIPolicy in Generation 2 Vm , that time it worked, Now it is not?? Confused !! :(
All replies (5)
Saturday, June 25, 2016 4:19 AM ✅Answered
So, I guess this warning message is issue in windows 10 1511 which appears after setting up device guard in enforced mode, but this issue is not there in windows 10 10240 version which give the normal device guard blocking message.
Hopefully This issue should not disturb the signing cat file & running third party app
Tuesday, June 28, 2016 3:53 AM ✅Answered
Hi Kate Li,
I created the CI Policy within 1511 itself.
It has been observed by me that no matter how I create my CIPolicy, its the same error message in windows 10 1511.
Microsoft should be aware of this issue
Monday, June 27, 2016 11:51 AM
Hi,
I just would like to confirm that if you create your code integrity policy on the machine with 1511 installed before this deployment.
Since there could be some changes from 10240 to 1511, please re-create the code integrity policy on the reference device with 1511, then try again in your test machine:
Please mark the reply as an answer if you find it is helpful.
If you have feedback for TechNet Support, contact [email protected]
Tuesday, June 28, 2016 4:38 AM
Hi,
Thanks for your testing, please post your issue on Windows Feedback App and also I will also submit this feedback in our channel.
Thanks for your feedback on this issue.
Please mark the reply as an answer if you find it is helpful.
If you have feedback for TechNet Support, contact [email protected]
Tuesday, June 28, 2016 4:53 PM
OK Kate Lee, I will do that, that should be corrected, as it may lead IT admin to think that there is some error in device guard enforcement ,,but it is not