Device Guard Issue

Question

Wednesday, March 7, 2018 8:47 PM

I created a device guard policy using the following command

New-CIPolicy -Level FilePublisher -FilePath C:\MyCIPolicy\My_Initial_CI_Policy.xml -ScanPath C:\ -UserPEs -Fallback Hash

I set the level to FilePublisher based on the recommendation that trusting all signed apps from an ISV is not best practice. After switching the policy to Enforcement mode I ran windows update. Two updates were available.  

1. Cumulative Update for Windows
2. Definition Update for Windows Defender Antivirus

After the cumulative update was applied Cortana no longer worked. The event log shows the following

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\backgroundTaskHost.exe) attempted to load \Device\HarddiskVolume4\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h4txyewy\Cortana.Core.dll that did not meet the Enterprise signing level requirements or violated code integrity policy.

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\backgroundTaskHost.exe) attempted to load \Device\HarddiskVolume4\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h4txyewy\CortanaApi.dll that did not meet the Enterprise signing level requirements.

The definition update failed to install. The event log shows the following

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\wuauclt.exe) attempted to load \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\AM_Delta_Patch_1.263.223.0.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

I know I can add these to the Device Guard policy but I don't want to do that every time Microsoft releases a new antivirus update or cumulative patch.

Is there a way to allow Windows Updates to function properly without having to constantly update the Device Guard policy?

Thanks,
Scott

All replies (3)

Friday, March 9, 2018 1:32 AM

Hi Scott,

Yes, as you have noticed, once software is installed, it is important that you launch and configure it so that all activity is captured. Failing to do this will result in your software being allowed to install but not to run.

Try to create a CI Policy from your gold machine's Audit Logs.

Detailed steps here:

Create a code integrity policy that captures audit information from the event log

https://blogs.technet.microsoft.com/ukplatforms/2017/04/04/getting-started-with-windows-10-device-guard-part-1-of-2/

Regards

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].
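The audit-log approach the reply points to, written out as an added PowerShell example (not code from the thread or from Microsoft's guide). It assumes the files live under C:\MyCIPolicy\ and reuses the base policy file name from the original post; the event ID and rule option number are the standard Code Integrity ones.

```powershell
# Added example: supplement an existing FilePublisher policy with rules
# captured from the Code Integrity audit log, then re-enforce it.
$PolicyDir    = 'C:\MyCIPolicy'                                   # assumed
$BasePolicy   = Join-Path $PolicyDir 'My_Initial_CI_Policy.xml'   # from the post
$AuditPolicy  = Join-Path $PolicyDir 'Audit_Captured_Rules.xml'   # assumed
$MergedPolicy = Join-Path $PolicyDir 'Merged_CI_Policy.xml'       # assumed
$BinaryOut    = Join-Path $PolicyDir 'SIPolicy.p7b'

# 1. Switch the base policy to audit mode (rule option 3 = Enabled:Audit Mode).
#    Binaries that would have been blocked are logged as event 3076 but still run.
#    Deploy this build to the gold machine, run Windows Update, then exercise the
#    apps that failed under enforcement (Cortana, Defender definition install).
Set-RuleOption -FilePath $BasePolicy -Option 3
ConvertFrom-CIPolicy -XmlFilePath $BasePolicy -BinaryFilePath $BinaryOut

# 2. Review what was actually observed before trusting any of it. Only files
#    under \Windows\ or \SoftwareDistribution\ are expected from this exercise;
#    anything else in the list should be investigated, not merged.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } |
    Select-Object -ExpandProperty Message |
    Sort-Object -Unique

# 3. Turn the audited events into rules at the same FilePublisher level,
#    falling back to a hash rule only for files that carry no usable signature.
New-CIPolicy -Audit -Level FilePublisher -Fallback Hash -UserPEs -FilePath $AuditPolicy

# 4. Merge the captured rules into the base policy, remove audit mode so the
#    merged policy enforces again, and rebuild the binary for deployment.
Merge-CIPolicy -PolicyPaths $BasePolicy, $AuditPolicy -OutputFilePath $MergedPolicy
Set-RuleOption -FilePath $MergedPolicy -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryOut
```

Because step 3 trusts whatever the audit log recorded, step 2 is the control that keeps an unrelated binary observed during the audit window from becoming a permanent allow rule.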


Friday, March 9, 2018 4:22 AM

Teemo,

I'm not sure you understand the problem.

The issue is with the monthly cumulative updates Microsoft deploys. After the last cumulative update Cortana no longer works because device guard is blocking the DLL from loading because it's not signed by Microsoft.

There has to be a way to allow windows update to work without having to scan a gold image every month.

Scott


Friday, March 16, 2018 6:55 PM

Just tried applying the March patches and it failed to install two of them

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\wuauclt.exe) attempted to load \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\NIS_Delta_Patch.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

Code Integrity determined that a process (\Device\HarddiskVolume4\Windows\System32\wuauclt.exe) attempted to load \Device\HarddiskVolume4\Windows\SoftwareDistribution\Download\Install\Windows-KB890830-x64-V5.58-delta.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.

How can I get this issue resolved without having to update the Device Guard policy every month?