Windows 10 Device Guard

Device Guard primarily prevents unsigned code from running on Windows. It’s like AppLocker on steroids. When configured properly, it virtually eliminates all virus and malware threats. It’s not for everyone, however, and can really mess up your computers if not configured correctly. You should test Device Guard policies extensively before deployment.

System Requirements

To activate Device Guard, you must be running Windows 10 Enterprise or Education 64-bit. It MUST be the Enterprise or Education SKU – it is not available on Pro. Next, your systems must boot with UEFI and have Secure Boot enabled. Though not required, you should also password-protect your firmware and prevent the device from booting from anything other than the hard drive.

If you have your own line-of-business applications, you will need a code signing certificate to sign these apps.

How it Works

Essentially, Device Guard prevents anything that is not signed from running. You also specify which certificates are valid code-signing certificates, so it is not enough for a binary to be signed by just anyone. You sign your LOB apps with these certificates, and they can execute. For example, if I enable Device Guard but don’t trust the certificate that the Mozilla Firefox installer is signed with, I will not be able to install it.

You define a code integrity policy that gets deployed to your machines, either by Group Policy or some other method. This policy is defined using an XML file, which you can also sign, making it even more secure. The XML file can be deployed as part of a CAB to your machines.

Create Code Integrity Policy

To create a policy, configure a “master” machine with all of your required software installed. You only need a few commands to create the policy. First, create it by using:

New-CIPolicy -Level PcaCertificate -FilePath <path to store XML file> -UserPEs 3> <path to warning log>

# -UserPEs is a switch (it scans user-mode binaries as well as kernel-mode ones);
# "3>" redirects the warning stream, which lists files that could not be scanned, to a log file.

Next, convert it to a binary format:

ConvertFrom-CIPolicy -XmlFilePath <path to created XML file> -BinaryFilePath <output binary file>

You will need the binary file for your deployment. You need to hold on to the XML as well, though, as you’ll need it later.

Auditing Code Integrity Policy

You should always run these policies in audit mode first to determine if you missed anything. To run a policy in audit mode, copy the output binary to C:\Windows\system32\CodeIntegrity.

Next, open your local group policy editor by running gpedit.msc. Navigate to Computer Configuration > Administrative Templates > System > Device Guard. Enable the “Define Code Integrity Policy” setting and set it to the path mentioned above.


A newly created policy is in audit mode by default. To put the policy in enforcement mode, run this command from PowerShell:

Set-RuleOption -FilePath <path to XML file> -Option 3 -Delete

This cmdlet removes rule option 3 (the line called Enabled:Audit Mode) from the XML file, which makes the policy enforced. After running it, run the convert command again to turn the XML back into a binary and redeploy it.
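The create, audit and enforce steps above, scripted end to end as an added example (this is not the post’s own code). It also goes one step beyond the post by turning the audit-mode events into extra rules and merging them into the base policy before enforcement. All file paths, the warning-log name and the function names are assumptions for this example.

```powershell
# Added example, not from the original post. Paths below are assumptions; adjust them.
$PolicyXml = 'C:\CIPolicy\InitialPolicy.xml'   # policy created on the reference machine
$AuditXml  = 'C:\CIPolicy\AuditAdditions.xml'  # rules generated from audit events
$MergedXml = 'C:\CIPolicy\MergedPolicy.xml'    # base policy + audit additions
$PolicyBin = 'C:\CIPolicy\SIPolicy.bin'        # binary form of the policy
$Deployed  = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"  # local deployment path

function New-AuditPolicy {
    # Build the initial policy (audit mode by default) from the reference machine.
    # "3>" sends the warning stream (files that could not be scanned) to a log file.
    New-CIPolicy -Level PcaCertificate -FilePath $PolicyXml -UserPEs 3> 'C:\CIPolicy\Warnings.txt'
    ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
    Copy-Item -Path $PolicyBin -Destination $Deployed -Force
}

function Get-CIAuditEvents {
    # Event ID 3076 in the Code Integrity operational log records files that
    # WOULD have been blocked had the policy been enforced; review these first.
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

function Merge-AuditFindings {
    # Generate rules from the audit events and merge them into the base policy,
    # so software seen during the audit period is allowed before enforcement.
    New-CIPolicy -Audit -Level PcaCertificate -FilePath $AuditXml -UserPEs
    Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml
}

function Enable-Enforcement {
    # Rule option 3 is "Enabled:Audit Mode"; deleting it makes the policy enforced.
    param([string]$Xml = $MergedXml)
    Set-RuleOption -FilePath $Xml -Option 3 -Delete
    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $PolicyBin
    Copy-Item -Path $PolicyBin -Destination $Deployed -Force
}

# Typical sequence, run from an elevated PowerShell on the reference machine:
# New-AuditPolicy; (use the machine normally for a while); Get-CIAuditEvents;
# Merge-AuditFindings; Enable-Enforcement; then reboot and re-check the event log.
```

Once enforced, the same log reports actual blocks under a different event ID, so keep watching it after the reboot.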

