Windows 10 Device Guard

Device Guard primarily prevents unsigned code from running on Windows. It’s like AppLocker on steroids. When configured properly, it virtually eliminates all virus and malware threats. It’s not for everyone, however, and can really mess up your computers if not configured correctly. You should test Device Guard policies extensively before deployment.

System Requirements

To activate Device Guard, you must be running Windows 10 Enterprise or Education 64-bit. It MUST be the Enterprise or Education SKU – it is not available on Pro. Next, your systems must boot with UEFI and have Secure Boot enabled. Though not required, you should also password-protect your firmware and prevent the device from booting from anything other than the hard drive.

If you have your own line-of-business applications, you will need a code signing certificate to sign these apps.

How it Works

Essentially, Device Guard prevents anything that is not signed from running. You specify which certificates are valid code-signing certs, so that not just anything that is signed can run. You sign your LOB apps with these certificates, and they can execute. For example, if I enable Device Guard but don’t trust the certificate that the Mozilla Firefox installer is signed with, I will not be able to install it.

You define a code integrity policy that gets deployed to your machines, either by Group Policy or some other method. This policy is defined using an XML file, which you can also sign, making it even more secure. The XML file can be deployed as part of a CAB to your machines.

Create Code Integrity Policy

To create a policy, configure a “master” machine with all of your required software installed. You only need a few commands to create the policy. First, create it by using:

New-CIPolicy -Level PcaCertificate -FilePath <path to store XML file> -UserPEs 3> <path to warnings log>

Next, convert it to a binary format:

ConvertFrom-CIPolicy -XmlFilePath <path to created XML file> -BinaryFilePath <output binary file>

You will need the binary file for your deployment. You need to hold on to the XML though, as you’ll need it later.

Auditing Code Integrity Policy

You should always run these policies in audit mode first to determine if you missed anything. To run a policy in audit mode, copy the output binary to C:\Windows\system32\CodeIntegrity.

Next, open your local group policy editor by running gpedit.msc. Navigate to Computer Configuration > Administrative Templates > System > Device Guard. Enable the “Define Code Integrity Policy” setting and set it to the path mentioned above:


When creating a policy, it’s set to audit mode by default. To put the policy in enforcement mode, run this command from PowerShell:

Set-RuleOption -FilePath <path to XML file> -Option 3 -Delete

This cmdlet deletes a rule option line from the XML file (called Enabled:Audit Mode) and puts the policy in enforcement mode. After this command, run the command to convert it back to binary and redeploy.
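The following script ties the two procedures above (creating and converting the policy, then auditing and switching to enforcement) into one end-to-end run on the master machine. It is an added example, not code from the original post or from Microsoft; the folder paths, file names and the test period are assumptions, and the two helper functions (Get-CIAuditFindings and Get-CIEnforcementStatus) are illustrative names of my own, not cmdlets. Event ID 3076 is the CodeIntegrity operational-log event that records a file which would have been blocked had the policy been enforced, which is what you review before removing rule option 3.

```powershell
# Added example: Device Guard code integrity policy lifecycle on the "master" build machine.
# All paths are assumptions; adjust them for your environment. Run from an elevated prompt.
#Requires -RunAsAdministrator

$PolicyXml  = 'C:\CIPolicy\InitialPolicy.xml'                  # keep this XML, you need it later
$AuditXml   = 'C:\CIPolicy\AuditFindings.xml'                  # policy built from audit events
$MergedXml  = 'C:\CIPolicy\MergedPolicy.xml'
$PolicyBin  = 'C:\CIPolicy\SIPolicy.p7b'                       # binary produced by ConvertFrom-CIPolicy
$DeployPath = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' # location the Group Policy setting points at
$WarnLog    = 'C:\CIPolicy\NewCIPolicy.warnings.txt'

New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the master machine and build the policy at the PcaCertificate level.
#    Stream 3 (warnings) is redirected to a file so unsigned or unscannable files are recorded.
New-CIPolicy -Level PcaCertificate -FilePath $PolicyXml -UserPEs 3> $WarnLog

# 2. Convert to binary and stage it. A freshly created policy already carries
#    rule option 3 (Enabled:Audit Mode), so this deployment only audits.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $DeployPath -Force
# Now set "Define Code Integrity Policy" in gpedit.msc to $DeployPath and reboot.

# 3. After the test period, list what audit mode flagged. Event 3076 = would have been blocked.
function Get-CIAuditFindings {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# Helper to confirm the current state: 0 = off, 1 = audit, 2 = enforced.
function Get-CIEnforcementStatus {
    Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard |
        Select-Object CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus
}

$findings = Get-CIAuditFindings
if ($findings) {
    Write-Warning "$($findings.Count) audit events found; review them before enforcing."
    $findings | Format-Table -AutoSize

    # Optionally fold the audited files into the policy (hash rules) and merge with the original.
    New-CIPolicy -Audit -Level Hash -FilePath $AuditXml -UserPEs 3> $WarnLog
    Merge-CIPolicy -PolicyPaths $PolicyXml, $AuditXml -OutputFilePath $MergedXml
    $PolicyXml = $MergedXml
}

# 4. Remove rule option 3 to switch from audit to enforcement, then reconvert and redeploy.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item -Path $PolicyBin -Destination $DeployPath -Force
# Reboot, then run Get-CIEnforcementStatus and expect the enforcement status values to read 2.
```

Keep the XML from step 1 (or the merged XML) under version control: every later change, including going back to audit mode, is a Set-RuleOption edit to that file followed by another ConvertFrom-CIPolicy, and the binary alone cannot be edited.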

Disclaimer

All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.
