Windows 10 Security: Device Guard and Credential Guard – Part 2

This part two of a blog about Device Guard. For part one, which configures only Credential Guard, see this post: Windows 10 Security: Device Guard and Credential Guard – Part 1 – (

In this part, we are going to configure a Device Guard rule. Device Guard rules protect your machine from un-verified code. Device Guard, like Credential Guard, runs from a protected Hyper-V container, ensuring that your devices remain from malware.

Enabling Device Guard

At the end of part one, we configured Credential Guard using this registry key:


To enable Device Guard, set the middle selection box to “Enabled without Lock”.


Next, you need feed the setting “Deploy Code Integrity Policy” a policy. This policy can be in a .bin format (unsigned file) or a .p7 format (signed file). Open this setting, and type in the path and file name. The file can exist on the local computer, or a network share.


Create Device Guard Policy

Creating a Device Guard policy is pretty simple, actually. You start with a gold master. This master should have the software that can run installed on it, and only that software. From this computer, run this series of PowerShell commands. The path in lines three and four must exist prior to executing those commands. The commands will not create the path, and will error if its not there.

$dg_policy = “c:\dg\dg_policy.xml”

$dg_policyBIN = “c:\dg\dg_policy.bin”

new-cipolicy -level pcacertificate -filepath $dg_policy -userpes

convertfrom-cipolicy $dg_policy $dg_policyBIN

Note that the new-cipolicy step takes quite a while to run. After it completes, you should have your BIN file at C:\dg.

Remember that a device can only have one policy applied to it. I recommend keeping your gold master in a VM that you power on and regenerate this policy if needed. It is possible to merge policies, but that is out of the scope of this post. Additional documentation is available here:


All content provided on this blog is for information purposes only. Windows Management Experts, Inc makes no representation as to accuracy or completeness of any information on this site. Windows Management Experts, Inc will not be liable for any errors or omission in this information nor for the availability of this information. It is highly recommended that you consult one of our technical consultants, should you need any further assistance.



Contact Us

On Key

More Posts

Mastering Azure AD Connect - A Comprehensive Guide by WME
Active Directory

Mastering Azure AD Connect – A Comprehensive Guide

Modern businesses are fast moving toward cloud-based infrastructure. In fact, cloud-based business is not just a trend anymore but a strategic necessity. Microsoft’s Azure Active Directory (Azure AD) has become a frontrunner in this domain. It

Read More »
Security Best Practices in SharePoint
Office 365

Security Best Practices in SharePoint

Microsoft SharePoint is an online collaboration platform that integrates with Microsoft Office. You can use it to store, organize, share, and access information online. SharePoint enables collaboration and content management and ultimately allows your teams to

Read More »
The Ultimate Guide to Microsoft Intune - Article by WME
Active Directory

The Ultimate Guide to Microsoft Intune

The corporate world is evolving fast. And with that, mobile devices are spreading everywhere. As we venture into the year 2024, they have already claimed a substantial 55% share of the total corporate device ecosystem. You

Read More »
Protecting Microsoft 365 from on-Premises Attacks
Cloud Security

How to Protect Microsoft 365 from On-Premises Attacks?

Microsoft 365 is diverse enough to enrich the capabilities of many types of private businesses. It complements users, applications, networks, devices, and whatnot. However, Microsoft 365 cybersecurity is often compromised and there are countless ways that

Read More »
Be assured of everything

Get WME Services

Stay ahead of the competition with our Professional IT offerings.