Firmware Protection Windows 1809 - How to turn it on?
<blockquote data-quote="DeepWeb" data-source="post: 779128" data-attributes="member: 63811"><p>I think it's interesting that it says that we disabled it in Group Policy. There's still no documentation about System Guard and what Group Policy item governs it. Apparently it only works on clean installs anyway... I'm doing some experiments to see if I can enable it.</p><p></p><p>I managed to enable Firmware protection. It cancels boot up when one of your drivers is unknown, so I wasn't able to boot even after turning virtualization off in BIOS. It reminds me of the Early Launch Antimalware policy that broke Kaspersky for me. Unfortunately I have to stop here because it is too time-consuming to restore the backup again. But I know you have to go into system32\CodeIntegrity and check when your SIPolicy.p7b was created. It might be incompatible with the newer version of Windows 10. Mine was from 2017. After I updated it, things started to work. There's a PowerShell script to create a new policy; I will link it here in a moment.</p><p></p><p>More complicated actually. You have to create your own policy if you want to make sure it boots up. 
The first thing you have to do is run the Device Guard Hardware Readiness Tool:</p><p><a href="https://www.microsoft.com/en-us/download/details.aspx?id=53337" target="_blank">Download Device Guard and Credential Guard hardware readiness tool from Official Microsoft Download Center</a></p><p></p><p>And lo and behold, a few interesting drivers showed up:</p><p>ambakdrv.sys - AOMEI Backupper (yes I have had issues with this when Hyper-V was on)</p><p>rtsper.sys - Realtek PCIe Card Driver</p><p>isctd64.sys - Intel Smart Connect (wtf even Intel is not compatible with Microsoft's new experiment)</p><p>stwrt64.sys - IDT Audio Driver</p><p>cpumcupdate64.sys - CPU Microcode Update Driver (vasudev and I have talked about this for a while)</p><p></p><p>So what I will try to do is create a SIPolicy that includes these drivers and then check if it works again following the instructions here:</p><p><a href="https://blogs.technet.microsoft.com/ukplatforms/2017/04/04/getting-started-with-windows-10-device-guard-part-1-of-2/" target="_blank">Getting Started with Windows 10 Device Guard – Part 1 of 2</a></p><p></p><p>Here are all the things you will lose when you enable hypervisor-enforced code integrity and Windows Defender System Guard in Kaspersky:</p><p><a href="https://support.kaspersky.co.uk/14300?cid=KTS_19.0&utm_source=interceptor&utm_medium=product&utm_campaign=KTS_19.0#block2" target="_blank">Compatibility of Kaspersky Total Security 19 with Windows 10</a></p><p></p><p>Other AVs have similar issues. You are giving up your AV's security in favor of Microsoft's security. Depending on which you trust more, I would go with that.</p><p></p><p>OK I think I figured out why Firmware protection was set to disabled. Did you download your SIPolicy.p7b from the Internet? It might be set to Audit instead of Enforced. I managed to set it to Enforced, but even after whitelisting many drivers I still had issues making it work. 
The most convenient way to enable all of these features is to do a clean install. :/</p></blockquote><p></p>
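
A read-only way to check the two things the post points at, the age of SIPolicy.p7b and whether code integrity is running in Audit or Enforced mode, as an added example that is not part of the original post. It assumes the documented `Win32_DeviceGuard` CIM class and its value meanings; comparing the policy file date with the OS install date is only a heuristic chosen for this example, and `Resolve-Code` is a hypothetical helper name.

```powershell
# Added example: read-only status check, run from an elevated PowerShell prompt.
$policyPath = Join-Path $env:windir 'System32\CodeIntegrity\SIPolicy.p7b'

# 1. How old is the deployed policy compared with this Windows installation?
if (Test-Path -LiteralPath $policyPath) {
    $policy = Get-Item -LiteralPath $policyPath
    $os     = Get-CimInstance -ClassName Win32_OperatingSystem
    '{0} last written {1:u}; OS install date {2:u}' -f `
        $policy.Name, $policy.LastWriteTime, $os.InstallDate
    if ($policy.LastWriteTime -lt $os.InstallDate) {
        # Heuristic (assumption of this example): a policy older than the OS
        # install date was built for an earlier Windows 10 release.
        Write-Warning 'SIPolicy.p7b predates the current Windows installation.'
    }
} else {
    'No SIPolicy.p7b found at {0}' -f $policyPath
}

# 2. What does Windows report for code integrity and VBS right now?
$ciMode   = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$services = @{ 0 = 'None'; 1 = 'Credential Guard'
               2 = 'Hypervisor-enforced code integrity'
               3 = 'System Guard Secure Launch' }

# Hypothetical helper: CIM returns UInt32 values, hashtable keys above are Int32,
# so cast before the lookup or every lookup silently returns nothing.
function Resolve-Code([hashtable]$Map, $Value) {
    $key = [int]$Value
    if ($Map.ContainsKey($key)) { $Map[$key] } else { "Unknown ($key)" }
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                      -Namespace 'root\Microsoft\Windows\DeviceGuard'

[pscustomobject]@{
    VirtualizationBasedSecurity = Resolve-Code $vbsState $dg.VirtualizationBasedSecurityStatus
    CodeIntegrityPolicy         = Resolve-Code $ciMode $dg.CodeIntegrityPolicyEnforcementStatus
    ServicesConfigured          = @($dg.SecurityServicesConfigured |
                                      ForEach-Object { Resolve-Code $services $_ }) -join ', '
    ServicesRunning             = @($dg.SecurityServicesRunning |
                                      ForEach-Object { Resolve-Code $services $_ }) -join ', '
} | Format-List
```

A service that appears under `ServicesConfigured` but not under `ServicesRunning` was requested but did not start on this boot, and `CodeIntegrityPolicy : Audit` means violations are only logged and nothing is blocked.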