Unit 4
          A New Era of Threat Resistance for the Windows 10
          Platform
Contents:
Lab:         Configuring Device Guard, Windows SmartScreen, and Windows Defender

Lab: Configuring Device Guard, Windows SmartScreen, and Windows Defender
          Scenario
          Your company is getting ready to deploy new systems that are running Windows 10.
          As an enterprise support technician, you are tasked with understanding the new
          functionality of Device Guard. Your security team is excited about this feature and
          asked you to test it out and document the features.
          Objectives
After completing this lab, you will be able to:
• Explain Device Guard.
   o Run Device Guard in the enforcement mode.
1 of 11                                                                                 03-Jun-19, 10:22 AM
             o Run Device Guard in the audit mode.
          • Configure Windows SmartScreen.
          • Configure Windows Defender.
          Lab
          Estimated
          Start                        directions of the instructor.
          Lists of virtual machines used in this lab
           Virtual Machines       Description
           40332A-LON-CL4         Windows 10 system. Device Guard PowerShell scripts included. Note:
                                        access is required for this
                                            the Microsoft Virtual                                  for
                                          the videos at:
                  Additional Reading: http://www.aka.ms/win10worksohp
          Exercise 1: Running Device Guard in Audit and Enforcement Mode
          Scenario
There are two modes for Device Guard: the audit mode, which allows software to be
installed but records what would have been blocked, and the enforcement mode, which
prevents software that is untrustworthy from being installed. In this exercise, you will
enable both modes for Device Guard.
                 Note: Because there is no certificate or device policy installed, this exercise
                 uses the default policy, Audit, and you must create the hash files in the catalog
                 directory.
          The main tasks for this exercise are as follows:
1.     Enable the audit mode for Device Guard
2.     View the Device Guard policy
3.     Install software that is downloaded from the Internet
          4.     Explore the audit logs created by the Device Guard audit mode
          5.     Enable the enforcement mode for Device Guard
Task 1: Enable the audit mode for Device Guard
To enable the audit mode for Device Guard, perform the following steps:
          1.     Sign on to LON-CL4 as Admin with the password Pa$$w0rd
          2.     Click the Start button.
          3.     In the left column of the Start menu, click the All apps icon.
          4.                           shortcut opens on the                              This
                                            numbers and letters.                    enabled
                                               installed in that category.              numbers
                                             that there are no apps                     letters or
          5.     Click W. One of the options under this category is Windows PowerShell.
          6.     Click the drop-down arrow next to Windows PowerShell, right-click Windows
                 PowerShell ISE, and then click Run as administrator. Click Yes to confirm
                 that you want this app to be able to make system changes. An Administrator
                 Windows PowerShell ISE window should display.
          7.     In the Windows PowerShell ISE window, click File, click Open. If the insert
                                         click cancel, and then                            to .txt.
          8.                              and then select Device_Guard_Full_Scan            Click
9.     The script contains the commands that scan the system, create a Device Guard
       policy, and then place the policy on the desktop. The scan computes a checksum
       (hash) for each binary on the system and writes an allow rule for it into the
       policy; the lab refers to this set of hashes as the system catalog. Select all the
       lines in the ISE script pane, and then press the F8 key. Make sure that you
       selected all the lines before you press F8.
This scan can take up to 30 minutes to complete and would normally be run against the
golden or master image in the enterprise.
       New-CIPolicy is one of the new Device Guard cmdlets; it creates Device Guard code
       integrity policies. Because this is not a Windows PowerShell course, the scripts
       are not covered here.
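The lab's Device_Guard_Full_Scan script is not reproduced in the page. The following is an added example, not the lab's own script, of what such a script does with the ConfigCI cmdlets: scan the system into a hash-level policy, confirm the policy is in audit mode before it is staged, compile it, and copy it to the location the kernel loads it from. The output paths and the choice of -Level Hash are assumptions; run it from an elevated PowerShell session and expect a restart afterwards.

```powershell
# Added example (not the lab's script). Paths and rule level are assumptions; run elevated.
Import-Module ConfigCI

$PolicyXml = "$env:USERPROFILE\Desktop\InitialScanPolicy.xml"        # assumed output path
$PolicyBin = "$env:USERPROFILE\Desktop\InitialScanPolicy.bin"
$Deployed  = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"   # single-policy load location

# Scan the system and write an Allow rule for every binary found. -Level Hash matches the
# lab's description (one hash per binary); -UserPEs includes user-mode code, not only drivers.
New-CIPolicy -FilePath $PolicyXml -Level Hash -UserPEs -NoShadowCopy

# New-CIPolicy always emits "Enabled:Audit Mode" (rule option 3). Refuse to stage a
# first-pass policy that is somehow not in audit mode.
$ns = @{ si = 'urn:schemas-microsoft-com:sipolicy' }
$options = Select-Xml -Path $PolicyXml -Namespace $ns -XPath '//si:Rules/si:Rule/si:Option' |
    ForEach-Object { $_.Node.InnerText }
if ($options -notcontains 'Enabled:Audit Mode') {
    throw 'Policy is not in audit mode; not deploying a first-pass policy in enforcement.'
}

# Size of the policy: one Allow element per hashed binary.
$allowRules = Select-Xml -Path $PolicyXml -Namespace $ns -XPath '//si:FileRules/si:Allow'
"$($allowRules.Count) Allow (hash) rules generated in $PolicyXml"

# Compile to the binary form and stage it; the policy takes effect at the next boot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin | Out-Null
Copy-Item -Path $PolicyBin -Destination $Deployed -Force
'Audit-mode policy staged. Restart to apply.'
```

The audit-mode check is the part worth keeping in any real deployment script: a policy that reaches SIPolicy.p7b without option 3 will start blocking at the next boot, and a hash-only policy built from a single machine will not cover every binary the fleet needs.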
Task 2: View the Device Guard policy
To view the policy, perform the following steps:
1.     Browse to C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}.
2.     This folder is the Windows catalog store. The catalog (.cat) files in it hold the
       signed hashes of files that ship with Windows and with installed applications; they
       are not created by the scan in Task 1, but New-CIPolicy reads them during the scan
       to determine which binaries are covered by a signed catalog. Review the contents of
       the folder.
          3.     On the desktop, locate the file that is named InitialScanPolicy.xml, and then
                 open it in Internet Explorer by right-clicking the file, and then clicking Open
                 with Internet Explorer.
4.     InitialScanPolicy.xml is the policy file that the scan produced: it extracted the
       hash of every binary found and created an Allow rule for each one. Review the
       sections of the file, in particular Rules, and note that the audit mode option
       (Enabled:Audit Mode) is set. New-CIPolicy will always generate a policy with audit
       mode enabled.
5.     Restart LON-CL4 and then sign in as Admin with the password of Pa$$w0rd.
       Note: We recommend testing code integrity policies in the audit mode before
       enabling enforcement.
Task 3: Install software that is downloaded from the Internet
To download the 7-Zip utility for Windows from http://www.7-zip.org/, perform the
following steps:
1.     In Internet Explorer, go to http://www.7-zip.org/
2.     Download the 64-bit installer.
3.     When the download is complete, double-click the installer to run it. The
       installer is located in the Downloads directory.
          4.     To run 7-zip, click the Start button, and then click All apps. 7-zip displays at the
                 top of the App list.
          5.     Click 7-zip File Manager to run it. Now that the app is working, close the app.
Task 4: Explore the audit logs created by the Device Guard audit mode
To explore the audit logs created by the Device Guard audit mode, perform the
following steps:
1.     To open Event Viewer, type Event Viewer in the Cortana search box, and then click
       the Event Viewer desktop app. Event Viewer is a Microsoft Management Console
       snap-in.
2.     In the Event Viewer window, expand Applications and Services Logs, expand
       Microsoft, expand Windows, expand CodeIntegrity, and then click Operational.
3.     The log records executed processes, with each entry classified in one of three
       ways: Error, Warning, or Information. In the log view, click the Level column
       to sort by level, and look for the events designated with the circular
       Information icon.
          4.     Look for an entry about the binary from 7-zip. After you locate it, click the log
                 entry.
5.     In the details panel below the events list, read the message. It ends with the
       statement that, due to code integrity auditing policy, the image was allowed to
       load: in audit mode the binary runs and the violation is only logged.
6.     Click the Details tab to view the full path to the binary, the process name, and
       the remaining fields of the event.
          7.     Close Event Viewer.
Note: In production, you might re-run the New-CIPolicy cmdlet with the -Audit
parameter to create a new policy from the audit events, and then merge it with the
original policy by using the new Merge-CIPolicy cmdlet. A new XML file would be
created. This file includes both the original policy and the audit policy, and
therefore the permission to allow the installation of 7-zip. In addition to merging
from audit events, you can merge policies from different kinds of computers to
create one comprehensive policy for the diversity of systems supported.
8.     Delete the downloaded installer from the Downloads folder. To uninstall 7-Zip,
       click the Start button, open Programs and Features, locate 7-Zip, select 7-Zip,
       and then click Uninstall.
          9.     Confirm that you want to uninstall 7-Zip.
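Task 4 reads the audit events by hand in Event Viewer, and the note above describes turning them into a policy. The following added example (not part of the lab) does both from PowerShell: it pulls the code integrity policy events out of the operational log, lists one line per offending binary, and then runs New-CIPolicy in audit mode to build a supplemental policy from those events. Event IDs 3076 (audit mode, image allowed) and 3077 (enforced mode, image blocked) are the documented code integrity policy events; the regular expressions over the message text are an assumption about its wording, so check them against a real event before relying on them.

```powershell
# Added example (not part of the lab). Event IDs are documented; message regexes and the
# output path are assumptions.
$Log = 'Microsoft-Windows-CodeIntegrity/Operational'

# 3076: audit mode, would have been blocked. 3077: enforced mode, was blocked.
$events = Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 3076, 3077 } `
    -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # "... a process (\Device\...\explorer.exe) attempted to load \Device\...\7z.exe that ..."
    $file = if ($e.Message -match 'attempted to load (?<path>\S+) that') { $Matches.path } else { '<unparsed>' }
    $proc = if ($e.Message -match 'process \((?<proc>[^)]+)\)')         { $Matches.proc } else { '' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Mode    = if ($e.Id -eq 3076) { 'Audit (allowed)' } else { 'Enforced (blocked)' }
        File    = $file
        Process = $proc
    }
}

# One line per binary, most recent first. The 7-Zip installer from Task 3 shows up here
# with a \Device\HarddiskVolumeN\... path rather than a drive letter.
$report | Sort-Object File -Unique | Sort-Object Time -Descending |
    Format-Table Time, Mode, File, Process -AutoSize

# Build a supplemental policy from the audit events themselves. -Audit makes New-CIPolicy
# scan the CodeIntegrity log instead of the disk; Hash level records exactly the binaries seen.
$AuditPolicy = "$env:USERPROFILE\Desktop\AuditPolicy.xml"   # assumed path
New-CIPolicy -Audit -Level Hash -UserPEs -FilePath $AuditPolicy
"Audit-derived policy written to $AuditPolicy; merge it into the base policy before enforcing."
```

Review the report before feeding the events into a policy: every binary in it becomes allowed once merged, so an audit period on a machine where something untrusted already ran would whitelist that binary too.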
Task 5: Enable the enforcement mode for Device Guard
At this point, assume that Adatum's corporate image is locked down, which will greatly
reduce the chance of untrusted software getting installed.
To enable the enforcement mode for Device Guard, perform the following steps.
1.     Repeat steps 4 through 7 from Task 1, but this time select the file
       Device_Guard_Set_Enforcement_mode.txt.
2.     Select all the lines in the ISE script pane, and then press the F8 key. Make sure
       that you selected all the lines before you press F8. This switches the system
       from the audit mode to the enforcement mode. After the restart, binaries that
       are not from a trusted publisher and do not have an entry in the catalog cannot
       be installed.
          3.     Restart LON-CL4, and then sign in as Admin with the password of Pa$$w0rd.
4.     Repeat the installation of 7-Zip by following the steps in Task 3. A message
       indicating that the system administrator has set policies to prevent the
       installation appears. This is because trying to install a new untrusted app
       violates the Device Guard code integrity policy.
At this point, 7-Zip cannot be installed on LON-CL4. To gain greater flexibility, you
can create code integrity policies at a level higher than individual hash values, but
you will discover unsigned applications that such rules cannot cover. To include these
applications in the code integrity policy, you can create, sign, and deploy a catalog
file. Catalog files are lists of individual file hash values. If the scanned application
is updated, a new catalog must be created. That said, binary signing is highly
recommended for any future applications so that catalog files are not needed.
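The lab's Device_Guard_Set_Enforcement_mode script is not shown. The following added example (not the lab's script) carries the production workflow described in the Task 4 note and in Task 5 through from PowerShell: merge an audit-derived policy into the initial policy if one exists, delete the audit-mode rule option, verify from the XML that audit mode is really gone, compile, and stage the enforced policy. All file paths are assumptions; run elevated and expect to restart.

```powershell
# Added example (not the lab's script). Paths are assumptions; run elevated.
Import-Module ConfigCI

$Desktop  = "$env:USERPROFILE\Desktop"
$Initial  = "$Desktop\InitialScanPolicy.xml"   # from the full scan (Task 1)
$Audit    = "$Desktop\AuditPolicy.xml"         # from New-CIPolicy -Audit, if it was run
$Merged   = "$Desktop\MergedPolicy.xml"
$Bin      = "$Desktop\MergedPolicy.bin"
$Deployed = "$env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b"

# 1. Merge. With no audit policy present, the merged policy is just the initial one.
$inputs = @($Initial) + @(if (Test-Path $Audit) { $Audit })
Merge-CIPolicy -PolicyPaths $inputs -OutputFilePath $Merged | Out-Null

# 2. Audit -> enforcement: rule option 3 is "Enabled:Audit Mode"; deleting it makes the
#    policy block instead of log.
Set-RuleOption -FilePath $Merged -Option 3 -Delete

# 3. Check the XML rather than trusting the cmdlet: an enforced policy that still carries
#    audit mode would silently keep allowing everything.
$ns   = @{ si = 'urn:schemas-microsoft-com:sipolicy' }
$opts = Select-Xml -Path $Merged -Namespace $ns -XPath '//si:Rules/si:Rule/si:Option' |
    ForEach-Object { $_.Node.InnerText }
if ($opts -contains 'Enabled:Audit Mode') { throw 'Audit mode is still set; not deploying.' }

# 4. Compile and stage. The kernel reads SIPolicy.p7b at the next boot; from then on a
#    violation is logged as event 3077 in Microsoft-Windows-CodeIntegrity/Operational
#    and the image does not load.
ConvertFrom-CIPolicy -XmlFilePath $Merged -BinaryFilePath $Bin | Out-Null
Copy-Item -Path $Bin -Destination $Deployed -Force
'Enforced policy staged. Restart to apply; keep the audit-mode XML to roll back.'
```

Keep the audit-mode XML and its compiled binary alongside the enforced one. Rolling back is the same copy in reverse, and it is the first thing you will need if a binary that never ran during the audit window turns out to be required.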
          Exercise 2: Providing Additional Protection Against Malware
          Scenario
Windows 10 continues to support the two important security features Windows SmartScreen
and Windows Defender, which help to protect your computer from malware.
Windows SmartScreen
The Windows SmartScreen safety feature was introduced in Windows 8, and is a part
of Windows 10 security. Windows SmartScreen helps protect your computer from
apps that might be unsafe or perform unwanted actions. When you run an
app, Windows uses the Microsoft SmartScreen reputation databases to
determine whether the app is known to be safe. If the app is malicious, SmartScreen
warns you before it runs the app. This complements Device Guard: the SmartScreen
reputation check applies even where no code integrity policy is enforced.
          The SmartScreen Filter that is built into Windows 10 and Internet Explorer scans the
          incoming files, in addition to the visited sites, to determine if the content of the files
          might compromise your computer. If the content poses a risk, Windows SmartScreen
          displays a warning indicating that the content or the site might be unsafe.
          Windows Defender
Windows Defender helps to protect your computer from spyware, malware, and
viruses. The full antimalware version of Windows Defender was released with Windows 8;
earlier versions protected against spyware only. Windows Defender uses definitions to
determine whether software is unwanted and to alert you to potential risks. To
keep the definitions current, Windows Defender downloads definition updates
automatically through Windows Update.
In Windows Defender, you can run a Quick, Full, or Custom scan. If you suspect that
spyware has infected a specific area of your computer, you can customize a scan by
selecting specific drives and folders. You also can configure the schedule that
Windows Defender uses.
          The main tasks for this exercise are as follows:
1.     Configure Windows SmartScreen settings
2.     Configure scanning options in Windows Defender
          Task 1: Configure Windows SmartScreen settings
          To configure Windows SmartScreen settings, perform the following steps:
1.     Sign in to LON-CL4 as Admin with the password Pa$$w0rd.
2.     In the Cortana search box, type SmartScreen.
3.     In the results, click the setting that turns the SmartScreen Filter on or off;
       the Privacy settings page opens.
4.     Under the Privacy - General section, ensure that Turn on SmartScreen Filter
       is on.
           5.     Repeat step 2, and then click Change SmartScreen Settings.
           6.     On the left side of the Security and Maintenance panel, click Change
                  Windows SmartScreen settings. The What do you want to do with
                  unrecognized apps? dialog box appears.
           7.     Verify that Get administrator approval before running is selected.
           8.
9.     Close the Settings window and the Security and Maintenance panel.
       Note: Related to SmartScreen's aim of exposing deceptive sites, Internet
       Explorer 11 highlights the domain name in the address bar. Go to any website
       and notice the slight difference in shading between the domain name and the
       rest of the URL. This highlighting helps to call attention to the actual
       domain you are accessing, which is exactly what a phishing URL tries to disguise.
Task 2: Configure scanning options in Windows Defender
To configure the scanning options in Windows Defender, perform the following steps:
           1.     Right-click the Start button, and then click Control Panel.
           2.                               icons.
           3.
           4.                               that the Quick scan
           5.                      tab, and then click Update.
           6.     Click the Home tab, click Scan now, and then review the results in the History
                 tab.
           7.    Click Settings. You should see the Update & Security panel.
           8.    Ensure Real-time protection and Cloud-based Protection are turned on.
           9.    Read the text associated with each option.
           10.
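Both tasks in this exercise are done through the Settings and Control Panel UI. The following added example (not part of the lab) checks the same settings from PowerShell and corrects the Windows Defender ones that are off, which is how you would verify a fleet rather than one VM. The SmartScreen registry value names are an assumption that depends on the Windows 10 build (early builds use RequireAdmin, Prompt and Off; later builds use Warn, Block and Off); the scan schedule is an assumed value. The Defender cmdlets come from the built-in Defender module.

```powershell
# Added example (not part of the lab). SmartScreen value names and the schedule are assumptions.

# --- SmartScreen for unrecognized apps (Task 1) ---
$ssKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer'
$ss = (Get-ItemProperty -Path $ssKey -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
$ssState = switch ($ss) {
    'RequireAdmin'              { 'On: administrator approval before running (the lab setting)' }
    'Block'                     { 'On: block unrecognized apps' }
    { $_ -in 'Prompt', 'Warn' } { 'On: warn before running' }
    'Off'                       { 'OFF' }
    default                     { "Unknown or unset ($ss)" }
}
"SmartScreen for apps: $ssState"

# --- Windows Defender (Task 2) ---
$status = Get-MpComputerStatus
$pref   = Get-MpPreference

if (-not $status.RealTimeProtectionEnabled) {
    Set-MpPreference -DisableRealtimeMonitoring $false   # Real-time protection: on
}
if ($pref.MAPSReporting -eq 0) {                         # 0 = Disabled
    Set-MpPreference -MAPSReporting Advanced             # Cloud-based protection: on
}

# Scheduled scan type Quick, daily at 02:00 (assumed schedule).
Set-MpPreference -ScanParameters QuickScan -ScanScheduleDay Everyday -ScanScheduleTime 02:00:00

# Update definitions, run a quick scan now, and list detections (the History tab's data).
Update-MpSignature
Start-MpScan -ScanType QuickScan
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ProcessName, ActionSuccess |
    Format-Table -AutoSize

# Final state worth recording in the lab notes.
Get-MpComputerStatus |
    Select-Object RealTimeProtectionEnabled, AntivirusSignatureVersion, AntivirusSignatureLastUpdated
```

Set-MpPreference changes take effect immediately and persist, so on a domain-joined machine confirm that Group Policy is not going to overwrite them at the next refresh; the UI shows a managed setting as greyed out, whereas the cmdlet simply writes the local preference.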
Results: After completing this exercise, you will have configured Windows SmartScreen
and Windows Defender.