
It didn't trigger SmartScreen but it was still unsigned. I enabled Device Guard right after setting up Windows, so I'm pretty sure it isn't hacked. I was also able to install and run TPfancontrol.

EDIT: so apparently it's actually a really involved process to set this up (all I did was just select "Enabled" in BIOS). That would explain why it hasn't blocked anything yet.

genealogyxie
  • It might help to get a substantive response if you added some more detail about how you've been setting up this arrangement. For example, do you know whether Device Guard is in effect & blocking anything at all (i.e. have you tried any programs and had them blocked)? What procedure did you use to set up Device Guard? (My understanding is that it is currently not a simple thing to enable, even by whitelisting setup standards.) Are you sure DG isn't in auditing mode (which is used to help with configuration but doesn't actually block programs from running)? More info, please. – mostlyinformed Sep 29 '16 at 09:07
  • @halfinformed oh I just selected "Enable" in BIOS. Apparently it's actually pretty involved. So does merely changing that BIOS setting actually do anything or do I have to do the whole process? – genealogyxie Sep 29 '16 at 12:51
  • @halfinformed also - how would I set it up for a personal computer? Or would I be better off just making a private network for it? – genealogyxie Sep 29 '16 at 13:00
  • It sounds like your BIOS and Windows both use "Device Guard" to mean different things. Windows Device Guard is not something you enable in the BIOS. – paj28 Sep 29 '16 at 13:03
  • Well, first, only the Enterprise version of Windows 10 (perhaps the Education version as well) has Device Guard at this stage. The Home and even the Pro version do not. (Unfortunately.) If you had a Windows 10 Enterprise PC you almost certainly would have gotten it from work or some other kind of organization with an IT department. Do you know if you have the Win 10 Enterprise version on your PC? – mostlyinformed Oct 01 '16 at 06:35
  • There *is* something called Secure Boot in newer Windows machines, including those with Home and Pro versions of the OS. And Secure Boot can be turned on & off in BIOS. (Well, except the new BIOS that supports this is now technically called UEFI.) Secure Boot helps guard key parts of a Windows PC's operating system from malicious alterations. But unlike Device Guard it doesn't do application whitelisting. – mostlyinformed Oct 01 '16 at 06:47
  • @halfinformed oh thanks. I only have the pro version, which would explain why I couldn't find the place in the group policy editor to enable Device Guard – genealogyxie Oct 01 '16 at 14:24
  • Funny enough, a few months ago I myself asked a question about what software whitelisting capabilities are available in non-Enterprise versions of Windows for people who don't want to use third-party software. Someone pointed out that Software Restriction Policies are a less robust & flexible option than either Device Guard or AppLocker (in Win 8/8.1 Enterprise) but that option is indeed in the Home and Pro versions. See: http://security.stackexchange.com/questions/126640/application-whitelisting-approaches-options-on-non-enterprise-windows-pcs – mostlyinformed Oct 01 '16 at 19:18

0 Answers