vendredi 31 mars 2017

[Windows 10] Device Guard and Credential Guard hardware readiness tool & bleu screen


I want to test the hardware compatibility of the asset of my company for Device Guard and Credential Guard, I launch on a sample of assets a script provided by Microsoft here to be sure that we will not face an hardware incompatibility.

Some days after I face very frequently (once the morning and the afternoon) a friendly SOD (Smiley Of the Death) 0x109 :(.


It happens on every computer I made the test and sometimes with the “verifier” stop error, after investigation with our Microsoft TAM I look carefully inside the PowerShell script used to make the checks for Credential Guard & Device Guard. And by coincidence several lines launch “verifier.exe”:

function CheckDriverCompat
{
    $_HVCIState = CheckDGRunning(2)
    if($_HVCIState)
    {
        LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be complete."
        LogAndConsoleWarning "Please disable HVCI and run the script again..."
    }
    $verifier_state = verifier /query | Out-String
    if($verifier_state.ToString().Contains("No drivers are currently verified."))
    {
        LogAndConsole "Enabling Driver verifier"
        verifier.exe /flags 0x02000000 /all /log.code_integrity

        LogAndConsole "Enabling Driver Verifier and Rebooting system"
        Log $verifier_state 
        LogAndConsole "Please re-execute this script after reboot...."
        if($AutoReboot)
        {
            LogAndConsole "PC will restart in 30 seconds"
            ExecuteCommandAndLog 'shutdown /r /t 30'
        }
        else
        {
            LogAndConsole "Please reboot manually and run the script again...."
        }
        exit
    }
    else
    {
        LogAndConsole "Driver verifier already enabled"
        Log $verifier_state 
        ListDrivers($verifier_state.Trim().ToLowerInvariant())
    }
} 

We could notice on this section of the script that the check of the drivers switch to an “aggressive” mode, and a lot of kernel drivers (the anti-virus for example) don't like it and show it through a SOD 0x109 …

In order to solve this issue we need to go back to a normal mode, in order to do that we need to launch verifier.exe with high privileges. And on the setting screen we choose the option that delete all the settings related to the tool. Don't worry there will not impact anything, indeed this tool is mainly used by the support team of Microsoft when they need to investigate:


After a reboot the SOD disappeared by magic :)

Aucun commentaire:

Publier un commentaire