my personal blog about systemcenter

Adding OpenLiveWriter to a DeviceGuard Protected Machine

I wanted to add OpenLiveWriter to my pc but since its protected by device guard it required a few additional steps

Following Matt Graeber (@mattifestation http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html guide to merging policies i ended up with the folowing

PS C:\Windows\system32> $OpenLiveWriter = Get-SystemDriver -ScanPath ‘C:\Users\FR\AppData\Local\OpenLiveWriter’ –UserPEsimage

Scanning the install directory

New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level PUBLISHER -UserPEs

image

“Unable to generate rules for all scanned files at the requested level.  A list of files not covered by the current policy can be found at C:\
Users\Flemming Riis\AppData\Local\Temp\tmpD089tmp.  If it is safe to not include these files, no action needs to be taken, otherwise a more c
omplete policy may be created using the -fallback switch”

image

First run was with publisher , but the majority of the files isn’t signed so i changed the policy to HASH , this laves a issue with autoupdate so the icon was changed to openlivewriter.exe instead of the update.exe

image

image

We now end up with a rather large list of allowed files

And putting it all together

$MasterRuleXml = ‘BASE.xml’ (this was my T460s baseline)

$OpenLiveWriter = Get-SystemDriver -ScanPath ‘C:\Users\FR\AppData\Local\OpenLiveWriter’ -UserPEs

New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level HASH -UserPEs

$OpenLiveWriterRules = New-CIPolicyRule -DriverFiles $OpenLiveWriter -Level HASH

Merge-CIPolicy -OutputFilePath FinalPolicy.xml -PolicyPaths $MasterRuleXml -Rules $OpenLiveWriterRules

ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy.xml -BinaryFilePath SIPolicy.p7b

And after a reboot i can now run openlivewriter on my device guard protected pc Smile