I wanted to add OpenLiveWriter to my PC, but since it's protected by Device Guard it required a few additional steps.
Following Matt Graeber's (@mattifestation) guide to merging policies, http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html, I ended up with the following.
PS C:\Windows\system32> $OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs
Scanning the install directory
New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level PUBLISHER -UserPEs
"Unable to generate rules for all scanned files at the requested level. A list of files not covered by the current policy can be found at C:\Users\Flemming Riis\AppData\Local\Temp\tmpD089tmp. If it is safe to not include these files, no action needs to be taken, otherwise a more complete policy may be created using the -fallback switch"
The first run was with PUBLISHER, but the majority of the files aren't signed, so I changed the policy level to HASH. A hash rule only allows the exact file that was scanned, so this leaves an issue with auto-update (an updated binary would no longer match the policy); for that reason the icon was changed to launch openlivewriter.exe instead of update.exe.
We now end up with a rather large list of allowed files
And putting it all together:
$MasterRuleXml = 'BASE.xml'   # this was my T460s baseline
$OpenLiveWriter = Get-SystemDriver -ScanPath 'C:\Users\FR\AppData\Local\OpenLiveWriter' -UserPEs
New-CIPolicy -FilePath OpenLiveWriter.xml -DriverFiles $OpenLiveWriter -Level HASH -UserPEs
$OpenLiveWriterRules = New-CIPolicyRule -DriverFiles $OpenLiveWriter -Level HASH
Merge-CIPolicy -OutputFilePath FinalPolicy.xml -PolicyPaths $MasterRuleXml -Rules $OpenLiveWriterRules
ConvertFrom-CIPolicy -XmlFilePath .\FinalPolicy.xml -BinaryFilePath SIPolicy.p7b
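The same procedure as an added worked example (this is not the post's own script): it first checks which files in the install directory are actually Authenticode-signed, which is what decides whether PUBLISHER rules can be generated, then goes beyond the post by using -Level Publisher with -Fallback Hash (the switch the error message above refers to) so that only the unsigned files get hash rules, merges into the baseline, and stages the merged policy in audit mode before it is enforced. The install path and BASE.xml are the post's; the variable names, the audit-mode step, the deployment path and the event query are assumptions.

```powershell
# Added example, not code from the original post.
$AppPath      = 'C:\Users\FR\AppData\Local\OpenLiveWriter'   # install directory from the post
$BasePolicy   = 'BASE.xml'                                    # machine baseline policy (post's name)
$AppPolicy    = 'OpenLiveWriter.xml'
$FinalPolicy  = 'FinalPolicy.xml'
$BinaryPolicy = 'SIPolicy.p7b'

# 1. Check how much of the application is Authenticode-signed. Unsigned PEs cannot
#    get a PUBLISHER rule, which is what "Unable to generate rules..." means.
$pes      = Get-ChildItem -Path $AppPath -Recurse -Include *.exe,*.dll
$sig      = $pes | Get-AuthenticodeSignature
$unsigned = $sig | Where-Object Status -ne 'Valid'
"{0} PE files, {1} unsigned" -f $pes.Count, $unsigned.Count
$unsigned | Select-Object -ExpandProperty Path

# 2. Scan the directory including user-mode binaries (-UserPEs).
$drivers = Get-SystemDriver -ScanPath $AppPath -UserPEs

# 3. Publisher rules where a valid signature exists, hash rules only for the rest.
#    A hash rule pins one exact file, so anything an updater replaces is blocked until
#    the policy is regenerated; a publisher rule survives an update from the same signer.
New-CIPolicy -FilePath $AppPolicy -DriverFiles $drivers -Level Publisher -Fallback Hash -UserPEs
$rules = New-CIPolicyRule -DriverFiles $drivers -Level Publisher -Fallback Hash

# 4. Merge into the baseline and count the resulting file rules.
Merge-CIPolicy -OutputFilePath $FinalPolicy -PolicyPaths $BasePolicy -Rules $rules
[xml]$policy = Get-Content $FinalPolicy
"{0} file rules in merged policy" -f $policy.SiPolicy.FileRules.ChildNodes.Count

# 5. Put the merged policy in audit mode (rule option 3 = Enabled:Audit Mode) so that
#    anything the policy would block is logged instead of blocked.
Set-RuleOption -FilePath $FinalPolicy -Option 3

# 6. Compile to binary and stage it; the new policy is picked up after a reboot.
ConvertFrom-CIPolicy -XmlFilePath $FinalPolicy -BinaryFilePath $BinaryPolicy
Copy-Item $BinaryPolicy -Destination 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

# 7. After the reboot and a test run of OpenLiveWriter, list what audit mode would
#    have blocked (CodeIntegrity operational log, event 3076). An empty result means
#    the policy can be recompiled with audit mode removed:
#        Set-RuleOption -FilePath $FinalPolicy -Option 3 -Delete
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

Running step 1 on its own shows why the PUBLISHER-only run failed: every file listed as unsigned is one that can only be covered by a hash rule, and those are exactly the files that will stop matching the policy after an update.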
And after a reboot I can now run OpenLiveWriter on my Device Guard protected PC.