Device Guard - Fixing VMWare Tools
This documents my experience implementing Windows Device Guard in a VMWare Workstation home lab environment, building on Matt Graeber’s comprehensive guides. While Device Guard doesn’t enable all features in VMWare, it provides valuable hands-on learning.
The Problem
After following Graeber’s deployment steps, VMWare Tools malfunctioned. The culprit was an unsigned DLL, sigc-2.0.dll, which the strict code integrity policy blocked because no publisher rule could cover it.
The Solution
I created a separate policy specifically for VMWare Tools and merged it with the master policy.
Step 1: Generate VMWare-specific policy
# Scan the VMWare Tools directory; -UserPEs includes user-mode executables and DLLs, not only drivers
$VMWareFiles = Get-SystemDriver -ScanPath 'C:\Program Files\VMware\VMware Tools' -UserPEs
# Publisher rules for signed files; unsigned files (such as sigc-2.0.dll) get hash rules instead
New-CIPolicy -FilePath C:\DGPolicyFiles\VMWare.xml -DriverFiles $VMWareFiles -Level Publisher -Fallback Hash -UserPEs
This scans the VMWare Tools directory and creates Publisher rules for signed files; for unsigned executables and DLLs, where no publisher can be trusted, it falls back to file hashes as the verification method.
Step 2: Merge policies
$CIPolicyPath = "C:\DGPolicyFiles\"
$MasterPolicy = $CIPolicyPath+"MergedAuditPolicy.xml"
$NewPolicy = $CIPolicyPath+"VMWare.xml"
$MergedPolicy = $CIPolicyPath+"MasterMergedVMWareRules.xml"
# Combine the existing master policy with the VMWare-specific rules into one XML policy
Merge-CIPolicy -PolicyPaths $MasterPolicy,$NewPolicy -OutputFilePath $MergedPolicy
Step 3: Apply and reboot
After converting the merged XML policy to its binary form, deploying it and rebooting, VMWare Tools functions normally.
Key Considerations
- Review the whitelisted components, especially the hash-allowed unsigned files, before deployment
- Hash-based fallback rules prioritize functionality over strict security: they allow a specific unsigned binary rather than a trusted publisher
- Publisher-level validation alone proved insufficient for VMWare compatibility, since sigc-2.0.dll carries no signature
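As an added example (not code from the original post), the following PowerShell script supports the review step above: it parses a code integrity policy XML and lists every file that is allowed purely by hash, so the unsigned binaries that -Fallback Hash let through can be checked before the merged policy is converted and deployed. The element and attribute names (SiPolicy, FileRules, Allow, ID, FriendlyName, Hash) follow the policy XML that New-CIPolicy writes; the sample policy embedded below is constructed for this example, and its hash values are placeholders.

```powershell
# Added example: review the hash-based Allow rules in a Device Guard policy before deploying it.
# The sample policy below is constructed for this example; its hashes are placeholders.
$SamplePolicyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
  <VersionEx>10.0.0.0</VersionEx>
  <Rules>
    <Rule><Option>Enabled:Unsigned System Integrity Policy</Option></Rule>
    <Rule><Option>Enabled:Audit Mode</Option></Rule>
  </Rules>
  <FileRules>
    <Allow ID="ID_ALLOW_A_1" FriendlyName="C:\Program Files\VMware\VMware Tools\sigc-2.0.dll Hash Sha1" Hash="0000000000000000000000000000000000000001" />
    <Allow ID="ID_ALLOW_A_2" FriendlyName="C:\Program Files\VMware\VMware Tools\sigc-2.0.dll Hash Sha256" Hash="0000000000000000000000000000000000000000000000000000000000000002" />
    <Allow ID="ID_ALLOW_A_3" FriendlyName="C:\Program Files\VMware\VMware Tools\sigc-2.0.dll Hash Page Sha1" Hash="0000000000000000000000000000000000000003" />
  </FileRules>
  <Signers>
    <Signer ID="ID_SIGNER_S_1" Name="CONSTRUCTED_CA_NAME">
      <CertRoot Type="TBS" Value="CONSTRUCTED_TBS_HASH" />
      <CertPublisher Value="VMware, Inc." />
    </Signer>
  </Signers>
</SiPolicy>
'@

function Get-HashAllowRules {
    # Returns one object per hash-based Allow rule in the policy.
    param([xml]$Policy)
    # PowerShell's XML adapter resolves dot-navigation without a namespace manager,
    # so SiPolicy.FileRules.Allow works despite the default xmlns on the root.
    foreach ($rule in $Policy.SiPolicy.FileRules.Allow) {
        if (-not $rule.Hash) { continue }   # FileName/version rules are not hash rules
        # New-CIPolicy names hash rules "<path> Hash <Sha1|Sha256|Page Sha1|Page Sha256>"
        $path = $rule.FriendlyName -replace '\s+Hash\s+(Page\s+)?Sha(1|256)$', ''
        [pscustomobject]@{
            RuleId   = $rule.ID
            File     = Split-Path -Leaf $path
            FullPath = $path
            HashType = $rule.FriendlyName -replace '^.*\s+Hash\s+', ''
            Hash     = $rule.Hash
        }
    }
}

# Review against the constructed sample. For the real check, load the merged policy instead:
#   $rules = Get-HashAllowRules -Policy ([xml](Get-Content -Raw 'C:\DGPolicyFiles\MasterMergedVMWareRules.xml'))
$rules = Get-HashAllowRules -Policy ([xml]$SamplePolicyXml)

# One line per unsigned file pinned by hash, with the hash kinds covering it
$rules | Group-Object FullPath | ForEach-Object {
    "{0}  ({1} hash rule(s): {2})" -f $_.Name, $_.Count, (($_.Group.HashType) -join ', ')
}

# If the list contains only files you expect (here, sigc-2.0.dll), convert the reviewed
# XML policy to its binary form for deployment; this is the "convert" step before rebooting:
#   ConvertFrom-CIPolicy -XmlFilePath 'C:\DGPolicyFiles\MasterMergedVMWareRules.xml' -BinaryFilePath 'C:\DGPolicyFiles\SIPolicy.p7b'
```

Every entry in that list is an allow decision tied to one exact file version: if VMWare Tools updates sigc-2.0.dll, the hash no longer matches and the scan-and-merge steps have to be repeated, which is the maintenance cost of the hash fallback noted above.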