Apply Code Integrity Policy without reboot

Posted on by No Comments ↓

This post has been republished via RSS; it originally appeared at: Data Center Security articles.

First published on TECHNET on Apr 27, 2018
There is a new Code Integrity policy option introduced in Windows 10, and it is available in Windows Server 2019 insider build “ Update Policy No Reboot ”. I got numerous questions around how to use this option, and here is the blogpost to answer it.

What is this option?


After the Windows Server 2016 release, we talked to many customers about using Code Integrity (CI) policy to secure the servers. One main feedback from server customers is, it requires a reboot when I need to make a change in the policy. This option allows you apply a new CI policy without reboot.

This option can used for both signed and unsigned CI policy. For unsigned CI policy, any running executables; already loaded dlls or running PowerShell session will not be stopped, new policy will be applied to new PowerShell sessions, reloading dlls or executables. For signed CI policy, one additional check is in the pre-boot environment with UEFI validation, and this check won’t take effect till the machine reboot.

This option is not recommended on the Guarded Fabric deployment. As part of the host attestation, measured boot log and CI policy are checked against the HGS server, it ensures the guarded host is running the same copy of the CI policy as admin defined on the HGS server. If the guarded host is running the CI policy allow “no reboot”, it breaks the guarded host security promise.

How to apply it?


Let’s use an example to illustrate the process.

I have s server which is governed by a CI policy (CI.old), in this policy, it has the option enabled:
<Rule>
<Option>Enabled:Update Policy No Reboot</Option>
</Rule>
Now I have a new policy I’d like to apply, I convert it to the binary format using Convertfrom-CIpolicy, and run the following cmd to apply the new policy:
Invoke-CimMethod -Namespace root/microsoft/Windows/CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{ FilePath = 'C:\sipolicy.p7b' }
In short, to apply CI policy without reboot, you need to ensure the existing policy has the option enabled, and run the cmdlet to apply the new policy.

Note: this cmdlet for applying new CI policy may change in the new release of Windows (post 1804 release)

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.