# Device Guard - Fixing VMWare Tools

I've been really keen to try Device Guard out lately and I finally rolled up my sleeves and used Matt Graeber's excellent guide found at:

<http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html>

<http://www.exploit-monday.com/2016/12/updating-device-guard-code-integrity.html>

This post is based entirely on his work, and full credit goes to him. I wanted to write it in case someone finds themselves in the same situation I was in: simply wanting to get familiar with Device Guard in their own mini home lab. Running Device Guard inside VMware Workstation won't enable every feature it offers, but it's a good starting point for deploying policies and getting a general feel for the technology.

After I followed Matt's guide, VMware Tools refused to function, and I want to outline how I got them working again using his posts and some Microsoft documentation.

I'm going to start off assuming you have followed Matt's steps and have a system deployed with Device Guard, but with VMware Tools in a non-working state. The culprit, it seems, is sigc-2.0.dll:

[![](https://3.bp.blogspot.com/-N5E1fhkwdGc/WVfbMtzbyBI/AAAAAAAAHa4/h7aYKh1k3JUzYX0DgKQwU7abYLtsI3CiACLcBGAs/s1600/Untitled%2Bpicture.png)](https://3.bp.blogspot.com/-N5E1fhkwdGc/WVfbMtzbyBI/AAAAAAAAHa4/h7aYKh1k3JUzYX0DgKQwU7abYLtsI3CiACLcBGAs/s1600/Untitled%2Bpicture.png)

[![](https://4.bp.blogspot.com/-X11EhPt66ZY/WVfbjJuCDWI/AAAAAAAAHa8/6NYyDU5nZRc3lbvZCjdR7nyV5aR6K7tWACLcBGAs/s1600/2017-06-24_16-04-21.png)](https://4.bp.blogspot.com/-X11EhPt66ZY/WVfbjJuCDWI/AAAAAAAAHa8/6NYyDU5nZRc3lbvZCjdR7nyV5aR6K7tWACLcBGAs/s1600/2017-06-24_16-04-21.png)

It looks like that particular DLL isn't signed, so it doesn't match the publisher-level rules in the policy we originally created.

From this point we have to create a new policy specifically for VMware Tools, which we will then merge with our master policy. I used the following code:

```powershell
# Scan the VMware Tools folder; -UserPEs includes user-mode DLLs/EXEs, not just drivers
$VMWareFiles = Get-SystemDriver -ScanPath 'C:\Program Files\VMware\VMware Tools' -UserPEs
# Build a policy from the scan: trust by publisher where possible, fall back to file hashes
New-CIPolicy -FilePath C:\DGPolicyFiles\VMWare.xml -DriverFiles $VMWareFiles -Level Publisher -Fallback Hash -UserPEs
```

The first line scans the VMware Tools folder (including user-mode PEs, thanks to `-UserPEs`) and stores the results in a variable; the second line passes those results to the New-CIPolicy cmdlet, which creates a CI policy at the Publisher level and falls back to file hashes for anything that can't be covered by a publisher rule.

Taking a peek at the policy that was generated, we see hashes generated for the various DLLs within the VMware Tools folder, including our sigc-2.0.dll:

[![](https://2.bp.blogspot.com/-aNGvgz0X-a4/WVfc0ineboI/AAAAAAAAHbA/ipDx3x3k1Q0I8zHCaGpqhtxievippArJQCLcBGAs/s1600/2017-07-01_13-32-26.png)](https://2.bp.blogspot.com/-aNGvgz0X-a4/WVfc0ineboI/AAAAAAAAHbA/ipDx3x3k1Q0I8zHCaGpqhtxievippArJQCLcBGAs/s1600/2017-07-01_13-32-26.png)
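To review the generated policy without reading the raw XML, here is an added example (not code from the original post) that separates the publisher signers from the hash-fallback rules. It assumes the policy path used above and the standard SiPolicy schema that New-CIPolicy emits (`SiPolicy/Signers/Signer` and `SiPolicy/FileRules/Allow`).

```powershell
# Added example: list which VMware Tools files were trusted by publisher and which
# only got a hash rule. Path is the one used in the post; schema element names are
# the standard CI policy schema (assumed, not taken from the post).
$PolicyFile = 'C:\DGPolicyFiles\VMWare.xml'
[xml]$Policy = Get-Content -Path $PolicyFile

# Publisher-level trust shows up as Signer entries (one per signing certificate chain)
$Signers = @($Policy.SiPolicy.Signers.Signer)
# Hash fallback shows up as Allow entries that carry a Hash attribute
$HashRules = @($Policy.SiPolicy.FileRules.Allow | Where-Object { $_.Hash })

'{0} publisher signer(s), {1} hash-based allow rule(s)' -f $Signers.Count, $HashRules.Count
$Signers | Select-Object -Property Name

# New-CIPolicy writes several hash rules per file (SHA1/SHA256, authenticode and page
# hashes), so group them back to one line per file. The FriendlyName suffix pattern
# is an assumption about the generator's naming and may need adjusting.
$HashRules |
    Group-Object -Property { $_.FriendlyName -replace ' Hash (Page )?Sha\d+$', '' } |
    Select-Object -Property @{ Name = 'File'; Expression = { $_.Name } },
                            @{ Name = 'HashRules'; Expression = { $_.Count } } |
    Sort-Object -Property File |
    Format-Table -AutoSize

# Every file in this list is pinned to a specific build: a VMware Tools update will
# change its hash, and the policy has to be regenerated and re-merged for it.
$HashRules | Where-Object { $_.FriendlyName -like '*sigc-2.0.dll*' } |
    Select-Object -Property FriendlyName, Hash
```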

Now that we have a policy generated, we need to merge it into our master policy. I used the following code:

```powershell
$CIPolicyPath = "C:\DGPolicyFiles\"
$MasterPolicy = $CIPolicyPath + "MergedAuditPolicy.xml"
$NewPolicy    = $CIPolicyPath + "VMWare.xml"
# Join-Path avoids a doubled backslash, since $CIPolicyPath already ends with one
$MergedPolicy = Join-Path -Path $CIPolicyPath -ChildPath "MasterMergedVMWareRules.xml"
Merge-CIPolicy -PolicyPaths $MasterPolicy, $NewPolicy -OutputFilePath $MergedPolicy
```

This simply sets some path variables, pointing at the original policy we used and at our new VMware Tools policy, and then uses the Merge-CIPolicy cmdlet to merge the two into one "Master Merged" policy. We then need to convert this policy to its binary form and apply it. Here I used Matt's code again, from the "Phase #4" portion of his guide ( <http://www.exploit-monday.com/2016/09/introduction-to-windows-device-guard.html> ); I just changed the relevant variable in the following line:

```powershell
$MergedAuditPolicyXml = Join-Path -Path $PolicyDirectory -ChildPath 'MasterMergedVMWareRules.xml'
```

After a reboot, you should have a working set of VMware Tools.
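The whole procedure in one script, as an added example that is neither the post's own code nor Matt Graeber's Phase #4 script: the scan, policy creation and merge use the post's paths, while the audit-mode rule option, the ConvertFrom-CIPolicy step and the SIPolicy.p7b destination are the standard Device Guard deployment steps and are assumed here rather than copied from his guide.

```powershell
# Added example: end-to-end VMware Tools policy build, merge and deploy.
# Paths follow the post; deployment steps are standard ConfigCI usage (assumed).
$PolicyDirectory = 'C:\DGPolicyFiles'
$MasterPolicy    = Join-Path $PolicyDirectory 'MergedAuditPolicy.xml'
$VMWarePolicy    = Join-Path $PolicyDirectory 'VMWare.xml'
$MergedPolicy    = Join-Path $PolicyDirectory 'MasterMergedVMWareRules.xml'
$BinaryPolicy    = Join-Path $PolicyDirectory 'SIPolicy.bin'

# 1. Scan VMware Tools, including user-mode PEs (the broken sigc-2.0.dll is one)
$VMWareFiles = Get-SystemDriver -ScanPath 'C:\Program Files\VMware\VMware Tools' -UserPEs

# 2. Trust signed files by publisher; unsigned files such as sigc-2.0.dll get a hash rule
New-CIPolicy -FilePath $VMWarePolicy -DriverFiles $VMWareFiles `
             -Level Publisher -Fallback Hash -UserPEs

# 3. Merge the VMware rules into the existing master policy
Merge-CIPolicy -PolicyPaths $MasterPolicy, $VMWarePolicy -OutputFilePath $MergedPolicy

# 4. Keep the merged policy in audit mode (rule option 3, "Enabled:Audit Mode") until
#    the CodeIntegrity event log shows no unexpected blocks; re-run this line with
#    -Delete to switch to enforcement once you are satisfied.
Set-RuleOption -FilePath $MergedPolicy -Option 3

# 5. Convert to the binary form the kernel loads and place it where CI picks it up at boot
ConvertFrom-CIPolicy -XmlFilePath $MergedPolicy -BinaryFilePath $BinaryPolicy
Copy-Item -Path $BinaryPolicy `
          -Destination (Join-Path $env:SystemRoot 'System32\CodeIntegrity\SIPolicy.p7b') -Force

# 6. The new policy takes effect on the next boot
# Restart-Computer
```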

A few notes ...

* You should take a close look at what the generated VMware Tools policy contains and decide whether you are comfortable trusting the DLLs and EXEs it whitelists.
* I am by no means an expert in Device Guard, I just really wanted to get a feel for it because it's a pretty awesome way to secure your assets and it's free. I'm sure there are more streamlined ways to script this or to lock down the policy tighter.
* Perhaps using hashes isn't the most robust or secure way to build a whitelist policy, but I couldn't seem to get VMWare tools working using just the publisher CA level.
* Again, all credit goes to Matt Graeber for writing the original guides.

Some helpful links:

<https://technet.microsoft.com/itpro/powershell/windows/configci/new-cipolicy>

<https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md>

<http://www.exploit-monday.com/2016/11/code-integrity-policy-audit-methodology.html>

<http://www.exploit-monday.com/2016/10/code-integrity-policy-reference.html>

