deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-19 20:33:42 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' of github.com:MicrosoftDocs/windows-docs-pr into security-book-24

Browse Source
This commit is contained in:
Paolo Matarazzo
2024-11-04 11:10:27 -05:00
parent 81f4a34cfb 186882db98
commit 102cc4d1f4
97 changed files with 1768 additions and 1561 deletions
Download Patch File Download Diff File Expand all files Collapse all files

254
windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -13,6 +13,9 @@ appliesto:
# Enable virtualization-based protection of code integrity
> [!WARNING]
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
**Memory integrity** is a Virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
@ -20,9 +23,6 @@ appliesto:
> - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
> - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
> [!WARNING]
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
## Memory integrity features
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
@ -32,28 +32,28 @@ appliesto:
To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options:
- [Windows Security settings](#windows-security)
- [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune)
- [Group Policy](#enable-memory-integrity-using-group-policy)
- [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
- [Registry](#use-registry-keys-to-enable-memory-integrity)
### [:::image type="icon" source="../images/icons/security-app.svg" border="false"::: **Windows Security**](#tab/security)
### Windows Security
### Enable memory integrity using Windows Security
**Memory integrity** can be turned on in **Windows Security** settings and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Enable memory integrity using Intune
Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integrity** setting using the [settings catalog](/mem/intune/configuration/settings-catalog) to enable memory integrity. You can also use the HypervisorEnforcedCodeIntegrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology).
### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
### Enable memory integrity using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
1. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
1. Double-click **Turn on Virtualization Based Security**.
1. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
1. Select **Enabled**. Under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
![Enable memory integrity using Group Policy.](images/enable-hvci-gp.png)
@ -61,7 +61,9 @@ Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integri
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated Command Prompt.
### Use registry keys to enable memory integrity
### [:::image type="icon" source="../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
### Enable memory integrity using registry
Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
@ -85,74 +87,78 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
If you want to customize the preceding recommended settings, use the following registry keys.
**To enable VBS only (no memory integrity)**
- To enable VBS only (no memory integrity):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
```
**To enable VBS and require Secure boot only (value 1)**
- To enable VBS and require Secure boot only (value 1):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
**To enable VBS with Secure Boot and DMA protection (value 3)**
- To enable VBS with Secure Boot and DMA protection (value 3):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable VBS without UEFI lock (value 0)**
- To enable VBS without UEFI lock (value 0):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
```
**To enable VBS with UEFI lock (value 1)**
- To enable VBS with UEFI lock (value 1):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable memory integrity**
- To enable memory integrity:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
```
**To enable memory integrity without UEFI lock (value 0)**
- To enable memory integrity without UEFI lock (value 0):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
**To enable memory integrity with UEFI lock (value 1)**
- To enable memory integrity with UEFI lock (value 1):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable VBS (and memory integrity) in mandatory mode**
- To enable VBS (and memory integrity) in mandatory mode:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
```
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
```
The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
> [!IMPORTANT]
> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
> [!IMPORTANT]
> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
```cmd
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
```
- To gray out the memory integrity UI and display the message `This setting is managed by your administrator`:
**To let memory integrity UI behave normally (Not grayed out)**
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
```
```cmd
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
```
- To let memory integrity UI behave normally (Not grayed out):
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
```
### [:::image type="icon" source="../images/icons/app-control.svg" border="false"::: **App Control**](#tab/appcontrol)
### Enable memory integrity using App Control for Business
@ -165,6 +171,8 @@ You can use App Control policy to turn on memory integrity using any of the foll
> [!NOTE]
> If your App Control policy is set to turn memory integrity on, it will be turned on even if the policy is in audit mode.
---
### Validate enabled VBS and memory integrity features
#### Use Win32_DeviceGuard WMI class
@ -180,82 +188,98 @@ Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\D
The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
##### AvailableSecurityProperties
- **InstanceIdentifier**: A string that is unique to a particular device and set by WMI.
This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
- **Version**: This field lists the version of this WMI class. The only valid value now is **1.0**.
| Value | Description |
|-------|---------------------------------------------------------|
| **0** | If present, no relevant properties exist on the device. |
| **1** | If present, hypervisor support is available. |
| **2** | If present, Secure Boot is available. |
| **3** | If present, DMA protection is available. |
| **4** | If present, Secure Memory Overwrite is available. |
| **5** | If present, NX protections are available. |
| **6** | If present, SMM mitigations are available. |
| **7** | If present, MBEC/GMET is available. |
| **8** | If present, APIC virtualization is available. |
- **AvailableSecurityProperties**: This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
##### InstanceIdentifier
| Value | Description |
|-------|---------------------------------------------------------|
| **0** | If present, no relevant properties exist on the device. |
| **1** | If present, hypervisor support is available. |
| **2** | If present, Secure Boot is available. |
| **3** | If present, DMA protection is available. |
| **4** | If present, Secure Memory Overwrite is available. |
| **5** | If present, NX protections are available. |
| **6** | If present, SMM mitigations are available. |
| **7** | If present, MBEC/GMET is available. |
| **8** | If present, APIC virtualization is available. |
A string that is unique to a particular device and set by WMI.
- **CodeIntegrityPolicyEnforcementStatus**: This field indicates the code integrity policy enforcement status.
##### RequiredSecurityProperties
| Value | Description |
|-------|-------------|
| **0** | Off |
| **1** | Audit. |
| **2** | Enforced. |
This field describes the required security properties to enable VBS.
- **RequiredSecurityProperties**: This field describes the required security properties to enable VBS.
| Value | Description |
|-------|------------------------------------------------|
| **0** | Nothing is required. |
| **1** | If present, hypervisor support is needed. |
| **2** | If present, Secure Boot is needed. |
| **3** | If present, DMA protection is needed. |
| **4** | If present, Secure Memory Overwrite is needed. |
| **5** | If present, NX protections are needed. |
| **6** | If present, SMM mitigations are needed. |
| **7** | If present, MBEC/GMET is needed. |
| Value | Description |
|-------|------------------------------------------------|
| **0** | Nothing is required. |
| **1** | If present, hypervisor support is needed. |
| **2** | If present, Secure Boot is needed. |
| **3** | If present, DMA protection is needed. |
| **4** | If present, Secure Memory Overwrite is needed. |
| **5** | If present, NX protections are needed. |
| **6** | If present, SMM mitigations are needed. |
| **7** | If present, MBEC/GMET is needed. |
##### SecurityServicesConfigured
- **SecurityServicesConfigured**: This field indicates whether Credential Guard or memory integrity is configured.
This field indicates whether Credential Guard or memory integrity is configured.
| Value | Description |
|-------|-------------------------------------------------------|
| **0** | No services are configured. |
| **1** | If present, Credential Guard is configured. |
| **2** | If present, memory integrity is configured. |
| **3** | If present, System Guard Secure Launch is configured. |
| **4** | If present, SMM Firmware Measurement is configured. |
| **5** | If present, Kernel-mode Hardware-enforced Stack Protection is configured. |
| **6** | If present, Kernel-mode Hardware-enforced Stack Protection is configured in Audit mode. |
| **7** | If present, Hypervisor-Enforced Paging Translation is configured. |
| Value | Description |
|-------|-------------------------------------------------------|
| **0** | No services are configured. |
| **1** | If present, Credential Guard is configured. |
| **2** | If present, memory integrity is configured. |
| **3** | If present, System Guard Secure Launch is configured. |
| **4** | If present, SMM Firmware Measurement is configured. |
- **SecurityServicesRunning**: This field indicates whether Credential Guard or memory integrity is running.
##### SecurityServicesRunning
| Value | Description |
|-------|----------------------------------------------------|
| **0** | No services running. |
| **1** | If present, Credential Guard is running. |
| **2** | If present, memory integrity is running. |
| **3** | If present, System Guard Secure Launch is running. |
| **4** | If present, SMM Firmware Measurement is running. |
| **5** | If present, Kernel-mode Hardware-enforced Stack Protection is running. |
| **6** | If present, Kernel-mode Hardware-enforced Stack Protection is running in Audit mode. |
| **7** | If present, Hypervisor-Enforced Paging Translation is running. |
This field indicates whether Credential Guard or memory integrity is running.
- **SmmIsolationLevel**: This field indicates the SMM isolation level.
| Value | Description |
|-------|----------------------------------------------------|
| **0** | No services running. |
| **1** | If present, Credential Guard is running. |
| **2** | If present, memory integrity is running. |
| **3** | If present, System Guard Secure Launch is running. |
| **4** | If present, SMM Firmware Measurement is running. |
- **UsermodeCodeIntegrityPolicyEnforcementStatus**: This field indicates the user mode code integrity policy enforcement status.
##### Version
| Value | Description |
|-------|-------------|
| **0** | Off |
| **1** | Audit. |
| **2** | Enforced. |
This field lists the version of this WMI class. The only valid value now is **1.0**.
- **VirtualizationBasedSecurityStatus**: This field indicates whether VBS is enabled and running.
##### VirtualizationBasedSecurityStatus
| Value | Description |
|-------|---------------------------------|
| **0** | VBS isn't enabled. |
| **1** | VBS is enabled but not running. |
| **2** | VBS is enabled and running. |
This field indicates whether VBS is enabled and running.
- **VirtualMachineIsolation**: This field indicates whether virtual machine isolation is enabled.
| Value | Description |
|-------|---------------------------------|
| **0** | VBS isn't enabled. |
| **1** | VBS is enabled but not running. |
| **2** | VBS is enabled and running. |
- **VirtualMachineIsolationProperties**: This field indicates the set of virtual machine isolation properties that are available.
##### PSComputerName
This field lists the computer name. All valid values for computer name.
| Value | Description |
|-------|-------------------------------|
| **1** | AMD SEV-SNP |
| **2** | Virtualization-based Security |
| **3** | Intel TDX |
#### Use msinfo32.exe