deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Freshness update

Browse Source
This commit is contained in:
Vinay Pamnani (from Dev Box) 2024-03-26 11:15:47 -06:00
parent ab8c2336a0
commit 17a23a9ffa
2 changed files with 63 additions and 119 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

182
windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -2,7 +2,7 @@
title: Enable memory integrity title: Enable memory integrity
description: This article explains the steps to opt in to using memory integrity on Windows devices. description: This article explains the steps to opt in to using memory integrity on Windows devices.
ms.topic: conceptual ms.topic: conceptual
ms.date: 03/16/2023 ms.date: 03/26/2024
appliesto: appliesto:
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>" - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>"
- "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>" - "✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>"
@ -16,14 +16,13 @@ appliesto:
**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system. **Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE] > [!NOTE]
> Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3. >
> - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
> - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
> [!WARNING] > [!WARNING]
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps. > Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
> [!NOTE]
> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
## Memory integrity features ## Memory integrity features
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers. - Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
@ -47,21 +46,16 @@ Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory i
### Enable memory integrity using Intune ### Enable memory integrity using Intune
Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog). Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integrity** setting using the [settings catalog](/mem/intune/configuration/settings-catalog) to enable memory integrity. You can also use the HypervisorEnforcedCodeIntegrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology).
### Enable memory integrity using Group Policy ### Enable memory integrity using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
1. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. 1. Double-click **Turn on Virtualization Based Security**.
1. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
3. Double-click **Turn on Virtualization Based Security**.
4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
![Enable memory integrity using Group Policy.](images/enable-hvci-gp.png) ![Enable memory integrity using Group Policy.](images/enable-hvci-gp.png)
1. Select **Ok** to close the editor.
5. Select **Ok** to close the editor.
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
@ -69,8 +63,6 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup
Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy. Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
<!--This comment ensures that the Important above and the Warning below don't merge together. -->
> [!IMPORTANT] > [!IMPORTANT]
> >
> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. > - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
@ -79,19 +71,13 @@ Set the following registry keys to enable memory integrity. These keys provide e
> >
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 10 version 1607 and later and for Windows 11 version 21H2
Recommended settings (to enable memory integrity without UEFI Lock): Recommended settings (to enable memory integrity without UEFI Lock):
```console ```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
``` ```
@ -155,52 +141,6 @@ reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\Hyperviso
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
``` ```
#### For Windows 10 version 1511 and earlier
Recommended settings (to enable memory integrity, without UEFI Lock):
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
If you want to customize the preceding recommended settings, use the following settings.
**To enable VBS (it is always locked to UEFI)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
```
**To enable VBS and require Secure boot only (value 1)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
**To enable VBS with Secure Boot and DMA (value 3)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable memory integrity (with the default, UEFI lock)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
```
**To enable memory integrity without UEFI lock**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
### Enable memory integrity using Windows Defender Application Control (WDAC) ### Enable memory integrity using Windows Defender Application Control (WDAC)
You can use WDAC policy to turn on memory integrity using any of the following techniques: You can use WDAC policy to turn on memory integrity using any of the following techniques:
@ -214,10 +154,12 @@ You can use WDAC policy to turn on memory integrity using any of the following t
### Validate enabled VBS and memory integrity features ### Validate enabled VBS and memory integrity features
Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: #### Use Win32_DeviceGuard WMI class
Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: **Win32_DeviceGuard**. This class can be queried from an elevated Windows PowerShell session by using the following command:
```powershell ```powershell
Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
``` ```
> [!NOTE] > [!NOTE]
@ -225,83 +167,85 @@ Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windo
The output of this command provides details of the available hardware-based security features and those features that are currently enabled. The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
#### AvailableSecurityProperties ##### AvailableSecurityProperties
This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity. This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
Value | Description | Value | Description |
-|- |-------|---------------------------------------------------------|
**0.** | If present, no relevant properties exist on the device. | **0** | If present, no relevant properties exist on the device. |
**1.** | If present, hypervisor support is available. | **1** | If present, hypervisor support is available. |
**2.** | If present, Secure Boot is available. | **2** | If present, Secure Boot is available. |
**3.** | If present, DMA protection is available. | **3** | If present, DMA protection is available. |
**4.** | If present, Secure Memory Overwrite is available. | **4** | If present, Secure Memory Overwrite is available. |
**5.** | If present, NX protections are available. | **5** | If present, NX protections are available. |
**6.** | If present, SMM mitigations are available. | **6** | If present, SMM mitigations are available. |
**7.** | If present, MBEC/GMET is available. | **7** | If present, MBEC/GMET is available. |
**8.** | If present, APIC virtualization is available. | **8** | If present, APIC virtualization is available. |
#### InstanceIdentifier ##### InstanceIdentifier
A string that is unique to a particular device and set by WMI. A string that is unique to a particular device and set by WMI.
#### RequiredSecurityProperties ##### RequiredSecurityProperties
This field describes the required security properties to enable VBS. This field describes the required security properties to enable VBS.
Value | Description | Value | Description |
-|- |-------|------------------------------------------------|
**0.** | Nothing is required. | **0** | Nothing is required. |
**1.** | If present, hypervisor support is needed. | **1** | If present, hypervisor support is needed. |
**2.** | If present, Secure Boot is needed. | **2** | If present, Secure Boot is needed. |
**3.** | If present, DMA protection is needed. | **3** | If present, DMA protection is needed. |
**4.** | If present, Secure Memory Overwrite is needed. | **4** | If present, Secure Memory Overwrite is needed. |
**5.** | If present, NX protections are needed. | **5** | If present, NX protections are needed. |
**6.** | If present, SMM mitigations are needed. | **6** | If present, SMM mitigations are needed. |
**7.** | If present, MBEC/GMET is needed. | **7** | If present, MBEC/GMET is needed. |
#### SecurityServicesConfigured ##### SecurityServicesConfigured
This field indicates whether Credential Guard or memory integrity has been configured. This field indicates whether Credential Guard or memory integrity has been configured.
Value | Description | Value | Description |
-|- |-------|-------------------------------------------------------|
**0.** | No services are configured. | **0** | No services are configured. |
**1.** | If present, Credential Guard is configured. | **1** | If present, Credential Guard is configured. |
**2.** | If present, memory integrity is configured. | **2** | If present, memory integrity is configured. |
**3.** | If present, System Guard Secure Launch is configured. | **3** | If present, System Guard Secure Launch is configured. |
**4.** | If present, SMM Firmware Measurement is configured. | **4** | If present, SMM Firmware Measurement is configured. |
#### SecurityServicesRunning ##### SecurityServicesRunning
This field indicates whether Credential Guard or memory integrity is running. This field indicates whether Credential Guard or memory integrity is running.
Value | Description | Value | Description |
-|- |-------|----------------------------------------------------|
**0.** | No services running. | **0** | No services running. |
**1.** | If present, Credential Guard is running. | **1** | If present, Credential Guard is running. |
**2.** | If present, memory integrity is running. | **2** | If present, memory integrity is running. |
**3.** | If present, System Guard Secure Launch is running. | **3** | If present, System Guard Secure Launch is running. |
**4.** | If present, SMM Firmware Measurement is running. | **4** | If present, SMM Firmware Measurement is running. |
#### Version ##### Version
This field lists the version of this WMI class. The only valid value now is **1.0**. This field lists the version of this WMI class. The only valid value now is **1.0**.
#### VirtualizationBasedSecurityStatus ##### VirtualizationBasedSecurityStatus
This field indicates whether VBS is enabled and running. This field indicates whether VBS is enabled and running.
Value | Description | Value | Description |
-|- |-------|---------------------------------|
**0.** | VBS isn't enabled. | **0** | VBS isn't enabled. |
**1.** | VBS is enabled but not running. | **1** | VBS is enabled but not running. |
**2.** | VBS is enabled and running. | **2** | VBS is enabled and running. |
#### PSComputerName ##### PSComputerName
This field lists the computer name. All valid values for computer name. This field lists the computer name. All valid values for computer name.
#### Use msinfo32.exe
Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the **System Summary** section. Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the **System Summary** section.
:::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png"::: :::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png":::

BIN
windows/security/hardware-security/images/system-information-virtualization-based-security.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 13 KiB