From 74eb90a8d76b05500ccf9ce20583614a5575ea2a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 30 Jul 2021 17:46:30 +0530 Subject: [PATCH 1/2] Added powershell commands as per user feedback #9824, so i added correct commands after verification from the windows 11 dev channel. Also, I found that TWO screenshots are really old, so I want to add new screenshots. --- ...tion-based-protection-of-code-integrity.md | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 0628013832..e0a2325d8c 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -103,7 +103,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. +**To enable VBS with Secure Boot and DMA (value 3)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f +``` **To enable VBS without UEFI lock (value 0)** @@ -111,7 +115,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f ``` -> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. +**To enable VBS with UEFI lock (value 1)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f +``` **To enable virtualization-based protection of Code Integrity policies** @@ -125,7 +133,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` -> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. +**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f +``` #### For Windows 10 version 1511 and earlier @@ -155,7 +167,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. +**To enable VBS with Secure Boot and DMA (value 3)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f +``` **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** @@ -296,4 +312,4 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. -- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. \ No newline at end of file +- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. From 2cf0c6cf1b87c64594c832e8b63c3be4ded916d8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 30 Jul 2021 09:04:29 -0700 Subject: [PATCH 2/2] Update enable-virtualization-based-protection-of-code-integrity.md --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index e0a2325d8c..429cc12f93 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -10,7 +10,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/01/2019 +ms.date: 07/30/2021 ms.reviewer: ms.technology: mde ---