Add a brief explanation of the VBS Mandatory mode

Update the public documentation to include VBS Mandatory mode
Andrea Allievi 2024-09-17 08:58:12 -07:00 committed by GitHub
parent 5be328abb0
commit 4b305aed19
GPG Key ID: B5690EEEBB952194

@ -61,7 +61,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup
### Use registry keys to enable memory integrity ### Use registry keys to enable memory integrity
Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy. Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
> [!IMPORTANT] > [!IMPORTANT]
> >
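Review bot: the reworded sentence on the right-hand side of the second line of this hunk drops the article and the trailing period; "These keys provide similar set of configuration options provided by Group Policy" should read "These keys provide a similar set of configuration options to those provided by Group Policy." Since the claim is deliberately being softened from "exactly the same" to "similar", it would also help the reader to say what differs (which registry option has no Group Policy counterpart) rather than leave the difference implied.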
@ -95,7 +95,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
``` ```
**To enable VBS with Secure Boot and DMA (value 3)** **To enable VBS with Secure Boot and DMA protection (value 3)**
```console ```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
@ -131,6 +131,13 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
``` ```
**To enable VBS (and memory integrity) in mandatory mode**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
```
The "mandatory" setting <b>prevents</b> the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. Special careful should be used before enabling this mode, since, as explained, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD).
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
```console ```console
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
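Review bot: the explanatory paragraph added after the new `reg add "... /v "Mandatory"` block has several grammar errors that should be fixed before merge: "prevents the OS loader to continue to boot" should be "prevents the OS loader from continuing to boot", "Special careful should be used" should be "Special care should be taken", and "Blue Screen of Dead" should be "Blue Screen of Death". The emphasis uses HTML `<b>` tags while the rest of this file uses Markdown bold, so write `**prevents**` for consistency. Also, the `Mandatory` value is set directly under `HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard`, not under the `Scenarios\HypervisorEnforcedCodeIntegrity` subkey used by the surrounding memory-integrity entries; the heading says "VBS (and memory integrity)", so the paragraph should state plainly that the setting governs VBS as a whole (Hypervisor and Secure Kernel load failures) and is not a memory-integrity-only switch, and should spell out how to recover a machine that no longer boots (for example, that the value must be cleared offline) since the text warns of that outcome without saying what to do about it.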