From 74eb90a8d76b05500ccf9ce20583614a5575ea2a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 30 Jul 2021 17:46:30 +0530 Subject: [PATCH] Added powershell commands as per user feedback #9824, so i added correct commands after verification from the windows 11 dev channel. Also, I found that TWO screenshots are really old, so I want to add new screenshots. --- ...tion-based-protection-of-code-integrity.md | 26 +++++++++++++++---- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 0628013832..e0a2325d8c 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -103,7 +103,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. +**To enable VBS with Secure Boot and DMA (value 3)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f +``` **To enable VBS without UEFI lock (value 0)** 
@@ -111,7 +115,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f ``` -> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. +**To enable VBS with UEFI lock (value 1)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f +``` **To enable virtualization-based protection of Code Integrity policies** @@ -125,7 +133,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` -> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. +**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f +``` #### For Windows 10 version 1511 and earlier @@ -155,7 +167,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. +**To enable VBS with Secure Boot and DMA (value 3)** + +``` command +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f +``` **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** 
@@ -296,4 +312,4 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. -- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. \ No newline at end of file +- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
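
Review bot: In the hunk at @@ -103,7 +103,11, the new "value 3" block reads as a further step after the value 1 command rather than as an alternative to it. Both lines write `RequirePlatformSecurityFeatures` under the same key with `/f`, so a reader who pastes the section top to bottom ends on 3 with no prompt. The removed note ("in the preceding command, change **/d 1** to **/d 3**") made the either/or explicit; suggest keeping that in a one-line sentence under the new heading, for example "Run this instead of the previous command." The same applies to the identical addition at @@ -155,7 +167,11. Also check that the `command` fence label, written with a space after the backticks, matches the fences on the existing `reg add` blocks.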
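
Review bot: At @@ -111,7 +115,11 the "with UEFI lock (value 1)" command directly follows the "without UEFI lock (value 0)" command and writes the same `Locked` value under `DeviceGuard` with `/f`, so running both in order leaves the lock set to 1, the opposite of what the first heading says. The two settings are mutually exclusive; say so next to the new heading. Since the visible text does not say how to reverse value 1 once it is set, consider adding a pointer to that procedure here as well.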
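
Review bot: The block added at @@ -125,7 +133,11 sets `Locked` under `DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity`, while the block added at @@ -111,7 +115,11 sets a different `Locked` value directly under `DeviceGuard`; with near-identical headings and commands it is easy to run one believing it is the other. Suggest a short sentence under each heading naming what the value locks (VBS itself versus the Code Integrity policy protection), and marking this command as a replacement for the `/d 0` line above it rather than an extra step.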