diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md index 5d7501522d..624d32f096 100644 --- a/windows/security/identity-protection/credential-guard/configure.md +++ b/windows/security/identity-protection/credential-guard/configure.md @@ -61,7 +61,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the | Setting | |--------| -| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value:** `1`| +| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value**: `1`| | **Setting name**: Credential Guard Configuration
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags`
**Data type**: int
**Value**:
 **Enabled with UEFI lock**: `1`
 **Enabled without lock**: `2`| Once the policy is applied, restart the device. @@ -91,9 +91,9 @@ To configure devices using the registry, use the following settings: | Setting | |--| -| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name:** `EnableVirtualizationBasedSecurity`
**Type:** `REG_DWORD`
**Value:** `1` (to enable Virtualization Based Security)| -| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name:** `RequirePlatformSecurityFeatures`
**Type:** `REG_DWORD`
**Value:**
 `1` (to use Secure Boot)
 `3` (to use Secure Boot and DMA protection) | -| **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
**Key name:** `LsaCfgFlags`
**Type:** `REG_DWORD`
**Value:**
 `1` (to enable Credential Guard with UEFI lock)
 `2` (to enable Credential Guard without lock)| +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name**: `EnableVirtualizationBasedSecurity`
**Type**: `REG_DWORD`
**Value**: `1` (to enable Virtualization Based Security)| +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
**Key name**: `RequirePlatformSecurityFeatures`
**Type**: `REG_DWORD`
**Value**:
 `1` (to use Secure Boot)
 `3` (to use Secure Boot and DMA protection) | +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
**Value**:
 `1` (to enable Credential Guard with UEFI lock)
 `2` (to enable Credential Guard without lock)| Restart the device to apply the change. @@ -280,8 +280,8 @@ If Credential Guard is enabled without UEFI Lock and without Group Policy, it's | Setting | |-| -| - **Key path:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
- **Key name:** `LsaCfgFlags`
- **Type:** `REG_DWORD`
- **Value:** `0`| -| - **Key path:** `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`
- **Key name:** `LsaCfgFlags`
- **Type:** `REG_DWORD`
- **Value:** `0`| +| **Key path**: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
- **Value**: `0`| +| **Key path**: `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`
**Key name**: `LsaCfgFlags`
**Type**: `REG_DWORD`
- **Value**: `0`| > [!NOTE] > Deleting these registry settings may not disable Credential Guard. They must be set to a value of 0. @@ -356,7 +356,7 @@ Alternatively, you can configure devices using a [custom policy][INT-1] with the | Setting | |--------| -| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value:** `0`| +| **Setting name**: Turn On Virtualization Based Security
**OMA-URI**: `./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity`
**Data type**: int
**Value**: `0`| Once the policy is applied, restart the device. @@ -364,24 +364,33 @@ Once the policy is applied, restart the device. ### Disable VBS with group policy -1. Configure the policy used to enable VBS to **Disabled**. The policy setting path is: `Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security` -1. Once the policy is applied, restart the device +Configure the policy used to enable VBS to **Disabled**. + +[!INCLUDE [gpo-settings-1](../../../../includes/configure/gpo-settings-1.md)] + +| Group policy path | Group policy setting | Value | +| - | - | - | +| **Computer Configuration\Administrative Templates\System\Device Guard\Turn on Virtualization Based Security** |Turn On Virtualization Based Security | **Disabled** | + +[!INCLUDE [gpo-settings-2](../../../../includes/configure/gpo-settings-2.md)] + +Once the policy is applied, restart the device #### [:::image type="icon" source="../../images/icons/windows-os.svg" border="false"::: **Registry**](#tab/reg) ### Disable VBS with registry settings -1. Delete the following registry keys: +Delete the following registry keys: - | Setting | - |--| - | Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `EnableVirtualizationBasedSecurity` | - | Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `RequirePlatformSecurityFeatures`| +| Setting | +|--| +| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `EnableVirtualizationBasedSecurity` | +| Key path: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard`
Key name: `RequirePlatformSecurityFeatures`| - > [!IMPORTANT] - > If you manually remove the registry settings, make sure to delete them all, otherwise the device might go into BitLocker recovery. +> [!IMPORTANT] +> If you manually remove the registry settings, make sure to delete them all, otherwise the device might go into BitLocker recovery. -1. Restart the device +Restart the device to apply the change. ---
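Review bot: In the `@@ -91` hunk the `RequirePlatformSecurityFeatures` row still ends with a space before the closing pipe (`` `3` (to use Secure Boot and DMA protection) |``) while the neighbouring rows close tight; since this hunk is a pure punctuation normalisation, tidy that trailing space in the same pass so the three registry rows are formatted identically.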
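Review bot: The `@@ -280` hunk drops the list markers from the Key path, Key name and Type labels but leaves them on the Value lines of both rows (`- **Value**: `0``), so a literal `- ` will render inside the table cell and the two rows will not match the tables elsewhere in the file. Change both to `**Value**: `0`` to match the convention this change introduces.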
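Review bot: In the `@@ -364` hunk the new registry table uses unbolded labels (`Key path:` / `Key name:`) whereas every other table this change touches uses `**Key path**:` / `**Key name**:`; align them. Two smaller points in the same hunk: the group policy table writes the path as `...\Turn on Virtualization Based Security` but the setting column as `Turn On Virtualization Based Security`, so pick one capitalisation, and the sentence `Once the policy is applied, restart the device` lacks the closing period that its registry-tab counterpart (`Restart the device to apply the change.`) has.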