This commit is contained in:
Vinay Pamnani 2024-10-31 10:31:59 -06:00
parent 562894bcb5
commit a36cf0c026
3 changed files with 105 additions and 50 deletions

View File

@ -13,6 +13,9 @@ appliesto:
# Enable virtualization-based protection of code integrity
> [!WARNING]
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
**Memory integrity** is a Virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
> [!NOTE]
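Review bot: the WARNING block added at the top of this hunk now sits before the paragraph that defines memory integrity, so the reader meets "memory integrity" and the Troubleshooting link before the term is introduced; consider placing the callout directly after the "**Memory integrity** is a Virtualization-based security (VBS) feature ..." paragraph instead. Whichever position is kept, make sure a blank line separates the closing `> Some applications ...` line from the following paragraph, otherwise Markdown treats that paragraph as a lazy continuation of the blockquote and the definition is rendered inside the warning.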
@ -20,9 +23,6 @@ appliesto:
> - Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
> - Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance. When nested virtualization is enabled, memory integrity works better when the VM is version >= 9.3.
> [!WARNING]
> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
## Memory integrity features
- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
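Review bot: removing the WARNING here is consistent with the move in the previous hunk, but after the deletion the NOTE list ends directly above `## Memory integrity features`; confirm a blank line remains between the last `> - ...` item and the heading so the heading is not absorbed into the blockquote. While this block is being touched, the context line should read "Intel Kaby Lake" rather than "Intel Kabylake".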
@ -38,16 +38,22 @@ To enable memory integrity on Windows devices with supporting hardware throughou
- [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
- [Registry](#use-registry-keys-to-enable-memory-integrity)
### [:::image type="icon" source="../images/icons/security-app.svg" border="false"::: **Security**](#tab/security)
### Windows Security
**Memory integrity** can be turned on in **Windows Security** settings and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
Beginning with Windows 11 22H2, **Windows Security** shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within **Windows Security**.
### [:::image type="icon" source="../images/icons/intune.svg" border="false"::: **Intune/CSP**](#tab/intune)
### Enable memory integrity using Intune
Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integrity** setting using the [settings catalog](/mem/intune/configuration/settings-catalog) to enable memory integrity. You can also use the HypervisorEnforcedCodeIntegrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology).
### [:::image type="icon" source="../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
### Enable memory integrity using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
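Review bot: each added tab header (`### [:::image type="icon" ...::: **Security**](#tab/security)` and the Intune and GPO equivalents) is immediately followed by the pre-existing H3 (`### Windows Security`, `### Enable memory integrity using Intune`, `### Enable memory integrity using Group Policy`), so every tab renders two consecutive headings at the same level; either drop the inner headings or demote them to text. The tab icons reference five files under `../images/icons/` (security-app.svg, intune.svg, group-policy.svg, registry.svg, app-control.svg) but this commit adds only two SVGs, so confirm the other three already exist in that folder. The bullet list above still links "Registry" to `#use-registry-keys-to-enable-memory-integrity`, which now points into the Registry tab; check that following the in-page anchor activates that tab rather than landing on content hidden behind the default tab.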
@ -61,6 +67,8 @@ Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integri
To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated Command Prompt.
### [:::image type="icon" source="../images/icons/registry.svg" border="false"::: **Registry**](#tab/reg)
### Use registry keys to enable memory integrity
Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
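Review bot: the Registry tab header added here has the same duplicate-heading problem as the earlier tabs (tab H3 directly above `### Use registry keys to enable memory integrity`). The context line "These keys provide similar set of configuration options provided by Group Policy" is missing an article and its period; suggest "These keys provide a similar set of configuration options to those provided by Group Policy."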
@ -85,55 +93,55 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
If you want to customize the preceding recommended settings, use the following registry keys.
**To enable VBS only (no memory integrity)**
- To enable VBS only (no memory integrity):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
```
**To enable VBS and require Secure boot only (value 1)**
- To enable VBS and require Secure boot only (value 1):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
**To enable VBS with Secure Boot and DMA protection (value 3)**
- To enable VBS with Secure Boot and DMA protection (value 3):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable VBS without UEFI lock (value 0)**
- To enable VBS without UEFI lock (value 0):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
```
**To enable VBS with UEFI lock (value 1)**
- To enable VBS with UEFI lock (value 1):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable memory integrity**
- To enable memory integrity:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
```
**To enable memory integrity without UEFI lock (value 0)**
- To enable memory integrity without UEFI lock (value 0):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
**To enable memory integrity with UEFI lock (value 1)**
- To enable memory integrity with UEFI lock (value 1):
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable VBS (and memory integrity) in mandatory mode**
- To enable VBS (and memory integrity) in mandatory mode:
```cmd
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
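Review bot: converting the bold labels to `- ` bullets places a fenced code block after every bullet, and the fences are not indented; in Markdown an unindented fence terminates the list item, so this renders as nine separate one-item lists each followed by a detached code block rather than a bullet with its command beneath it. Indent each ```cmd fence and its closing fence by two spaces under the bullet, or keep the labels as bold paragraphs as before. Minor: "Secure boot" in the value-1 bullet should be "Secure Boot" to match the value-3 bullet. The two `Locked` bullets read "To enable VBS without/with UEFI lock", but their commands set only `Locked`, not `EnableVirtualizationBasedSecurity`, so the label overstates what the command alone does; "To set the UEFI lock for VBS (value 1)" would describe it accurately.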
@ -144,16 +152,20 @@ The **Mandatory** setting prevents the OS loader from continuing to boot in case
> [!IMPORTANT]
> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
- To gray out the memory integrity UI and display the message "This setting is managed by your administrator":
```cmd
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
```
**To let memory integrity UI behave normally (Not grayed out)**
- To let memory integrity UI behave normally (Not grayed out):
```cmd
reg add HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /t REG_DWORD /d 2 /f
```
### [:::image type="icon" source="../images/icons/app-control.svg" border="false"::: **App Control**](#tab/appcontrol)
### Enable memory integrity using App Control for Business
You can use App Control policy to turn on memory integrity using any of the following techniques:
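Review bot: the two new bullets here have the same unindented-fence issue as the previous hunk and will render as detached code blocks. Both commands in this hunk also omit the quotes around the key path (`reg delete HKLM\SYSTEM\...` versus `reg add "HKLM\SYSTEM\..."` everywhere else); quote them for consistency. "(Not grayed out)" should use a lowercase "not". The App Control tab header added at the end is the last tab in the group; confirm the tab group is closed with a `---` line after the App Control section so the content that follows renders outside the tabs.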

View File

@ -0,0 +1,19 @@
<svg width="18" height="18" viewBox="0 0 18 18" xmlns="http://www.w3.org/2000/svg" id="FxSymbol0-02e">
<defs>
<linearGradient id="paint0_linear" x1="9" y1="17.293" x2="9" y2=".707" gradientUnits="userSpaceOnUse">
<stop offset="0" stop-color="#005ba1" />
<stop offset=".174" stop-color="#0861a8" />
<stop offset=".443" stop-color="#1e71ba" />
<stop offset=".772" stop-color="#418bd7" />
<stop offset="1" stop-color="#5ea0ef" />
</linearGradient>
</defs>
<path d="M.707 5.683h4.976V.707H1.4a.691.691 0 0 0-.693.693Zm.693 11.61h4.283v-4.976H.707V16.6a.691.691 0 0 0 .693.693Zm-.691-5.8h4.974V6.512H.707ZM12.317.707v4.976h4.976V1.4A.691.691 0 0 0 16.6.707ZM6.512 5.683h4.976V.707H6.512Z" fill="url(#paint0_linear)" />
<path d="M6.5 6.529h10.721v10.1a.626.626 0 0 1-.626.626H6.5V6.529Z" fill="#76bc2d" />
<rect x="7.266" y="9.861" width="5.403" height="1.407" rx=".398" fill="#365615" />
<rect x="12.518" y="9.861" width="3.945" height="1.407" rx=".398" fill="#b4ec36" />
<path d="M13.047 9.761v1.469a.334.334 0 0 1-.334.334.333.333 0 0 1-.334-.334V9.761a.334.334 0 0 1 .334-.334.335.335 0 0 1 .334.334Z" class="msportalfx-svg-c01" />
<rect x="7.266" y="12.298" width="2.403" height="1.407" rx=".398" fill="#365615" />
<path d="M9.779 12.3h6.287a.4.4 0 0 1 .4.4v.612a.4.4 0 0 1-.4.4H9.779V12.3Z" fill="#b4ec36" />
<path d="M9.805 12.274v1.469a.334.334 0 0 1-.334.334.334.334 0 0 1-.334-.334v-1.469a.333.333 0 0 1 .334-.334.333.333 0 0 1 .334.334Z" class="msportalfx-svg-c01" />
</svg>
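Review bot: two `<path>` elements (the small rounded bars at `M13.047 9.761` and `M9.805 12.274`) take their fill from `class="msportalfx-svg-c01"`, a portal stylesheet class that is not defined in this file; unless the docs stylesheet happens to provide it, those paths render with the default black fill instead of the intended color, so replace the class with an explicit `fill` as the other paths do. The root `id="FxSymbol0-02e"` and the gradient `id="paint0_linear"` are also generic; when the icon is inlined next to other SVGs in the same tab strip, a duplicate id can make `url(#paint0_linear)` resolve to a different file's gradient, so give them a unique suffix the way the other icon in this commit does (`paint0_linear_279_15108`).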


View File

@ -0,0 +1,24 @@
<svg width="18" height="18" viewBox="0 0 32 32" fill="none" xmlns="http://www.w3.org/2000/svg">
<path d="M16 0.667053C18.0667 0.667053 19.8667 1.26705 21.2667 2.26705C23.5333 3.80038 25.1333 4.60039 29.7333 4.66705C30.2666 4.66705 30.7333 5.13372 30.7333 5.66705V12.267C30.7333 13.3337 30.6 14.3337 30.4667 15.3337H16V0.667053Z" fill="url(#paint0_linear_279_15108)"/>
<path d="M1.59885 15.3337C1.39976 14.3337 1.33337 13.267 1.33337 12.267V5.66705C1.33337 5.13372 1.73156 4.66705 2.32885 4.66705C6.90804 4.60039 8.50081 3.80038 10.7572 2.26705C12.0845 1.26705 13.9427 0.667053 16 0.667053V15.3337H1.59885Z" fill="url(#paint1_linear_279_15108)"/>
<path d="M16 15.3337V31.2004C15.8 31.2004 15.6666 31.1337 15.4666 31.0671C7.86663 26.6671 2.86664 21.8004 1.59998 15.3337H16Z" fill="url(#paint2_linear_279_15108)"/>
<path d="M16 31.2004V15.3337H30.4C29.2 21.8004 24.1333 26.6671 16.5333 31.0671C16.3333 31.1337 16.2 31.2004 16 31.2004Z" fill="url(#paint3_linear_279_15108)"/>
<defs>
<linearGradient id="paint0_linear_279_15108" x1="27.7337" y1="17.1627" x2="17.1076" y2="1.33579" gradientUnits="userSpaceOnUse">
<stop stop-color="#0078D4"/>
<stop offset="1" stop-color="#1493DF"/>
</linearGradient>
<linearGradient id="paint1_linear_279_15108" x1="13.7316" y1="16.6376" x2="5.60521" y2="2.62604" gradientUnits="userSpaceOnUse">
<stop stop-color="#28AFEA"/>
<stop offset="1" stop-color="#3CCBF4"/>
</linearGradient>
<linearGradient id="paint2_linear_279_15108" x1="17.089" y1="30.6523" x2="8.58889" y2="13.8265" gradientUnits="userSpaceOnUse">
<stop stop-color="#0669BC"/>
<stop offset="1" stop-color="#0078D4"/>
</linearGradient>
<linearGradient id="paint3_linear_279_15108" x1="25.7133" y1="26.9929" x2="19.8912" y2="16.7469" gradientUnits="userSpaceOnUse">
<stop stop-color="#114A8B"/>
<stop offset="1" stop-color="#0C59A4"/>
</linearGradient>
</defs>
</svg>
