deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 02:13:43 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'release-win11-24h2' into vp-wdac-rebrand

Browse Source
This commit is contained in:
Vinay Pamnani
2024-09-25 09:09:50 -06:00
committed by GitHub
parent f1d87391be e973abd516
commit c974690ed2
135 changed files with 3467 additions and 3356 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -61,7 +61,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup
### Use registry keys to enable memory integrity
Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy
> [!IMPORTANT]
>
@ -95,7 +95,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
**To enable VBS with Secure Boot and DMA (value 3)**
**To enable VBS with Secure Boot and DMA protection (value 3)**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
@ -131,6 +131,17 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable VBS (and memory integrity) in mandatory mode**
```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f
```
The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load.
> [!IMPORTANT]
> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
**To gray out the memory integrity UI and display the message "This setting is managed by your administrator"**
```console
reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f