mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-15 14:57:23 +00:00
added gp option to enable hvci
This commit is contained in:
parent
86d9496694
commit
d130e6c051
Binary file not shown.
After Width: | Height: | Size: 37 KiB |
@ -17,30 +17,13 @@ ms.date: 03/01/2018

Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization.

| **Type of device** | **How WDAC relates to this type of device** | **WDAC components that you can use to protect this kind of device** |
|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | - VBS (hardware-based) protections, enabled.<br><br>• WDAC in enforced mode, with UMCI enabled. |
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.<br><br>• WDAC in enforced mode, with UMCI enabled. |
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a WDAC policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.<br><br>• WDAC, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started. |
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A |
| **Type of device** | **How WDAC relates to this type of device** |
|------------------------------------|------------------------------------------------------|
| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. |
| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. |
| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. |
| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. |

## WDAC deployment in virtual machines

WDAC can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.

WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:

```powershell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```


### Requirements for running WDAC in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- WDAC and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
- Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.

## Related topics

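Review bot: the two-column table that replaces the three-column one drops the **WDAC components that you can use to protect this kind of device** column, and with it the only place in this file that explains audit mode (UMCI in audit mode does not block; it logs an event whenever an application outside the policy starts, while VBS still enforces the default kernel-mode code integrity policy). Nothing else in this diff carries that guidance over, so either keep the column or add one sentence after the table pointing at where it now lives. The same applies to the removed **WDAC deployment in virtual machines** section: it is re-added in the third hunk of this commit, but this file is left with **## Related topics** directly after the table and no link to the Hyper-V requirements (Generation 2 VMs, no nested virtualization, Fibre Channel and AllowFullSCSICommandSet opt-out via `Set-VMSecurity`).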
@ -23,7 +23,28 @@ Some applications, including device drivers, may be incompatible with HVCI.
This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
If this happens, see [Troubleshooting](#troubleshooting) for remediation steps.

## How to turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709)
## How to turn on HVCI in Windows 10 version 1803

Beginning with Windows 10, version 1803, HVCI can be enabled using any of these options:
- Windows Defender Security Center
- Windows Intune (or other MDM provider)
- System Center Configuration Manager
- Group Policy

### Enable HVCI using Group Policy

1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**.



5. Click *Ok** to close the editor.

To apply the new policy on a domain-joined computer, either restart or run `gpupdate \force` in an elevated command prompt.

## How to turn on HVCI in Windows 10 Fall Creators Update (version 1709)

These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.

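Review bot: step 4 has the UEFI lock backwards. The step is itself enabling HVCI, so "select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely" contradicts what it describes; the lock exists so that HVCI cannot be turned off remotely once set, so reword to "...to ensure HVCI cannot be disabled remotely, or select **Enabled without UEFI lock**". Two smaller fixes in the same hunk: step 5 reads `*Ok**` (unbalanced bold markers; use **OK**), and `gpupdate \force` should be `gpupdate /force` (the switch takes a forward slash). Finally, the options list names Windows Defender Security Center, Intune/MDM and Configuration Manager, but only the Group Policy path gets a procedure; either add the others or say that they are covered elsewhere.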
@ -70,3 +91,20 @@ C. If you experience a critical error during boot or your system is unstable aft
1. Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
2. Restart the device.
3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.

## HVCI deployment in virtual machines

HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.

WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:

```powershell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```

### Requirements for running HVCI in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
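Review bot: the moved section is only half renamed. The heading, first sentence and requirements list now say HVCI, but the text in between still says "The steps to enable WDAC are the same from within the virtual machine", "WDAC protects against malware running in the guest virtual machine" and "you can disable WDAC for a virtual machine", so a reader of the HVCI page is told to configure a different feature. Change those three references to HVCI, and for the last one say what the command actually does: `Set-VMSecurity -VirtualizationBasedSecurityOptOut $true` opts the guest out of virtualization-based security as a whole (which is what the two opt-out bullets below rely on), not just HVCI and not a WDAC policy. It is also worth making explicit that the cmdlet is run on the Hyper-V host, as "From the host" implies, since that is the point of the "does not provide additional protection from the host administrator" caveat.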