diff --git a/browsers/edge/docfx.json b/browsers/edge/docfx.json
index f021f6aafb..2205218007 100644
--- a/browsers/edge/docfx.json
+++ b/browsers/edge/docfx.json
@@ -29,6 +29,7 @@
 "globalMetadata": {
 "uhfHeaderId": "MSDocsHeader-MSEdge",
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier3"
 ],
diff --git a/browsers/internet-explorer/docfx.json b/browsers/internet-explorer/docfx.json
index 626d8e7d35..ed0fa381c5 100644
--- a/browsers/internet-explorer/docfx.json
+++ b/browsers/internet-explorer/docfx.json
@@ -24,6 +24,7 @@
 ],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier3"
 ],
diff --git a/education/docfx.json b/education/docfx.json
index 993809eee6..8662cf333f 100644
--- a/education/docfx.json
+++ b/education/docfx.json
@@ -28,6 +28,7 @@
 ],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.topic": "article",
 "ms.collection": [
 "education",
diff --git a/store-for-business/docfx.json b/store-for-business/docfx.json
index 4be7b72365..c0b85a8a1d 100644
--- a/store-for-business/docfx.json
+++ b/store-for-business/docfx.json
@@ -32,6 +32,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier2"
 ],
diff --git a/windows/application-management/docfx.json b/windows/application-management/docfx.json
index 1c1b014b8d..76647fae53 100644
--- a/windows/application-management/docfx.json
+++ b/windows/application-management/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "ms.collection": [
 "tier2"
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 2abfcd2135..32fe81be20 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -49,13 +49,17 @@ There's no requirement for the local device to be joined to a domain or Azure AD
 To connect to the remote computer:
 
 - Launch **Remote Desktop Connection** from Windows Search, or by running `mstsc.exe`.
-- Specify the name of the remote computer.
 - Select **Use a web account to sign in to the remote computer** option in the **Advanced** tab. This option is equivalent to the `enablerdsaadauth` RDP property. For more information, see [Supported RDP properties with Remote Desktop Services](/windows-server/remote/remote-desktop-services/clients/rdp-files).
+- Specify the name of the remote computer and select **Connect**.
+
+ > [!NOTE]
+ > IP address cannot be used when **Use a web account to sign in to the remote computer** option is used.
+
 - When prompted for credentials, specify your user name in `user@domain.com` format.
 - You're then prompted to allow the remote desktop connection when connecting to a new PC. Azure AD remembers up to 15 hosts for 30 days before prompting again. If you see this dialogue, select **Yes** to connect.
 
 > [!IMPORTANT]
-> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer.
+> If your organization has configured and is using [Azure AD Conditional Access](/azure/active-directory/conditional-access/overview), your device must satisfy the conditional access requirements to allow connection to the remote computer. Conditional Access policies with [grant controls](/azure/active-directory/conditional-access/concept-conditional-access-grant) and [session controls](/azure/active-directory/conditional-access/howto-conditional-access-session-lifetime) may be applied to the application **Microsoft Remote Desktop (a4a365df-50f1-4397-bc59-1a1564b8bb9c)** for controlled access.
 
 ### Disconnection when the session is locked
 
@@ -87,7 +91,7 @@ To connect to the remote computer:
 
 ### Supported configurations
 
-This table lists the supported configurations for remotely connecting to an Azure AD joined device:
+This table lists the supported configurations for remotely connecting to an Azure AD joined device without using Azure AD authentication:
 
 | **Criteria** | **Client operating system** | **Supported credentials** |
 |--------------------------------------------|-----------------------------------|--------------------------------------------------------------------|
diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json
index ae506a8cb0..1fcb22e3c9 100644
--- a/windows/client-management/docfx.json
+++ b/windows/client-management/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier2"
 ],
diff --git a/windows/configuration/docfx.json b/windows/configuration/docfx.json
index 90a28bb7e6..ae433621cc 100644
--- a/windows/configuration/docfx.json
+++ b/windows/configuration/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier2"
 ],
diff --git a/windows/deployment/docfx.json b/windows/deployment/docfx.json
index 1387984499..066cd3ec04 100644
--- a/windows/deployment/docfx.json
+++ b/windows/deployment/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier2"
 ],
diff --git a/windows/hub/docfx.json b/windows/hub/docfx.json
index c1b07ce9d8..92c7e04bad 100644
--- a/windows/hub/docfx.json
+++ b/windows/hub/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier1"
 ],
diff --git a/windows/privacy/docfx.json b/windows/privacy/docfx.json
index 79774ab7cc..9527d8b80f 100644
--- a/windows/privacy/docfx.json
+++ b/windows/privacy/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "breadcrumb_path": "/windows/resources/breadcrumb/toc.json",
 "uhfHeaderId": "MSDocsHeader-M365-IT",
 "ms.technology": "windows",
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 0310c13313..7591454011 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier2"
 ],
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 9c1feb7d06..d40726923d 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,6 +1,6 @@
 ---
-title: Enable virtualization-based protection of code integrity
-description: This article explains the steps to opt in to using HVCI on Windows devices.
+title: Enable memory integrity
+description: This article explains the steps to opt in to using memory integrity on Windows devices.
 ms.prod: windows-client
 ms.mktglfcycl: deploy
 ms.localizationpriority: medium
@@ -12,7 +12,7 @@ ms.collection:
 - highpri
 - tier2
 ms.topic: conceptual
-ms.date: 12/16/2021
+ms.date: 03/16/2023
 ms.reviewer:
 ms.technology: itpro-security
 ---
@@ -20,41 +20,50 @@ ms.technology: itpro-security
 # Enable virtualization-based protection of code integrity
 
 **Applies to**
+
 - Windows 10
 - Windows 11
+- Windows Server 2016 or higher
 
-This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11.
-Some applications, including device drivers, may be incompatible with HVCI.
-This incompatibility can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself.
-If these issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
+**Memory integrity** is a virtualization-based security (VBS) feature available in Windows. Memory integrity and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows kernel. VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. Memory integrity is a critical component that protects and hardens Windows by running kernel mode code integrity within the isolated virtual environment of VBS. Memory integrity also restricts kernel memory allocations that could be used to compromise the system.
 
 > [!NOTE]
-> Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance.
+> Memory integrity works better with Intel Kabylake and higher processors with *Mode-Based Execution Control*, and AMD Zen 2 and higher processors with *Guest Mode Execute Trap* capabilities. Older processors rely on an emulation of these features, called *Restricted User Mode*, and will have a bigger impact on performance.
 
-## HVCI Features
+> [!WARNING]
+> Some applications and hardware device drivers may be incompatible with memory integrity. This incompatibility can cause devices or software to malfunction and in rare cases may result in a boot failure (blue screen). Such issues may occur after memory integrity has been turned on or during the enablement process itself. If compatibility issues occur, see [Troubleshooting](#troubleshooting) for remediation steps.
 
-* HVCI protects modification of the Control Flow Guard (CFG) bitmap.
-* HVCI also ensures that your other trusted processes, like Credential Guard, have got a valid certificate.
-* Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.
+> [!NOTE]
+> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry.
 
-## How to turn on HVCI in Windows 10 and Windows 11
+## Memory integrity features
+
+- Protects modification of the Control Flow Guard (CFG) bitmap for kernel mode drivers.
+- Protects the kernel mode code integrity process that ensures that other trusted kernel processes have a valid certificate.
+
+## How to turn on memory integrity
+
+To enable memory integrity on Windows devices with supporting hardware throughout an enterprise, use any of these options:
 
-To enable HVCI on Windows 10 and Windows 11 devices with supporting hardware throughout an enterprise, use any of these options:
 - [Windows Security app](#windows-security-app)
-- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
-- [Group Policy](#enable-hvci-using-group-policy)
+- [Microsoft Intune (or another MDM provider)](#enable-memory-integrity-using-intune)
+- [Group Policy](#enable-memory-integrity-using-group-policy)
 - [Microsoft Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/)
-- [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
+- [Registry](#use-registry-keys-to-enable-memory-integrity)
 
 ### Windows Security app
 
-HVCI is labeled **Memory integrity** in the Windows Security app and it can be accessed via **Settings** > **Update & Security** > **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [KB4096339](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
+**Memory integrity** can be turned on in the Windows Security app and found at **Windows Security** > **Device security** > **Core isolation details** > **Memory integrity**. For more information, see [Device protection in Windows Security](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center).
 
-### Enable HVCI using Intune
+Beginning with Windows 11 22H2, the Windows Security app shows a warning if memory integrity is turned off. The warning indicator also appears on the Windows Security icon in the Windows Taskbar and in the Windows Notification Center. The user can dismiss the warning from within the Windows Security app.
 
-Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure the settings in Windows by using the [settings catalog](/mem/intune/configuration/settings-catalog).
+To proactively dismiss the memory integrity warning, you can set the **Hardware_HVCI_Off** (DWORD) registry value under `HKLM\SOFTWARE\Microsoft\Windows Security Health\State` to 0. After you change the registry value, you must restart the device for the change to take effect.
 
-### Enable HVCI using Group Policy
+### Enable memory integrity using Intune
+
+Enabling in Intune requires using the Code Integrity node in the [VirtualizationBasedTechnology CSP](/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology). You can configure these settings by using the [settings catalog](/mem/intune/configuration/settings-catalog).
+
+### Enable memory integrity using Group Policy
 
 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
 
@@ -62,17 +71,17 @@ Enabling in Intune requires using the Code Integrity node in the [Virtualization
 
 3. Double-click **Turn on Virtualization Based Security**.
 
-4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI can't be disabled remotely or select **Enabled without UEFI lock**.
+4. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
 
- ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png)
+ ![Enable memory integrity using Group Policy.](../images/enable-hvci-gp.png)
 
-5. Click **Ok** to close the editor.
+5. Select **Ok** to close the editor.
 
 To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt.
 
-### Use registry keys to enable virtualization-based protection of code integrity
+### Use registry keys to enable memory integrity
 
-Set the following registry keys to enable HVCI. These keys provide exactly the same set of configuration options provided by Group Policy.
+Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy.
 
@@ -80,13 +89,13 @@ Set the following registry keys to enable HVCI. These keys provide exactly the s
 >
 > - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer's hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
 >
-> - In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have Windows Defender Application Control enabled.
+> - If you select **Secure Boot with DMA**, memory integrity and the other VBS features will only be turned on for computers that support DMA. That is, for computers with IOMMUs only. Any computer without IOMMUs will not have VBS or memory integrity protection.
 >
 > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
 
 #### For Windows 10 version 1607 and later and for Windows 11 version 21H2
 
-Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
+Recommended settings (to enable memory integrity without UEFI Lock):
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
@@ -100,9 +109,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
 ```
 
-If you want to customize the preceding recommended settings, use the following settings.
+If you want to customize the preceding recommended settings, use the following registry keys.
 
-**To enable VBS**
+**To enable VBS only (no memory integrity)**
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
@@ -132,19 +141,19 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_D
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
 ```
 
-**To enable virtualization-based protection of Code Integrity policies**
+**To enable memory integrity**
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
 ```
 
-**To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)**
+**To enable memory integrity without UEFI lock (value 0)**
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
 ```
 
-**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**
+**To enable memory integrity with UEFI lock (value 1)**
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
@@ -152,7 +161,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
 
 #### For Windows 10 version 1511 and earlier
 
-Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
+Recommended settings (to enable memory integrity, without UEFI Lock):
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
@@ -184,34 +193,45 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
 ```
 
-**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
+**To enable memory integrity (with the default, UEFI lock)**
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
 ```
 
-**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
+**To enable memory integrity without UEFI lock**
 
 ```console
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
 ```
 
-### Validate enabled Windows Defender Device Guard hardware-based security features
+### Enable memory integrity using Windows Defender Application Control (WDAC)
 
-Windows 10, Windows 11, and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
+You can use WDAC policy to turn on memory integrity using any of the following techniques:
+
+1. Use the [WDAC Wizard](https://aka.ms/wdacwizard) to create or edit your WDAC policy and select the option **Hypervisor-protected Code Integrity** on the **Policy Rules** page of the Wizard.
+2. Use the [Set-HVCIOptions](/powershell/module/configci/set-hvcioptions) PowerShell cmdlet.
+3. Edit your WDAC policy XML and modify the value set for the `` element.
+
+> [!NOTE]
+> If your WDAC policy is set to turn memory integrity on, it will be turned on even if the policy is in audit mode.
+
+### Validate enabled VBS and memory integrity features
+
+Windows 10, Windows 11, and Windows Server 2016 and higher have a WMI class for VBS-related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
 
 ```powershell
 Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
 ```
 
 > [!NOTE]
-> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2.
+> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. This value is reported for both Intel's *Mode-Based Execution Control* and AMD's *Guest Mode Execute Trap* capabilities.
 
 The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
 
 #### AvailableSecurityProperties
 
-This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.
+This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
 
 Value | Description
 -|-
@@ -227,11 +247,11 @@ Value | Description
 
 #### InstanceIdentifier
 
-A string that is unique to a particular device. Valid values are determined by WMI.
+A string that is unique to a particular device and set by WMI.
 
 #### RequiredSecurityProperties
 
-This field describes the required security properties to enable virtualization-based security.
+This field describes the required security properties to enable VBS.
 
 Value | Description
 -|-
@@ -246,25 +266,25 @@ Value | Description
 
 #### SecurityServicesConfigured
 
-This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.
+This field indicates whether Windows Defender Credential Guard or memory integrity has been configured.
 
 Value | Description
 -|-
 **0.** | No services are configured.
 **1.** | If present, Windows Defender Credential Guard is configured.
-**2.** | If present, HVCI is configured.
+**2.** | If present, memory integrity is configured.
 **3.** | If present, System Guard Secure Launch is configured.
 **4.** | If present, SMM Firmware Measurement is configured.
 
 #### SecurityServicesRunning
 
-This field indicates whether the Windows Defender Credential Guard or HVCI service is running.
+This field indicates whether Windows Defender Credential Guard or memory integrity is running.
 
 Value | Description
 -|-
 **0.** | No services running.
 **1.** | If present, Windows Defender Credential Guard is running.
-**2.** | If present, HVCI is running.
+**2.** | If present, memory integrity is running.
 **3.** | If present, System Guard Secure Launch is running.
 **4.** | If present, SMM Firmware Measurement is running.
 
@@ -286,43 +306,41 @@ Value | Description
 
 This field lists the computer name. All valid values for computer name.
 
-Another method to determine the available and enabled virtualization-based security features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the virtualization-based security features are displayed at the bottom of the **System Summary** section.
+Another method to determine the available and enabled VBS features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the VBS features are displayed at the bottom of the **System Summary** section.
 
 :::image type="content" alt-text="Virtualization-based security features in the System Summary of System Information." source="images/system-information-virtualization-based-security.png" lightbox="images/system-information-virtualization-based-security.png":::
 
 ## Troubleshooting
 
-A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
+- If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
+- If you experience a critical error during boot or your system is unstable after turning on memory integrity, you can recover using the Windows Recovery Environment (Windows RE).
+ 1. First, disable any policies that are used to enable VBS and memory integrity, for example Group Policy.
+ 2. Then, boot to Windows RE on the affected computer, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference).
+ 3. After logging in to Windows RE, set the memory integrity registry key to off:
 
-B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you're able to sign in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device.
+ ```console
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
+ ```
 
-C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device.
+ 4. Finally, restart your device.
 
-## How to turn off HVCI
+> [!NOTE]
+> If you turned on memory integrity with UEFI lock, you will need to disable Secure Boot to complete the Windows RE recovery steps.
 
-1. Run the following command from an elevated prompt to set the HVCI registry key to off:
+## Memory integrity deployment in virtual machines
 
- ```console
- reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
- ```
+Memory integrity can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable memory integrity are the same from within the virtual machine.
 
-1. Restart the device.
-
-1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
-
-## HVCI deployment in virtual machines
-
-HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Application Control are the same from within the virtual machine.
-
-WDAC protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable WDAC for a virtual machine:
+Memory integrity protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable memory integrity for a virtual machine:
 
 ```powershell
 Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
 ```
 
-### Requirements for running HVCI in Hyper-V virtual machines
-- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
-- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
-- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment.
-- Virtual Fibre Channel adapters aren't compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
-- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
+### Requirements for running memory integrity in Hyper-V virtual machines
+
+- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
+- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
+- Memory integrity and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment.
+- Virtual Fibre Channel adapters aren't compatible with memory integrity. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
+- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with memory integrity. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 25024c897f..09f6cce05f 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -9,7 +9,7 @@ ms.reviewer:
 manager: aaroncz
 ms.custom: asr
 ms.technology: itpro-security
-ms.date: 12/31/2017
+ms.date: 03/16/2023
 ms.topic: article
 ---
 
@@ -18,30 +18,29 @@ ms.topic: article **Applies to** - Windows 10 -- Windows Server 2016 +- Windows 11 +- Windows Server 2016 and higher -Windows 10 includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows 10 systems so they behave more like mobile devices. In this configuration, Windows Defender Application Control (WDAC) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using hypervisor-protected code integrity (HVCI). +Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md). -WDAC policies and HVCI are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows 10 devices. +WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices. -Using Windows Defender Application Control to restrict devices to only authorized apps has these advantages over other solutions: +Using WDAC to restrict devices to only authorized apps has these advantages over other solutions: -1. WDAC policy is enforced by the Windows kernel itself, and the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. -2. 
WDAC lets you set application control policy for code that runs in user mode, kernel mode hardware and software drivers, and even code that runs as part of Windows. -3. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. To change signed policy requires both administrative privilege and access to the organization's digital signing process. This makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy. -4. You can protect the entire WDAC enforcement mechanism with HVCI. Even if a vulnerability exists in kernel mode code, HVCI greatly reduces the likelihood that an attacker could successfully exploit it. This is important because an attacker that compromises the kernel could normally disable most system defenses, including those enforced by WDAC or any other application control solution. +1. The Windows kernel handles enforcement of WDAC policy and requires no other services or agents. +2. The WDAC policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. +3. WDAC lets you set application control policy for any code that runs on Windows, including kernel mode drivers and even code that runs as part of Windows. +4. Customers can protect the WDAC policy even from local administrator tampering by digitally signing the policy. Changing signed policy requires both administrative privilege and access to the organization's digital signing process. Using signed policies makes it difficult for an attacker, including one who has managed to gain administrative privilege, to tamper with WDAC policy. +5. You can protect the entire WDAC enforcement mechanism with memory integrity. Even if a vulnerability exists in kernel mode code, memory integrity greatly reduces the likelihood that an attacker could successfully exploit it. 
Without memory integrity, an attacker who compromises the kernel could normally disable most system defenses, including application control policies enforced by WDAC or any other application control solution. -## Why we no longer use the Device Guard brand +There are no direct dependencies between WDAC and memory integrity. You can deploy them individually or together and there's no order in which they must be deployed. -When we originally promoted Device Guard, we did so with a specific security promise in mind. Although there were no direct dependencies between WDAC and HVCI, we intentionally focused our discussion around the lockdown state achieved when using them together. However, since HVCI relies on Windows virtualization-based security, it has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. This misled many people to assume that if systems couldn't use HVCI, they couldn't use WDAC either. +Memory integrity relies on Windows virtualization-based security, and has hardware, firmware, and kernel driver compatibility requirements that some older systems can't meet. -WDAC has no specific hardware or software requirements other than running Windows 10, which means customers were denied the benefits of this powerful application control capability due to Device Guard confusion. - -Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. With this in mind, we now discuss and document Windows Defender Application Control as an independent technology within our security stack and gave it a name of its own: [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md). -We hope this change will help us better communicate options for adopting application control within your organizations. 
+WDAC has no specific hardware or software requirements. ## Related articles - [Windows Defender Application Control](../windows-defender-application-control/windows-defender-application-control.md) -- [Driver compatibility with Device Guard in Windows 10](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) -- [Code integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) +- [Memory integrity](enable-virtualization-based-protection-of-code-integrity.md) +- [Driver compatibility with memory integrity](https://techcommunity.microsoft.com/t5/windows-hardware-certification/driver-compatibility-with-device-guard-in-windows-10/ba-p/364865) diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 1d37a88d20..9e1561c2d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: jogeurte ms.author: vinpa manager: aaroncz -ms.date: 02/27/2023 +ms.date: 03/16/2023 ms.technology: itpro-security --- 
@@ -36,7 +36,7 @@ When you create policies for use with Windows Defender Application Control (WDAC
 | **Example Base Policy** | **Description** | **Where it can be found** |
 |-------------------------|---------------------------------------------------------------|--------|
 | **DefaultWindows_\*.xml** | This example policy is available in both audit and enforced mode. It includes rules to allow Windows, third-party hardware and software kernel drivers, and Windows Store apps. Used as the basis for the [Microsoft Intune product family](https://www.microsoft.com/security/business/endpoint-management/microsoft-intune) policies. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_\*.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\DefaultWindows_Audit.xml |
-| **AllowMicrosoft.xml** | This example policy is available in enforcement mode. It includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
+| **AllowMicrosoft.xml** | This example policy includes the rules from DefaultWindows and adds rules to trust apps signed by the Microsoft product root certificate. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowMicrosoft.xml
%ProgramFiles%\WindowsApps\Microsoft.WDAC.WDACWizard*\AllowMicrosoft.xml |
 | **AllowAll.xml** | This example policy is useful when creating a blocklist. All block policies should include rules allowing all other code to run and then add the DENY rules for your organization's needs. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml |
 | **AllowAll_EnableHVCI.xml** | This example policy can be used to enable [memory integrity](https://support.microsoft.com/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78) (also known as hypervisor-protected code integrity) using WDAC. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll_EnableHVCI.xml |
 | **DenyAllAudit.xml** | ***Warning: May cause long boot time on Windows Server 2019.*** Only deploy this example policy in audit mode to track all binaries running on critical systems or to meet regulatory requirements. | %OSDrive%\Windows\schemas\CodeIntegrity\ExamplePolicies\DenyAllAudit.xml |
diff --git a/windows/whats-new/docfx.json b/windows/whats-new/docfx.json
index bd292f17c7..e833279c7f 100644
--- a/windows/whats-new/docfx.json
+++ b/windows/whats-new/docfx.json
@@ -34,6 +34,7 @@
 "externalReference": [],
 "globalMetadata": {
 "recommendations": true,
+ "adobe-target": true,
 "ms.collection": [
 "tier2"
 ],