---
title: DeviceGuard Policy CSP
description: Learn more about the DeviceGuard Area in Policy CSP.
ms.date: 01/18/2024
---

# Policy CSP - DeviceGuard

## ConfigureSystemGuardLaunch

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ✅ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1809 [10.0.17763] and later |

```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch
```

Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch.

For more information about System Guard, see [Introducing Windows Defender System Guard runtime attestation](https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation) and [How a hardware-based root of trust helps protect Windows 10](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows).

**Description framework properties**:

| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

**Allowed values**:

| Value | Description |
|:--|:--|
| 0 (Default) | Unmanaged. Configurable by Administrative user. |
| 1 | Enables Secure Launch if supported by hardware. |
| 2 | Disables Secure Launch. |

**Group policy mapping**:

| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Secure Launch Configuration. |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |

## EnableVirtualizationBasedSecurity

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ✅ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
```

Turns on virtualization-based security (VBS).

**Description framework properties**:

| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

**Allowed values**:

| Value | Description |
|:--|:--|
| 0 (Default) | Disable virtualization based security. |
| 1 | Enable virtualization based security. |

**Group policy mapping**:

| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| Registry Value Name | EnableVirtualizationBasedSecurity |
| ADMX File Name | DeviceGuard.admx |

## LsaCfgFlags

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags
```

Credential Guard configuration: 0 - Turns off Credential Guard remotely if configured previously without UEFI lock, 1 - Turns on Credential Guard with UEFI lock, 2 - Turns on Credential Guard without UEFI lock.

**Description framework properties**:

| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |

**Allowed values**:

| Value | Description |
|:--|:--|
| 0 (Default) | (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock. |
| 1 | (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock. |
| 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. |

**Group policy mapping**:

| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Credential Guard Configuration. |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |

## RequirePlatformSecurityFeatures

| Scope | Editions | Applicable OS |
|:--|:--|:--|
| ✅ Device <br> ❌ User | ❌ Pro <br> ✅ Enterprise <br> ✅ Education <br> ❌ Windows SE <br> ✅ IoT Enterprise / IoT Enterprise LTSC | ✅ Windows 10, version 1709 [10.0.16299] and later |

```Device
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures
```

Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.

This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.

**Description framework properties**:

| Property name | Property value |
|:--|:--|
| Format | `int` |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 1 |

**Allowed values**:

| Value | Description |
|:--|:--|
| 1 (Default) | Turns on VBS with Secure Boot. |
| 3 | Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support. |

**Group policy mapping**:

| Name | Value |
|:--|:--|
| Name | VirtualizationBasedSecurity |
| Friendly Name | Turn On Virtualization Based Security |
| Element Name | Select Platform Security Level. |
| Location | Computer Configuration |
| Path | System > Device Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\DeviceGuard |
| ADMX File Name | DeviceGuard.admx |

## Related articles

[Policy configuration service provider](policy-configuration-service-provider.md)
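
The following is an added example, not Microsoft's code: it lints a desired set of the four DeviceGuard settings above against their allowed values and renders them as SyncML `Replace` commands with `int` format. The names `lint`, `to_syncml` and `SAMPLE` are hypothetical, and the check that Credential Guard is only requested together with VBS is an assumption drawn from the shared "Turn On Virtualization Based Security" group policy.

```python
import xml.etree.ElementTree as ET

BASE = "./Device/Vendor/MSFT/Policy/Config/DeviceGuard/"
# Allowed values, copied from the tables on this page.
ALLOWED = {
    "ConfigureSystemGuardLaunch": {0, 1, 2},
    "EnableVirtualizationBasedSecurity": {0, 1},
    "LsaCfgFlags": {0, 1, 2},
    "RequirePlatformSecurityFeatures": {1, 3},
}

def lint(profile):
    """Return a list of findings for a {policy name: int} profile."""
    findings = []
    for name, value in profile.items():
        if name not in ALLOWED:
            findings.append(f"{name}: not a DeviceGuard policy on this page")
        elif value not in ALLOWED[name]:
            findings.append(f"{name}: {value} not in {sorted(ALLOWED[name])}")
    # Assumption: Credential Guard (LsaCfgFlags 1 or 2) is an element of the
    # VBS group policy, so requesting it with VBS off (default 0) is flagged.
    vbs = profile.get("EnableVirtualizationBasedSecurity", 0)
    if profile.get("LsaCfgFlags", 0) in (1, 2) and vbs != 1:
        findings.append("LsaCfgFlags enables Credential Guard but VBS is off")
    # Per the page, value 0 only turns Credential Guard off without UEFI lock.
    if profile.get("LsaCfgFlags") == 1:
        findings.append("LsaCfgFlags=1 sets UEFI lock; 0 cannot undo it remotely")
    return findings

def to_syncml(profile):
    """Build a SyncBody with one Replace command per setting (Format int)."""
    body = ET.Element("SyncBody")
    for cmd_id, (name, value) in enumerate(sorted(profile.items()), start=1):
        rep = ET.SubElement(body, "Replace")
        ET.SubElement(rep, "CmdID").text = str(cmd_id)
        item = ET.SubElement(rep, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = BASE + name
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = "int"
        ET.SubElement(item, "Data").text = str(value)
    return ET.tostring(body, encoding="unicode")

# Constructed sample profile: Credential Guard requested while VBS is disabled.
SAMPLE = {"EnableVirtualizationBasedSecurity": 0, "LsaCfgFlags": 1,
          "RequirePlatformSecurityFeatures": 3}

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print("finding:", finding)
    print(to_syncml(SAMPLE))
```
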