title | description | ms.author | ms.topic | ms.prod | ms.technology | author | ms.localizationpriority | ms.date | ms.reviewer | manager |
---|---|---|---|---|---|---|---|---|---|---|
Policy CSP - DeviceGuard | Learn how to use the Policy CSP - DeviceGuard setting to allow the IT admin to configure the launch of System Guard. | dansimp | article | w10 | windows | manikadhiman | medium | 09/27/2019 | dansimp |
Policy CSP - DeviceGuard
DeviceGuard policies
- DeviceGuard/ConfigureSystemGuardLaunch
- DeviceGuard/EnableVirtualizationBasedSecurity
- DeviceGuard/LsaCfgFlags
- DeviceGuard/RequirePlatformSecurityFeatures
DeviceGuard/ConfigureSystemGuardLaunch
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | No | No |
Business | No | No |
Enterprise | Yes | Yes |
Education | Yes | Yes |
Scope:
- Device
This policy allows the IT admin to configure the launch of System Guard.
Secure Launch configuration:
- 0 - Unmanaged, configurable by Administrative user
- 1 - Enables Secure Launch if supported by hardware
- 2 - Disables Secure Launch.
For more information about System Guard, see "Introducing Windows Defender System Guard runtime attestation" and "How a hardware-based root of trust helps protect Windows 10".
ADMX Info:
- GP Friendly name: Turn On Virtualization Based Security
- GP name: VirtualizationBasedSecurity
- GP element: SystemGuardDrop
- GP path: System/Device Guard
- GP ADMX file name: DeviceGuard.admx
DeviceGuard/EnableVirtualizationBasedSecurity
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | No | No |
Business | No | No |
Enterprise | Yes | Yes |
Education | Yes | Yes |
Scope:
- Device
Turns on virtualization-based security (VBS) at the next reboot. Virtualization-based security uses the Windows Hypervisor to provide support for security services. Value type is integer.
ADMX Info:
- GP Friendly name: Turn On Virtualization Based Security
- GP name: VirtualizationBasedSecurity
- GP path: System/Device Guard
- GP ADMX file name: DeviceGuard.admx
The following list shows the supported values:
- 0 (default) - Disable virtualization-based security.
- 1 - Enable virtualization-based security.
DeviceGuard/LsaCfgFlags
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | No | No |
Business | No | No |
Enterprise | Yes | Yes |
Education | Yes | Yes |
Scope:
- Device
This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at the next reboot. Value type is integer.
ADMX Info:
- GP Friendly name: Turn On Virtualization Based Security
- GP name: VirtualizationBasedSecurity
- GP element: CredentialIsolationDrop
- GP path: System/Device Guard
- GP ADMX file name: DeviceGuard.admx
The following list shows the supported values:
- 0 (default) - (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock.
- 1 - (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
- 2 - (Enabled without lock) Turns on Credential Guard without UEFI lock.
DeviceGuard/RequirePlatformSecurityFeatures
Edition | Windows 10 | Windows 11 |
---|---|---|
Home | No | No |
Pro | No | No |
Business | No | No |
Enterprise | Yes | Yes |
Education | Yes | Yes |
Scope:
- Device
Specifies the platform security level at the next reboot. Value type is integer.
ADMX Info:
- GP Friendly name: Turn On Virtualization Based Security
- GP name: VirtualizationBasedSecurity
- GP element: RequirePlatformSecurityFeaturesDrop
- GP path: System/Device Guard
- GP ADMX file name: DeviceGuard.admx
The following list shows the supported values:
- 1 (default) - Turns on VBS with Secure Boot.
- 3 - Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
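The following Python function lints a proposed DeviceGuard profile against the supported values and defaults listed on this page, and flags combinations that leave a protection off. It is an added example, not Microsoft code; the `lint_profile` name, the `{policy: value}` dict shape, the severity labels and the rule that Credential Guard is only effective with VBS enabled are assumptions of this example.

```python
# Added example (not Microsoft code): lint a DeviceGuard profile against this page's value lists.
P = "DeviceGuard/"
SUPPORTED = {
    P + "ConfigureSystemGuardLaunch": {0, 1, 2},
    P + "EnableVirtualizationBasedSecurity": {0, 1},
    P + "LsaCfgFlags": {0, 1, 2},
    P + "RequirePlatformSecurityFeatures": {1, 3},
}
# Defaults stated on the page; none is listed for ConfigureSystemGuardLaunch.
DEFAULTS = {
    P + "EnableVirtualizationBasedSecurity": 0,
    P + "LsaCfgFlags": 0,
    P + "RequirePlatformSecurityFeatures": 1,
}


def lint_profile(profile):
    """Return sorted (severity, policy, message) findings for a {policy: value} dict."""
    findings = []
    for name, value in profile.items():
        if name not in SUPPORTED:
            findings.append(("error", name, "not one of the four DeviceGuard policies"))
        elif type(value) is not int:  # value type is integer; rejects bool and str
            findings.append(("error", name, f"value {value!r} is not an integer"))
        elif value not in SUPPORTED[name]:
            findings.append(("error", name, f"unsupported value {value}"))
    if findings:
        return sorted(findings)  # do not reason about a malformed profile

    eff = {**DEFAULTS, **profile}  # effective settings after applying defaults
    vbs, cg = eff[P + "EnableVirtualizationBasedSecurity"], eff[P + "LsaCfgFlags"]
    launch = eff.get(P + "ConfigureSystemGuardLaunch")
    if vbs == 0:
        findings.append(("warn", P + "EnableVirtualizationBasedSecurity", "VBS is disabled"))
        if cg in (1, 2):  # linter assumption: Credential Guard is only effective with VBS on
            findings.append(("warn", P + "LsaCfgFlags", "Credential Guard set but VBS disabled"))
    elif eff[P + "RequirePlatformSecurityFeatures"] == 1:
        findings.append(("info", P + "RequirePlatformSecurityFeatures", "Secure Boot only, no DMA"))
    if cg == 2:
        findings.append(("info", P + "LsaCfgFlags", "no UEFI lock: value 0 can turn it off remotely"))
    if launch == 0:
        findings.append(("info", P + "ConfigureSystemGuardLaunch", "unmanaged: left to local admin"))
    elif launch == 2:
        findings.append(("warn", P + "ConfigureSystemGuardLaunch", "Secure Launch is disabled"))
    return sorted(findings)


# Constructed sample profile: Credential Guard without lock, VBS left at its default.
SAMPLE = {P + "LsaCfgFlags": 2}
if __name__ == "__main__":
    for finding in lint_profile(SAMPLE):
        print(*finding, sep=" | ")
```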