---
title: Deploy Device Guard - enable virtualization-based security (Windows 10)
description: This article describes how to enable virtualization-based security, one of the main features that are part of Device Guard in Windows 10.
keywords: virtualization, security, malware
ms.prod: w10
ms.mktglfcycl: deploy
localizationpriority: high
author: brianlic-msft
---
Deploy Device Guard: enable virtualization-based security
Applies to
- Windows 10
- Windows Server 2016
Hardware-based security features, also called virtualization-based security or VBS, make up a large part of the Device Guard security offering. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are three steps to configure hardware-based security features in Device Guard:
1. Verify that hardware and firmware requirements are met. Verify that your client computers have the hardware and firmware needed to run these features. A list of requirements for hardware-based security features is available in Hardware, firmware, and software requirements for Device Guard.
2. Enable the necessary Windows features. There are several ways to enable the Windows features required for hardware-based security. For details, see the following section, Windows feature requirements for virtualization-based security.
3. Enable additional features as desired. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. For more information, see the following sections in this topic:
   - Enable Unified Extensible Firmware Interface Secure Boot
   - Enable virtualization-based security for kernel-mode code integrity
For information about enabling Credential Guard, see Protect derived domain credentials with Credential Guard.
Windows feature requirements for virtualization-based security
In addition to the hardware requirements found in Hardware, firmware, and software requirements for Device Guard, you must enable certain operating system features before you can enable VBS:
- With Windows 10, version 1607, or Windows Server 2016: Hyper-V Hypervisor (shown in Figure 1).
- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier: Hyper-V Hypervisor and Isolated User Mode (not shown).
Note
You can configure these features manually by using Windows PowerShell or Deployment Image Servicing and Management (DISM). For specific information about these methods, see Protect derived domain credentials with Credential Guard.
Figure 1. Enable operating system feature for VBS
After you enable the feature or features, you can configure any additional hardware-based security features you want. The following sections provide more information:
- Enable Unified Extensible Firmware Interface Secure Boot
- Enable virtualization-based security for kernel-mode code integrity
Enable Unified Extensible Firmware Interface Secure Boot
Before you begin this process, verify that the target device meets the hardware requirements for UEFI Secure Boot that are laid out in Hardware, firmware, and software requirements for Device Guard. There are two options to configure UEFI Secure Boot: manual configuration of the appropriate registry keys and Group Policy deployment. Complete the following steps to manually configure UEFI Secure Boot on a computer running Windows 10.
Note
There are two platform security levels for Secure Boot: stand-alone Secure Boot and Secure Boot with DMA protection. DMA protection provides additional memory protection but will be enabled only on systems whose processors include input/output memory management units (IOMMUs). Protection against driver-based attacks is provided only on systems that have IOMMUs and that have DMA protection enabled. For more information about how IOMMUs help protect against DMA attacks, see How Device Guard features help protect against threats.
1. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard registry subkey.
2. Set the EnableVirtualizationBasedSecurity DWORD value to 1.
3. Set the RequirePlatformSecurityFeatures DWORD value as appropriate for the operating system version:

With Windows 10, version 1607, or Windows Server 2016 | With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier |
---|---|
1 enables the Secure Boot option | 1 enables the Secure Boot option |
3 enables the Secure Boot and DMA protection option | 2 enables the Secure Boot and DMA protection option |

4. Restart the client computer.
Unfortunately, it would be time consuming to perform these steps manually on every protected computer in your enterprise. Group Policy offers a much simpler way to deploy UEFI Secure Boot to your organization. This example creates a test organizational unit (OU) called DG Enabled PCs. If you want, you can instead link the policy to an existing OU, and then scope the GPO by using appropriately named computer security groups.
Note
We recommend that you test-enable this feature on a group of test computers before you deploy it to users' computers.
Use Group Policy to deploy Secure Boot
1. To create a new GPO, right-click the OU to which you want to link the GPO, and then click Create a GPO in this domain, and Link it here.
Figure 5. Create a new OU-linked GPO
2. Give the new GPO a name, for example, Contoso Secure Boot GPO Test, or any name you prefer. Ideally, the name will align with your existing GPO naming convention.
3. Open the Group Policy Management Editor: right-click the new GPO, and then click Edit.
4. Within the selected GPO, navigate to Computer Configuration\Administrative Templates\System\Device Guard. Right-click Turn On Virtualization Based Security, and then click Edit.
Figure 6. Enable VBS
5. Select the Enabled button, and then select Secure Boot and DMA Protection from the Select Platform Security Level list.
Figure 7. Enable Secure Boot (in Windows 10, version 1607)
Note
The protection that Secure Boot provides is strongest when combined with DMA protection. If your hardware contains the IOMMUs required for DMA protection, be sure to select the Secure Boot and DMA Protection platform security level. If your hardware does not contain IOMMUs, Secure Boot without DMA Protection still provides several mitigations.
6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. After you configure this setting, the Secure Boot requirement takes effect upon restart.
7. Check the test computer's event log for Device Guard GPOs.
Processed Device Guard policies are logged in Event Viewer at Applications and Services Logs\Microsoft\Windows\DeviceGuard-GPEXT\Operational. When the Turn On Virtualization Based Security policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
Enable virtualization-based security for kernel-mode code integrity
Before you begin this process, verify that the target computer meets the hardware requirements for VBS found in Hardware, firmware, and software requirements for Device Guard, and enable the Windows features discussed in the Windows feature requirements for virtualization-based security section. When validated, you can enable virtualization-based protection of KMCI in one of two ways: manual configuration of the appropriate registry subkeys, or Group Policy deployment.
Note
All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable this feature on a group of test computers before you enable it on users' computers.
To configure virtualization-based protection of KMCI manually:
1. Navigate to the appropriate registry subkey:
   - With Windows 10, version 1607, or Windows Server 2016: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity (create the subkey under Scenarios if it does not exist).
   - With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
2. Set the DWORD value that turns the feature on to 1: on Windows 10, version 1607, or Windows Server 2016, this is the Enabled value under the Scenarios\HypervisorEnforcedCodeIntegrity subkey; on earlier versions, it is the HypervisorEnforcedCodeIntegrity value under the DeviceGuard subkey.
3. Restart the client computer.
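The following script is an added example written for this page by the editor, not a script from the original article or from Microsoft. It performs the manual steps from the three procedures above on one machine: enable the Windows feature prerequisites, set the DeviceGuard registry values for VBS and the platform security level, and optionally turn on virtualization-based protection of KMCI. Assumptions that are the editor's rather than the page's: build 14393 is used to tell Windows 10, version 1607 / Windows Server 2016 from earlier releases; the optional-feature names Microsoft-Hyper-V-Hypervisor and IsolatedUserMode; and the 1607 HVCI key layout (Scenarios\HypervisorEnforcedCodeIntegrity, value Enabled). Run it from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's script, not from this page): apply the manual VBS,
# Secure Boot and HVCI settings on one computer. Labelled assumptions are the
# editor's, not statements made by the page.
[CmdletBinding()]
param(
    [switch]$DmaProtection,   # choose "Secure Boot and DMA protection" (needs IOMMU-capable hardware)
    [switch]$EnableHvci       # also enable virtualization-based protection of KMCI
)

$dgKey        = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$isRs1OrLater = [Environment]::OSVersion.Version.Build -ge 14393   # assumption: 14393 = 1607 / Server 2016

function Set-DwordValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
    "$Path\$Name = $Value"
}

# 1. Windows feature prerequisites: Hyper-V Hypervisor, plus Isolated User Mode before 1607.
#    Feature names are the editor's assumption (Get-WindowsOptionalFeature -Online lists them).
$features = @('Microsoft-Hyper-V-Hypervisor')
if (-not $isRs1OrLater) { $features += 'IsolatedUserMode' }
foreach ($f in $features) {
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $f).State
    if ($state -ne 'Enabled') {
        Enable-WindowsOptionalFeature -Online -FeatureName $f -All -NoRestart | Out-Null
        "Enabled Windows feature $f"
    }
}

# 2. Turn VBS on and pick the platform security level. The encoding differs by release
#    (see the table in the Secure Boot procedure): 1607+ uses 1 / 3, earlier builds use 1 / 2.
$platform = 1
if ($DmaProtection) { $platform = if ($isRs1OrLater) { 3 } else { 2 } }
Set-DwordValue -Path $dgKey -Name 'EnableVirtualizationBasedSecurity' -Value 1
Set-DwordValue -Path $dgKey -Name 'RequirePlatformSecurityFeatures'   -Value $platform

# 3. Optional: virtualization-based protection of KMCI. Pilot this on test machines first;
#    an incompatible driver can leave the system unable to boot.
if ($EnableHvci) {
    if ($isRs1OrLater) {
        # Assumption: 1607+ reads Scenarios\HypervisorEnforcedCodeIntegrity\Enabled.
        Set-DwordValue -Path "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity" -Name 'Enabled' -Value 1
    } else {
        Set-DwordValue -Path $dgKey -Name 'HypervisorEnforcedCodeIntegrity' -Value 1
    }
}

# 4. Nothing takes effect until the computer restarts; echo what was written and stop.
Get-ItemProperty -Path $dgKey | Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures
Write-Warning 'Restart the computer to activate these settings (Restart-Computer).'
```

Save it as, for example, Enable-Vbs.ps1 and run `.\Enable-Vbs.ps1 -DmaProtection -EnableHvci` on a test machine whose hardware has IOMMUs. Omit -DmaProtection on hardware without IOMMUs; if you request DMA protection on a platform that cannot provide it, VBS will not start, which is visible afterwards in the Win32_DeviceGuard output described in the validation section of this topic.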
It would be time consuming to perform these steps manually on every protected computer in your enterprise. Instead, use Group Policy to deploy virtualization-based protection of KMCI. This example creates a test OU called DG Enabled PCs, which you will use to link the GPO. If you prefer to link the policy to an existing OU rather than create a test OU and scope the policy by using appropriately named computer security groups, that is another option.
Note
We recommend that you test-enable this feature on a group of test computers before you deploy it to users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.
To use Group Policy to configure VBS of KMCI:
1. Create a new GPO: right-click the OU to which you want to link the GPO, and then click Create a GPO in this domain, and Link it here.
Figure 2. Create a new OU-linked GPO
2. Give the new GPO a name, for example, Contoso VBS CI Protection GPO Test, or any name you prefer. Ideally, the name will align with your existing GPO naming convention.
3. Open the Group Policy Management Editor: right-click the new GPO, and then click Edit.
4. Within the selected GPO, navigate to Computer Configuration\Administrative Templates\System\Device Guard. Right-click Turn On Virtualization Based Security, and then click Edit.
Figure 3. Enable VBS
5. Select the Enabled button, and then for Virtualization Based Protection of Code Integrity, select the appropriate option:
   - With Windows 10, version 1607, or Windows Server 2016, choose an enabled option. For an initial deployment or test deployment, we recommend Enabled without UEFI lock. When your deployment is stable in your environment, we recommend changing to Enabled with UEFI lock. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
   - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier, select the Enable Virtualization Based Protection of Code Integrity check box.
Figure 4. Enable VBS of KMCI (in Windows 10, version 1607)
6. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. With this setting configured, virtualization-based protection of KMCI takes effect upon restart.
7. Check the test client event log for Device Guard GPOs.
Processed Device Guard policies are logged in Event Viewer under Applications and Services Logs\Microsoft\Windows\DeviceGuard-GPEXT\Operational. When the Turn On Virtualization Based Security policy has been successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.
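The following script is an added example by the editor, not part of the original article. It builds the same Turn On Virtualization Based Security GPO that both Group Policy procedures in this topic (the Secure Boot one and the KMCI one) click through in the Group Policy Management Editor, because both procedures configure the same policy, and it then shows the event 7000 check on a test client. The OU and GPO names are placeholders. The policy registry path HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard and the value encodings (RequirePlatformSecurityFeatures 1 / 3, HypervisorEnforcedCodeIntegrity 0 / 1 / 2) are taken from the DeviceGuard.admx template as the editor knows it for Windows 10, version 1607, not from this page; the event log channel name is the PowerShell form of the Event Viewer path given above. It needs the GroupPolicy RSAT module on the administrative workstation.

```powershell
# Added example (editor's script, not from this page): create and populate the
# "Turn On Virtualization Based Security" GPO, then verify it on a test client.
# Policy key and value encodings below are the editor's reading of DeviceGuard.admx
# (Windows 10, version 1607), not values stated on the page.
Import-Module GroupPolicy

$gpoName   = 'Contoso VBS CI Protection GPO Test'      # placeholder; match your naming convention
$targetOu  = 'OU=DG Enabled PCs,DC=contoso,DC=com'     # placeholder test OU
$policyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

# Create the GPO and link it to the test OU only if it does not already exist.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName
    New-GPLink -Name $gpoName -Target $targetOu | Out-Null
    "Created and linked GPO '$gpoName' to $targetOu"
}

# Policy = Enabled, with the platform security level:
#   1 = Secure Boot, 3 = Secure Boot and DMA Protection (IOMMU hardware required).
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'EnableVirtualizationBasedSecurity' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'RequirePlatformSecurityFeatures'   -Type DWord -Value 3 | Out-Null

# Virtualization Based Protection of Code Integrity (ADMX encoding, editor's assumption):
#   0 = Disabled, 1 = Enabled with UEFI lock, 2 = Enabled without lock.
# Pilot without the lock; move to 1 once the driver set in the OU is known to be compatible.
$hvciMode = 2
Set-GPRegistryValue -Name $gpoName -Key $policyKey -ValueName 'HypervisorEnforcedCodeIntegrity' -Type DWord -Value $hvciMode | Out-Null

# Show the registry-backed settings the GPO now carries.
Get-GPRegistryValue -Name $gpoName -Key $policyKey | Format-Table ValueName, Type, Value -AutoSize

# --- On a test client in the OU, after `gpupdate /force` and a restart ---
# Event 7000 in the DeviceGuard-GPEXT channel confirms the policy was processed and
# echoes the chosen settings; its absence after a restart means the GPO never applied.
$filter = @{ LogName = 'Microsoft-Windows-DeviceGuard-GPEXT/Operational'; Id = 7000 }
Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

One caveat before choosing the locked mode: with Enabled with UEFI lock the setting is persisted in a UEFI variable, so later reverting or unlinking the GPO does not switch the feature off on machines that already applied it; plan the pilot so you are confident in the driver set first.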
Validate enabled Device Guard hardware-based security features
Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the following command:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
Note
The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10.
The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1.
Table 1. Win32_DeviceGuard properties
Properties | Description | Valid values |
---|---|---|
AvailableSecurityProperties | This field enumerates and reports the state of the security properties relevant to Device Guard. | Note: 4, 5, and 6 were added as of Windows 10, version 1607. |
InstanceIdentifier | A string that is unique to a particular device. | Determined by WMI. |
RequiredSecurityProperties | This field describes the security properties required to enable virtualization-based security. | Note: 4, 5, and 6 were added as of Windows 10, version 1607. |
SecurityServicesConfigured | This field indicates whether the Credential Guard or HVCI service has been configured. | |
SecurityServicesRunning | This field indicates whether the Credential Guard or HVCI service is running. | |
Version | This field lists the version of this WMI class. | The only valid value now is 1.0. |
VirtualizationBasedSecurityStatus | This field indicates whether VBS is enabled and running. | |
PSComputerName | This field lists the computer name. | All valid values for computer name. |
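The following script is an added example by the editor, not from the original article. It runs the Win32_DeviceGuard query above and turns the numeric properties into readable names, then performs the two checks a deployment actually needs: whether every property the platform requires is also available, and whether HVCI is running rather than merely configured. The value-to-name tables are the documented Win32_DeviceGuard enumerations as the editor knows them (with 4, 5 and 6 being the values added in Windows 10, version 1607); this page does not list them, so treat them as the editor's assumption and compare against msinfo32 if in doubt.

```powershell
#Requires -RunAsAdministrator
# Added example (editor's script, not from this page): decode Win32_DeviceGuard and
# gate on the result. The enumeration tables are the editor's assumption about the
# documented values, not values stated on this page.
$propertyNames = @{
    0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
}
$serviceNames = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI' }
$vbsStatus    = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Convert-Codes {
    param([uint32[]]$Codes, [hashtable]$Names)
    # CIM returns UInt32 arrays; look each one up, keeping unknown codes visible.
    @($Codes | ForEach-Object { if ($Names.ContainsKey([int]$_)) { $Names[[int]$_] } else { "Unknown($_)" } }) -join ', '
}

function Get-DeviceGuardReport {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $missing = @($dg.RequiredSecurityProperties | Where-Object { $_ -notin $dg.AvailableSecurityProperties })
    [pscustomobject]@{
        Computer          = $dg.PSComputerName
        ClassVersion      = $dg.Version
        VbsStatus         = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        Available         = Convert-Codes $dg.AvailableSecurityProperties $propertyNames
        Required          = Convert-Codes $dg.RequiredSecurityProperties  $propertyNames
        MissingRequired   = Convert-Codes $missing                        $propertyNames
        Configured        = Convert-Codes $dg.SecurityServicesConfigured  $serviceNames
        Running           = Convert-Codes $dg.SecurityServicesRunning     $serviceNames
        HvciConfigured    = (2 -in $dg.SecurityServicesConfigured)
        HvciRunning       = (2 -in $dg.SecurityServicesRunning)
    }
}

$report = Get-DeviceGuardReport
$report | Format-List

# Gate the result the way a rollout check should: a required property that the
# platform cannot supply, or HVCI configured but not running, both mean the
# machine is not actually protected and needs hardware or driver investigation.
if ($report.MissingRequired) {
    Write-Warning "Required platform properties not available: $($report.MissingRequired)"
}
if ($report.HvciConfigured -and -not $report.HvciRunning) {
    Write-Warning 'HVCI is configured but not running: check for an incompatible driver or a missing platform feature, then restart.'
} elseif ($report.HvciRunning) {
    'HVCI is running.'
}
```

Running it after the restart that follows either deployment method gives the same information as the msinfo32.exe System Summary described next, but in a form that can be collected from many machines and compared against the expected configuration.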
Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the System Summary section, as shown in Figure 11.
Figure 11. Device Guard properties in the System Summary