deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-21 17:57:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
John Liu a8680be7fe
CAT Auto Pulish for Windows Release Messages - 20190910123725 (#1079) 
* Update waas-servicing-differences.md

Added two clarifications regarding Windows 10 preview updates.  I have consistently fielded questions about why they are 'missing' in people's enterprise environments.  It almost always boils down to one of these two notes: they either weren't published to WSUS or they are looking for the word 'Preview' in the title.

* Update windows/deployment/update/waas-servicing-differences.md

Looks great, thanks Johan!

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update waas-servicing-differences.md

Implement the MarkDown standard of using 1 space between the indent marker > and the [!Note] markers

* Update windows/deployment/update/waas-servicing-differences.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/deployment/update/waas-servicing-differences.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update windows/deployment/update/waas-servicing-differences.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Updated the document

Updated the steps in the document related to Windows Analytics Solutions.

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4392

* Update windows/deployment/update/windows-analytics-FAQ-troubleshooting.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Update windows/deployment/update/windows-analytics-FAQ-troubleshooting.md

Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com>

* Update autopilot-support.md

Remove redundant line (PFE was the old term for an Ecosystem PM).  And added new alias for Ecosystem PMs (after discussing all this with the Ecosystem PM managers).

* Terminology Correction

Terminology Correction

* Incorrect Command Line Arguments

According to this doc https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/windows-setup-command-line-options the correct command line argument for ignoring dismissable warnings is /Compat IgnoreWarning not /compat /ignore warning as specified here in the docs. Also, the same incorrect message is included in the setupdiag.exe, so when the report is generated, it is providing incorrect guidance.

* Update mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md

* Enterprise Mode schema: duplicate https usage

- Resolve duplicate use of https where both http and https was intended
- MarkDown code fence XML tag corrections
- Replace HTML `<br>` codes with NewLine
- Remove redundant space at the end of the version 2 file

Resolves #4769

* Update: NewLine changes

- Remove extraneous NewLine breaks
- Remove missed HTML `<br>` code

* Update credential-guard-manage.md

* Update event-5155.md

* Update windows-autopilot-requirements.md

Separated the Windows Autopilot deployment service and Windows Activation items into two separate rows to make it easier to read.

* Update upgrade-mbam2.5-sp1.md

* finish

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Update windows/security/threat-protection/auditing/event-5155.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Update kiosk-mdm-bridge.md

* Windows Update resources: add MD code block

Description:

The list of manual regsvr32.exe commands becomes translated in other
languages, to the extent that extra words appear among the commands.
This is an attempt to mitigate this behavior in the machine translation,
by adding a MarkDown code block around the list of commands.

Proposed changes:
- Add MD code block around the long list of regsvr32.exe commands
- Remove blank space characters at the end of each line (cosmetic)

issue ticket reference or closure:
Ref. #4800 (Spanish "translation" of commands)
Ref. #3569, #3570, #3571, #3572, #3574, #3575
( [LOC] Back-Translation "regsvr32.exe [...]" )

* MetaData update: convert ^M (2x) to NewLine

- replaced Ctrl-M character with NewLine in MetaData

* Update mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* comment

* Clarify the registry key needed to set tags

* Update microsoft-defender-atp-mac-install-with-intune.md

adding troubleshooting step for common 'no license found' issue

* Add page for Audit Token Right Adjusted

* Windows/What's New: amend broken link in See Also

The first link under "See Also",
"What's New in Windows Server, version 1903" ,
is broken because it points to the wrong directory for the file
'whats-new-in-windows-server-1903' which resides in the new directory
/get-started-19/ instead of the old directory /get-started/.

This directory difference is only present in the docs.microsoft.com
pages, not on Github. The links are therefore pointing directly to the
docs.microsoft.com pages instead of being relative to the Github
directory structure.

Broken link:
https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1903

Operative link:
https://docs.microsoft.com/windows-server/get-started-19/whats-new-in-windows-server-1903

Closes #4784

* Update TOC.md

* Added multifactor unlock

Added multifactor unlock feature update using Passport for work CSP.

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4700

* Added policies for 1803 and 1809 (1903 not out yet)

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3912

* Fix typo

* Actually fix typos

* Windows Defender Antivirus: amend broken link

From the issue ticket
> Set-mppreference is configured with dead URL. (#4831)

- The link "Use the [Set-MpPreference][]" is broken,
  but without the empty brackets it will work as expected.
- Removing the redundant empty brackets after the next link too.

Closes #4831

* Update windows/client-management/new-policies-for-windows-10.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Update windows/client-management/new-policies-for-windows-10.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Update upgrading-to-mbam-25-sp1-from-mbam-25.md

* Update windows/client-management/new-policies-for-windows-10.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/client-management/new-policies-for-windows-10.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/client-management/new-policies-for-windows-10.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update windows/client-management/new-policies-for-windows-10.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* URL addition of OWA

Added URL for OWA attachment protection using WIP

Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3747

* Update windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Fixed text

"Automated investigation" instead of "Alert"

* Update waas-overview.md

Corrected a typo

* Update windows/deployment/update/waas-overview.md

Makes sense.

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* edit

* Update microsoft-recommended-block-rules.md

updated typo in description.

* Update windows/security/threat-protection/auditing/audit-token-right-adjusted.md

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* note ragarding Company Portal change

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3843

info found here: https://blogs.technet.microsoft.com/cbernier/2018/03/08/windows-information-protection-adding-the-intune-company-portal-for-windows-as-an-exempt-app/

* Update microsoft-defender-atp-mac-install-with-intune.md

* Microsoft Defender ATP: amend copy-paste error

When using Microsoft Intune as part of the Defender ATP setup,
it will become necessary to configure some controlled folder access.
This bug looks like it could have been transferred from one of the
other pages during editing, but I could not locate it easily enough.

Anyway, the correct part of this step is to refer to
-- Controlled folder access --
exactly as the page name points to.

Thanks to jcampos79 for discovering this text-based bug.

Closes #4854

* Updated how to disable HVCI

Prior guidance to disable HVCI was outdated

* Update windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* update content of upgrade mbam2.5 sp1

* Removed bullet

Removed bullet as it was not making any sense.

* format setting

a minor format setting

* Update windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* Update windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md

Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com>

* sample script syntax error due to ASCII codes for quotes

sample script filter syntax contained ASCII codes for single quotes instead of actual quotes, causing the Get-CimInstance commands to error out.

* Update how-windows-update-works.md: amend typo

Simple typo correction, along with a few MarkDown
codestyle corrections for MD blockquote (`>`) indenting.

- typo correction: initates -> initiates
- codestyle corrections:
  3 MarkDown blockquote indentations amended

Thanks to Jessie Gouw (jessiegouw) for reporting the typo.

Closes #4866

* Moved '.' syntax description to a separate table

* fixes #4760, broken table

The formatting was broken because a pipe character was in the wrong place. There was also an extra row due to double spacing below the table.

* Enterprise Mode schema: convert Important notes

As previously discussed in this PR, I have converted the
**Important** section headings by using their MarkDown equivalent
> [!IMPORTANT] (as well as adding the blockquote for its text content).

* Update text in windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md

Per review.

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Update text in windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md

Per review.

Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com>

* Spelled out acronym, fixed typo

* pull from public to private and fix warnings

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190910100213 (#1073)

* pull from public to private and fix warnings

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190910112417 (#1077)

* Cat auto publish 20190910112417 (#1081)

* Merge changes from master to live (#950)

* v 1.6

* removed a known issue

* removed references to CB, CBB

* Latest changes for publish today (#949)

* Merge from master to live (#956)

* safety checkin

* added location for group policy object

* replaced reboot w/ restart

* safety commit for some initial noodlings

* restructured to emphasize new policy; connected to TOC

* adjusting heading levels

* fixing tables

* Latest change for August 20 (#955)

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190823163336 (#980) (#981)

* CAT Auto Pulish for Windows Release Messages - 20190829112356 (#1007)

* Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md

* add table

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190829102107 (#1006)

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190829175859 (#1012) (#1013)

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190830100739 (#1018) (#1019)

* CAT Auto Pulish for Windows Release Messages - 20190903135254 (#1033)

* SIEM connector: change alert notion to Detection

* update casing and redirects

* remove space json file

* fix json

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190903123340 (#1031)

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190906173611 (#1061) (#1062)

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190910100213 (#1073) (#1074)

* CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_20190910112417
2019-09-10 13:41:31 -07:00

15 KiB
Raw Blame History

title, description, ms.prod, ms.mktglfcycl, ms.localizationpriority, ms.author, author, manager, audience, ms.collection, ms.topic, ms.date, ms.reviewer
title description ms.prod ms.mktglfcycl ms.localizationpriority ms.author author manager audience ms.collection ms.topic ms.date ms.reviewer
Enable virtualization-based protection of code integrity This article explains the steps to opt in to using HVCI on Windows devices. w10 deploy medium ellevin levinec dansimp ITPro M365-security-compliance conceptual 04/01/2019

Enable virtualization-based protection of code integrity

Applies to

This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see Troubleshooting for remediation steps.

Note

HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required Mode based execution control (MBE) Virtualization. AMD CPUs do not have MBE.

Tip

"The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisors software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book

HVCI Features

  • HVCI protects modification of the Code Flow Guard (CFG) bitmap.
  • HVCI also ensure your other Truslets, like Credential Guard have a valid certificate.
  • Modern device drivers must also have an EV (Extended Validation) certificate and should support HVCI.

How to turn on HVCI in Windows 10

To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:

Windows Security app

HVCI is labeled Memory integrity in the Windows Security app and it can be accessed via Settings > Update & Security > Windows Security > Device security > Core isolation details > Memory integrity. For more information, see KB4096339.

Enable HVCI using Intune

Enabling in Intune requires using the Code Integrity node in the AppLocker CSP.

Enable HVCI using Group Policy

  1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.

  2. Navigate to Computer Configuration > Administrative Templates > System > Device Guard.

  3. Double-click Turn on Virtualization Based Security.

  4. Click Enabled and under Virtualization Based Protection of Code Integrity, select Enabled with UEFI lock to ensure HVCI cannot be disabled remotely or select Enabled without UEFI lock.

    Enable HVCI using Group Policy

  5. Click Ok to close the editor.

To apply the new policy on a domain-joined computer, either restart or run gpupdate /force in an elevated command prompt.

Use registry keys to enable virtualization-based protection of code integrity

Set the following registry keys to enable HVCI. This provides exactly the same set of configuration options provided by Group Policy.

Important

  • Among the commands that follow, you can choose settings for Secure Boot and Secure Boot with DMA. In most situations, we recommend that you choose Secure Boot. This option provides Secure Boot with as much protection as is supported by a given computers hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
    In contrast, with Secure Boot with DMA, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
  • All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.

For Windows 10 version 1607 and later

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

If you want to customize the preceding recommended settings, use the following settings.

To enable VBS

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To enable VBS and require Secure boot only (value 1)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.

To enable VBS without UEFI lock (value 0)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f

To enable VBS with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.

To enable virtualization-based protection of Code Integrity policies

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f

To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.

For Windows 10 version 1511 and earlier

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f

If you want to customize the preceding recommended settings, use the following settings.

To enable VBS (it is always locked to UEFI)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To enable VBS and require Secure boot only (value 1)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

To enable VBS with Secure Boot and DMA (value 3), in the preceding command, change /d 1 to /d 3.

To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f

To enable virtualization-based protection of Code Integrity policies without UEFI lock

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f

Validate enabled Windows Defender Device Guard hardware-based security features

Windows 10 and Windows Server 2016 have a WMI class for related properties and features: Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the following command:

Get-CimInstance ClassName Win32_DeviceGuard Namespace root\Microsoft\Windows\DeviceGuard

Note

The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10.

Note

Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803.

The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.

AvailableSecurityProperties

This field helps to enumerate and report state on the relevant security properties for Windows Defender Device Guard.

Value Description
0. If present, no relevant properties exist on the device.
1. If present, hypervisor support is available.
2. If present, Secure Boot is available.
3. If present, DMA protection is available.
4. If present, Secure Memory Overwrite is available.
5. If present, NX protections are available.
6. If present, SMM mitigations are available.
7. If present, Mode Based Execution Control is available.

InstanceIdentifier

A string that is unique to a particular device. Valid values are determined by WMI.

RequiredSecurityProperties

This field describes the required security properties to enable virtualization-based security.

Value Description
0. Nothing is required.
1. If present, hypervisor support is needed.
2. If present, Secure Boot is needed.
3. If present, DMA protection is needed.
4. If present, Secure Memory Overwrite is needed.
5. If present, NX protections are needed.
6. If present, SMM mitigations are needed.
7. If present, Mode Based Execution Control is needed.

SecurityServicesConfigured

This field indicates whether the Windows Defender Credential Guard or HVCI service has been configured.

Value Description
0. No services configured.
1. If present, Windows Defender Credential Guard is configured.
2. If present, HVCI is configured.
3. If present, System Guard Secure Launch is configured.

SecurityServicesRunning

This field indicates whether the Windows Defender Credential Guard or HVCI service is running.

Value Description
0. No services running.
1. If present, Windows Defender Credential Guard is running.
2. If present, HVCI is running.
3. If present, System Guard Secure Launch is running.

Version

This field lists the version of this WMI class. The only valid value now is 1.0.

VirtualizationBasedSecurityStatus

This field indicates whether VBS is enabled and running.

Value Description
0. VBS is not enabled.
1. VBS is enabled but not running.
2. VBS is enabled and running.

PSComputerName

This field lists the computer name. All valid values for computer name.

Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the System Summary section.

Windows Defender Device Guard properties in the System Summary

Troubleshooting

A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using Device Manager.

B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.

C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see Windows RE Technical Reference. After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.

How to turn off HVCI

  1. Run the following command from an elevated prompt to set the HVCI registry key to off
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
  1. Restart the device.
  2. To confirm HVCI has been successfully disabled, open System Information and check Virtualization-based security Services Running, which should now have no value displayed.

HVCI deployment in virtual machines

HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.

WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:

Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

Requirements for running HVCI in Hyper-V virtual machines

  • The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
  • The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
  • HVCI and nested virtualization can be enabled at the same time
  • Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
  • The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.