Device Guard is a combination of enterprise-related software and hardware security features, when configured together, locks the device to run only trusted applications that you specify in the code integrity policy. . If the application is not trusted, it will not be able to run. With hardware that meets the basic requirements, that means that even if an attacker can gain control of the Windows kernel, they cannot run malicious executable code. With the right hardware, Device Guard can use the new virtualization-based security in Windows 10 to isolate the Code Integrity service from Microsoft Windows. In this case, the Code Integrity service runs in the same folder as the Windows virtualized protected container.
This tutorial will show you how to enable or disable security based on Device Guard virtualization on Windows 10 Enterprise and Windows 10 Education PCs.
You must log on as an administrator to enable or disable Device Guard.
How to enable or disable Device Guard
Step 1 . Open the Windows Features.
In Windows 10 Enterprise / Education version 1607 or later, select Hyper-V Hypervisor in Hyper-V and click OK .
In Windows 10 Enterprise / Education versions before version 1607, select Hyper-V Hypervisor in Hyper-V, select Isolated User Mode and click OK .
Step 2 . Open Local Group Policy Editor.
Step 3 . Navigate to the following key in the left pane of Local Group Policy Editor.
Computer ConfigurationAdministrative TemplatesSystemDevice Guard
Step 4 . In the right pane of Device Guard in the Local Group Policy Editor, double-click the Turn On Virtualization Based Security policy to edit it.
Step 5 . Follow Step 6 (turn on) or Step 7 (off).
Step 6 . To activate Device Guard
Note: The Secure Boot (recommended) option provides secure boot with multiple protections supported by specific computer hardware. A computer with an input / output memory manager (IOMMUs) will have a safe boot with DMA protection. A computer without IOMMUs will only activate secure boot.
Secure Boot with DMA will enable secure booting and VBS only on computers that support DMA, ie computers with IOMMUs. With this setting, any computer without IOMMU will not have VBS protection (hardware-based), although it can enable code integrity policies.
Note: Enabled with UEFI lock option ensures Virtualization Based Protection of Code Integrity is not disabled remotely. To disable this feature, you need to set up Group Policy Disabled as well as delete the security for each computer with the current user to delete the configuration on UEFI.
Option Enabled without lock for Virtualization Based Protection of Code Integrity is remotely disabled using Group Policy.
Note: Enabled with UEFI lock option ensures Credential Guard is not disabled remotely. To turn off this feature, you must set Group Policy to Disabled as well as delete the security function in each computer with the current user to delete the configuration in UEFI.
Enabled without lock option allows Credential Guard to be turned off remotely using Group Policy. Devices using this installation need to run on the operating system from Windows 10 (Version 1511) or later.
Step 7 . To disable Device Guard
Select Not Configured or Disabled , click OK and go to Step 8.
Note : Not Configured is the default setting.
Step 8 . Close Local Group Policy Editor.
Step 9 . Restart the computer to apply changes.
I wish you all success!
ncG1vNJzZmismaXArq3KnmWcp51ktbDDjK2mZp2elq%2BtsYyoqWacmaiuo7jEZpuerpmYsm6z1JqpnWWfo3q4tc2dprCrXWZ9