Published by


Brink's Avatar
Administrator

Posts: 16,420

Show Printable Version 


How to Enable or Disable Device Guard in Windows 10

information   Information
Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.

Device Guard references: (recommend to read)


This tutorial will show you how to enable or disable Device Guard virtualization-based security on Windows 10 Enterprise and Windows 10 Education PCs.

You must be signed in as an administrator to enable or disable Device Guard.



Here's How:

1. Open Windows Features, and:

In Windows 10 Enterprise/Education version 1607 and newer, check Hyper-V Hypervisor under Hyper-V, and click/tap on OK. (see left screenshot below)

OR

In Windows 10 Enterprise/Education versions earlier than 1607, check Hyper-V Hypervisor under Hyper-V, check Isolated User Mode, and click/tap on OK. (see right screenshot below)

Name:  Device_Guard_Windows_Features_1607.png
Views: 398
Size:  26.9 KB Name:  Device_Guard_Windows_Features.png
Views: 403
Size:  17.0 KB


2. Open the Local Group Policy Editor.

3. Navigate to the key below in the left pane of Local Group Policy Editor. (see screenshot below)

Computer Configuration\Administrative Templates\System\Device Guard

Click image for larger version. 

Name:	Device_Guard_gpedit-1.png 
Views:	20 
Size:	37.9 KB 
ID:	108861

4. In the right pane of Device Guard in Local Group Policy Editor, double click/tap on the Turn On Virtualization Based Security policy to edit it. (see screenshot above)

5. Do step 6 (enable) or step 7 (disable) below for what you would like to do.


 6. To Enable Device Guard

A) Select (dot) Enabled. (see screenshot below step 7)

B) Under Options, select Secure Boot or Secure Boot and DMA Protection in the Select Platform Security Level drop menu for what you want.
Note   Note
The Secure Boot (recommended) option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.

The Secure Boot with DMA will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.


C) Under Options, select Enabled with UEFI lock or Enabled without lock in the Virtualization Based Protection of Code Integrity drop menu for what you want.
Note   Note
The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

The Enabled without lock option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.


D) If you like, you could also enable Credential Guard by selecting Enabled with UEFI lock or Enabled without lock in the Credential Guard Configuration drop menu for what you want.
Note   Note
The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

The Enabled without lock option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).


E) Go to step 8 below.


 7. To Disable Device Guard

A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 8 below. (see screenshot below)

NOTE: Not Configured is the default setting.

Click image for larger version. 

Name:	Device_Guard_gpedit-2.png 
Views:	26 
Size:	89.1 KB 
ID:	108862


8. Close the Local Group Policy Editor.

9. Restart the computer to apply.



That's it,
Shawn