How to Enable or Disable Device Guard in Windows 10
InformationDevice Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
Device Guard references: (recommend to read)
- Device Guard deployment guide (Windows 10)
- Introduction to Device Guard - virtualization-based security and code integrity policies (Windows 10)
- Requirements and deployment planning guidelines for Device Guard (Windows 10)
- Planning and getting started on the Device Guard deployment process (Windows 10)
- Deploy Device Guard - deploy code integrity policies (Windows 10)
- Deploy Device Guard - enable virtualization-based security (Windows 10)
This tutorial will show you how to enable or disable Device Guard virtualization-based security on Windows 10 Enterprise and Windows 10 Education PCs.
You must be signed in as an administrator to enable or disable Device Guard.
1. Open Windows Features, and:
In Windows 10 Enterprise/Education version 1607 and newer, check Hyper-V Hypervisor under Hyper-V, and click/tap on OK. (see left screenshot below)
In Windows 10 Enterprise/Education versions earlier than 1607, check Hyper-V Hypervisor under Hyper-V, check Isolated User Mode, and click/tap on OK. (see right screenshot below)
2. Open the Local Group Policy Editor.
3. Navigate to the key below in the left pane of Local Group Policy Editor. (see screenshot below)
4. In the right pane of Device Guard in Local Group Policy Editor, double click/tap on the Turn On Virtualization Based Security policy to edit it. (see screenshot above)
5. Do step 6 (enable) or step 7 (disable) below for what you would like to do.
A) Select (dot) Enabled. (see screenshot below step 7)
B) Under Options, select Secure Boot or Secure Boot and DMA Protection in the Select Platform Security Level drop menu for what you want.
NoteThe Secure Boot (recommended) option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
The Secure Boot with DMA will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
C) Under Options, select Enabled with UEFI lock or Enabled without lock in the Virtualization Based Protection of Code Integrity drop menu for what you want.
NoteThe Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
The Enabled without lock option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.
D) If you like, you could also enable Credential Guard by selecting Enabled with UEFI lock or Enabled without lock in the Credential Guard Configuration drop menu for what you want.
NoteThe Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.
The Enabled without lock option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).
E) Go to step 8 below.
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 8 below. (see screenshot below)
NOTE: Not Configured is the default setting.
8. Close the Local Group Policy Editor.
9. Restart the computer to apply.
- How to Verify if Device Guard is Enabled or Disabled in Windows 10
- How to Enable or Disable Credential Guard in Windows 10
- How to Enable or Disable Secure Boot in UEFI
- How to Turn On or Off Windows Defender in Windows 10