Verify if Device Guard is Enabled or Disabled in Windows 10  

    How to Verify if Device Guard is Enabled or Disabled in Windows 10
    Published in category: System Security
    27 May 2023
    Designer Media Ltd


    Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.

    Device Guard references (recommended reading):

    This tutorial will show you how to verify whether Device Guard virtualization-based security is enabled or disabled on your Windows 10 Enterprise or Windows 10 Education PC.


    Contents

    • Option One: To Verify if Device Guard is Enabled or Disabled in System Information
    • Option Two: To Verify if Device Guard is Enabled or Disabled in PowerShell






    OPTION ONE

    To Verify if Device Guard is Enabled or Disabled in System Information


    1. Press the Win+R keys to open Run, type msinfo32, and click/tap on OK to open System Information. (see screenshot below)

    2. The Device Guard properties (if enabled and running) are displayed at the bottom of the System Summary section.

    [Screenshot: verify_device_guard_msinfo32.jpg, System Information showing the Device Guard properties]






    OPTION TWO

    To Verify if Device Guard is Enabled or Disabled in PowerShell


    1. Open PowerShell.

    2. Enter the command below into PowerShell, and press Enter.

    Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    3. The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled.

    [Screenshot: verify_device_guard_powershell.png, PowerShell output of the Win32_DeviceGuard query]


    Properties of the Win32_DeviceGuard class, with their descriptions and valid values:

    AvailableSecurityProperties
        This field enumerates and reports the state of the security properties relevant to Device Guard.
        • 0. If present, no relevant properties exist on the device.
        • 1. If present, hypervisor support is available.
        • 2. If present, Secure Boot is available.
        • 3. If present, DMA protection is available.
        • 4. If present, Secure Memory Overwrite is available.
        • 5. If present, NX protections are available.
        • 6. If present, SMM mitigations are available.
        • 7. If present, MBEC/GMET is available.
        • 8. If present, APIC virtualization is available.

    InstanceIdentifier
        A string that is unique to a particular device. Determined by WMI.

    RequiredSecurityProperties
        This field describes the security properties required to enable virtualization-based security.
        • 0. Nothing is required.
        • 1. If present, hypervisor support is needed.
        • 2. If present, Secure Boot is needed.
        • 3. If present, DMA protection is needed.
        • 4. If present, Secure Memory Overwrite is needed.
        • 5. If present, NX protections are needed.
        • 6. If present, SMM mitigations are needed.
        • 7. If present, MBEC/GMET is needed.

    SecurityServicesConfigured
        This field indicates whether the Credential Guard or HVCI service has been configured.
        • 0. No services configured.
        • 1. If present, Credential Guard is configured.
        • 2. If present, HVCI is configured.
        • 3. If present, System Guard Secure Launch is configured.
        • 4. If present, SMM Firmware Measurement is configured.

    SecurityServicesRunning
        This field indicates whether the Credential Guard or HVCI service is running.
        • 0. No services running.
        • 1. If present, Credential Guard is running.
        • 2. If present, HVCI is running.
        • 3. If present, System Guard Secure Launch is running.
        • 4. If present, SMM Firmware Measurement is running.

    Version
        This field lists the version of this WMI class. The only valid value now is 1.0.

    VirtualizationBasedSecurityStatus
        This field indicates whether VBS is enabled and running.
        • 0. VBS is not enabled.
        • 1. VBS is enabled but not running.
        • 2. VBS is enabled and running.

    PSComputerName
        This field lists the computer name. All valid values for computer name.
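    The raw arrays returned by the command above are hard to read at a glance. The script below is an added example (not part of the tutorial or of Microsoft's tooling) that decodes the codes listed above into names and flags the two states worth chasing on a fleet: required properties the hardware does not offer (why VBS stays at status 0 or 1) and services that are configured but not running. It assumes a Windows 10/11 host where the root\Microsoft\Windows\DeviceGuard namespace exists; the function name Get-DeviceGuardReport is an assumption.

```powershell
# Added example: decode Win32_DeviceGuard output into a readable report.
# Assumes Windows 10/11 with the root\Microsoft\Windows\DeviceGuard namespace.
$PropertyNames = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
    7 = 'MBEC/GMET'; 8 = 'APIC virtualization'
}
$ServiceNames = @{
    1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement'
}
$VbsStatusText = @{
    0 = 'VBS is not enabled'; 1 = 'VBS is enabled but not running'; 2 = 'VBS is enabled and running'
}

# Map an array of codes to names; 0 means "none" and is dropped. Codes are cast to
# [int] because CIM returns UInt32 values, which do not match Int32 hashtable keys.
function ConvertTo-Names([int[]]$Codes, [hashtable]$Map) {
    @($Codes | Where-Object { $_ -ne 0 } |
        ForEach-Object { if ($Map.ContainsKey($_)) { $Map[$_] } else { "Unknown($_)" } })
}

function Get-DeviceGuardReport {
    param($Instance)   # optionally pass a captured instance for offline analysis
    if (-not $Instance) {
        $Instance = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    }
    $available  = [int[]]@($Instance.AvailableSecurityProperties)
    $required   = [int[]]@($Instance.RequiredSecurityProperties)
    $configured = [int[]]@($Instance.SecurityServicesConfigured)
    $running    = [int[]]@($Instance.SecurityServicesRunning)
    # Required-but-unavailable properties explain why VBS is not running.
    $missing = $required | Where-Object { $_ -ne 0 -and $available -notcontains $_ }
    # A service configured (e.g. by policy) but not running is a misconfiguration to investigate.
    $stalled = $configured | Where-Object { $_ -ne 0 -and $running -notcontains $_ }
    [pscustomobject]@{
        VbsStatus            = $VbsStatusText[[int]$Instance.VirtualizationBasedSecurityStatus]
        AvailableProperties  = ConvertTo-Names $available $PropertyNames
        MissingRequirements  = ConvertTo-Names $missing $PropertyNames
        ServicesRunning      = ConvertTo-Names $running $ServiceNames
        ConfiguredNotRunning = ConvertTo-Names $stalled $ServiceNames
    }
}

try {
    Get-DeviceGuardReport | Format-List
} catch {
    # The class is absent on editions or hardware without VBS support.
    Write-Warning "Win32_DeviceGuard query failed: $($_.Exception.Message)"
}
```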


    That's it,
    Shawn






    Windows 10 Pro
       #1

    Great info as usual, have one or two questions though.

    My laptop supports virtualisation-based security but it is not enabled by default.

    Secure Boot and TPM are on and enabled.

    The question is whether to go into BIOS and enable virtualisation-based security, what advantages it gives, and whether there are any performance hits by doing so.

    Thanks!

    Specs. if needed:

    Win 10 Pro v. 1803

    RAM: 16GB

    CPU: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz, 2208 Mhz, 6 Core(s), 12 Logical Processor(s)
    Last edited by Rubi; 23 Jan 2019 at 04:05. Reason: adding additional information


    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #2

    Hello @Rubi,

    You would need to enable virtualization for your CPU in your BIOS settings.

    Afterwards, the tutorial below can show you how to enable the Device Guard feature, but it's only available for Windows 10 Enterprise and Windows 10 Education editions.

    Enable or Disable Device Guard in Windows 10 | Tutorials


    Windows 10 Pro
       #3

    Thank you, I understand.

    Since I have neither of those editions is there any advantage to turning the feature on in BIOS or best to leave as is?


    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #4

    If virtualization is enabled for your CPU in BIOS, you would be able to use Hyper-V if wanted.

    Hyper-V virtualization - Setup and Use in Windows 10 | Tutorials


    Windows 10 Pro
       #5

    Currently I see no need to use this feature so will likely leave it disabled for now.

    Thanks.


    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #6

    You're most welcome.


    Windows 10 Pro / Ubuntu 18.04 / MacOS 10.14
       #7

    Brink said:
    Hello @Rubi,

    You would need to enable virtualization for your CPU in your BIOS settings.

    Afterwards, the tutorial below can show you how to enable the Device Guard feature, but it's only available for Windows 10 Enterprise and Windows 10 Education editions.

    Enable or Disable Device Guard in Windows 10 | Tutorials
    You cannot enable Device Guard, but you can enable Virtualization Based Security so that your command in PowerShell returns:

    VirtualizationBasedSecurityStatus : 2

    This enables IOMMU which provides many security benefits. With that enabled, the latest version of Windows claims that it provides:

    Base Virtualization Support, Secure Boot, DMA Protection, UEFI Code Readonly, SMM Security Mitigations 1.0, Mode Based Execution Control

    I highly recommend enabling this whether you're running Windows or Linux. I am not sure what support Apple provides for security through IOMMU.

    To be clear: you still have to go into the Group Policy Editor, and you can turn on virtualization based security under Device Guard, even with Windows 10 Pro. I have not tried on Home, but it is supposedly supported as well:

    ###########################################################################
    Readiness Tool Version 3.4 Release.
    Tool to check if your device is capable to run Device Guard and Credential Guard.
    ###########################################################################
    ###########################################################################
    OS and Hardware requirements for enabling Device Guard and Credential Guard
    1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
    2. Hardware: Recent hardware that supports virtualization extension with SLAT
    To learn more please visit: https://aka.ms/dgwhcr
    ###########################################################################
    Last edited by HockeyGuy; 13 Feb 2019 at 23:19.


    Win 10 Pro 64-bit v1909 - Build 18363 Custom ISO Install
       #8

    Hello @Brink,

    Another great Tutorial as always.

    I have been doing some work on this as part of a project that I am working on and found that there are a few entries that can be added for completeness.


    AvailableSecurityProperties:

    0. If present, no relevant properties exist on the device.
    1. If present, hypervisor support is available.
    2. If present, Secure Boot is available.
    3. If present, DMA protection is available.
    4. If present, Secure Memory Overwrite is available.
    5. If present, NX protections are available.
    6. If present, SMM mitigations are available.
    7. If present, MBEC/GMET is available.
    8. If present, APIC virtualization is available.

    RequiredSecurityProperties:

    0. Nothing is required.
    1. If present, hypervisor support is needed.
    2. If present, Secure Boot is needed.
    3. If present, DMA protection is needed.
    4. If present, Secure Memory Overwrite is needed.
    5. If present, NX protections are needed.
    6. If present, SMM mitigations are needed.
    7. If present, MBEC/GMET is needed.

    SecurityServicesConfigured:

    0. No services are configured.
    1. If present, Windows Defender Credential Guard is configured.
    2. If present, memory integrity is configured.
    3. If present, System Guard Secure Launch is configured.
    4. If present, SMM Firmware Measurement is configured.

    SecurityServicesRunning:

    0. No services running.
    1. If present, Windows Defender Credential Guard is running.
    2. If present, memory integrity is running.
    3. If present, System Guard Secure Launch is running.
    4. If present, SMM Firmware Measurement is running.

    VirtualizationBasedSecurityStatus:

    0. VBS isn't enabled.
    1. VBS is enabled but not running.
    2. VBS is enabled and running.

    I hope this helps.


    64-bit Windows 11 Pro for Workstations
    Thread Starter
       #9

    Paul Black said:
    Hello @Brink,

    Another great Tutorial as always.

    I have been doing some work on this as part of a project that I am working on and found that there are a few entries that can be added for completeness.

    I hope this helps.
    Thank you Paul. Now updated.

