Device Guard

Most of the Device Guard and Virtualization-Based Security features are Automatically enabled by default on capable and modern hardware. The rest of them will be enabled and configured to the most secure state after you apply the Microsoft Security Baselines 23H2 or later.

The Harden Windows Security Module has a feature that is accessible through confirm-SystemCompliance cmdlet. It will let you scan your system and verify the implementations of the Device Guard policies.

• Check out Secured-Core PC requirements.

About UEFI Lock

UEFI locked security measures are rooted in Proof of Physical Presence and they can't be disabled by modifying Group Policy, registry keys or other Administrative tasks.

The only way to disable UEFI locked security measures is to have physical access to the computer, reboot and access the UEFI settings, supply the credentials to access the UEFI, turn off Secure Boot, reboot the system and then you will be able to disable those security measures with Administrator privileges.

Device Guard Controls and Policies

• Virtualization-Based Security + UEFI Lock CSP

  • Validate enabled Windows Defender Device Guard hardware-based security features

• Secure boot (without requiring DMA protection) for Virtualization-Based Security CSP

  • This is in accordance with Microsoft's recommendation. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
  • Secure boot has 2 parts, part 1 is enforced using the Group Policy by this module, but for part 2, you need to enable Secure Boot in your UEFI firmware settings if it's not enabled by default (which is the case on older hardware).
  • (Kernel) DMA protection hardware requirements

• Virtualization-based protection of Code Integrity + UEFI Lock CSP

• Require UEFI Memory Attributes Table (MAT) CSP

• Windows Defender Credential Guard + UEFI Lock CSP

  • Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
  • Windows Defender Credential Guard requirements

• System Guard Secure Launch and SMM protection (Firmware Protection) CSP

  • How to verify System Guard Secure Launch is configured and running

• Kernel Mode Hardware Enforced Stack Protection

• Local Security Authority (LSA) process Protection + UEFI Lock CSP

Device Protection in Windows Security Gives You One of These 4 Hardware Scores

1. Standard hardware security not supported
• This means that your device does not meet at least one of the requirements of Standard Hardware Security.
2. Your device meets the requirements for Standard Hardware Security.
• TPM 2.0
• Secure boot
• DEP
• UEFI MAT
3. Your device meets the requirements for Enhanced Hardware Security
• TPM 2.0
• Secure boot
• DEP
• UEFI MAT
• Memory Integrity
4. Your device has all Secured-core PC features enabled
• TPM 2.0
• Secure boot
• DEP
• UEFI MAT
• Memory Integrity
• System Management Mode (SMM)

Additional Resources

• Memory integrity and VBS enablement