Device Guard¶
Most of the Device Guard and Virtualization-Based Security features are Automatically enabled by default on capable and modern hardware. The rest of them will be enabled and configured to the most secure state after you apply the Microsoft Security Baselines 23H2 or later.
The Harden Windows Security Module has a feature that is accessible through confirm-SystemCompliance
cmdlet. It will let you scan your system and verify the implementations of the Device Guard policies.
About UEFI Lock¶
UEFI locked security measures are rooted in Proof of Physical Presence and they can't be disabled by modifying Group Policy, registry keys or other Administrative tasks.
The only way to disable UEFI locked security measures is to have physical access to the computer, reboot and access the UEFI settings, supply the credentials to access the UEFI, turn off Secure Boot, reboot the system and then you will be able to disable those security measures with Administrator privileges.
Device Guard Controls and Policies¶
-
Secure boot (without requiring DMA protection) for Virtualization-Based Security CSP
- This is in accordance with Microsoft's recommendation. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
- Secure boot has 2 parts, part 1 is enforced using the Group Policy by this module, but for part 2, you need to enable Secure Boot in your UEFI firmware settings if it's not enabled by default (which is the case on older hardware).
- (Kernel) DMA protection hardware requirements
-
Virtualization-based protection of Code Integrity + UEFI Lock CSP
-
System Guard Secure Launch and SMM protection (Firmware Protection) CSP
-
Local Security Authority (LSA) process Protection + UEFI Lock CSP
Device Protection in Windows Security Gives You One of These 4 Hardware Scores¶
- Standard hardware security not supported
- This means that your device does not meet at least one of the requirements of Standard Hardware Security.
- Your device meets the requirements for Standard Hardware Security.
- Your device meets the requirements for Enhanced Hardware Security
- Your device has all Secured-core PC features enabled