Windows 10: Enable or Disable Device Guard in Windows 10

Brink · Feb 17, 2017

How to: Enable or Disable Device Guard in Windows 10

How to Enable or Disable Device Guard in Windows 10

Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isnt trusted it cant run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.

Device Guard references: (recommend to read)

Device Guard hardware requirements | Microsoft Docs

Device Guard deployment guide (Windows 10)

Introduction to Device Guard - virtualization-based security and code integrity policies (Windows 10)

Requirements and deployment planning guidelines for Device Guard (Windows 10)

Planning and getting started on the Device Guard deployment process (Windows 10)

Deploy Device Guard - deploy code integrity policies (Windows 10)

Deploy Device Guard - enable virtualization-based security (Windows 10)

Windows 10 Enterprise Security: Credential Guard and Device Guard | Dell US

ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 - ThinkPad

HP Manageability Integration Kit Supported Platforms | HP Client Management Solutions

Windows 10 Device Guard and Credential Guard Demystified

This tutorial will show you how to enable or disable Device Guard virtualization-based security on Windows 10 Enterprise and Windows 10 Education PCs.

You must be signed in as an administrator to enable or disable Device Guard.

Here's How:

1. Open Windows Features, and:
*Arrow In Windows 10 Enterprise/Education version 1607 and newer, check Hyper-V Hypervisor under Hyper-V, and click/tap on OK. (see left screenshot below)

OR

*Arrow In Windows 10 Enterprise/Education versions earlier than 1607, check Hyper-V Hypervisor under Hyper-V, check Isolated User Mode, and click/tap on OK. (see right screenshot below)

2. Open the Local Group Policy Editor.

3. Navigate to the key below in the left pane of Local Group Policy Editor. (see screenshot below)
*Arrow Computer Configuration\Administrative Templates\System\Device Guard

4. In the right pane of Device Guard in Local Group Policy Editor, double click/tap on the Turn On Virtualization Based Security policy to edit it. (see screenshot above)

5. Do step 6 (enable) or step 7 (disable) below for what you would like to do.

6. To Enable Device Guard
A) Select (dot) Enabled. (see screenshot below step 7)

B) Under Options, select Secure Boot or Secure Boot and DMA Protection in the Select Platform Security Level drop menu for what you want.

*note The Secure Boot (recommended) option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.

The Secure Boot with DMA will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.

C) Under Options, select Enabled with UEFI lock or Enabled without lock in the Virtualization Based Protection of Code Integrity drop menu for what you want.

*note The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

The Enabled without lock option allows Virtualization Based Protection of Code Integrity to be disabled remotely by using Group Policy.

D) If you like, you could also enable Credential Guard by selecting Enabled with UEFI lock or Enabled without lock in the Credential Guard Configuration drop menu for what you want.

*note The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely. In order to disable the feature, you must set the Group Policy to "Disabled" as well as remove the security functionality from each computer, with a physically present user, in order to clear configuration persisted in UEFI.

The Enabled without lock option allows Credential Guard to be disabled remotely by using Group Policy. The devices that use this setting must be running at least Windows 10 (Version 1511).

E) Go to step 8 below.

7. To Disable Device Guard
A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 8 below. (see screenshot below)

*note Not Configured[/B] is the default setting.

8. Close the Local Group Policy Editor.

9. Restart the computer to apply.

That's it,
Shawn

Related Tutorials

How to Verify if Device Guard is Enabled or Disabled in Windows 10

How to Enable or Disable Credential Guard in Windows 10

How to Enable or Disable Secure Boot in UEFI

How to Turn On or Off Windows Defender in Windows 10

:)

Brink · Oct 26, 2019

Windows 10 Device Guard and Credential Guard Demystified

While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. This is a shame since some of the key benefits of Windows 10 involve these deep security features. This post serves to detail the Device Guard and Credential Guard feature sets, and their relationship to each other.

First, let's set the foundation by thinking about the purpose of each feature:

Device Guard is a group of key features, designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.

Credential Guard is a specific feature that is not part of Device Guard that aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector.

The two are different, but complimentary as they offer different protections against different types of threats. Let's dive in and take a logical approach to understanding each.

It’s worth noting here that these are enterprise features, and as such are included only in the Windows Enterprise client.

Virtual Secure Mode

The first technology you'll need to understand before we can really dig into either Device Guard or Credential Guard, is Virtual Secure Mode (VSM). VSM is a feature that leverages the virtualization extensions of the CPU to provide added security of data in memory. We call this class of technology Virtualization Based Security (VBS), and you may have heard that term used elsewhere. Anytime we’re using virtualization extensions to provide security, we're essentially talking about a VBS feature.

VSM leverages the on chip virtualization extensions of the CPU to sequester critical processes and their memory against tampering from malicious entities.

The way this works is the Hyper-V hypervisor is installed - the same way it gets added in when you install the Hyper-V role. Only the hypervisor itself is required, the Hyper-V services (that handle shared networking and the management of VMs themselves) and management tools aren't required, but are optional if you’re using the machine for ‘real’ Hyper-V duties. As part of boot, the hypervisor loads and later calls the real 'guest' OS loaders.
The diagram below illustrates the relationship of the hypervisor with the installed operating system (usually referred to as the host operating system)

The difference between this and a traditional architecture is that the hypervisor sits directly on top of the hardware, rather than the host OS (Windows) directly interacting at that layer. The hypervisor serves to abstract the host OS (and any guest OS or processes) from the underlying hardware itself, providing control and scheduling functions that allow the hardware to be shared.

In VSM, we’re able to extend this by tagging specific processes and their associated memory as actually belonging to a separate operating system, creating a ‘bubble’ sitting on top of the hypervisor where security sensitive operations can occur, independent of the host OS:

In this way, the VSM instance is segregated from the normal operating system functions and is protected by attempts to read information in that mode. The protections are hardware assisted, since the hypervisor is requesting the hardware treat those memory pages differently. This is the same way to two virtual machines on the same host cannot interact with each other; their memory is independent and hardware regulated to ensure each VM can only access it’s own data.

From here, we now have a protected mode where we can run security sensitive operations. At the time of writing, we support three capabilities that can reside here: the Local Security Authority (LSA), and Code Integrity control functions in the form of Kernel Mode Code Integrity (KMCI) and the hypervisor code integrity control itself, which is called Hypervisor Code Integrity (HVCI).

Each of these capabilities (called Trustlets) are illustrated below:

When these capabilities are handled by Trustlets in VSM, the Host OS simply communicates with them through standard channels and capabilities inside of the OS. While this Trustlet-specific communication is allowed, having malicious code or users in the Host OS attempt to read or manipulate the data in VSM will be significantly harder than on a system without this configured, providing the security benefit.

Running LSA in VSM, causes the LSA process itself (LSASS) to remain in the Host OS, and a special, additional instance of LSA (called LSAIso – which stands for LSA Isolated) is created. This is to allow all of the standard calls to LSA to still succeed, offering excellent legacy and backwards compatibility, even for services or capabilities that require direct communication with LSA. In this respect, you can think of the remaining LSA instance in the Host OS as a ‘proxy’ or ‘stub’ instance that simply communicates with the isolated version in prescribed ways.

Deploying VSM is fairly straightforward. You simply need to verify you have the appropriate hardware configuration, install certain Windows features, and configure VSM via Group Policy.

Step One: Configure Hardware

In order to use VSM, you’ll need a number of hardware features to be present and enabled in the firmware of the machine:

UEFI running in Native Mode (not Compatibility/CSM/Legacy mode)

Windows 64bit and it’s associated requirements

Second Layer Address Translation (SLAT) and Virtualization Extensions (Eg, Intel VT or AMD V)

A Trusted Platform Module (TPM) is recommended.

Step Two: Enable Windows Features

The Windows features you’ll need to make VSM work are called Hyper-V Hypervisor (you don’t need the other Hyper-V components) and Isolated User Mode:

If these options are greyed out or unavailable for install, it will typically indicate that the hardware requirements in step one haven’t been met.

You’ll notice the name of the feature is called Isolated User Mode in here. It actually is the Virtual Secure Mode feature – you can thank a last minute name change for that. In order to not confuse people, this isn’t planned to change to reflect the VSM name at this time, and may look to being integrated as a standard Windows feature at a later stage.

Update: In Windows 10, Version 1607 this is indeed an integrated feature and no longer needs to be explicitly enabled.

Step Three: Configure VSM

VSM and the Trustlets loaded within are controlled via either Mobile Device Management (MDM) or Group Policy (GP).

For the purposes of this article, I’ll cover the Group Policy method as that’s the most commonly used option, but the same configuration is possible with MDM.

The GP setting you need to know about is called Turn On Virtualization Based Security, located under Computer Configuration \ Administrative Templates \ System \ Device Guard in the Group Policy Object Editor:

Enabling this setting, and leaving all the settings blank or at their defaults will turn on VSM, ready for the steps below for Device Guard and Credential Guard. In this default state, only the Hypervisor Code Integrity (HVCI) runs in VSM until you enable the features below (protected KMCI and LSA).

Device Guard

Now that we have an understanding of Virtual Secure Mode, we can begin to discuss Device Guard. The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system.

Device Guard consists of three primary components:

Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.

VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.

Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.

When these features are enabled together, the system is protected by Device Guard, providing class leading malware resistance in Windows 10.

Configurable Code Integrity (CCI)

CCI dramatically changes the trust model of the system to require that code is signed and trusted for it to run. Other code simply cannot execute. While this is extremely effective from a security perspective, it provides some challenges in ensuring that code is signed.

Your existing applications will likely be a combination of code that is signed by the vendor, and code that is not. For code that is signed by the vendor, the easiest option is just to use a tool called signtool.exe to generate security catalogs (signatures) for just about any application.

More detail on this in an upcoming post.

The high level steps to configure code integrity for your organization is:

Group devices into similar roles – some systems might require different policies (or you may wish to enable CCI for only select systems such as Point of Sale systems or Kiosks.

Use PowerShell to create integrity policies from “golden” PCs
(use the New-CIPolicy Cmdlet)

After auditing, merge code integrity policies using PowerShell (if needed)
(Merge-CIPolicy Cmdlet)

Discover unsigned LOB apps and generate security catalogs as needed (Package Inspector & signtool.exe – more info on this in a subsequent post)

Deploy code integrity policies and catalog files
(GP Setting Below + Copying .cat files to catroot - C:\Windows\System32\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\)

The Group Policy setting in question is Computer Configuration \ Administrative Templates \ System \ Device Guard \ Deploy Code Integrity Policy:

VSM Protected Code Integrity

The next component of Device Guard we’ll cover is VSM hosted Kernel Mode Code Integrity (KMCI). KMCI is the component that handles the control aspects of enforcing code integrity for kernel mode code. When you use Configurable Code Integrity (CCI) to enforce a Code Integrity policy, it is KMCI and it’s User-Mode cousin, UMCI – that actually enforces the policy.

Moving KMCI to being protected by VSM ensures that it is hardened to tampering by malware and malicious users.

Platform & UEFI Secure Boot

While not a new feature (introduced in Windows 8), Secure Boot provides a high-value security benefit by ensuring that firmware and boot loader code is protected from tampering using signatures and measurements.

To deploy this feature you must be UEFI booting (not legacy), and the Secure Boot option (if supported) must be enabled in the UEFI. Once this is done, you can build the machine (you’ll have to wipe & reload if you’re switching from legacy to UEFI) and it will utilize Secure Boot automatically.

For more information about the specifics of deploying Device Guard, start with the deployment guide.

Credential Guard

Although separate from Device Guard, the Credential Guard feature also leverages Virtual Secure Mode by placing an isolated version of the Local Security Authority (LSA – or LSASS) under it’s protection.

The LSA performs a number of security sensitive operations, the main one being the storage and management of user and system credentials (hence the name – Credential Guard)
Credential guard is enabled by configuring VSM (steps above) and configuring the Virtualization Based Security Group Policy setting with Credential Guard configured to be enabled.

Once this is done, you can easily check if Credential Guard (or many of the other features from this article) is enabled by launching MSINFO32.EXE and viewing the following information:

You can also check for the presence of the LSAIso process, which is running in VSM:

I hope this article has been useful for you and answered at least some of your questions about Device Guard and Credential Guard.

If your thirst for knowledge is not yet quenched and you need more information while you wait for the follow up posts, check out the following Channel9 videos that cover this topic:

https://channel9.msdn.com/Blogs/Seth...h-Dave-Probert
https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-...
https://channel9.msdn.com/Blogs/Seth...h-Dave-Probert

Stay tuned for further posts about this and other Windows 10 features. Hey, why not subscribe?
Click to expand...

Source: Windows 10 Device Guard and Credential Guard Demystified - Microsoft Tech Community - 376419

Tip How to Enable or Disable Device Guard in Windows 10

How to Verify if Device Guard is Enabled or Disabled in Windows 10

How to Enable or Disable Credential Guard in Windows 10

How to Verify if Credential Guard is Enabled or Disabled in Windows 10

Brink · Oct 26, 2019

Credential Guard lab companion

If you have heard about Credential Guard in Windows Server 2016 (and in Windows 10), but do not have an environment to try it out, here is a lab environment we built for you to play.

Lab access

The link will lead you to a sign up page, after that, you will see the following labs listed for Windows Server 2016:

Windows Server 2016 labs

There are 3 exercises in the “Implementing Breach Resistance Security in Windows Server 2016”:

Credential Guard

Remote Credential Guard

Device Guard

This blogpost will walk you through the Credential Guard lab details.

After click on the link of Breach Resistance lab, you be required to sign in and then you can launch the lab:

Sign-in

Launch page

It takes a few minutes to create the VMs, and once it has done, you will see the following machines prepared:

Initialize

DC: domain controller, which is not used for this exercise.

SRV01 and SRV02: both are Windows Server 2016, and used for the lab exercise.

Lab exercise – Explained

The steps are listed in the Content section:

Content

This lab is structured to cover the following in sequence:

Understand how attackers can use the hash in memory to gain access to domain controllers

Configure Credential Guard

Verify the hash in memory is protected using Credential Guard

You can follow the steps listed under the content section to complete the lab, the intent of the blog, is to break the procedures into groups, to help you understand the exercise better.

Prep the hash

Lsass.exe is the process which handles user logon, it stores the user credential information in its memory. The memory is cleared when the machine starts up. In this lab environment, all the virtual machines start at the time lab launches, when you logon to the machine, you will only have the logon user credential information in memory. In order to demonstrate an attacker gaining user access using other account’s hash, the first part of the lab is to simulate a server which has been running for a while, different users had remotely or locally connected to it, therefore, lsass memory stored many different user credential information.
This is accomplished by step 1-8.

Retrieving credential hash

Mimikatz is a popular tool for retrieving lsass memory information. The tool has been copied to the lab machines, step 9-13 walk you through the process of dumping lsass memory using Mimikatz.

Pass the Hash

Pass the hash is a hacking technique that allows an attacker to authenticate by using the underlying NTLM, instead of specifying the user password. In step 14 to 24, you will extract LabAdmin hash from lsass using Mimikatz, and use the hash to open a PowerShell console, and perform a couple of operations using the LabAdmin privilege:

Add a user to the domain admin group

Open remote PowerShell connection to a domain controller

Both operations could not be performed by the logon user. But using the hash of the LabAdmin, an attacker will be able to do it using the information retrieve from Lsass memory.

Configure and verify Credential Guard

Step 25 to 36 illustrate the steps to configure credential guard, then verify its status using msinfo32.exe and PowerShell.

Step 37 to 43 goes further to use Mimikatz to show the hash in Lsass is now encrypted using Credential Guard.

More info

The exercise illustrated the benefit of Credential Guard in Windows Server 2016 as well as Windows 10. For more information, you can find here.
Click to expand...

Source: Credential Guard lab companion Datacenter and Private Cloud Security Blog

See also:

Enable or Disable Credential Guard in Windows 10 Windows 10 Security System Tutorials

Verify if Credential Guard is Enabled or Disabled in Windows 10 Windows 10 Security System Tutorials

Brink · Oct 26, 2019

Windows 10 Device Guard and Credential Guard Demystified

While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I've observed there's still a lot of confusion regarding the security features of the operating system. This is a shame since some of the key benefits of Windows 10 involve these deep security features. This post serves to detail the Device Guard and Credential Guard feature sets, and their relationship to each other.

First, let's set the foundation by thinking about the purpose of each feature:

Device Guard is a group of key features, designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.

Credential Guard is a specific feature that is not part of Device Guard that aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector.

The two are different, but complimentary as they offer different protections against different types of threats. Let's dive in and take a logical approach to understanding each.

It’s worth noting here that these are enterprise features, and as such are included only in the Windows Enterprise client.

Virtual Secure Mode

The first technology you'll need to understand before we can really dig into either Device Guard or Credential Guard, is Virtual Secure Mode (VSM). VSM is a feature that leverages the virtualization extensions of the CPU to provide added security of data in memory. We call this class of technology Virtualization Based Security (VBS), and you may have heard that term used elsewhere. Anytime we’re using virtualization extensions to provide security, we're essentially talking about a VBS feature.

VSM leverages the on chip virtualization extensions of the CPU to sequester critical processes and their memory against tampering from malicious entities.

The way this works is the Hyper-V hypervisor is installed - the same way it gets added in when you install the Hyper-V role. Only the hypervisor itself is required, the Hyper-V services (that handle shared networking and the management of VMs themselves) and management tools aren't required, but are optional if you’re using the machine for ‘real’ Hyper-V duties. As part of boot, the hypervisor loads and later calls the real 'guest' OS loaders.
The diagram below illustrates the relationship of the hypervisor with the installed operating system (usually referred to as the host operating system)

The difference between this and a traditional architecture is that the hypervisor sits directly on top of the hardware, rather than the host OS (Windows) directly interacting at that layer. The hypervisor serves to abstract the host OS (and any guest OS or processes) from the underlying hardware itself, providing control and scheduling functions that allow the hardware to be shared.

In VSM, we’re able to extend this by tagging specific processes and their associated memory as actually belonging to a separate operating system, creating a ‘bubble’ sitting on top of the hypervisor where security sensitive operations can occur, independent of the host OS:

In this way, the VSM instance is segregated from the normal operating system functions and is protected by attempts to read information in that mode. The protections are hardware assisted, since the hypervisor is requesting the hardware treat those memory pages differently. This is the same way to two virtual machines on the same host cannot interact with each other; their memory is independent and hardware regulated to ensure each VM can only access it’s own data.

From here, we now have a protected mode where we can run security sensitive operations. At the time of writing, we support three capabilities that can reside here: the Local Security Authority (LSA), and Code Integrity control functions in the form of Kernel Mode Code Integrity (KMCI) and the hypervisor code integrity control itself, which is called Hypervisor Code Integrity (HVCI).

Each of these capabilities (called Trustlets) are illustrated below:

When these capabilities are handled by Trustlets in VSM, the Host OS simply communicates with them through standard channels and capabilities inside of the OS. While this Trustlet-specific communication is allowed, having malicious code or users in the Host OS attempt to read or manipulate the data in VSM will be significantly harder than on a system without this configured, providing the security benefit.

Running LSA in VSM, causes the LSA process itself (LSASS) to remain in the Host OS, and a special, additional instance of LSA (called LSAIso – which stands for LSA Isolated) is created. This is to allow all of the standard calls to LSA to still succeed, offering excellent legacy and backwards compatibility, even for services or capabilities that require direct communication with LSA. In this respect, you can think of the remaining LSA instance in the Host OS as a ‘proxy’ or ‘stub’ instance that simply communicates with the isolated version in prescribed ways.

Deploying VSM is fairly straightforward. You simply need to verify you have the appropriate hardware configuration, install certain Windows features, and configure VSM via Group Policy.

Step One: Configure Hardware

In order to use VSM, you’ll need a number of hardware features to be present and enabled in the firmware of the machine:

UEFI running in Native Mode (not Compatibility/CSM/Legacy mode)

Windows 64bit and it’s associated requirements

Second Layer Address Translation (SLAT) and Virtualization Extensions (Eg, Intel VT or AMD V)

A Trusted Platform Module (TPM) is recommended.

Step Two: Enable Windows Features

The Windows features you’ll need to make VSM work are called Hyper-V Hypervisor (you don’t need the other Hyper-V components) and Isolated User Mode:

If these options are greyed out or unavailable for install, it will typically indicate that the hardware requirements in step one haven’t been met.

You’ll notice the name of the feature is called Isolated User Mode in here. It actually is the Virtual Secure Mode feature – you can thank a last minute name change for that. In order to not confuse people, this isn’t planned to change to reflect the VSM name at this time, and may look to being integrated as a standard Windows feature at a later stage.

Update: In Windows 10, Version 1607 this is indeed an integrated feature and no longer needs to be explicitly enabled.

Step Three: Configure VSM

VSM and the Trustlets loaded within are controlled via either Mobile Device Management (MDM) or Group Policy (GP).

For the purposes of this article, I’ll cover the Group Policy method as that’s the most commonly used option, but the same configuration is possible with MDM.

The GP setting you need to know about is called Turn On Virtualization Based Security, located under Computer Configuration \ Administrative Templates \ System \ Device Guard in the Group Policy Object Editor:

Enabling this setting, and leaving all the settings blank or at their defaults will turn on VSM, ready for the steps below for Device Guard and Credential Guard. In this default state, only the Hypervisor Code Integrity (HVCI) runs in VSM until you enable the features below (protected KMCI and LSA).

Device Guard

Now that we have an understanding of Virtual Secure Mode, we can begin to discuss Device Guard. The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system.

Device Guard consists of three primary components:

Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.

VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.

Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.

When these features are enabled together, the system is protected by Device Guard, providing class leading malware resistance in Windows 10.

Configurable Code Integrity (CCI)

CCI dramatically changes the trust model of the system to require that code is signed and trusted for it to run. Other code simply cannot execute. While this is extremely effective from a security perspective, it provides some challenges in ensuring that code is signed.

Your existing applications will likely be a combination of code that is signed by the vendor, and code that is not. For code that is signed by the vendor, the easiest option is just to use a tool called signtool.exe to generate security catalogs (signatures) for just about any application.

More detail on this in an upcoming post.

The high level steps to configure code integrity for your organization is:

Group devices into similar roles – some systems might require different policies (or you may wish to enable CCI for only select systems such as Point of Sale systems or Kiosks.

Use PowerShell to create integrity policies from “golden” PCs
(use the New-CIPolicy Cmdlet)

After auditing, merge code integrity policies using PowerShell (if needed)
(Merge-CIPolicy Cmdlet)

Discover unsigned LOB apps and generate security catalogs as needed (Package Inspector & signtool.exe – more info on this in a subsequent post)

Deploy code integrity policies and catalog files
(GP Setting Below + Copying .cat files to catroot - C:\Windows\System32\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\)

The Group Policy setting in question is Computer Configuration \ Administrative Templates \ System \ Device Guard \ Deploy Code Integrity Policy:

VSM Protected Code Integrity

The next component of Device Guard we’ll cover is VSM hosted Kernel Mode Code Integrity (KMCI). KMCI is the component that handles the control aspects of enforcing code integrity for kernel mode code. When you use Configurable Code Integrity (CCI) to enforce a Code Integrity policy, it is KMCI and it’s User-Mode cousin, UMCI – that actually enforces the policy.

Moving KMCI to being protected by VSM ensures that it is hardened to tampering by malware and malicious users.

Platform & UEFI Secure Boot

While not a new feature (introduced in Windows 8), Secure Boot provides a high-value security benefit by ensuring that firmware and boot loader code is protected from tampering using signatures and measurements.

To deploy this feature you must be UEFI booting (not legacy), and the Secure Boot option (if supported) must be enabled in the UEFI. Once this is done, you can build the machine (you’ll have to wipe & reload if you’re switching from legacy to UEFI) and it will utilize Secure Boot automatically.

For more information about the specifics of deploying Device Guard, start with the deployment guide.

Credential Guard

Although separate from Device Guard, the Credential Guard feature also leverages Virtual Secure Mode by placing an isolated version of the Local Security Authority (LSA – or LSASS) under it’s protection.

The LSA performs a number of security sensitive operations, the main one being the storage and management of user and system credentials (hence the name – Credential Guard)
Credential guard is enabled by configuring VSM (steps above) and configuring the Virtualization Based Security Group Policy setting with Credential Guard configured to be enabled.

Once this is done, you can easily check if Credential Guard (or many of the other features from this article) is enabled by launching MSINFO32.EXE and viewing the following information:

You can also check for the presence of the LSAIso process, which is running in VSM:

I hope this article has been useful for you and answered at least some of your questions about Device Guard and Credential Guard.

If your thirst for knowledge is not yet quenched and you need more information while you wait for the follow up posts, check out the following Channel9 videos that cover this topic:

https://channel9.msdn.com/Blogs/Seth...h-Dave-Probert
https://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-...
https://channel9.msdn.com/Blogs/Seth...h-Dave-Probert

Stay tuned for further posts about this and other Windows 10 features. Hey, why not subscribe?
Click to expand...

Source: Windows 10 Device Guard and Credential Guard Demystified - Microsoft Tech Community - 376419

Tip How to Enable or Disable Device Guard in Windows 10

How to Verify if Device Guard is Enabled or Disabled in Windows 10

How to Enable or Disable Credential Guard in Windows 10

How to Verify if Credential Guard is Enabled or Disabled in Windows 10

SugarySalt · Oct 26, 2019

How to disable "Device Guard"

Hi,

I am trying to install a software but i have to turn off "Device Guard" in my surface pro before i can do so.

Please provide steps on how to do so.

Lycaeus · Oct 26, 2019

How can I disable Device Guard?

I'd like to know how I can disable Device Guard in windows 10 after successfully upgrading from windows 7. A large number of apps will no longer run stating that an administrator has blocked access (even with me being the only user and having full admin
privileges) despite all security and UAC settings being fully disabled, and a google search lead me to Device Guard.

How can I disable this utterly abysmal flaw in Windows 10? If I can not disable or configure it, I will be rolling back to windows 7

Windows 10: Enable or Disable Device Guard in Windows 10

Enable or Disable Device Guard in Windows 10

Enable or Disable Device Guard in Windows 10

Enable or Disable Device Guard in Windows 10

Enable or Disable Device Guard in Windows 10 - Similar Threads - Enable Disable Device

Disable DDoS Guard

Windows 10 Device Guard and Credential Guard Demystified

Disabling Windows Device/Credential Guard in Windows 10 Home

Device Guard in Windows 10 home?

Windows 10 Device Guard and Credential Guard Demystified

How to disable "Device Guard"

Verify if Credential Guard is Enabled or Disabled in Windows 10

Enable or Disable Credential Guard in Windows 10

Verify if Device Guard is Enabled or Disabled in Windows 10

Users found this page by searching for:

device guard disable windows 10

how to enable device guard windows 10

device guard windows 10 s mode disable