Skip to content

Device Guard and Virtualization Based Security in Windows

Violet Hansen edited this page Jun 15, 2024 · 5 revisions

Device GuardDeviceGuardIcon

Device Guard Category - Harden Windows Security GitHub repository


Most of the Device Guard and Virtualization-Based Security features are Automatically enabled by default on capable and modern hardware. The rest of them will be enabled and configured to the most secure state after you apply the Microsoft Security Baselines 23H2 or later.

The Harden Windows Security Module has a feature that is accessible through confirm-SystemCompliance cmdlet. It will let you scan your system and verify the implementations of the Device Guard policies.


About UEFI Lock

UEFI locked security measures are rooted in Proof of Physical Presence and they can't be disabled by modifying Group Policy, registry keys or other Administrative tasks.

The only way to disable UEFI locked security measures is to have physical access to the computer, reboot and access the UEFI settings, supply the credentials to access the UEFI, turn off Secure Boot, reboot the system and then you will be able to disable those security measures with Administrator privileges.


Device Guard Controls and Policies


  1. Standard hardware security not supported
    • This means that your device does not meet at least one of the requirements of Standard Hardware Security.
  2. Your device meets the requirements for Standard Hardware Security.
  3. Your device meets the requirements for Enhanced Hardware Security
  4. Your device has all Secured-core PC features enabled

Additional Resources


C#


Clone this wiki locally