Policy CSP - DeviceGuard


DeviceGuard policies

DeviceGuard/ConfigureSystemGuardLaunch
DeviceGuard/EnableVirtualizationBasedSecurity
DeviceGuard/LsaCfgFlags
DeviceGuard/RequirePlatformSecurityFeatures

DeviceGuard/ConfigureSystemGuardLaunch

Edition      Windows 10   Windows 11
Home         No           No
Pro          No           No
Business     No           No
Enterprise   Yes          Yes
Education    Yes          Yes

Scope:

  • Device

This policy lets the IT admin configure System Guard Secure Launch, which uses a hardware-based root of trust to measure and protect the launch of the hypervisor and kernel. Secure Launch needs firmware and CPU support; on unsupported hardware, value 1 requests it but nothing changes.

Secure Launch configuration:

  • 0 - Unmanaged, configurable by an administrative user
  • 1 - Enables Secure Launch if supported by hardware
  • 2 - Disables Secure Launch

For more information about System Guard, see Introducing Windows Defender System Guard runtime attestation and How a hardware-based root of trust helps protect Windows 10.

ADMX Info:

  • GP Friendly name: Turn On Virtualization Based Security
  • GP name: VirtualizationBasedSecurity
  • GP element: SystemGuardDrop
  • GP path: System/Device Guard
  • GP ADMX file name: DeviceGuard.admx

DeviceGuard/EnableVirtualizationBasedSecurity

Edition      Windows 10   Windows 11
Home         No           No
Pro          No           No
Business     No           No
Enterprise   Yes          Yes
Education    Yes          Yes

Scope:

  • Device

Turns on virtualization-based security (VBS) at the next reboot. VBS uses the Windows hypervisor to isolate security services, such as Credential Guard, from the normal operating system, so the other DeviceGuard policies on this page depend on this one being enabled. Value type is integer.

ADMX Info:

  • GP Friendly name: Turn On Virtualization Based Security
  • GP name: VirtualizationBasedSecurity
  • GP path: System/Device Guard
  • GP ADMX file name: DeviceGuard.admx

The following list shows the supported values:

  • 0 (default) - disable virtualization based security.
  • 1 - enable virtualization based security.

DeviceGuard/LsaCfgFlags

Edition      Windows 10   Windows 11
Home         No           No
Pro          No           No
Business     No           No
Enterprise   Yes          Yes
Education    Yes          Yes

Scope:

  • Device

This setting turns on Credential Guard, which uses virtualization-based security to isolate credentials from the rest of the operating system. The change takes effect at the next reboot and requires VBS to be enabled. Value type is integer.

ADMX Info:

  • GP Friendly name: Turn On Virtualization Based Security
  • GP name: VirtualizationBasedSecurity
  • GP element: CredentialIsolationDrop
  • GP path: System/Device Guard
  • GP ADMX file name: DeviceGuard.admx

The following list shows the supported values:

  • 0 (default) - (Disabled) Turns off Credential Guard remotely, but only if it was previously enabled without the UEFI lock.
  • 1 - (Enabled with UEFI lock) Turns on Credential Guard and records the setting in a UEFI variable. Once locked, setting this policy back to 0 does not turn Credential Guard off; the UEFI variable must be cleared on the device itself, with a physically present user confirming the change at boot.
  • 2 - (Enabled without lock) Turns on Credential Guard without the UEFI lock, so it can later be turned off remotely with value 0.

DeviceGuard/RequirePlatformSecurityFeatures

Edition      Windows 10   Windows 11
Home         No           No
Pro          No           No
Business     No           No
Enterprise   Yes          Yes
Education    Yes          Yes

Scope:

  • Device

Specifies the platform security features that VBS requires, applied at the next reboot. Value type is integer.

ADMX Info:

  • GP Friendly name: Turn On Virtualization Based Security
  • GP name: VirtualizationBasedSecurity
  • GP element: RequirePlatformSecurityFeaturesDrop
  • GP path: System/Device Guard
  • GP ADMX file name: DeviceGuard.admx

The following list shows the supported values:

  • 1 (default) - Turns on VBS with Secure Boot required.
  • 3 - Turns on VBS with Secure Boot and DMA protection required. DMA protection needs hardware support (an IOMMU); on hardware that cannot provide it, VBS will not start because a required platform property is unavailable, so check hardware support before requiring it fleet-wide.
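An added audit script, not part of the Policy CSP reference, that checks whether the four DeviceGuard policies above actually took effect on a device. It reads the Win32_DeviceGuard WMI class (VBS status, configured versus running services, required versus available platform properties) and the registry values under HKLM\SYSTEM\CurrentControlSet\Control that these settings are written to when enabled manually; it assumes those registry values carry the same integer semantics as the CSP values on this page. The findings it emits map directly to the caveats above: a required platform property the hardware does not report, Credential Guard configured but not running, the UEFI lock, and Secure Launch requested on unsupported hardware. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the Policy CSP reference: audit whether the DeviceGuard
# policies on this page took effect. Run elevated. Assumptions are marked inline.

Set-StrictMode -Version Latest

# Code tables documented for the Win32_DeviceGuard WMI class.
$VbsStatusNames = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$ServiceNames   = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
# Property ids 2 (Secure Boot) and 3 (DMA protection) are exactly what
# RequirePlatformSecurityFeatures = 1 and = 3 demand of the platform.
$PropertyNames  = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite'; 7 = 'Mode-based execution control' }

function ConvertTo-Names($Codes, [hashtable] $Table) {
    foreach ($c in @($Codes | Where-Object { $null -ne $_ })) {
        if ($Table.ContainsKey([int]$c)) { $Table[[int]$c] } else { "Unknown($c)" }
    }
}

function Get-RegValue([string] $Path, [string] $Name) {
    # $null when the key or value does not exist, i.e. the setting is not configured.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-DeviceGuardAudit {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $configured = @($dg.SecurityServicesConfigured  | Where-Object { $null -ne $_ })
    $running    = @($dg.SecurityServicesRunning     | Where-Object { $null -ne $_ })
    $required   = @($dg.RequiredSecurityProperties  | Where-Object { $null -ne $_ })
    $available  = @($dg.AvailableSecurityProperties | Where-Object { $null -ne $_ })

    # Registry values used when these settings are enabled manually; assumed here to
    # carry the same integer semantics as the CSP values on this page.
    $ctlKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $enableVbs = Get-RegValue $ctlKey 'EnableVirtualizationBasedSecurity'
    $reqFeat   = Get-RegValue $ctlKey 'RequirePlatformSecurityFeatures'
    $lsaCfg    = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' 'LsaCfgFlags'
    $sgEnabled = Get-RegValue "$ctlKey\Scenarios\SystemGuard" 'Enabled'

    $findings = [System.Collections.Generic.List[string]]::new()

    # EnableVirtualizationBasedSecurity: policy set, but hypervisor-backed VBS is not running.
    if (($enableVbs -eq 1) -and ($dg.VirtualizationBasedSecurityStatus -ne 2)) {
        $findings.Add('VBS is enabled by policy but not running: reboot pending, or a required platform feature is missing.')
    }

    # RequirePlatformSecurityFeatures: every required property must be available, or VBS will not start.
    foreach ($p in $required) {
        if ($p -notin $available) {
            $findings.Add("Required platform property '$(ConvertTo-Names $p $PropertyNames)' is not reported by the hardware; VBS will not start with RequirePlatformSecurityFeatures=$reqFeat.")
        }
    }

    # LsaCfgFlags: Credential Guard configured but not isolated, plus the UEFI-lock caveat.
    if (($lsaCfg -in @(1, 2)) -and (1 -notin $running)) {
        $findings.Add("Credential Guard is configured (LsaCfgFlags=$lsaCfg) but not running; LSA secrets are not isolated.")
    }
    if ($lsaCfg -eq 1) {
        $findings.Add('Credential Guard has the UEFI lock: setting LsaCfgFlags=0 remotely will not turn it off; the UEFI variable must be cleared on the device.')
    }

    # ConfigureSystemGuardLaunch: Secure Launch requested but not running (needs firmware/CPU support).
    if (($sgEnabled -eq 1) -and (3 -notin $running)) {
        $findings.Add('System Guard Secure Launch is enabled but not running; verify the platform supports it.')
    }

    [pscustomobject]@{
        VbsStatus             = $VbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured    = ConvertTo-Names $configured $ServiceNames
        ServicesRunning       = ConvertTo-Names $running    $ServiceNames
        RequiredProperties    = ConvertTo-Names $required   $PropertyNames
        AvailableProperties   = ConvertTo-Names $available  $PropertyNames
        EnableVbsPolicy       = $enableVbs
        RequirePlatformPolicy = $reqFeat
        LsaCfgFlags           = $lsaCfg
        SecureLaunchEnabled   = $sgEnabled
        Findings              = $findings.ToArray()
    }
}

Get-DeviceGuardAudit | Format-List
```

The comparison of RequiredSecurityProperties against AvailableSecurityProperties is the check to run before pushing RequirePlatformSecurityFeatures = 3 to a fleet: if property 3 (DMA protection) is absent from the available list on a device, that device will stop running VBS rather than run it with a weaker requirement. An empty Findings array with VbsStatus "Enabled and running" and the expected entries in ServicesRunning is the state these policies are meant to produce.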