Secured-core is a collection of capabilities that offers built-in hardware, firmware, driver and
operating system security features. This article shows you how to configure Secured-core server by
using Windows Admin Center, the Windows Server Desktop Experience, and Group Policy.
Secured-core server is designed to deliver a secure platform for critical data and applications. For
more information, see What is Secured-core server?
Prerequisites
Before you can configure Secured-core server, you must have the following security components
installed and enabled in the BIOS:
Secure Boot.
Trusted Platform Module (TPM) 2.0.
System firmware must meet preboot DMA protection requirements and set appropriate flags in ACPI
tables to opt into and enable Kernel DMA Protection. To learn more about Kernel DMA Protection,
see Kernel DMA Protection (Memory Access Protection) for OEMs.
A processor with support enabled in the BIOS for:
Virtualization extensions.
Input/Output Memory Management Unit (IOMMU).
Dynamic Root of Trust for Measurement (DRTM).
Transparent Secure Memory Encryption is also required for AMD based systems.
Important
Enabling each of the security features in the BIOS can vary based on your hardware vendor. Make
sure to check your hardware manufacturer's Secured-core server enablement guide.
Here's how to enable Secured-core server using the user interface.
From the Windows desktop, open the Start menu, select Windows Administrative Tools, then open
Computer Management.
In Computer Management, select Device Manager and resolve any device errors if necessary.
For AMD based systems, confirm the DRTM Boot Driver device is present before continuing.
From the Windows desktop, open the Start menu, then select Windows Security.
Select Device security > Core isolation details, then enable Memory Integrity and
Firmware Protection. You might not be able to enable Memory Integrity until you've enabled Firmware Protection first and restarted your server.
Restart your server when prompted.
Once your server has restarted, your server is enabled for Secured-core server.
Here's how to enable Secured-core server using Windows Admin Center.
Sign into your Windows Admin Center portal.
Select the server you want to connect to.
Select Security using the left-hand panel, then select the Secured-core tab.
Check the Security Features with a status of Not configured, then select Enable.
When notified, select Schedule system reboot to persist the changes.
Select either Restart immediately or Schedule restart at a time suitable for your
workload.
Once your server has restarted, your server is enabled for Secured-core server.
Here's how to enable Secured-core server for domain members using Group Policy.
Open the Group Policy Management Console, then create or edit a policy applied to your server.
In the console tree, select Computer Configuration > Administrative Templates > System >
Device Guard.
For the setting, right-click Turn On Virtualization Based Security and select Edit.
Select Enabled, then select the following from the drop-down menus:
Select Secure Boot and DMA Protection for the Platform Security Level.
Select either Enabled without lock or Enabled with UEFI lock for Virtualization Based Protection of Code Integrity.
Select Enabled for the Secure Launch Configuration.
Caution
If you use Enabled with UEFI lock for Virtualization Based Protection of Code Integrity, it
cannot be disabled remotely. To disable the feature, you must set the Group Policy to Disabled
as well as remove the security functionality from each computer, with a physically present user,
in order to clear configuration persisted in UEFI.
Select OK to complete the configuration.
Restart your server to apply the Group Policy.
Once your server has restarted, your server is enabled for Secured-core server.
Verify Secured-core server configuration
Now that you've configured Secured-core server, select the relevant method to verify your configuration.
Here's how to verify your Secured-core server is configured using Windows Admin Center.
Sign into your Windows Admin Center portal.
Select the server you want to connect to.
Select Security using the left-hand panel, then select the Secured-core tab.
Check that all Security Features have a status of Configured.
To verify Group Policy has applied to your server, run the following command from an elevated command prompt.
gpresult /SCOPE COMPUTER /R /V
In the output, confirm the Device Guard settings are applied under the Administrative Templates section. The following example shows the output when the settings are applied.
Administrative Templates
------------------------
GPO: Local Group Policy
Folder Id: SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags
Value: 3, 0, 0, 0
State: Enabled
GPO: Local Group Policy
Folder Id: SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\RequirePlatformSecurityFeatures
Value: 3, 0, 0, 0
State: Enabled
GPO: Local Group Policy
Folder Id: SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\EnableVirtualizationBasedSecurity
Value: 1, 0, 0, 0
State: Enabled
GPO: Local Group Policy
Folder Id: SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HypervisorEnforcedCodeIntegrity
Value: 2, 0, 0, 0
State: Enabled
GPO: Local Group Policy
Folder Id: SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\HVCIMATRequired
Value: 0, 0, 0, 0
State: Enabled
GPO: Local Group Policy
Folder Id: SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ConfigureSystemGuardLaunch
Value: 1, 0, 0, 0
State: Enabled
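One way to script this check, as an added example that is not part of the original article: it compares the policy values shown in the output above with the settings chosen in the Group Policy procedure, accepting either lock mode for HypervisorEnforcedCodeIntegrity. The function names, the sample hashtable and the use of the Win32_DeviceGuard CIM class to read runtime state are assumptions introduced here.

```powershell
# Added example: names below (Test-SecuredCorePolicy, Get-SecuredCoreRuntime) are illustrative.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

# Value name -> accepted DWORD (the first number on the gpresult "Value:" line).
$Expected = [ordered]@{
    EnableVirtualizationBasedSecurity = @(1)     # Turn On Virtualization Based Security
    RequirePlatformSecurityFeatures   = @(3)     # Secure Boot and DMA Protection
    HypervisorEnforcedCodeIntegrity   = @(1, 2)  # 1 = with UEFI lock, 2 = without lock
    ConfigureSystemGuardLaunch        = @(1)     # Secure Launch Configuration: Enabled
}

function Test-SecuredCorePolicy {
    param([hashtable]$Values)   # optional: name -> DWORD, for offline checks
    if (-not $PSBoundParameters.ContainsKey('Values')) {
        # Read the live policy key; a missing key or value counts as "not set".
        $Values = @{}
        $item = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
        foreach ($name in $Expected.Keys) {
            if ($item -and ($null -ne $item.$name)) { $Values[$name] = $item.$name }
        }
    }
    foreach ($name in $Expected.Keys) {
        $actual = $Values[$name]
        [pscustomobject]@{
            Setting   = $name
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Accepted  = $Expected[$name] -join ' or '
            Compliant = ($null -ne $actual) -and ($Expected[$name] -contains $actual)
        }
    }
}

# Policy shows intent; Win32_DeviceGuard reports what is running after the restart.
function Get-SecuredCoreRuntime {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        VbsRunning        = $dg.VirtualizationBasedSecurityStatus -eq 2   # 2 = enabled and running
        MemoryIntegrity   = $dg.SecurityServicesRunning -contains 2       # 2 = HVCI
        SystemGuardLaunch = $dg.SecurityServicesRunning -contains 3       # 3 = Secure Launch
        SecureBoot        = Confirm-SecureBootUEFI                        # needs elevation
    }
}

# Constructed sample mirroring the gpresult output above.
$sample = @{ EnableVirtualizationBasedSecurity = 1; RequirePlatformSecurityFeatures = 3
             HypervisorEnforcedCodeIntegrity = 2; ConfigureSystemGuardLaunch = 1 }
Test-SecuredCorePolicy -Values $sample | Format-Table -AutoSize
Test-SecuredCorePolicy | Format-Table -AutoSize   # live policy on this server
Get-SecuredCoreRuntime
```

A setting that is compliant in policy but not reported as running usually means the restart has not happened yet or a BIOS prerequisite is missing.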
Verify your Secured-core server is configured by following these steps.
From the Windows desktop, open the Start menu, type msinfo32.exe to open System
Information. From the System Summary page, confirm:
Secure Boot State and Kernel DMA Protection are On.