Edit

Share via

Policy CSP - DeviceGuard

  • Article

ConfigureSystemGuardLaunch

Scope Editions Applicable OS
✅ Device
❌ User		 ✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC		 ✅ Windows 10, version 1809 [10.0.17763] and later 
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/ConfigureSystemGuardLaunch

Secure Launch configuration: 0 - Unmanaged, configurable by Administrative user, 1 - Enables Secure Launch if supported by hardware, 2 - Disables Secure Launch.

For more information about System Guard, see Introducing Windows Defender System Guard runtime attestation and How a hardware-based root of trust helps protect Windows 10.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Unmanaged Configurable by Administrative user.
1 Unmanaged Enables Secure Launch if supported by hardware.
2 Unmanaged Disables Secure Launch.

Group policy mapping:

Name Value
Name VirtualizationBasedSecurity
Friendly Name Turn On Virtualization Based Security
Element Name Secure Launch Configuration.
Location Computer Configuration
Path System > Device Guard
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
ADMX File Name DeviceGuard.admx

EnableVirtualizationBasedSecurity

Scope Editions Applicable OS
✅ Device
❌ User		 ✅ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC		 ✅ Windows 10, version 1709 [10.0.16299] and later 
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity

Turns On Virtualization Based Security(VBS)

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disable virtualization based security.
1 Enable virtualization based security.

Group policy mapping:

Name Value
Name VirtualizationBasedSecurity
Friendly Name Turn On Virtualization Based Security
Location Computer Configuration
Path System > Device Guard
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
Registry Value Name EnableVirtualizationBasedSecurity
ADMX File Name DeviceGuard.admx

LsaCfgFlags

Scope Editions Applicable OS
✅ Device
❌ User		 ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC		 ✅ Windows 10, version 1709 [10.0.16299] and later 
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags

Credential Guard Configuration: 0 - Turns off CredentialGuard remotely if configured previously without UEFI Lock, 1 - Turns on CredentialGuard with UEFI lock. 2 - Turns on CredentialGuard without UEFI lock.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) (Disabled) Turns off Credential Guard remotely if configured previously without UEFI Lock.
1 (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
2 (Enabled without lock) Turns on Credential Guard without UEFI lock.

Group policy mapping:

Name Value
Name VirtualizationBasedSecurity
Friendly Name Turn On Virtualization Based Security
Element Name Credential Guard Configuration.
Location Computer Configuration
Path System > Device Guard
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
ADMX File Name DeviceGuard.admx

RequirePlatformSecurityFeatures

Scope Editions Applicable OS
✅ Device
❌ User		 ❌ Pro
✅ Enterprise
✅ Education
❌ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC		 ✅ Windows 10, version 1709 [10.0.16299] and later 
./Device/Vendor/MSFT/Policy/Config/DeviceGuard/RequirePlatformSecurityFeatures

Select Platform Security Level: 1 - Turns on VBS with Secure Boot, 3 - Turns on VBS with Secure Boot and DMA. DMA requires hardware support.

This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 1

Allowed values:

Value Description
1 (Default) Turns on VBS with Secure Boot.
3 Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.

Group policy mapping:

Name Value
Name VirtualizationBasedSecurity
Friendly Name Turn On Virtualization Based Security
Element Name Select Platform Security Level.
Location Computer Configuration
Path System > Device Guard
Registry Key Name SOFTWARE\Policies\Microsoft\Windows\DeviceGuard
ADMX File Name DeviceGuard.admx

Policy configuration service provider