Device Guard failed to process the Group Policy

Cliff McCullough 0 Reputation points
2024-07-09T19:42:52.7166667+00:00

I have several Windows 2016 servers connected to a Domain Controller. Every hour and a half to two hours I get the error, "Windows failed to apply the {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings. {F312195E-3D9D-447A-A3F5-08DFFA24735E} settings might have its own log file. Please click on the "More information" link."

At the same timestamp, I get the error, "Device Guard failed to process the Group Policy to enable Virtualization Based Security (Status = 0xC035001E): A hypervisor feature is not available to the user."

I tried editing group policy Computer Config > Policies > Admin Templates > System > Device Guard > Turn On Virtualization Based Security:

· Enabled
· Platform Security Level: Secure Boot and DMA Protection
· VBP of Code Integrity: Disabled
· Credential Guard: Enabled with UEFI lock

The problem persists.

If I disable group policy Computer Config > Policies > Admin Templates > System > Device Guard > Turn On Virtualization Based Security, the error goes away.

Hypervisor is not enabled on any of these servers, though all of these servers are virtual on a VMware host.

What hypervisor feature is not available to the user?

Why is a hypervisor feature even needed?

What is the security risk of disabling this group policy object?


1 answer

  1. Rafael da Rocha 5,171 Reputation points
    2024-07-10T01:16:54.04+00:00

    Hello,

    Have you checked the information posted by VMware?
    https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-CE292D3F-D4AC-4607-B262-DE19CE6E9F6B.html

    VBS has to be enabled for the guest VM before it can be enabled inside the guest OS.
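
A read-only check that can be run inside a guest to compare the platform properties the Device Guard policy requires with the ones the virtual hardware exposes. This is an added example, not part of either post above; it queries the documented `Win32_DeviceGuard` CIM class, and the helper function name and output field names are my own.

```powershell
# Added example. Run in an elevated PowerShell session inside the guest OS.
# Win32_DeviceGuard is the documented CIM class that reports VBS state.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
    -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

# Value-to-name maps taken from Microsoft's Win32_DeviceGuard documentation.
$propertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
}
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (code integrity)' }
$statusNames  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

# Hypothetical helper (name is my own): turn numeric codes into readable text.
function ConvertTo-DgName {
    param([object[]]$Values, [hashtable]$Map)
    $names = foreach ($v in $Values) {
        $code = [int]$v
        if ($code -eq 0) { continue }              # 0 means "none"
        if ($Map.ContainsKey($code)) { $Map[$code] } else { "Unknown ($code)" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# Properties the policy demands that the (virtual) platform does not expose.
$missing = @($dg.RequiredSecurityProperties | Where-Object {
    $_ -ne 0 -and $_ -notin $dg.AvailableSecurityProperties
})

[pscustomobject]@{
    VbsStatus           = $statusNames[[int]$dg.VirtualizationBasedSecurityStatus]
    RequiredByPolicy    = ConvertTo-DgName $dg.RequiredSecurityProperties $propertyNames
    AvailableOnPlatform = ConvertTo-DgName $dg.AvailableSecurityProperties $propertyNames
    MissingProperties   = ConvertTo-DgName $missing $propertyNames
    ServicesConfigured  = ConvertTo-DgName $dg.SecurityServicesConfigured $serviceNames
    ServicesRunning     = ConvertTo-DgName $dg.SecurityServicesRunning $serviceNames
} | Format-List
```

A non-empty `MissingProperties` together with a `VbsStatus` other than "Enabled and running" shows which policy requirement the virtual hardware is not meeting.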

