Microsoft-Windows-DeviceGuard-Unattend
The Microsoft-Windows-DeviceGuard-Unattend component specifies settings for initializing and enforcing virtualization-based security, which helps protect system memory and kernel-mode apps and drivers from possible tampering.
Administrators can set values for the following settings to control virtualization-based security.
In this section
| Setting | Description |
|---|---|
| EnableVirtualizationBasedSecurity | Use to enable virtualization-based security. |
| HypervisorEnforcedCodeIntegrity | Specifies the code integrity that will be enforced for the hypervisor, which is a layer of software under the OS that runs virtual machines. |
| LsaCfgFlags | Use to enable Credential Guard, which uses virtualization-based security to isolate secrets so that only privileged system software can access them when they are stored on disk or in memory. For more information, see Credential Guard. |
XML example
The following unattend XML example shows how you can enable virtualization-based security.
<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="offlineServicing">
        <component language="neutral" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" versionScope="nonSxS" publicKeyToken="31bf3856ad364e35" processorArchitecture="amd64" name="Microsoft-Windows-DeviceGuard-Unattend">
            <EnableVirtualizationBasedSecurity>1</EnableVirtualizationBasedSecurity>
            <HypervisorEnforcedCodeIntegrity>1</HypervisorEnforcedCodeIntegrity>
            <LsaCfgFlags>1</LsaCfgFlags>
        </component>
    </settings>
    <cpi:offlineImage xmlns:cpi="urn:schemas-microsoft-com:cpi" cpi:source="wim:c:/install2/sources/install.wim#Windows 10 Enterprise"/>
</unattend>
Enabling Device Guard or Credential Guard
In addition to the Unattend settings in Microsoft-Windows-DeviceGuard-Unattend, you also need to either enable Hyper-V and Isolated User Mode (IUM) in the image, or set the registry keys directly using FirstLogonCommands, before Device Guard or Credential Guard can take effect.
- Enable Hyper-V and IUM to turn on Device Guard or Credential Guard by running the following DISM commands against the offline image:
  - DISM.EXE /Image:<full path to offline image> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /All
  - DISM.EXE /Image:<full path to offline image> /Enable-Feature /FeatureName:IsolatedUserMode /All
- Set the following registry keys using the FirstLogonCommands setting:
  - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
  - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
  - REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
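The following answer-file fragment shows how the three REG ADD commands above are wired into the FirstLogonCommands setting of the Microsoft-Windows-Shell-Setup component. It is an added example, not part of this page or of Microsoft's own documentation; it assumes an amd64 image and the oobeSystem configuration pass, which is where FirstLogonCommands applies. The `Order`, `Description` and `RequiresUserInput` values are illustrative.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
    <settings pass="oobeSystem">
        <!-- Assumed: amd64 image. FirstLogonCommands lives in Microsoft-Windows-Shell-Setup, not in the DeviceGuard component. -->
        <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
            <FirstLogonCommands>
                <!-- Commands run synchronously, in Order, at the first interactive logon. -->
                <SynchronousCommand wcm:action="add">
                    <Order>1</Order>
                    <Description>Enable virtualization-based security</Description>
                    <CommandLine>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f</CommandLine>
                    <RequiresUserInput>false</RequiresUserInput>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <Order>2</Order>
                    <Description>Enable hypervisor-enforced code integrity</Description>
                    <CommandLine>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f</CommandLine>
                    <RequiresUserInput>false</RequiresUserInput>
                </SynchronousCommand>
                <SynchronousCommand wcm:action="add">
                    <Order>3</Order>
                    <Description>Enable Credential Guard</Description>
                    <CommandLine>REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f</CommandLine>
                    <RequiresUserInput>false</RequiresUserInput>
                </SynchronousCommand>
            </FirstLogonCommands>
        </component>
    </settings>
</unattend>
```

Writing under HKLM requires that the account performing the first logon is an administrator. The registry changes take effect at the next restart; after that, the running state can be confirmed from the Win32_DeviceGuard class in the root\Microsoft\Windows\DeviceGuard WMI namespace (VirtualizationBasedSecurityStatus, SecurityServicesConfigured and SecurityServicesRunning). Note that LsaCfgFlags value 1 enables Credential Guard with UEFI lock, so it cannot later be turned off by a remote registry or policy change alone; value 2 enables it without the lock.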
Read the following articles to learn more about Device Guard and Credential Guard:
- Microsoft Defender Application Control and virtualization-based protection of code integrity
- Enable virtualization-based protection of code integrity
- Protect derived domain credentials with Credential Guard
Applies To
To determine whether a component applies to the image you’re building, load your image into Windows SIM and search for the component or setting name. For information on how to view components and settings, see Configure Components and Settings in an Answer File.