Defender Device Guard

The Microsoft Defender Device Guard (Device Guard) settings enable virtualization-based Windows 10+ security features that support services for a group of devices.

Configuring Device Guard settings

The following describes the Device Guard settings that you can configure for Windows 10+ devices. Each setting lists the policy setting name, its description, and the supported devices.

Policy setting: Configure Defender Device Guard
Description: If this setting is enabled, administrators can configure settings that protect system integrity and credentials on Windows 10+ devices.
Supported devices: Windows 10+ Education and Enterprise
Credential Guard Settings

Policy setting: Configure System Guard Launch
Description: System Guard protects and maintains the integrity of the system as it starts, and validates through local and remote attestation that system integrity was maintained. For more information about System Guard, see https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/.
Settings include:
  • Leave it unmanaged: Allows administrators to configure System Guard.
  • Enable if supported by hardware: Turns on System Guard on supported hardware. Devices must have a discrete Trusted Platform Module (TPM 2.0); integrated or firmware TPMs are not supported.

    The TPM protects the VBS encryption keys that are stored in the firmware and prevents unauthorized access to the BIOS. For more information about TPM, see https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/trusted-platform-module-top-node.

  • Disable: Turns off System Guard.
Supported devices: Windows 10+ Education and Enterprise
Policy setting: Enable Virtualization Based Security (VBS)
Description: Virtualization-based security creates and isolates vital operating system resources and credentials. It uses the Windows Hypervisor to provide support for security services. For more information about virtualization-based security, see https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs.
Supported devices: Windows 10+ Education and Enterprise
Policy setting: Configure Credential Guard
Description: Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Credential Guard prevents the unauthorized access that leads to credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials that applications store as domain credentials. For more information about Credential Guard, see https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard.
Settings include:
  • Disable Credential Guard: Allows administrators to remotely turn off Credential Guard if Credential Guard was previously configured with a Unified Extensible Firmware Interface (UEFI) lock.
  • Enable with UEFI lock: Turns on Credential Guard with a Unified Extensible Firmware Interface (UEFI) lock, which prevents an attacker from disabling Credential Guard with a registry key change.
  • Enable without UEFI lock: Turns on Credential Guard without a Unified Extensible Firmware Interface (UEFI) lock.
Supported devices: Windows 10+ Education and Enterprise
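The three Credential Guard options above map to a single registry value on the device, but the registry alone does not tell you whether credentials are actually being isolated. The following script is an added example (not code from the original page or from the product it documents) that reads the policy state, checks for the isolated LSA process, and pulls the start-up result that Wininit writes to the System log. It assumes the Microsoft-documented meaning of the LsaCfgFlags value (0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock) and the documented Wininit event IDs 13, 15 and 16; run it from an elevated PowerShell prompt on a Windows 10+ device.

```powershell
# Added example: verify Credential Guard policy versus running state on one device.
# Assumptions: LsaCfgFlags values and Wininit event IDs as documented by Microsoft.

function Get-CredentialGuardState {
    # LsaCfgFlags is the value the policy writes:
    # 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    $flags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $policyNames = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without UEFI lock' }
    $policy = if ($null -eq $flags) { 'Not configured' } elseif ($policyNames.ContainsKey([int]$flags)) { $policyNames[[int]$flags] } else { "Unknown value $flags" }

    # When Credential Guard is running, secrets are held by LsaIso.exe (the isolated
    # LSA process) rather than by lsass.exe, so its presence is the practical signal.
    $lsaIsoRunning = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # Wininit logs the start-up result to the System log:
    # 13 = started and protecting LSA credentials,
    # 15 = configured but the secure kernel is not running (continues without it),
    # 16 = failed to launch.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 13, 15, 16 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $latest = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        Policy           = $policy
        LsaIsoRunning    = $lsaIsoRunning
        LastStartupEvent = if ($latest) { "$($latest.Id): $($latest.Message)" } else { 'None found' }
        # Policy says enabled but the isolated process is absent: a reboot is pending,
        # VBS is not running, or a hardware prerequisite is unmet. Treat this as a finding.
        Drift            = (($flags -eq 1) -or ($flags -eq 2)) -and -not $lsaIsoRunning
    }
}

Get-CredentialGuardState | Format-List
```

The Drift field is the value worth alerting on in a fleet report: a device whose policy says "Enabled with UEFI lock" but has no LsaIso process has not yet rebooted, or cannot start VBS on its hardware, and either way its credentials are not isolated. Because the UEFI lock causes a local registry change to be ignored until the firmware variable is cleared, comparing the registry with the running process, rather than trusting the registry, is what makes this check meaningful.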
Policy setting: Configure platform security level for the next reboot
Description: Enables the platform security features that virtualization-based security requires, which take effect on the next reboot.
Settings include:
  • Turn on VBS with Secure Boot: Enables virtualization-based security to use Secure Boot on the next reboot. Secure Boot is a security standard that checks that a device boots only authorized code and prevents bootkits and rootkits from installing and persisting across reboots.
  • Turn on VBS with Secure Boot and DMA: Enables virtualization-based security to use the following security features on the next reboot:
    • Secure Boot: A security standard that checks that a device boots only authorized code and prevents bootkits and rootkits from installing and persisting across reboots.
    • Direct Memory Access (DMA) protection: A hardware-based security feature that provides isolation and protection against malicious DMA attacks during the boot process and during the runtime of the operating system.
Supported devices: Windows 10+ Education and Enterprise
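The System Guard Launch, VBS and platform security level settings above all share one failure mode: the policy is written to the device, but the feature does not start because the hardware lacks a prerequisite (no hypervisor support, Secure Boot off, no DMA protection, wrong TPM) or the device has not rebooted yet. The following audit script is an added example (not code from the original page or from the product it documents) that reads the Win32_DeviceGuard class Windows exposes for exactly this purpose and compares what is required and configured against what is available and running. It assumes the Microsoft-documented meanings of the Win32_DeviceGuard property values and of the DeviceGuard registry values the policy writes (EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures = 1 for Secure Boot and 3 for Secure Boot plus DMA protection, and Scenarios\SystemGuard\Enabled); run it from an elevated PowerShell prompt.

```powershell
# Added example: audit Device Guard policy versus hardware capability and running state.
# Assumptions: Win32_DeviceGuard value meanings and registry values as documented by Microsoft.

# SecurityServicesConfigured / SecurityServicesRunning
$SecurityServices = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
# RequiredSecurityProperties / AvailableSecurityProperties
$SecurityProperties = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
# VirtualizationBasedSecurityStatus
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

function Get-DeviceGuardAudit {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Registry values written by the policy. Missing value = not configured.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $sgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
    $vbsEnabled  = (Get-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $platformReq = (Get-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -ErrorAction SilentlyContinue).RequirePlatformSecurityFeatures
    $sgEnabled   = (Get-ItemProperty -Path $sgKey -Name Enabled -ErrorAction SilentlyContinue).Enabled

    $platformPolicy = if ($platformReq -eq 1) { 'VBS with Secure Boot' } elseif ($platformReq -eq 3) { 'VBS with Secure Boot and DMA' } else { 'Not configured' }

    # System Guard Launch requires a TPM 2.0; Win32_Tpm reports the spec version and state.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSummary = if ($tpm) { "SpecVersion=$($tpm.SpecVersion); Enabled=$($tpm.IsEnabled_InitialValue); Activated=$($tpm.IsActivated_InitialValue)" } else { 'No TPM reported' }

    # Required but not available: VBS will not start on this hardware with this policy.
    $missing = @($dg.RequiredSecurityProperties | Where-Object { $_ -ne 0 -and ($_ -notin $dg.AvailableSecurityProperties) })
    # Configured but not running: reboot pending or a prerequisite above is unmet.
    $notRunning = @($dg.SecurityServicesConfigured | Where-Object { $_ -ne 0 -and ($_ -notin $dg.SecurityServicesRunning) })

    [pscustomobject]@{
        VbsStatus               = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        VbsPolicy               = if ($vbsEnabled -eq 1) { 'Enabled' } else { 'Not configured' }
        PlatformSecurityPolicy  = $platformPolicy
        SystemGuardPolicy       = if ($sgEnabled -eq 1) { 'Enabled' } else { 'Not configured' }
        Tpm                     = $tpmSummary
        ServicesRunning         = @($dg.SecurityServicesRunning | Where-Object { $_ -ne 0 } | ForEach-Object { $SecurityServices[[int]$_] }) -join ', '
        ConfiguredButNotRunning = @($notRunning | ForEach-Object { $SecurityServices[[int]$_] }) -join ', '
        RequiredButUnavailable  = @($missing | ForEach-Object { $SecurityProperties[[int]$_] }) -join ', '
    }
}

Get-DeviceGuardAudit | Format-List
```

Two fields carry the decision. RequiredButUnavailable non-empty means the chosen platform security level (for example "Secure Boot and DMA") asks for something the hardware cannot supply, so VBS, and everything layered on it, stays off until the policy is relaxed or the hardware is changed; an empty VbsStatus of "Enabled but not running" with ConfiguredButNotRunning listing System Guard Secure Launch is the pattern of a device that has received the policy but not yet rebooted. Win32_Tpm reports the spec version but not whether the TPM is discrete or firmware-based, so the discrete-TPM requirement for System Guard Launch still has to be confirmed from the hardware inventory.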