Defender Device Guard
The Microsoft Defender Device Guard (Device Guard) settings enable virtualization-based Windows 10+ security features that support services for a group of devices.
Configuring Device Guard settings
The following table describes the Device Guard settings that you can configure for Windows 10+ devices.
Policy setting | Description | Supported devices |
---|---|---|
Configure Defender Device Guard | If this setting is enabled, allows administrators to configure settings that protect system integrity and credentials on Windows 10+ devices. | Windows 10+ Education and Enterprise |
Credential Guard Settings | | |
Configure System Guard Launch | System Guard protects and maintains the integrity of the system as the system starts and validates that system integrity was maintained through local and remote attestation. For more information about System Guard, see https://www.microsoft.com/security/blog/2018/04/19/introducing-windows-defender-system-guard-runtime-attestation/. Settings include: | Windows 10+ Education and Enterprise |
Enable Virtualization Based Security (VBS) | Virtualization-based security creates and isolates vital operating system resources and credentials. Virtualization-based security uses the Windows Hypervisor to provide support for security services. For more information about virtualization-based security, see https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs. | Windows 10+ Education and Enterprise |
Configure Credential Guard | Credential Guard uses virtualization-based security to isolate secrets that only privileged system software can access. Credential Guard prevents unauthorized access that can lead to credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGT), and credentials stored by applications as domain credentials. For more information about Credential Guard, see https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard. Settings include: | Windows 10+ Education and Enterprise |
Configure platform security level for the next reboot | Enables security features that help protect devices. | Windows 10+ Education and Enterprise |
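
To confirm on a managed device that these settings took effect, the following added example (not part of the original documentation) decodes the Windows `Win32_DeviceGuard` WMI class into one row per feature from the table above. The function name `Get-DeviceGuardState` and the sample object are constructed for illustration; run the function without arguments on a real device to read the live values.

```powershell
function Get-DeviceGuardState {
    [CmdletBinding()]
    param(
        # Omit on a real device to query the live class; pass an object to decode offline.
        [Parameter(ValueFromPipeline)]
        [object]$DeviceGuard
    )
    process {
        if (-not $DeviceGuard) {
            $DeviceGuard = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                -ClassName Win32_DeviceGuard -ErrorAction Stop
        }
        # Value maps as documented for Win32_DeviceGuard.
        $vbsText  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
        $services = [ordered]@{ 'Credential Guard' = 1; 'System Guard Secure Launch' = 3 }

        # Cast to [int]: the live property is UInt32 and would not match the Int32 keys.
        $vbs = [int]$DeviceGuard.VirtualizationBasedSecurityStatus
        [pscustomobject]@{
            Feature    = 'Virtualization Based Security'
            Configured = ($vbs -ge 1)
            Running    = ($vbs -eq 2)
            Detail     = $vbsText[$vbs]
        }

        foreach ($name in $services.Keys) {
            $id         = $services[$name]
            $configured = $DeviceGuard.SecurityServicesConfigured -contains $id
            $running    = $DeviceGuard.SecurityServicesRunning -contains $id
            # A configured service that is not running usually means the device has not
            # rebooted since the policy arrived or a hardware requirement is unmet.
            $detail = if ($running) { 'Running' }
                      elseif ($configured) { 'Configured, not running' }
                      else { 'Not configured' }
            [pscustomobject]@{
                Feature = $name; Configured = $configured; Running = $running; Detail = $detail
            }
        }
    }
}

# Constructed sample: policy delivered, device not yet rebooted.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 1
    SecurityServicesConfigured        = @(1, 3)
    SecurityServicesRunning           = @(0)
}
Get-DeviceGuardState -DeviceGuard $sample | Format-Table -AutoSize
```

With the constructed sample, all three features report `Configured = True` and `Running = False`, which is the state to expect between policy delivery and the next reboot.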