How to enable or disable Device Guard on Windows 10
Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, lock a device so that it runs only the trusted applications you specify in the code integrity policy. If an application is not trusted, it cannot run. With hardware that meets the basic requirements, this means that even if an attacker gains control of the Windows kernel, they cannot run malicious executable code. With the right hardware, Device Guard can use the virtualization-based security (VBS) introduced in Windows 10 to isolate the Code Integrity service from the Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.
This tutorial will show you how to enable or disable Device Guard virtualization-based security on Windows 10 Enterprise and Windows 10 Education PCs.
You must log on as an administrator to enable or disable Device Guard.
How to enable or disable Device Guard
Step 1. Open Windows Features.
In Windows 10 Enterprise / Education version 1607 or later, select Hyper-V Hypervisor under Hyper-V and click OK.
In Windows 10 Enterprise / Education versions before version 1607, select Hyper-V Hypervisor under Hyper-V, select Isolated User Mode and click OK.
Step 2. Open Local Group Policy Editor.
Step 3. Navigate to the following location in the left pane of Local Group Policy Editor.
Computer Configuration\Administrative Templates\System\Device Guard
Step 4. In the right pane of Device Guard in the Local Group Policy Editor, double-click the Turn On Virtualization Based Security policy to edit it.
Step 5. Follow Step 6 (turn on) or Step 7 (turn off).
Step 6. To enable Device Guard
- Select Enabled.
- In Options, select Secure Boot or Secure Boot and DMA Protection in the Select Platform Security Level drop-down menu.
Note: The Secure Boot (recommended) option provides Secure Boot with as much protection as the computer's hardware supports. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will only have Secure Boot enabled.
The Secure Boot and DMA Protection option enables Secure Boot and VBS only on computers that support DMA protection, i.e. computers with IOMMUs. With this setting, a computer without IOMMUs will not have (hardware-based) VBS protection, although it can still have code integrity policies enabled.
- In Options, select Enabled with UEFI lock or Enabled without lock in the Virtualization Based Protection of Code Integrity drop-down menu.
Note: The Enabled with UEFI lock option ensures that Virtualization Based Protection of Code Integrity cannot be disabled remotely. To disable this feature, you must set the Group Policy to Disabled and also remove the security functionality from each computer, with a physically present user, to clear the configuration stored in UEFI.
The Enabled without lock option allows Virtualization Based Protection of Code Integrity to be disabled remotely using Group Policy.
- If you wish, you can also enable Credential Guard by selecting Enabled with UEFI lock or Enabled without lock in the Credential Guard Configuration drop-down menu.
Note: The Enabled with UEFI lock option ensures that Credential Guard cannot be disabled remotely. To turn off this feature, you must set the Group Policy to Disabled and also remove the security functionality from each computer, with a physically present user, to clear the configuration stored in UEFI.
The Enabled without lock option allows Credential Guard to be turned off remotely using Group Policy. Devices that use this setting must be running Windows 10 (Version 1511) or later.
- Go to Step 8.
Step 7. To disable Device Guard
Select Not Configured or Disabled, click OK and go to Step 8.
Note: Not Configured is the default setting.
Step 8. Close Local Group Policy Editor.
Step 9. Restart the computer to apply changes.
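A check to run after the restart to confirm what the policy actually produced, added here as an example and not part of the original tutorial. It reads the Win32_DeviceGuard WMI class and the Device Guard policy registry key; the registry value names and the code meanings are not given on this page, so treat them as assumptions to verify on your build.

```powershell
# Added example: run in an elevated PowerShell session after the restart in Step 9.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Code meanings for the settings this tutorial touches; any other code prints as "code N".
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$platform = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
$services = @{ 1 = 'Credential Guard'; 2 = 'Virtualization Based Protection of Code Integrity' }
$lockMode = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }

function Resolve-Codes {
    param($Codes, [hashtable]$Map)
    # WMI returns UInt32 values; cast to [int] so they match the hashtable keys.
    # Where-Object { $_ } drops both $null and 0 (0 means "nothing").
    $names = foreach ($c in @($Codes | Where-Object { $_ })) {
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "code $c" }
    }
    if ($names) { $names -join ', ' } else { 'none' }
}

function Resolve-Lock {
    param($Value)
    # A missing registry value means the policy is Not Configured (the default).
    if ($null -eq $Value) { return 'Not configured' }
    if ($lockMode.ContainsKey([int]$Value)) { $lockMode[[int]$Value] } else { "code $Value" }
}

# Values written by the "Turn On Virtualization Based Security" policy (assumed names).
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
    -ErrorAction SilentlyContinue

[pscustomobject]@{
    VbsStatus             = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    RequiredPlatformLevel = Resolve-Codes $dg.RequiredSecurityProperties $platform
    AvailableOnHardware   = Resolve-Codes $dg.AvailableSecurityProperties $platform
    ServicesConfigured    = Resolve-Codes $dg.SecurityServicesConfigured $services
    ServicesRunning       = Resolve-Codes $dg.SecurityServicesRunning $services
    PolicyCodeIntegrity   = Resolve-Lock $policy.HypervisorEnforcedCodeIntegrity
    PolicyCredentialGuard = Resolve-Lock $policy.LsaCfgFlags
} | Format-List
```

If RequiredPlatformLevel lists DMA protection but AvailableOnHardware does not, VBS will show as not running, which matches the IOMMU note in Step 6. A service that still appears under ServicesRunning after the policy is set to Disabled points to a UEFI lock that has not been cleared.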
I wish you all success!