I need some help in my question to enable Windows System Guard in my environment. If you want to know what it is see:
Hardening the system and maintaining integrity with Windows Defender System Guard
and the Microsoft article is here:
Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
and in summary Windows System Guard is:
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:
– Protect and maintain the integrity of the system as it starts up
– Validate that system integrity has truly been maintained through local and remote attestation
I enabled it using the techniques in this article:
System Guard Secure Launch and SMM protection
To verify it is enabled (according to the article) you check MSInfo32 and you should see:
i.e. Secure Launch appears in both:
1. Virtualization based Security Configured
2. Virtualization based security Services Running
However, in my case I don’t see it appear under Virtualization based security Services Running as you see above?
Now, the Microsoft article does say:
Credential Guard is definitely running per my MSInfo32
To check Virtualization Based Security I can run the command:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
and I see the following:
According to the documentation,
if VirtualizationBasedSecurityStatus = 2 then:
VBS is enabled and running
Now, if I look at the SecurityServicesRunning field I see:
only Credential Guard and HVCI running per:
i.e. no System Guard Secure Launch. This confirms what I see in MSInfo32.
Verifying Device Guard is where things get challenging, because this:
Why we no longer use the Device Guard brand
seems to indicate that Device Guard is now Windows Defender Application Control (WDAC)??
However, there is this article:
Windows 10 Device Guard and Credential Guard Demystified
from early 2021 talking about Device Guard?? Here, Device Guard is:
Now that we have an understanding of Virtual Secure Mode, we can begin to discuss Device Guard. The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system
Device Guard consists of three primary components:
- Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.
- VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.
- Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.
According to that article the CCI is located at:
Computer Configuration \ Administrative Templates \ System \ Device Guard \ Deploy Code Integrity Policy
But I can’t see that on my machine as shown above??
I can’t see how to specifically enable VSM Protected Code Integrity, I can only find:
Finally, my machine does have UEFI and secure boot enabled:
The last piece of the puzzle is a service called Secure Launch:
which I have running and which seems to be linked to System Guard, but I can find no confirmation of what this service actually does??
In summary, I am at a loss to understand why my machine seems to not have System Guard enabled even though it seems to be capable. I feel confident that I do have all the requirements in place, but Configurable Code Integrity (CCI) may be the issue, and I can’t find anything on how to configure that.
My ask, then, is if you have any information on helping me get System Guard working on my machine, or help me understand why it isn’t working, I’d appreciate it, as I have drawn a blank with all my other sources.
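The check the question performs by hand (reading Win32_DeviceGuard and interpreting the numeric fields) can be scripted so the configured and running services are reported by name, and so "configured but not running" is distinguished from "not configured at all". The script below is an added example, not code from the original post or from the linked Microsoft articles. The numeric meanings for VirtualizationBasedSecurityStatus and SecurityServicesConfigured/SecurityServicesRunning are the ones Microsoft documents for the Win32_DeviceGuard class (0 = none, 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement). The registry path is the one the linked "System Guard Secure Launch and SMM protection" article uses to enable Secure Launch; the function name Get-SystemGuardState and the Diagnosis wording are this example's own.

```powershell
# Added example (not from the original post): decode the Win32_DeviceGuard
# instance the question reads, and report System Guard Secure Launch state.

# Value meanings as documented by Microsoft for the Win32_DeviceGuard class.
$vbsStatusNames = @{
    0 = 'VBS is not enabled'
    1 = 'VBS is enabled but not running'
    2 = 'VBS is enabled and running'
}
$serviceNames = @{
    0 = 'No services'
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}

# Registry location used by the linked Microsoft article to enable Secure Launch
# (assumption: taken from that article, not from the question itself).
$secureLaunchRegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Get-SystemGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Map the raw codes to names; @() keeps single values as arrays.
    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { $serviceNames[[int]$_] })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { $serviceNames[[int]$_] })

    # Secure Launch is reported as running only after the boot chain has actually
    # performed the measured (DRTM) launch, not merely because it is configured.
    $secureLaunchConfigured = [bool]($dg.SecurityServicesConfigured -contains 3)
    $secureLaunchRunning    = [bool]($dg.SecurityServicesRunning    -contains 3)

    $regEnabled = $null
    if (Test-Path $secureLaunchRegPath) {
        $regEnabled = (Get-ItemProperty -Path $secureLaunchRegPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
    }

    # Separate the three failure modes a reader of MSInfo32 alone cannot tell apart.
    if ($secureLaunchRunning) {
        $diagnosis = 'Secure Launch is configured and running'
    } elseif ($secureLaunchConfigured) {
        $diagnosis = 'Secure Launch is configured but not running: check the hardware/firmware prerequisites in the linked article'
    } elseif ($regEnabled -eq 1) {
        $diagnosis = 'Registry value is set but the service is not yet reported as configured: a reboot is still pending'
    } else {
        $diagnosis = 'Secure Launch is not configured: no policy or registry setting is in effect'
    }

    [pscustomobject]@{
        VbsStatus              = $vbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = ($configured -join ', ')
        ServicesRunning        = ($running -join ', ')
        SecureLaunchConfigured = $secureLaunchConfigured
        SecureLaunchRunning    = $secureLaunchRunning
        SecureLaunchRegEnabled = $regEnabled
        Diagnosis              = $diagnosis
    }
}

Get-SystemGuardState | Format-List
```

Run it in an elevated PowerShell session. On the machine described in the question it should show VBS as "enabled and running", ServicesRunning as "Credential Guard, Hypervisor-protected Code Integrity (HVCI)", and a Diagnosis line that says whether Secure Launch is missing from the configured list (policy not applied) or present there but not running (the hardware or firmware did not complete the measured launch).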