Determine if Device Guard is Enabled RRS feed

  • Question

  • I've looked at posts about determining if Device Guard is enabled, but when I run msinfo32, my results don't look quite the same as what I see in those posts.  I'm not sure if that is because Device Guard is not enabled on my computer, or if it because I'm using a newer version of Windows 10 - 1709.

    Here's what I see:

    Friday, March 23, 2018 2:25 PM

All replies

  • What version of Windows 10 are using, Pro or Enterprise? Device Guard requires Enterprise. That is perhaps not clear as I enabled Credential Guard on Pro once and my results looked the same as yours from memory. The

    Requirements and deployment planning guidelines for Windows Defender Device Guard

    does mention the Windows version in the 'Software: Qualified Windows operating system' section.

    Monday, March 26, 2018 6:16 PM
  • I'm running Enterprise.  I'll double-check this requirement list and make sure I didn't miss anything.
    Monday, March 26, 2018 6:21 PM
  • You can use this script to test your system ;-)

    Device Guard and Credential Guard hardware readiness tool


    Monday, March 26, 2018 6:46 PM
  • I've run .\db_readiness_tool_v3.2.ps1 -Ready and received this output:

    Credential-Guard is enabled and running.

    HVCI is enabled and running.

    Config-CI is enabled and running (Audit mode)

    HVCI, Credential-Guard, and Config-CI are enabled and running.

    • Proposed as answer by Narcoticoo Friday, March 30, 2018 6:31 AM
    Monday, March 26, 2018 6:56 PM
  • This clears things up a little:

    The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system.

    Device Guard consists of three primary components:

    • Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.
    • VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.
    • Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.

    VSM is a little cloudy.  I have HVCI enabled.  Do I have KMCI enabled?  Have they been moved into VSM?

    Wednesday, March 28, 2018 1:05 PM
  • It been a while since I watched this video which I watch out of interest did not set it up.

    Dropping the Hammer on Malware with Windows 10 Device Guard

    Perhaps give that a watch. When I get sometime I will follow that again and set it up see what I get.

    Wednesday, March 28, 2018 8:19 PM