Join Pete Zerger for an in-depth discussion in this video Deploy Device Guard, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Device Guard is a really important complement to Credential Guard and your other layers of endpoint security, as it helps us move towards a state where we have tight control of what can be run on a desktop and by whom. So there are multiple ways we can configure the virtualization-based security features for Device Guard. We can use the readiness tool released by Microsoft, we can configure VBS manually using registry keys, or we can use Active Directory Group Policy, which I'll show you now. So we'll start by launching the Group Policy Management snap-in.
And to create a new group policy I'm just going to click Group Policy Objects, select New, and I'll give this a name. I'm going to call this Device Guard, and I won't link this to anything for now. You'll ultimately want to configure this group policy, link it to an Active Directory OU, and you'll need to reboot your desktops. So on the next reboot, your Windows 10 desktops to which this policy applies will get those settings. So we'll right-click that new Device Guard GPO and select Edit.
I'll just full-screen this, and we'll expand Policies, Administrative Templates, System, and here we'll see Device Guard. So there are a few settings here under Turn On Virtualization Based Security that we want to have a look at. So we'll set Enabled. So at a platform level, we need to enable Secure Boot. And you'll notice there are two options here. There is Secure Boot, and Secure Boot with DMA protection.
So the DMA protection option requires hardware support, basically a computer with input/output memory management units. So if we enable Secure Boot, all of our systems are going to enable that feature. If we enable Secure Boot with DMA protection, the systems that support it will enable that additional DMA feature. Those that don't support it will simply enable Secure Boot. And I'll actually show you how, in the Windows Event Viewer, you can see what the effective settings are for the computer you're working with, quickly and easily.
So let's go that route of Secure Boot with DMA protection, and then for Virtualization Based Protection of Code Integrity, this is what enables kernel-mode code integrity. Now if we enable this with UEFI lock, this simply means that the feature can no longer be remotely disabled. We can disable this with group policy, or we can disable this by going to that computer and physically logging in.
I'm going to do that without lock for the moment. And typically you're going to turn on Credential Guard as well. That's another conversation, but we'll go ahead and enable Credential Guard without lock also, which is going to encrypt our credentials in memory for this computer. And I'll go ahead and select OK, and I'm going to close the Group Policy Management Editor. Now my next step here is to actually link this GPO to an organizational unit, or a domain, or some target in Active Directory, to apply these settings.
I would typically apply this to my desktops, so I've actually gone ahead and, to give you the before and after, I have those same settings applied to the Kineteco desktops OU, and my Windows 10 systems have rebooted. Now I mentioned there were three ways we can enable this feature: through the readiness tool, through the registry, or through group policy. I'd recommend you use group policy whenever possible, for one simple reason. When you use group policy, the Windows event log channel is used to log the status of Device Guard.
Specifically, it's going to log an event ID 7000, which is going to give you a crystal-clear picture of the effective settings on that machine. So let's go from our domain controller over to our Windows 10 desktop and have a quick look at our Event Viewer. So this is the Windows Event Viewer that you're no doubt familiar with. Just right-click your Start menu and launch the Event Viewer. And those events are logged under Applications and Services Logs, Microsoft, Windows, then go down to the D's, where you'll find Device Guard.
And here we are. And we're going to look at the Operational log here, and sure enough there's an event ID 7000, and if you look down here in the details, you'll see that VBS is enabled, that Secure Boot is on. You're going to notice DMA protection is off, even though we enabled it, because this is a virtual machine. It doesn't have the hardware support that we need for that feature. And you'll notice code integrity is on. So again, Device Guard is a really important complement to Credential Guard and these other layers of security, because we're now setting the stage to deploy code integrity policies.
That's exactly what we're ready to do. And code integrity policies provide control over a computer, allowing us to specify whether a driver or an application is trusted and can actually be run.
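The same procedure the instructor walks through in the Group Policy Management console, written as an added PowerShell example (this is not code from the course or from Microsoft). It assumes the GroupPolicy RSAT module on the admin host, WinRM access to the desktop, and an OU distinguished name of your own (the `OU=Desktops,DC=kineteco,DC=local` value is a placeholder). The first function writes the documented policy registry values that the "Turn On Virtualization Based Security" setting produces, with Secure Boot plus DMA protection and HVCI and Credential Guard both without UEFI lock, exactly as configured in the video; the second reads back the effective state on a desktop from the DeviceGuard operational channel (event 7000) and from the Win32_DeviceGuard CIM class, so you can confirm the DMA-protection fallback on a VM without opening Event Viewer.

```powershell
# Added example, not from the course. Requires: GroupPolicy module (RSAT) on the admin host.
Import-Module GroupPolicy

# Policy key the "Turn On Virtualization Based Security" ADMX setting writes to.
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

function New-DeviceGuardGpo {
    param(
        [string]$Name = 'Device Guard',
        # Hypothetical OU DN (assumption); replace with your desktops OU.
        [string]$TargetOU = 'OU=Desktops,DC=kineteco,DC=local',
        [switch]$Link
    )
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) { $gpo = New-GPO -Name $Name -Comment 'VBS, HVCI and Credential Guard' }

    # Documented DWORD values behind the GUI choices shown in the video.
    $values = @{
        EnableVirtualizationBasedSecurity = 1   # Enabled
        RequirePlatformSecurityFeatures   = 3   # 1 = Secure Boot, 3 = Secure Boot with DMA protection
        HypervisorEnforcedCodeIntegrity   = 2   # 1 = enabled with UEFI lock, 2 = enabled without lock
        LsaCfgFlags                       = 2   # Credential Guard: 1 = with UEFI lock, 2 = without lock
    }
    foreach ($entry in $values.GetEnumerator()) {
        Set-GPRegistryValue -Name $Name -Key $PolicyKey -ValueName $entry.Key `
            -Type DWord -Value $entry.Value | Out-Null
    }
    # Linking is what actually applies it; desktops pick it up on the next reboot.
    if ($Link) { New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null }
    return $gpo
}

function ConvertTo-VbsStatusText {
    param([int]$Code)
    switch ($Code) {
        0 { 'Disabled' }
        1 { 'Enabled, not running' }
        2 { 'Running' }
        default { "Unknown ($Code)" }
    }
}

function Get-DeviceGuardStatus {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Event 7000 is written when Group Policy configures VBS; it is the event the
    # instructor reads in Event Viewer under Microsoft-Windows-DeviceGuard/Operational.
    $evt = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceGuard/Operational'; Id = 7000
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    # Win32_DeviceGuard separates what policy requires from what the platform offers
    # and what is actually running, which is where the VM's missing IOMMU shows up.
    $dg = Get-CimInstance -ComputerName $ComputerName `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $props    = @{ 0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
    $decode   = { param($list, $map) ($list | ForEach-Object { if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { $_ } }) -join ', ' }

    [pscustomobject]@{
        Computer            = $ComputerName
        VbsStatus           = ConvertTo-VbsStatusText -Code $dg.VirtualizationBasedSecurityStatus
        RequiredProperties  = & $decode $dg.RequiredSecurityProperties  $props
        AvailableProperties = & $decode $dg.AvailableSecurityProperties $props
        ServicesConfigured  = & $decode $dg.SecurityServicesConfigured  $services
        ServicesRunning     = & $decode $dg.SecurityServicesRunning     $services
        LastEvent7000       = if ($evt) { $evt.TimeCreated } else { 'not logged yet' }
        Event7000Message    = if ($evt) { $evt.Message } else { '' }
    }
}

# Usage (admin host, then a rebooted desktop):
#   New-DeviceGuardGpo -Link
#   Get-DeviceGuardStatus -ComputerName 'WIN10-01' | Format-List
```

On the VM from the video you would expect "DMA protection" to appear under RequiredProperties but not under AvailableProperties, while VbsStatus still reads Running and ServicesRunning lists HVCI and Credential Guard: that is the fallback to plain Secure Boot the instructor describes. If ServicesConfigured lists a service that ServicesRunning does not, the policy has applied but the machine has not rebooted yet or lacks a platform prerequisite, so check the event message before chasing the GPO.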