Forum Discussion
Kernel DMA Protection in Dell Inspiron 14 5405
- Feb 25, 2021
You don't need Kernel DMA Protection for Device Guard.
What you need is:
- 64-bit CPU
- SLAT
- IOMMU (Intel-VT-D or AMD-Vi)
- TPM 2.0
- SMM Protection (Firmware)
- UEFI Memory Reporting
- MOR2
- HVCI compatible drivers
That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processors:
https://www.amd.com/en/technologies/pro-security
Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.
To answer your other questions more directly:
- kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt,...). It needs support from your hardware (CPU, Mainboard, Firmware) to work and is not tied to device guard or credential guard. It needs VBS to work correctly, but it is not needed for VBS.
- coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in an administrative prompt, but even then, all the virtualization information is not reliable when virtualization is running.
- I'm not sure if you really want device guard (a collection of features that prevents code from running on your machine) or if you just want VBS.
I need Advanced protection with VBS to create isolation or virtual secure mode for user and kernel operations.
- dretzer, Feb 25, 2021, Iron Contributor
If you want to check if VBS is running use the following command in an administrative PowerShell console:
$dgstatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$dgstatus.VirtualizationBasedSecurityStatus
This will return a number from 0 to 2.
- 0 = VBS not available
- 1 = VBS available but not running
- 2 = VBS available and running
You can also type $dgstatus to see all information about device guard. You can find a description of all the values on this site:
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
- Mehdi_Sellami, Feb 25, 2021, Copper Contributor
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
The output of this command:
AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 2
InstanceIdentifier : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {1, 2}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2
PSComputerName :
VirtualizationBasedSecurityStatus : 2
VBS available and running
- dretzer, Feb 25, 2021, Iron Contributor
SecurityServicesRunning : {1, 2}
This means that credential guard (1) and HVCI (2) are running too.
So you already have VBS, Credential Guard and HVCI running correctly.
Be aware that credential guard only protects domain credentials! It does not protect any other credentials, like for example, local accounts. So if you want to use CG, make sure that you use only domain accounts and block any creation or usage of local accounts.
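Added example (not part of any post in this thread): a PowerShell helper that turns the numeric Win32_DeviceGuard fields discussed above into labels and flags any security service that is configured but not running. The function names and the sample object are hypothetical; the value meanings follow Microsoft's documentation for the Win32_DeviceGuard class linked above.

```powershell
# Value tables as documented by Microsoft for the Win32_DeviceGuard class.
$AvailableProps = @{
    0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
    7 = 'MBEC/GMET'; 8 = 'APIC virtualization'
}
$Services = @{
    0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement'
}
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$CiStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# Hypothetical helper: map each numeric value to its label, keeping unknown values visible.
function ConvertTo-Label {
    param([hashtable]$Map, [object[]]$Values)
    foreach ($v in $Values) {
        if ($Map.ContainsKey([int]$v)) { $Map[[int]$v] } else { "Unknown ($v)" }
    }
}

# Hypothetical helper: summarize one Win32_DeviceGuard instance (or an object shaped like it).
function Get-DeviceGuardSummary {
    param([Parameter(Mandatory)]$Status)
    # Services requested by policy that did not actually start (0 means "none").
    $notRunning = @($Status.SecurityServicesConfigured |
        Where-Object { $_ -ne 0 -and $_ -notin $Status.SecurityServicesRunning })
    [pscustomobject]@{
        VBS                  = ConvertTo-Label $VbsStatus $Status.VirtualizationBasedSecurityStatus
        AvailableProperties  = (ConvertTo-Label $AvailableProps $Status.AvailableSecurityProperties) -join ', '
        ServicesConfigured   = (ConvertTo-Label $Services $Status.SecurityServicesConfigured) -join ', '
        ServicesRunning      = (ConvertTo-Label $Services $Status.SecurityServicesRunning) -join ', '
        ConfiguredNotRunning = (ConvertTo-Label $Services $notRunning) -join ', '
        KernelCodeIntegrity  = ConvertTo-Label $CiStatus $Status.CodeIntegrityPolicyEnforcementStatus
        UserCodeIntegrity    = ConvertTo-Label $CiStatus $Status.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

# Constructed sample (not a real host). On a real machine, from an elevated prompt, use:
#   $status = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$status = [pscustomobject]@{
    AvailableSecurityProperties                  = @(1, 2, 3, 5)
    CodeIntegrityPolicyEnforcementStatus         = 2
    SecurityServicesConfigured                   = @(1, 2)
    SecurityServicesRunning                      = @(2)
    UsermodeCodeIntegrityPolicyEnforcementStatus = 0
    VirtualizationBasedSecurityStatus            = 2
}
Get-DeviceGuardSummary $status | Format-List
```

A non-empty ConfiguredNotRunning field is the case worth investigating: the service was requested by policy but a hardware, firmware or driver prerequisite kept it from starting.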