Forum Discussion

Copper Contributor

Feb 24, 2021

Solved

Kernal DMA Protection in dell inspiron 14 5405

AMD Ryzen 7 4700U I have upgraded the OS from home to pro to Enterprise version 20H2 Then I checked the Hyper-V using the systeminfo.exe command from cmd The output was compatible: 64-b...

Device Guard

dretzer
Feb 25, 2021
You don't need Kernel DMA Protection for Device Guard.
What you need is:
64-bit CPU
SLAT
IOMMU (Intel-VT-D or AMD-Vi)
TPM 2.0
SMM Protection (Firmware)
UEFI Memory Reporting
MOR2
HVCI compatible drivers
That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processort:
https://www.amd.com/en/technologies/pro-security

Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.

To answer your other questions more directly:
kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt,...). It needs support from your hardware (CPU, Mainboard, Firmware) to work and is not tied to device guard or credential guard. It needs VBS to work correctly, but it is not needed for VBS.
coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in and administrative prompt, but even then, all the virtualization informations are not reliable when virtualization is running.
I'm not sure if you really want device guard (a collection of features that prevents code from running on your machine) or if you just want VBS.
Mehdi_Sellami

Mehdi_Sellami

Copper Contributor

Feb 25, 2021

I need Advanced protection with VBS to create isolation or virtual secure mode for user and kernel operations.

dretzer

Iron Contributor

Feb 25, 2021

If you want to check if VBS is running use the following command in an administrative PowerShell console:

$dgstatus = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
$dgstatus.VirtualizationBasedSecurityStatus

This will return a number from 0 to 2.

0 = VBS not available
1 = VBS available but not running
2 = VBS available and running

You can also type $dgstatus to see all information about device guard. You can find a description of all the values on this site:

https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity

Mehdi_Sellami

Mehdi_Sellami
Copper Contributor
Feb 25, 2021

Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard

The output of this command:
AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 2
InstanceIdentifier : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {1, 2}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2
PSComputerName

VirtualizationBasedSecurityStatus : 2
VBS available and running

dretzer
- dretzer
  Iron Contributor
  Feb 25, 2021
  
  SecurityServicesRunning : {1, 2}
  
  This means that credential guard (1) and HVCI (2) is running too.
  So you already have VBS, Credential Guard and HVCI running correctly.
  
  Be aware that credential guard only protects domain credentials! It does not protect any other credentials, like for example, local accounts. So if you want to use CG, make sure that you use only domain accounts and block any creation or usage of local accounts.
  Mehdi_Sellami
  - Mehdi_Sellami
    Copper Contributor
    Feb 25, 2021
    Question: You have told me if you want to use Credential Guard
    only protects domain credentials! It does not protect any other credentials.
    
    Credential Guard helps protect user authentication and access tokens in the Local
    Security Authority Subsystem (LSASS) or Lsass.exe file from being stolen.
    Without Credential Guard enabled, derived credentials such as Kerberos tickets and password hashes are stored in memory without the secure isolated protection of a VBS hypervisor and are vulnerable to password stealing malware.
    With Credential Guard enabled, credentials are stored in a protected isolated process called Lsaiso.exe.
    Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).
    
    Meaning, I do not enable Enabling Credential Guard with Group Policy or with MDM (Intune) (local accounts)
    Computer Configuration > Policies > Administrative Templates > System> Device Guard.
    Open Turn on Virtualization Based Security and choose Enabled (radio button).
    Select Platform Security Level: Secure Boot and DMA Protection
    Credential Guard Configuration: Enabled with or without UEFI lock
    
    If I using a device Gurad which are used to determine what applications can run on your Windows systems (Microsoft recommends a combination of WDAC and AppLocker)
    
    Enabling Device Guard and Windows Defender Application Control with Group Policy
    
    Computer Configuration > Policies > Administrative Templates > System> Device Guard.
    Deploy Code Integrity Policy and Enable it.
    Enter the UNC path to the .bin file located on the deployment share
    
    If I work on local accounts I won't need Credential Guard and Device Gurad
    
    yes or no
    
    dretzer