Forum Discussion
Kernel DMA Protection in Dell Inspiron 14 5405
- Feb 25, 2021
You don't need Kernel DMA Protection for Device Guard.
What you need is:
- 64-bit CPU
- SLAT
- IOMMU (Intel-VT-D or AMD-Vi)
- TPM 2.0
- SMM Protection (Firmware)
- UEFI Memory Reporting
- MOR2
- HVCI compatible drivers
That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not familiar with AMD CPUs for enterprise usage. According to AMD they support all Secured-core PC features (among those Device Guard) with their AMD Pro series of processors:
https://www.amd.com/en/technologies/pro-security
Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.
To answer your other questions more directly:
- kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt,...). It needs support from your hardware (CPU, Mainboard, Firmware) to work and is not tied to device guard or credential guard. It needs VBS to work correctly, but it is not needed for VBS.
- coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in an administrative prompt, but even then, the virtualization information is not reliable when virtualization is running.
- I'm not sure if you really want device guard (a collection of features that prevents code from running on your machine) or if you just want VBS.
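Added example, not from the thread: a PowerShell check that reads the documented Win32_DeviceGuard WMI class (the same source the System Information tool uses) instead of coreinfo, so it reports which of the platform properties listed above the firmware and CPU actually expose, and whether Credential Guard and HVCI are configured by policy and really running. The numeric-code labels are taken from Microsoft's documentation of that class; it needs Windows PowerShell 3.0 or later on the machine being checked.

```powershell
# Added example (not from the thread): report VBS / Credential Guard / HVCI state
# from Win32_DeviceGuard. coreinfo output is unreliable once a hypervisor runs;
# this class reflects what Windows itself determined at boot.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# Codes used by AvailableSecurityProperties / RequiredSecurityProperties
$propertyNames = @{
    1 = 'Hypervisor support (SLAT/IOMMU)'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite (MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
}
# Codes used by SecurityServicesConfigured / SecurityServicesRunning
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'HVCI (memory integrity)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }

function Describe([int[]]$codes, [hashtable]$names) {
    # Map each code to its label; codes not in the table are shown numerically.
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object {
        if ($names.ContainsKey($_)) { $names[$_] } else { "code $_" }
    }) -join ', '
}

"VBS status          : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Available properties: $(Describe $dg.AvailableSecurityProperties $propertyNames)"
"Required properties : $(Describe $dg.RequiredSecurityProperties $propertyNames)"
"Services configured : $(Describe $dg.SecurityServicesConfigured $serviceNames)"
"Services running    : $(Describe $dg.SecurityServicesRunning $serviceNames)"

# The gap that matters: a service configured by Group Policy but not running
# usually means a prerequisite (IOMMU, Secure Boot, DMA protection, ...) is
# missing or switched off in firmware.
$notRunning = $dg.SecurityServicesConfigured |
    Where-Object { $_ -notin $dg.SecurityServicesRunning }
if ($notRunning) { "Configured but NOT running: $(Describe $notRunning $serviceNames)" }
```

"Required properties" mirrors the Platform Security Level chosen in the policy (Secure Boot alone, or Secure Boot and DMA Protection); if a required code is absent from "Available properties", VBS will stay at "Enabled, not running" on that machine.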
Question: You have told me that if you want to use Credential Guard, it only protects domain credentials! It does not protect any other credentials.
Credential Guard helps protect user authentication and access tokens in the Local Security Authority Subsystem (LSASS) or Lsass.exe file from being stolen.
Without Credential Guard enabled, derived credentials such as Kerberos tickets and password hashes are stored in memory without the secure isolated protection of a VBS hypervisor and are vulnerable to password stealing malware.
With Credential Guard enabled, credentials are stored in a protected isolated process called Lsaiso.exe.
Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).
Meaning, I do not enable Credential Guard with Group Policy or with MDM (Intune) (local accounts):
- Computer Configuration > Policies > Administrative Templates > System > Device Guard.
- Open Turn on Virtualization Based Security and choose Enabled (radio button).
- Select Platform Security Level: Secure Boot and DMA Protection.
- Credential Guard Configuration: Enabled with or without UEFI lock.
If I am using Device Guard, which is used to determine what applications can run on your Windows systems (Microsoft recommends a combination of WDAC and AppLocker):
Enabling Device Guard and Windows Defender Application Control with Group Policy:
- Computer Configuration > Policies > Administrative Templates > System > Device Guard.
- Deploy Code Integrity Policy and enable it.
- Enter the UNC path to the .bin file located on the deployment share.
If I work on local accounts I won't need Credential Guard and Device Guard, yes or no?
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-protection-limits
So, no. If you use only local accounts you don't need credential guard.
Regarding WDAC: It depends on whether you want to use it. WDAC is a very strong security feature which can protect you from many attack vectors, but it also needs a lot of knowledge to implement correctly. Also it does not work automatically, meaning you have to constantly refine it and alter it to your needs. Without a central management of some sort this will be hard to do.
The recommendation for combining it with AppLocker (Enterprise feature only) comes from the limitation of WDAC to only work on a system level. With AppLocker you can make user-based exceptions for whitelisting/blacklisting. Combining both is the best way for large enterprises.
- Mehdi_Sellami, Feb 27, 2021, Copper Contributor