SOLVED

Kernal DMA Protection in dell inspiron 14 5405

Copper Contributor

AMD Ryzen 7 4700U

 

I have upgraded the OS from home to pro to Enterprise version 20H2


Then I checked the Hyper-V using the systeminfo.exe command from cmd

The output was compatible:

64-bit processor with second-level address translation (SLAT) is enable

Virtual Machine Monitor Mode Extensions is enable

Virtualization Enabled In Firmware (These require enabling from bios)

Data Execution Prevention is enable

I entered the bios by pressing F2

For Hyper-V the BIOS has one line which is: Virtualization Technology

I have enabling it.

Now I have verified Hyper-V requires using the system info command

The result was Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Meaning, Hyper-V is detected but!!!!!

 

I check for kernel dma protection in system information

 

What does it require?

 

The rule says that when you enabling Virtualization Technology on bios , kernel Dma protection is enabling Automatically.

 

Why kernel dma protection is off?


I tried Coreinfo64.exe


When disable Virtualization Technology on bios

 

coreinfo Output:


HYPERVISOR - Hypervisor is present

SVM * Supports AMD hardware-assisted virtualization
NP * Supports AMD nested page tables (SLAT)


- : not enable 
* : SVM and slat mode is enable

 

Again check kernel dma protection - kernel dma protection is off !!!

And when I enabling Virtualization Technology from the bios:

 

coreinfo Output:

 

HYPERVISOR * Hypervisor is present

SVM - Supports AMD hardware-assisted virtualization
NP - Supports AMD nested page tables (SLAT)


SVM and slat mode is disable and Virtualization  is enable

 

WHAT!!!!

Therefore, I cannot use Device Guard and Credential Guard.

 

Why kernel dma protection is off?

 

The reason...

 

I have to check several things, and they are:

 

Secure boot enabled

TPM v2.0

Ensure boot is configured to use (UEFI)

 

OK All steps are available

 

There are requirements to look out for and they are :

 

IOMMU i/o Memory Management Unit

Enabling Secure Virtual Machine Mode (Svm)

Or I looked for something called AMD-V

 

All of these steps require checking bios settings

 

In the bios configured insydeh20 on this device, these settings do not exist

 

Why I'm enabling Virtualization Technology from the bios

 

(Svm) disable

(SLAT) is disable

 

And when I disable Virtualization Technology from the bios

 

Svm and slat is enable

 

Is there an overlap (Virtual enable on exe windows) or what

 

I need to use Device Guard and Credential Guard

9 Replies
best response confirmed by Mehdi_Sellami (Copper Contributor)
Solution

You don't need Kernel DMA Protection for Device Guard.

What you need is:

  • 64-bit CPU
  • SLAT
  • IOMMU (Intel-VT-D or AMD-Vi)
  • TPM 2.0
  • SMM Protection (Firmware)
  • UEFI Memory Reporting
  • MOR2
  • HVCI compatible drivers

That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processort:

AMD PRO Security | AMD

 

Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.

 

To answer your other questions more directly:

  • kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt,...). It needs support from your hardware (CPU, Mainboard, Firmware) to work and is not tied to device guard or credential guard. It needs VBS to work correctly, but it is not needed for VBS.
  • coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in and administrative prompt, but even then, all the virtualization informations are not reliable when virtualization is running.
  • I'm not sure if you really want device guard (a collection of features that prevents code from running on your machine) or if you just want VBS.

@Mehdi_Sellami 

I need Advanced protection with VBS to create isolation or virtual secure mode for user and kernel operations.

 

@dretzer 

If you want to check if VBS is running use the following command in an administrative PowerShell console:

 

 

$dgstatus = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
$dgstatus.VirtualizationBasedSecurityStatus

 

This will return a number from 0 to 2.

  • 0 = VBS not available
  • 1 = VBS available but not running
  • 2 = VBS available and running

You can also type $dgstatus to see all information about device guard. You can find a description of all the values on this site:

Enable virtualization-based protection of code integrity - Windows security | Microsoft Docs

 

@Mehdi_Sellami 

 

Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard

 

The output of this command:

AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 2
InstanceIdentifier : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {1, 2}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2
PSComputerName

 

VirtualizationBasedSecurityStatus : 2

 VBS available and running

 

@dretzer 

 

 

 

SecurityServicesRunning : {1, 2}

 

This means that credential guard (1) and HVCI (2) is running too.

So you already have VBS, Credential Guard and HVCI running correctly.

 

Be aware that credential guard only protects domain credentials! It does not protect any other credentials, like for example, local accounts. So if you want to use CG, make sure that you use only domain accounts and block any creation or usage of local accounts.

@Mehdi_Sellami 

Thank you, sir.
You helped me.

 

@dretzer 

Question: You have told me if you want to use Credential Guard

only protects domain credentials! It does not protect any other credentials.

 

Credential Guard helps protect user authentication and access tokens in the Local
Security Authority Subsystem (LSASS) or Lsass.exe file from being stolen.

Without Credential Guard enabled, derived credentials such as Kerberos tickets and password hashes are stored in memory without the secure isolated protection of a VBS hypervisor and are vulnerable to password stealing malware.

With Credential Guard enabled, credentials are stored in a protected isolated process called Lsaiso.exe.

Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).

 

Meaning, I do not enable Enabling Credential Guard with Group Policy or with MDM (Intune) (local accounts) 

Computer Configuration > Policies > Administrative Templates > System> Device Guard.

Open Turn on Virtualization Based Security and choose Enabled (radio button).

Select Platform Security Level: Secure Boot and DMA Protection
Credential Guard Configuration: Enabled with or without UEFI lock

 

If I using a device Gurad which are used to determine what applications can run on your Windows systems (Microsoft recommends a combination of WDAC and AppLocker)

 

Enabling Device Guard and Windows Defender Application Control with Group Policy

 

 Computer Configuration > Policies > Administrative Templates > System> Device Guard.

Deploy Code Integrity Policy and Enable it.
Enter the UNC path to the .bin file located on the deployment share

 

If I work on local accounts I won't need Credential Guard and Device Gurad 

 

yes or no

 

 

@dretzer 

You can read about the limitations of credential guard here:
https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-gu...

So, no. If you use only local accounts you don't need credential guard.
Regarding WDAC: It depends if you want to use it. WDAC ist a very strong security feature which can protect you from many attack vectors, but it also needs a lot of knowledge to implement correctly. Also it does not work automatically, meaning you have to constantly refine it and alter it to your needs. Without a central management of some sort this will be hard to do.
The recommendation for combining it with Applocker (Enterprise feature only) comes from the limitation of WDAC to only work on a system level. With Applocker you can make user-based exceptions for whitelisting/blacklisting. Combining both is the best way for large enterprises.
1 best response

Accepted Solutions
best response confirmed by Mehdi_Sellami (Copper Contributor)
Solution

You don't need Kernel DMA Protection for Device Guard.

What you need is:

  • 64-bit CPU
  • SLAT
  • IOMMU (Intel-VT-D or AMD-Vi)
  • TPM 2.0
  • SMM Protection (Firmware)
  • UEFI Memory Reporting
  • MOR2
  • HVCI compatible drivers

That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processort:

AMD PRO Security | AMD

 

Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.

 

To answer your other questions more directly:

  • kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt,...). It needs support from your hardware (CPU, Mainboard, Firmware) to work and is not tied to device guard or credential guard. It needs VBS to work correctly, but it is not needed for VBS.
  • coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in and administrative prompt, but even then, all the virtualization informations are not reliable when virtualization is running.
  • I'm not sure if you really want device guard (a collection of features that prevents code from running on your machine) or if you just want VBS.

@Mehdi_Sellami 

View solution in original post