Feb 24 2021 03:46 PM - edited Feb 24 2021 04:15 PM
AMD Ryzen 7 4700U
I have upgraded the OS from Home to Pro to Enterprise, version 20H2.
Then I checked Hyper-V using the systeminfo.exe command from cmd.
The output was compatible:
64-bit processor with second-level address translation (SLAT) is enabled
Virtual Machine Monitor Mode Extensions is enabled
Virtualization Enabled In Firmware (this requires enabling in the BIOS)
Data Execution Prevention is enabled
I entered the BIOS by pressing F2.
For Hyper-V the BIOS has one line, which is: Virtualization Technology.
I have enabled it.
Now I have verified the Hyper-V requirements using the systeminfo command.
The result was: Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
Meaning, Hyper-V is detected, but!!!!!
I checked for Kernel DMA Protection in System Information.
What does it require?
The rule says that when you enable Virtualization Technology in the BIOS, Kernel DMA Protection is enabled automatically.
Why is Kernel DMA Protection off?
I tried Coreinfo64.exe
When Virtualization Technology is disabled in the BIOS,
coreinfo output:
HYPERVISOR - Hypervisor is present
SVM * Supports AMD hardware-assisted virtualization
NP * Supports AMD nested page tables (SLAT)
- : not enabled
* : SVM and SLAT mode is enabled
Again I checked Kernel DMA Protection - Kernel DMA Protection is off!!!
And when I enable Virtualization Technology in the BIOS:
coreinfo output:
HYPERVISOR * Hypervisor is present
SVM - Supports AMD hardware-assisted virtualization
NP - Supports AMD nested page tables (SLAT)
SVM and SLAT mode is disabled and Virtualization is enabled.
WHAT!!!!
Therefore, I cannot use Device Guard and Credential Guard.
Why is Kernel DMA Protection off?
The reason...
I have to check several things, and they are:
Secure boot enabled
TPM v2.0
Ensure boot is configured to use (UEFI)
OK, all steps are available.
There are requirements to look out for, and they are:
IOMMU (I/O Memory Management Unit)
Enabling Secure Virtual Machine Mode (SVM)
Or I looked for something called AMD-V
All of these steps require checking BIOS settings.
In the InsydeH20 BIOS configured on this device, these settings do not exist.
Why, when I enable Virtualization Technology in the BIOS, is
(SVM) disabled
(SLAT) disabled
and when I disable Virtualization Technology in the BIOS,
SVM and SLAT are enabled?
Is there an overlap (virtualization enabled on the Windows exe) or what?
I need to use Device Guard and Credential Guard.
Feb 25 2021 12:50 AM
Solution
You don't need Kernel DMA Protection for Device Guard.
What you need is:
That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processors:
Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.
To answer your other questions more directly:
Feb 25 2021 04:16 AM - edited Feb 25 2021 04:21 AM
I need Advanced protection with VBS to create isolation or virtual secure mode for user and kernel operations.
Feb 25 2021 04:28 AM - edited Feb 25 2021 04:29 AM
If you want to check if VBS is running use the following command in an administrative PowerShell console:
$dgstatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$dgstatus.VirtualizationBasedSecurityStatus
This will return a number from 0 to 2.
You can also type $dgstatus to see all information about device guard. You can find a description of all the values on this site:
Enable virtualization-based protection of code integrity - Windows security | Microsoft Docs
Feb 25 2021 04:40 AM
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
The output of this command:
AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 2
InstanceIdentifier : XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {1, 2}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2
PSComputerName
VirtualizationBasedSecurityStatus : 2
VBS is available and running.
Feb 25 2021 04:44 AM - edited Feb 25 2021 04:47 AM
SecurityServicesRunning : {1, 2}
This means that Credential Guard (1) and HVCI (2) are running too.
So you already have VBS, Credential Guard and HVCI running correctly.
Be aware that Credential Guard only protects domain credentials! It does not protect any other credentials, like, for example, local accounts. So if you want to use CG, make sure that you use only domain accounts and block any creation or usage of local accounts.
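The query above returns only numeric codes, and the later reply decodes just two of them by hand. The script below is an added example (not from this thread, not Microsoft's code) that runs the same Win32_DeviceGuard query and translates every code into a name, using the value tables from the Microsoft Docs page linked above; it also flags services that are configured but not running, which is the usual symptom when a firmware requirement such as DMA protection is missing.

```powershell
# Added example: decode Win32_DeviceGuard codes into names (tables follow the
# Microsoft Docs page "Enable virtualization-based protection of code integrity").
# Run in an elevated PowerShell console on the machine being checked.
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$ciStatus  = @{ 0 = 'off'; 1 = 'audit mode'; 2 = 'enforced' }
# SecurityServicesConfigured / SecurityServicesRunning codes
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)';
                3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
# AvailableSecurityProperties / RequiredSecurityProperties codes
$props     = @{ 1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                4 = 'Secure Memory Overwrite'; 5 = 'NX protections';
                6 = 'SMM mitigations'; 7 = 'MBEC/GMET' }

function ConvertTo-CodeNames {
    param([uint32[]]$Codes, [hashtable]$Map)
    # {0} or an empty list means "none"; codes not in the table are shown as-is
    $named = foreach ($c in $Codes) {
        if ($c -eq 0) { continue }
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "code $c" }
    }
    if ($named) { $named -join ', ' } else { 'none' }
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

[pscustomobject]@{
    VBS                   = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableProperties   = ConvertTo-CodeNames $dg.AvailableSecurityProperties $props
    RequiredProperties    = ConvertTo-CodeNames $dg.RequiredSecurityProperties  $props
    ServicesConfigured    = ConvertTo-CodeNames $dg.SecurityServicesConfigured  $services
    ServicesRunning       = ConvertTo-CodeNames $dg.SecurityServicesRunning     $services
    KernelCodeIntegrity   = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCodeIntegrity = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
} | Format-List

# A service that is configured (policy applied) but not running usually means a
# hardware or firmware requirement is unmet; the DeviceGuard operational log says which.
$configured = @($dg.SecurityServicesConfigured) | Where-Object { $_ -ne 0 }
foreach ($c in $configured) {
    if ($dg.SecurityServicesRunning -notcontains $c) {
        Write-Warning "$($services[[int]$c]) is configured but not running"
    }
}
# The state the thread is aiming for: VBS running with Credential Guard (1) and HVCI (2)
if ($dg.VirtualizationBasedSecurityStatus -eq 2 -and
    $dg.SecurityServicesRunning -contains 1 -and $dg.SecurityServicesRunning -contains 2) {
    'VBS, Credential Guard and HVCI are all running'
}
```

On the output posted above (SecurityServicesRunning {1, 2}, VirtualizationBasedSecurityStatus 2) the script prints the final success line, while AvailableProperties would show whether DMA protection (code 3) is among the properties the firmware exposes.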
Feb 25 2021 04:48 AM
Feb 25 2021 05:40 AM
Question: You have told me that if you want to use Credential Guard, it only protects domain credentials! It does not protect any other credentials.
Credential Guard helps protect user authentication and access tokens in the Local Security Authority Subsystem (LSASS) or Lsass.exe file from being stolen.
Without Credential Guard enabled, derived credentials such as Kerberos tickets and password hashes are stored in memory without the secure isolated protection of a VBS hypervisor and are vulnerable to password-stealing malware.
With Credential Guard enabled, credentials are stored in a protected isolated process called Lsaiso.exe.
Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).
Meaning, I do not enable Credential Guard with Group Policy or with MDM (Intune) (local accounts):
Computer Configuration > Policies > Administrative Templates > System > Device Guard.
Open Turn on Virtualization Based Security and choose Enabled (radio button).
Select Platform Security Level: Secure Boot and DMA Protection.
Credential Guard Configuration: Enabled with or without UEFI lock.
If I use Device Guard, which is used to determine what applications can run on your Windows systems (Microsoft recommends a combination of WDAC and AppLocker):
Enabling Device Guard and Windows Defender Application Control with Group Policy
Computer Configuration > Policies > Administrative Templates > System > Device Guard.
Deploy Code Integrity Policy and enable it.
Enter the UNC path to the .bin file located on the deployment share.
If I work on local accounts, I won't need Credential Guard and Device Guard.
Yes or no?