Microsoft Technical Takeoff: Windows and Microsoft Intune
Oct 24 2022 07:00 AM - Oct 27 2022 12:00 PM (PDT)

Kernal DMA Protection in dell inspiron 14 5405

Occasional Contributor

AMD Ryzen 7 4700U


I have upgraded the OS from home to pro to Enterprise version 20H2

Then I checked the Hyper-V using the systeminfo.exe command from cmd

The output was compatible:

64-bit processor with second-level address translation (SLAT) is enable

Virtual Machine Monitor Mode Extensions is enable

Virtualization Enabled In Firmware (These require enabling from bios)

Data Execution Prevention is enable

I entered the bios by pressing F2

For Hyper-V the BIOS has one line which is: Virtualization Technology

I have enabling it.

Now I have verified Hyper-V requires using the system info command

The result was Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.

Meaning, Hyper-V is detected but!!!!!


I check for kernel dma protection in system information


What does it require?


The rule says that when you enabling Virtualization Technology on bios , kernel Dma protection is enabling Automatically.


Why kernel dma protection is off?

I tried Coreinfo64.exe

When disable Virtualization Technology on bios


coreinfo Output:

HYPERVISOR - Hypervisor is present

SVM * Supports AMD hardware-assisted virtualization
NP * Supports AMD nested page tables (SLAT)

- : not enable 
* : SVM and slat mode is enable


Again check kernel dma protection - kernel dma protection is off !!!

And when I enabling Virtualization Technology from the bios:


coreinfo Output:


HYPERVISOR * Hypervisor is present

SVM - Supports AMD hardware-assisted virtualization
NP - Supports AMD nested page tables (SLAT)

SVM and slat mode is disable and Virtualization  is enable



Therefore, I cannot use Device Guard and Credential Guard.


Why kernel dma protection is off?


The reason...


I have to check several things, and they are:


Secure boot enabled

TPM v2.0

Ensure boot is configured to use (UEFI)


OK All steps are available


There are requirements to look out for and they are :


IOMMU i/o Memory Management Unit

Enabling Secure Virtual Machine Mode (Svm)

Or I looked for something called AMD-V


All of these steps require checking bios settings


In the bios configured insydeh20 on this device, these settings do not exist


Why I'm enabling Virtualization Technology from the bios


(Svm) disable

(SLAT) is disable


And when I disable Virtualization Technology from the bios


Svm and slat is enable


Is there an overlap (Virtual enable on exe windows) or what


I need to use Device Guard and Credential Guard

9 Replies
best response confirmed by Mehdi_Sellami (Occasional Contributor)

You don't need Kernel DMA Protection for Device Guard.

What you need is:

  • 64-bit CPU
  • SLAT
  • IOMMU (Intel-VT-D or AMD-Vi)
  • TPM 2.0
  • SMM Protection (Firmware)
  • UEFI Memory Reporting
  • MOR2
  • HVCI compatible drivers

That said, I'm not sure if your AMD CPU even supports Device Guard. It should support virtualization, and I'm not firm with AMD CPUs for enterprise usage. According to AMD they support all Secure-Core-PC features (among those Device Guard) with their AMD Pro series of processort:

AMD PRO Security | AMD


Also Credential Guard needs Windows 10 Enterprise. You cannot use it with Windows 10 Pro. You can still use Device Guard (though you may have to do some pre-configuration on a different Windows 10 Enterprise installation) and you can use VBS with or without HVCI.


To answer your other questions more directly:

  • kernel DMA protection is an additional hardware feature and protects especially from DMA-device security issues (PCIe, Thunderbolt,...). It needs support from your hardware (CPU, Mainboard, Firmware) to work and is not tied to device guard or credential guard. It needs VBS to work correctly, but it is not needed for VBS.
  • coreinfo gives you wrong information because when you run a hypervisor some queries are not returned correctly from the CPU. Make sure you run coreinfo in and administrative prompt, but even then, all the virtualization informations are not reliable when virtualization is running.
  • I'm not sure if you really want device guard (a collection of features that prevents code from running on your machine) or if you just want VBS.


I need Advanced protection with VBS to create isolation or virtual secure mode for user and kernel operations.



If you want to check if VBS is running use the following command in an administrative PowerShell console:



$dgstatus = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard


This will return a number from 0 to 2.

  • 0 = VBS not available
  • 1 = VBS available but not running
  • 2 = VBS available and running

You can also type $dgstatus to see all information about device guard. You can find a description of all the values on this site:

Enable virtualization-based protection of code integrity - Windows security | Microsoft Docs




Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard


The output of this command:

AvailableSecurityProperties : {1, 2, 3, 4...}
CodeIntegrityPolicyEnforcementStatus : 2
RequiredSecurityProperties : {0}
SecurityServicesConfigured : {0}
SecurityServicesRunning : {1, 2}
UsermodeCodeIntegrityPolicyEnforcementStatus : 0
Version : 1.0
VirtualizationBasedSecurityStatus : 2


VirtualizationBasedSecurityStatus : 2

 VBS available and running






SecurityServicesRunning : {1, 2}


This means that credential guard (1) and HVCI (2) is running too.

So you already have VBS, Credential Guard and HVCI running correctly.


Be aware that credential guard only protects domain credentials! It does not protect any other credentials, like for example, local accounts. So if you want to use CG, make sure that you use only domain accounts and block any creation or usage of local accounts.


Thank you, sir.
You helped me.



Question: You have told me if you want to use Credential Guard

only protects domain credentials! It does not protect any other credentials.


Credential Guard helps protect user authentication and access tokens in the Local
Security Authority Subsystem (LSASS) or Lsass.exe file from being stolen.

Without Credential Guard enabled, derived credentials such as Kerberos tickets and password hashes are stored in memory without the secure isolated protection of a VBS hypervisor and are vulnerable to password stealing malware.

With Credential Guard enabled, credentials are stored in a protected isolated process called Lsaiso.exe.

Pass-the-Hash (PtH) and Pass-the-Ticket (PtT).


Meaning, I do not enable Enabling Credential Guard with Group Policy or with MDM (Intune) (local accounts) 

Computer Configuration > Policies > Administrative Templates > System> Device Guard.

Open Turn on Virtualization Based Security and choose Enabled (radio button).

Select Platform Security Level: Secure Boot and DMA Protection
Credential Guard Configuration: Enabled with or without UEFI lock


If I using a device Gurad which are used to determine what applications can run on your Windows systems (Microsoft recommends a combination of WDAC and AppLocker)


Enabling Device Guard and Windows Defender Application Control with Group Policy


 Computer Configuration > Policies > Administrative Templates > System> Device Guard.

Deploy Code Integrity Policy and Enable it.
Enter the UNC path to the .bin file located on the deployment share


If I work on local accounts I won't need Credential Guard and Device Gurad 


yes or no




You can read about the limitations of credential guard here:

So, no. If you use only local accounts you don't need credential guard.
Regarding WDAC: It depends if you want to use it. WDAC ist a very strong security feature which can protect you from many attack vectors, but it also needs a lot of knowledge to implement correctly. Also it does not work automatically, meaning you have to constantly refine it and alter it to your needs. Without a central management of some sort this will be hard to do.
The recommendation for combining it with Applocker (Enterprise feature only) comes from the limitation of WDAC to only work on a system level. With Applocker you can make user-based exceptions for whitelisting/blacklisting. Combining both is the best way for large enterprises.