Device Guard lets you lock down the system to run trusted applications only. Follow these steps to enable Device Guard in Windows 10.
One of the more interesting features of Windows is Device Guard. It is designed for enterprises where security and control are the top requirements. When enabled and configured properly, it lets admins restrict the system to running only trusted applications. Admins define what counts as a trusted application through rules called code integrity policies; an application that is not covered by the policy will not run, no matter what the user does.
Since Device Guard combines hardware and software security features and runs in a hypervisor-protected container alongside the Windows kernel, its restrictions are very hard to bypass. So, in this quick guide, let me show you the steps to enable Device Guard, and to disable it when needed.
To enable and use Device Guard, your system needs to meet specific hardware and software requirements. They are as follows.
- Hardware requirements: Microsoft has a great page listing all the specific hardware requirements. Do take a look at it.
- Software requirements: You should be running the Enterprise or Education edition of Windows. If you are using another edition such as Home or Pro, your system is not compatible.
Steps to Enable Device Guard (GPO)
The steps to enable the Device Guard feature are pretty simple and straightforward. Do keep in mind that your system should meet all the requirements listed above.
1. The first thing we need to do is to enable Hyper-V Hypervisor. To do that, open the start menu, search for "Turn Windows Features On or Off" and click on the search result.
2. In the Windows Features panel, scroll down, expand "Hyper-V → Hyper-V Platform" and select the "Hyper-V Hypervisor" checkbox. Click on the "Ok" button to save the changes.
3. Now, Windows will make the necessary changes. Reboot Windows to apply the changes.
4. Next, open the start menu, search for "gpedit.msc" and click on the search result to open the Group Policy Editor.
5. In the Group Policy Editor, go to the following folder.
Computer Configuration → Administrative Templates → System → Device Guard
6. On the right panel, find and double click on the "Turn On Virtualization Based Security" group policy object.
7. In the properties window, select the "Enabled" option. This enables three to four additional settings under the "Options" panel.
8. From the available dropdown menus, choose the appropriate options.
If you need more information about what each option does, take a look at the "Help" panel on the right of the properties window. It describes each option in detail.
9. Once you are done configuring, click on the "Apply" and "Ok" buttons.
10. Reboot Windows.
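After the reboot it is worth confirming that the policy actually took effect, because the GPO can report "Enabled" while Virtualization Based Security silently fails to start on hardware that misses a requirement. The following PowerShell script is an added example and not part of the original article or of any Microsoft documentation; it checks the Hyper-V Hypervisor feature from steps 1-3, the registry values the "Turn On Virtualization Based Security" policy writes, and the runtime state reported by the Win32_DeviceGuard WMI class. The value meanings in the lookup tables are Microsoft's documented ones; the helper function name is my own. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): verify what state Device Guard / VBS is
# in after the Group Policy steps above. Requires an elevated PowerShell session.

# Turns the numeric service codes reported by Win32_DeviceGuard into names.
# Helper name is my own; the code-to-name mapping is Microsoft's documented one.
function ConvertTo-ServiceNames {
    param([uint32[]] $Codes)
    $services = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (HVCI)'
                   3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    $names = foreach ($c in $Codes) {
        if ($services.ContainsKey([int]$c)) { $services[[int]$c] } else { "unknown ($c)" }
    }
    if ($names) { $names -join ', ' } else { '(none)' }
}

# 1. Was the Hyper-V Hypervisor feature enabled (steps 1-3)?
$hv = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Hypervisor
"Hyper-V Hypervisor feature        : $($hv.State)"

# 2. What did the GPO write? The "Turn On Virtualization Based Security" policy
#    stores its settings under this key; the key is absent when Not Configured.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
if (Test-Path $policyKey) {
    $p = Get-ItemProperty -Path $policyKey
    "EnableVirtualizationBasedSecurity : $($p.EnableVirtualizationBasedSecurity)"
    "RequirePlatformSecurityFeatures   : $($p.RequirePlatformSecurityFeatures)"
    "HypervisorEnforcedCodeIntegrity   : $($p.HypervisorEnforcedCodeIntegrity)"
    "LsaCfgFlags (Credential Guard)    : $($p.LsaCfgFlags)"
} else {
    "Policy key not present: the GPO is Not Configured or not yet applied (try gpupdate /force, then reboot)."
}

# 3. What is actually running after the reboot? This is the authoritative check.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$ciStatus  = @{ 0 = 'Off'; 1 = 'Audit mode'; 2 = 'Enforced' }

"Virtualization Based Security     : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Security services configured      : $(ConvertTo-ServiceNames $dg.SecurityServicesConfigured)"
"Security services running         : $(ConvertTo-ServiceNames $dg.SecurityServicesRunning)"
"Kernel-mode CI policy             : $($ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus])"
"User-mode CI policy               : $($ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus])"

# The common gap: policy says Enabled, but VBS reports 1 ("enabled but not
# running"), which means a hardware or firmware requirement (UEFI, Secure Boot,
# IOMMU, ...) from the requirements list is missing on this machine.
if ($dg.VirtualizationBasedSecurityStatus -eq 1) {
    Write-Warning 'VBS is configured but not running; re-check the hardware requirements listed above.'
}
```

Compare the "configured" and "running" lines: a service that appears in the first but not the second is the one whose prerequisite is missing. Until the code integrity policy from the next section is deployed, both CI policy lines are expected to read "Off".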
After enabling Device Guard, you still need to configure the code integrity policies that define which applications are trusted. I recommend you get started with this Microsoft guide.
Steps to Disable
If you want to disable the Device Guard feature, simply select "Disabled" or "Not Configured" in the policy properties window (see step 7) and reboot.
That is it. I hope that helps. If you are stuck or need some help, comment below and I will try to help as much as possible. If you like this article, do check out how to enable ransomware protection in Windows 10 to protect your data from ransomware.