How can IT enable Windows Defender Device Guard?
IT professionals should learn how they can enable Windows Defender Device Guard to take advantage of the numerous security features it offers for Windows 10 desktops.
Microsoft Windows Defender Device Guard offers a variety of capabilities, but IT professionals must enable Device Guard properly.
First, IT pros must ensure that the underlying hardware meets the minimum requirements for Device Guard. These include a 64-bit processor with virtualization extensions, such as Intel VT-x, AMD-V and extended page tables; Trusted Platform Module 2.0; Unified Extensible Firmware Interface (UEFI) 2.3.1.c or later with Secure Boot enabled; and Windows drivers that are compatible with Hypervisor Enforced Code Integrity.
In addition, IT must handle firmware updates through Windows Update, and the system must support Hardware Security Test Interface standards.
Enabling Windows Defender Device Guard
To enable Windows Defender Exploit Guard and Application Control features, IT can use desktop management tools including Group Policy, Microsoft System Center Configuration Manager, Windows PowerShell and Microsoft Intune.
The Windows Defender Device Guard features are virtualization-based, so IT must enable Hyper-V before deploying anything from Device Guard. For example, endpoints running Windows 10 Enterprise or Education editions can enable Hyper-V through the Windows Features dialog, which opens by typing "Turn Windows features on or off" in the Search dialog on the Taskbar.
After IT enables Hyper-V, it can open the Local Group Policy Editor -- gpedit.msc. Desktop administrators can launch the editor directly by typing "gpedit.msc" in the Run bar, or through Windows Search by typing "gpedit.msc" in the Search bar and selecting the corresponding applet from the results. If the file is not found, IT may need to install the Local Group Policy Editor.
Once the Local Group Policy Editor starts, desktop admins should navigate to the "Computer Configuration\Administrative Templates\System\Device Guard" key and locate the "Turn On Virtualization Based Security" policy entry. IT pros should double-click the entry, enable the desired feature and select options such as Secure Boot and UEFI lock. After configuring the features, IT pros should close the Local Group Policy Editor and restart the computer.
If administrators prefer to use Windows PowerShell to manage Windows Defender Device Guard features, Microsoft provides a Device Guard and Credential Guard hardware readiness tool, which runs a PowerShell script to check hardware and enable Device Guard.
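As an added example (not part of the original article and not Microsoft's readiness tool), the following PowerShell script can be run from an elevated prompt after the restart to confirm that the Group Policy setting actually took effect. It reads the Win32_DeviceGuard CIM class, checks Secure Boot and the TPM specification version, and warns when a hardware property the policy requires is unavailable; the helper name Resolve-Codes is made up for this example, and the code-to-name maps cover only a subset of the documented values.

```powershell
# Added example. Run from an elevated PowerShell prompt after the restart.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction Stop

# Code-to-name maps from Microsoft's Win32_DeviceGuard documentation (subset).
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
$ciState  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$services = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI' }
$hwProps  = @{ 0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }

function Resolve-Codes($Codes, $Map) {
    # Hypothetical helper: unknown codes stay visible as "code N" instead of being dropped.
    $names = foreach ($c in $Codes) {
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "code $c" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# Confirm-SecureBootUEFI throws on non-UEFI systems or without elevation; report that as off.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $false }

# Win32_Tpm.SpecVersion begins with the TPM family, for example "2.0, 0, 1.38".
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                       -ClassName Win32_Tpm -ErrorAction SilentlyContinue

[pscustomobject]@{
    VbsStatus          = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured = Resolve-Codes $dg.SecurityServicesConfigured $services
    ServicesRunning    = Resolve-Codes $dg.SecurityServicesRunning $services
    CodeIntegrity      = $ciState[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    HardwareRequired   = Resolve-Codes $dg.RequiredSecurityProperties $hwProps
    HardwareAvailable  = Resolve-Codes $dg.AvailableSecurityProperties $hwProps
    SecureBootOn       = $secureBoot
    TpmSpecVersion     = if ($tpm) { $tpm.SpecVersion } else { 'No TPM found' }
} | Format-List

# A policy that is applied but not running usually means a required property is unavailable.
$missing = @($dg.RequiredSecurityProperties |
    Where-Object { $_ -ne 0 -and $_ -notin $dg.AvailableSecurityProperties })
if ($missing) {
    Write-Warning ('Required but unavailable: ' + (Resolve-Codes $missing $hwProps))
}
if ($dg.VirtualizationBasedSecurityStatus -ne 2) {
    Write-Warning 'Virtualization-based security is not running on this endpoint.'
}
```

A VbsStatus of "Enabled, not running" together with a "Required but unavailable" warning points back to the hardware prerequisites listed earlier rather than to the policy setting itself.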