Virtualization Based Security must be enabled with the platform security level configured to Secure Boot with DMA Protection.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-63595	WN10-CC-000070	SV-78085r1_rule		Medium

Description
Virtualization Based Security (VBS) provides the platform for the additional security features, Credential Guard and Virtualization based protection of code integrity. Secure Boot is the minimum security level with DMA protection providing additional memory protection.

STIG	Date
Windows 10 Security Technical Implementation Guide	2015-11-30

Details

Check Text ( C-64345r2_chk )
Confirm Virtualization Based Security has been enabled with Secure Boot and DMA Protection on domain-joined systems. For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V. Run "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "RequiredSecurityProperties" does not include a value of "3" (e.g., "{1, 2, 3}"), this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Available Security Properties" does not list "Base Virtualization Support, Secure Boot, DMA Protection", this is finding. The policy settings referenced in the Fix section will configure the following registry values. However due to hardware requirements, the registry values alone do not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: EnableVirtualizationBasedSecurity Value Type: REG_DWORD Value: 1 Value Name: RequirePlatformSecurityFeatures Value Type: REG_DWORD Value: 3 A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link. https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx

Check Text ( C-64345r2_chk )

Confirm Virtualization Based Security has been enabled with Secure Boot and DMA Protection on domain-joined systems.
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V.

Run "PowerShell" with elevated privileges (run as administrator).
Enter the following:
"Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard"

If "RequiredSecurityProperties" does not include a value of "3" (e.g., "{1, 2, 3}"), this is a finding.

Alternately:

Run "System Information".
Under "System Summary", verify the following:
If "Device Guard Available Security Properties" does not list "Base Virtualization Support, Secure Boot, DMA Protection", this is finding.

The policy settings referenced in the Fix section will configure the following registry values. However due to hardware requirements, the registry values alone do not ensure proper function.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\

Value Name: EnableVirtualizationBasedSecurity
Value Type: REG_DWORD
Value: 1

Value Name: RequirePlatformSecurityFeatures
Value Type: REG_DWORD
Value: 3

A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link.
https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx

Fix Text (F-69525r2_fix)
For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V. Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot and DMA Protection" selected. A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link. https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx

Fix Text (F-69525r2_fix)

For standalone systems, this is NA. For virtual desktop implementations (VDI) that are dynamically generated at user log on and deleted at log off, and cannot meet the supporting requirements, this is NA. Supporting requirements include TPM, UEFI with Secure Boot and Hyper-V.

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot and DMA Protection" selected.

A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link.
https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx