Skip to content

Device Guard configuration (Windows policy)


This configuration doesn’t apply to Windows Pro, Windows Home, or Windows in S mode.

With the Device Guard configuration you configure virtualization-based security (VBS) on Windows computers.


All settings are applied the first time the Windows computer starts after the policy has been assigned.

Setting Description
Turn on virtualization-based security (VBS) Virtualization-based security (VBS) is turned on.
Credential Guard configuration
  • Turn off: Turn off Credential Guard.

    This doesn’t work if Credential Guard was turned on using the Turn on with UEFI lock option.

  • Turn on with UEFI lock: Turn on Credential Guard and ensure that it can’t be turned off remotely.

    Credential Guard can only be turned off again in the BIOS settings, requiring physical access to the computer.

  • Turn on without lock: Turn on Credential Guard.

    Credential Guard can be turned off again with the Turn off option, or with a Windows Group Policy.

Platform security level
  • Secure Boot: VBS is turned on with as much protection as is supported by the computer’s hardware.

    If the computer doesn’t have input/output memory management units (IOMMUs), VBS uses the Secure Boot UEFI feature.

    If the computer has IOMMUs, VBS uses Secure Boot with direct memory access (DMA) protection.

  • Secure Boot and DMA protection: VBS uses Secure Boot with direct memory access (DMA) protection.

    VBS is not turned on if the computer doesn’t support DMA.