This guide explains what Windows Device Guard is, how it protects enterprise devices, and how to check whether it is enabled or disabled. Detailed instructions are provided for checking Device Guard status, as well as troubleshooting information, and the implications of Device Guard being switched off.
What is Windows Device Guard?
Device Guard is Microsoft's name for a collection of Windows security features designed to protect against malware and other threats in enterprise and education environments by allowing only trusted, authorized applications and code to run. It was originally branded as a Windows 10 Enterprise and Education feature set, but its building blocks have since spread across editions: virtualization-based security and HVCI (memory integrity) are available on any current Windows 10 or 11 edition, including Home, and WDAC code integrity policies are supported on Pro as well as Enterprise and Education. The checks below therefore return results on most editions; what they tell you is which components are present and running on the machine, not whether a particular edition is licensed for a feature.
Device Guard is the umbrella under which several protections shipped; the configurable code integrity piece was later split out and renamed Windows Defender Application Control (WDAC, now also called App Control for Business), so WDAC is a component of Device Guard rather than the other way round. The components work at both the hardware and the software level: Virtualization-based Security (VBS) uses the hypervisor to isolate sensitive processes and secrets from the rest of the operating system; hypervisor-protected code integrity (HVCI, shown in the Windows Security app as memory integrity) runs the kernel-mode code integrity checks inside that isolated environment, so unsigned or untrusted drivers cannot load even if the kernel itself has been compromised; and WDAC code integrity policies, authored by the administrator, define which applications, scripts and drivers are allowed to run. Kernel Control Flow Guard (CFG), often listed alongside these, is a mitigation against control-flow hijacking (redirecting indirect calls to attacker-chosen code) rather than against code injection as such; HVCI strengthens it by protecting the kernel CFG bitmap in hypervisor-isolated memory.
These measures improve protection against malware, and allow administrators to ensure only code they authorize can be run on systems in their Windows Domain environment.
Why verifying Device Guard status matters
Device Guard complements Credential Guard in protecting enterprise Windows networks: Credential Guard isolates domain credentials in VBS, while Device Guard controls what code may run. The two differ in how they get switched on. Credential Guard is enabled by default on recent Windows 11 Enterprise and Education installations that meet the hardware requirements; a Device Guard application control policy never is, because someone has to author and deploy it.
Individual building blocks may nevertheless be on by default. HVCI (memory integrity) is enabled on new Windows 11 installations on capable hardware, so a system can report VBS as running with no WDAC policy in force. Checking the specific features you require, rather than a single overall status, is therefore the only reliable way to confirm that your configuration has taken effect across your Windows deployments.
Before Device Guard can be fully enabled, an administrator must create code integrity policies defining which code is authorized to run on the target devices; Microsoft's recommended practice is to deploy a new policy in audit mode first, review the blocked-execution events it logs, and only then switch it to enforced. Configuring these policies and enabling Device Guard across your Windows domain is beneficial for two primary reasons: it protects systems from malware and cyberattacks by preventing unauthorized code from executing, and it gives you control over what users can do with their machines by allowing only approved applications to run.
How to verify Device Guard status
The below methods can be used to check the status of Device Guard on a Windows Enterprise PC:
Checking Device Guard using Windows System Information (msinfo32)
To use the Windows System Information tool to verify Device Guard status, follow these steps:
- Right-click on the Start button and select Run
- Enter msinfo32 in the Run dialog and click OK
- In the left navigation panel, click System Summary
- In the right panel, scroll down to Virtualization-based security (labelled Device Guard Virtualization based security on older builds)
- If virtualization-based security is active, it will be listed as Running. This confirms VBS itself, not application control: look at the Virtualization-based security Services Running entry for Hypervisor enforced Code Integrity (and Credential Guard, if configured), and at the Windows Defender Application Control policy and Windows Defender Application Control user mode policy entries, which read Enforced, Audit or Off
The neighbouring entries, Required Security Properties, Available Security Properties and Services Configured, explain a status of Enabled but not running: a property the policy requires (for example Secure Boot or DMA protection) that is missing from the available list is the usual reason VBS or HVCI has not started.
Verifying Device Guard Using PowerShell commands
The Get-CimInstance PowerShell cmdlet can be used to check the status of Device Guard by running this command in a PowerShell prompt (an administrative prompt is not strictly required for reading the class, but use one so the result matches what an elevated tool would see):
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
This command returns the Win32_DeviceGuard instance, which lists the hardware security features available on the PC, those the configuration requires, the VBS services configured and running, and the enforcement state of kernel-mode and user-mode code integrity policies. The values are numeric codes rather than names, so the raw output needs decoding.
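The following script is an added example and is not part of the original article. It queries Win32_DeviceGuard and decodes the numeric codes into readable names using the value tables from Microsoft's Device Guard and Credential Guard documentation; the function and variable names are my own, and the two summary checks at the end reflect the distinction the article draws between VBS merely running and an application control policy actually being enforced.

```powershell
# Added example: decode the Win32_DeviceGuard properties into readable status.
# Code tables are those documented by Microsoft for this WMI class; the helper
# names ($vbsStatus, Convert-DeviceGuardCodes, ...) are assumptions of this example.

$vbsStatus = @{
    0 = 'VBS not enabled'
    1 = 'VBS enabled but not running'
    2 = 'VBS running'
}
$securityProperties = @{
    1 = 'Base virtualization support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
}
$securityServices = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced code integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM firmware measurement'
}
$ciEnforcement = @{
    0 = 'Off'
    1 = 'Audit'
    2 = 'Enforced'
}

# Translate an array of numeric codes into a comma-separated list of names.
# The CIM properties are UInt32, so cast to [int] before the hashtable lookup;
# otherwise 2 (Int32 key) and 2 (UInt32 value) do not compare equal.
function Convert-DeviceGuardCodes {
    param([uint32[]]$Codes, [hashtable]$Table)
    if (-not $Codes) { return 'None' }
    ($Codes | ForEach-Object {
        if ($Table.ContainsKey([int]$_)) { $Table[[int]$_] } else { "Unknown ($_)" }
    }) -join ', '
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

[pscustomobject]@{
    ComputerName                = $env:COMPUTERNAME
    VirtualizationBasedSecurity = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    RequiredSecurityProperties  = Convert-DeviceGuardCodes $dg.RequiredSecurityProperties $securityProperties
    AvailableSecurityProperties = Convert-DeviceGuardCodes $dg.AvailableSecurityProperties $securityProperties
    ServicesConfigured          = Convert-DeviceGuardCodes $dg.SecurityServicesConfigured $securityServices
    ServicesRunning             = Convert-DeviceGuardCodes $dg.SecurityServicesRunning $securityServices
    KernelModeCodeIntegrity     = $ciEnforcement[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCodeIntegrity       = $ciEnforcement[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
} | Format-List

# The two questions an administrator usually needs answered. A VBS status of
# "running" alone answers neither of them.
$hvciRunning  = $dg.SecurityServicesRunning -contains 2
$wdacEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2) -or
                ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
"HVCI running:          $hvciRunning"
"WDAC policy enforced:  $wdacEnforced"
```

A property that appears in RequiredSecurityProperties but not in AvailableSecurityProperties is the first thing to look at when VBS reports enabled but not running; the same script can be run remotely by passing -ComputerName to Get-CimInstance, which is how you would sweep a fleet.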
Verifying Device Guard on a single PC using Group Policy Editor
To verify whether Device Guard features are enabled via Local Group Policy, follow these steps:
- Start the Local Group Policy Editor by running gpedit.msc
- Go to Computer Configuration/Administrative Templates/System/Device Guard
- Check the state of the Device Guard policies: Turn On Virtualization Based Security (whose options include Select Platform Security Level, Virtualization Based Protection of Code Integrity, which is the HVCI setting, with or without UEFI lock, and Credential Guard Configuration) and Deploy Windows Defender Application Control, which points at the code integrity policy file to enforce
Note that Device Guard policies should be configured at the domain level. The Local Group Policy Editor shows only the local policy object, so on a domain-joined machine use it to check what the machine has locally, and rely on gpresult or RSoP to see the settings the domain actually delivered.
Confirming Group Policy changes have successfully enabled Device Guard
If you have recently changed Group Policy on your Windows domain and do not yet see the changes applied, run gpupdate /force on the affected machines and then reboot them: VBS and HVCI settings only take effect after a restart, and a WDAC policy is loaded at boot.
To confirm that Group Policy has delivered the Device Guard settings, run gpresult /h gpresult.html from an administrative PowerShell or command prompt and open the report; the Device Guard settings appear under Computer Configuration if the GPO applied. The Group Policy entries are written to the registry under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard, and comparing those values with the live state reported by Win32_DeviceGuard tells you whether a setting that was delivered has actually taken effect.
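As an added example, not from the original article, the script below reads the Device Guard values that the Group Policy ADMX writes to the Policies hive, reads the live state from Win32_DeviceGuard, and warns about the gap an administrator is usually hunting for: a setting that policy says is on but the machine reports as off. The registry value names are the ones the Device Guard policy templates use; the interpretation tables, the Resolve-Code helper and the warning text are my own.

```powershell
# Added example: compare the Device Guard settings delivered by Group Policy with
# what the machine is actually running. Value names under the Policies key are the
# ones written by the Device Guard ADMX; helper names are this example's own.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Warning "No Device Guard policy values under $policyKey. Either the GPO has not applied yet (try gpupdate /force) or this machine is not in its scope."
}

# Meaning of the DWORDs the policy writes.
$hvciPolicy     = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }
$platformPolicy = @{ 1 = 'Secure Boot'; 3 = 'Secure Boot and DMA protection' }
$onOff          = @{ 0 = 'Disabled'; 1 = 'Enabled' }

# Map a registry DWORD to its name, distinguishing "absent" from "set to 0".
function Resolve-Code {
    param($Value, [hashtable]$Table)
    if ($null -eq $Value) { return 'Not configured' }
    if ($Table.ContainsKey([int]$Value)) { $Table[[int]$Value] } else { "Unknown ($Value)" }
}

$configured = [pscustomobject]@{
    VirtualizationBasedSecurity = Resolve-Code $policy.EnableVirtualizationBasedSecurity $onOff
    PlatformSecurityLevel       = Resolve-Code $policy.RequirePlatformSecurityFeatures $platformPolicy
    HVCI                        = Resolve-Code $policy.HypervisorEnforcedCodeIntegrity $hvciPolicy
    DeployWDACPolicy            = Resolve-Code $policy.DeployConfigCIPolicy $onOff
    WDACPolicyPath              = if ($policy.ConfigCIPolicyFilePath) { $policy.ConfigCIPolicyFilePath } else { 'Not configured' }
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
$running = [pscustomobject]@{
    VBSRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    HVCIRunning  = ($dg.SecurityServicesRunning -contains 2)
    WDACEnforced = ($dg.CodeIntegrityPolicyEnforcementStatus -eq 2)
}

'Configured by Group Policy:'; $configured | Format-List
'Currently running:';          $running    | Format-List

# Configured-but-not-running is the condition worth alerting on.
if ($policy.EnableVirtualizationBasedSecurity -eq 1 -and -not $running.VBSRunning) {
    Write-Warning 'VBS is configured by policy but not running. Check that Secure Boot and virtualization are enabled in firmware and that the machine has rebooted since the policy applied.'
}
if ($policy.HypervisorEnforcedCodeIntegrity -ge 1 -and -not $running.HVCIRunning) {
    Write-Warning 'HVCI is configured by policy but not running. An incompatible kernel driver is the usual cause; review the Microsoft-Windows-CodeIntegrity/Operational event log.'
}
if ($policy.DeployConfigCIPolicy -eq 1 -and -not $running.WDACEnforced) {
    Write-Warning "A WDAC policy is configured ($($configured.WDACPolicyPath)) but kernel-mode code integrity is not reported as Enforced; the policy may be in audit mode or may have failed to load at boot."
}
```

The Policies hive reflects what Group Policy delivered, and Win32_DeviceGuard reflects what the hypervisor and kernel actually did with it after the last reboot; a machine that shows the first without the second has a hardware, firmware or driver problem rather than a policy problem.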
If Device Guard is causing compatibility issues (most often an older kernel driver that HVCI refuses to load, or an application that a WDAC policy blocks), you can exempt specific devices by filtering or unlinking the GPO for them, or switch the policy to audit mode while you gather the events needed to fix the rules. Two caveats apply. If HVCI was deployed as Enabled with UEFI lock, removing the Group Policy setting does not turn it off; the lock exists precisely so that an attacker with administrative rights cannot disable the protection remotely, and clearing it requires Microsoft's documented procedure plus a confirmation at the physical console during reboot. Disabling virtualization in the BIOS/UEFI instead will stop VBS, but it also takes down everything that depends on it, including Credential Guard, Hyper-V and WSL 2, so it should be a last resort rather than a troubleshooting shortcut.
Ensuring the security of fleets of Windows devices in the enterprise
Maintaining a strong security posture against cyber threats does not have to become harder as the number of machines you manage grows. Enforcing Windows security configurations, including enabling Device Guard and verifying its status, can be automated with NinjaOne endpoint management.
NinjaOne lets you manage and report on your Windows configurations from a centralized web interface that can deploy scripts, take inventory and assist with patch management. It also supports the administration of Linux, macOS, Android and Apple mobile devices, providing comprehensive monitoring, complete visibility and up-to-date insight into the status of your IT infrastructure.