Virtualization-based protection of code integrity must be enabled.

An XCCDF Rule

Description

<VulnDiscussion>Virtualization-based protection of code integrity enforces kernel mode memory protections as well as protecting Code Integrity validation paths. This isolates the processes from the rest of the operating system and can only be accessed by privileged system software.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-253371r991589_rule
Severity: Medium
References: CCI-000366
Updated: 17 days ago

Virtualization-based security currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.

For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On virtualization-based Security" to "Enabled" with "Enabled with UEFI lock" or "Enabled without lock" selected for "virtualization-based Protection of Code Integrity:".
"Enabled with UEFI lock" is preferred as more secure, however it cannot be turned off remotely through a group policy change if there is an issue.

"Enabled without lock" will allow this to be turned off remotely while testing for issues.

Virtualization-based protection of code integrity must be enabled.

Description

Remediation - Manual Procedure