Windows-Setup/Group Policies Objects/Device Guard.md

# Device Guard

`Computer Configuration\Administrative Templates\System\Device Guard`

- Turn On Virtualization Based Security -> Enabled (**Only do this if you are running Windows on bare metal or with nested virtualization**)

1. Select Platform Security Level: Secure Boot and DMA Protection
2. Virtualization Based Protection of Code Integrity: Enabled with UEFI lock
3. Credential Guard Configuration: Enabled with UEFI lock
4. Secure Launch Configuration: Enabled
5. Kernel-mode Hardware-enforced Stack Protection: Enabled in enforcement mode