Introduction to Device Guard
Device Guard is a set of hardware and software security features in Windows Server 2019 that locks down a device to run only trusted applications and drivers. It consists of two main components: Virtualization-Based Code Integrity (HVCI, also called Memory Integrity), which uses Hyper-V to protect the kernel from unsigned or malicious drivers and code, and Windows Defender Application Control (WDAC), which enforces policies about which applications are allowed to run. Together, these features prevent malware, ransomware, and advanced persistent threats from executing on protected systems. This tutorial covers enabling HVCI and the Device Guard deployment workflow on Windows Server 2019.
Device Guard Components
Hypervisor-Protected Code Integrity (HVCI) runs the Windows kernel code integrity checks inside a VBS (Virtualization-Based Security) enclave, preventing kernel-mode attacks from bypassing them. Unsigned or improperly signed drivers are blocked from loading, which stops many rootkits and driver-based exploits. Windows Defender Application Control (WDAC) operates at the user level, controlling which executables, scripts, and packaged apps are allowed to run based on configurable policies. Device Guard also includes Secure Boot configuration to prevent boot-level tampering.
Hardware Requirements
Device Guard (specifically HVCI) requires the same hardware as Credential Guard: a 64-bit CPU with virtualization extensions and SLAT, UEFI 2.3.1+ with Secure Boot, TPM 1.2 or 2.0, and IOMMU virtualization (Intel VT-d or AMD-Vi) for DMA protection. Verify hardware readiness before deployment.
# Check that virtualization extensions are enabled in firmware (this does not prove IOMMU support; the readiness tool does)
Get-WmiObject -Namespace root\cimv2 -Class Win32_Processor |
    Select-Object Name, VirtualizationFirmwareEnabled
# Run the Device Guard Readiness Tool
DG_Readiness_Tool_v3.6.ps1 -Ready
Enabling HVCI via Group Policy
Enable HVCI (Virtualization-Based Code Integrity) through the same Group Policy setting used for Credential Guard. Navigate to Computer Configuration > Policies > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security. Enable the policy and set “Virtualization Based Protection of Code Integrity” to “Enabled with UEFI lock” or “Enabled without lock”.
gpmc.msc
Enabling HVCI via Registry
Configure HVCI directly via registry for immediate testing on a single server.
# Enable VBS
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord
# Platform security level: 1 = Secure Boot only, 3 = Secure Boot and DMA protection
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "RequirePlatformSecurityFeatures" -Value 3 -Type DWord
# Enable HVCI (Memory Integrity). Enabled = 1 turns it on; the UEFI lock is a separate
# "Locked" DWORD (1 = locked) under the same key, not a different Enabled value.
# The Scenarios subkey may not exist yet, so create it first (-Force on Set-ItemProperty does not create keys).
$hvciKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
New-Item -Path $hvciKey -Force | Out-Null
Set-ItemProperty -Path $hvciKey -Name "Enabled" -Value 1 -Type DWord -Force
Restart the server after making these changes. HVCI initializes during the VBS startup phase of the boot process.
Verifying HVCI Status
After rebooting, verify HVCI is running using the WMI query or the System Information tool.
$dg = Get-WmiObject -Namespace root\Microsoft\Windows\DeviceGuard -Class Win32_DeviceGuard
Write-Host "VBS Status: $($dg.VirtualizationBasedSecurityStatus)"
Write-Host "Security Services Running: $($dg.SecurityServicesRunning)"
Write-Host "Security Services Configured: $($dg.SecurityServicesConfigured)"
# SecurityServicesRunning values: 2 = HVCI running, 1 = Credential Guard running
if ($dg.SecurityServicesRunning -contains 2) {
    Write-Host "HVCI (Memory Integrity) is RUNNING" -ForegroundColor Green
}
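The readiness check and the post-reboot verification both read the same WMI class, so the following added example (not part of the original tutorial) decodes every numeric field of Win32_DeviceGuard into readable names and reports which platform security properties the policy requires but the hardware does not offer. The numeric-to-name mappings are the ones Microsoft documents for this class; Get-CimInstance is used in place of the deprecated Get-WmiObject.

```powershell
# Added example: decode Win32_DeviceGuard into a readiness/verification report.
# Code mappings follow Microsoft's documentation for the Win32_DeviceGuard class.
$vbsStatus  = @{ 0 = 'VBS not enabled'; 1 = 'VBS enabled, not running'; 2 = 'VBS enabled and running' }
$services   = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Memory Integrity)'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$properties = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'UEFI code read-only'
    6 = 'SMM Security Mitigations 1.0'; 7 = 'Mode Based Execution Control'; 8 = 'APIC virtualization'
}
$ciStatus   = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# Translate an array of numeric codes into a comma-separated list of names.
function Resolve-Codes([int[]]$Codes, [hashtable]$Map) {
    if (-not $Codes -or $Codes.Count -eq 0) { return '(none)' }
    ($Codes | ForEach-Object { if ($Map.ContainsKey($_)) { $Map[$_] } else { "Unknown($_)" } }) -join ', '
}

function Get-DeviceGuardReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $required  = @($dg.RequiredSecurityProperties)
    $available = @($dg.AvailableSecurityProperties)
    # Properties the configured policy demands (e.g. DMA protection) that the platform does not report:
    # each one is a reason HVCI may be "configured" but never "running".
    $missing = @($required | Where-Object { $_ -ne 0 -and $_ -notin $available })
    [PSCustomObject]@{
        VBSStatus             = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties   = Resolve-Codes $available $properties
        RequiredProperties    = Resolve-Codes $required $properties
        MissingProperties     = Resolve-Codes $missing $properties
        ServicesConfigured    = Resolve-Codes @($dg.SecurityServicesConfigured) $services
        ServicesRunning       = Resolve-Codes @($dg.SecurityServicesRunning) $services
        KernelCIEnforcement   = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCIEnforcement = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        HVCIRunning           = [bool]($dg.SecurityServicesRunning -contains 2)
    }
}

Get-DeviceGuardReport | Format-List
```

Run it before the registry or Group Policy change to confirm the hardware offers Hypervisor support, Secure Boot and DMA protection, and again after the reboot: a report showing HVCI under ServicesConfigured but not ServicesRunning, with a non-empty MissingProperties line, points at a platform requirement rather than a policy mistake.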
Auditing Incompatible Drivers
HVCI blocks drivers that are not compatible with the stricter code integrity requirements. Before enabling HVCI in enforcement mode, run the compatibility check to identify problematic drivers. Enable HVCI audit mode first to identify issues without enforcing.
# Check for HVCI incompatible drivers in the event log
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
    StartTime = (Get-Date).AddDays(-7)
} | Where-Object { $_.Id -in @(3065, 3066) } |
    Select-Object TimeCreated, Id, Message | Format-List
# Use the DG Readiness Tool in Driver Compat mode
DG_Readiness_Tool_v3.6.ps1 -HVCI_Capable
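A week of Code Integrity events can repeat the same driver hundreds of times, so the audit is easier to act on as one row per driver. The following added example (not from the original tutorial) does that: it filters on the event IDs the tutorial watches, pulls every .sys path out of each message, and groups by driver with first/last seen times. The sample events at the top are constructed so the function can be exercised on a machine with an empty log; the message wording in them is illustrative, not the real event text.

```powershell
# Added example: summarise Code Integrity driver events into a per-driver fix list.

# Constructed sample events standing in for Get-WinEvent output (not real log text).
$sampleEvents = @(
    [PSCustomObject]@{ TimeCreated = Get-Date '2019-06-01 08:00'; Id = 3065
                       Message = 'Sample: load of \Device\HarddiskVolume3\Windows\System32\drivers\oldvendor.sys blocked (constructed)' }
    [PSCustomObject]@{ TimeCreated = Get-Date '2019-06-02 09:30'; Id = 3066
                       Message = 'Sample: load of \Device\HarddiskVolume3\Windows\System32\drivers\oldvendor.sys blocked (constructed)' }
    [PSCustomObject]@{ TimeCreated = Get-Date '2019-06-03 11:15'; Id = 3065
                       Message = 'Sample: load of C:\Windows\System32\drivers\legacyraid.sys blocked (constructed)' }
    [PSCustomObject]@{ TimeCreated = Get-Date '2019-06-03 11:16'; Id = 3099
                       Message = 'Sample: unrelated policy event, should be ignored (constructed)' }
)

function Get-CodeIntegrityDriverSummary {
    param(
        [Parameter(ValueFromPipeline)] [object[]] $Events,
        [int[]] $EventIds = @(3065, 3066)
    )
    begin { $all = @() }
    process { $all += $Events }
    end {
        $all | Where-Object { $_.Id -in $EventIds } | ForEach-Object {
            $evt = $_
            # Extract each .sys path named in the message; NT device paths and drive paths both match.
            [regex]::Matches($evt.Message, '[\w\\:.\-]+\.sys') | ForEach-Object {
                [PSCustomObject]@{ Driver = $_.Value; Id = $evt.Id; Time = $evt.TimeCreated }
            }
        } | Group-Object Driver | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [PSCustomObject]@{
                Driver      = $_.Name
                Occurrences = $_.Count
                FirstSeen   = $times[0]
                LastSeen    = $times[-1]
                EventIds    = ($_.Group.Id | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Occurrences -Descending
    }
}

# Against the constructed sample:
$sampleEvents | Get-CodeIntegrityDriverSummary | Format-Table -AutoSize

# Against the real log on a server under audit (uncomment to run):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; StartTime = (Get-Date).AddDays(-7) } |
#     Get-CodeIntegrityDriverSummary | Export-Csv -NoTypeInformation .\hvci-driver-audit.csv
```

The exported CSV is the list to take to the vendor or to the WDAC policy author; a driver that appears under both event IDs across several days is one that will break on the first enforcement reboot.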
Configuring Secure Boot with Device Guard
Device Guard uses UEFI Secure Boot to prevent unauthorized bootloaders and BIOS-level malware. Ensure Secure Boot is enabled in UEFI firmware. You can verify Secure Boot status from Windows.
# Check Secure Boot status
Confirm-SecureBootUEFI
# Get Secure Boot policy details
Get-SecureBootPolicy
Configure Secure Boot enforcement in the Device Guard Group Policy by setting “Select Platform Security Level” to “Secure Boot and DMA Protection.”
Understanding the Trust Hierarchy
Device Guard (HVCI) determines trust for drivers based on digital signatures. Drivers must be: signed by a code signing certificate that chains to the Microsoft Windows Hardware Driver root CA, or signed by an organization’s own certificate that is explicitly trusted through the WDAC policy. Drivers with only Authenticode signatures (not WHQL-level kernel-mode signing) are blocked when HVCI is enabled.
# Check driver signing status
Get-AuthenticodeSignature -FilePath "C:\Windows\System32\drivers\mydriver.sys" |
    Select-Object Path, Status, SignerCertificate
# List all loaded kernel modules and their signing status
Get-WmiObject Win32_SystemDriver |
    Select-Object Name, PathName |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature $_.PathName -ErrorAction SilentlyContinue
        [PSCustomObject]@{
            Name            = $_.Name
            Path            = $_.PathName
            SignatureStatus = $sig.Status
        }
    } | Where-Object { $_.SignatureStatus -ne "Valid" }
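A valid Authenticode signature is not the same as a signature HVCI trusts, so the check worth running is who signed each running driver. The following added example (not from the original tutorial) classifies drivers by signer subject: the WHQL publisher, Microsoft's own inbox driver certificate, or anything else, which is the set that needs explicit trust through the WDAC policy. The class names and the path normalisation are this example's own choices.

```powershell
# Added example: classify running kernel drivers by signer rather than by signature validity.
function Get-DriverSignerClass {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path -ErrorAction SilentlyContinue
    if (-not $sig -or $sig.Status -ne 'Valid') {
        return [PSCustomObject]@{
            Class  = 'Unsigned/Invalid'
            Signer = $null
            Status = if ($sig) { $sig.Status } else { 'NotFound' }
        }
    }
    $subject = $sig.SignerCertificate.Subject
    # WHQL-signed drivers are signed by the Hardware Compatibility Publisher;
    # Microsoft's inbox drivers are signed as "Microsoft Windows". Order matters: the
    # WHQL pattern is checked first because its subject also contains "Microsoft Windows".
    $class = switch -Regex ($subject) {
        'Microsoft Windows Hardware Compatibility Publisher' { 'WHQL'; break }
        'CN=Microsoft Windows'                               { 'Microsoft inbox'; break }
        default                                               { 'Third-party (needs WDAC trust)' }
    }
    [PSCustomObject]@{ Class = $class; Signer = $subject; Status = $sig.Status }
}

function Get-KernelDriverTrustReport {
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # Normalise the \??\ prefix and \SystemRoot form that Win32_SystemDriver can report.
            $path = $_.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
            $info = Get-DriverSignerClass -Path $path
            [PSCustomObject]@{ Name = $_.Name; Path = $path; Class = $info.Class; Status = $info.Status; Signer = $info.Signer }
        }
}

$report = Get-KernelDriverTrustReport
# Headline counts per trust class
$report | Group-Object Class | Select-Object Name, Count | Format-Table -AutoSize
# Drivers HVCI will not trust on signature alone
$report | Where-Object { $_.Class -notin @('WHQL', 'Microsoft inbox') } |
    Format-Table Name, Class, Status, Signer -AutoSize
```

One caveat when reading the output: Get-AuthenticodeSignature returns only the primary signature, so a dual-signed driver whose first signature is the vendor's and whose second is WHQL will be reported as third-party here. The Code Integrity event log from the audit step is the authoritative verdict; this report is the quick inventory to compare it against.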
Deploying Device Guard on Server Core
Windows Server 2019 Server Core installations have a smaller attack surface and are recommended for Hyper-V hosts and domain controllers. Device Guard with HVCI can be fully configured on Server Core using PowerShell.
# All Device Guard configuration is done via registry and Group Policy
# No GUI tools are required
# Apply registry settings and restart
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord
# Create the HVCI scenario key if it does not exist yet, then enable HVCI
$hvciKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
New-Item -Path $hvciKey -Force | Out-Null
Set-ItemProperty -Path $hvciKey -Name "Enabled" -Value 1 -Type DWord -Force
Restart-Computer -Force
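Both the registry section earlier and this Server Core section write the same four values, and on a fleet the useful question is which servers have drifted from the intended setting. The following added example (not from the original tutorial) expresses the desired state once, reports drift per value, and applies only the differences with -WhatIf support. It uses the paths and value names the tutorial uses plus the Locked DWORD for the UEFI lock; the function names and the desired-state table are this example's own.

```powershell
# Added example: desired-state check and idempotent apply for the Device Guard registry values.
$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$HvciKey        = "$DeviceGuardKey\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-DesiredDeviceGuardState {
    param([switch]$UefiLock, [switch]$RequireDmaProtection)
    @(
        @{ Path = $DeviceGuardKey; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 }
        # 1 = Secure Boot only, 3 = Secure Boot and DMA protection
        @{ Path = $DeviceGuardKey; Name = 'RequirePlatformSecurityFeatures';   Value = $(if ($RequireDmaProtection) { 3 } else { 1 }) }
        @{ Path = $HvciKey;        Name = 'Enabled';                           Value = 1 }
        # Locked = 1 is the UEFI lock; once set it cannot be undone remotely without console access
        @{ Path = $HvciKey;        Name = 'Locked';                            Value = [int][bool]$UefiLock }
    )
}

# Compare each desired value with what the registry holds; a missing key or value counts as drift.
function Test-DeviceGuardState {
    param([hashtable[]]$Desired)
    foreach ($item in $Desired) {
        $actual = $null
        if (Test-Path $item.Path) {
            $actual = (Get-ItemProperty -Path $item.Path -Name $item.Name -ErrorAction SilentlyContinue).($item.Name)
        }
        [PSCustomObject]@{
            Path = $item.Path; Name = $item.Name
            Desired = $item.Value; Actual = $actual
            InSync = ($null -ne $actual -and [int]$actual -eq [int]$item.Value)
        }
    }
}

# Write only the values that differ; honours -WhatIf / -Confirm. Returns the number of values changed.
function Set-DeviceGuardState {
    [CmdletBinding(SupportsShouldProcess)]
    param([hashtable[]]$Desired)
    $changed = 0
    foreach ($drift in (Test-DeviceGuardState -Desired $Desired | Where-Object { -not $_.InSync })) {
        if ($PSCmdlet.ShouldProcess("$($drift.Path)\$($drift.Name)", "set to $($drift.Desired)")) {
            if (-not (Test-Path $drift.Path)) { New-Item -Path $drift.Path -Force | Out-Null }
            Set-ItemProperty -Path $drift.Path -Name $drift.Name -Value $drift.Desired -Type DWord -Force
            $changed++
        }
    }
    return $changed
}

$desired = Get-DesiredDeviceGuardState -RequireDmaProtection
$drift = @(Test-DeviceGuardState -Desired $desired | Where-Object { -not $_.InSync })
$drift | Format-Table Name, Desired, Actual -AutoSize
# Preview first; drop -WhatIf to apply, then reboot so VBS and HVCI pick up the change.
if ($drift.Count -gt 0) { Set-DeviceGuardState -Desired $desired -WhatIf }
```

Keep the UEFI lock off (the default here) until the driver audit is clean: with Locked = 1 a server that fails to boot a critical driver cannot be rescued by flipping the registry value back from a remote session.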
Conclusion
Device Guard with HVCI on Windows Server 2019 provides one of the strongest available defenses against kernel-mode attacks and driver exploitation. By enforcing code integrity checking inside a VBS enclave, even a compromised OS cannot disable the protection or load unsigned drivers. The key challenge in deployment is driver compatibility—always audit and test drivers before enabling HVCI in enforcement mode. Prioritize Device Guard deployment on the most critical servers: domain controllers, Hyper-V hosts, and Certificate Authority servers where a kernel compromise would have the broadest impact.