How to Configure Windows Server 2016 Device Guard
Device Guard is a Windows Server 2016 security feature that uses hardware virtualization and code integrity policies to ensure only trusted, signed code runs on a system. It consists of two components: Configurable Code Integrity (CCI), which enforces an allowlist of trusted code, and Virtualization-Based Security (VBS), which protects the code integrity engine itself from being tampered with by malware. Together, these make it extremely difficult for attackers to execute malicious code even if they have administrator access.
Prerequisites
- 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V).
- UEFI firmware with Secure Boot enabled.
- SLAT (Second Level Address Translation) support.
- TPM 2.0 recommended.
- Windows Server 2016 Enterprise or Datacenter.
Understanding Code Integrity Policy Modes
- Audit Mode: Logs violations but does not block execution. Use to baseline your environment before enforcement.
- Enforced Mode: Blocks execution of unsigned or untrusted code.
- UMCI (User Mode Code Integrity): Applies to user-mode binaries and scripts.
- HVCI (Hypervisor-Protected Code Integrity): Kernel-mode code integrity enforced by the hypervisor.
Step 1: Create a Code Integrity Policy
Scan the current system to generate a baseline policy that allows everything currently installed:
New-CIPolicy -Level FilePublisher -FilePath "C:\CIPolicy\BaselinePolicy.xml" -UserPEs -ScanPath "C:\"
This may take several minutes. For faster initial scanning, use hash rules (-ScanPath takes a single directory, so scan "C:\Program Files" in a second run and merge the results in Step 5):
New-CIPolicy -Level Hash -FilePath "C:\CIPolicy\HashPolicy.xml" -UserPEs -ScanPath "C:\Windows"
Step 2: Convert the XML Policy to Binary
Device Guard requires the policy in binary format:
ConvertFrom-CIPolicy -XmlFilePath "C:\CIPolicy\BaselinePolicy.xml" -BinaryFilePath "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"
Step 3: Enable Audit Mode First
Modify the XML policy to set audit mode before converting to binary:
Set-RuleOption -FilePath "C:\CIPolicy\BaselinePolicy.xml" -Option 3
Option 3 = Enabled:Audit Mode. Then convert the policy again so the binary carries the audit option:
ConvertFrom-CIPolicy -XmlFilePath "C:\CIPolicy\BaselinePolicy.xml" -BinaryFilePath "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"
Restart the server to activate the policy.
Step 4: Review Audit Events
Review Code Integrity violations in Event Viewer (Event ID 3076 = audit-mode event, the file would have been blocked under enforcement; 3077 = the file was blocked under enforcement):
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" | Where-Object { $_.Id -in @(3076, 3077) } | Select-Object TimeCreated, Id, Message -First 30
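Reading thirty raw messages does not tell you which binaries are missing from the allowlist or how often they run. The function below is an added example, not code from the original article: it groups 3076/3077 events by the file that triggered them, with the loading process and the latest hit, so each row maps directly to a rule you still need to add before enforcement. It assumes the event message contains the phrase "attempted to load <path> that", which is the wording in current builds; adjust the regex if your log reads differently. The $sample events are constructed so the function can be exercised offline.

```powershell
# Added example: summarize Code Integrity audit/enforcement events per file.
# Assumption: 3076/3077 messages read "... a process (<loader>) attempted to
# load <file> that did not meet ..." (regexes below). Adjust if they differ.
function Get-CIViolationSummary {
    param(
        [int]$Days = 7,
        [object[]]$Events    # optional pre-fetched or constructed events (offline use)
    )

    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
            Id        = 3076, 3077
            StartTime = (Get-Date).AddDays(-$Days)
        } -ErrorAction SilentlyContinue    # no events found is not an error here
    }

    $Events | ForEach-Object {
        $file = [regex]::Match($_.Message, 'attempted to load (\S+) that')
        $proc = [regex]::Match($_.Message, 'a process \((\S+)\) attempted')
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Mode        = if ($_.Id -eq 3076) { 'audit' } else { 'blocked' }
            File        = if ($file.Success) { $file.Groups[1].Value } else { '<unparsed>' }
            Loader      = if ($proc.Success) { $proc.Groups[1].Value } else { '<unparsed>' }
        }
    } | Group-Object File | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count   = $_.Count
            File    = $_.Name
            Modes   = ($_.Group.Mode   | Sort-Object -Unique) -join ','
            Loaders = ($_.Group.Loader | Sort-Object -Unique) -join '; '
            Latest  = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
        }
    }
}

# Constructed sample events (not real log data) for an offline dry run.
$sample = @(
    [pscustomobject]@{ Id = 3076; TimeCreated = (Get-Date).AddHours(-3); Message = 'Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\explorer.exe) attempted to load \Device\HarddiskVolume3\Tools\LegitApp.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.' },
    [pscustomobject]@{ Id = 3076; TimeCreated = (Get-Date).AddHours(-1); Message = 'Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\cmd.exe) attempted to load \Device\HarddiskVolume3\Tools\LegitApp.exe that did not meet the Enterprise signing level requirements or violated code integrity policy.' },
    [pscustomobject]@{ Id = 3077; TimeCreated = (Get-Date).AddMinutes(-10); Message = 'Code Integrity determined that a process (\Device\HarddiskVolume3\Windows\System32\svchost.exe) attempted to load \Device\HarddiskVolume3\Temp\unknown.dll that did not meet the Enterprise signing level requirements or violated code integrity policy.' }
)

Get-CIViolationSummary -Events $sample | Format-Table -AutoSize
# Against the live log instead: Get-CIViolationSummary -Days 14 | Format-Table -AutoSize
```

Paths come back in \Device\HarddiskVolumeN form because that is how the kernel records them; a row whose Loader is a script host or service is worth a closer look than one loaded interactively, since it tells you what will break unattended once enforcement is on.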
Step 5: Merge Policies
Merge multiple policies into one (e.g., combine baseline with allowed-tools policy):
Merge-CIPolicy -PolicyPaths "C:\CIPolicy\BaselinePolicy.xml","C:\CIPolicy\ToolsPolicy.xml" -OutputFilePath "C:\CIPolicy\MergedPolicy.xml"
Step 6: Add Signer Rules for a Specific Certificate
Add a publisher-based rule to allow all software signed by a specific organization:
Add-SignerRule -FilePath "C:\CIPolicy\MergedPolicy.xml" -CertificatePath "C:\Certs\VendorCert.cer" -User
Step 7: Enable HVCI via Group Policy
Enable Hypervisor-Protected Code Integrity via GPO at:
Computer Configuration > Administrative Templates > System > Device Guard > “Turn On Virtualization Based Security”
Set “Virtualization Based Protection of Code Integrity” to “Enabled with UEFI lock”.
Or via the registry (create the key first if it does not exist; note that this key only turns on HVCI, while VBS itself must also be enabled, which the GPO setting above does):
New-Item -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -Name "Enabled" -Value 1 -Type DWord -Force
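Setting the policy or registry value does not prove HVCI is running; VBS silently stays off when a prerequisite from the list at the top is missing. The function below is an added example, not part of the original article: it reads the Win32_DeviceGuard CIM class after the reboot and reports whether VBS and HVCI are actually running, which code integrity mode is active, and which required platform properties are absent. The numeric-code-to-name mappings are reproduced from the documented meanings of that class and are the one assumption here.

```powershell
# Added example: verify VBS/HVCI state and prerequisites via Win32_DeviceGuard.
# Assumption: code meanings follow the documented class (AvailableSecurityProperties
# 1..7, VirtualizationBasedSecurityStatus 0..2, SecurityServicesRunning 2 = HVCI,
# *PolicyEnforcementStatus 0 = off, 1 = audit, 2 = enforced).
function Get-DeviceGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    $propNames = @{
        1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'; 5 = 'NX protections'
        6 = 'SMM mitigations'; 7 = 'Mode Based Execution Control'
    }
    $vbsState = @{ 0 = 'Disabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
    $ciMode   = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Required properties the platform does not offer explain a VBS that never starts.
    $missing = @($dg.RequiredSecurityProperties |
        Where-Object { $_ -notin $dg.AvailableSecurityProperties } |
        ForEach-Object { $propNames[[int]$_] })

    [pscustomobject]@{
        VbsStatus       = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        HvciConfigured  = [bool](2 -in $dg.SecurityServicesConfigured)
        HvciRunning     = [bool](2 -in $dg.SecurityServicesRunning)
        KernelCIMode    = $ciMode[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserCIMode      = $ciMode[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        Available       = ($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] }) -join ', '
        MissingRequired = $missing -join ', '
    }
}

$status = Get-DeviceGuardStatus
$status | Format-List
if (-not $status.HvciRunning) {
    Write-Warning "HVCI is configured but not running; check MissingRequired and the firmware settings (Secure Boot, VT-x/AMD-V, SLAT)."
}
```

Run it after the reboot that follows Step 7, and again after Step 8: KernelCIMode and UserCIMode should move from Audit to Enforced at that point, and HvciRunning should remain True.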
Step 8: Switch from Audit to Enforcement Mode
Remove the audit mode option from the policy:
Set-RuleOption -FilePath "C:\CIPolicy\MergedPolicy.xml" -Option 3 -Delete
Reconvert and deploy:
ConvertFrom-CIPolicy -XmlFilePath "C:\CIPolicy\MergedPolicy.xml" -BinaryFilePath "C:\Windows\System32\CodeIntegrity\SIPolicy.p7b"
Restart-Computer
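Steps 1 through 8 are usually repeated several times on a server before the allowlist is right, and the dangerous moment is the switch to enforcement. The script below is an added example, not code from the original article: it wraps the article's steps in three functions and gates the move to enforcement on the audit log being quiet for a number of days, so an operator cannot drop audit mode while 3076 events are still arriving. The paths are the article's; the quiet-period length, the backup copy of the previous policy, and the use of Option 10 (Enabled:Boot Audit on Failure) so a broken policy falls back to audit at boot instead of rendering the server unbootable are choices made here.

```powershell
# Added example: audit -> review -> enforce with a safety gate.
# Paths follow the article; the 14-day quiet window is an arbitrary default.
$PolicyXml = 'C:\CIPolicy\MergedPolicy.xml'
$Deployed  = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'

function Publish-CIPolicy {
    # Convert the XML to binary and install it, keeping the previous binary as .bak.
    param([string]$Xml = $PolicyXml, [string]$Destination = $Deployed)
    $bin = [System.IO.Path]::ChangeExtension($Xml, '.bin')
    ConvertFrom-CIPolicy -XmlFilePath $Xml -BinaryFilePath $bin | Out-Null
    if (Test-Path $Destination) { Copy-Item $Destination "$Destination.bak" -Force }
    Copy-Item $bin $Destination -Force
}

function New-AuditBaseline {
    # Step 1 + Step 3: scan, fall back to hash rules for unsigned files, set audit mode.
    param([string]$Xml = $PolicyXml, [string]$ScanPath = 'C:\')
    New-Item -ItemType Directory -Path (Split-Path $Xml) -Force | Out-Null
    New-CIPolicy -Level FilePublisher -Fallback Hash -FilePath $Xml -UserPEs -ScanPath $ScanPath
    Set-RuleOption -FilePath $Xml -Option 3    # Enabled:Audit Mode
    Set-RuleOption -FilePath $Xml -Option 10   # Enabled:Boot Audit on Failure (recovery safety net)
    Publish-CIPolicy -Xml $Xml
}

function Test-ReadyForEnforcement {
    # True only when no 3076 (would-have-blocked) events were logged in the window.
    param([int]$QuietDays = 14)
    $hits = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddDays(-$QuietDays)
    } -ErrorAction SilentlyContinue
    $count = @($hits).Count
    Write-Host "$count audit events (3076) in the last $QuietDays days"
    return ($count -eq 0)
}

function Enable-Enforcement {
    # Step 8, refused while the audit log still shows unresolved violations.
    param([string]$Xml = $PolicyXml, [int]$QuietDays = 14)
    if (-not (Test-ReadyForEnforcement -QuietDays $QuietDays)) {
        throw "Audit log is not quiet; resolve the 3076 events (Step 4) and extend the policy before enforcing."
    }
    Set-RuleOption -FilePath $Xml -Option 3 -Delete
    Publish-CIPolicy -Xml $Xml
    Restart-Computer -Confirm
}

# Typical sequence, run over days, not minutes:
#   New-AuditBaseline; Restart-Computer
#   ... review with Get-WinEvent as in Step 4, merge rules as in Steps 5 and 6 ...
#   Enable-Enforcement -QuietDays 14
```

If the gate ever has to be bypassed, lower -QuietDays deliberately rather than removing the check; the .bak copy next to SIPolicy.p7b is what you restore from the recovery environment if the enforced policy blocks something the server needs to boot.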
Troubleshooting
If a legitimate application is blocked, generate a publisher (or hash) rule for it, merge that rule into the policy, then reconvert and redeploy as in Step 8:
$rules = New-CIPolicyRule -DriverFilePath "C:\Tools\LegitApp.exe" -Level FilePublisher
Merge-CIPolicy -PolicyPaths "C:\CIPolicy\MergedPolicy.xml" -Rules $rules -OutputFilePath "C:\CIPolicy\MergedPolicy.xml"
Summary
Device Guard on Windows Server 2016 provides kernel-level protection against unauthorized code execution, making it one of the most powerful defenses against advanced persistent threats. Always start with audit mode to build an accurate allowlist, thoroughly review violations, and only then move to enforcement. For highest security, combine with HVCI and Credential Guard.