Enhanced Kernel Mode protection using Hypervisor Code Integrity
The core functionality and protection of Device Guard begins at the hardware level. Devices with processors that support SLAT and virtualization extensions, such as Intel VT-x and AMD-V, can take advantage of a Virtualization Based Security (VBS) environment that dramatically enhances Windows security by isolating critical Windows services from the operating system itself.
Device Guard uses VBS to isolate its Hypervisor Code Integrity (HVCI) service, which makes it possible for Device Guard to help protect kernel-mode processes and drivers from vulnerability exploits and zero-day attacks. HVCI uses the processor's functionality to force all software running in kernel mode to allocate memory safely: after memory has been allocated, its state must be changed from writable to read-only or run-only before it can be used. By forcing memory into these states, HVCI helps to ensure that attackers are unable to inject malicious code into kernel-mode processes and drivers through techniques such as buffer overruns or heap spraying.
To deliver this level of security, Device Guard has the following hardware and software requirements:
UEFI Secure Boot (optionally with the non-Microsoft UEFI CA removed from the UEFI database)
Virtualization support turned on by default in the system firmware (BIOS):
  Virtualization extensions (for example, Intel VT-x and AMD-V)
  SLAT (for example, Intel EPT and AMD RVI)
  IOMMU (for example, Intel VT-d and AMD-Vi)
UEFI BIOS configured to prevent an unauthorized user from disabling Device Guard-dependent hardware security features (for example, Secure Boot)
Kernel-mode drivers signed and compatible with hypervisor-enforced code integrity
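As an added example (not from this post or from Microsoft's documentation), the following PowerShell reads the Win32_DeviceGuard WMI class to report which of the hardware prerequisites listed above the platform exposes to VBS and whether HVCI is actually running. The property names and the meaning of each numeric code are Microsoft's published ones for that class; run it in an elevated PowerShell session on Windows 10 / Windows Server 2016 or later.

```powershell
# Added example: report VBS/HVCI prerequisites and state via the Win32_DeviceGuard class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
if (-not $dg) { Write-Host 'Win32_DeviceGuard class not available on this host.'; return }

# Codes used by AvailableSecurityProperties / RequiredSecurityProperties (per Microsoft docs).
$propNames = @{
    1 = 'Base virtualization support (VT-x / AMD-V)'
    2 = 'UEFI Secure Boot'
    3 = 'DMA protection (IOMMU: VT-d / AMD-Vi)'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations 1.0'
    7 = 'Mode-based execution control'
}
# Codes used by SecurityServicesConfigured / SecurityServicesRunning.
$svcNames = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (HVCI)' }

$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'not enabled' }
    1 { 'enabled but not running' }
    2 { 'enabled and running' }
    default { "unknown ($_)" }
}
Write-Host "Virtualization Based Security: $vbsState"

Write-Host "`nHardware security properties available to VBS:"
foreach ($code in ($propNames.Keys | Sort-Object)) {
    $present  = $dg.AvailableSecurityProperties -contains $code
    $required = $dg.RequiredSecurityProperties  -contains $code
    $mark = if ($present) { '[x]' } else { '[ ]' }
    $req  = if ($required) { ' (required by policy)' } else { '' }
    Write-Host "  $mark $($propNames[$code])$req"
}

Write-Host "`nSecurity services:"
foreach ($code in ($svcNames.Keys | Sort-Object)) {
    $configured = $dg.SecurityServicesConfigured -contains $code
    $running    = $dg.SecurityServicesRunning    -contains $code
    Write-Host ('  {0,-45} configured={1} running={2}' -f $svcNames[$code], $configured, $running)
}

# The kernel-mode protection described in the post is only in effect when HVCI (code 2) is running.
if ($dg.SecurityServicesRunning -contains 2) {
    Write-Host "`nHVCI is running: kernel-mode code integrity is being enforced by the hypervisor."
} else {
    Write-Host "`nHVCI is NOT running: the kernel-mode protection described above is not in effect."
}
```

A property shown as missing (for example Secure Boot or DMA protection) usually points at a firmware setting that has to be enabled before HVCI will start.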
Source of information: Microsoft, Introduction Windows Server 2016