Virtualization-based protection of code integrity enforces kernel mode memory protections as well as protecting Code Integrity validation paths. This isolates the processes from the rest of the operating system and can only be accessed by privileged system software.
Check
Confirm virtualization-based protection of code integrity.
If there are documented operational mission needs to disable code integrity, this may be reduced to a CAT II finding.
Run "PowerShell" with elevated privileges (run as administrator).
If "SecurityServicesRunning" does not include a value of "2" (e.g., "{1, 2}"), this is a finding.
Alternately:
Run "System Information".
Under "System Summary", verify the following:
If "Virtualization-based Security Services Running" does not list "Hypervisor enforced Code Integrity", this is a finding.
The policy settings referenced in the Fix section will configure the following registry value. However, due to hardware requirements, the registry value alone does not ensure proper function.
Value Name: HypervisorEnforcedCodeIntegrity Value Type: REG_DWORD Value: 0x00000001 (1) (Enabled with UEFI lock), or 0x00000002 (2) (Enabled without lock)
Fix
Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On virtualization-based Security" to "Enabled" with "Enabled with UEFI lock" or "Enabled without lock" selected for "virtualization-based Protection of Code Integrity:".
"Enabled with UEFI lock" is preferred as more secure; however, it cannot be turned off remotely through a group policy change if there is an issue.
"Enabled without lock" will allow this to be turned off remotely while testing for issues.