Technical white paper

Implementing Windows Server 2016 Device Guard and Credential Guard on HPE ProLiant servers

1.0 Introduction

With the release of Windows Server 2016, Microsoft introduced the concept of Virtualization Based Security (VBS). Well-known features such as Device Guard and Credential Guard are built on top of VBS. While Microsoft provides a wealth of detailed information (see link), this document gives the reader a clear overview of the fundamentals and of best practices for implementing Device Guard and Credential Guard on HPE ProLiant server hardware and software.
When VBS is enabled, an isolated "sandbox" environment is created in which critical code and data can execute with a much smaller exploit surface. This isolated environment is referred to as Virtual Secure Mode (VSM). VSM is built on hardware virtualization features such as Intel VT-x or AMD virtualization (AMD-V) and Intel VT-d or the AMD IOMMU, on Microsoft's hypervisor software layer (Hyper-V), and on new support in the Windows kernel.
Device Guard is the combination of the new feature, VBS, with an existing feature, Code Integrity (CI). CI predates Windows Server 2016 and acts like a "white list": drivers, DLLs, and executables are allowed to run only if they satisfy a predefined set of rules. Such a rule set is called a Configurable CI Policy. Prior to Windows Server 2016, the CI Policy was processed during early OS boot in the normal CPU/memory/kernel execution path. In Windows Server 2016, if Device Guard is enabled, the CI Policy is processed inside VSM, which reduces the possibility of tampering with or breaching the CI Policy. Processing the CI Policy in VSM is referred to as Hypervisor-assisted Code Integrity (HVCI).
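The practical question after reading the above is whether VBS, HVCI and Credential Guard are not only configured but actually running on a given server. The following PowerShell check is an added example, not part of the white paper or any HPE tool; it reads the Win32_DeviceGuard WMI class that Windows exposes for this purpose, and the meaning assigned to each numeric code follows Microsoft's documentation for that class.

```powershell
# Added example (not from the white paper): query Win32_DeviceGuard to report
# whether VBS, HVCI and Credential Guard are configured and actually running.
# Assumes Windows Server 2016 or later; run in an elevated PowerShell session.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

# Service codes used by SecurityServicesConfigured / SecurityServicesRunning
$services = @{ 1 = 'Credential Guard'; 2 = 'HVCI (Hypervisor-assisted Code Integrity)' }

# Platform property codes used by AvailableSecurityProperties / RequiredSecurityProperties
$props = @{
    1 = 'Base VBS support (VT-x/AMD-V with SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (VT-d/AMD IOMMU)'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
}

# Translate an array of numeric codes into a readable, comma-separated list.
function Describe-Codes([int[]]$codes, [hashtable]$names) {
    if (-not $codes -or $codes.Count -eq 0) { return '(none)' }
    ($codes | ForEach-Object {
        if ($names.ContainsKey($_)) { $names[$_] } else { "Unknown($_)" }
    }) -join ', '
}

"VBS status          : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured : $(Describe-Codes $dg.SecurityServicesConfigured $services)"
"Services running    : $(Describe-Codes $dg.SecurityServicesRunning $services)"
"Platform available  : $(Describe-Codes $dg.AvailableSecurityProperties $props)"
"Platform required   : $(Describe-Codes $dg.RequiredSecurityProperties $props)"

# A service that is configured but absent from the running list usually means a
# platform prerequisite (UEFI with Secure Boot, IOMMU, SLAT) is missing or disabled
# in the server firmware, so check the 'available' list before the OS settings.
foreach ($code in $services.Keys) {
    if ($dg.SecurityServicesConfigured -contains $code -and
        $dg.SecurityServicesRunning -notcontains $code) {
        Write-Warning "$($services[$code]) is configured but not running; check firmware prerequisites."
    }
}
```

On a server where VBS reports "Running" and the running-services list includes HVCI, the CI Policy is being enforced inside VSM as described above; an empty running list with a populated configured list points at the hardware or firmware side.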