How to Verify if Device Guard is Enabled or Disabled in Windows

Key Points

  1. What Is Device Guard? Device Guard is a set of enterprise-grade Windows security features that block unauthorized apps and enforce code integrity using virtualization-based security (VBS) and hypervisor-enforced code integrity (HVCI).
  2. Availability by Edition: Device Guard is only supported on Windows 10/11 Enterprise and Education editions. It is not available on Home or Pro editions.
  3. Device Guard vs. Windows Defender Application Control (WDAC): Device Guard is a component of WDAC. Together, they enforce strict app control policies and harden systems against malware and zero-day exploits.
  4. How Device Guard Works: Device Guard uses VBS to isolate sensitive operations and HVCI to ensure only signed, trusted code is executed—essential for protecting enterprise infrastructure.
  5. Hardware & Boot Requirements: Device Guard requires Secure Boot, virtualization support (Intel VT-x/AMD-V), and compatible hardware (second-level address translation or SLAT).
  • Check Device Guard:
      1. Via System Information (msinfo32): Run msinfo32 → Navigate to System Summary → Check Device Guard Virtualization-based Security to see if it’s running.
      2. Via PowerShell: Use this command: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard. View security features configured and running (e.g., HVCI, Credential Guard).
      3. Via Group Policy Editor (gpedit.msc): Navigate to Computer Configuration > Administrative Templates > System > Device Guard. Check policies like Turn On Virtualization-based Security and Configure HVCI.
  • Confirm Policy Enforcement with gpupdate and gpresult: Run gpupdate /force to apply changes and gpresult /h gpresult.html to verify domain policy application for Device Guard.

This guide explains what Windows Device Guard is, how it protects enterprise devices, and how to check whether it is enabled or disabled. Detailed instructions are provided for checking Device Guard status, as well as troubleshooting information, along with the implications of Device Guard being switched off.

What is Device Guard in Windows 10/11?

Device Guard refers to a collection of Windows security features that are designed to protect against malware and other cybersecurity threats in enterprise and education environments, allowing only trusted and authorized applications and code to be run. If you’re using Windows 10 Pro/Windows 10 Home, or Windows 11 Pro/Windows 11 Home, Device Guard isn’t available, and you can’t verify whether it is enabled on your PC.

How does Windows Device Guard work?

Windows Device Guard is a component of Windows Defender Application Control (WDAC) and implements several security technologies to protect Windows infrastructure in enterprise environments, both at the hardware and software levels. These include:

  • virtualization-based security (VBS), which isolates sensitive processes and information from the rest of the system, and
  • hypervisor-enforced code integrity (HVCI), to enforce user-defined code integrity policies that ensure only whitelisted applications can run.

These measures improve protection against malware, and allow administrators to ensure only code they authorize can be run on systems in their Windows Domain environment.

Why verifying Device Guard status matters

Device Guard works in conjunction with Credential Guard to protect enterprise Windows networks against cyberattacks. In fact, just like Credential Guard, enabling Device Guard requires hardware-based virtualization support and activating Secure Boot. However, unlike Credential Guard, Device Guard isn’t automatically enabled on systems that meet its hardware requirements.

Some components used by Device Guard, such as HVCI, may be automatically enabled if the system meets the requirements. For this reason, it’s worth making sure that the specific Device Guard features you require are running once you have configured them for your Windows deployments.

Before Device Guard can be fully enabled, code integrity policies must be set up by an administrator to define which authorized code will be allowed to run on applicable devices. Configuring these policies and enabling Device Guard on your Windows Domain is beneficial for two primary reasons:

  1. It helps protect your systems from malware and cyberattacks by preventing malicious code from executing.
  2. It gives you control over what your users can do with their machines by allowing only approved apps to run.

How to verify Device Guard status

The methods listed below can be used to check the status of Device Guard on a Windows Enterprise PC:

Checking Device Guard using Windows System Information (msinfo32)

To use the Windows System Information tool to verify Device Guard status, follow these steps:

  • Right-click the Start button and select Run
  • Enter msinfo32 in the Run dialog and click OK
  • In the left navigation panel, click System Summary
  • In the right panel, scroll down to Device Guard Virtualization-based Security
  • If Device Guard is enabled, it will be listed as Running

In addition to the system information item displaying the status of Device Guard, there are entries containing specific information about Device Guard properties and services, as well as whether they are available or running on your system.

Verifying Device Guard using PowerShell commands

The Get-CimInstance PowerShell cmdlet can be used to check the status of Device Guard by running this command in an administrative PowerShell prompt:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

This command will display the currently available hardware security features of your Windows PC, along with which are enabled.
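The cmdlet above returns the Win32_DeviceGuard instance as raw numbers (for example, SecurityServicesRunning = {1, 2}), which are easy to misread. The following script is an added example, not code from the original article or from NinjaOne: it decodes those numbers into feature names using the code-to-name tables Microsoft documents for the Win32_DeviceGuard class (anything outside those tables is reported as Unknown(n)), and it flags any service that is configured but not actually running, which is the case the article warns about.

```powershell
# Added example (not from the original article): turn the raw Win32_DeviceGuard
# numbers into readable names and flag services that are configured but not
# running. The code-to-name tables follow Microsoft's documentation for the
# Win32_DeviceGuard class; anything outside them is reported as Unknown(n).

$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'APIC virtualization'
    6 = 'Kernel-mode Hardware-enforced Stack Protection'
    7 = 'Hypervisor-Enforced Paging Translation'
}
$propertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI Code Readonly'
    6 = 'SMM Security Mitigations 1.0'
    7 = 'Mode Based Execution Control'
    8 = 'APIC virtualization'
}
$vbsNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$ciNames  = @{ 0 = 'Off'; 1 = 'Audit mode'; 2 = 'Enforced' }

function ConvertTo-Names([object[]]$Codes, [hashtable]$Map) {
    # Map each numeric code to its name; empty input means "nothing reported"
    $codes = @($Codes | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })
    if ($codes.Count -eq 0) { return '(none)' }
    ($codes | ForEach-Object { if ($Map.ContainsKey($_)) { $Map[$_] } else { "Unknown($_)" } }) -join ', '
}

function Get-DeviceGuardSummary {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop

    $configured = @($dg.SecurityServicesConfigured | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })
    $running    = @($dg.SecurityServicesRunning    | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })
    # Configured but not running usually means a missing prerequisite
    # (Secure Boot off, virtualization disabled in firmware) or a pending reboot
    $stalled    = @($configured | Where-Object { $_ -notin $running })

    [PSCustomObject]@{
        VbsStatus             = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        KernelCodeIntegrity   = $ciNames[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModeCodeIntegrity = $ciNames[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        AvailableProperties   = ConvertTo-Names $dg.AvailableSecurityProperties $propertyNames
        RequiredProperties    = ConvertTo-Names $dg.RequiredSecurityProperties  $propertyNames
        ServicesConfigured    = ConvertTo-Names $configured $serviceNames
        ServicesRunning       = ConvertTo-Names $running    $serviceNames
        ConfiguredNotRunning  = ConvertTo-Names $stalled    $serviceNames
    }
}

$summary = Get-DeviceGuardSummary
$summary | Format-List
if ($summary.ConfiguredNotRunning -ne '(none)') {
    Write-Warning "Configured but not running: $($summary.ConfiguredNotRunning)"
}
```

Run it from an administrative PowerShell prompt. AvailableProperties tells you whether the hardware prerequisites listed earlier (hypervisor support, Secure Boot) are present; RequiredProperties shows which of them the current configuration insists on; the ConfiguredNotRunning line is the one to act on, since a service that is configured but not running means the policy landed but VBS could not start it.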

Verifying Device Guard on a single PC using the Group Policy Editor

To verify whether Device Guard features are enabled via Local Group Policy, follow these steps:

  1. Start the Local Group Policy Editor by running gpedit.msc
  2. Go to Computer Configuration/Administrative Templates/System/Device Guard
  3. Check the status of Device Guard policies including the following:
    • Turn On Virtualization-based Security
    • Deploy Windows Defender Application Control
    • Configure HVCI and Kernel Mode Code Integrity

Note that Device Guard policies should be configured at the domain level, and that the Local Group Policy console should only be used to check the status of Device Guard on a specific machine.

For a clear, step-by-step demonstration of the methods reviewed above, please watch this brief video: ‘How to Verify if Device Guard is Enabled or Disabled in Windows’.

Confirming Group Policy changes have successfully enabled Device Guard

If you’ve recently made changes to Group Policy on your Windows Domain and don’t see the changes applied yet, try running gpupdate /force to apply the changes or reboot the affected machines.

To check whether Device Guard has been successfully enabled by Group Policy on a Windows Domain, you can run gpresult /h gpresult.html in PowerShell (as an administrator) to see which domain policies have been applied.
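gpresult shows which Group Policy objects were applied, but not whether the Device Guard settings they carry are actually in effect. The script below is an added example, not code from the original article or from NinjaOne; it serves both the Local Group Policy check in the previous section and this confirmation step. It reads the registry values that the Device Guard policy templates write under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard (the value names EnableVirtualizationBasedSecurity, HypervisorEnforcedCodeIntegrity and LsaCfgFlags are taken from Microsoft's documentation and are assumed here) and compares them with what Win32_DeviceGuard reports as running.

```powershell
# Added example (not from the original article): after 'gpupdate /force', compare
# what Group Policy wrote to the Device Guard policy key against what
# Win32_DeviceGuard reports as actually running. A policy value that is set while
# the matching service is not running means the policy applied but a
# prerequisite (Secure Boot, firmware virtualization) or a reboot is missing.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

function Get-PolicyValue([string]$Name) {
    # Returns $null when the policy has never been applied to this machine
    (Get-ItemProperty -Path $policyKey -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Test-DeviceGuardPolicy {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
    $running = @($dg.SecurityServicesRunning | Where-Object { $null -ne $_ } | ForEach-Object { [int]$_ })

    # EnableVirtualizationBasedSecurity: 1 = "Turn On Virtualization Based Security" is Enabled
    $vbsWanted  = (Get-PolicyValue 'EnableVirtualizationBasedSecurity') -eq 1
    # HypervisorEnforcedCodeIntegrity: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $hvciWanted = (Get-PolicyValue 'HypervisorEnforcedCodeIntegrity') -in 1, 2
    # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = Credential Guard without lock
    $cgWanted   = (Get-PolicyValue 'LsaCfgFlags') -in 1, 2

    [PSCustomObject]@{
        PolicyKeyPresent      = Test-Path $policyKey
        VbsRequestedByPolicy  = $vbsWanted
        VbsRunning            = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)
        HvciRequestedByPolicy = $hvciWanted
        HvciRunning           = (2 -in $running)   # code 2 = HVCI in SecurityServicesRunning
        CredGuardRequested    = $cgWanted
        CredGuardRunning      = (1 -in $running)   # code 1 = Credential Guard
    }
}

$result = Test-DeviceGuardPolicy
$result | Format-List

# Report each policy that was applied but is not taking effect
if (-not $result.PolicyKeyPresent) {
    Write-Warning "No Device Guard policy key found; run 'gpupdate /force' and review 'gpresult /h gpresult.html'"
}
if ($result.VbsRequestedByPolicy  -and -not $result.VbsRunning)       { Write-Warning 'VBS is set by policy but not running' }
if ($result.HvciRequestedByPolicy -and -not $result.HvciRunning)      { Write-Warning 'HVCI is set by policy but not running' }
if ($result.CredGuardRequested    -and -not $result.CredGuardRunning) { Write-Warning 'Credential Guard is set by policy but not running' }
```

A missing policy key with VBS nonetheless running means the feature was enabled locally rather than by domain policy; a present key with the matching service not running is the case to investigate with msinfo32 (Secure Boot state, virtualization support) or by rebooting, since VBS settings only take effect after a restart.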

If Device Guard is causing compatibility issues, you can either disable it for specific devices using Group Policy or disable the related security settings in that device’s BIOS/UEFI.

Ensuring the security of fleets of Windows devices in your enterprise

Maintaining a strong security stance against cyber threats doesn’t have to become more difficult as the number of machines you manage increases. Enforcing Windows Security configurations, including enabling and verifying the status of Device Guard, can be automated using endpoint management by NinjaOne.

NinjaOne lets you manage and report on your Windows configurations from a centralized web interface that can deploy scripts, take inventory, and assist with patch management. It also supports the administration of Linux, macOS, Android, and mobile Apple devices, ensuring comprehensive monitoring, complete visibility, and up-to-date insights into the status of your IT infrastructure.

FAQs

Device Guard is a set of security features in Windows 10/11 Enterprise and Education editions that blocks unauthorized apps and enforces code integrity using virtualization-based security (VBS) and hypervisor-enforced code integrity (HVCI). It helps protect enterprise systems from malware and zero-day attacks.

You can check Device Guard status using the System Information tool (msinfo32), PowerShell, or the Local Group Policy Editor. Look for the virtualization-based security running status or the HVCI policy settings to confirm whether Device Guard features are active.

No, Device Guard is only available on Windows 10/11 Enterprise and Education editions. It’s not supported on Home or Pro editions, so the status can’t be verified or enabled on those systems.

Device Guard requires the following:

  • Secure Boot
  • Hardware-based virtualization (Intel VT-x or AMD-V)
  • Second-level address translation (SLAT)

Without these, Device Guard features like VBS and HVCI can’t be activated.

In the Group Policy Editor, go to Computer Configuration > Administrative Templates > System > Device Guard. There, enable policies like Turn On Virtualization-based Security and Configure HVCI. After making these changes, run gpupdate /force to apply them or use gpresult /h to confirm they’ve been enforced.
