Device Guard is not in Group Policy: "Computer Configuration -> Administrative Templates -> System" anymore.
So where is it?
@ChayimEliazer. Download and update the latest policy templates to your Windows 10.
here is the screenshot
@officedocsbot assign @jvsam
Hi @ChayimEliazer, were you able to resolve your concern? I can confirm the same results as @RAJU2529's. If you need technical assistance, I recommend that you contact Windows 10 support. There are also other support resources that are available for you like the Microsoft Tech Community or the Technet forums where you can post your question and get help from the community. You may want to check as well if you are meeting the hardware requirements. Please keep us posted, thank you.
Not solved. Where can I "download and update" the latest policy templates
to windows 10 ?
@ChayimEliazer . I will give you the link
@ChayimEliazer .
https://www.microsoft.com/en-us/download/100591
Just a question:
Are those templates "needed" if Security Baselines are already in use?
After downloading and installing from link, Device Guard still missing.
@ChayimEliazer, after installing, the Group Policy settings do not update. Instead,
you must copy the PolicyDefinitions folder from the installation folder to the path C:\windows\
If you get an access denied error message, then you must take ownership of the PolicyDefinitions folder.
In the installation wizard there's no option to choose where to install.
I checked and saw that the folder was installed to "C:\windows\"
automatically but there's no "Device Guard".
There's only:
DeviceCompat
DeviceCredential
DeviceInstallation
DeviceSetup
And Device Manager. But no Device Guard.
@ChayimEliazer . I will make video and then I share the link
I'm waiting
Here's the link of the video that Device Guard is missing after updating:
https://youtu.be/bZHDT1MmxgM
@ChayimEliazer, may I know which version of Windows 10 you are using on the computer?
I will send the video in the afternoon.
Windows Home 10 ver. 1909
@ChayimEliazer please update the .admx and .adml from 1909 from the directory
C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)\PolicyDefinitions\
to
C:\Windows\PolicyDefinitions
@RAJU2529
please update the .admx and .adml from 1909 from the directory
C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)\PolicyDefinitions\
to
C:\Windows\PolicyDefinitions
Thanks. This solved it. Now I have Device Guard in Group Policy Editor.
But when clicking on Device guard it opens only 2 configuration options
Deploy Windows Defender Application Control
Turn On Virtualization Based Security
Is this all about Device Guard?
@RAJU2529 can you please help me with https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5509#issuecomment-565802995
@ChayimEliazer. Turn on virtualization based on security; that belongs to Device Guard.
Don't use deploy Windows Defender application guard.
@beerisgood. security baseline used to check the applied or modified group policy and the security updates including system guard, credential guard and wdac . windows defender atp too and so many targets
@RAJU2529 I don't understand your post. Does that mean that the security Baselines include and add the policy definitions or not?
Hi @RAJU2529 can you please provide more details regarding security baseline to answer @beerisgood's question, if you have time? Thank you.
@beerisgood, it might be best to maximize other MS resources, this means tapping the support community. You can post your question at Technet forums or Microsoft Tech community and collaborate with other users, experts and also Microsoft engineers. Thank you.
@jvsam . Give me four days time for checking completely and analysis.
I have lots of work in college.
Hello everyone! It looks to me like this issue has been resolved, so I'm closing it out with kind regards.
@denisebmsft Please re-open. Issue is not fixed
@RAJU2529 any updates?
@beerisgood , @ChayimEliazer : Can you point me to where it says that Device Guard is actually supported on Windows 10 Home edition? From what I can find when searching, Device Guard is a bigger source of problems than usefulness when forced to be installed on Windows 10 Home. It can easily break access to Virtual Machines running on Windows 10 Home.
@illfated. I have my own experience: I made the Windows 10 Home edition actually support Group Policy Editor, and then I configured some policies. I have not checked Device Guard. I will check the Device Guard feature on Monday on a college computer, when I get free time.
Fair enough, but please note my focus on Windows 10 Home Edition, which I believe is the Windows 10 edition in use by @ChayimEliazer .
I would expect the Group Policy for Device Guard to look very different between Home and Professional versions of Windows 10. I do have access to a regular Windows 10 Professional via TeamViewer in my spare time, so I will go there and check out what the default path looks like in Windows 10 Professional 1909 x64, as compared to my local Windows 10 Home 1909 x64.
Sure enough. By default, Device Guard is present in Windows 10 Professional 1909, but not in Windows 10 Home 1909.
@beerisgood , @ChayimEliazer : Can you point me to where it says that Device Guard is actually supported on Windows 10 Home edition?
I never say that. Windows Pro is (yet) required for Device Guard.
OK, fair enough. May I ask what the issue is, just in case there is something worth adding to the documentation?
OK, fair enough. May I ask what the issue is, just in case there is something worth adding to the documentation?
my question was/ is that: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5509#issuecomment-565802995
MAJORLY PEOPLE ASK THIS BECAUSE OF VMWARE ERROR. IF YES THEN FOLLOW:
Directly install the latest update of VMware 15.5.6, which supports the hypervisor, or if that does not solve it, follow below.
Fixed error in VMware Workstation on Windows 10 host
Transport (VMDB) error -14: Pipe connection has been broken.
Today we will be fixing VMWare error on a windows 10 computer.
1- Computer Configuration
2- Administrative Templates
3- System - Device Guard : IF NO DEVICE GUARD : (DOWNLOAD https://www.microsoft.com/en-us/download/100591 install this "c:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)\PolicyDefinitions" copy to c:\windows\PolicyDefinitions )
4- Turn on Virtualization Based Security.
Now Double click that and "Disable"
Open Command Prompt as Administrator and type the following
gpupdate /force [DONT DO IF YOU DONT HAVE DEVICE GUARD ELSE IT WILL GO AGAIN]
Open Registry Editor, now Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard. Add a new DWORD value named EnableVirtualizationBasedSecurity and set it to 0 to disable it.
Next Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA. Add a new DWORD value named LsaCfgFlags and set it to 0 to disable it.
In RUN box, type Turn Windows features on or off, now uncheck Hyper-V and restart system.
Open command prompt as an administrator and type the following commands
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set hypervisorlaunchtype off
Now, Restart your system
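To see what state a machine is actually in before or after touching the settings named in the comment above, a read-only report helps. This is an added example, not part of the original comment; the two registry keys and value names are the ones quoted above, and the CIM class `Win32_DeviceGuard` and the status-code labels are Windows' own:

```powershell
#Requires -RunAsAdministrator
# Added example: read-only report, changes nothing.
# Registry keys and value names are the ones named in the comment above.

function Get-RegValue([string]$Key, [string]$Name) {
    # Returns the value, or 'not set' when the key or value is absent
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { 'not set' }
}

# Labels for the numeric codes reported by Win32_DeviceGuard
$vbsText = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$svcText = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }

$cim = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                       -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

$vbs     = 'Win32_DeviceGuard not available'
$running = @()
if ($cim) {
    $vbs     = $vbsText[[int]$cim.VirtualizationBasedSecurityStatus]
    $running = @($cim.SecurityServicesRunning |
        Where-Object { $_ -ne 0 } |
        ForEach-Object {
            $name = $svcText[[int]$_]
            if ($name) { $name } else { "service id $_" }
        })
}

# The hypervisorlaunchtype line is absent when the element has never been set
$bcd = bcdedit /enum '{current}' |
    Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)' |
    Select-Object -First 1
$launch = if ($bcd) { $bcd.Matches[0].Groups[1].Value } else { 'not set' }

[pscustomobject]@{
    'DeviceGuard\EnableVirtualizationBasedSecurity' =
        Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' 'EnableVirtualizationBasedSecurity'
    'Lsa\LsaCfgFlags' =
        Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LsaCfgFlags'
    'VBS status (Win32_DeviceGuard)' = $vbs
    'Security services running'      = if ($running) { $running -join ', ' } else { 'none' }
    'hypervisorlaunchtype (bcdedit)' = $launch
} | Format-List
```

The registry values show what is configured; the `Win32_DeviceGuard` status shows what is running since the last boot, so the two can disagree until the machine is restarted.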
Thank you so much @gptshubham595 bro, you saved me today! I was stuck for like 4 hrs trying various solutions but none worked.
But now I am facing problem with Virtual Box, the VM isn't running :(
Can you explain this part btw?
Open Registry Editor, now Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard. Add a new DWORD value named EnableVirtualizationBasedSecurity and set it to 0 to disable it.
Next Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA. Add a new DWORD value named LsaCfgFlags and set it to 0 to disable it.
In RUN box, type Turn Windows features on or off, now uncheck Hyper-V and restart system.
Open command prompt as a administrator and type the following commands
bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"
bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}
bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
bcdedit /set hypervisorlaunchtype off
@ChayimEliazer please update the .admx and .adml from 1909 from the directory
C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)\PolicyDefinitions\
to
C:\Windows\PolicyDefinitions
@RAJU2529 @ChayimEliazer I was wondering if one of you could clarify this instruction.
I was able to download and copy the files as you instructed and DeviceGuard.admx is in both PolicyDefinitions folders, but I cannot see it in the gpedit.msc (Group Policy).
Do you mean that I need to edit the DeviceGuard.admx file? or am I understanding this all wrong? what directory are you referring to and what do you mean from 1909?
I apologize if this is a dumb question, but I am very new to this. I would greatly appreciate any help, thank you!
Note: I have Windows version 2004 right now
@alexshin0523, in Windows 10 Professional edition you can use gpedit.msc; in Home edition gpedit.msc does not exist.
Do you have a Professional edition installed? If you have Professional edition, then open a command prompt with admin rights, then type GPEDIT.MSC in cmd, and you have to enable Turn on Virtualization Based Security.
@RAJU2529 I tried to run gpedit.msc with administrative rights on cmd, but DeviceGuard is still not showing up.
I have the home version. I downloaded the gpedit.msc from an installer I found online (not sure if it is professional, is there a way to check?) and I have been trying to add and disable the DeviceGuard.admx to enable KVM on ubuntu.
I downloaded the 2004 policy templates in the default folder and copied over all files to C:/Windows/PolicyDefinitions. Although I was unable to copy over the en-US folder inside even after I changed the ownership to me, could this be the problem? I already had an en-US folder in my C:/Windows/PolicyDefinitions folder before I copied everything over so I didn't think it would be a problem, but now I am not so sure.
Also, I was reading about adding a Central Store, but I'm not sure if that's the solution I am looking for.
Here is a link to a video of me running through the steps you recommended: https://youtu.be/WVJmPsw1vmE
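The situation described in this thread (DeviceGuard.admx present in both folders, the language folder possibly not copied, Home versus Professional edition) can be checked without changing anything. This is an added example, not part of the original thread; the paths and the `DeviceGuard.admx` name are the ones quoted by the participants, and the source path must be adjusted for template packages other than 1909:

```powershell
# Added example: read-only checks for a missing "Device Guard" node in gpedit.msc.
# Paths and the DeviceGuard.admx name are the ones quoted in this thread.

$source = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)\PolicyDefinitions'
$target = Join-Path $env:windir 'PolicyDefinitions'
$lang   = (Get-UICulture).Name   # language subfolder the editor reads, e.g. en-US

function Get-HashOrNull([string]$Path) {
    # SHA-256 of the file, or nothing when it does not exist
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

function Get-TemplateState([string]$Root, [string]$Culture) {
    # Each .admx needs a same-named .adml in the language subfolder
    [pscustomobject]@{
        Root = $Root
        Admx = Get-HashOrNull (Join-Path $Root 'DeviceGuard.admx')
        Adml = Get-HashOrNull (Join-Path (Join-Path $Root $Culture) 'DeviceGuard.adml')
    }
}

# EditionID is 'Core' (or starts with 'Core') on Home, 'Professional' on Pro
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
$src = Get-TemplateState $source $lang
$dst = Get-TemplateState $target $lang

$findings = @()
if ($edition -like 'Core*') {
    $findings += "Edition is '$edition' (Home): per this thread, Device Guard is not present there by default."
}
if (-not $src.Admx) {
    $findings += "Downloaded templates not found under $source; adjust the path to the installed package."
}
if (-not $dst.Admx) {
    $findings += "DeviceGuard.admx is missing from $target."
}
if (-not $dst.Adml) {
    $findings += "DeviceGuard.adml is missing from $target\$lang; the .admx needs it for its display strings."
}
if ($src.Admx -and $dst.Admx -and $src.Admx -ne $dst.Admx) {
    $findings += 'DeviceGuard.admx in the Windows folder differs from the downloaded copy.'
}
if ($src.Adml -and $dst.Adml -and $src.Adml -ne $dst.Adml) {
    $findings += "DeviceGuard.adml in $lang differs from the downloaded copy (.admx and .adml may be from different releases)."
}
if (-not $findings) {
    $findings = @('Template files are present and match the downloaded package.')
}

$src, $dst | Format-List
"Edition: $edition; UI culture: $lang"
$findings
```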
@alexshin0523 ,
Add Ownership Context Menu.zip
Unzip the file, merge it, then go to C:/Windows/PolicyDefinitions, right-click, click take ownership of the folder, then copy the policies.
I attached the full policy definitions from my Windows OS. Unzip the file and copy the appropriate files to the corresponding folder.
@alexshin0523 : Please note, as long as you are using Windows 10 Home edition, Microsoft does not expect your Windows version to be covered by the Microsoft IT Pro documentation, unless the document is talking about Windows 10 Home edition explicitly. Everything else should be considered available AS IS, meaning that "if it works, it works, but we are not saying that we guarantee that it will work".
@RAJU2529 Sorry for the late reply, I was working on this for like 8 hours straight and needed a break lol
I'm a little confused about your instructions. What do you mean by merge the Add Ownership Context Menu? Do I merge it with C:/Windows/PolicyDefinitions?
Do you mean I have to change ownership of C:/Windows/PolicyDefinitions to me, then copy-paste the Ownership Context Menu into my C:/Windows/PolicyDefinitions and also do the same for PolicyDefinitions?
@alexshin0523 . right click of .reg file click merge. thats it
if you get error while copying files to en-us folder,
right click on en-us folder, click take ownership
@RAJU2529 For some reason it is still not working even after I copied everything over successfully and merged the .reg file
Here is a video of what I did: https://youtu.be/NMDum_JgpG0
Also after the video, I merged the .reg file inside C:/Windows/PolicyDefinitions by right-clicking and selecting merge, but it is still not showing me Device Guard.
@alexshin0523. You did it wrong. You did not understand what I said.
After adding something to Registry, it is often required to reboot the computer (restart Windows).
@RAJU2529 I'm so sorry about that, could you elaborate on what I did wrong?
Also, I really appreciate your help, all this is very new to me and I am still learning.
@illfated Thanks I will try that
@illfated The restart was not the problem. It is still showing the same list as before.
@RAJU2529 I deleted the copy of the .reg file in C:/Windows/PolicyDefinitions and merged it from the original folder. Is there something else I did wrong?
@alexshin0523 , Will you upgrade to professional edition from home edition .
@alexshin0523 : Very well, thank you for confirming that a reboot was not the issue.
@RAJU2529 If I buy the professional edition, will I be able to access Device Guard as soon as it is done downloading?
@illfated would you recommend this too? Or should I keep trying to make this work?
@alexshin0523. Device Guard features depend upon the processor's enabled supported features, TPM, and the Windows 10 Pro or Enterprise OS.
Give me one or two days' time. I will install Windows Home edition myself and try to enable Device Guard; if it works, then there is no need to buy the Professional edition.
@RAJU2529 Thank you so much, I appreciate all your help! I look forward to hearing from you!
@RAJU2529 Thank you so much, I appreciate all your help! I look forward to hearing from you!
at last try this step.
Install Group Policy Editor.zip
unzip the file , right click on " Install Group Policy Editor.bat" run as administrator .
then see if device guard is visible or not
@RAJU2529 The .bat you sent me ran successfully, but when I opened gpedit.msc on cmd with administrative rights, the list was still the same and does not include device guard
Edit: I also tried to restart my laptop, but it did not change anything. It did update a bit while restarting, but I guess that must've been for something else.