Information
This policy setting enables Hardware-enforced Stack Protection for kernel-mode code. Kernel-mode data stacks are hardened with hardware-based shadow stacks, which store the intended return address targets to ensure that program control flow is not tampered with.
The recommended state for this setting is: Enabled: Enabled in enforcement mode
Note: Virtualization Based Security (VBS) requires a 64-bit version of Windows with Secure Boot enabled, which in turn requires that Windows was installed with a UEFI BIOS configuration, not a Legacy BIOS configuration. In addition, if running Windows on a virtual machine, the hardware-assisted CPU virtualization feature (Intel VT-x or AMD-V) must be exposed by the host to the guest VM.
More information on system requirements for this feature can be found at: Windows Defender Credential Guard Requirements (Windows 10) | Microsoft Docs
Note #2: This specific security feature of VBS is only compatible with Windows 11 Release 22H2 (or newer).
Note #3: Only Intel CPUs from Tiger Lake and beyond or AMD CPUs from Zen 3 and beyond (both were released in fall 2020) are compatible with this security feature.
Note #4: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.
This setting stores a copy of an app's shadow stack (the intended code execution flow) in the hardware-based (CPU) security feature VBS. This can prevent malware from hijacking an app's code by exploiting memory bugs such as stack buffer overflows, dangling pointers, or uninitialized variables. This allows VBS to shut down any exploit attempt that relies on modifying the intended code execution flow.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Enabled in enforcement mode:
Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection
Note: This Group Policy path is provided by the Group Policy template DeviceGuard.admx/adml that is included with the Microsoft Windows 11 Release 22H2 Administrative Templates v1.0 (or newer).
Impact:
This setting is dependent upon Virtualization Based Protection of Code Integrity (aka HVCI) first being enabled, in addition to CPU hardware support for shadow stacks. If either HVCI is not enabled or hardware-based shadow stacks are not supported, this setting will have no effect.
If this setting is successfully enabled, shadow stack violations will be fatal.
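Because the policy only takes effect once HVCI is running and the CPU supports shadow stacks, it is worth checking both the configured value and the running state after applying the GP setting above. The following PowerShell audit helper is an added example, not part of the benchmark text; it assumes the policy is written to HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks (Enabled=1, Audit=0 for enforcement mode) and that the Win32_DeviceGuard CIM class reports HVCI as security service 2 and Kernel-mode Hardware-enforced Stack Protection as service 6.

```powershell
# Added audit helper (not from the benchmark). Assumptions: the registry
# location below is where the GP setting lands, and the Win32_DeviceGuard
# service codes are 2 = HVCI, 6 = Kernel-mode HW-enforced Stack Protection.
$kssKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'

function Test-KernelShadowStackPolicy {
    $result = [ordered]@{
        PolicyEnabled   = $false   # policy set to Enabled (audit or enforce)
        EnforcementMode = $false   # policy set to "Enabled in enforcement mode"
        HvciRunning     = $false   # prerequisite: HVCI actually running
        KssRunning      = $false   # kernel shadow stacks actually running
    }

    # 1. What did Group Policy configure? (assumed registry location)
    $kss = Get-ItemProperty -Path $kssKey -ErrorAction SilentlyContinue
    if ($kss) {
        $result.PolicyEnabled   = ($kss.Enabled -eq 1)
        $result.EnforcementMode = ($kss.Enabled -eq 1 -and $kss.Audit -eq 0)
    }

    # 2. What is the hypervisor actually running right now?
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop
    $running = @($dg.SecurityServicesRunning)
    $result.HvciRunning = $running -contains 2
    $result.KssRunning  = $running -contains 6

    [pscustomobject]$result
}

$state = Test-KernelShadowStackPolicy
$state | Format-List

if (-not $state.HvciRunning) {
    Write-Warning 'HVCI is not running; this setting has no effect until it is enabled.'
} elseif ($state.EnforcementMode -and -not $state.KssRunning) {
    Write-Warning 'Policy is in enforcement mode but the service is not running; check CPU support (Tiger Lake / Zen 3 or newer) and Windows 11 22H2 or newer.'
} elseif ($state.EnforcementMode -and $state.KssRunning) {
    Write-Output 'Compliant: Kernel-mode Hardware-enforced Stack Protection is enforced.'
} else {
    Write-Output 'Not compliant: set the policy to Enabled: Enabled in enforcement mode.'
}
```

Run from an elevated PowerShell session after a gpupdate and reboot, since the running-state values only change once the hypervisor has restarted with the new configuration.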
Note: This setting was moved from the Next Generation (NG) profile to the Level 1 (L1) profile for the Windows 11 Operating System only. NG profile settings were isolated from the L1 profile due to potential hardware compatibility issues. The Windows 11 Operating System is dependent on the same hardware as the NG settings, so hardware compatibility is no longer an issue.