Turn On Virtualization Based Security

Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support (an IOMMU) and will only be enabled on correctly configured devices.

Virtualization Based Protection of Code Integrity: This setting enables virtualization based protection of Kernel Mode Code Integrity. When this is enabled, kernel mode memory protections are enforced and the Code Integrity validation path is protected by the virtualization based security feature. Warning: All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.

Credential Guard: This setting lets you decide whether users can turn on Credential Guard with virtualization-based security to help protect credentials. Disabling this setting does not remove the feature from a computer on which Credential Guard was enabled with the UEFI lock. Instead, you must also remove the security functionality from each such computer with a physically present user in order to clear the configuration persisted in Secure Boot (UEFI) variables. Please refer to the documentation for a complete set of requirements to securely configure this feature.
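The following PowerShell is an added example, not part of the policy reference, showing how to verify on a target machine that the services this setting turns on (VBS, HVCI, Credential Guard) are configured and actually running, that the Secure Boot prerequisite is met, and whether Credential Guard was enabled with the UEFI lock that the text above describes as "configuration persisted in Secure Boot". It reads the Win32_DeviceGuard WMI class and the LsaCfgFlags registry value; the numeric code tables are those documented for that class.

```powershell
# Added example (not from the policy reference): report VBS / HVCI / Credential
# Guard state on this machine. Run from an elevated PowerShell session.

$ns = 'root\Microsoft\Windows\DeviceGuard'
$dg = Get-CimInstance -Namespace $ns -ClassName Win32_DeviceGuard

# Code tables as documented for the Win32_DeviceGuard WMI class.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (virtualization based protection of code integrity)';
                3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }
$platform  = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only'; 6 = 'SMM mitigations' }

function Describe-Codes([int[]]$codes, [hashtable]$table) {
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object { if ($table.ContainsKey($_)) { $table[$_] } else { "Unknown($_)" } }) -join ', '
}

[pscustomobject]@{
    VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    RequiredProperties  = Describe-Codes $dg.RequiredSecurityProperties  $platform
    AvailableProperties = Describe-Codes $dg.AvailableSecurityProperties $platform
    ServicesConfigured  = Describe-Codes $dg.SecurityServicesConfigured  $services
    ServicesRunning     = Describe-Codes $dg.SecurityServicesRunning     $services
} | Format-List

# Configured-but-not-running usually means the policy applied but the machine
# has not rebooted, or a prerequisite is missing (Secure Boot, IOMMU/DMA
# protection, or a driver that is incompatible with HVCI).
$notRunning = @($dg.SecurityServicesConfigured) | Where-Object { $_ -notin @($dg.SecurityServicesRunning) }
foreach ($code in $notRunning) {
    Write-Warning ("{0} is configured but not running" -f $services[[int]$code])
}

# Secure Boot is a hard requirement for VBS. Confirm-SecureBootUEFI throws on
# legacy BIOS machines, so treat an exception as 'not available'.
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }
Write-Output ("Secure Boot enabled: {0}" -f $secureBoot)

# LsaCfgFlags = 1 means Credential Guard is enabled with the UEFI lock (the
# 'configuration persisted in Secure Boot' that policy alone cannot clear);
# 2 means enabled without the lock.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
switch ([int]$lsa.LsaCfgFlags) {
    1       { Write-Output 'Credential Guard: enabled with UEFI lock (needs a physically present user to clear)' }
    2       { Write-Output 'Credential Guard: enabled without UEFI lock' }
    default { Write-Output 'Credential Guard: not configured in LsaCfgFlags' }
}
```

Before rolling HVCI out, run this on a representative machine after a reboot: if HVCI shows as configured but not running, check for an incompatible driver before widening the deployment, since that is the failure mode the warning in the setting text refers to.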

Deploy Code Integrity Policy

This policy setting lets you deploy a Code Integrity Policy to a machine to control what is allowed to run on that machine. If you deploy a Code Integrity Policy, Windows will restrict what can run in both kernel mode and on the Windows Desktop based on the policy. To enable this policy the machine must be rebooted.

The file path must be either a UNC path (for example \\ServerName\ShareName\SIPolicy.p7b) or a locally valid path (for example C:\FolderName\SIPolicy.p7b). The local machine account (LOCAL SYSTEM) must have read access to the policy file.

If using a signed and protected policy, disabling this policy setting doesn't remove the feature from the computer. Instead you must either: 1) first update the policy to a non-protected policy and then disable the setting, or 2) disable the setting and then remove the policy from each computer with a physically present user.
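The PowerShell below is an added example, not code from the policy reference. It checks a policy path against the two shapes the setting accepts (UNC or local drive path), confirms LOCAL SYSTEM has a read ACE on the file, stages the deployment through the registry values the DeviceGuard ADMX writes for this setting (DeployConfigCIPolicy and ConfigCIPolicyFilePath under the Policies\Microsoft\Windows\DeviceGuard key; verify these against your own ADMX copy), and reads back the enforcement state after the required reboot. Server, share and file names are placeholders.

```powershell
# Added example (not from the policy reference). Registry value names are those
# the DeviceGuard ADMX writes; confirm against the ADMX in your central store.

function Test-CIPolicyPath {
    param([Parameter(Mandatory)][string]$Path)

    # Only the two shapes the setting allows: \\Server\Share\... or X:\...
    if ($Path -notmatch '^(\\\\[^\\]+\\[^\\]+\\|[A-Za-z]:\\)') {
        throw "Path must be a UNC path (\\ServerName\ShareName\SIPolicy.p7b) or a local path (C:\FolderName\SIPolicy.p7b): $Path"
    }
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        throw "Policy file not found: $Path"
    }

    # LOCAL SYSTEM (S-1-5-18) loads the file at boot, so it needs Read on the
    # NTFS ACL; for a UNC path the computer account also needs share access.
    # Generic-rights ACEs are not decoded here, so a miss is a warning only.
    $systemSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'
    $readBits  = [int][System.Security.AccessControl.FileSystemRights]::Read
    $acl = Get-Acl -LiteralPath $Path
    $systemRead = $acl.Access | Where-Object {
        $sid = try { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) } catch { $null }
        $_.AccessControlType -eq 'Allow' -and $sid -eq $systemSid -and
        (([int]$_.FileSystemRights -band $readBits) -ne 0)
    }
    if (-not $systemRead) {
        Write-Warning "No explicit Allow/Read ACE for LOCAL SYSTEM on $Path; the policy may fail to load at boot"
    }
    return $true
}

function Set-CIPolicyDeployment {
    param([Parameter(Mandatory)][string]$Path)
    Test-CIPolicyPath -Path $Path | Out-Null
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name DeployConfigCIPolicy   -Value 1     -Type DWord
    Set-ItemProperty -Path $key -Name ConfigCIPolicyFilePath -Value $Path -Type String
    Write-Output "Policy staged from $Path; a reboot is required before it takes effect."
}

function Get-CIEnforcementState {
    # 0 = Off, 1 = Audit, 2 = Enforced, as documented for Win32_DeviceGuard.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $modes = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    [pscustomobject]@{
        KernelMode = $modes[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserMode   = $modes[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
    }
}

# Usage (placeholder paths):
#   Set-CIPolicyDeployment -Path '\\ServerName\ShareName\SIPolicy.p7b'
#   Restart-Computer
#   Get-CIEnforcementState
```

When you later need to retire a signed and protected policy, stage a non-protected (or unsigned) update through the same path first and reboot, then clear the setting; clearing the setting alone leaves the protected policy enforced, as the text above describes.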

Untrusted Font Blocking

This security feature provides a global setting to prevent programs from loading untrusted fonts. Untrusted fonts are any font installed outside of the %windir%\Fonts directory. This feature can be configured in three modes: On, Off and Audit. By default it is Off and no fonts are blocked. If you aren't quite ready to deploy this feature across your organization, you can run it in Audit mode: font loads that would have been blocked are logged rather than denied, so you can see whether blocking untrusted fonts causes any usability or compatibility issues.
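The PowerShell below is an added example, not code from the policy reference. It switches the feature between Off, Audit and On through the registry value the policy writes (MitigationOptions_FontBocking, a misspelling that is the real value name, under the Policies\Microsoft\Windows NT\MitigationOptions key, with the string values 1000000000000 for On, 2000000000000 for Off and 3000000000000 for Audit), reads the current mode back, and collects the audit events (event ID 260 in the Microsoft-Windows-Win32k/Operational log) so that an Audit rollout produces a list of processes and font files that enforcement would break. The regular expression used to pull the font path out of the event message is an assumption about the message format and should be checked against a real event.

```powershell
# Added example (not from the policy reference). Key, value name and event
# source follow Microsoft's untrusted-font-blocking guidance; run elevated.

$fontKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\MitigationOptions'
$fontValue = 'MitigationOptions_FontBocking'   # sic: the documented value name
$modes     = @{ On = '1000000000000'; Off = '2000000000000'; Audit = '3000000000000' }

function Set-UntrustedFontBlocking {
    param([Parameter(Mandatory)][ValidateSet('On', 'Off', 'Audit')][string]$Mode)
    if (-not (Test-Path $fontKey)) { New-Item -Path $fontKey -Force | Out-Null }
    Set-ItemProperty -Path $fontKey -Name $fontValue -Value $modes[$Mode] -Type String
    Write-Output "Untrusted font blocking set to $Mode; reboot to apply."
}

function Get-UntrustedFontBlocking {
    $v = (Get-ItemProperty -Path $fontKey -Name $fontValue -ErrorAction SilentlyContinue).$fontValue
    if (-not $v) { return 'Off (not configured)' }   # the default described above
    $hit = $modes.GetEnumerator() | Where-Object { $_.Value -eq $v }
    if ($hit) { $hit.Name } else { "Unknown ($v)" }
}

# In Audit mode each font load that would have been blocked is logged to
# Microsoft-Windows-Win32k/Operational as event ID 260. Summarise per process
# and font file so the compatibility impact of switching to On is visible.
function Get-UntrustedFontAuditSummary {
    param([int]$Days = 7)
    $filter = @{ LogName = 'Microsoft-Windows-Win32k/Operational'; Id = 260
                 StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message layout: "<process> attempted loading a font ... FontPath: <path> ..."
            $font = if ($_.Message -match 'FontPath:\s*(?<p>.+?)\s*(Blocked:|$)') { $Matches.p } else { '(unparsed)' }
            $proc = if ($_.Message -match '^(?<e>.+?)\s+attempted') { $Matches.e } else { '(unparsed)' }
            [pscustomobject]@{ Process = $proc; Font = $font }
        } |
        Group-Object Process, Font |
        Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Process'; e = { $_.Group[0].Process } }, @{ n = 'Font'; e = { $_.Group[0].Font } }
}

# Usage:
#   Set-UntrustedFontBlocking -Mode Audit   ; reboot, wait a week
#   Get-UntrustedFontAuditSummary -Days 7   ; review, then
#   Set-UntrustedFontBlocking -Mode On
```

Fonts that the audit shows as legitimately needed should be installed into %windir%\Fonts (where they become trusted) rather than excepted application by application.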