-
Notifications
You must be signed in to change notification settings - Fork 3
/
DeviceGuard.admx
98 lines (97 loc) · 3.62 KB
/
DeviceGuard.admx
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
<?xml version="1.0" encoding="utf-8"?>
<!-- (c) 2015 Microsoft Corporation -->
<policyDefinitions xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" revision="1.0" schemaVersion="1.0" xmlns="http://schemas.microsoft.com/GroupPolicy/2006/07/PolicyDefinitions">
<policyNamespaces>
<target prefix="DeviceGuard" namespace="Microsoft.Windows.DeviceGuard" />
<using prefix="windows" namespace="Microsoft.Policies.Windows" />
</policyNamespaces>
<resources minRequiredRevision="1.0" />
<categories>
<category name="DeviceGuardCategory" displayName="$(string.DeviceGuard)">
<parentCategory ref="windows:System" />
</category>
</categories>
<policies>
<policy
name="VirtualizationBasedSecurity"
clientExtension="{F312195E-3D9D-447A-A3F5-08DFFA24735E}"
displayName="$(string.VirtualizationBasedSecurity)"
explainText="$(string.VirtualizationBasedSecurityHelp)"
presentation="$(presentation.VirtualizationBasedSecurity)"
class="Machine"
key="SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
valueName="EnableVirtualizationBasedSecurity">
<parentCategory ref="DeviceGuardCategory" />
<supportedOn ref="windows:SUPPORTED_Windows_10_0" />
<elements>
<enum
id="RequirePlatformSecurityFeaturesDrop"
valueName="RequirePlatformSecurityFeatures">
<item displayName="$(string.SecureBoot)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.SecureBootAndDmaProtection)">
<value>
<decimal value="3" />
</value>
</item>
</enum>
<enum
id="HypervisorEnforcedCodeIntegrityDrop"
valueName="HypervisorEnforcedCodeIntegrity">
<item displayName="$(string.Disabled)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.EnabledWithUefiLock)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.EnabledWithoutLock)">
<value>
<decimal value="2" />
</value>
</item>
</enum>
<enum
id="CredentialIsolationDrop"
valueName="LsaCfgFlags">
<item displayName="$(string.Disabled)">
<value>
<decimal value="0" />
</value>
</item>
<item displayName="$(string.EnabledWithUefiLock)">
<value>
<decimal value="1" />
</value>
</item>
<item displayName="$(string.EnabledWithoutLock)">
<value>
<decimal value="2" />
</value>
</item>
</enum>
</elements>
</policy>
<policy
name="ConfigCIPolicy"
clientExtension="{FC491EF1-C4AA-4CE1-B329-414B101DB823}"
displayName="$(string.ConfigCIPolicy)"
explainText="$(string.ConfigCIPolicyHelp)"
presentation="$(presentation.ConfigCIPolicy)"
class="Machine"
key="SOFTWARE\Policies\Microsoft\Windows\DeviceGuard"
valueName="DeployConfigCIPolicy">
<parentCategory ref="DeviceGuardCategory" />
<supportedOn ref="windows:SUPPORTED_Windows_10_0" />
<elements>
<text id="ConfigCIPolicyFilePathText" valueName="ConfigCIPolicyFilePath" maxLength="255" required="true" />
</elements>
</policy>
</policies>
</policyDefinitions>