Security: Virtualization-based security must be enabled with platform security level set to Secure Boot

b056102b-3477-4a44-bda9-536330033264

Windows OS: Virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection

Virtualization Based Security (VBS) provides the platform for the additional security features Credential Guard and virtualization-based protection of code integrity. Secure Boot is the minimum security level, with DMA protection providing additional memory protection. DMA Protection requires a CPU that supports input/output memory management unit (IOMMU).

Remediation

To fix this configure the policy value for:
Computer Configuration
|_ Administrative Templates
|_ System
|_ Device Guard
|_ Turn On Virtualization Based Security to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected.

A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link:

https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard

STIG:
Server 2022: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2022-08-25/finding/V-254343
Server 2019: https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93245 / https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93245
Server 2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2021-09-29/finding/V-224923 / https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73513

Desktop:
W10: https://www.stigviewer.com/stig/microsoft_windows_10/2022-04-08/finding/V-220811 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220811
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2022-06-24/finding/V-253369

NOTE: The policy settings referenced in the Fix section will configure the registry values. However, due to hardware requirements, the registry values alone do not ensure proper function.

NOTE 2: If this GPO is enabled but the secure boot is not when applying the GPO changes an error GPO error message applying settings for {F312195E-3D9D-447A-A3F5-08DFFA24735E} could be shown, indicating that secure boot is not enabled so this policy can't be applied.