CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.8.5.6 (NG) Ensure 'Turn On Virtualization Based Security: Secure Launch Configuration' is set to 'Enabled' (Scored)

Profile Applicability:

Level 1 (L1) + Next Generation Windows Security (NG)

Level 1 (L1) + BitLocker (BL) + Next Generation Windows Security (NG)

Level 2 (L2) + Next Generation Windows Security (NG)

Level 2 (L2) + BitLocker (BL) + Next Generation Windows Security (NG)

Next Generation Windows Security (NG) - optional add-on for use in the newest hardware and configuration environments

Description:

Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware.

The recommended state for this setting is: Enabled .

Rationale:

Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard:ConfigureSystemGuardLaunch
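The following PowerShell audit script is an added example and is not part of the CIS benchmark text. It reads the registry value named above and, separately, queries the runtime state so an auditor can distinguish "policy set" from "Secure Launch actually running" (the policy can be Enabled on hardware that cannot honour it). Two assumptions beyond the page: that the GPO stores Enabled as REG_DWORD 1 under ConfigureSystemGuardLaunch (the mapping the DeviceGuard ADMX uses; confirm against your build), and that the Win32_DeviceGuard WMI class reports System Guard Secure Launch as service code 3 in SecurityServicesConfigured / SecurityServicesRunning, per Microsoft's documentation of that class.

```powershell
# Added audit example; not the benchmark's own code.
# Assumptions (not stated on the benchmark page):
#   - 'Enabled' for this policy is persisted as REG_DWORD 1 (from the ADMX; verify locally).
#   - Win32_DeviceGuard reports Secure Launch as service code 3 (Microsoft docs).
function Test-SecureLaunchPolicy {
    [CmdletBinding()]
    param()

    $keyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    $valueName = 'ConfigureSystemGuardLaunch'
    $expected  = 1            # assumed: 1 = Enabled
    $secureLaunchCode = 3     # assumed: Win32_DeviceGuard code for System Guard Secure Launch

    $result = [ordered]@{
        PolicyKeyPresent       = $false
        PolicyValue            = $null
        PolicyCompliant        = $false
        SecureLaunchConfigured = $false
        SecureLaunchRunning    = $false
    }

    # 1. Policy check: the registry value the Group Policy setting writes.
    if (Test-Path -Path $keyPath) {
        $result.PolicyKeyPresent = $true
        $item = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $result.PolicyValue     = $item.$valueName
            $result.PolicyCompliant = ($item.$valueName -eq $expected)
        }
    }

    # 2. Runtime check: is Secure Launch configured and actually running?
    #    Both properties are arrays of service codes.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction SilentlyContinue
    if ($null -ne $dg) {
        $result.SecureLaunchConfigured = ($secureLaunchCode -in @($dg.SecurityServicesConfigured))
        $result.SecureLaunchRunning    = ($secureLaunchCode -in @($dg.SecurityServicesRunning))
    }

    [pscustomobject]$result
}

# Usage: run from an elevated prompt on the audited host.
$r = Test-SecureLaunchPolicy
$r | Format-List

if ($r.PolicyCompliant -and $r.SecureLaunchRunning) {
    Write-Output 'PASS: policy is Enabled and Secure Launch is running.'
} elseif ($r.PolicyCompliant) {
    Write-Output 'PARTIAL: policy is Enabled but Secure Launch is not running (check firmware/hardware support).'
} else {
    Write-Output 'FAIL: ConfigureSystemGuardLaunch is not set to Enabled.'
}
```

The PARTIAL branch is the case worth watching in fleet audits: a compliant registry value does not mean the protection is active, so a finding based only on the registry location can overstate coverage on devices whose firmware lacks the required support.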

