  • Message 1 of 17

Device Guard BIOS Setting?

2018-01-30, 16:20 PM

T460s and T470s have a Device Guard setting in the BIOS. According to this article (https://support.lenovo.com/us/en/solutions/ht503039), only ThinkPad devices with this setting are officially supported for Device Guard. However, I would like a more detailed explanation of what the BIOS setting actually does or what feature it enables. We have some older model ThinkPads that meet system requirements for Device Guard according to Microsoft that do not have the BIOS option for enabling Device Guard, so we are looking for further information in order to move forward.

 

Thanks for any input. 

 

  • Message 2 of 17

Re: Device Guard BIOS Setting?

2018-01-31, 2:35 AM

You might read this:

 

https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/

 


Rich


  • Message 3 of 17

Re: Device Guard BIOS Setting?

2019-04-10, 6:11 AM
I have the same question about this feature, using the X1 Extreme; I am worried about the boot order being locked and not being able to use USB Flash to repair / re-install MS OS. For reasons unknown, I cannot place the USB F to the top of the boot order list. Details seem to be scarce on this - even with the instructions!
  • Message 4 of 17

Re: Device Guard BIOS Setting?

2019-04-11, 17:08 PM

With Device Guard enabled, boot order is locked to internal drive only.  USB boot is not possible.  But you can always go into BIOS setup and disable Device Guard if you need to boot to USB.

  • Message 5 of 17

Re: Device Guard BIOS Setting?

2019-10-02, 7:08 AM

Does it mean it has nothing to do with the Windows Defender Device Guard? I understand that these are completely different things.

1. Device Guard in BIOS means it only denies booting from USB devices.

2. Windows Defender Device Guard is a Windows-only feature. It has nothing to do with the "Device Guard" setting in the BIOS.

Is that correct?

Edit: I have set the Device Guard in BIOS to DISABLED, but I cannot boot from the USB stick. So I think the first rule is wrong...?

Regards,

R. Langen

  • Message 6 of 17

Re: Device Guard BIOS Setting?

2019-10-02, 12:21 PM

The Device Guard BIOS setting locks down the boot order to internal HDD/SSD only.  It also configures the other BIOS settings (like Virtualization) which are required for Device Guard.  But you still need to enable Device Guard in Windows if you want to use it.

 

If you have Device Guard disabled and still can't boot from USB stick, it might be something wrong with your USB stick.  What are you trying to boot to, and what are the contents of the USB stick?

  • Message 7 of 17

Re: Device Guard BIOS Setting?

2019-10-14, 23:48 PM

Hi!

One possibility is that you have Secure Boot still active. Most bootable tools are not boot-signed for Secure Boot.

 

Device Guard does turn ON Secure Boot (as well as change a handful of others), but disabling Device Guard does not return the settings to their previous state. It's up to you to change the settings back.

 

Martin

  • Message 8 of 17

Re: Device Guard BIOS Setting?

2019-10-15, 0:19 AM

Windows Defender Device Guard might be a software implementation of Device Guard. I would hope it augments the BIOS capabilities too if enabled, as the BIOS still has a somewhat limited understanding of devices.

 

The idea is to force the computer to boot ONLY to Windows, so Windows can limit or block all other possible boot devices. That explains the need for Secure Boot and locking out external devices.

 

I'm not completely sure yet about why it enables VT tech, but I suspect it's to better protect critical structures in Windows from external tampering by malware. After all, on capable machines, Windows creates a virtual machine in which it partly runs to better defend itself from attack. That way, "normal" users cannot alter critical structures. At least, that's the plan...

 

Martin
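
Added example, not part of any post in this thread: a PowerShell check of the Windows-side state the replies above describe, covering whether Secure Boot is on, which firmware prerequisites Windows sees as available, and whether virtualization-based security is actually running. It queries the built-in `Win32_DeviceGuard` CIM class and `Confirm-SecureBootUEFI`; the helper `Resolve-Names` and the lookup tables are names made up for this example, and the session is assumed to be elevated.

```powershell
# Added example: report Secure Boot and Device Guard / VBS state as Windows sees it.
# Assumes an elevated PowerShell session on Windows 10 or later.

# Value meanings for the Win32_DeviceGuard properties (lookup tables local to this example).
$propertyNames = @{
    0 = 'None'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure memory overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
}
$serviceNames = @{ 0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
$vbsStatus    = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$ciStatus     = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

# Hypothetical helper: translate an array of numeric codes into readable names.
function Resolve-Names($values, $map) {
    $names = foreach ($v in $values) {
        if ($map.ContainsKey([int]$v)) { $map[[int]$v] } else { "Unknown ($v)" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

# Confirm-SecureBootUEFI fails on legacy BIOS/CSM boots and in non-elevated sessions.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = "Not reported: $($_.Exception.Message)" }

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

[pscustomobject]@{
    SecureBootEnabled   = $secureBoot
    AvailableProperties = Resolve-Names $dg.AvailableSecurityProperties $propertyNames
    RequiredProperties  = Resolve-Names $dg.RequiredSecurityProperties  $propertyNames
    ServicesConfigured  = Resolve-Names $dg.SecurityServicesConfigured  $serviceNames
    ServicesRunning     = Resolve-Names $dg.SecurityServicesRunning     $serviceNames
    VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    CodeIntegrityPolicy = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
} | Format-List
```

A machine where `AvailableProperties` lists hypervisor support and Secure Boot but `VbsStatus` is "Not enabled" has the firmware side in place and only lacks the Windows-side configuration.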

  • Message 9 of 17

Re: Device Guard BIOS Setting?

2020-06-20, 10:31 AM

Hi, I read your inputs very carefully; now I have one query. My Windows has become corrupted and I want to disable Device Guard from the T470 BIOS, but no option is available as Device Guard is enabled.

Please advise. I have been following up with the Lenovo help desk for the last 2 months, but it looks like they don't have any answers.

  • Message 10 of 17

Re: Device Guard BIOS Setting?

2020-06-21, 23:45 PM

Hi @Sarvesh1306,

 

It should be in your BIOS under Security > Device Guard. To see it, you MUST enter the BIOS Supervisor password or it won't show.

 

You might want to compare your screens with BIOS Simulator Center. 

 

If it doesn't show up, you should check if your BIOS is up to date, take note of your settings and Load Setup Defaults. Then look again.

 

Martin
