01-30-2018 08:20 AM
T460s and T470s have a Device Guard setting in the BIOS. According to this article (https://support.lenovo.com/us/en/solutions/ht503039), only ThinkPad devices with this setting are officially supported for Device Guard. However, I would like a more detailed explanation of what the BIOS setting actually does or what feature it enables. We have some older model ThinkPads that meet system requirements for device guard according to Microsoft that do not have the BIOS option for enabling device guard, so we are looking for further information in order to move forward.
Thanks for any input.
01-30-2018 06:35 PM
you might read this:
04-09-2019 11:11 PM
04-11-2019 10:08 AM
With Device Guard enabled, boot order is locked to internal drive only. USB boot is not possible. But you can always go into BIOS setup and disable Device Guard if you need to boot to USB.
10-02-2019 12:08 AM - edited 10-02-2019 01:16 AM
Does it mean it has nothing to do with the Windows Defender Device Guard? I understand that these are completely different things.
1. Device Guard in BIOS means it only denies booting from USB devices.
2. Windows Defender Device Guard is a Windows-only feature. It has nothing to do with the "Device Guard" setting in the BIOS.
Is that correct?
Edit: I have set the Device Guard in BIOS to DISABLED, but I cannot boot from the USB stick. So I think the first rule is wrong...?
10-02-2019 05:21 AM
The Device Guard BIOS setting locks down the boot order to internal HDD/SSD only. It also configures the other BIOS settings (like Virtualization) which are required for Device Guard. But you still need to enable Device Guard in Windows if you want to use it.
If you have Device Guard disabled and still can't boot from the USB stick, it might be something wrong with your USB stick. What are you trying to boot to, and what are the contents of the USB stick?
10-14-2019 04:48 PM
One possibility is that you have Secure Boot still active. Most bootable tools are not boot-signed for Secure Boot.
Device Guard does turn ON Secure Boot (as well as change a handful of others), but disabling Device Guard does not return the settings to their previous state. It's up to you to change the settings back.
10-14-2019 05:19 PM
Windows Defender Device Guard might be a software implementation of Device Guard. I would hope it augments the BIOS capabilities too if enabled, as the BIOS still has a somewhat limited understanding of devices.
The idea is to force the computer to boot ONLY to Windows, so Windows can limit or block all other possible boot devices. That explains the need for Secure Boot and locking out external devices.
I'm not completely sure yet about why it enables VT tech, but I suspect it's to better protect critical structures in Windows from external tampering by malware. After all, on capable machines, Windows creates a virtual machine in which it partly runs to better defend itself from attack. That way, "normal" users cannot alter critical structures. At least, that's the plan...
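Several posts above describe what the BIOS "Device Guard" setting prepares (Secure Boot, virtualization) and note that Windows still has to be configured separately. The script below is an added example, not code from this thread or from Lenovo: it reads the firmware and virtualization-based security state that Windows itself reports, so you can see on any ThinkPad, including the older models without the BIOS option, which prerequisites are present and whether VBS/HVCI is actually running. It uses the built-in `Confirm-SecureBootUEFI` cmdlet and the `Win32_DeviceGuard` WMI class; the numeric-code lookup tables are taken from Microsoft's documentation of that class. The function name `Get-DeviceGuardState` is my own.

```powershell
# Added example (not from the forum thread): report the Windows-side Device Guard /
# virtualization-based security (VBS) state. Run from an elevated PowerShell prompt;
# Confirm-SecureBootUEFI requires administrator rights and UEFI firmware.

# Property codes reported by Win32_DeviceGuard (values per Microsoft documentation).
$SecurityPropertyNames = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI code readonly'
    6 = 'SMM security mitigations 1.0'
    7 = 'Mode Based Execution Control'
    8 = 'APIC virtualization'
}
$SecurityServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$VbsStatusNames = @{
    0 = 'Disabled'
    1 = 'Enabled but not running'
    2 = 'Running'
}

function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    # Secure Boot state from the firmware. The cmdlet throws on legacy BIOS boots
    # or when not elevated, so record that rather than failing the whole report.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = "unknown ($($_.Exception.Message))" }

    # Translate the numeric code arrays into readable names.
    $toNames = { param($codes, $table) @($codes | ForEach-Object { if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "code $_" } }) }
    $available  = & $toNames $dg.AvailableSecurityProperties $SecurityPropertyNames
    $required   = & $toNames $dg.RequiredSecurityProperties  $SecurityPropertyNames
    $configured = & $toNames $dg.SecurityServicesConfigured  $SecurityServiceNames
    $running    = & $toNames $dg.SecurityServicesRunning     $SecurityServiceNames

    # Anything Windows says VBS requires but the platform does not offer is what the
    # BIOS (or a firmware update) would still have to provide.
    $missing = @($required | Where-Object { $_ -notin $available })

    [pscustomobject]@{
        SecureBootEnabled           = $secureBoot
        VbsStatus                   = $VbsStatusNames[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableSecurityProperties = ($available  -join ', ')
        RequiredSecurityProperties  = ($required   -join ', ')
        MissingRequiredProperties   = ($missing    -join ', ')
        ServicesConfigured          = ($configured -join ', ')
        ServicesRunning             = ($running    -join ', ')
        KernelCodeIntegrityPolicy   = $dg.CodeIntegrityPolicyEnforcementStatus
        UserModeCodeIntegrityPolicy = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

# Usage: print the report for this machine.
Get-DeviceGuardState | Format-List
```

Reading the output: `SecureBootEnabled` and `Hypervisor support` in the available list are what the BIOS setting turns on; `VbsStatus` of `Running` with `HVCI` under `ServicesRunning` is what the thread calls enabling Device Guard in Windows. If `MissingRequiredProperties` is non-empty, that is the firmware-side gap that the BIOS option (or a manual firmware change) has to close before the Windows side can run.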