How to Configure UEFI Memory Protection for VBS in Microsoft Intune

Configure advanced UEFI Memory Attributes Table policies through Microsoft Intune to enable Hypervisor-Enforced Code Integrity and protect Windows devices against kernel-level attacks using Virtualization-Based Security.

April 25, 2026 18 min
hardintune 9 steps 18 min

Why Configure UEFI Memory Protection for Virtualization-Based Security?

Kernel-level attacks represent one of the most sophisticated threats to modern Windows environments. Traditional antivirus solutions operate at the user level and cannot effectively protect against malware that compromises the Windows kernel itself. This is where Virtualization-Based Security (VBS) and Hypervisor-Enforced Code Integrity (HVCI) become critical defense mechanisms.

UEFI Memory Protection, specifically the Memory Attributes Table (MAT) requirement, ensures that your device firmware properly supports the memory isolation needed for HVCI to function reliably. When properly configured through Microsoft Intune, this creates a hardware-enforced barrier that prevents even sophisticated rootkits and kernel exploits from executing malicious code in protected memory regions.

What Does HVCI Actually Protect Against?

HVCI leverages the Windows hypervisor to create isolated memory regions where critical kernel code executes. This protection specifically defends against:

  • Return-oriented programming (ROP) attacks that attempt to hijack kernel execution flow
  • Kernel code injection where malware tries to insert malicious code into kernel memory
  • Driver-based attacks using unsigned or vulnerable kernel drivers
  • Memory corruption exploits that attempt to modify kernel data structures

The UEFI Memory Attributes Table requirement adds an additional layer by ensuring the underlying firmware correctly marks memory regions with appropriate access permissions, preventing firmware-level bypass attempts.

How Does Microsoft Intune Simplify HVCI Deployment?

Managing HVCI across an enterprise traditionally required complex Group Policy configurations and manual registry modifications on each device. Microsoft Intune's Settings Catalog approach streamlines this by providing centralized policy management with automatic deployment and compliance monitoring. The configuration service provider (CSP) handles the low-level UEFI and hypervisor settings, while Intune provides the management layer for policy assignment, monitoring, and troubleshooting across your entire Windows device fleet.

Implementation Guide

Full Procedure

01

Verify Hardware and Firmware Compatibility

Before deploying UEFI Memory Protection policies, you need to confirm your devices meet the strict hardware requirements. HVCI requires specific firmware capabilities that aren't present on older systems.

First, check if your test device supports the required features. Open PowerShell as administrator and run:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

Look for these critical values in the output:

  • VirtualizationBasedSecurityHardwareRequirementState: Should be "1" (Met)
  • HypervisorEnforcedCodeIntegrityHardwareRequirementState: Should be "1" (Met)
  • SecurityServicesConfigured: Should include "1" (Credential Guard) or "2" (HVCI)

Next, verify UEFI Memory Attributes Table support by checking the firmware version:

Get-ComputerInfo | Select-Object BiosFirmwareType, BiosVersion

If BiosFirmwareType shows "Uefi", check your manufacturer's documentation to confirm EFI_MEMORY_ATTRIBUTES_TABLE support. Most systems from 2018+ support this, but legacy firmware may cause boot failures.

Warning: Deploying HVCI on incompatible hardware will cause blue screen crashes. Always test on a pilot group first.

Verification: Run msinfo32 and search for "Virtualization-based security" - it should show hardware requirements as "Met".
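As an added example (not code from the article), the function below turns the raw numeric codes that Win32_DeviceGuard returns into readable names, using the code meanings Microsoft documents for this class; the function name Get-VbsReadiness and the minimal "hardware ready" heuristic (hypervisor support plus Secure Boot available) are this example's own. Because it also lists the services actually running, the same report serves the verification in step 06.

```powershell
# Added example: decode the Win32_DeviceGuard instance into a VBS/HVCI readiness report.
# Code-to-name mappings follow Microsoft's documented values for this WMI class.
function Get-VbsReadiness {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop

    # Codes used by AvailableSecurityProperties and RequiredSecurityProperties
    $propNames = @{
        0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'
        3 = 'DMA protection'; 4 = 'Secure Memory Overwrite'
        5 = 'UEFI Code Readonly'; 6 = 'SMM Security Mitigations 1.0'
        7 = 'Mode Based Execution Control'; 8 = 'APIC virtualization'
    }
    # Codes used by SecurityServicesConfigured and SecurityServicesRunning
    $svcNames = @{
        0 = 'None'; 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)'
        3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement'
        5 = 'Kernel-mode Hardware-enforced Stack Protection'
        6 = 'Hypervisor-Enforced Paging Translation'
    }
    $vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

    # Map an array of codes to names; unknown codes decode to $null
    $decode = { param($codes, $map) @($codes | ForEach-Object { $map[[int]$_] }) }

    # Heuristic for this example: HVCI needs hypervisor support (1) and Secure Boot (2)
    # to be available; it is "running" only when service code 2 is in SecurityServicesRunning.
    $available = @($dg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        VbsStatus           = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties = & $decode $dg.AvailableSecurityProperties $propNames
        RequiredProperties  = & $decode $dg.RequiredSecurityProperties  $propNames
        ServicesConfigured  = & $decode $dg.SecurityServicesConfigured  $svcNames
        ServicesRunning     = & $decode $dg.SecurityServicesRunning     $svcNames
        HvciHardwareReady   = ($available -contains 1) -and ($available -contains 2)
        HvciRunning         = (@($dg.SecurityServicesRunning) -contains 2)
    }
}

Get-VbsReadiness | Format-List
```

Run it on each pilot candidate before assigning the profile; a device whose AvailableProperties lacks "Secure Boot" or "Hypervisor support" belongs in an exclusion group.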

02

Create UEFI Memory Protection Configuration Profile

Now you'll create the Intune configuration profile that enforces UEFI Memory Protection. This uses the Settings Catalog to configure Virtualization-Based Security policies.

Sign in to the Microsoft Intune admin center at https://endpoint.microsoft.com and navigate to Devices > Configuration > Create > New policy.

Configure the basic profile settings:

  • Platform: Windows 10 and later
  • Profile type: Settings catalog
  • Name: "UEFI Memory Protection - HVCI Enforcement"
  • Description: "Enables Hypervisor-Enforced Code Integrity with UEFI Memory Attributes Table requirement"

Click Next to proceed to configuration settings. In the Configuration settings section, click + Add settings and search for "Virtualization Based Technology".

You'll see several VBS-related settings appear. Select these key settings:

  • Hypervisor Enforced Code Integrity
  • Require UEFI Memory Attributes Table
  • Turn on Virtualization Based Security (if not already enabled)

Pro tip: Use the search function in Settings Catalog rather than browsing categories - it's much faster to find specific VBS settings.

Verification: Confirm you see all three settings added to your configuration profile before proceeding to the next step.

03

Configure Hypervisor-Enforced Code Integrity Settings

This step configures the core HVCI settings that provide kernel-level memory protection. The configuration determines how strictly the policy is enforced and whether it can be disabled remotely.

For the Hypervisor Enforced Code Integrity setting, you have three options:

Setting Value                   Description                         Security Level   Reversibility
------------------------------  ----------------------------------  ---------------  ----------------------
0 - Disabled                    HVCI turned off                     Low              Easy
1 - Enabled with UEFI lock      HVCI on, locked in firmware         Highest          Requires BIOS access
2 - Enabled without UEFI lock   HVCI on, can be disabled remotely   High             Policy/registry change

For production environments, select "1 - Enabled with UEFI lock". This provides maximum security by preventing attackers from disabling HVCI even with administrative privileges.

Configure the Require UEFI Memory Attributes Table setting to "1 - Enabled". This forces the system to verify that the firmware properly supports memory attribute tables before enabling HVCI.

Warning: The UEFI lock option (value 1) can only be reversed by accessing BIOS/UEFI settings directly. Don't use this until you've thoroughly tested compatibility.

For the Turn on Virtualization Based Security setting, select "1 - Enabled" if VBS isn't already active on your devices.

Verification: Review your settings - HVCI should show "1", UEFI MAT should show "1", and VBS should show "1".

04

Configure Device Assignment and Deployment

Before deploying to production, you need to carefully plan your device targeting to avoid widespread compatibility issues. Start with a small pilot group to validate the configuration.

Click Next to reach the Assignments section. Create a pilot deployment first:

Click + Add group under Included groups and select a small test group (5-10 devices maximum). For the assignment type, choose:

  • Available for enrolled devices: Users can manually install from Company Portal
  • Required: Automatically deploys to all devices in the group

For pilot testing, use Required but limit the scope. Add exclusions if needed by clicking + Add group under Excluded groups.

Configure the deployment schedule:

{
  "deploymentType": "Required",
  "makeAvailableTime": "As soon as possible",
  "installDeadline": "As soon as possible",
  "restartGracePeriod": "4 hours",
  "restartNotification": "Show all notifications"
}

Click Next to review your configuration. Verify all settings are correct:

  • Profile name and description
  • VBS settings (HVCI=1, UEFI MAT=1, VBS=1)
  • Target groups (pilot only)

Pro tip: Create a dynamic device group based on device model or manufacturer to easily target compatible hardware for HVCI deployment.

Verification: Confirm the assignment shows your pilot group with "Required" deployment type before clicking Create.

05

Monitor Policy Deployment and Device Compliance

After creating the policy, you need to monitor its deployment status and ensure devices are applying the configuration correctly. Policy deployment can take several sync cycles to complete.

Navigate to Devices > Configuration and locate your "UEFI Memory Protection - HVCI Enforcement" profile. Click on it to view the deployment dashboard.

Monitor these key metrics:

  • Device status: Shows Success, Error, Conflict, or Not applicable
  • User status: User-based deployment results
  • Per-setting status: Individual setting deployment results

To force immediate policy sync on test devices, you can trigger manual sync:

# On the target device, run as administrator:
Get-ScheduledTask | Where-Object {$_.TaskName -eq "PushLaunch"} | Start-ScheduledTask

# Or use Intune remote action:
# Devices > All devices > Select device > Sync

Check for common deployment errors in the device details:

  • Error 0x80070032: Policy conflicts with existing configuration
  • Error 0x87D1FDE8: Setting not supported on this device
  • Error 0x80070005: Access denied (usually driver compatibility)

Warning: If you see widespread "Error" status, immediately check the excluded groups and pause deployment. Incompatible devices may experience boot failures.

Verification: Successful deployment should show "Success" status for all pilot devices within 2-4 hours of policy creation.

06

Verify HVCI Activation on Target Devices

Once the policy deploys successfully, you need to verify that HVCI is actually running and providing memory protection. The policy deployment success doesn't guarantee the feature is active.

On a test device, open Windows Security from the Start menu and navigate to Device security > Core isolation details. You should see:

  • Memory integrity: On
  • Microsoft Defender Application Guard: Available (if supported)

For command-line verification, run these PowerShell commands as administrator:

# Check VBS and HVCI status
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object *

# Verify specific HVCI status
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

# Check for UEFI Memory Attributes Table
bcdedit /enum {current} | findstr hypervisorenforcedcodeintegrity

The SecurityServicesRunning should return "2" if HVCI is active. The bcdedit command should show "hypervisorenforcedcodeintegrity Yes".

You can also verify through System Information:

msinfo32

Search for "Virtualization-based security Services Running" - it should show "Yes" with HVCI listed.

Pro tip: Create a PowerShell script to check HVCI status across multiple devices using Invoke-Command for bulk verification.

Verification: Run Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard | Select-Object SecurityServicesRunning - should return "2".

07

Test Driver Compatibility and Resolve Issues

HVCI enforces strict driver signing and memory protection requirements. Incompatible drivers will prevent the system from booting or cause stability issues. You need to identify and resolve these before full deployment.

Check for incompatible drivers in Windows Security:

  1. Open Windows Security > Device security
  2. Click Core isolation details
  3. If available, click Review incompatible drivers

This shows drivers that don't meet HVCI requirements. Common problematic drivers include:

  • Older antivirus/security software
  • Legacy hardware drivers (especially network/graphics)
  • Virtualization software (VMware, VirtualBox)
  • Debugging/development tools

To identify problematic drivers via command line:

# Check for unsigned drivers
Get-WindowsDriver -Online | Where-Object {$_.DriverSignature -eq "Unsigned"}

# Check system event logs for HVCI violations
Get-WinEvent -FilterHashtable @{LogName='System'; ID=219} | Select-Object TimeCreated, Message

For driver issues, you have several options:

  • Update drivers: Download HVCI-compatible versions from manufacturer
  • Remove software: Uninstall incompatible applications
  • Exclude devices: Add problematic devices to exclusion groups
  • Use audit mode: Enable HVCI in audit mode first to identify issues without blocking boot

Warning: Never ignore driver compatibility warnings. Incompatible drivers can cause system instability, blue screens, or complete boot failure.

Verification: After resolving driver issues, restart the device and confirm HVCI remains active with no error events in the System log.
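As an added example (not code from the article), the following script pairs the two checks from this step: it lists staged third-party drivers whose signature state is not "Signed" and counts recent Kernel-PnP event 219 load failures per driver, so you can see which drivers to update, remove or exclude before widening the rollout. The function name, the default 7-day window and the regular expression that extracts the "\Driver\<name>" token from the event message are this example's own assumptions.

```powershell
# Added example: triage HVCI driver problems on one device by combining
# unsigned third-party drivers with recent driver load failures (event 219).
function Get-HvciDriverTriage {
    [CmdletBinding()]
    param(
        [int]$Days = 7   # how far back in the System log to look
    )

    # Third-party (non-inbox) drivers staged on this device and their signature state
    $drivers  = Get-WindowsDriver -Online -ErrorAction Stop
    $unsigned = @($drivers | Where-Object { $_.DriverSignature -ne 'Signed' })

    # Event 219 is the ID the article uses for driver load failures; the message
    # names the driver object as \Driver\<name>, which the regex below captures.
    $failures = @{}
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; Id = 219; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue   # no events in the window is not an error here
    foreach ($e in $events) {
        if ($e.Message -match '\\Driver\\([^\s\\]+)') {
            $name = $Matches[1]
            $failures[$name] = 1 + [int]$failures[$name]
        }
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        UnsignedDrivers = @($unsigned | ForEach-Object {
            [pscustomobject]@{
                Inf       = $_.Driver
                File      = $_.OriginalFileName
                Provider  = $_.ProviderName
                Class     = $_.ClassName
                Signature = $_.DriverSignature
            }
        })
        # Most frequently failing drivers first
        LoadFailures    = @($failures.GetEnumerator() |
            Sort-Object Value -Descending |
            ForEach-Object { [pscustomobject]@{ Driver = $_.Key; Failures = $_.Value } })
    }
}

$triage = Get-HvciDriverTriage -Days 7
$triage.UnsignedDrivers | Format-Table -AutoSize
$triage.LoadFailures    | Format-Table -AutoSize
```

A driver that appears in both lists is the first candidate for a manufacturer update; one that fails to load but is signed usually points at an HVCI-incompatible (not merely unsigned) driver.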

08

Expand Deployment to Production Groups

After successful pilot testing and driver compatibility validation, you can safely expand the UEFI Memory Protection policy to broader device groups. This requires careful planning and phased rollout.

Return to your configuration profile in the Intune admin center: Devices > Configuration > Select your HVCI profile > Assignments.

Plan your production rollout in phases:

Phase   Target Group           Device Count   Timeline
-----   --------------------   ------------   --------
1       IT Department          50-100         Week 1
2       Administrative Users   200-500        Week 2-3
3       General Users          1000+          Week 4-6

For each phase, modify the assignments:

  1. Click Edit on the assignment
  2. Add new included groups for the current phase
  3. Maintain exclusion groups for incompatible devices
  4. Set deployment timing to "As soon as possible"

Monitor deployment metrics closely during each phase:

# PowerShell script to check HVCI status across domain computers
# Requires the RSAT ActiveDirectory module and WinRM (PowerShell remoting) access to each device
Import-Module ActiveDirectory
$computers = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
foreach ($computer in $computers) {
    try {
        # -ErrorAction Stop turns a failed connection into a terminating error so the catch block runs
        $hvci = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
        }
        # SecurityServicesRunning is an array of service codes; 2 means HVCI is active
        $state = if (@($hvci) -contains 2) { "Running" } else { "Not running" }
        Write-Output "$computer : HVCI Status = $hvci ($state)"
    }
    catch {
        Write-Output "$computer : Connection failed - $($_.Exception.Message)"
    }
}

Pro tip: Create separate configuration profiles for different hardware models if you encounter model-specific compatibility issues during rollout.

Verification: After each phase, confirm >95% success rate in the Intune deployment dashboard before proceeding to the next phase.

09

Configure Monitoring and Alerting for HVCI Status

Ongoing monitoring ensures HVCI remains active and alerts you to any security policy violations or compatibility issues that emerge after deployment.

Set up automated monitoring using Microsoft Defender for Endpoint or Azure Monitor. Create a custom detection rule for HVCI status:

// KQL query for HVCI monitoring in Microsoft Defender
DeviceInfo
| where Timestamp > ago(1d)
| extend HVCIStatus = iff(isnotempty(OSArchitecture) and OSArchitecture contains "x64", 
    iff(DeviceGuardSecurityServicesRunning has "2", "Enabled", "Disabled"), "N/A")
| where HVCIStatus == "Disabled"
| project Timestamp, DeviceName, OSVersion, HVCIStatus
| summarize DisabledDevices = dcount(DeviceName) by bin(Timestamp, 1h)

For environments without Defender for Endpoint, create a PowerShell monitoring script:

# HVCI monitoring script for scheduled execution
$logPath = "C:\Logs\HVCI-Monitor.log"
$timestamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
$eventSource = "HVCI Monitor"

# Make sure the log folder exists and the event source is registered:
# Write-EventLog fails if the source has never been created (registration needs admin rights once)
New-Item -ItemType Directory -Path (Split-Path $logPath) -Force | Out-Null
if (-not [System.Diagnostics.EventLog]::SourceExists($eventSource)) {
    New-EventLog -LogName Application -Source $eventSource
}

try {
    $deviceGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
    # SecurityServicesRunning is an array of service codes; 2 = HVCI
    $hvciStatus = @($deviceGuard.SecurityServicesRunning)

    if ($hvciStatus -contains 2) {
        $status = "ENABLED"
    } else {
        $status = "DISABLED"
        # Write a warning event so a SIEM or log collector can alert on it
        Write-EventLog -LogName Application -Source $eventSource -EventId 1001 -EntryType Warning -Message "HVCI is disabled on $env:COMPUTERNAME"
    }

    "$timestamp - $env:COMPUTERNAME - HVCI Status: $status" | Out-File -FilePath $logPath -Append
}
catch {
    "$timestamp - $env:COMPUTERNAME - HVCI Check Failed: $($_.Exception.Message)" | Out-File -FilePath $logPath -Append
}

Deploy this script via Intune as a PowerShell script or scheduled task. Configure it to run daily and alert on HVCI failures.

Set up compliance policies to enforce HVCI status:

  1. Navigate to Devices > Compliance policies > Create policy
  2. Select Windows 10 and later platform
  3. Under System Security, configure custom compliance rules

Pro tip: Use Azure Log Analytics to centralize HVCI monitoring logs from all devices for trend analysis and reporting.
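As an added example (not code from the article), here is an Intune custom compliance discovery script together with the rules file it pairs with, so that a device on which HVCI is not running is marked non-compliant. Intune custom compliance expects the discovery script to return a single line of compressed JSON whose keys match the SettingName entries in the rules file; the setting names, function names and the MoreInfoUrl value are this example's own placeholders.

```powershell
# Added example: Intune custom compliance discovery script plus its rules JSON.
# Run once with -ExportRules to write HvciRules.json for upload; deploy the script
# itself (without the switch) as the discovery script of the compliance policy.
param([switch]$ExportRules)

function Get-HvciComplianceState {
    # Default to "not running" so a failed WMI query flags the device instead of passing it
    $result = [ordered]@{ VbsRunning = $false; HvciRunning = $false; CredentialGuardRunning = $false }
    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop
        $running = @($dg.SecurityServicesRunning | ForEach-Object { [int]$_ })
        $result.VbsRunning             = ([int]$dg.VirtualizationBasedSecurityStatus -eq 2)  # 2 = enabled and running
        $result.HvciRunning            = ($running -contains 2)   # 2 = HVCI / memory integrity
        $result.CredentialGuardRunning = ($running -contains 1)   # 1 = Credential Guard
    } catch {
        # Leave all values $false; the device will show as non-compliant
    }
    return $result
}

function Get-HvciComplianceRules {
    # Rules JSON uploaded with the compliance policy; MoreInfoUrl is a placeholder
    return @'
{
  "Rules": [
    {
      "SettingName": "HvciRunning",
      "Operator": "IsEquals",
      "DataType": "Boolean",
      "Operand": true,
      "MoreInfoUrl": "https://example.com/PLACEHOLDER-hvci-help",
      "RemediationStrings": [
        {
          "Language": "en_US",
          "Title": "Memory integrity (HVCI) is not running",
          "Description": "This device must run HVCI. Restart the device and contact IT if the status does not change."
        }
      ]
    }
  ]
}
'@
}

if ($ExportRules) {
    Get-HvciComplianceRules | Set-Content -Path .\HvciRules.json -Encoding UTF8
    return
}

# Discovery script output: exactly one line of compressed JSON for Intune
return (Get-HvciComplianceState | ConvertTo-Json -Compress)
```

VbsRunning and CredentialGuardRunning are reported too, so you can add further rules against them later without changing the discovery script.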

Verification: Test the monitoring by temporarily disabling HVCI on a test device and confirming alerts are generated within the expected timeframe.

Frequently Asked Questions

What happens if I deploy HVCI to devices without UEFI Memory Attributes Table support?

Devices without proper EFI_MEMORY_ATTRIBUTES_TABLE support will experience boot failures or blue screen crashes when HVCI is enabled with UEFI MAT requirements. The system cannot properly isolate kernel memory without firmware support. Always test compatibility first and use device exclusion groups for legacy hardware. You can check support using Get-CimInstance Win32_DeviceGuard before deployment.

Can I reverse the UEFI lock setting if HVCI causes compatibility issues?

Yes, but it requires physical access to the device. The UEFI lock prevents remote disabling of HVCI for security reasons. To reverse it, you must access the BIOS/UEFI settings directly and disable Secure Boot or VBS, then use 'bcdedit /set vsmlockpolicy 0' in an elevated PowerShell session. This is why thorough pilot testing is essential before using the lock option.

How much performance impact does HVCI have on Windows devices?

HVCI typically adds 5-15% CPU overhead depending on workload characteristics. CPU-intensive applications and those with frequent kernel transitions see higher impact. Graphics-intensive applications may experience reduced performance due to additional memory protection checks. Monitor performance metrics during pilot deployment and consider excluding high-performance workstations if needed. The security benefits usually outweigh the performance cost for most enterprise scenarios.

Which drivers commonly cause HVCI compatibility issues?

Legacy antivirus kernel drivers, older network adapter drivers, virtualization software (VMware Workstation, VirtualBox), debugging tools (WinDbg, Visual Studio drivers), and unsigned hardware drivers frequently cause issues. Gaming peripherals with kernel-level drivers and older VPN clients are also problematic. Use Windows Security's 'Review incompatible drivers' feature to identify specific issues before deployment.

How do I monitor HVCI status across multiple devices after deployment?

Use Microsoft Defender for Endpoint with KQL queries to monitor SecurityServicesRunning status, or deploy PowerShell monitoring scripts via Intune. Create compliance policies that check HVCI status and generate alerts for disabled devices. The Win32_DeviceGuard WMI class provides programmatic access to VBS status. Set up automated reporting using Azure Log Analytics to track HVCI deployment success rates and identify devices requiring attention.
