How to Enable Require Platform Security Features Policy using Intune

  • Enforces platform-level security features (such as Secure Boot, TPM, and virtualization-based protections)
  • Ensures that enrolled devices meet baseline hardware security standards
  • Ideal for organizations adopting Zero Trust principles
  • Simplifies enforcement of critical hardware security requirements

Let’s discuss how to enable the Require Platform Security Features policy using Intune. The Intune policy setting Device Guard \ Require Platform Security Features is a critical hardware-hardening configuration used to enable Virtualization-Based Security (VBS). By configuring this setting, you tell Windows which underlying hardware security technologies it must use to create a secure, isolated environment for sensitive system processes.

How to Enable Require Platform Security Features Policy using Intune

Organizations enable this to move from a software-only security model to a Hardware-Rooted Trust model. Without VBS, login hashes (NTLM/Kerberos) sit in regular system memory (LSASS), where malware with admin rights can “scrape” them. With VBS, these secrets live in a “virtual” bubble that even the OS kernel cannot see.

Start Policy Creation in Intune Portal

Sign in to the Intune Portal with your credentials. You can then configure the Require Platform Security Features policy for your managed devices. To do this, go to Devices > Configuration > + Create > + New Policy.

How to Enable Require Platform Security Features Policy using Intune – Fig.1

Policy Profile Creation

Profile creation is the next step. Here you must select the platform and the profile type. I configure the policy for the Windows 10 and later platform with the Settings catalog profile type. Then click on the Create button.

How to Enable Require Platform Security Features Policy using Intune – Fig.2

Add Name and Description

Naming the policy is the first step, and it helps admins identify the policy later. This step is important because the name tells you the purpose of the policy. The Name is mandatory and the Description is optional. After adding these, click on the Next button.

How to Enable Require Platform Security Features Policy using Intune – Fig.3

Select Platform Security Features Settings

The Settings Picker is opened from the Configuration Settings tab. On this tab, click on the +Add Settings hyperlink to get the Settings Picker. The Settings Picker shows a huge number of settings. Here, I select the setting by browsing by Category. I choose Device Guard\Require Platform Security Features.

How to Enable Require Platform Security Features Policy using Intune – Fig.4

Choose Value

For this policy, 2 values are available. They are VBS Secure Boot and VBS with Secure Boot DMA Protection. The table below shows more details.

Value          Description
1 (Default)    Turns on VBS with Secure Boot.
3              Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
How to Enable Require Platform Security Features Policy using Intune – Table.1
How to Enable Require Platform Security Features Policy using Intune – Fig.5

Add Scope Tags

With scope tags, you can restrict the visibility of the Require Platform Security Features policy. They help to organise resources as well. Here, I skip this section because it is not mandatory. Click on the Next button.

How to Enable Require Platform Security Features Policy using Intune – Fig.6

Assignments Tab for Selecting Group

To assign the policy to specific groups, use the Assignments tab. Here, I click the +Add groups option under Included groups. I choose a group from the list of groups and click on the Select button. Again, I click on the Select button to continue.

How to Enable Require Platform Security Features Policy using Intune – Fig.7

Review + Create Tab

Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.

How to Enable Require Platform Security Features Policy using Intune – Fig.8

Monitoring Status

The Monitoring Status page shows whether the policy has succeeded or not. To apply the policy quickly, sync the assigned device from the Company Portal. Then open the Intune Portal, go to Devices > Configuration, and search for the policy. Here, the policy shows as successful.

How to Enable Require Platform Security Features Policy using Intune – Fig.9

Removing the Assigned Group from Require Platform Security Features

If you want to remove the assigned group from the policy, you can do so from the Intune Portal. Open the policy in the Intune Portal, edit the Assignments tab, and then remove the group from the policy.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Enable Require Platform Security Features Policy using Intune – Fig.10

How to Delete Require Platform Security Features

You can easily delete the Policy from the Intune Portal. From the Configuration section, you can delete the policy. It will completely remove it from the client devices.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

How to Enable Require Platform Security Features Policy using Intune – Fig.11

Windows CSP Details

This setting lets users turn on Credential Guard with virtualization-based security to help protect credentials at next reboot. Value type is integer. This policy is applicable for Windows 10, version 1709 [10.0.16299] and later OS.

How to Enable Require Platform Security Features Policy using Intune – Fig.12
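
Because the setting takes effect at the next reboot, a successful status in Intune does not by itself show that VBS is running on the device. The following check is an added example, not part of the original post: it reads the Win32_DeviceGuard WMI class on the endpoint and compares it with the value chosen above (1 or 3). The function name Test-VbsPlatformRequirement and its -PolicyValue parameter are hypothetical names used only for this sketch; run it in an elevated PowerShell session after the device has restarted.

```powershell
# Added example (not from the original post). Function and parameter names are hypothetical.
function Test-VbsPlatformRequirement {
    param(
        # Value configured in the Intune policy: 1 = Secure Boot, 3 = Secure Boot + DMA.
        [ValidateSet(1, 3)]
        [int]$PolicyValue = 1
    )

    # Win32_DeviceGuard reports what the hardware offers, what is required, and what is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

    # Security property codes used by Win32_DeviceGuard.
    $names = @{ 2 = 'Secure Boot'; 3 = 'DMA protection' }
    $vbs   = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

    # Policy value 1 needs Secure Boot (code 2); value 3 also needs DMA protection (code 3).
    $needed = @(2)
    if ($PolicyValue -eq 3) { $needed += 3 }

    # Features the policy asks for that the hardware does not expose.
    $missingHw = @($needed | Where-Object { $dg.AvailableSecurityProperties -notcontains $_ })
    # Features the policy asks for that Windows does not list as required (policy not applied yet).
    $notRequired = @($needed | Where-Object { $dg.RequiredSecurityProperties -notcontains $_ })

    $status = [int]$dg.VirtualizationBasedSecurityStatus

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        PolicyValue            = $PolicyValue
        VbsStatus              = $vbs[$status]
        AvailableCodes         = $dg.AvailableSecurityProperties -join ','
        RequiredCodes          = $dg.RequiredSecurityProperties -join ','
        MissingHardware        = ($missingHw | ForEach-Object { $names[$_] }) -join ', '
        NotYetRequired         = ($notRequired | ForEach-Object { $names[$_] }) -join ', '
        # Code 1 in SecurityServicesRunning means Credential Guard is running.
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        Compliant              = ($status -eq 2 -and $missingHw.Count -eq 0 -and $notRequired.Count -eq 0)
    }
}

# Check a device that received the policy with value 3 (Secure Boot and DMA protection).
Test-VbsPlatformRequirement -PolicyValue 3 | Format-List
```

A device that reports DMA protection under MissingHardware lacks the hardware support that value 3 depends on; one that reports "Enabled but not running" typically has the policy but has not yet rebooted.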


Author

Anoop C Nair is a Workplace Technology solution architect with 25+ years of experience. Microsoft Certified Trainer. Microsoft MVP from 2015 onwards for consecutive 11+ years! He is a blogger, Speaker, and Founder of HTMD Community and HTMD Conference. His main focus is on Device Management technologies like Intune,  Windows, and  Cloud PC. He writes about technologies like Intune, SCCM,  Windows, Cloud PC, Entra, and Microsoft Security.
