Vulnerability V-224923

V-224923

CAT II

Windows Server 2016 virtualization-based security must be enabled with the platform security level configured to Secure Boot or Secure Boot with DMA Protection.

Ships Affected: 1
Total Findings: 8
Open: 1
Closed: 7

Check Text

For standalone or nondomain-joined systems, this is NA. Open "PowerShell" with elevated privileges (run as administrator). Enter the following: "Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard" If "RequiredSecurityProperties" does not include a value of "2" indicating "Secure Boot" (e.g., "{1, 2}"), this is a finding. If "Secure Boot and DMA Protection" is configured, "3" will also be displayed in the results (e.g., "{1, 2, 3}"). If "VirtualizationBasedSecurityStatus" is not a value of "2" indicating "Running", this is a finding. Alternately: Run "System Information". Under "System Summary", verify the following: If "Device Guard Virtualization based security" does not display "Running", this is a finding. If "Device Guard Required Security Properties" does not display "Base Virtualization Support, Secure Boot", this is a finding. If "Secure Boot and DMA Protection" is configured, "DMA Protection" will also be displayed (e.g., "Base Virtualization Support, Secure Boot, DMA Protection"). The policy settings referenced in the Fix section will configure the following registry values. However, due to hardware requirements, the registry values alone do not ensure proper function. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\ Value Name: EnableVirtualizationBasedSecurity Value Type: REG_DWORD Value: 0x00000001 (1) Value Name: RequirePlatformSecurityFeatures Value Type: REG_DWORD Value: 0x00000001 (1) (Secure Boot only) or 0x00000003 (3) (Secure Boot and DMA Protection) A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard

Fix Text

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Device Guard >> "Turn On Virtualization Based Security" to "Enabled" with "Secure Boot" or "Secure Boot and DMA Protection" selected. A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link: https://technet.microsoft.com/itpro/windows/keep-secure/credential-guard

STIG Reference

STIG: Microsoft Windows Server 2016 Security Technical Implementation Guide
Version: 2
Release: 10
Rule ID: SV-224923r991589_rule

All Occurrences

This vulnerability appears on 1 ship(s)

Ship	Hull #	Source File	Assigned To	Scan Date	Actions
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-AP-002/Checklist/MONT-AP-002_WinServer2016_V2R10_20251023-144214.ckl	Unassigned	2026-01-14T12:57:42.721079	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-BE-002/Checklist/MONT-BE-002_WinServer2016_V2R10_20251023-143943.ckl	Unassigned	2026-01-14T12:57:41.363810	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-DB-002/Checklist/MONT-DB-002_WinServer2016_V2R10_20251023-144132.ckl	Unassigned	2026-01-14T12:57:39.082634	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-DC-003/Checklist/MONT-DC-003_WinServer2016_V2R10_20251023-172220.ckl	Unassigned	2026-01-14T12:57:37.248886	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-DP-001/Checklist/MONT-DP-001_WinServer2016_V2R10_20251023-144106.ckl	Unassigned	2026-01-14T12:57:35.637816	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-MB-002/Checklist/MONT-MB-002_WinServer2016_V2R10_20251023-152736.ckl	Unassigned	2026-01-14T12:57:33.842838	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-VSF-003/Checklist/MONT-VSF-003_WinServer2016_V2R10_20251023-143935.ckl	Unassigned	2026-01-14T12:57:31.534241	View in Context
USNS MONTFORD POINT	T-ESD-1	_Reviewed/MONT-VSF-004/Checklist/MONT-VSF-004_WinServer2016_V2R10_20251023-143909.ckl	Unassigned	2026-01-14T12:57:30.046447	View in Context