Blog

Device Guard is a powerful security feature in Windows 11 designed to protect your system from unauthorized software and threats. When it stops working properly, your device’s security can be at risk. Fixing these issues is essential to keep your system safe and secure.

This guide will walk you through simple, step-by-step solutions to troubleshoot and resolve Device Guard problems on your Windows 11 PC. Each step is explained clearly, so even beginners can follow along easily.

By following these instructions, you can restore Device Guard’s functionality and ensure your computer remains protected. Let’s get started with some quick checks before diving into detailed fixes.

Remember, security features like Device Guard rely on specific system settings and hardware support, so some solutions may involve changing configurations or updating your system.

Quick Note: Prerequisites and Initial Checks

Before starting with fixes, make sure your PC meets the basic requirements for Device Guard to work correctly.

• Windows 11 Pro, Enterprise, or Education edition: Device Guard is not available on Windows 11 Home edition.
• Compatible CPU with virtualization support: Check if your processor supports virtualization and that it is enabled in BIOS/UEFI.
• Secure Boot enabled: This must be active in BIOS/UEFI for Device Guard to function.
• Latest Windows updates installed: Outdated systems can cause features to malfunction.
• Administrator access: You need admin rights to change system settings and run commands.

To check virtualization and Secure Boot, you can use the System Information tool by typing msinfo32 in the Start menu search box and looking for the relevant entries.

Step 1: Verify Device Guard Status

First, confirm if Device Guard is actually enabled or disabled on your system.

1. Press Windows + R keys to open the Run dialog box.
2. Type cmd and press Enter to open Command Prompt.
3. In Command Prompt, enter the following command and press Enter:

sc query deviceguard

This command checks the status of the Device Guard service. If the service is stopped or not running, Device Guard may not work.

Alternatively, you can check the status using PowerShell:

Get-CimInstance -Namespace rootMicrosoftWindowsDeviceGuard -ClassName Win32_DeviceGuard

If Device Guard is disabled, proceed to the next steps to enable and configure it.

Step 2: Enable Virtualization and Secure Boot in BIOS/UEFI

Device Guard relies on virtualization and Secure Boot being enabled in your system firmware settings. Here’s how to check and enable them:

1. Restart your PC and enter BIOS/UEFI setup. This usually involves pressing keys like F2, Del, or Esc during startup (check your PC manual).
2. Look for settings named Intel VT-x, AMD-V, or Virtualization Technology and make sure they are enabled.
3. Find the Secure Boot option and enable it if it’s disabled.
4. Save changes and exit BIOS/UEFI. Your PC will restart automatically.

Enabling these options allows Windows to enforce stricter security policies required by Device Guard.

Step 3: Enable Device Guard Using Group Policy

Group Policy Editor allows you to manage Device Guard settings easily.

1. Press Windows + R, type gpedit.msc, and press Enter to open the Local Group Policy Editor.
2. Navigate to:
   Computer Configuration > Administrative Templates > System > Device Guard
3. Double-click Turn On Virtualization Based Security.
4. Select Enabled, then under Virtualization Based Security Services, choose the options that match your security needs (like Credential Guard).
5. Click Apply and then OK.
6. Restart your PC to apply these changes.

This process activates Device Guard policies and ensures Windows enforces them on your system.

Step 4: Use Windows Security App to Check Core Isolation

Core Isolation is a feature related to Device Guard that helps protect core parts of your system.

1. Open Settings by pressing Windows + I.
2. Go to Privacy & security > Windows Security > Device security.
3. Under Core isolation, click Core isolation details.
4. Make sure Memory integrity is turned On.

If Memory integrity was off, turning it on may fix Device Guard issues but might require a restart. This feature helps prevent attacks on your system memory.

Step 5: Update Windows and Drivers

Outdated system files or drivers can cause Device Guard to malfunction. Keeping your system updated ensures compatibility and security.

1. Open Settings with Windows + I.
2. Go to Windows Update.
3. Click Check for updates and install any available updates.
4. Also, update your device drivers by visiting the manufacturer’s website or using Device Manager.

After updates, restart your computer to apply changes fully.

Alternative Method: Enable Device Guard Using PowerShell

If you prefer command-line tools, you can enable Device Guard with PowerShell:

1. Open PowerShell as Administrator by right-clicking the Start button and selecting Windows Terminal (Admin) or PowerShell (Admin).
2. Run the following command to enable virtualization-based security:

Set-ProcessMitigation -System -Enable

You can also check the status with:

Get-CimInstance -Namespace rootMicrosoftWindowsDeviceGuard -ClassName Win32_DeviceGuard

PowerShell provides a quick way to manage Device Guard without navigating through multiple menus.

FAQs

What is Device Guard and why is it important?

Device Guard is a Windows 11 security feature that uses hardware and software virtualization to protect your system from malicious code. It enhances system integrity by only allowing trusted applications to run.

Can I use Device Guard on Windows 11 Home?

No, Device Guard is only available on Windows 11 Pro, Enterprise, and Education editions. Home edition does not support this feature.

Why does Device Guard keep turning off after a reboot?

This can happen if virtualization or Secure Boot is disabled, or if Group Policy settings are overwritten. Make sure these settings remain enabled and your system firmware supports them.

Will enabling Device Guard affect my system performance?

Device Guard may use some system resources due to virtualization, but on modern hardware, performance impact is usually minimal and worth the added security.

How do I know if my CPU supports virtualization?

You can check your CPU specs on the manufacturer’s website or use the System Information tool (msinfo32) and look for “Virtualization Enabled In Firmware.” If it says “Yes,” your CPU supports it.

What if I cannot access BIOS to enable virtualization or Secure Boot?

Refer to your PC or motherboard manual for the correct key to enter BIOS. Some manufacturers also provide software for BIOS updates or settings changes within Windows.

When Nothing Works

If none of the above steps resolve your Device Guard issues, consider the following:

• Reset Windows Security Settings: Sometimes resetting security policies back to default can fix conflicts.
• Run the System File Checker: Open Command Prompt as admin and run sfc /scannow to repair corrupted system files.
• Contact Microsoft Support: For persistent problems, visit the official Microsoft support site for help.
• Consider clean reinstall: As a last resort, backing up your data and performing a clean Windows 11 installation can fix deep system issues.

Conclusion

Device Guard is a critical security feature in Windows 11 that helps protect your PC from unauthorized software and threats. If it stops working, your system’s defense can be compromised.

By following the simple, step-by-step solutions outlined above—starting from checking prerequisites, enabling virtualization and Secure Boot, configuring policies, and updating your system—you can effectively fix most Device Guard issues.

Always ensure your system meets the necessary requirements and keep your Windows and drivers up to date. If problems persist, don’t hesitate to seek official support or consider advanced troubleshooting options.

Keeping Device Guard active helps maintain a more secure and reliable computing environment on your Windows 11 device.