Ensure Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection is set to Enabled: Enabled in enforcement mode
ID: oval:org.secpod.oval:def:94689 | Date: (C)2023-11-22 (M)2023-11-22
Class: COMPLIANCE | Family: windows
This policy setting enables Hardware-enforced Stack Protection for kernel-mode code. Kernel-mode data stacks are hardened with hardware-based shadow stacks, which store the intended return address targets so that tampering with program control flow is detected. The recommended state for this setting is: Enabled: Enabled in enforcement mode.

Fix:
(1) GPO: Computer Configuration\Policies\Administrative Templates\System\Device Guard\Turn On Virtualization Based Security: Kernel-mode Hardware-enforced Stack Protection
(2) REG: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard!ConfigureKernelShadowStacksLaunch
Platform: Microsoft Windows 11