Virtualization Settings#

Virtualization

Kernel DMA Protection

Whether to enable Kernel DMA Protection, which prevents drive-by Direct Memory Access (DMA) attacks by PCI hot-plug devices connected to the system.

  • Defaults to On if OS Optimized Defaults is set to On.
  • When switched On, automatically enables Intel (R) Virtualization Technology and the Intel (R) VT-d Feature.
  • Changing these settings requires additional confirmation.

Possible options:

  1. Off – Default.
  2. On

| WMI Setting name    | Values          | Locked by SVP | AMD/Intel |
| ------------------- | --------------- | ------------- | --------- |
| KernelDMAProtection | Disable, Enable | Yes           | Both      |

Intel (R) Virtualization Technology \ AMD-V

Intel-based machine#

Whether a VMM (Virtual Machine Monitor) can utilize the additional hardware capabilities provided by Intel (R) Virtualization technology.

Defaults to On if OS Optimized Defaults is set to On.

Possible options:

  1. On
  2. Off - Default.

It is automatically enabled and cannot be disabled if ‘Kernel DMA Protection’ is enabled.

Additional information: How to enable Virtualization Technology on Lenovo PC computers.

| WMI Setting name         | Values          | Locked by SVP | AMD/Intel |
| ------------------------ | --------------- | ------------- | --------- |
| VirtualizationTechnology | Disable, Enable | Yes           | Intel     |

AMD-based machine#

Whether a VMM (Virtual Machine Monitor) can utilize the additional hardware capabilities provided by AMD-V (AMD Virtualization).

Possible options:

  1. On - Default.
  2. Off

Enabled automatically when Device Guard is set to On.


| WMI Setting name | Values          | Locked by SVP | AMD/Intel |
| ---------------- | --------------- | ------------- | --------- |
| AmdVt            | Disable, Enable | Yes           | AMD       |

Intel (R) VT-d Feature

Whether to enable the Intel (R) VT-d Feature (Intel (R) Virtualization Technology for Directed I/O).

Defaults to On if OS Optimized Defaults is set to On.

Possible options:

  1. On
  2. Off - Default.

Automatically enabled and cannot be disabled if Kernel DMA Protection is enabled.

More information on the official Intel site.


| WMI Setting name | Values          | Locked by SVP | AMD/Intel |
| ---------------- | --------------- | ------------- | --------- |
| VTdFeature       | Disable, Enable | Yes           | Intel     |

Enhanced Windows Biometric Security

Whether to allow use of ‘Enhanced sign-in security’ for fingerprint and face authentication with Windows Hello.

What is Enhanced Sign-in Security (ESS)?

Enhanced Sign-in Security is an advanced security feature built into Windows Hello that strengthens biometric authentication (face or fingerprint) by isolating sensitive processes and data from the main operating system.

  • Core Principle: ESS uses Virtualization-Based Security (VBS) to create a secure environment for biometric operations and credential handling.
  • Goal: Prevent malware, even malware with kernel-level privileges, from intercepting biometric data or authentication secrets.
  • End-to-End Assurance: ESS can cryptographically prove to cloud services that the user was physically present during authentication, improving trust for enterprise scenarios.

How Does It Work?

  • Isolation: The Windows Hello biometric stack and credential release processes run inside a VBS-protected enclave, separate from the OS kernel.
  • TPM Integration: Keys may be protected by TPM 2.0, adding hardware-based security.
  • Secure Devices (SDEV): Device firmware must include an ACPI SDEV table for ESS-capable sensors.

Why Is It Important?

Without ESS, malware could:

  • Sniff biometric input streams.
  • Replay stolen samples.
  • Modify match results or impersonate users.

ESS mitigates these threats by ensuring biometric data and operations are shielded from tampering.

Possible options:

  1. On - Default since 2024
  2. Off

| WMI Setting name                 | Values          | Locked by SVP | AMD/Intel |
| -------------------------------- | --------------- | ------------- | --------- |
| EnhancedWindowsBiometricSecurity | Disable, Enable | Yes           | Both      |
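As an added example that is not part of this page or Lenovo's own tooling, the script below audits the WMI settings documented above against a hardened baseline and can apply a change. It assumes the Lenovo BIOS WMI interface (classes Lenovo_BiosSetting, Lenovo_SetBiosSetting and Lenovo_SaveBiosSettings in the root\wmi namespace, whose CurrentSetting strings have the form "Name,Value" and whose methods take a single string argument named parameter) and an elevated PowerShell session on a Lenovo machine.

```powershell
# Added example, not Lenovo code. Assumes the Lenovo BIOS WMI interface in root\wmi.
# Setting names come from this page; the expected values form a hardened baseline.
$Baseline = [ordered]@{
    'KernelDMAProtection'              = 'Enable'
    'VirtualizationTechnology'         = 'Enable'   # Intel platforms only
    'AmdVt'                            = 'Enable'   # AMD platforms only
    'VTdFeature'                       = 'Enable'   # Intel platforms only
    'EnhancedWindowsBiometricSecurity' = 'Enable'
}

function Get-LenovoBiosSetting {
    # Returns a hashtable of setting name -> current value, parsed from CurrentSetting.
    $map = @{}
    Get-CimInstance -Namespace root\wmi -ClassName Lenovo_BiosSetting |
        Where-Object { $_.CurrentSetting } |
        ForEach-Object {
            # Some firmware appends ";[Optional:...]" listing allowed values; drop that part.
            $pair = ($_.CurrentSetting -split ';')[0] -split ',', 2
            if ($pair.Count -eq 2) { $map[$pair[0].Trim()] = $pair[1].Trim() }
        }
    return $map
}

function Test-VirtualizationBaseline {
    $current = Get-LenovoBiosSetting
    $findings = foreach ($name in $Baseline.Keys) {
        if (-not $current.ContainsKey($name)) { continue }   # absent on this platform (e.g. AmdVt on Intel)
        [pscustomobject]@{ Setting = $name; Current = $current[$name]
                           Expected = $Baseline[$name]; Compliant = ($current[$name] -eq $Baseline[$name]) }
    }
    # Dependency stated on this page: Kernel DMA Protection On implies VT-x and VT-d On.
    if ($current['KernelDMAProtection'] -eq 'Enable' -and
        ($current['VirtualizationTechnology'] -eq 'Disable' -or $current['VTdFeature'] -eq 'Disable')) {
        Write-Warning 'KernelDMAProtection is Enable but VT-x/VT-d report Disable: firmware state is inconsistent.'
    }
    $findings
}

function Set-LenovoBiosSetting {
    # Settings marked "Locked by SVP" above require the supervisor password to be passed along.
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Value, [string]$SupervisorPassword)
    $arg  = if ($SupervisorPassword) { "$Name,$Value,$SupervisorPassword,ascii,us" } else { "$Name,$Value" }
    $save = if ($SupervisorPassword) { "$SupervisorPassword,ascii,us" } else { '' }
    Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SetBiosSetting |
        Invoke-CimMethod -MethodName SetBiosSetting -Arguments @{ parameter = $arg }
    Get-CimInstance -Namespace root\wmi -ClassName Lenovo_SaveBiosSettings |
        Invoke-CimMethod -MethodName SaveBiosSettings -Arguments @{ parameter = $save }   # commits; takes effect after reboot
}

Test-VirtualizationBaseline | Format-Table -AutoSize
```

Check the return value of each Invoke-CimMethod call (the firmware reports "Success" or an error string) before assuming a change was applied.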