Merge pull request #6575 from illfated/wddg-wdcg-hwr-tool

WDDG & WDCG HW readiness tool: typo & Arch Locale
Daniel Simpson 2020-05-28 10:31:31 -07:00 committed by GitHub
commit 5963793a0d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -14,11 +14,13 @@ ms.collection: M365-identity-device-management
ms.topic: article ms.topic: article
ms.reviewer: ms.reviewer:
--- ---
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
```powershell ```powershell
# Script to find out if machine is Device Guard compliant # Script to find out if a machine is Device Guard compliant.
# requires driver verifier on system. # The script requires a driver verifier present on the system.
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
$path = "C:\DGLogs\" $path = "C:\DGLogs\"
@ -36,7 +38,7 @@ $DGVerifySuccess = New-Object System.Text.StringBuilder
$Sys32Path = "$env:windir\system32" $Sys32Path = "$env:windir\system32"
$DriverPath = "$env:windir\system32\drivers" $DriverPath = "$env:windir\system32\drivers"
#generated by certutil -encode #generated by certutil -encode
$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA $SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA
HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC
NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC
@ -114,7 +116,7 @@ function LogAndConsoleSuccess($message)
function LogAndConsoleError($message) function LogAndConsoleError($message)
{ {
Write-Host $message -foregroundcolor "Red" Write-Host $message -foregroundcolor "Red"
Log $message Log $message
} }
@ -132,16 +134,16 @@ function IsExempted([System.IO.FileInfo] $item)
Log $cert.ToString() Log $cert.ToString()
return 0 return 0
} }
} }
function CheckExemption($_ModName) function CheckExemption($_ModName)
{ {
$mod1 = Get-ChildItem $Sys32Path $_ModName $mod1 = Get-ChildItem $Sys32Path $_ModName
$mod2 = Get-ChildItem $DriverPath $_ModName $mod2 = Get-ChildItem $DriverPath $_ModName
if($mod1) if($mod1)
{ {
Log "NonDriver module" + $mod1.FullName Log "NonDriver module" + $mod1.FullName
return IsExempted($mod1) return IsExempted($mod1)
} }
elseif($mod2) elseif($mod2)
{ {
@ -184,15 +186,15 @@ function CheckFailedDriver($_ModName, $CIStats)
} }
if($Result.Contains("PASS")) if($Result.Contains("PASS"))
{ {
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
} }
elseif($FailingStat.Trim().Contains("execute-write")) elseif($FailingStat.Trim().Contains("execute-write"))
{ {
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
} }
else else
{ {
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
} }
Log "Result: " $Result Log "Result: " $Result
} }
@ -204,7 +206,7 @@ function ListCIStats($_ModName, $str1)
{ {
Log "String := " $str1 Log "String := " $str1
Log "Warning! CI Stats are missing for " $_ModName Log "Warning! CI Stats are missing for " $_ModName
return return
} }
$temp_str1 = $str1.Substring($i1) $temp_str1 = $str1.Substring($i1)
$CIStats = $temp_str1.Substring(0).Trim() $CIStats = $temp_str1.Substring(0).Trim()
@ -245,7 +247,7 @@ function ListDrivers($str)
} }
$DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile $DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
LogAndConsole $DriverScanCompletedMessage LogAndConsole $DriverScanCompletedMessage
if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 ) if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
{ {
@ -254,7 +256,7 @@ function ListDrivers($str)
{ {
LogAndConsoleError $WarningMessage LogAndConsoleError $WarningMessage
} }
else else
{ {
LogAndConsoleWarning $WarningMessage LogAndConsoleWarning $WarningMessage
} }
@ -321,7 +323,7 @@ function ListSummary()
} }
else else
{ {
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n" LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
if(!$HVCI -and !$DG) if(!$HVCI -and !$DG)
{ {
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f ' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
@ -336,56 +338,56 @@ function ListSummary()
function Instantiate-Kernel32 { function Instantiate-Kernel32 {
try try
{ {
Add-Type -TypeDefinition @" Add-Type -TypeDefinition @"
using System; using System;
using System.Diagnostics; using System.Diagnostics;
using System.Runtime.InteropServices; using System.Runtime.InteropServices;
public static class Kernel32 public static class Kernel32
{ {
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)] [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary( public static extern IntPtr LoadLibrary(
[MarshalAs(UnmanagedType.LPStr)]string lpFileName); [MarshalAs(UnmanagedType.LPStr)]string lpFileName);
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress( public static extern IntPtr GetProcAddress(
IntPtr hModule, IntPtr hModule,
string procName); string procName);
} }
"@ "@
} }
catch catch
{ {
Log $_.Exception.Message Log $_.Exception.Message
LogAndConsole "Instantiate-Kernel32 failed" LogAndConsole "Instantiate-Kernel32 failed"
} }
} }
function Instantiate-HSTI { function Instantiate-HSTI {
try try
{ {
Add-Type -TypeDefinition @" Add-Type -TypeDefinition @"
using System; using System;
using System.Diagnostics; using System.Diagnostics;
using System.Runtime.InteropServices; using System.Runtime.InteropServices;
using System.Net; using System.Net;
public static class HstiTest3 public static class HstiTest3
{ {
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)] [DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
public static extern int QueryHSTIdetails( public static extern int QueryHSTIdetails(
ref HstiOverallError pHstiOverallError, ref HstiOverallError pHstiOverallError,
[In, Out] HstiProviderErrorDuple[] pHstiProviderErrors, [In, Out] HstiProviderErrorDuple[] pHstiProviderErrors,
ref uint pHstiProviderErrorsCount, ref uint pHstiProviderErrorsCount,
byte[] hstiPlatformSecurityBlob, byte[] hstiPlatformSecurityBlob,
ref uint pHstiPlatformSecurityBlobBytes); ref uint pHstiPlatformSecurityBlobBytes);
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)] [DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
public static extern int QueryHSTI(ref bool Pass); public static extern int QueryHSTI(ref bool Pass);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct HstiProviderErrorDuple public struct HstiProviderErrorDuple
{ {
@ -397,7 +399,7 @@ function Instantiate-HSTI {
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)] [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
internal string ErrorString; internal string ErrorString;
} }
[FlagsAttribute] [FlagsAttribute]
public enum HstiProviderErrors : int public enum HstiProviderErrors : int
{ {
@ -425,8 +427,8 @@ function Instantiate-HSTI {
BlobVersionMismatch = 0x00000080, BlobVersionMismatch = 0x00000080,
PlatformSecurityVersionMismatch = 0x00000100, PlatformSecurityVersionMismatch = 0x00000100,
ProviderError = 0x00000200 ProviderError = 0x00000200
} }
} }
"@ "@
@ -434,9 +436,9 @@ function Instantiate-HSTI {
$FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails") $FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
$FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI") $FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
if ([System.IntPtr]::Size -eq 8) if ([System.IntPtr]::Size -eq 8)
{ {
#assuming 64 bit #assuming 64 bit
Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())" Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())" Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
} }
@ -450,7 +452,7 @@ function Instantiate-HSTI {
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize) $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
[byte[]]$blob = New-Object byte[] $blobByteSize [byte[]]$blob = New-Object byte[] $blobByteSize
[HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize) $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
$string = $null $string = $null
$blob | foreach { $string = $string + $_.ToString("X2")+"," } $blob | foreach { $string = $string + $_.ToString("X2")+"," }
@ -479,7 +481,7 @@ function Instantiate-HSTI {
LogAndConsoleError $ErrorMessage LogAndConsoleError $ErrorMessage
$DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
} }
else else
{ {
LogAndConsoleWarning $ErrorMessage LogAndConsoleWarning $ErrorMessage
$DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
@ -487,9 +489,9 @@ function Instantiate-HSTI {
} }
} }
catch catch
{ {
LogAndConsoleError $_.Exception.Message LogAndConsoleError $_.Exception.Message
LogAndConsoleError "Instantiate-HSTI failed" LogAndConsoleError "Instantiate-HSTI failed"
} }
} }
@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd)
$CmdOutput = Invoke-Expression $_cmd | Out-String $CmdOutput = Invoke-Expression $_cmd | Out-String
Log "Output: $CmdOutput" Log "Output: $CmdOutput"
} }
catch catch
{ {
Log "Exception while exectuing $_cmd" Log "Exception while exectuing $_cmd"
Log $_.Exception.Message Log $_.Exception.Message
} }
@ -676,7 +678,7 @@ function CheckDriverCompat
verifier.exe /flags 0x02000000 /all /log.code_integrity verifier.exe /flags 0x02000000 /all /log.code_integrity
LogAndConsole "Enabling Driver Verifier and Rebooting system" LogAndConsole "Enabling Driver Verifier and Rebooting system"
Log $verifier_state Log $verifier_state
LogAndConsole "Please re-execute this script after reboot...." LogAndConsole "Please re-execute this script after reboot...."
if($AutoReboot) if($AutoReboot)
{ {
@ -692,7 +694,7 @@ function CheckDriverCompat
else else
{ {
LogAndConsole "Driver verifier already enabled" LogAndConsole "Driver verifier already enabled"
Log $verifier_state Log $verifier_state
ListDrivers($verifier_state.Trim().ToLowerInvariant()) ListDrivers($verifier_state.Trim().ToLowerInvariant())
} }
} }
@ -700,23 +702,23 @@ function IsDomainController
{ {
$_isDC = 0 $_isDC = 0
$CompConfig = Get-WmiObject Win32_ComputerSystem $CompConfig = Get-WmiObject Win32_ComputerSystem
foreach ($ObjItem in $CompConfig) foreach ($ObjItem in $CompConfig)
{ {
$Role = $ObjItem.DomainRole $Role = $ObjItem.DomainRole
Log "Role=$Role" Log "Role=$Role"
Switch ($Role) Switch ($Role)
{ {
0 { Log "Standalone Workstation" } 0 { Log "Standalone Workstation" }
1 { Log "Member Workstation" } 1 { Log "Member Workstation" }
2 { Log "Standalone Server" } 2 { Log "Standalone Server" }
3 { Log "Member Server" } 3 { Log "Member Server" }
4 4
{ {
Log "Backup Domain Controller" Log "Backup Domain Controller"
$_isDC=1 $_isDC=1
break break
} }
5 5
{ {
Log "Primary Domain Controller" Log "Primary Domain Controller"
$_isDC=1 $_isDC=1
@ -735,7 +737,7 @@ function CheckOSSKU
Log "OSNAME:$osname" Log "OSNAME:$osname"
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home") $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
$HLKAllowed = @("microsoft windows 10 pro") $HLKAllowed = @("microsoft windows 10 pro")
foreach ($SKUent in $SKUarray) foreach ($SKUent in $SKUarray)
{ {
if($osname.ToString().Contains($SKUent.ToLower())) if($osname.ToString().Contains($SKUent.ToLower()))
{ {
@ -762,7 +764,7 @@ function CheckOSSKU
} }
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
} }
else else
{ {
LogAndConsoleError "This PC edition is Unsupported for Device Guard" LogAndConsoleError "This PC edition is Unsupported for Device Guard"
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
@ -773,14 +775,14 @@ function CheckOSSKU
function CheckOSArchitecture function CheckOSArchitecture
{ {
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower() $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
Log $OSArch Log $OSArch
if($OSArch.Contains("64-bit")) if($OSArch -match ("^64\-?\s?bit"))
{ {
LogAndConsoleSuccess "64 bit archictecture" LogAndConsoleSuccess "64 bit architecture"
} }
elseif($OSArch.Contains("32-bit")) elseif($OSArch -match ("^32\-?\s?bit"))
{ {
LogAndConsoleError "32 bit archictecture" LogAndConsoleError "32 bit architecture"
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
} }
else else
@ -878,7 +880,7 @@ function CheckTPM
function CheckSecureMOR function CheckSecureMOR
{ {
$isSecureMOR = CheckDGFeatures(4) $isSecureMOR = CheckDGFeatures(4)
Log "isSecureMOR= $isSecureMOR " Log "isSecureMOR= $isSecureMOR "
if($isSecureMOR -eq 1) if($isSecureMOR -eq 1)
{ {
LogAndConsoleSuccess "Secure MOR is available" LogAndConsoleSuccess "Secure MOR is available"
@ -904,7 +906,7 @@ function CheckSecureMOR
function CheckNXProtection function CheckNXProtection
{ {
$isNXProtected = CheckDGFeatures(5) $isNXProtected = CheckDGFeatures(5)
Log "isNXProtected= $isNXProtected " Log "isNXProtected= $isNXProtected "
if($isNXProtected -eq 1) if($isNXProtected -eq 1)
{ {
LogAndConsoleSuccess "NX Protector is available" LogAndConsoleSuccess "NX Protector is available"
@ -921,7 +923,7 @@ function CheckNXProtection
function CheckSMMProtection function CheckSMMProtection
{ {
$isSMMMitigated = CheckDGFeatures(6) $isSMMMitigated = CheckDGFeatures(6)
Log "isSMMMitigated= $isSMMMitigated " Log "isSMMMitigated= $isSMMMitigated "
if($isSMMMitigated -eq 1) if($isSMMMitigated -eq 1)
{ {
LogAndConsoleSuccess "SMM Mitigation is available" LogAndConsoleSuccess "SMM Mitigation is available"
@ -938,15 +940,15 @@ function CheckSMMProtection
function CheckHSTI function CheckHSTI
{ {
LogAndConsole "Copying HSTITest.dll" LogAndConsole "Copying HSTITest.dll"
try try
{ {
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
} }
catch catch
{ {
LogAndConsole $_.Exception.Message LogAndConsole $_.Exception.Message
LogAndConsole "Copying and loading HSTITest.dll failed" LogAndConsole "Copying and loading HSTITest.dll failed"
} }
@ -959,7 +961,7 @@ function PrintToolVersion
LogAndConsole "" LogAndConsole ""
LogAndConsole "###########################################################################" LogAndConsole "###########################################################################"
LogAndConsole "" LogAndConsole ""
LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole "" LogAndConsole ""
LogAndConsole "###########################################################################" LogAndConsole "###########################################################################"
LogAndConsole "" LogAndConsole ""
@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a
} }
$user = [Security.Principal.WindowsIdentity]::GetCurrent(); $user = [Security.Principal.WindowsIdentity]::GetCurrent();
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) $TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if(!$TestForAdmin) if(!$TestForAdmin)
{ {
@ -1065,7 +1067,7 @@ if($Ready)
{ {
Log "_CGState: $_CGState" Log "_CGState: $_CGState"
PrintCGDetails $_CGState PrintCGDetails $_CGState
if($_CGState) if($_CGState)
{ {
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
@ -1077,28 +1079,28 @@ if($Ready)
} }
elseif($DG) elseif($DG)
{ {
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintHVCIDetails $_HVCIState PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState PrintConfigCIDetails $_ConfigCIState
if($_ConfigCIState -and $_HVCIState) if($_ConfigCIState -and $_HVCIState)
{ {
LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
} }
else else
{ {
LogAndConsoleWarning "Not all services are running." LogAndConsoleWarning "Not all services are running."
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
} }
} }
else else
{ {
Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintCGDetails $_CGState PrintCGDetails $_CGState
PrintHVCIDetails $_HVCIState PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState PrintConfigCIDetails $_ConfigCIState
@ -1147,7 +1149,7 @@ if($Enable)
{ {
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
} }
else else
{ {
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
@ -1158,8 +1160,8 @@ if($Enable)
{ {
if(!$HVCI -and !$CG) if(!$HVCI -and !$CG)
{ {
if(!$SIPolicyPath) if(!$SIPolicyPath)
{ {
Log "Writing Decoded SIPolicy.p7b" Log "Writing Decoded SIPolicy.p7b"
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
@ -1182,7 +1184,7 @@ if($Enable)
if(!$_isRedstone) if(!$_isRedstone)
{ {
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately #Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
} }
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
@ -1251,7 +1253,7 @@ if($Disable)
if(!$_isRedstone) if(!$_isRedstone)
{ {
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately #Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
} }
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
@ -1270,7 +1272,7 @@ if($Disable)
} }
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
Log "FreeDrive=$FreeDrive" Log "FreeDrive=$FreeDrive"
@ -1314,7 +1316,7 @@ if($Capable)
} }
$_StepCount = 1 $_StepCount = 1
if(!$CG) if(!$CG)
{ {
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
$_StepCount++ $_StepCount++
CheckDriverCompat CheckDriverCompat
@ -1323,15 +1325,15 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
$_StepCount++ $_StepCount++
CheckSecureBootState CheckSecureBootState
if(!$HVCI -and !$DG -and !$CG) if(!$HVCI -and !$DG -and !$CG)
{ {
#check only if sub-options are absent #check only if sub-options are absent
LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
$_StepCount++ $_StepCount++
CheckHSTI CheckHSTI
} }
LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
$_StepCount++ $_StepCount++
CheckOSArchitecture CheckOSArchitecture
@ -1345,11 +1347,11 @@ if($Capable)
CheckVirtualization CheckVirtualization
if(!$HVCI -and !$DG) if(!$HVCI -and !$DG)
{ {
LogAndConsole " ====================== Step $_StepCount TPM version ====================== " LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
$_StepCount++ $_StepCount++
CheckTPM CheckTPM
LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
$_StepCount++ $_StepCount++
CheckSecureMOR CheckSecureMOR
@ -1358,11 +1360,11 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
$_StepCount++ $_StepCount++
CheckNXProtection CheckNXProtection
LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
$_StepCount++ $_StepCount++
CheckSMMProtection CheckSMMProtection
LogAndConsole " ====================== End Check ====================== " LogAndConsole " ====================== End Check ====================== "
LogAndConsole " ====================== Summary ====================== " LogAndConsole " ====================== Summary ====================== "
@ -1371,7 +1373,6 @@ if($Capable)
} }
# SIG # Begin signature block # SIG # Begin signature block
## REPLACE ## REPLACE
# SIG # End signature block # SIG # End signature block
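Review bot: The new `-match` tests in `CheckOSArchitecture` (the two `if`/`elseif` lines in the `@ -773,14 +775,14` hunk) carry no comment explaining why a fixed `.Contains("64-bit")` was replaced by `^64\-?\s?bit`; the PR title hints at localized `OSArchitecture` strings, but a future reader of the script will not see that, so a one-line comment above the `if` such as `# OSArchitecture is localized; accept "64bit", "64-bit" and "64 bit" prefixes rather than one fixed spelling` would record the intent. The parentheses wrapping the pattern and the escaped hyphen are redundant, so the line could read `if($OSArch -match '^64-?\s?bit')`, and likewise for the 32-bit branch. Note that `\-?\s?` allows at most one separator character, so a value with both a hyphen and a space between the digits and `bit` would fall through to the `else` branch; whether any real value looks like that cannot be told from this hunk. The trailing `else` branch of `CheckOSArchitecture` ends outside the hunk.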