mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #2927 from MicrosoftDocs/repo_sync_working_branch
Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Tina Burden
GitHub
commit
5d68009924
@ -14,11 +14,13 @@ ms.collection: M365-identity-device-management
|
|||||||
ms.topic: article
|
ms.topic: article
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
---
|
---
|
||||||
|
|
||||||
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
|
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
|
||||||
|
|
||||||
```powershell
|
```powershell
|
||||||
# Script to find out if machine is Device Guard compliant
|
# Script to find out if a machine is Device Guard compliant.
|
||||||
# requires driver verifier on system.
|
# The script requires a driver verifier present on the system.
|
||||||
|
|
||||||
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
|
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
|
||||||
|
|
||||||
$path = "C:\DGLogs\"
|
$path = "C:\DGLogs\"
|
||||||
@ -36,7 +38,7 @@ $DGVerifySuccess = New-Object System.Text.StringBuilder
|
|||||||
$Sys32Path = "$env:windir\system32"
|
$Sys32Path = "$env:windir\system32"
|
||||||
$DriverPath = "$env:windir\system32\drivers"
|
$DriverPath = "$env:windir\system32\drivers"
|
||||||
|
|
||||||
#generated by certutil -encode
|
#generated by certutil -encode
|
||||||
$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA
|
$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA
|
||||||
HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC
|
HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC
|
||||||
NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC
|
NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC
|
||||||
@ -114,7 +116,7 @@ function LogAndConsoleSuccess($message)
|
|||||||
|
|
||||||
function LogAndConsoleError($message)
|
function LogAndConsoleError($message)
|
||||||
{
|
{
|
||||||
Write-Host $message -foregroundcolor "Red"
|
Write-Host $message -foregroundcolor "Red"
|
||||||
Log $message
|
Log $message
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -132,16 +134,16 @@ function IsExempted([System.IO.FileInfo] $item)
|
|||||||
Log $cert.ToString()
|
Log $cert.ToString()
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function CheckExemption($_ModName)
|
function CheckExemption($_ModName)
|
||||||
{
|
{
|
||||||
$mod1 = Get-ChildItem $Sys32Path $_ModName
|
$mod1 = Get-ChildItem $Sys32Path $_ModName
|
||||||
$mod2 = Get-ChildItem $DriverPath $_ModName
|
$mod2 = Get-ChildItem $DriverPath $_ModName
|
||||||
if($mod1)
|
if($mod1)
|
||||||
{
|
{
|
||||||
Log "NonDriver module" + $mod1.FullName
|
Log "NonDriver module" + $mod1.FullName
|
||||||
return IsExempted($mod1)
|
return IsExempted($mod1)
|
||||||
}
|
}
|
||||||
elseif($mod2)
|
elseif($mod2)
|
||||||
{
|
{
|
||||||
@ -184,15 +186,15 @@ function CheckFailedDriver($_ModName, $CIStats)
|
|||||||
}
|
}
|
||||||
if($Result.Contains("PASS"))
|
if($Result.Contains("PASS"))
|
||||||
{
|
{
|
||||||
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
|
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
|
||||||
}
|
}
|
||||||
elseif($FailingStat.Trim().Contains("execute-write"))
|
elseif($FailingStat.Trim().Contains("execute-write"))
|
||||||
{
|
{
|
||||||
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
|
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
|
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
|
||||||
}
|
}
|
||||||
Log "Result: " $Result
|
Log "Result: " $Result
|
||||||
}
|
}
|
||||||
@ -204,7 +206,7 @@ function ListCIStats($_ModName, $str1)
|
|||||||
{
|
{
|
||||||
Log "String := " $str1
|
Log "String := " $str1
|
||||||
Log "Warning! CI Stats are missing for " $_ModName
|
Log "Warning! CI Stats are missing for " $_ModName
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
$temp_str1 = $str1.Substring($i1)
|
$temp_str1 = $str1.Substring($i1)
|
||||||
$CIStats = $temp_str1.Substring(0).Trim()
|
$CIStats = $temp_str1.Substring(0).Trim()
|
||||||
@ -245,7 +247,7 @@ function ListDrivers($str)
|
|||||||
}
|
}
|
||||||
|
|
||||||
$DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
|
$DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
|
||||||
LogAndConsole $DriverScanCompletedMessage
|
LogAndConsole $DriverScanCompletedMessage
|
||||||
|
|
||||||
if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
|
if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
|
||||||
{
|
{
|
||||||
@ -254,7 +256,7 @@ function ListDrivers($str)
|
|||||||
{
|
{
|
||||||
LogAndConsoleError $WarningMessage
|
LogAndConsoleError $WarningMessage
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
LogAndConsoleWarning $WarningMessage
|
LogAndConsoleWarning $WarningMessage
|
||||||
}
|
}
|
||||||
@ -321,7 +323,7 @@ function ListSummary()
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
|
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
|
||||||
if(!$HVCI -and !$DG)
|
if(!$HVCI -and !$DG)
|
||||||
{
|
{
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
|
||||||
@ -336,56 +338,56 @@ function ListSummary()
|
|||||||
|
|
||||||
|
|
||||||
function Instantiate-Kernel32 {
|
function Instantiate-Kernel32 {
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
Add-Type -TypeDefinition @"
|
Add-Type -TypeDefinition @"
|
||||||
using System;
|
using System;
|
||||||
using System.Diagnostics;
|
using System.Diagnostics;
|
||||||
using System.Runtime.InteropServices;
|
using System.Runtime.InteropServices;
|
||||||
|
|
||||||
public static class Kernel32
|
public static class Kernel32
|
||||||
{
|
{
|
||||||
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
|
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
|
||||||
public static extern IntPtr LoadLibrary(
|
public static extern IntPtr LoadLibrary(
|
||||||
[MarshalAs(UnmanagedType.LPStr)]string lpFileName);
|
[MarshalAs(UnmanagedType.LPStr)]string lpFileName);
|
||||||
|
|
||||||
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
|
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
|
||||||
public static extern IntPtr GetProcAddress(
|
public static extern IntPtr GetProcAddress(
|
||||||
IntPtr hModule,
|
IntPtr hModule,
|
||||||
string procName);
|
string procName);
|
||||||
}
|
}
|
||||||
|
|
||||||
"@
|
"@
|
||||||
}
|
}
|
||||||
catch
|
catch
|
||||||
{
|
{
|
||||||
Log $_.Exception.Message
|
Log $_.Exception.Message
|
||||||
LogAndConsole "Instantiate-Kernel32 failed"
|
LogAndConsole "Instantiate-Kernel32 failed"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function Instantiate-HSTI {
|
function Instantiate-HSTI {
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
Add-Type -TypeDefinition @"
|
Add-Type -TypeDefinition @"
|
||||||
using System;
|
using System;
|
||||||
using System.Diagnostics;
|
using System.Diagnostics;
|
||||||
using System.Runtime.InteropServices;
|
using System.Runtime.InteropServices;
|
||||||
using System.Net;
|
using System.Net;
|
||||||
|
|
||||||
public static class HstiTest3
|
public static class HstiTest3
|
||||||
{
|
{
|
||||||
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
|
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
|
||||||
public static extern int QueryHSTIdetails(
|
public static extern int QueryHSTIdetails(
|
||||||
ref HstiOverallError pHstiOverallError,
|
ref HstiOverallError pHstiOverallError,
|
||||||
[In, Out] HstiProviderErrorDuple[] pHstiProviderErrors,
|
[In, Out] HstiProviderErrorDuple[] pHstiProviderErrors,
|
||||||
ref uint pHstiProviderErrorsCount,
|
ref uint pHstiProviderErrorsCount,
|
||||||
byte[] hstiPlatformSecurityBlob,
|
byte[] hstiPlatformSecurityBlob,
|
||||||
ref uint pHstiPlatformSecurityBlobBytes);
|
ref uint pHstiPlatformSecurityBlobBytes);
|
||||||
|
|
||||||
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
|
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
|
||||||
public static extern int QueryHSTI(ref bool Pass);
|
public static extern int QueryHSTI(ref bool Pass);
|
||||||
|
|
||||||
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
|
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
|
||||||
public struct HstiProviderErrorDuple
|
public struct HstiProviderErrorDuple
|
||||||
{
|
{
|
||||||
@ -397,7 +399,7 @@ function Instantiate-HSTI {
|
|||||||
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
|
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
|
||||||
internal string ErrorString;
|
internal string ErrorString;
|
||||||
}
|
}
|
||||||
|
|
||||||
[FlagsAttribute]
|
[FlagsAttribute]
|
||||||
public enum HstiProviderErrors : int
|
public enum HstiProviderErrors : int
|
||||||
{
|
{
|
||||||
@ -425,8 +427,8 @@ function Instantiate-HSTI {
|
|||||||
BlobVersionMismatch = 0x00000080,
|
BlobVersionMismatch = 0x00000080,
|
||||||
PlatformSecurityVersionMismatch = 0x00000100,
|
PlatformSecurityVersionMismatch = 0x00000100,
|
||||||
ProviderError = 0x00000200
|
ProviderError = 0x00000200
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
"@
|
"@
|
||||||
|
|
||||||
@ -434,9 +436,9 @@ function Instantiate-HSTI {
|
|||||||
$FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
|
$FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
|
||||||
$FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
|
$FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
|
||||||
|
|
||||||
if ([System.IntPtr]::Size -eq 8)
|
if ([System.IntPtr]::Size -eq 8)
|
||||||
{
|
{
|
||||||
#assuming 64 bit
|
#assuming 64 bit
|
||||||
Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
|
Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
|
||||||
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
|
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
|
||||||
}
|
}
|
||||||
@ -450,7 +452,7 @@ function Instantiate-HSTI {
|
|||||||
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
|
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
|
||||||
|
|
||||||
[byte[]]$blob = New-Object byte[] $blobByteSize
|
[byte[]]$blob = New-Object byte[] $blobByteSize
|
||||||
[HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
|
[HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
|
||||||
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
|
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
|
||||||
$string = $null
|
$string = $null
|
||||||
$blob | foreach { $string = $string + $_.ToString("X2")+"," }
|
$blob | foreach { $string = $string + $_.ToString("X2")+"," }
|
||||||
@ -479,7 +481,7 @@ function Instantiate-HSTI {
|
|||||||
LogAndConsoleError $ErrorMessage
|
LogAndConsoleError $ErrorMessage
|
||||||
$DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
|
$DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
LogAndConsoleWarning $ErrorMessage
|
LogAndConsoleWarning $ErrorMessage
|
||||||
$DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
|
$DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
|
||||||
@ -487,9 +489,9 @@ function Instantiate-HSTI {
|
|||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
catch
|
catch
|
||||||
{
|
{
|
||||||
LogAndConsoleError $_.Exception.Message
|
LogAndConsoleError $_.Exception.Message
|
||||||
LogAndConsoleError "Instantiate-HSTI failed"
|
LogAndConsoleError "Instantiate-HSTI failed"
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd)
|
|||||||
$CmdOutput = Invoke-Expression $_cmd | Out-String
|
$CmdOutput = Invoke-Expression $_cmd | Out-String
|
||||||
Log "Output: $CmdOutput"
|
Log "Output: $CmdOutput"
|
||||||
}
|
}
|
||||||
catch
|
catch
|
||||||
{
|
{
|
||||||
Log "Exception while exectuing $_cmd"
|
Log "Exception while exectuing $_cmd"
|
||||||
Log $_.Exception.Message
|
Log $_.Exception.Message
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@ -676,7 +678,7 @@ function CheckDriverCompat
|
|||||||
verifier.exe /flags 0x02000000 /all /log.code_integrity
|
verifier.exe /flags 0x02000000 /all /log.code_integrity
|
||||||
|
|
||||||
LogAndConsole "Enabling Driver Verifier and Rebooting system"
|
LogAndConsole "Enabling Driver Verifier and Rebooting system"
|
||||||
Log $verifier_state
|
Log $verifier_state
|
||||||
LogAndConsole "Please re-execute this script after reboot...."
|
LogAndConsole "Please re-execute this script after reboot...."
|
||||||
if($AutoReboot)
|
if($AutoReboot)
|
||||||
{
|
{
|
||||||
@ -692,7 +694,7 @@ function CheckDriverCompat
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
LogAndConsole "Driver verifier already enabled"
|
LogAndConsole "Driver verifier already enabled"
|
||||||
Log $verifier_state
|
Log $verifier_state
|
||||||
ListDrivers($verifier_state.Trim().ToLowerInvariant())
|
ListDrivers($verifier_state.Trim().ToLowerInvariant())
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -700,23 +702,23 @@ function IsDomainController
|
|||||||
{
|
{
|
||||||
$_isDC = 0
|
$_isDC = 0
|
||||||
$CompConfig = Get-WmiObject Win32_ComputerSystem
|
$CompConfig = Get-WmiObject Win32_ComputerSystem
|
||||||
foreach ($ObjItem in $CompConfig)
|
foreach ($ObjItem in $CompConfig)
|
||||||
{
|
{
|
||||||
$Role = $ObjItem.DomainRole
|
$Role = $ObjItem.DomainRole
|
||||||
Log "Role=$Role"
|
Log "Role=$Role"
|
||||||
Switch ($Role)
|
Switch ($Role)
|
||||||
{
|
{
|
||||||
0 { Log "Standalone Workstation" }
|
0 { Log "Standalone Workstation" }
|
||||||
1 { Log "Member Workstation" }
|
1 { Log "Member Workstation" }
|
||||||
2 { Log "Standalone Server" }
|
2 { Log "Standalone Server" }
|
||||||
3 { Log "Member Server" }
|
3 { Log "Member Server" }
|
||||||
4
|
4
|
||||||
{
|
{
|
||||||
Log "Backup Domain Controller"
|
Log "Backup Domain Controller"
|
||||||
$_isDC=1
|
$_isDC=1
|
||||||
break
|
break
|
||||||
}
|
}
|
||||||
5
|
5
|
||||||
{
|
{
|
||||||
Log "Primary Domain Controller"
|
Log "Primary Domain Controller"
|
||||||
$_isDC=1
|
$_isDC=1
|
||||||
@ -735,7 +737,7 @@ function CheckOSSKU
|
|||||||
Log "OSNAME:$osname"
|
Log "OSNAME:$osname"
|
||||||
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
|
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
|
||||||
$HLKAllowed = @("microsoft windows 10 pro")
|
$HLKAllowed = @("microsoft windows 10 pro")
|
||||||
foreach ($SKUent in $SKUarray)
|
foreach ($SKUent in $SKUarray)
|
||||||
{
|
{
|
||||||
if($osname.ToString().Contains($SKUent.ToLower()))
|
if($osname.ToString().Contains($SKUent.ToLower()))
|
||||||
{
|
{
|
||||||
@ -762,7 +764,7 @@ function CheckOSSKU
|
|||||||
}
|
}
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
LogAndConsoleError "This PC edition is Unsupported for Device Guard"
|
LogAndConsoleError "This PC edition is Unsupported for Device Guard"
|
||||||
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
|
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
|
||||||
@ -773,14 +775,14 @@ function CheckOSSKU
|
|||||||
function CheckOSArchitecture
|
function CheckOSArchitecture
|
||||||
{
|
{
|
||||||
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
|
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
|
||||||
Log $OSArch
|
Log $OSArch
|
||||||
if($OSArch.Contains("64-bit"))
|
if($OSArch -match ("^64\-?\s?bit"))
|
||||||
{
|
{
|
||||||
LogAndConsoleSuccess "64 bit archictecture"
|
LogAndConsoleSuccess "64 bit architecture"
|
||||||
}
|
}
|
||||||
elseif($OSArch.Contains("32-bit"))
|
elseif($OSArch -match ("^32\-?\s?bit"))
|
||||||
{
|
{
|
||||||
LogAndConsoleError "32 bit archictecture"
|
LogAndConsoleError "32 bit architecture"
|
||||||
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
|
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
@ -878,7 +880,7 @@ function CheckTPM
|
|||||||
function CheckSecureMOR
|
function CheckSecureMOR
|
||||||
{
|
{
|
||||||
$isSecureMOR = CheckDGFeatures(4)
|
$isSecureMOR = CheckDGFeatures(4)
|
||||||
Log "isSecureMOR= $isSecureMOR "
|
Log "isSecureMOR= $isSecureMOR "
|
||||||
if($isSecureMOR -eq 1)
|
if($isSecureMOR -eq 1)
|
||||||
{
|
{
|
||||||
LogAndConsoleSuccess "Secure MOR is available"
|
LogAndConsoleSuccess "Secure MOR is available"
|
||||||
@ -904,7 +906,7 @@ function CheckSecureMOR
|
|||||||
function CheckNXProtection
|
function CheckNXProtection
|
||||||
{
|
{
|
||||||
$isNXProtected = CheckDGFeatures(5)
|
$isNXProtected = CheckDGFeatures(5)
|
||||||
Log "isNXProtected= $isNXProtected "
|
Log "isNXProtected= $isNXProtected "
|
||||||
if($isNXProtected -eq 1)
|
if($isNXProtected -eq 1)
|
||||||
{
|
{
|
||||||
LogAndConsoleSuccess "NX Protector is available"
|
LogAndConsoleSuccess "NX Protector is available"
|
||||||
@ -921,7 +923,7 @@ function CheckNXProtection
|
|||||||
function CheckSMMProtection
|
function CheckSMMProtection
|
||||||
{
|
{
|
||||||
$isSMMMitigated = CheckDGFeatures(6)
|
$isSMMMitigated = CheckDGFeatures(6)
|
||||||
Log "isSMMMitigated= $isSMMMitigated "
|
Log "isSMMMitigated= $isSMMMitigated "
|
||||||
if($isSMMMitigated -eq 1)
|
if($isSMMMitigated -eq 1)
|
||||||
{
|
{
|
||||||
LogAndConsoleSuccess "SMM Mitigation is available"
|
LogAndConsoleSuccess "SMM Mitigation is available"
|
||||||
@ -938,15 +940,15 @@ function CheckSMMProtection
|
|||||||
function CheckHSTI
|
function CheckHSTI
|
||||||
{
|
{
|
||||||
LogAndConsole "Copying HSTITest.dll"
|
LogAndConsole "Copying HSTITest.dll"
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
|
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
|
||||||
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
|
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
|
||||||
|
|
||||||
}
|
}
|
||||||
catch
|
catch
|
||||||
{
|
{
|
||||||
LogAndConsole $_.Exception.Message
|
LogAndConsole $_.Exception.Message
|
||||||
LogAndConsole "Copying and loading HSTITest.dll failed"
|
LogAndConsole "Copying and loading HSTITest.dll failed"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -959,7 +961,7 @@ function PrintToolVersion
|
|||||||
LogAndConsole ""
|
LogAndConsole ""
|
||||||
LogAndConsole "###########################################################################"
|
LogAndConsole "###########################################################################"
|
||||||
LogAndConsole ""
|
LogAndConsole ""
|
||||||
LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
|
LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
|
||||||
LogAndConsole ""
|
LogAndConsole ""
|
||||||
LogAndConsole "###########################################################################"
|
LogAndConsole "###########################################################################"
|
||||||
LogAndConsole ""
|
LogAndConsole ""
|
||||||
@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a
|
|||||||
}
|
}
|
||||||
|
|
||||||
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
|
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
|
||||||
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
|
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
|
||||||
|
|
||||||
if(!$TestForAdmin)
|
if(!$TestForAdmin)
|
||||||
{
|
{
|
||||||
@ -1065,7 +1067,7 @@ if($Ready)
|
|||||||
{
|
{
|
||||||
Log "_CGState: $_CGState"
|
Log "_CGState: $_CGState"
|
||||||
PrintCGDetails $_CGState
|
PrintCGDetails $_CGState
|
||||||
|
|
||||||
if($_CGState)
|
if($_CGState)
|
||||||
{
|
{
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
|
||||||
@ -1077,28 +1079,28 @@ if($Ready)
|
|||||||
}
|
}
|
||||||
elseif($DG)
|
elseif($DG)
|
||||||
{
|
{
|
||||||
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
|
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
|
||||||
|
|
||||||
PrintHVCIDetails $_HVCIState
|
PrintHVCIDetails $_HVCIState
|
||||||
PrintConfigCIDetails $_ConfigCIState
|
PrintConfigCIDetails $_ConfigCIState
|
||||||
|
|
||||||
if($_ConfigCIState -and $_HVCIState)
|
if($_ConfigCIState -and $_HVCIState)
|
||||||
{
|
{
|
||||||
LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
|
LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
|
||||||
|
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
LogAndConsoleWarning "Not all services are running."
|
LogAndConsoleWarning "Not all services are running."
|
||||||
|
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
|
Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
|
||||||
|
|
||||||
PrintCGDetails $_CGState
|
PrintCGDetails $_CGState
|
||||||
PrintHVCIDetails $_HVCIState
|
PrintHVCIDetails $_HVCIState
|
||||||
PrintConfigCIDetails $_ConfigCIState
|
PrintConfigCIDetails $_ConfigCIState
|
||||||
@ -1147,7 +1149,7 @@ if($Enable)
|
|||||||
{
|
{
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
|
||||||
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
|
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
|
||||||
@ -1158,8 +1160,8 @@ if($Enable)
|
|||||||
{
|
{
|
||||||
if(!$HVCI -and !$CG)
|
if(!$HVCI -and !$CG)
|
||||||
{
|
{
|
||||||
if(!$SIPolicyPath)
|
if(!$SIPolicyPath)
|
||||||
{
|
{
|
||||||
Log "Writing Decoded SIPolicy.p7b"
|
Log "Writing Decoded SIPolicy.p7b"
|
||||||
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
|
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
|
||||||
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
|
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
|
||||||
@ -1182,7 +1184,7 @@ if($Enable)
|
|||||||
if(!$_isRedstone)
|
if(!$_isRedstone)
|
||||||
{
|
{
|
||||||
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
|
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
|
||||||
#Enable/Disable IOMMU seperately
|
#Enable/Disable IOMMU separately
|
||||||
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
|
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
|
||||||
}
|
}
|
||||||
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
|
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
|
||||||
@ -1251,7 +1253,7 @@ if($Disable)
|
|||||||
if(!$_isRedstone)
|
if(!$_isRedstone)
|
||||||
{
|
{
|
||||||
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
|
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
|
||||||
#Enable/Disable IOMMU seperately
|
#Enable/Disable IOMMU separately
|
||||||
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
|
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
|
||||||
}
|
}
|
||||||
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
|
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
|
||||||
@ -1270,7 +1272,7 @@ if($Disable)
|
|||||||
}
|
}
|
||||||
|
|
||||||
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
|
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
|
||||||
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
|
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
|
||||||
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
|
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
|
||||||
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
|
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
|
||||||
Log "FreeDrive=$FreeDrive"
|
Log "FreeDrive=$FreeDrive"
|
||||||
@ -1314,7 +1316,7 @@ if($Capable)
|
|||||||
}
|
}
|
||||||
$_StepCount = 1
|
$_StepCount = 1
|
||||||
if(!$CG)
|
if(!$CG)
|
||||||
{
|
{
|
||||||
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
|
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckDriverCompat
|
CheckDriverCompat
|
||||||
@ -1323,15 +1325,15 @@ if($Capable)
|
|||||||
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
|
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckSecureBootState
|
CheckSecureBootState
|
||||||
|
|
||||||
if(!$HVCI -and !$DG -and !$CG)
|
if(!$HVCI -and !$DG -and !$CG)
|
||||||
{
|
{
|
||||||
#check only if sub-options are absent
|
#check only if sub-options are absent
|
||||||
LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
|
LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckHSTI
|
CheckHSTI
|
||||||
}
|
}
|
||||||
|
|
||||||
LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
|
LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckOSArchitecture
|
CheckOSArchitecture
|
||||||
@ -1345,11 +1347,11 @@ if($Capable)
|
|||||||
CheckVirtualization
|
CheckVirtualization
|
||||||
|
|
||||||
if(!$HVCI -and !$DG)
|
if(!$HVCI -and !$DG)
|
||||||
{
|
{
|
||||||
LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
|
LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckTPM
|
CheckTPM
|
||||||
|
|
||||||
LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
|
LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckSecureMOR
|
CheckSecureMOR
|
||||||
@ -1358,11 +1360,11 @@ if($Capable)
|
|||||||
LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
|
LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckNXProtection
|
CheckNXProtection
|
||||||
|
|
||||||
LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
|
LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
|
||||||
$_StepCount++
|
$_StepCount++
|
||||||
CheckSMMProtection
|
CheckSMMProtection
|
||||||
|
|
||||||
LogAndConsole " ====================== End Check ====================== "
|
LogAndConsole " ====================== End Check ====================== "
|
||||||
|
|
||||||
LogAndConsole " ====================== Summary ====================== "
|
LogAndConsole " ====================== Summary ====================== "
|
||||||
@ -1371,7 +1373,6 @@ if($Capable)
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
# SIG # Begin signature block
|
# SIG # Begin signature block
|
||||||
## REPLACE
|
## REPLACE
|
||||||
# SIG # End signature block
|
# SIG # End signature block
|
||||||
|
|||||||
@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
|
|||||||
|
|
||||||
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
|
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
|
||||||
|
|
||||||
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
|
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
|
||||||
|
|
||||||
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
|
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
|
||||||
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
|
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
|
||||||
@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
|
|||||||
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
|
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
|
||||||
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
|
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
|
||||||
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
|
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
|
||||||
* The certificate template must have an extension that has the BMP data value "DomainController".
|
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
|
||||||
* The domain controller certificate must be installed in the local computer's certificate store.
|
* The domain controller certificate must be installed in the local computer's certificate store.
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user