Read Me Prakhar
Note:
* For enterprise IT Pros evaluating DG/CG:
Yellow warnings mean that the machine has met the baseline requirements
for enabling DG/CG, so the features can be enabled.
For both yellow and green results, we strongly recommend testing the
configuration in your lab before enabling it broadly.
###########################################################################
OS and hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Device Guard and Credential Guard are available only on these OS SKUs:
- Enterprise, Professional, Home, Education, Server and Enterprise IoT
2. OS version: the minimum OS version to run the tool is Windows 10, version 1607,
or Windows Server 2016
3. Hardware: recent hardware that supports the virtualization extensions with SLAT
(Second Level Address Translation)
###########################################################################
If the execution policy is not already set to allow running scripts, set it
manually as below and then use the readiness script:
Set-ExecutionPolicy Unrestricted
Unrestricted is broader than the script needs and persists after the script has
run; scoping the change to the current process (Set-ExecutionPolicy with
-Scope Process) leaves the machine-wide policy unchanged once the session ends.
To enable DG/CG. If you have a custom SIPolicy.p7b, use the -Path parameter;
otherwise the hardcoded default policy is used.
Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>
To enable only CG:
Usage: DG_Readiness.ps1 -Enable -CG
To disable DG/CG:
Usage: DG_Readiness.ps1 -Disable
To verify whether DG/CG is enabled:
Usage: DG_Readiness.ps1 -Ready
To check whether the device is capable of DG/CG (writes the Capabilities registry
values described below):
Usage: DG_Readiness.ps1 -Capable
###########################################################################
When the Readiness Tool is run with -Capable, the following registry values are set under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
CG_Capable
DG_Capable
HVCI_Capable
Value 0 = not possible to enable DG/CG/HVCI on this device
Value 1 = this device is capable of running DG/CG/HVCI, but some
firmware/hardware/software needed for additional security qualifications are
absent.
Value 2 = fully compatible for DG/CG/HVCI
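The following is an added example, not part of the readiness tool or its README. It decodes the three Capabilities values written by -Capable into the meanings listed above, and then cross-checks them against the live VBS state that Windows exposes through the Win32_DeviceGuard WMI class (a class provided by Windows, not by the readiness tool). The key path, value names and 0/1/2 meanings are taken from the list above; the WMI property names and their encodings (VirtualizationBasedSecurityStatus 0/1/2, SecurityServicesRunning 1 = Credential Guard, 2 = HVCI) are the documented Windows values. Run it in an elevated PowerShell after DG_Readiness.ps1 -Capable has been executed.

```powershell
# Added example: decode DG/CG/HVCI capability values and compare with what is actually running.
# Not code from the readiness tool; assumes DG_Readiness.ps1 -Capable has already populated the key.

$capPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities'

# Meanings of the *_Capable values, as documented in the readiness tool README.
$meaning = @{
    0 = 'not possible to enable on this device'
    1 = 'capable, but some firmware/hardware/software security qualifications are absent'
    2 = 'fully compatible'
}

if (-not (Test-Path $capPath)) {
    Write-Warning "Capabilities key not found; run DG_Readiness.ps1 -Capable first."
    return
}

$cap = Get-ItemProperty -Path $capPath
foreach ($name in 'DG_Capable', 'CG_Capable', 'HVCI_Capable') {
    $value = $cap.$name
    if ($null -eq $value) {
        "{0,-13} : (value missing)" -f $name
        continue
    }
    $text = if ($meaning.ContainsKey([int]$value)) { $meaning[[int]$value] } else { "unexpected value $value" }
    "{0,-13} : {1} ({2})" -f $name, $value, $text
}

# Cross-check against the live VBS state. A machine can be "capable" (2) and still have
# nothing running, or report running services that the Capabilities key does not reflect
# because -Capable was run before a firmware or policy change.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$vbsState = @{ 0 = 'disabled'; 1 = 'enabled, not running'; 2 = 'running' }
$status = [int]$dg.VirtualizationBasedSecurityStatus
"VBS status    : {0} ({1})" -f $status, $(if ($vbsState.ContainsKey($status)) { $vbsState[$status] } else { 'unknown' })
# SecurityServicesRunning is an array: 1 = Credential Guard, 2 = HVCI
"CG running    : {0}" -f ($dg.SecurityServicesRunning -contains 1)
"HVCI running  : {0}" -f ($dg.SecurityServicesRunning -contains 2)
```

Reading the live WMI state alongside the cached Capabilities values is the check to run after -Enable and a reboot: a value of 2 in the registry only says the hardware qualifies, while SecurityServicesRunning says whether the protection is actually active.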
###########################################################################
Helpful Resources:
PC OEM requirements for Device Guard and Credential Guard:
https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx
Deploying Credential Guard:
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#hardware-and-software-requirements
Deploying Device Guard:
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard
###########################################################################
Want to customize the script?
###########################################################################
This script is configured to enable DG and CG without the UEFI lock. Below is the
list of registry keys and the values it sets, with the alternatives you can use to
customize it:
For RS1 and RS2 - to enable HVCI and CG without UEFI lock:
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
#to make both Secure Boot and DMA protection required, change the value to 3
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
#to lock VBS to UEFI variables, the value should be 1
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
#to lock HVCI to UEFI variables, the value should be 1
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f
#LsaCfgFlags 2 enables Credential Guard without UEFI lock; 1 enables it with UEFI lock; 0 disables it
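The following is an added example, not part of the readiness script. It applies the same registry configuration as the REG ADD lines above from PowerShell, with a -UefiLock switch that flips the three lock-related values between the unlocked settings shown above (Locked = 0, LsaCfgFlags = 2) and their UEFI-locked counterparts (Locked = 1, LsaCfgFlags = 1), and a -PlatformSecurityFeatures parameter for the 1 versus 3 choice noted above. It then reads every value back and reports mismatches instead of assuming the writes succeeded. The parameter names and the readback logic are this example's own; the key paths and value names are those listed above. A reboot is needed before VBS picks up the change, and once the UEFI lock is set, clearing the registry values alone does not turn the features off, so test a locked configuration in a lab first, as the note at the top advises.

```powershell
# Added example: apply the HVCI + Credential Guard registry configuration with or without UEFI lock.
# Not the readiness tool's code. Run elevated; requires a reboot to take effect.
param(
    # Assumed parameter names for this example (not options of DG_Readiness.ps1).
    [switch]$UefiLock,
    # 1 = Secure Boot required; 3 = Secure Boot and DMA protection required.
    [ValidateSet(1, 3)][int]$PlatformSecurityFeatures = 1
)

$dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
$lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

$lock     = if ($UefiLock) { 1 } else { 0 }   # Locked: 0 = no UEFI lock, 1 = lock VBS/HVCI to UEFI variables
$lsaFlags = if ($UefiLock) { 1 } else { 2 }   # LsaCfgFlags: 1 = CG on with UEFI lock, 2 = CG on without lock

# Desired state: key path -> (value name -> DWORD value)
$desired = [ordered]@{}
$desired[$dgKey] = [ordered]@{
    EnableVirtualizationBasedSecurity = 1
    RequirePlatformSecurityFeatures   = $PlatformSecurityFeatures
    Locked                            = $lock
}
$desired[$hvciKey] = [ordered]@{ Enabled = 1; Locked = $lock }
$desired[$lsaKey]  = [ordered]@{ LsaCfgFlags = $lsaFlags }

# Write: the Scenarios\HypervisorEnforcedCodeIntegrity key may not exist yet, so create keys
# on demand; New-ItemProperty -Force overwrites an existing value (same effect as REG ADD /f).
foreach ($key in $desired.Keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $desired[$key].Keys) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $desired[$key][$name] -Force | Out-Null
    }
}

# Read back and verify, so a policy, permissions or typo problem is caught before the reboot.
$mismatch = 0
foreach ($key in $desired.Keys) {
    $actual = Get-ItemProperty -Path $key
    foreach ($name in $desired[$key].Keys) {
        $want = $desired[$key][$name]
        $got  = $actual.$name
        $ok   = ($got -eq $want)
        if (-not $ok) { $mismatch++ }
        $status = if ($ok) { 'OK' } else { 'FAIL' }
        "{0,-4} {1}\{2} = {3} (expected {4})" -f $status, $key, $name, $got, $want
    }
}

if ($mismatch) {
    Write-Error "$mismatch value(s) did not apply as expected"
} else {
    "Configuration applied (UEFI lock: $($UefiLock.IsPresent)); reboot to activate VBS."
}
```

Without -UefiLock the script reproduces the unlocked state the REG ADD lines above describe, which is the reversible configuration to use while evaluating; -UefiLock is the setting to move to only after that evaluation, because it is the lock, not the registry values, that stops an attacker with administrative rights from simply switching Credential Guard back off.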