From 498ccc951823c3f83f9177f9823c00bac03df35a Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Wed, 8 Feb 2023 07:06:49 +0000 Subject: [PATCH 01/17] add require UEFI memory attributes table Signed-off-by: Diane Wang --- windows/utils/win_enable_vbs_guest.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml index 97dfb8c94..3ba4192ce 100644 --- a/windows/utils/win_enable_vbs_guest.yml +++ b/windows/utils/win_enable_vbs_guest.yml @@ -9,14 +9,17 @@ # 1. enable VBS # 2. enable VBS with Secure Boot and DMA (value 3) # 3. enable VBS with UEFI lock (value 1) +# 4. enable VBS with Require UEFI Memory Attributes Table # 4. enable virtualization-based protection of Code Integrity policies # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1) +# - include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequireUEFIMemoryAttributesTable" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f From 1fb826dc3f0ebb8d7441e3137a3b9390e47ed337 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Mon, 13 Feb 2023 09:04:25 +0000 Subject: [PATCH 02/17] add get security properties 
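Review bot: The value name `RequireUEFIMemoryAttributesTable` written under `...\Control\DeviceGuard` is not the name this series itself later uses for the same setting (`HVCIMATRequired` under the `HypervisorEnforcedCodeIntegrity` scenario key), so it is unclear the guest honours it; confirm the value name against the Device Guard documentation before asserting on its effect. The header list also now contains two items numbered `4.`; the added comment should be renumbered so the list stays in step with the command lines below it.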
Signed-off-by: Diane Wang --- windows/utils/win_enable_vbs_guest.yml | 10 ++++-- .../utils/win_get_dg_security_properties.yml | 36 +++++++++++++++++++ .../vbs_enable_disable/vbs_enable_test.yml | 31 +++++++--------- 3 files changed, 56 insertions(+), 21 deletions(-) create mode 100644 windows/utils/win_get_dg_security_properties.yml diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml index 3ba4192ce..ebd739a9a 100644 --- a/windows/utils/win_enable_vbs_guest.yml +++ b/windows/utils/win_enable_vbs_guest.yml @@ -9,9 +9,11 @@ # 1. enable VBS # 2. enable VBS with Secure Boot and DMA (value 3) # 3. enable VBS with UEFI lock (value 1) -# 4. enable VBS with Require UEFI Memory Attributes Table # 4. enable virtualization-based protection of Code Integrity policies # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1) +# 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table +# 7. enable CredentialGuard with UEFI lock (value 1) +# 8. enable System Guard Secure Launch and SMM protection # - include_tasks: win_execute_cmd.yml vars: 
@@ -19,9 +21,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequireUEFIMemoryAttributesTable" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 1 /f # Restart guest OS after configuration in guest - include_tasks: win_shutdown_restart.yml diff --git a/windows/utils/win_get_dg_security_properties.yml b/windows/utils/win_get_dg_security_properties.yml new file mode 100644 index 000000000..d884afc4b --- /dev/null +++ b/windows/utils/win_get_dg_security_properties.yml 
@@ -0,0 +1,36 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Get available security properties for Windows Defender Device Guard.
+# Refer to this page: https://docs.microsoft.com/en-us/windows/security/
+# threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
+# 1. If present, hypervisor support is available.
+# 2. If present, Secure Boot is available.
+# 3. If present, DMA protection is available.
+# 4. If present, Secure Memory Overwrite is available.
+# 5. If present, NX protections are available.
+# 6. If present, SMM mitigations are available.
+# 7. If present, MBEC/GMET is available.
+# 8. If present, APIC virtualization is available.
+#
+- name: "Initialize the fact of Device Guard available security properties"
+ ansible.builtin.set_fact:
+ win_dg_security_properties: ""
+
+- name: "Get Device Guard available security properties"
+ include_tasks: win_execute_cmd.yml
+ vars:
+ win_powershell_cmd: "(CimInstance –ClassName Win32_DeviceGuard –Namespace root\\Microsoft\\Windows\\DeviceGuard).AvailableSecurityProperties"
+
+- name: "Set fact of Device Guard available security properties"
+ ansible.builtin.set_fact:
+ win_dg_security_properties: "{{ win_powershell_cmd_output.stdout_lines }}"
+ when:
+ - win_powershell_cmd_output is defined
+ - win_powershell_cmd_output.stdout_lines is defined
+ - win_powershell_cmd_output.stdout_lines | length != 0
+
+- name: "Display the results"
+ ansible.builtin.debug:
+ msg:
+ - "AvailableSecurityProperties: {{ win_dg_security_properties }}"
diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml
index ae9e3d437..e5431fef8 100644
--- a/windows/vbs_enable_disable/vbs_enable_test.yml
+++ b/windows/vbs_enable_disable/vbs_enable_test.yml
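Review bot: The PowerShell in `win_powershell_cmd` reads `(CimInstance –ClassName ...)`: there is no `CimInstance` command (the cmdlet is `Get-CimInstance`), and the parameter prefixes are non-ASCII dashes, so as shown this task produces no output and the following `set_fact` is silently skipped, leaving `win_dg_security_properties` empty for every later check. Suggest `win_powershell_cmd: "(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard).AvailableSecurityProperties"`. The initial value `win_dg_security_properties: ""` is a string while every consumer treats the fact as a list of strings (`sort`, `difference`, `in`); initialising with `win_dg_security_properties: []` keeps the type stable on the skip path.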
@@ -36,26 +36,21 @@ fail_msg: "VM VBS status is not enabled after enabling it." when: not vm_vbs_enabled_before -- name: "VM VBS is enabled" - block: - # Get VBS status in guest OS - - include_tasks: ../utils/win_get_vbs_guest.yml - - name: "Set fact of HVCI and VBS running status in guest before enable" - ansible.builtin.set_fact: - guest_vbs_enabled_before: true - when: - - win_vbs_status_guest | int == 2 - - "'2' in win_vbs_running_service" - when: vm_vbs_enabled_before +- name: "Get Device Guard available security properties in guest OS" + include_tasks: ../utils/win_get_dg_security_properties.yml -# Enable VBS in guest OS if HVCI is not running or VBS is not running -- name: "Enable VBS in guest OS" - block: - - include_tasks: ../utils/win_enable_vbs_guest.yml - - include_tasks: ../utils/win_get_vbs_guest.yml - when: not guest_vbs_enabled_before +- name: "Enable VBS and security services in guest OS" + include_tasks: ../utils/win_enable_vbs_guest.yml + +- name: "Get running security services" + include_tasks: ../utils/win_get_vbs_guest.yml -# SecurityServicesRunning: 2 means HVCI is running +# SecurityServicesRunning: +# 0. No services running. +# 1. If present, Windows Defender Credential Guard is running. +# 2. If present, HVCI is running. +# 3. If present, System Guard Secure Launch is running. +# 4. If present, SMM Firmware Measurement is running. # VirtualizationBasedSecurityStatus: 2 means VBS is enabled and running - name: "Check VBS and running security service status" ansible.builtin.assert: From cf88abe53686617b4013a094cc9b9f578f85ef48 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Wed, 15 Feb 2023 02:33:34 +0000 Subject: [PATCH 03/17] add check security property Signed-off-by: Diane Wang --- windows/vbs_enable_disable/vbs_enable_test.yml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index e5431fef8..8ad489213 100644 
--- a/windows/vbs_enable_disable/vbs_enable_test.yml
+++ b/windows/vbs_enable_disable/vbs_enable_test.yml
@@ -45,6 +45,22 @@
 - name: "Get running security services"
 include_tasks: ../utils/win_get_vbs_guest.yml
 
+# AvailableSecurityProperties:
+# 0. If present, no relevant properties exist on the device.
+# 1. If present, hypervisor support is available.
+# 2. If present, Secure Boot is available.
+# 3. If present, DMA protection is available.
+# 4. If present, Secure Memory Overwrite is available.
+# 5. If present, NX protections are available.
+# 6. If present, SMM mitigations are available.
+# 7. If present, MBEC/GMET is available.
+# 8. If present, APIC virtualization is available.
+- name: "Check available security properties got in guest OS"
+ ansible.builtin.assert:
+ that:
+ - win_dg_security_properties | sort == ['1', '2', '3', '4', '5', '6', '7']
+ fail_msg: "Got available security properties in guest OS is: {{ win_dg_security_properties }}, which missing '{{ ['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) }}' compared with the expected list."
+
 # SecurityServicesRunning:
 # 0. No services running.
 # 1. If present, Windows Defender Credential Guard is running.
From c859f805a92d39e2c07239edbb8dd02981ee6b18 Mon Sep 17 00:00:00 2001
From: Diane Wang
Date: Mon, 27 Feb 2023 07:49:40 +0000
Subject: [PATCH 04/17] add check credential guard
Signed-off-by: Diane Wang
---
 windows/utils/win_enable_vbs_guest.yml | 37 +++++++++++++++----
 .../vbs_enable_disable/vbs_enable_test.yml | 3 +-
 2 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml
index ebd739a9a..adc8743ab 100644
--- a/windows/utils/win_enable_vbs_guest.yml
+++ b/windows/utils/win_enable_vbs_guest.yml
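Review bot: The assertion requires `win_dg_security_properties | sort` to equal exactly `['1', ..., '7']`, so a host that additionally reports `8` (APIC virtualization, listed in the comment directly above) fails even though nothing expected is missing; since the `fail_msg` already reasons in terms of what is missing, the check should too: `- "['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) | length == 0"`. The expected list is written out twice in this one task; a single `ansible.builtin.set_fact` (e.g. `win_dg_expected_properties`) would keep the check and the message from drifting apart. The message wording `Got available security properties in guest OS is: ..., which missing ...` reads better as `Available security properties got in guest OS: ..., missing ... compared with the expected list.`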
@@ -12,10 +12,9 @@ # 4. enable virtualization-based protection of Code Integrity policies # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1) # 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table -# 7. enable CredentialGuard with UEFI lock (value 1) -# 8. enable System Guard Secure Launch and SMM protection # -- include_tasks: win_execute_cmd.yml +- name: "Enable VBS and HVCI in guest OS" + include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; 
@@ -23,11 +22,33 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard" /v "Enabled" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f -# Restart guest OS after configuration in guest -- include_tasks: win_shutdown_restart.yml +# Enable CredentialGuard with UEFI lock (value 1) +# Starting in Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2, +# compatible systems have Windows Defender Credential Guard turned on by default. 
+# +- name: "Enable Credential Guard in guest OS" + include_tasks: win_execute_cmd.yml + vars: + win_powershell_cmd: >- + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f + when: > + (guest_os_product_type | lower == 'server') or + (guest_os_build_num | int < 22621) or + (guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education']) + +# - include_tasks: win_execute_cmd.yml +# vars: +# win_powershell_cmd: >- +# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; +# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; +# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f; +# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f +# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f; +# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f + +- name: "Restart guest OS after configuration" + include_tasks: win_shutdown_restart.yml vars: set_win_power_state: "restart" diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index 8ad489213..6fa0dcb07 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml 
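Review bot: The hunk leaves a fully commented-out task (the `HKLM\SOFTWARE\Policies\...\DeviceGuard` `reg add` block) in the file without a comment saying why it is kept, and inside it the `HVCIMATRequired` line lacks the trailing `;` the other lines carry, so it would not run correctly even if uncommented. Either delete it or turn it into a real task with a `when` and a comment stating when the policy keys are needed. The Credential Guard task assumes `guest_os_product_type`, `guest_os_build_num` and `guest_os_edition` are defined; if any caller reaches this file without them the `when` errors instead of skipping, so an `is defined` guard or `| default(...)` would make the dependency explicit.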
@@ -72,5 +72,6 @@
 ansible.builtin.assert:
 that:
 - win_vbs_status_guest | int == 2
+ - "'1' in win_vbs_running_service"
 - "'2' in win_vbs_running_service"
- fail_msg: "VBS is not running '{{ win_vbs_status_guest }}', or HVCI is not running '{{ win_vbs_running_service }}'."
+ fail_msg: "VBS is not running '{{ win_vbs_status_guest }}', or HVCI/Credential Guard is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'."
From 17e31f44d00368fea1dbbef28305b4f76d1781e7 Mon Sep 17 00:00:00 2001
From: Diane Wang
Date: Tue, 28 Feb 2023 01:55:20 +0000
Subject: [PATCH 05/17] add known issue
Signed-off-by: Diane Wang
---
 windows/vbs_enable_disable/vbs_enable_test.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml
index 6fa0dcb07..3b6b5155f 100644
--- a/windows/vbs_enable_disable/vbs_enable_test.yml
+++ b/windows/vbs_enable_disable/vbs_enable_test.yml
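Review bot: Asserting `'1' in win_vbs_running_service` hard-codes that Credential Guard runs on every guest this test targets, but the enable side in this same commit deliberately skips the `LsaCfgFlags` write on some editions and builds; unless every such edition has Credential Guard on by default, the assertion fails there for a reason unrelated to VBS. Consider gating the `'1'` check on the same predicate the enable task uses, or on a fact recorded when that task actually ran, and keep the `'2'` (HVCI) check unconditional. The enclosing assert task starts above this hunk.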
@@ -55,11 +55,28 @@ # 6. If present, SMM mitigations are available. # 7. If present, MBEC/GMET is available. # 8. If present, APIC virtualization is available. +# +- name: "Handle known issue" + block: + - name: "Known issue - NX protections are not present in AvailableSecurityProperties on ESXi 7.0.3" + ansible.builtin.debug: + msg: + - "NX protections are not present in guest OS 'AvailableSecurityProperties' on ESXi 7.0.3, KB link TBD." + tags: + - known_issue + when: + - esxi_version is version('7.0.3', '=') + - esxi_build == '19193900' + - ['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) == '5' + - name: "Check available security properties got in guest OS" ansible.builtin.assert: that: - win_dg_security_properties | sort == ['1', '2', '3', '4', '5', '6', '7'] fail_msg: "Got available security properties in guest OS is: {{ win_dg_security_properties }}, which missing '{{ ['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) }}' compared with the expected list." + when: > + (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or + (esxi_version is version('7.0.3', '=') and esxi_build | int > 19193900) # SecurityServicesRunning: # 0. No services running. @@ -68,6 +85,7 @@ # 3. If present, System Guard Secure Launch is running. # 4. If present, SMM Firmware Measurement is running. # VirtualizationBasedSecurityStatus: 2 means VBS is enabled and running +# - name: "Check VBS and running security service status" ansible.builtin.assert: that: From c92d55dd6b40c166e579ba711a6d56c8c8601763 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Tue, 28 Feb 2023 03:57:41 +0000 Subject: [PATCH 06/17] add known issue Signed-off-by: Diane Wang --- windows/vbs_enable_disable/vbs_enable_test.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index 3b6b5155f..78871fc36 100644 
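Review bot: ESXi 7.0.3 builds below 19193900 get neither the known-issue message (only build `19193900` is matched) nor the assertion (its `when` keeps only builds above 19193900), so the property check silently disappears on those hosts; patch 09 later changes the bound to `>= 21424296`, which widens that silent window to every 7.0.3 build below 21424296 other than 19193900. Making the known-issue condition the exact complement of the assertion's condition closes the gap, e.g. `- esxi_version is version('7.0.3', '==')` together with `- esxi_build | int <= 19193900`. Separately, `['1', ...] | difference(win_dg_security_properties) == '5'` compares a list with a string and can never be true (the right-hand side needs to be `['5']`), and `esxi_build == '19193900'` only holds if the fact is a string.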
--- a/windows/vbs_enable_disable/vbs_enable_test.yml
+++ b/windows/vbs_enable_disable/vbs_enable_test.yml
@@ -65,9 +65,9 @@
 tags:
 - known_issue
 when:
- - esxi_version is version('7.0.3', '=')
- - esxi_build == '19193900'
- - ['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) == '5'
+ - esxi_version is version('7.0.3', '==')
+ - esxi_build | int == 19193900
+ - "['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) == ['5']"
 
 - name: "Check available security properties got in guest OS"
 ansible.builtin.assert:
@@ -76,7 +76,7 @@
 fail_msg: "Got available security properties in guest OS is: {{ win_dg_security_properties }}, which missing '{{ ['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) }}' compared with the expected list."
 when: >
 (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or
- (esxi_version is version('7.0.3', '=') and esxi_build | int > 19193900)
+ (esxi_version is version('7.0.3', '==') and esxi_build | int > 19193900)
 
 # SecurityServicesRunning:
 # 0. No services running.
From 9392c646240524a987374236ef14d9e75b8aeace Mon Sep 17 00:00:00 2001
From: Diane Wang
Date: Tue, 28 Feb 2023 06:55:30 +0000
Subject: [PATCH 07/17] change condition
Signed-off-by: Diane Wang
---
 windows/utils/win_enable_vbs_guest.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml
index adc8743ab..280a8cb01 100644
--- a/windows/utils/win_enable_vbs_guest.yml
+++ b/windows/utils/win_enable_vbs_guest.yml
@@ -13,13 +13,13 @@ # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1) # 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table # +#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; - name: "Enable VBS and HVCI in guest OS" include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f; reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f @@ -34,9 +34,8 @@ win_powershell_cmd: >- reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f when: > - (guest_os_product_type | lower == 'server') or (guest_os_build_num | int < 22621) or - (guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education']) + (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education']) # - include_tasks: win_execute_cmd.yml # vars: From 06a15c9734e75dc13cf413dad52ede58b8c90703 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Mon, 10 Apr 2023 05:48:42 +0000 Subject: [PATCH 08/17] change registry path 
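Review bot: The new `#reg add ... "Locked" ...` line is a commented-out command parked in the header block with no explanation, so a reader cannot tell whether dropping the UEFI lock is a TODO or a deliberate decision. Replace it with the reason, e.g. `# "Locked" (UEFI lock) is intentionally not set so the disable path can turn VBS off again`, or delete it; yamllint also expects a space after `#`.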
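Review bot: Dropping the `guest_os_product_type | lower == 'server'` clause means a Windows Server guest whose build number is at or above 22621 no longer gets `LsaCfgFlags` written, because the only remaining branch for that range requires `'client'`; no such server build existed when this was written, but the predicate will silently stop enabling Credential Guard on newer server releases. Keeping an explicit server branch avoids that: `(guest_os_product_type | lower == 'server') or (guest_os_build_num | int < 22621) or` followed by the existing client clause. The enclosing task starts above this hunk.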
Signed-off-by: Diane Wang --- windows/utils/win_enable_vbs_guest.yml | 27 +++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml index 280a8cb01..5240eb02d 100644 --- a/windows/utils/win_enable_vbs_guest.yml +++ b/windows/utils/win_enable_vbs_guest.yml 
@@ -13,16 +13,16 @@ # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1) # 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table # -#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; +# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f not working - name: "Enable VBS and HVCI in guest OS" include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f + reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; + reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; + reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; + reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f # Enable CredentialGuard with UEFI lock (value 1) # Starting in Windows 11 Enterprise, version 22H2 
and Windows 11 Education, version 22H2, @@ -32,20 +32,21 @@ include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- - reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f + reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f when: > (guest_os_build_num | int < 22621) or (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education']) -# - include_tasks: win_execute_cmd.yml -# vars: -# win_powershell_cmd: >- # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f; -# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f -# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f; -# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f +- name: "Enable HVCIMATRequired" + include_tasks: win_execute_cmd.yml + vars: + win_powershell_cmd: >- + reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f; + reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f; + reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f - name: "Restart guest OS after configuration" include_tasks: win_shutdown_restart.yml From ffc104c807e88146517a36a3ac06497a257b1d4c Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Mon, 10 Apr 2023 07:54:19 +0000 Subject: [PATCH 09/17] add KB link 
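Review bot: Inside a `>-` block scalar backslashes are literal, so the new `\\` sequences reach `reg add` as double backslashes rather than as an escape for one; the `Locked` line also mixes `HKLM\SYSTEM\\CurrentControlSet` with the doubled form, so the five commands are not even consistent with each other. Use single backslashes throughout, the form the previous revision used, e.g. `reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f;`. The `not working` remark appended to the `HVCIMATRequired` comment would be more useful as a sentence stating what was observed and that the policy key is used instead.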
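Review bot: The new `Enable HVCIMATRequired` task writes `LsaCfgFlags` under the policy key unconditionally, while the task just above writes the same setting under `Control\Lsa` only when its edition/build `when` holds, so that guard is bypassed; the task name also no longer describes what it does, since it sets `ConfigureSystemGuardLaunch` as well. Either move the policy `LsaCfgFlags` write into the guarded task or give this task the same `when`, and rename it, e.g. `Set Device Guard policy values`. The three `# reg add ...Policies...` comment lines left above it are now orphaned from any task and should go.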
Signed-off-by: Diane Wang --- windows/vbs_enable_disable/vbs_enable_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index 78871fc36..b757a13fa 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml @@ -61,7 +61,7 @@ - name: "Known issue - NX protections are not present in AvailableSecurityProperties on ESXi 7.0.3" ansible.builtin.debug: msg: - - "NX protections are not present in guest OS 'AvailableSecurityProperties' on ESXi 7.0.3, KB link TBD." + - "NX protections are not present in guest OS 'AvailableSecurityProperties' on ESXi 7.0.3, please refer to this KB article: https://kb.vmware.com/s/article/91199." tags: - known_issue when: @@ -76,7 +76,7 @@ fail_msg: "Got available security properties in guest OS is: {{ win_dg_security_properties }}, which missing '{{ ['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) }}' compared with the expected list." when: > (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or - (esxi_version is version('7.0.3', '==') and esxi_build | int > 19193900) + (esxi_version is version('7.0.3', '==') and esxi_build | int >= 21424296) # SecurityServicesRunning: # 0. No services running. From b211556e75ee52b12af29bdf3bbd5370434a7cf0 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Mon, 10 Apr 2023 12:23:39 +0000 Subject: [PATCH 10/17] fix path issue Signed-off-by: Diane Wang --- windows/utils/win_enable_vbs_guest.yml | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml index 5240eb02d..d5fff8d72 100644 --- a/windows/utils/win_enable_vbs_guest.yml +++ b/windows/utils/win_enable_vbs_guest.yml 
@@ -18,11 +18,11 @@ include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- - reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; - reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; - reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; - reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; - reg add "HKLM\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f # Enable CredentialGuard with UEFI lock (value 1) # Starting in Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2, 
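Review bot: The `Locked` value (UEFI lock) is back on the new side, yet the disable utility changed by patch 11 only zeroes `EnableVirtualizationBasedSecurity` and `HypervisorEnforcedCodeIntegrity`; Microsoft documents that once the UEFI lock is set, VBS cannot be turned off by registry changes alone, so the expectation in `vbs_disable_test.yml` of status `0` after `win_disable_vbs_guest.yml` looks inconsistent with this line. Patch 07 removed this same line, apparently for that reason, and patch 08 reintroduced it. If the lock is wanted in the enable test, the disable path needs the documented unlock procedure; otherwise drop the `Locked` line here and add a comment saying why, e.g. `# UEFI lock ("Locked") is not set so the disable test can revert VBS from the registry`.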
@@ -32,21 +32,21 @@ include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- - reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f + reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f when: > (guest_os_build_num | int < 22621) or (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education']) -# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; -# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; -# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f; - name: "Enable HVCIMATRequired" include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- - reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f; - reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f; - reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f; + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f; + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f; + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f; + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f; + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f - name: 
"Restart guest OS after configuration" include_tasks: win_shutdown_restart.yml From aa6f0579ff872bb229fd93d1a2ef28b9db49acdb Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Tue, 11 Apr 2023 01:02:26 +0000 Subject: [PATCH 11/17] change vbs disable Signed-off-by: Diane Wang --- windows/utils/win_disable_vbs_guest.yml | 6 +- .../vbs_enable_disable/vbs_disable_test.yml | 62 +++++++++++-------- .../vbs_enable_disable/vbs_enable_test.yml | 43 +++++++------ 3 files changed, 64 insertions(+), 47 deletions(-) diff --git a/windows/utils/win_disable_vbs_guest.yml b/windows/utils/win_disable_vbs_guest.yml index bc316c696..bcf5d0747 100644 --- a/windows/utils/win_disable_vbs_guest.yml +++ b/windows/utils/win_disable_vbs_guest.yml @@ -7,7 +7,11 @@ # - include_tasks: win_execute_cmd.yml vars: - win_powershell_cmd: "reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity' /v 'Enabled' /t REG_DWORD /d 0 /f; reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /t REG_DWORD /d 0 /f" + win_powershell_cmd: >- + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f; + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f; + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f; + reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 0 /f # Restart guest OS after configuration in guest - include_tasks: win_shutdown_restart.yml diff --git a/windows/vbs_enable_disable/vbs_disable_test.yml b/windows/vbs_enable_disable/vbs_disable_test.yml index 4955dda44..5d37334a9 100644 --- a/windows/vbs_enable_disable/vbs_disable_test.yml +++ b/windows/vbs_enable_disable/vbs_disable_test.yml 
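Review bot: The disable command only zeroes `EnableVirtualizationBasedSecurity` and `HypervisorEnforcedCodeIntegrity` under the `SYSTEM` and policy keys, leaving `RequirePlatformSecurityFeatures`, `LsaCfgFlags`, `HVCIMATRequired` and `ConfigureSystemGuardLaunch` as written by `win_enable_vbs_guest.yml`, so the guest is not returned to its pre-test state and the disable test checks a partially configured system. Suggest zeroing the values the enable path sets, e.g. `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f;` plus the matching policy-key values, and adding a header comment listing which values this utility resets.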
@@ -1,54 +1,62 @@ # Copyright 2022-2023 VMware, Inc. # SPDX-License-Identifier: BSD-2-Clause --- -# Shutdown guest OS to disable VBS on VM -- include_tasks: ../utils/win_shutdown_restart.yml +- name: "Shutdown guest OS to disable VBS on VM" + include_tasks: ../utils/win_shutdown_restart.yml vars: set_win_power_state: "shutdown" -# Disable VBS on VM -- include_tasks: ../utils/win_enable_vbs_vm.yml +- name: "Disable VBS on VM" + include_tasks: ../utils/win_enable_vbs_vm.yml vars: win_enable_vbs: false -# Power on VM -- include_tasks: ../../common/vm_set_power_state.yml +- name: "Power on VM" + include_tasks: ../../common/vm_set_power_state.yml vars: vm_power_state_set: "powered-on" -- include_tasks: ../utils/win_update_inventory.yml +- name: "Update in-memory inventory after VM power on" + include_tasks: ../utils/win_update_inventory.yml -# Check VM VBS status on VM -- include_tasks: ../../common/vm_get_vbs_status.yml -- name: "Check VM VBS status after enable" +- name: "Get VM VBS status" + include_tasks: ../../common/vm_get_vbs_status.yml +- name: "Check VM VBS status after disable" ansible.builtin.assert: that: - vm_vbs_enabled is defined - not vm_vbs_enabled | bool - fail_msg: "VM VBS status is not disabled after disabling it." - -# Get VBS status in guest OS -- include_tasks: ../utils/win_get_vbs_guest.yml - -# SecurityServicesRunning: 0 means No services running -# VirtualizationBasedSecurityStatus: 1 means VBS is enabled but not running + fail_msg: "VM VBS enabled status is '{{ vm_vbs_enabled | default('') }}', not disabled after disabling it." + +- name: "Get VBS status in guest OS" + include_tasks: ../utils/win_get_vbs_guest.yml + +# SecurityServicesRunning: +# 0. No services running. +# 1. If present, Windows Defender Credential Guard is running. +# 2. If present, HVCI is running. +# 3. If present, System Guard Secure Launch is running. +# 4. If present, SMM Firmware Measurement is running. 
+# VirtualizationBasedSecurityStatus: +# 2 means VBS is enabled and running +# 1 means VBS is enabled but not running +# 0 means VBS is not enabled +# - name: "Check VBS and running security service status" ansible.builtin.assert: that: - win_vbs_status_guest | int == 1 - - win_vbs_running_service[0] | int != 2 - fail_msg: "Either VBS is running '{{ win_vbs_status_guest }}', or HVCI is running '{{ win_vbs_running_service }}'." + - "'2' not in win_vbs_running_service" + fail_msg: "VBS status is '{{ win_vbs_status_guest }}', not expected '1', or HVCI '2' is in SecurityServicesRunning list '{{ win_vbs_running_service }}'." -# Disable VBS in guest -- include_tasks: ../utils/win_disable_vbs_guest.yml +- name: "Disable VBS in guest OS" + include_tasks: ../utils/win_disable_vbs_guest.yml -# Get VBS status in guest OS -- include_tasks: ../utils/win_get_vbs_guest.yml +- name: "Get VBS status in guest OS" + include_tasks: ../utils/win_get_vbs_guest.yml -# SecurityServicesRunning: 0 means No services running -# VirtualizationBasedSecurityStatus: 0 means VBS is not enabled - name: "Check VBS and running security service status" ansible.builtin.assert: that: - win_vbs_status_guest | int == 0 - - win_vbs_running_service[0] | int == 0 - fail_msg: "Either VBS is not disabled '{{ win_vbs_status_guest }}', or still running security service '{{ win_vbs_running_service }}'." + - win_vbs_running_service == ['0'] + fail_msg: "VBS status is '{{ win_vbs_status_guest }}', not expected '0', or SecurityServicesRunning list is '{{ win_vbs_running_service }}', not expected ['0']." diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index b757a13fa..fbf297621 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml 
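Review bot: The second assert compares `win_vbs_running_service == ['0']` as a one-element list of strings while the first uses `'2' not in win_vbs_running_service`; both depend on win_get_vbs_guest.yml returning a list of strings, which this hunk does not show, and if it ever returns a plain string the `not in` becomes a substring test and the `== ['0']` check fails outright. Normalising once, e.g. `- win_vbs_running_service | map('string') | list == ['0']`, makes the expected shape explicit. The SecurityServicesRunning / VirtualizationBasedSecurityStatus legend added here is repeated verbatim in vbs_enable_test.yml in the same commit; keeping it once in the helper that produces the values and referring to it from the tests would keep the two copies from drifting.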
@@ -6,34 +6,36 @@ vm_vbs_enabled_before: false guest_vbs_enabled_before: false -# Get VM VBS status before enable -- include_tasks: ../../common/vm_get_vbs_status.yml +- name: "Get VM VBS status before enable" + include_tasks: ../../common/vm_get_vbs_status.yml - name: "Set fact of VM VBS current status before enable" ansible.builtin.set_fact: vm_vbs_enabled_before: "{{ vm_vbs_enabled }}" - name: "VM VBS is not enabled" block: - # Shutdown guest OS before enabling VBS on VM - - include_tasks: ../utils/win_shutdown_restart.yml + - name: "Shutdown guest OS before enabling VBS on VM" + include_tasks: ../utils/win_shutdown_restart.yml vars: set_win_power_state: "shutdown" - # Enable VBS on VM - - include_tasks: ../utils/win_enable_vbs_vm.yml + - name: "Enable VBS on VM" + include_tasks: ../utils/win_enable_vbs_vm.yml vars: win_enable_vbs: true - - include_tasks: ../../common/vm_set_power_state.yml + - name: "Power on VM" + include_tasks: ../../common/vm_set_power_state.yml vars: vm_power_state_set: "powered-on" - - include_tasks: ../utils/win_update_inventory.yml - # Check VM VBS status - - include_tasks: ../../common/vm_get_vbs_status.yml + - name: "Update in-memory inventory after VM power on" + include_tasks: ../utils/win_update_inventory.yml + - name: "Get VM VBS status" + include_tasks: ../../common/vm_get_vbs_status.yml - name: "Check VM VBS status after enable" ansible.builtin.assert: that: - vm_vbs_enabled is defined - vm_vbs_enabled | bool - fail_msg: "VM VBS status is not enabled after enabling it." + fail_msg: "VM VBS status is '{{ vm_vbs_enabled | default('') }}', not enabled after enabling it." when: not vm_vbs_enabled_before - name: "Get Device Guard available security properties in guest OS" 
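Review bot: `when: not vm_vbs_enabled_before` relies on the fact keeping a boolean type after `set_fact: vm_vbs_enabled_before: "{{ vm_vbs_enabled }}"`; if the templated value is stored as the string 'False', `not` of a non-empty string evaluates false and the whole enable block is skipped on exactly the VM where VBS is off. Writing it as `when: not vm_vbs_enabled_before | bool` removes the dependency on how the fact was stored, and matches the `| bool` already used inside the assert. The defaults for vm_vbs_enabled_before and guest_vbs_enabled_before at the top of the file are outside the hunk.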
@@ -42,7 +44,7 @@ - name: "Enable VBS and security services in guest OS" include_tasks: ../utils/win_enable_vbs_guest.yml -- name: "Get running security services" +- name: "Get VBS status and running security services" include_tasks: ../utils/win_get_vbs_guest.yml # AvailableSecurityProperties: @@ -79,12 +81,15 @@ (esxi_version is version('7.0.3', '==') and esxi_build | int >= 21424296) # SecurityServicesRunning: -# 0. No services running. -# 1. If present, Windows Defender Credential Guard is running. -# 2. If present, HVCI is running. -# 3. If present, System Guard Secure Launch is running. -# 4. If present, SMM Firmware Measurement is running. -# VirtualizationBasedSecurityStatus: 2 means VBS is enabled and running +# 0. No services running. +# 1. If present, Windows Defender Credential Guard is running. +# 2. If present, HVCI is running. +# 3. If present, System Guard Secure Launch is running. +# 4. If present, SMM Firmware Measurement is running. +# VirtualizationBasedSecurityStatus: +# 2 means VBS is enabled and running +# 1 means VBS is enabled but not running +# 0 means VBS is not enabled # - name: "Check VBS and running security service status" ansible.builtin.assert: @@ -92,4 +97,4 @@ - win_vbs_status_guest | int == 2 - "'1' in win_vbs_running_service" - "'2' in win_vbs_running_service" - fail_msg: "VBS is not running '{{ win_vbs_status_guest }}', or HVCI/Credential Guard is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'." + fail_msg: "VBS status is '{{ win_vbs_status_guest }}', not expected '2', or HVCI '2'/Credential Guard '1' is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'." From b9ced2d4c5f91fc78db5c5b80e0277fed87a44e9 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Tue, 11 Apr 2023 02:57:31 +0000 Subject: [PATCH 12/17] use 7.0U3l build number Signed-off-by: Diane Wang --- windows/vbs_enable_disable/vbs_enable_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
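Review bot: The final assert requires Credential Guard ('1') and HVCI ('2') in SecurityServicesRunning but says nothing about System Guard Secure Launch ('3') or SMM measurement ('4'), even though the enable helper in this series writes ConfigureSystemGuardLaunch=1. If '3' is deliberately left unasserted because Secure Launch depends on platform support the VM may not expose, a comment above the task such as `# '3' (System Guard Secure Launch) is not asserted: it depends on platform support the VM may not provide` would stop a later reader from "fixing" the test by adding it. The -79,12 hunk only re-indents existing legend lines, and the assert's `that:` list begins outside the -92,4 hunk.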
diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index fbf297621..90403153c 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml @@ -68,7 +68,7 @@ - known_issue when: - esxi_version is version('7.0.3', '==') - - esxi_build | int == 19193900 + - esxi_build | int < 21424296 - "['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) == ['5']" - name: "Check available security properties got in guest OS" From d4ec4dbecde84b3ad8a1125eecd05a736598a66f Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Tue, 11 Apr 2023 06:32:51 +0000 Subject: [PATCH 13/17] change known issue message Signed-off-by: Diane Wang --- windows/utils/win_enable_vbs_guest.yml | 2 ++ windows/vbs_enable_disable/vbs_enable_test.yml | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml index d5fff8d72..ab0a7b8a1 100644 --- a/windows/utils/win_enable_vbs_guest.yml +++ b/windows/utils/win_enable_vbs_guest.yml @@ -37,6 +37,8 @@ (guest_os_build_num | int < 22621) or (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education']) +# Try to enable 'HVCIMATRequired' feature from registry while it does not take effect. +# Refer to 3rd party issue: https://partner.microsoft.com/en-us/dashboard/collaborate/engagements/1759/feedback/wits/Bugs/786316 - name: "Enable HVCIMATRequired" include_tasks: win_execute_cmd.yml vars: diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index 90403153c..39529af05 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml 
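Review bot: The new comment `# Try to enable 'HVCIMATRequired' feature from registry while it does not take effect.` leaves a reader unsure whether the value is expected to work at all; if the observation is that the policy is written but the guest does not report the feature, say that, e.g. `# HVCIMATRequired is written here although it currently has no effect in the guest (see the Microsoft issue below); kept so the test picks the feature up once it is fixed.` The partner.microsoft.com link needs a partner-portal login, so a one-line summary of the reported symptom next to it is the only part most readers can use. The "Enable HVCIMATRequired" task body continues outside the hunk.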
@@ -63,7 +63,7 @@ - name: "Known issue - NX protections are not present in AvailableSecurityProperties on ESXi 7.0.3" ansible.builtin.debug: msg: - - "NX protections are not present in guest OS 'AvailableSecurityProperties' on ESXi 7.0.3, please refer to this KB article: https://kb.vmware.com/s/article/91199." + - "NX protections are not present in guest OS 'AvailableSecurityProperties' issue exists on ESXi 7.0.3 build {{ esxi_build }}, which is fixed in ESXi 7.0U3L patch build 21424296. Please refer to KB article: https://kb.vmware.com/s/article/91199." tags: - known_issue when: From 5140ed603619875569301954edbc1282e49ccfa8 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Tue, 11 Apr 2023 06:38:11 +0000 Subject: [PATCH 14/17] add task name Signed-off-by: Diane Wang --- windows/utils/win_disable_vbs_guest.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/utils/win_disable_vbs_guest.yml b/windows/utils/win_disable_vbs_guest.yml index bcf5d0747..bd4941731 100644 --- a/windows/utils/win_disable_vbs_guest.yml +++ b/windows/utils/win_disable_vbs_guest.yml @@ -5,7 +5,8 @@ # Refer to this page: https://docs.microsoft.com/en-us/windows/security/ # threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity # -- include_tasks: win_execute_cmd.yml +- name: "Disable VBS and HVCI in guest OS" + include_tasks: win_execute_cmd.yml vars: win_powershell_cmd: >- reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f; 
@@ -13,7 +14,7 @@ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f; reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 0 /f -# Restart guest OS after configuration in guest -- include_tasks: win_shutdown_restart.yml +- name: "Restart guest OS after disabling VBS and HVCI" + include_tasks: win_shutdown_restart.yml vars: set_win_power_state: "restart" From 72ff9eb4ffe083aa9b31916f830b3d44f365a7fb Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Tue, 11 Apr 2023 11:20:21 +0000 Subject: [PATCH 15/17] address comments Signed-off-by: Diane Wang --- windows/utils/win_get_dg_security_properties.yml | 4 ++-- windows/vbs_enable_disable/vbs_disable_test.yml | 4 ++-- windows/vbs_enable_disable/vbs_enable_test.yml | 10 +++++----- 3 files changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/utils/win_get_dg_security_properties.yml b/windows/utils/win_get_dg_security_properties.yml index d884afc4b..f6b0f88d2 100644 --- a/windows/utils/win_get_dg_security_properties.yml +++ b/windows/utils/win_get_dg_security_properties.yml @@ -15,7 +15,7 @@ # - name: "Initialize the fact of Device Guard available security properties" ansible.builtin.set_fact: - win_dg_security_properties: "" + win_dg_security_properties: [] - name: "Get Device Guard available security properties" include_tasks: win_execute_cmd.yml @@ -24,7 +24,7 @@ - name: "Set fact of Device Guard available security properties" ansible.builtin.set_fact: - win_dg_security_properties: "{{ win_powershell_cmd_output.stdout_lines }}" + win_dg_security_properties: "{{ win_powershell_cmd_output.stdout_lines | map('int') }}" when: - win_powershell_cmd_output is defined - win_powershell_cmd_output.stdout_lines is defined diff --git a/windows/vbs_enable_disable/vbs_disable_test.yml b/windows/vbs_enable_disable/vbs_disable_test.yml index 5d37334a9..6996a6dee 100644 
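Review bot: `win_powershell_cmd_output.stdout_lines | map('int')` produces a Jinja generator, not a list; unless jinja2_native is enabled, set_fact stores its string form (`<generator object ...>`), after which the `sort`, `difference` and `== [5]` comparisons in vbs_enable_test.yml in this same commit cannot match. Append the list filter: `win_dg_security_properties: "{{ win_powershell_cmd_output.stdout_lines | map('int') | list }}"`. Note also that the `int` filter turns an unparsable line (a blank or a header) into 0 silently, so if the PowerShell output can contain one, the later equality against range(1, 8) fails with a message that hides the real cause; filtering to digit-only lines first would make that visible. The task that runs the command and produces stdout_lines is outside the hunk.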
--- a/windows/vbs_enable_disable/vbs_disable_test.yml +++ b/windows/vbs_enable_disable/vbs_disable_test.yml @@ -46,7 +46,7 @@ that: - win_vbs_status_guest | int == 1 - "'2' not in win_vbs_running_service" - fail_msg: "VBS status is '{{ win_vbs_status_guest }}', not expected '1', or HVCI '2' is in SecurityServicesRunning list '{{ win_vbs_running_service }}'." + fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '1', or HVCI '2' is in SecurityServicesRunning list '{{ win_vbs_running_service }}'." - name: "Disable VBS in guest OS" include_tasks: ../utils/win_disable_vbs_guest.yml @@ -59,4 +59,4 @@ that: - win_vbs_status_guest | int == 0 - win_vbs_running_service == ['0'] - fail_msg: "VBS status is '{{ win_vbs_status_guest }}', not expected '0', or SecurityServicesRunning list is '{{ win_vbs_running_service }}', not expected ['0']." + fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '0', or SecurityServicesRunning list is '{{ win_vbs_running_service }}', not expected ['0']." diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index 39529af05..6870a2d49 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml 
@@ -63,19 +63,19 @@ - name: "Known issue - NX protections are not present in AvailableSecurityProperties on ESXi 7.0.3" ansible.builtin.debug: msg: - - "NX protections are not present in guest OS 'AvailableSecurityProperties' issue exists on ESXi 7.0.3 build {{ esxi_build }}, which is fixed in ESXi 7.0U3L patch build 21424296. Please refer to KB article: https://kb.vmware.com/s/article/91199." + - "The issue of 'NX protections are not present in guest OS AvailableSecurityProperties' exists on this ESXi 7.0.3 build '{{ esxi_build }}', which is fixed in ESXi 7.0U3l patch build 21424296. Please refer to KB article: https://kb.vmware.com/s/article/91199." tags: - known_issue when: - esxi_version is version('7.0.3', '==') - esxi_build | int < 21424296 - - "['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) == ['5']" + - range(1, 8) | difference(win_dg_security_properties) == [5] - name: "Check available security properties got in guest OS" ansible.builtin.assert: that: - - win_dg_security_properties | sort == ['1', '2', '3', '4', '5', '6', '7'] - fail_msg: "Got available security properties in guest OS is: {{ win_dg_security_properties }}, which missing '{{ ['1', '2', '3', '4', '5', '6', '7'] | difference(win_dg_security_properties) }}' compared with the expected list." + - win_dg_security_properties | sort == range(1, 8) + fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ range(1, 8) | difference(win_dg_security_properties) }}' is missed compared with expected list '{{ range(1, 8) }}'." when: > (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or (esxi_version is version('7.0.3', '==') and esxi_build | int >= 21424296) 
@@ -97,4 +97,4 @@ - win_vbs_status_guest | int == 2 - "'1' in win_vbs_running_service" - "'2' in win_vbs_running_service" - fail_msg: "VBS status is '{{ win_vbs_status_guest }}', not expected '2', or HVCI '2'/Credential Guard '1' is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'." + fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '2', or HVCI '2'/Credential Guard '1' is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'." From e363dedf0ed24251d1b8e9a8f3365f8030ba7c37 Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Wed, 12 Apr 2023 00:16:02 +0000 Subject: [PATCH 16/17] fix range list Signed-off-by: Diane Wang --- windows/vbs_enable_disable/vbs_enable_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index 6870a2d49..06d566ef6 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml @@ -74,7 +74,7 @@ - name: "Check available security properties got in guest OS" ansible.builtin.assert: that: - - win_dg_security_properties | sort == range(1, 8) + - win_dg_security_properties | sort == range(1, 8) | list fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ range(1, 8) | difference(win_dg_security_properties) }}' is missed compared with expected list '{{ range(1, 8) }}'." when: > (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or From 057965d06d71a662735b1f224df5f863e122d05e Mon Sep 17 00:00:00 2001 From: Diane Wang Date: Wed, 12 Apr 2023 02:50:00 +0000 Subject: [PATCH 17/17] add list filter Signed-off-by: Diane Wang --- windows/vbs_enable_disable/vbs_enable_test.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml index 06d566ef6..8a32eb8c6 100644 --- a/windows/vbs_enable_disable/vbs_enable_test.yml +++ b/windows/vbs_enable_disable/vbs_enable_test.yml @@ -69,13 +69,13 @@ when: - esxi_version is version('7.0.3', '==') - esxi_build | int < 21424296 - - range(1, 8) | difference(win_dg_security_properties) == [5] + - (range(1, 8) | list) | difference(win_dg_security_properties) == [5] - name: "Check available security properties got in guest OS" ansible.builtin.assert: that: - win_dg_security_properties | sort == range(1, 8) | list - fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ range(1, 8) | difference(win_dg_security_properties) }}' is missed compared with expected list '{{ range(1, 8) }}'." + fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ (range(1, 8) | list) | difference(win_dg_security_properties) }}' is missed compared with expected list '{{ range(1, 8) }}'." when: > (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or (esxi_version is version('7.0.3', '==') and esxi_build | int >= 21424296)
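Review bot: The fail_msg still renders the expected list with `{{ range(1, 8) }}`, which prints as the text `range(1, 8)` rather than the values, while this same commit adds `| list` to the difference call just before it; change the tail to `expected list '{{ range(1, 8) | list }}'`. The `(range(1, 8) | list) | difference(win_dg_security_properties)` expression now appears in the known-issue `when:` and in the fail_msg, and the list itself a third time in `that:`; defining it once in a fact before both tasks, e.g. `expected_dg_properties: "{{ range(1, 8) | list }}"`, would keep the three sites in step. The assert task's `when: >` block closes at the hunk's last line.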