###########################################################################
Readiness Tool Version 3.6 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
How to read the output:
1. Red Errors: Basic hardware/firmware features are missing that will prevent enabling and using DG/CG
2. Yellow Warnings: This device is capable of running DG/CG, but some additional security qualifications are absent. To learn more, please go through: https://aka.ms/dgwhcr
3. Green Messages: This device is fully compliant with DG/CG requirements
Note:
* For enterprise IT Pros evaluating DG/CG:
Yellow warnings means that the machine has met baseline requirements for enabling DG/CG, and therefore the features can be enabled.
For yellow and green outputs, we strongly recommend testing this configuration in your lab before enabling broadly.
* For OEMs using this tool to evaluate DG/CG hardware compatibility:
When evaluating client and server compatibility with DG/CG, the device must meet all of the hardware requirements, including additional
security qualifications, depending on the release timeframe.
The current version of the tool evaluates against Windows 10, version 1703 requirements.
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Device Guard and Credential Guard are available only on these OS SKUs - Enterprise, Professional, Home, Education, Server and Enterprise IoT
2. OS Version: The minimum OS version to run the tool is Windows 10, Version 1607, or Windows Server 2016
3. Hardware: Recent hardware that supports virtualization extension with SLAT
###########################################################################
If Execution-Policy is not already set to allow running script, then you should manually set it as below and then use the readiness script:
Set-ExecutionPolicy Unrestricted
Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable] -[DG/CG/HVCI] -[AutoReboot] -Path
Log file with details is found here: C:\DGLogs
To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used
Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b>
To enable only HVCI
Usage: DG_Readiness.ps1 -Enable -HVCI
To enable only CG
Usage: DG_Readiness.ps1 -Enable -CG
To Verify if DG/CG is enabled
Usage: DG_Readiness.ps1 -Ready
To Disable DG/CG.
Usage: DG_Readiness.ps1 -Disable
To Verify if DG/CG is disabled
Usage: DG_Readiness.ps1 -Ready
To Verify if this device is DG/CG Capable
Usage: DG_Readiness.ps1 -Capable
To Verify if this device is HVCI Capable
Usage: DG_Readiness.ps1 -Capable -HVCI
To auto reboot with each option
Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot
###########################################################################
Readiness Tool with '-capable' is run the following RegKey values are set:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities
CG_Capable
DG_Capable
HVCI_Capable
Value 0 = not possible to enable DG/CG/HVCI on this device
Value 1 = this device is capable of running DG/CG/HVCI, but some firmware/hardware/software needed for additional security qualifications are absent.
Value 2 = fully compatible for DG/CG/HVCI
###########################################################################
Helpful Resources:
PC OEM requirements for Device Guard and Credential Guard: https://msdn.microsoft.com/library/windows/hardware/mt767514(v=vs.85).aspx
Deploying Credential Guard: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard#hardware-and-software-requirements
Deploying Device Guard: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard
###########################################################################
Want to customize the script?
###########################################################################
This script has configuration to enable DG and CG without UEFI Lock: Below is the list of Regkeys and its values for customization:
For RS1 and RS2 � to enable HVCI and CG without UEFI Lock:
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f'
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f'
#to make both Secure Boot and DMA as required then the value should be changed to 3
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f'
#to lock VBS to UEFI variables the value should be 1
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
#to lock VBS to UEFI variables the value should be 1
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f'
For TH2 � to enable HVCI and CG without UEFI Lock:
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f'
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f'
#to make both Secure Boot and DMA as required then the value should be changed to 3
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f'
#to lock VBS to UEFI variables the value should be 0 or the key deleted
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f'
没有合适的资源?快使用搜索试试~ 我知道了~
dgreadiness_v3.6.zip
共12个文件
xml:4个
p7b:4个
ps1:2个
5星 · 超过95%的资源 需积分: 50 14 下载量 186 浏览量
2020-11-25
14:07:58
上传
评论
收藏 63KB ZIP 举报
温馨提示
dgreadiness3.6 Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool...
资源详情
资源评论
资源推荐
收起资源包目录
dgreadiness3.6.zip (12个子文件)
dgreadiness3.6
dgreadiness_v3.6
DefaultWindows_Audit.xml 11KB
DG_Readiness_Tool_v3.6.ps1 76KB
DefaultWindows_Audit_sipolicy.p7b 2KB
ReadMe.txt 6KB
DefaultWindows_Enforced.xml 11KB
DefaultWindows_Enforced_sipolicy.p7b 2KB
dgreadiness_v3.6
DefaultWindows_Audit.xml 11KB
DG_Readiness_Tool_v3.6.ps1 76KB
DefaultWindows_Audit_sipolicy.p7b 2KB
ReadMe.txt 6KB
DefaultWindows_Enforced.xml 11KB
DefaultWindows_Enforced_sipolicy.p7b 2KB
共 12 条
- 1
sky_castle
- 粉丝: 3
- 资源: 10
上传资源 快速赚钱
- 我的内容管理 展开
- 我的资源 快来上传第一个资源
- 我的收益 登录查看自己的收益
- 我的积分 登录查看自己的积分
- 我的C币 登录后查看C币余额
- 我的收藏
- 我的下载
- 下载帮助
最新资源
- STM8L101F3P6单片机+CC1100模块433M遥控器设计硬件(原理图+PCB)工程文件.zip
- 上传下载铁人下载系统 Liuxing 1.0-liuxing1.0.rar
- 南京邮电大学数学实验实力雄厚,凭借其优秀的师资力量、丰富的实践教学资源和卓越的科研成果,成为国内一流的数学实验教学和科研基地
- 【火爆朋友圈的今天吃什么源码 v1.0】随机的为用户带来每一天的用餐选择和推荐.rar
- MPU6050中文版数据手册
- 上传下载手机电影下载-mobiledy.rar
- 响应式旅游网站源码下载 马尔代夫旅游网站.rar
- CMS小涴熊漫画连载系统漫画网站源码 带采集API.rar
- 福袋点点.apk
- 基于STM32的电子秤采用0.96寸OLED显示UI界面源码.zip
资源上传下载、课程学习等过程中有任何疑问或建议,欢迎提出宝贵意见哦~我们会及时处理!
点击此处反馈
安全验证
文档复制为VIP权益,开通VIP直接复制
信息提交成功
评论5