Blog Show
post views: 13,766 Windows 10 Credential Guard is currently another hot topic considering cyber security. Credential Guard is a new feature in Windows 10 (Enterprise and Education edition) that helps to protect your credentials on a machine from threats such as pass the hash. To be able to enable Credential Guard in Windows, you need to have virtualization enabled on the CPU in the BIOS. Virtualization is rarely enabled by default, and as such you will need to enable it manually (F1, enter BIOS, modify the setting) or better yet, find a solution to do so remotely and automatically. I have created following script in Powershell, that initially enables virtualization in the BIOS (Note: We only use Lenovo laptops, hence this is made for Lenovo laptops only) and then apply the registry-keys to enable Credential Guard. All steps are logged into c:\Windows\EnableCredentialGuard.log The script can be targeted to the proper Windows 10 versions through SCCM collections (I this example I only target W10 1607 and 1703, as these Windows 10 versions no longer require the Isolated User Mode feature when enabling Credential Guard, as it’s now embedded into the Hypervisor) When deploying powershell script from SCCM, remember to create the program with a command line like this: powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -WindowStyle Hidden -File .\CredentialGuard\Enable-VirtualizationCredentialGuard.ps1  <#
.SYNOPSIS
Enable virtualization in Lenovo Bios and enable Credential Guard in Windows 10
.DESCRIPTION
This script will only run on Lenovo computers. If run on Lenovo computer, the script will check if virtualization is enabled in BIOS.
If not, virtualization will be enabled in the process of enabling CredentialGuard.
Also appends actions to logfile: EnableCredentialGuard.log
.NOTES
FileName: Enable-VirtualizationCredentialGuard.ps1
Author: Martin Bengtsson
Created: 19-07-2017
#>
$Logfile = "C:\Windows\EnableCredentialGuard.log"
#Create LogWrite function
Function LogWrite
{
Param ([string]$Logstring)
Add-Content $Logfile -Value $Logstring
}
#Get computermanufacturer
$Lenovo = Get-WmiObject Win32_ComputerSystemProduct | Select-Object Vendor
#If not a Lenovo laptop, write to log and exit script
If ($Lenovo.Vendor -ne "Lenovo"){
LogWrite "Not a Lenovo laptop - exiting script"
Write-Warning -Message "Not a Lenovo laptop - exiting script" ; exit 1
}
Else {
Write-Host -ForegroundColor Yellow "Collecting Lenovo_BiosSetting information" ; LogWrite "Collecting Lenovo_BiosSetting information"
$VirtEnabled = Get-WmiObject -Class Lenovo_BiosSetting -Namespace root\WMI | Where-Object {$_.CurrentSetting -match "Virtualization*"} | Select-Object CurrentSetting
If ($VirtEnabled.CurrentSetting -eq "VirtualizationTechnology,Disable"){
Write-Host -ForegroundColor Cyan "Virtualization disabled - trying to enable virtualization" ; LogWrite "Virtualization disabled - trying to enable virtualization"
Try {
(Get-WmiObject -Class Lenovo_SetBiosSetting -Namespace root\wmi).SetBiosSetting("VirtualizationTechnology,Enable")
(Get-WmiObject -Class Lenovo_SaveBiosSettings -Namespace root\wmi).SaveBiosSettings()
}
Catch {
Write-Host -ForegroundColor Cyan "An error occured when enabling virtualization in the BIOS" ; LogWrite "An error occured when enabling virtualization in the BIOS" ; exit 1
}
cls
Write-Host -ForegroundColor Cyan "Virtualization Successfully enabled" ; LogWrite "Virtualization Successfully enabled"
}
#Add required registry key for Credential Guard
$RegistryKeyPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
If (-not(Test-Path -Path $RegistryKeyPath)) {
Write-Host -ForegroundColor Yellow "Creating HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard registry key" ; LogWrite "Creating HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard registry key"
New-Item -Path $RegistryKeyPath -ItemType Directory -Force
}
#Add registry key: RequirePlatformSecurityFeatures - 1 for Secure Boot only, 3 for Secure Boot and DMA Protection
New-ItemProperty -Path $RegistryKeyPath -Name RequirePlatformSecurityFeatures -PropertyType DWORD -Value 1
Write-Host -ForegroundColor Yellow "Successfully added RequirePlatformSecurityFeatures regkey" ; LogWrite "Successfully added RequirePlatformSecurityFeatures regkey"
#Add registry key: EnableVirtualizationBasedSecurity - 1 for Enabled, 0 for Disabled
New-ItemProperty -Path $RegistryKeyPath -Name EnableVirtualizationBasedSecurity -PropertyType DWORD -Value 1
Write-Host -ForegroundColor Yellow "Successfully added EnableVirtualizationBasedSecurity regkey" ; LogWrite "Successfully added EnableVirtualizationBasedSecurity regkey"
#Add registry key: LsaCfgFlags - 1 enables Credential Guard with UEFI lock, 2 enables Credential Guard without lock, 0 for Disabled
New-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa -Name LsaCfgFlags -PropertyType DWORD -Value 2
Write-Host -ForegroundColor Yellow "Successfully added LsaCfgFlags regkey" ; LogWrite "Successfully added LsaCfgFlags regkey"
Write-Host -ForegroundColor Yellow "Successfully enabled Credential Guard - please reboot the computer" ; LogWrite "Successfully enabled Credential Guard - please reboot the computer"
}
Snip of the logfile when everything succeeds: How do I enable virtualization in Click BIOS?[How To] Enable/Disable AMD virtualization in BIOS. Open BIOS menu.. Go to Advanced- > IOMMU and enable/disable AMD IOMMU. B. AMD SVM.. Go to Advanced -> SVM Mode and enable/disable AMD SVM.. How do I enable HyperSelect Control Panel. Select Programs and Features (View by: Large icons). Select Turn Windows features on or off. Select both Hyper-V Management Tools and Hyper-V Platform options.
How do you enable virtualization is enabled Windows 10?Enable the Hyper-V role through Settings. Right click on the Windows button and select 'Apps and Features'.. Select Programs and Features on the right under related settings.. Select Turn Windows Features on or off.. Select Hyper-V and click OK.. How do I enter BIOS on Lenovo laptop?Turn the PC off. Turn the PC on. Immediately and repeatedly press F2 or (Fn+F2). Accessing the BIOS may take multiple attempts.
|
