Add handling VBS known issue on ESXi 7.0.3 (#429)

Signed-off-by: Diane Wang <dianew@vmware.com>

windows/utils/win_disable_vbs_guest.yml

@@ -5,11 +5,16 @@
 # Refer to this page: https://docs.microsoft.com/en-us/windows/security/
 # threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
 #
-- include_tasks: win_execute_cmd.yml
+- name: "Disable VBS and HVCI in guest OS"
+  include_tasks: win_execute_cmd.yml
   vars:
-    win_powershell_cmd: "reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity' /v 'Enabled' /t REG_DWORD /d 0 /f; reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /t REG_DWORD /d 0 /f"
+    win_powershell_cmd: >-
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f;
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f;
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f;
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 0 /f
 
-# Restart guest OS after configuration in guest
-- include_tasks: win_shutdown_restart.yml
+- name: "Restart guest OS after disabling VBS and HVCI"
+  include_tasks: win_shutdown_restart.yml
   vars:
     set_win_power_state: "restart"

windows/utils/win_enable_vbs_guest.yml

@@ -11,7 +11,11 @@
 # 3. enable VBS with UEFI lock (value 1)
 # 4. enable virtualization-based protection of Code Integrity policies
 # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)
-- include_tasks: win_execute_cmd.yml
+# 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table
+#
+# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f not working
+- name: "Enable VBS and HVCI in guest OS"
+  include_tasks: win_execute_cmd.yml
   vars:
     win_powershell_cmd: >-
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
@@ -20,7 +24,33 @@
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f;
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
 
-# Restart guest OS after configuration in guest
-- include_tasks: win_shutdown_restart.yml
+# Enable CredentialGuard with UEFI lock (value 1)
+# Starting in Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2,
+# compatible systems have Windows Defender Credential Guard turned on by default.
+#
+- name: "Enable Credential Guard in guest OS"
+  include_tasks: win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: >-
+      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
+  when: >
+    (guest_os_build_num | int < 22621) or
+    (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])
+
+# Try to enable 'HVCIMATRequired' feature from registry while it does not take effect.
+# Refer to 3rd party issue: https://partner.microsoft.com/en-us/dashboard/collaborate/engagements/1759/feedback/wits/Bugs/786316
+- name: "Enable HVCIMATRequired"
+  include_tasks: win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: >-
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f
+
+- name: "Restart guest OS after configuration"
+  include_tasks: win_shutdown_restart.yml
   vars:
     set_win_power_state: "restart"

windows/utils/win_get_dg_security_properties.yml

@@ -0,0 +1,36 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Get available security properties for Windows Defender Device Guard.
+# Refer to this page: https://docs.microsoft.com/en-us/windows/security/
+# threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
+# 1. 	If present, hypervisor support is available.
+# 2. 	If present, Secure Boot is available.
+# 3. 	If present, DMA protection is available.
+# 4. 	If present, Secure Memory Overwrite is available.
+# 5. 	If present, NX protections are available.
+# 6. 	If present, SMM mitigations are available.
+# 7. 	If present, MBEC/GMET is available.
+# 8. 	If present, APIC virtualization is available.
+#
+- name: "Initialize the fact of Device Guard available security properties"
+  ansible.builtin.set_fact:
+    win_dg_security_properties: []
+
+- name: "Get Device Guard available security properties"
+  include_tasks: win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: "(CimInstance –ClassName Win32_DeviceGuard –Namespace root\\Microsoft\\Windows\\DeviceGuard).AvailableSecurityProperties"
+
+- name: "Set fact of Device Guard available security properties"
+  ansible.builtin.set_fact:
+    win_dg_security_properties: "{{ win_powershell_cmd_output.stdout_lines | map('int') }}"
+  when:
+    - win_powershell_cmd_output is defined
+    - win_powershell_cmd_output.stdout_lines is defined
+    - win_powershell_cmd_output.stdout_lines | length != 0
+
+- name: "Display the results"
+  ansible.builtin.debug:
+    msg:
+      - "AvailableSecurityProperties: {{ win_dg_security_properties }}"

windows/vbs_enable_disable/vbs_disable_test.yml

@@ -1,54 +1,62 @@
 # Copyright 2022-2023 VMware, Inc.
 # SPDX-License-Identifier: BSD-2-Clause
 ---
-# Shutdown guest OS to disable VBS on VM
-- include_tasks: ../utils/win_shutdown_restart.yml
+- name: "Shutdown guest OS to disable VBS on VM"
+  include_tasks: ../utils/win_shutdown_restart.yml
   vars:
     set_win_power_state: "shutdown"
 
-# Disable VBS on VM
-- include_tasks: ../utils/win_enable_vbs_vm.yml
+- name: "Disable VBS on VM"
+  include_tasks: ../utils/win_enable_vbs_vm.yml
   vars:
     win_enable_vbs: false
 
-# Power on VM
-- include_tasks: ../../common/vm_set_power_state.yml
+- name: "Power on VM"
+  include_tasks: ../../common/vm_set_power_state.yml
   vars:
     vm_power_state_set: "powered-on"
-- include_tasks: ../utils/win_update_inventory.yml
+- name: "Update in-memory inventory after VM power on"
+  include_tasks: ../utils/win_update_inventory.yml
 
-# Check VM VBS status on VM
-- include_tasks: ../../common/vm_get_vbs_status.yml
-- name: "Check VM VBS status after enable"
+- name: "Get VM VBS status"
+  include_tasks: ../../common/vm_get_vbs_status.yml
+- name: "Check VM VBS status after disable"
   ansible.builtin.assert:
     that:
       - vm_vbs_enabled is defined
       - not vm_vbs_enabled | bool
-    fail_msg: "VM VBS status is not disabled after disabling it."
-
-# Get VBS status in guest OS
-- include_tasks: ../utils/win_get_vbs_guest.yml
-
-# SecurityServicesRunning: 0 means No services running
-# VirtualizationBasedSecurityStatus: 1 means VBS is enabled but not running
+    fail_msg: "VM VBS enabled status is '{{ vm_vbs_enabled | default('') }}', not disabled after disabling it."
+
+- name: "Get VBS status in guest OS"
+  include_tasks: ../utils/win_get_vbs_guest.yml
+
+# SecurityServicesRunning:
+# 0.    No services running.
+# 1.    If present, Windows Defender Credential Guard is running.
+# 2.    If present, HVCI is running.
+# 3.    If present, System Guard Secure Launch is running.
+# 4.    If present, SMM Firmware Measurement is running.
+# VirtualizationBasedSecurityStatus:
+# 2 means VBS is enabled and running
+# 1 means VBS is enabled but not running
+# 0 means VBS is not enabled
+#
 - name: "Check VBS and running security service status"
   ansible.builtin.assert:
     that:
       - win_vbs_status_guest | int == 1
-      - win_vbs_running_service[0] | int != 2
-    fail_msg: "Either VBS is running '{{ win_vbs_status_guest }}', or HVCI is running '{{ win_vbs_running_service }}'."
+      - "'2' not in win_vbs_running_service"
+    fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '1', or HVCI '2' is in SecurityServicesRunning list '{{ win_vbs_running_service }}'."
 
-# Disable VBS in guest
-- include_tasks: ../utils/win_disable_vbs_guest.yml
+- name: "Disable VBS in guest OS"
+  include_tasks: ../utils/win_disable_vbs_guest.yml
 
-# Get VBS status in guest OS
-- include_tasks: ../utils/win_get_vbs_guest.yml
+- name: "Get VBS status in guest OS"
+  include_tasks: ../utils/win_get_vbs_guest.yml
 
-# SecurityServicesRunning: 0 means No services running
-# VirtualizationBasedSecurityStatus: 0 means VBS is not enabled
 - name: "Check VBS and running security service status"
   ansible.builtin.assert:
     that:
       - win_vbs_status_guest | int == 0
-      - win_vbs_running_service[0] | int == 0
-    fail_msg: "Either VBS is not disabled '{{ win_vbs_status_guest }}', or still running security service '{{ win_vbs_running_service }}'."
+      - win_vbs_running_service == ['0']
+    fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '0', or SecurityServicesRunning list is '{{ win_vbs_running_service }}', not expected ['0']."

windows/vbs_enable_disable/vbs_enable_test.yml

@@ -6,60 +6,95 @@
     vm_vbs_enabled_before: false
     guest_vbs_enabled_before: false
 
-# Get VM VBS status before enable
-- include_tasks: ../../common/vm_get_vbs_status.yml
+- name: "Get VM VBS status before enable"
+  include_tasks: ../../common/vm_get_vbs_status.yml
 - name: "Set fact of VM VBS current status before enable"
   ansible.builtin.set_fact:
     vm_vbs_enabled_before: "{{ vm_vbs_enabled }}"
 
 - name: "VM VBS is not enabled"
   block:
-    # Shutdown guest OS before enabling VBS on VM
-    - include_tasks: ../utils/win_shutdown_restart.yml
+    - name: "Shutdown guest OS before enabling VBS on VM"
+      include_tasks: ../utils/win_shutdown_restart.yml
       vars:
         set_win_power_state: "shutdown"
-    # Enable VBS on VM
-    - include_tasks: ../utils/win_enable_vbs_vm.yml
+    - name: "Enable VBS on VM"
+      include_tasks: ../utils/win_enable_vbs_vm.yml
       vars:
         win_enable_vbs: true
-    - include_tasks: ../../common/vm_set_power_state.yml
+    - name: "Power on VM"
+      include_tasks: ../../common/vm_set_power_state.yml
       vars:
         vm_power_state_set: "powered-on"
-    - include_tasks: ../utils/win_update_inventory.yml
-    # Check VM VBS status
-    - include_tasks: ../../common/vm_get_vbs_status.yml
+    - name: "Update in-memory inventory after VM power on"
+      include_tasks: ../utils/win_update_inventory.yml
+    - name: "Get VM VBS status"
+      include_tasks: ../../common/vm_get_vbs_status.yml
     - name: "Check VM VBS status after enable"
       ansible.builtin.assert:
         that:
           - vm_vbs_enabled is defined
           - vm_vbs_enabled | bool
-        fail_msg: "VM VBS status is not enabled after enabling it."
+        fail_msg: "VM VBS status is '{{ vm_vbs_enabled | default('') }}', not enabled after enabling it."
   when: not vm_vbs_enabled_before
 
-- name: "VM VBS is enabled"
-  block:
-    # Get VBS status in guest OS
-    - include_tasks: ../utils/win_get_vbs_guest.yml
-    - name: "Set fact of HVCI and VBS running status in guest before enable"
-      ansible.builtin.set_fact:
-        guest_vbs_enabled_before: true
-      when:
-        - win_vbs_status_guest | int == 2
-        - "'2' in win_vbs_running_service"
-  when: vm_vbs_enabled_before
+- name: "Get Device Guard available security properties in guest OS"
+  include_tasks: ../utils/win_get_dg_security_properties.yml
+
+- name: "Enable VBS and security services in guest OS"
+  include_tasks: ../utils/win_enable_vbs_guest.yml
+
+- name: "Get VBS status and running security services"
+  include_tasks: ../utils/win_get_vbs_guest.yml
 
-# Enable VBS in guest OS if HVCI is not running or VBS is not running
-- name: "Enable VBS in guest OS"
+# AvailableSecurityProperties:
+# 0. 	If present, no relevant properties exist on the device.
+# 1. 	If present, hypervisor support is available.
+# 2. 	If present, Secure Boot is available.
+# 3. 	If present, DMA protection is available.
+# 4. 	If present, Secure Memory Overwrite is available.
+# 5. 	If present, NX protections are available.
+# 6. 	If present, SMM mitigations are available.
+# 7. 	If present, MBEC/GMET is available.
+# 8. 	If present, APIC virtualization is available.
+#
+- name: "Handle known issue"
   block:
-    - include_tasks: ../utils/win_enable_vbs_guest.yml
-    - include_tasks: ../utils/win_get_vbs_guest.yml
-  when: not guest_vbs_enabled_before
+    - name: "Known issue - NX protections are not present in AvailableSecurityProperties on ESXi 7.0.3"
+      ansible.builtin.debug:
+        msg:
+          - "The issue of 'NX protections are not present in guest OS AvailableSecurityProperties' exists on this ESXi 7.0.3 build '{{ esxi_build }}', which is fixed in ESXi 7.0U3l patch build 21424296. Please refer to KB article: https://kb.vmware.com/s/article/91199."
+      tags:
+        - known_issue
+  when:
+    - esxi_version is version('7.0.3', '==')
+    - esxi_build | int < 21424296
+    - (range(1, 8) | list) | difference(win_dg_security_properties) == [5]
+
+- name: "Check available security properties got in guest OS"
+  ansible.builtin.assert:
+    that:
+      - win_dg_security_properties | sort == range(1, 8) | list
+    fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ (range(1, 8) | list) | difference(win_dg_security_properties) }}' is missed compared with expected list '{{ range(1, 8) }}'."
+  when: >
+    (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or
+    (esxi_version is version('7.0.3', '==') and esxi_build | int >= 21424296)
 
-# SecurityServicesRunning: 2 means HVCI is running
-# VirtualizationBasedSecurityStatus: 2 means VBS is enabled and running
+# SecurityServicesRunning:
+# 0.    No services running.
+# 1.    If present, Windows Defender Credential Guard is running.
+# 2.    If present, HVCI is running.
+# 3.    If present, System Guard Secure Launch is running.
+# 4.    If present, SMM Firmware Measurement is running.
+# VirtualizationBasedSecurityStatus:
+# 2 means VBS is enabled and running
+# 1 means VBS is enabled but not running
+# 0 means VBS is not enabled
+#
 - name: "Check VBS and running security service status"
   ansible.builtin.assert:
     that:
       - win_vbs_status_guest | int == 2
+      - "'1' in win_vbs_running_service"
       - "'2' in win_vbs_running_service"
-    fail_msg: "VBS is not running '{{ win_vbs_status_guest }}', or HVCI is not running '{{ win_vbs_running_service }}'."
+    fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '2', or HVCI '2'/Credential Guard '1' is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'."