diff --git a/windows/utils/win_disable_vbs_guest.yml b/windows/utils/win_disable_vbs_guest.yml
index bc316c696..bd4941731 100644
--- a/windows/utils/win_disable_vbs_guest.yml
+++ b/windows/utils/win_disable_vbs_guest.yml
@@ -5,11 +5,16 @@
 # Refer to this page: https://docs.microsoft.com/en-us/windows/security/
 # threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
 #
-- include_tasks: win_execute_cmd.yml
+- name: "Disable VBS and HVCI in guest OS"
+ include_tasks: win_execute_cmd.yml
 vars:
- win_powershell_cmd: "reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity' /v 'Enabled' /t REG_DWORD /d 0 /f; reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /t REG_DWORD /d 0 /f"
+ win_powershell_cmd: >-
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f;
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f;
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f;
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 0 /f
-# Restart guest OS after configuration in guest
-- include_tasks: win_shutdown_restart.yml
+- name: "Restart guest OS after disabling VBS and HVCI"
+ include_tasks: win_shutdown_restart.yml
 vars:
 set_win_power_state: "restart"
diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml
index 97dfb8c94..ab0a7b8a1 100644
--- a/windows/utils/win_enable_vbs_guest.yml
+++ b/windows/utils/win_enable_vbs_guest.yml
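Review bot: The disable task resets only two of the values under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard that the matching enable task in win_enable_vbs_guest.yml writes, so RequirePlatformSecurityFeatures, HVCIMATRequired, LsaCfgFlags and ConfigureSystemGuardLaunch under that key, and LsaCfgFlags under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, keep their enabled values after a disable run. Credential Guard in particular is driven by LsaCfgFlags, and the disable test only asserts that no security service is running, which holds trivially while VBS itself is off, so the leftover policy is not detected and the next enable run does not start from a clean baseline. Append `reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f;` and `reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 0 /f` to the folded command, and remove the other three policy values with `reg delete "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "<value name>" /f`, checking how win_execute_cmd.yml treats a non-zero exit when a value is already absent.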
@@ -11,7 +11,11 @@
 # 3. enable VBS with UEFI lock (value 1)
 # 4. enable virtualization-based protection of Code Integrity policies
 # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)
-- include_tasks: win_execute_cmd.yml
+# 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table
+#
+# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f not working
+- name: "Enable VBS and HVCI in guest OS"
+ include_tasks: win_execute_cmd.yml
 vars:
 win_powershell_cmd: >-
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
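Review bot: The new comment line ending in `not working` leaves the reader guessing whether HVCIMATRequired under the Scenarios key is deliberately left out of the command below or whether this task is known to be incomplete, and item 6 added to the numbered list just above suggests the latter. Since a separate task later in this file writes HVCIMATRequired under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard instead, say so here, e.g. `# 6. HVCIMATRequired under this Scenarios key does not take effect in the guest; it is written under the Policies key by the 'Enable HVCIMATRequired' task below.` The folded win_powershell_cmd of this task continues past the end of the hunk.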
@@ -20,7 +24,33 @@
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f;
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
-# Restart guest OS after configuration in guest
-- include_tasks: win_shutdown_restart.yml
+# Enable CredentialGuard with UEFI lock (value 1)
+# Starting in Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2,
+# compatible systems have Windows Defender Credential Guard turned on by default.
+#
+- name: "Enable Credential Guard in guest OS"
+ include_tasks: win_execute_cmd.yml
+ vars:
+ win_powershell_cmd: >-
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
+ when: >
+ (guest_os_build_num | int < 22621) or
+ (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])
+
+# Try to enable 'HVCIMATRequired' feature from registry while it does not take effect.
+# Refer to 3rd party issue: https://partner.microsoft.com/en-us/dashboard/collaborate/engagements/1759/feedback/wits/Bugs/786316
+- name: "Enable HVCIMATRequired"
+ include_tasks: win_execute_cmd.yml
+ vars:
+ win_powershell_cmd: >-
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f;
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f;
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f;
+ reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f
+
+- name: "Restart guest OS after configuration"
+ include_tasks: win_shutdown_restart.yml
 vars:
 set_win_power_state: "restart"
diff --git a/windows/utils/win_get_dg_security_properties.yml b/windows/utils/win_get_dg_security_properties.yml
new file mode 100644
index 000000000..f6b0f88d2
--- /dev/null
+++ b/windows/utils/win_get_dg_security_properties.yml
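Review bot: The 'Enable Credential Guard in guest OS' task gates HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags on build number, product type and edition, but the 'Enable HVCIMATRequired' task that follows writes `LsaCfgFlags` = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard for every guest, so the Credential Guard policy is applied unconditionally and the `when` above it no longer decides anything. The two tasks should agree: either move the policy-key `LsaCfgFlags` line into the conditional task, or drop the condition and document that Credential Guard is always requested (vbs_enable_test.yml asserts `'1' in win_vbs_running_service` unconditionally, so the latter matches what is checked). The name "Enable HVCIMATRequired" also understates a task that sets six policy values including `RequirePlatformSecurityFeatures` = 3 and `ConfigureSystemGuardLaunch` = 1; a name such as "Set Device Guard policy values" with a one-line comment per value would help the next reader. Presumably win_execute_cmd.yml fails the task on a non-zero exit, but with the `reg add` calls chained by `;` only the last command's status is visible to it, so verify that a failed intermediate write is not silently ignored.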
@@ -0,0 +1,36 @@
+# Copyright 2023 VMware, Inc.
+# SPDX-License-Identifier: BSD-2-Clause
+---
+# Get available security properties for Windows Defender Device Guard.
+# Refer to this page: https://docs.microsoft.com/en-us/windows/security/
+# threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
+# 1. If present, hypervisor support is available.
+# 2. If present, Secure Boot is available.
+# 3. If present, DMA protection is available.
+# 4. If present, Secure Memory Overwrite is available.
+# 5. If present, NX protections are available.
+# 6. If present, SMM mitigations are available.
+# 7. If present, MBEC/GMET is available.
+# 8. If present, APIC virtualization is available.
+#
+- name: "Initialize the fact of Device Guard available security properties"
+ ansible.builtin.set_fact:
+ win_dg_security_properties: []
+
+- name: "Get Device Guard available security properties"
+ include_tasks: win_execute_cmd.yml
+ vars:
+ win_powershell_cmd: "(CimInstance –ClassName Win32_DeviceGuard –Namespace root\\Microsoft\\Windows\\DeviceGuard).AvailableSecurityProperties"
+
+- name: "Set fact of Device Guard available security properties"
+ ansible.builtin.set_fact:
+ win_dg_security_properties: "{{ win_powershell_cmd_output.stdout_lines | map('int') }}"
+ when:
+ - win_powershell_cmd_output is defined
+ - win_powershell_cmd_output.stdout_lines is defined
+ - win_powershell_cmd_output.stdout_lines | length != 0
+
+- name: "Display the results"
+ ansible.builtin.debug:
+ msg:
+ - "AvailableSecurityProperties: {{ win_dg_security_properties }}"
diff --git a/windows/vbs_enable_disable/vbs_disable_test.yml b/windows/vbs_enable_disable/vbs_disable_test.yml
index 4955dda44..6996a6dee 100644
--- a/windows/vbs_enable_disable/vbs_disable_test.yml
+++ b/windows/vbs_enable_disable/vbs_disable_test.yml
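Review bot: As shown in the hunk, `win_powershell_cmd` calls `CimInstance`, which is not a PowerShell cmdlet, and the dashes before `ClassName` and `Namespace` are non-ASCII en dashes (U+2013) rather than hyphens, so unless win_execute_cmd.yml rewrites the command it either fails the play or produces no output, in which case the guarded `set_fact` is skipped and `win_dg_security_properties` stays `[]`, which vbs_enable_test.yml then reports as every property missing. The intended line is presumably `win_powershell_cmd: "(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\\Microsoft\\Windows\\DeviceGuard).AvailableSecurityProperties"`. In the third task, `map('int')` should end in `| list` so the fact is explicitly a list rather than relying on Ansible unrolling the generator, and a stdout line that is not an integer would either become 0 or raise depending on the Ansible version, so filtering with `select('match', '^\\d+$')` first keeps the fact well-formed. The header comment lists properties 1 to 8 but omits 0 (no relevant properties), which the consumer in vbs_enable_test.yml does document.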
@@ -1,54 +1,62 @@
 # Copyright 2022-2023 VMware, Inc.
 # SPDX-License-Identifier: BSD-2-Clause
 ---
-# Shutdown guest OS to disable VBS on VM
-- include_tasks: ../utils/win_shutdown_restart.yml
+- name: "Shutdown guest OS to disable VBS on VM"
+ include_tasks: ../utils/win_shutdown_restart.yml
 vars:
 set_win_power_state: "shutdown"
-# Disable VBS on VM
-- include_tasks: ../utils/win_enable_vbs_vm.yml
+- name: "Disable VBS on VM"
+ include_tasks: ../utils/win_enable_vbs_vm.yml
 vars:
 win_enable_vbs: false
-# Power on VM
-- include_tasks: ../../common/vm_set_power_state.yml
+- name: "Power on VM"
+ include_tasks: ../../common/vm_set_power_state.yml
 vars:
 vm_power_state_set: "powered-on"
-- include_tasks: ../utils/win_update_inventory.yml
+- name: "Update in-memory inventory after VM power on"
+ include_tasks: ../utils/win_update_inventory.yml
-# Check VM VBS status on VM
-- include_tasks: ../../common/vm_get_vbs_status.yml
-- name: "Check VM VBS status after enable"
+- name: "Get VM VBS status"
+ include_tasks: ../../common/vm_get_vbs_status.yml
+- name: "Check VM VBS status after disable"
 ansible.builtin.assert:
 that:
 - vm_vbs_enabled is defined
 - not vm_vbs_enabled | bool
- fail_msg: "VM VBS status is not disabled after disabling it."
-
-# Get VBS status in guest OS
-- include_tasks: ../utils/win_get_vbs_guest.yml
-
-# SecurityServicesRunning: 0 means No services running
-# VirtualizationBasedSecurityStatus: 1 means VBS is enabled but not running
+ fail_msg: "VM VBS enabled status is '{{ vm_vbs_enabled | default('') }}', not disabled after disabling it."
+
+- name: "Get VBS status in guest OS"
+ include_tasks: ../utils/win_get_vbs_guest.yml
+
+# SecurityServicesRunning:
+# 0. No services running.
+# 1. If present, Windows Defender Credential Guard is running.
+# 2. If present, HVCI is running.
+# 3. If present, System Guard Secure Launch is running.
+# 4. If present, SMM Firmware Measurement is running.
+# VirtualizationBasedSecurityStatus:
+# 2 means VBS is enabled and running
+# 1 means VBS is enabled but not running
+# 0 means VBS is not enabled
+#
 - name: "Check VBS and running security service status"
 ansible.builtin.assert:
 that:
 - win_vbs_status_guest | int == 1
- - win_vbs_running_service[0] | int != 2
- fail_msg: "Either VBS is running '{{ win_vbs_status_guest }}', or HVCI is running '{{ win_vbs_running_service }}'."
+ - "'2' not in win_vbs_running_service"
+ fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '1', or HVCI '2' is in SecurityServicesRunning list '{{ win_vbs_running_service }}'."
-# Disable VBS in guest
-- include_tasks: ../utils/win_disable_vbs_guest.yml
+- name: "Disable VBS in guest OS"
+ include_tasks: ../utils/win_disable_vbs_guest.yml
-# Get VBS status in guest OS
-- include_tasks: ../utils/win_get_vbs_guest.yml
+- name: "Get VBS status in guest OS"
+ include_tasks: ../utils/win_get_vbs_guest.yml
-# SecurityServicesRunning: 0 means No services running
-# VirtualizationBasedSecurityStatus: 0 means VBS is not enabled
 - name: "Check VBS and running security service status"
 ansible.builtin.assert:
 that:
 - win_vbs_status_guest | int == 0
- - win_vbs_running_service[0] | int == 0
- fail_msg: "Either VBS is not disabled '{{ win_vbs_status_guest }}', or still running security service '{{ win_vbs_running_service }}'."
+ - win_vbs_running_service == ['0']
+ fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '0', or SecurityServicesRunning list is '{{ win_vbs_running_service }}', not expected ['0']."
diff --git a/windows/vbs_enable_disable/vbs_enable_test.yml b/windows/vbs_enable_disable/vbs_enable_test.yml
index ae9e3d437..8a32eb8c6 100644
--- a/windows/vbs_enable_disable/vbs_enable_test.yml
+++ b/windows/vbs_enable_disable/vbs_enable_test.yml
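Review bot: The first 'Check VBS and running security service status' assert, which runs after VBS is turned off on the VM but before it is disabled in the guest, expects status 1 (enabled, not running) yet only checks that HVCI ('2') is absent from `win_vbs_running_service`; now that the enable path also turns on Credential Guard ('1'), a guest still reporting '1' here would pass even though no security service can run while VBS is not running. Tightening it to the same condition as the second assert, `- win_vbs_running_service == ['0']`, with a fail_msg that prints the whole list, makes the two checks consistent. Both new comparisons assume the elements of `win_vbs_running_service` are strings, which depends on how ../utils/win_get_vbs_guest.yml builds the fact (outside this diff); `win_vbs_running_service | map('string') | list == ['0']` holds for either representation.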
@@ -6,60 +6,95 @@
 vm_vbs_enabled_before: false
 guest_vbs_enabled_before: false
-# Get VM VBS status before enable
-- include_tasks: ../../common/vm_get_vbs_status.yml
+- name: "Get VM VBS status before enable"
+ include_tasks: ../../common/vm_get_vbs_status.yml
 - name: "Set fact of VM VBS current status before enable"
 ansible.builtin.set_fact:
 vm_vbs_enabled_before: "{{ vm_vbs_enabled }}"
 - name: "VM VBS is not enabled"
 block:
- # Shutdown guest OS before enabling VBS on VM
- - include_tasks: ../utils/win_shutdown_restart.yml
+ - name: "Shutdown guest OS before enabling VBS on VM"
+ include_tasks: ../utils/win_shutdown_restart.yml
 vars:
 set_win_power_state: "shutdown"
- # Enable VBS on VM
- - include_tasks: ../utils/win_enable_vbs_vm.yml
+ - name: "Enable VBS on VM"
+ include_tasks: ../utils/win_enable_vbs_vm.yml
 vars:
 win_enable_vbs: true
- - include_tasks: ../../common/vm_set_power_state.yml
+ - name: "Power on VM"
+ include_tasks: ../../common/vm_set_power_state.yml
 vars:
 vm_power_state_set: "powered-on"
- - include_tasks: ../utils/win_update_inventory.yml
- # Check VM VBS status
- - include_tasks: ../../common/vm_get_vbs_status.yml
+ - name: "Update in-memory inventory after VM power on"
+ include_tasks: ../utils/win_update_inventory.yml
+ - name: "Get VM VBS status"
+ include_tasks: ../../common/vm_get_vbs_status.yml
 - name: "Check VM VBS status after enable"
 ansible.builtin.assert:
 that:
 - vm_vbs_enabled is defined
 - vm_vbs_enabled | bool
- fail_msg: "VM VBS status is not enabled after enabling it."
+ fail_msg: "VM VBS status is '{{ vm_vbs_enabled | default('') }}', not enabled after enabling it."
when: not vm_vbs_enabled_before
-- name: "VM VBS is enabled"
- block:
- # Get VBS status in guest OS
- - include_tasks: ../utils/win_get_vbs_guest.yml
- - name: "Set fact of HVCI and VBS running status in guest before enable"
- ansible.builtin.set_fact:
- guest_vbs_enabled_before: true
- when:
- - win_vbs_status_guest | int == 2
- - "'2' in win_vbs_running_service"
- when: vm_vbs_enabled_before
+- name: "Get Device Guard available security properties in guest OS"
+ include_tasks: ../utils/win_get_dg_security_properties.yml
+
+- name: "Enable VBS and security services in guest OS"
+ include_tasks: ../utils/win_enable_vbs_guest.yml
+
+- name: "Get VBS status and running security services"
+ include_tasks: ../utils/win_get_vbs_guest.yml
-# Enable VBS in guest OS if HVCI is not running or VBS is not running
-- name: "Enable VBS in guest OS"
+# AvailableSecurityProperties:
+# 0. If present, no relevant properties exist on the device.
+# 1. If present, hypervisor support is available.
+# 2. If present, Secure Boot is available.
+# 3. If present, DMA protection is available.
+# 4. If present, Secure Memory Overwrite is available.
+# 5. If present, NX protections are available.
+# 6. If present, SMM mitigations are available.
+# 7. If present, MBEC/GMET is available.
+# 8. If present, APIC virtualization is available.
+#
+- name: "Handle known issue"
 block:
- - include_tasks: ../utils/win_enable_vbs_guest.yml
- - include_tasks: ../utils/win_get_vbs_guest.yml
- when: not guest_vbs_enabled_before
+ - name: "Known issue - NX protections are not present in AvailableSecurityProperties on ESXi 7.0.3"
+ ansible.builtin.debug:
+ msg:
+ - "The issue of 'NX protections are not present in guest OS AvailableSecurityProperties' exists on this ESXi 7.0.3 build '{{ esxi_build }}', which is fixed in ESXi 7.0U3l patch build 21424296. Please refer to KB article: https://kb.vmware.com/s/article/91199."
+ tags:
+ - known_issue
+ when:
+ - esxi_version is version('7.0.3', '==')
+ - esxi_build | int < 21424296
+ - (range(1, 8) | list) | difference(win_dg_security_properties) == [5]
+
+- name: "Check available security properties got in guest OS"
+ ansible.builtin.assert:
+ that:
+ - win_dg_security_properties | sort == range(1, 8) | list
+ fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ (range(1, 8) | list) | difference(win_dg_security_properties) }}' is missed compared with expected list '{{ range(1, 8) }}'."
+ when: >
+ (esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or
+ (esxi_version is version('7.0.3', '==') and esxi_build | int >= 21424296)
-# SecurityServicesRunning: 2 means HVCI is running
-# VirtualizationBasedSecurityStatus: 2 means VBS is enabled and running
+# SecurityServicesRunning:
+# 0. No services running.
+# 1. If present, Windows Defender Credential Guard is running.
+# 2. If present, HVCI is running.
+# 3. If present, System Guard Secure Launch is running.
+# 4. If present, SMM Firmware Measurement is running.
+# VirtualizationBasedSecurityStatus:
+# 2 means VBS is enabled and running
+# 1 means VBS is enabled but not running
+# 0 means VBS is not enabled
+#
 - name: "Check VBS and running security service status"
 ansible.builtin.assert:
 that:
 - win_vbs_status_guest | int == 2
+ - "'1' in win_vbs_running_service"
 - "'2' in win_vbs_running_service"
- fail_msg: "VBS is not running '{{ win_vbs_status_guest }}', or HVCI is not running '{{ win_vbs_running_service }}'."
+ fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '2', or HVCI '2'/Credential Guard '1' is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'."
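Review bot: The 'Check available security properties got in guest OS' assert is skipped entirely on ESXi 7.0.3 builds below 21424296, so on those builds a guest missing any property other than NX (5) is neither reported by the known-issue debug task, whose `when` requires the difference to be exactly `[5]`, nor failed. Computing the expected list once and asserting against it on every ESXi version keeps the exemption as narrow as the known issue; the rewrite below replaces the `when:` on the assert. `guest_vbs_enabled_before: false` at the top of the hunk is now dead, since the removed 'VM VBS is enabled' block was its only reader, and its initialization can go. The expected list `range(1, 8)` stops at 7, so property 8 (APIC virtualization) listed in the comment is never required; if that is deliberate, a one-line comment saying so saves the next reader a check, and `esxi_version is version('7.0.3', '!=')` expresses the first half of the existing `when` more directly.
```yaml
# … unchanged: 'Handle known issue' block …

- name: "Set expected Device Guard security properties"
  ansible.builtin.set_fact:
    win_dg_expected_properties: >-
      {{ (range(1, 8) | list | difference([5]))
         if (esxi_version is version('7.0.3', '==') and esxi_build | int < 21424296)
         else (range(1, 8) | list) }}

- name: "Check available security properties got in guest OS"
  ansible.builtin.assert:
    that:
      - win_dg_security_properties | sort == win_dg_expected_properties | sort
    fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ win_dg_expected_properties | difference(win_dg_security_properties) }}' is missing compared with expected list '{{ win_dg_expected_properties }}'."

# … unchanged: SecurityServicesRunning comment and final assert …
```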