Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add handling VBS known issue on ESXi 7.0.3 #429

Merged
merged 17 commits into from
Apr 12, 2023
13 changes: 9 additions & 4 deletions windows/utils/win_disable_vbs_guest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -5,11 +5,16 @@
# Refer to this page: https://docs.microsoft.com/en-us/windows/security/
# threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
#
- include_tasks: win_execute_cmd.yml
- name: "Disable VBS and HVCI in guest OS"
include_tasks: win_execute_cmd.yml
vars:
win_powershell_cmd: "reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity' /v 'Enabled' /t REG_DWORD /d 0 /f; reg add 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard' /v 'EnableVirtualizationBasedSecurity' /t REG_DWORD /d 0 /f"
win_powershell_cmd: >-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f;
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f;
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 0 /f;
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 0 /f
# Restart guest OS after configuration in guest
- include_tasks: win_shutdown_restart.yml
- name: "Restart guest OS after disabling VBS and HVCI"
include_tasks: win_shutdown_restart.yml
vars:
set_win_power_state: "restart"
36 changes: 33 additions & 3 deletions windows/utils/win_enable_vbs_guest.yml
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,11 @@
# 3. enable VBS with UEFI lock (value 1)
# 4. enable virtualization-based protection of Code Integrity policies
# 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)
- include_tasks: win_execute_cmd.yml
# 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table
#
# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f not working
- name: "Enable VBS and HVCI in guest OS"
include_tasks: win_execute_cmd.yml
vars:
win_powershell_cmd: >-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
Expand All @@ -20,7 +24,33 @@
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f;
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f

# Restart guest OS after configuration in guest
- include_tasks: win_shutdown_restart.yml
# Enable CredentialGuard with UEFI lock (value 1)
# Starting in Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2,
# compatible systems have Windows Defender Credential Guard turned on by default.
#
- name: "Enable Credential Guard in guest OS"
include_tasks: win_execute_cmd.yml
vars:
win_powershell_cmd: >-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
when: >
(guest_os_build_num | int < 22621) or
(guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])

# Try to enable 'HVCIMATRequired' feature from registry while it does not take effect.
# Refer to 3rd party issue: https://partner.microsoft.com/en-us/dashboard/collaborate/engagements/1759/feedback/wits/Bugs/786316
- name: "Enable HVCIMATRequired"
include_tasks: win_execute_cmd.yml
vars:
win_powershell_cmd: >-
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f;
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f;
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f;
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f

- name: "Restart guest OS after configuration"
include_tasks: win_shutdown_restart.yml
vars:
set_win_power_state: "restart"
36 changes: 36 additions & 0 deletions windows/utils/win_get_dg_security_properties.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
# Copyright 2023 VMware, Inc.
# SPDX-License-Identifier: BSD-2-Clause
---
# Get available security properties for Windows Defender Device Guard.
# Refer to this page: https://docs.microsoft.com/en-us/windows/security/
# threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
# 1. If present, hypervisor support is available.
# 2. If present, Secure Boot is available.
# 3. If present, DMA protection is available.
# 4. If present, Secure Memory Overwrite is available.
# 5. If present, NX protections are available.
# 6. If present, SMM mitigations are available.
# 7. If present, MBEC/GMET is available.
# 8. If present, APIC virtualization is available.
#
- name: "Initialize the fact of Device Guard available security properties"
ansible.builtin.set_fact:
win_dg_security_properties: []

- name: "Get Device Guard available security properties"
include_tasks: win_execute_cmd.yml
vars:
win_powershell_cmd: "(CimInstance –ClassName Win32_DeviceGuard –Namespace root\\Microsoft\\Windows\\DeviceGuard).AvailableSecurityProperties"

- name: "Set fact of Device Guard available security properties"
ansible.builtin.set_fact:
win_dg_security_properties: "{{ win_powershell_cmd_output.stdout_lines | map('int') }}"
when:
- win_powershell_cmd_output is defined
- win_powershell_cmd_output.stdout_lines is defined
- win_powershell_cmd_output.stdout_lines | length != 0

- name: "Display the results"
ansible.builtin.debug:
msg:
- "AvailableSecurityProperties: {{ win_dg_security_properties }}"
62 changes: 35 additions & 27 deletions windows/vbs_enable_disable/vbs_disable_test.yml
Original file line number Diff line number Diff line change
@@ -1,54 +1,62 @@
# Copyright 2022-2023 VMware, Inc.
# SPDX-License-Identifier: BSD-2-Clause
---
# Shutdown guest OS to disable VBS on VM
- include_tasks: ../utils/win_shutdown_restart.yml
- name: "Shutdown guest OS to disable VBS on VM"
include_tasks: ../utils/win_shutdown_restart.yml
vars:
set_win_power_state: "shutdown"

# Disable VBS on VM
- include_tasks: ../utils/win_enable_vbs_vm.yml
- name: "Disable VBS on VM"
include_tasks: ../utils/win_enable_vbs_vm.yml
vars:
win_enable_vbs: false

# Power on VM
- include_tasks: ../../common/vm_set_power_state.yml
- name: "Power on VM"
include_tasks: ../../common/vm_set_power_state.yml
vars:
vm_power_state_set: "powered-on"
- include_tasks: ../utils/win_update_inventory.yml
- name: "Update in-memory inventory after VM power on"
include_tasks: ../utils/win_update_inventory.yml

# Check VM VBS status on VM
- include_tasks: ../../common/vm_get_vbs_status.yml
- name: "Check VM VBS status after enable"
- name: "Get VM VBS status"
include_tasks: ../../common/vm_get_vbs_status.yml
- name: "Check VM VBS status after disable"
ansible.builtin.assert:
that:
- vm_vbs_enabled is defined
- not vm_vbs_enabled | bool
fail_msg: "VM VBS status is not disabled after disabling it."

# Get VBS status in guest OS
- include_tasks: ../utils/win_get_vbs_guest.yml

# SecurityServicesRunning: 0 means No services running
# VirtualizationBasedSecurityStatus: 1 means VBS is enabled but not running
fail_msg: "VM VBS enabled status is '{{ vm_vbs_enabled | default('') }}', not disabled after disabling it."

- name: "Get VBS status in guest OS"
include_tasks: ../utils/win_get_vbs_guest.yml

# SecurityServicesRunning:
# 0. No services running.
# 1. If present, Windows Defender Credential Guard is running.
# 2. If present, HVCI is running.
# 3. If present, System Guard Secure Launch is running.
# 4. If present, SMM Firmware Measurement is running.
# VirtualizationBasedSecurityStatus:
# 2 means VBS is enabled and running
# 1 means VBS is enabled but not running
# 0 means VBS is not enabled
#
- name: "Check VBS and running security service status"
ansible.builtin.assert:
that:
- win_vbs_status_guest | int == 1
- win_vbs_running_service[0] | int != 2
fail_msg: "Either VBS is running '{{ win_vbs_status_guest }}', or HVCI is running '{{ win_vbs_running_service }}'."
- "'2' not in win_vbs_running_service"
fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '1', or HVCI '2' is in SecurityServicesRunning list '{{ win_vbs_running_service }}'."

# Disable VBS in guest
- include_tasks: ../utils/win_disable_vbs_guest.yml
- name: "Disable VBS in guest OS"
include_tasks: ../utils/win_disable_vbs_guest.yml

# Get VBS status in guest OS
- include_tasks: ../utils/win_get_vbs_guest.yml
- name: "Get VBS status in guest OS"
include_tasks: ../utils/win_get_vbs_guest.yml

# SecurityServicesRunning: 0 means No services running
# VirtualizationBasedSecurityStatus: 0 means VBS is not enabled
- name: "Check VBS and running security service status"
ansible.builtin.assert:
that:
- win_vbs_status_guest | int == 0
- win_vbs_running_service[0] | int == 0
fail_msg: "Either VBS is not disabled '{{ win_vbs_status_guest }}', or still running security service '{{ win_vbs_running_service }}'."
- win_vbs_running_service == ['0']
fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '0', or SecurityServicesRunning list is '{{ win_vbs_running_service }}', not expected ['0']."
95 changes: 65 additions & 30 deletions windows/vbs_enable_disable/vbs_enable_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,60 +6,95 @@
vm_vbs_enabled_before: false
guest_vbs_enabled_before: false

# Get VM VBS status before enable
- include_tasks: ../../common/vm_get_vbs_status.yml
- name: "Get VM VBS status before enable"
include_tasks: ../../common/vm_get_vbs_status.yml
- name: "Set fact of VM VBS current status before enable"
ansible.builtin.set_fact:
vm_vbs_enabled_before: "{{ vm_vbs_enabled }}"

- name: "VM VBS is not enabled"
block:
# Shutdown guest OS before enabling VBS on VM
- include_tasks: ../utils/win_shutdown_restart.yml
- name: "Shutdown guest OS before enabling VBS on VM"
include_tasks: ../utils/win_shutdown_restart.yml
vars:
set_win_power_state: "shutdown"
# Enable VBS on VM
- include_tasks: ../utils/win_enable_vbs_vm.yml
- name: "Enable VBS on VM"
include_tasks: ../utils/win_enable_vbs_vm.yml
vars:
win_enable_vbs: true
- include_tasks: ../../common/vm_set_power_state.yml
- name: "Power on VM"
include_tasks: ../../common/vm_set_power_state.yml
vars:
vm_power_state_set: "powered-on"
- include_tasks: ../utils/win_update_inventory.yml
# Check VM VBS status
- include_tasks: ../../common/vm_get_vbs_status.yml
- name: "Update in-memory inventory after VM power on"
include_tasks: ../utils/win_update_inventory.yml
- name: "Get VM VBS status"
include_tasks: ../../common/vm_get_vbs_status.yml
- name: "Check VM VBS status after enable"
ansible.builtin.assert:
that:
- vm_vbs_enabled is defined
- vm_vbs_enabled | bool
fail_msg: "VM VBS status is not enabled after enabling it."
fail_msg: "VM VBS status is '{{ vm_vbs_enabled | default('') }}', not enabled after enabling it."
when: not vm_vbs_enabled_before

- name: "VM VBS is enabled"
block:
# Get VBS status in guest OS
- include_tasks: ../utils/win_get_vbs_guest.yml
- name: "Set fact of HVCI and VBS running status in guest before enable"
ansible.builtin.set_fact:
guest_vbs_enabled_before: true
when:
- win_vbs_status_guest | int == 2
- "'2' in win_vbs_running_service"
when: vm_vbs_enabled_before
- name: "Get Device Guard available security properties in guest OS"
include_tasks: ../utils/win_get_dg_security_properties.yml

- name: "Enable VBS and security services in guest OS"
include_tasks: ../utils/win_enable_vbs_guest.yml

- name: "Get VBS status and running security services"
include_tasks: ../utils/win_get_vbs_guest.yml

# Enable VBS in guest OS if HVCI is not running or VBS is not running
- name: "Enable VBS in guest OS"
# AvailableSecurityProperties:
# 0. If present, no relevant properties exist on the device.
# 1. If present, hypervisor support is available.
# 2. If present, Secure Boot is available.
# 3. If present, DMA protection is available.
# 4. If present, Secure Memory Overwrite is available.
# 5. If present, NX protections are available.
# 6. If present, SMM mitigations are available.
# 7. If present, MBEC/GMET is available.
# 8. If present, APIC virtualization is available.
#
- name: "Handle known issue"
block:
- include_tasks: ../utils/win_enable_vbs_guest.yml
- include_tasks: ../utils/win_get_vbs_guest.yml
when: not guest_vbs_enabled_before
- name: "Known issue - NX protections are not present in AvailableSecurityProperties on ESXi 7.0.3"
ansible.builtin.debug:
msg:
- "The issue of 'NX protections are not present in guest OS AvailableSecurityProperties' exists on this ESXi 7.0.3 build '{{ esxi_build }}', which is fixed in ESXi 7.0U3l patch build 21424296. Please refer to KB article: https://kb.vmware.com/s/article/91199."
tags:
- known_issue
when:
- esxi_version is version('7.0.3', '==')
- esxi_build | int < 21424296
- range(1, 8) | difference(win_dg_security_properties) == [5]

- name: "Check available security properties got in guest OS"
ansible.builtin.assert:
that:
- win_dg_security_properties | sort == range(1, 8) | list
fail_msg: "Available security properties list got in guest OS: {{ win_dg_security_properties }}, '{{ range(1, 8) | difference(win_dg_security_properties) }}' is missed compared with expected list '{{ range(1, 8) }}'."
when: >
(esxi_version is version('7.0.3', '>') or esxi_version is version('7.0.3', '<')) or
(esxi_version is version('7.0.3', '==') and esxi_build | int >= 21424296)

# SecurityServicesRunning: 2 means HVCI is running
# VirtualizationBasedSecurityStatus: 2 means VBS is enabled and running
# SecurityServicesRunning:
# 0. No services running.
# 1. If present, Windows Defender Credential Guard is running.
# 2. If present, HVCI is running.
# 3. If present, System Guard Secure Launch is running.
# 4. If present, SMM Firmware Measurement is running.
# VirtualizationBasedSecurityStatus:
# 2 means VBS is enabled and running
# 1 means VBS is enabled but not running
# 0 means VBS is not enabled
#
- name: "Check VBS and running security service status"
ansible.builtin.assert:
that:
- win_vbs_status_guest | int == 2
- "'1' in win_vbs_running_service"
- "'2' in win_vbs_running_service"
fail_msg: "VBS is not running '{{ win_vbs_status_guest }}', or HVCI is not running '{{ win_vbs_running_service }}'."
fail_msg: "VBS status is '{{ win_vbs_status_guest }}' not expected '2', or HVCI '2'/Credential Guard '1' is not in the SecurityServicesRunning list: '{{ win_vbs_running_service }}'."