
Device Guard check #647

TSpreier opened this issue Nov 25, 2024 · 2 comments
Labels: enhancement (New feature or request), patch (Includes bug fixes, focusing on enhancing stability.)

Comments


Description

The current tool does not support a comprehensive check of Device Guard on Windows systems. The aim is to extend the tool so that it can perform a Device Guard check.

What are the benefits?

Identification of vulnerabilities through a more detailed review of Device Guard.

Acceptance Criteria!

- The tool can detect whether Device Guard is activated.
- Detailed information on the configuration guidelines (e.g. HVCI, Credential Guard) is displayed.

Linked Issues?

No response

Additional Information!

No response

@TSpreier TSpreier added the enhancement New feature or request label Nov 25, 2024
@TuemmlerKelch TuemmlerKelch added the patch Includes bug fixes, focusing on enhancing stability. label Jan 6, 2025
@TuemmlerKelch (Collaborator)

Device Guard is the name of a set of features:
As of now, there seem to be 6/7 different security services associated with Device Guard, which we can check with `(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning`

| # | Service |
|---|---------|
| 0 | No services running |
| 1 | Credential Guard |
| 2 | Memory Integrity (HVCI) |
| 3 | System Guard Secure Launch |
| 4 | SMM Firmware Measurement |
| 5 | Kernel-mode Hardware-enforced Stack Protection |
| 6 | Kernel-mode Hardware-enforced Stack Protection is configured in Audit mode |
| 7 | Hypervisor-Enforced Paging Translation |

Source: https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity?tabs=security#securityservicesrunning
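An added example of how the service codes from that table could be decoded for the tool's output; this is not the issue author's or the project's code. The `Get-DeviceGuardReport` function name and the constructed `$sample` object are assumptions; the `Win32_DeviceGuard` property names and the `VirtualizationBasedSecurityStatus` values (0 = disabled, 1 = enabled but not running, 2 = enabled and running) follow Microsoft's documentation for the class.

```powershell
# Added example: decode Win32_DeviceGuard service codes into readable findings.
# Service names follow the table in the comment above.
$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Memory Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (Audit mode)'
    7 = 'Hypervisor-Enforced Paging Translation'
}

function Get-DeviceGuardReport {
    # -DeviceGuard lets a caller pass a pre-fetched (or constructed) object;
    # by default the live CIM instance is queried.
    param(
        $DeviceGuard = (Get-CimInstance -ClassName Win32_DeviceGuard `
                        -Namespace root\Microsoft\Windows\DeviceGuard)
    )
    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)
    $vbs = switch ($DeviceGuard.VirtualizationBasedSecurityStatus) {
        2       { 'Enabled and running' }
        1       { 'Enabled, not running' }
        default { 'Disabled' }
    }
    [PSCustomObject]@{ Check = 'Virtualization Based Security'; Status = $vbs }

    # One row per known service. 'ConfiguredOnly' flags a policy that was set
    # but whose service never started (commonly missing hardware/firmware
    # prerequisites), which a plain "is it running" check would miss.
    foreach ($code in ($ServiceNames.Keys | Sort-Object)) {
        $state = if ($running -contains $code)        { 'Running' }
                 elseif ($configured -contains $code) { 'ConfiguredOnly' }
                 else                                 { 'Off' }
        [PSCustomObject]@{ Check = $ServiceNames[$code]; Status = $state }
    }
}

# Offline demonstration with a constructed object (sample values, not from a real host):
# VBS running, Credential Guard configured but not started, HVCI running.
$sample = [PSCustomObject]@{
    VirtualizationBasedSecurityStatus = 2
    SecurityServicesConfigured        = @(1, 2)
    SecurityServicesRunning           = @(2)
}
Get-DeviceGuardReport -DeviceGuard $sample | Format-Table -AutoSize
```

Calling `Get-DeviceGuardReport` without `-DeviceGuard` queries the local machine; the CIM class only exists on Windows 10/Server 2016 and later.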

@TuemmlerKelch (Collaborator)

TuemmlerKelch commented Jan 7, 2025

As discussed, we can make sure this is properly tagged as a device guard setting.

We will rename the two related titles:

| old | new |
|-----|-----|
| Ensure Virtualization Based Security is enabled and running. | Virtualization Based Security: Ensure Virtualization Based Security is enabled and running. |
| Ensure Hypervisor-protected Code Integrity (HVCI) is running. | Virtualization Based Security: Ensure Hypervisor-protected Code Integrity (HVCI) is running. |
| Ensure Credential Guard is running. | Virtualization Based Security: Ensure Credential Guard is running. |
| Ensure the system is using SecureBoot. | Virtualization Based Security: Ensure the system is using SecureBoot. |

I believe all these checks should be placed in the Platform Security section.
