change registry path

Signed-off-by: Diane Wang <dianew@vmware.com>

windows/utils/win_enable_vbs_guest.yml

@@ -13,16 +13,16 @@
 # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)
 # 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table
 #
-#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f;
+# reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f not working
 - name: "Enable VBS and HVCI in guest OS"
   include_tasks: win_execute_cmd.yml
   vars:
     win_powershell_cmd: >-
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f;
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f;
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f
+      reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
+      reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\SYSTEM\\CurrentControlSet\\Control\\DeviceGuard\\Scenarios\\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
 
 # Enable CredentialGuard with UEFI lock (value 1)
 # Starting in Windows 11 Enterprise, version 22H2 and Windows 11 Education, version 22H2,
@@ -32,20 +32,21 @@
   include_tasks: win_execute_cmd.yml
   vars:
     win_powershell_cmd: >-
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
+      reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
   when: >
     (guest_os_build_num | int < 22621) or
     (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])
 
-# - include_tasks: win_execute_cmd.yml
-# vars:
-# win_powershell_cmd: >-
 # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
 # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
 # reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f;
-# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f
-# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f;
-# reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f
+- name: "Enable HVCIMATRequired"
+  include_tasks: win_execute_cmd.yml
+  vars:
+    win_powershell_cmd: >-
+      reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f;
+      reg add "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeviceGuard" /v "ConfigureSystemGuardLaunch" /t REG_DWORD /d 1 /f
 
 - name: "Restart guest OS after configuration"
   include_tasks: win_shutdown_restart.yml