change condition

Signed-off-by: Diane Wang <dianew@vmware.com>

windows/utils/win_enable_vbs_guest.yml

@@ -13,13 +13,13 @@
 # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)
 # 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table
 #
+#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f;
 - name: "Enable VBS and HVCI in guest OS"
   include_tasks: win_execute_cmd.yml
   vars:
     win_powershell_cmd: >-
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
-      reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f;
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f;
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f;
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f
@@ -34,9 +34,8 @@
     win_powershell_cmd: >-
       reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
   when: >
-    (guest_os_product_type | lower == 'server') or
     (guest_os_build_num | int < 22621) or
-    (guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])
+    (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])
 
 # - include_tasks: win_execute_cmd.yml
 # vars: