From 691fd500f87cde0d23505ce40afb8de60b6b5725 Mon Sep 17 00:00:00 2001
From: Diane Wang
Date: Tue, 28 Feb 2023 06:55:30 +0000
Subject: [PATCH] change condition
Signed-off-by: Diane Wang
---
 windows/utils/win_enable_vbs_guest.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/windows/utils/win_enable_vbs_guest.yml b/windows/utils/win_enable_vbs_guest.yml
index adc8743ab..280a8cb01 100644
--- a/windows/utils/win_enable_vbs_guest.yml
+++ b/windows/utils/win_enable_vbs_guest.yml
@@ -13,13 +13,13 @@
 # 5. enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)
 # 6. enable virtualization-based protection of Code Integrity policies with Require UEFI Memory Attributes Table
 #
+#reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f;
 - name: "Enable VBS and HVCI in guest OS"
 include_tasks: win_execute_cmd.yml
 vars:
 win_powershell_cmd: >-
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f;
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f;
- reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f;
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f;
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f;
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "HVCIMATRequired" /t REG_DWORD /d 1 /f
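Review bot: The DeviceGuard `Locked` value is dropped from the command but left behind as a commented-out `reg add` above the task with no reason given, while the HVCI scenario's own `Locked` is still set to 1 a few lines below, so the two lock settings now differ without explanation. Replace the dead command with a comment that states the intent, e.g. `# DeviceGuard "Locked" (UEFI lock for VBS) is intentionally left unset: <reason>`, and update the numbered steps in the header comment if one of them still describes that lock (only steps 5 and 6 are visible here). Any later check in the playbook that expects VBS to be UEFI-locked would need the same adjustment; that is not visible in this hunk.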
@@ -34,9 +34,8 @@
 win_powershell_cmd: >-
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 1 /f
 when: >
- (guest_os_product_type | lower == 'server') or
 (guest_os_build_num | int < 22621) or
- (guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])
+ (guest_os_product_type | lower == 'client' and guest_os_build_num | int >= 22621 and guest_os_edition | lower not in ['enterprise', 'education'])
 # - include_tasks: win_execute_cmd.yml
 # vars:
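Review bot: With the `server` clause removed, a Server guest on build 22621 or later matches neither remaining clause of this `when`, so the `LsaCfgFlags` command shown in the context lines is skipped for it, and the commit message ("change condition") does not say whether that is intended. If it is, for instance because those builds are expected to turn Credential Guard on by default, say so in a comment above the condition, e.g. `# skipped where Credential Guard is expected to be on by default: Server builds >= 22621 and client Enterprise/Education builds >= 22621`, and have the test verify the resulting state rather than assume it. If it is not, keep `(guest_os_product_type | lower == 'server') or` as the first clause. The task this condition belongs to starts above the hunk.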