Enabling Credential Guard

Qlik01 · ‎05-30-2019

I’m trying to enable Credential Guard for the following computers via ivanti

All computers running Windows 10 Enterprise

HP Elitebook 840 G1

HP Elitebook 840 G2

HP Elitebook 840 G3

HP Elitebook 840 G4

HP Elitebook 840 G5

HP zBook Studio G3 & G4

I need to script the entire process but I’m running into an issue with getting Hyper V enabled in the BIOS. Credential Guard works if I enable HyperV manually. Anyone able to assist with scripting to enable hyper V in bios?

Current Script

# This script will enable Microsoft Credential Guard

# Set variables to be used in script

$DeviceGuardRegKey = "HKLM:\System\CurrentControlSet\Control\DeviceGuard"

$LSARegKey = "HKLM:\System\CurrentControlSet\Control\LSA"

$EnableSecurityRegKeyValue = "EnableVirtualizationBasedSecurity"

$DeviceGuardRegKeyValue = "RequirePlatformSecurityFeatures"

$LSARegKeyValue = "LsaCfgFlags"

$xxxITRegKey = "HKLM:\Software\xxxxIT"

$xxxITRegKeyTested = Test-Path $xxxITRegKey

$xxxITRegKeyValue = 'CredentialGuard'

# Check and create Enable Security registry key

If (Get-ItemProperty -Path $DeviceGuardRegKey -Name $EnableSecurityRegKeyValue -ErrorAction SilentlyContinue) {

Break

} Else {

New-ItemProperty -Path $DeviceGuardRegKey -Name $EnableSecurityRegKeyValue -PropertyType DWORD -Value 1

}

# Check and create DeviceGuard registry key

If (Get-ItemProperty -Path $DeviceGuardRegKey -Name $DeviceGuardRegKeyValue -ErrorAction SilentlyContinue) {

Break

} Else {

New-ItemProperty -Path $DeviceGuardRegKey -Name $DeviceGuardRegKeyValue -PropertyType DWORD -Value 1

}

# Check and create LSA registry key

If (Get-ItemProperty -Path $LSARegKey -Name $LSARegKeyValue -ErrorAction SilentlyContinue) {

Break

} Else {

New-ItemProperty -Path $LSARegKey -Name $LSARegKeyValue -PropertyType DWORD -Value 1

}

# Check existence of xxxIT Software Registry Key and create if not present

IF ($xxxITRegKeyTested -eq $false) {New-Item -Path $xxxITRegKey}

# Check CredentialGuard registry values and create if not present

If (Get-ItemProperty -Path $xxxITRegKey -Name $xxxITRegKeyValue -ErrorAction SilentlyContinue) {

Break

} Else {

New-ItemProperty -Path $xxxITRegKey -Name $xxxITRegKeyValue -PropertyType String -Value Installed

}

# Run full inventory scan

Start-Process -Wait -FilePath "C:\Program Files (X86)\LANDesk\LDClient\LDISCN32.exe" -ArgumentList '/F /SYNC'

Kenneth_S · ‎09-01-2019

Qlik01,

Hello! I would like to start off with a thank you sir. I am obtaining a couple HP EliteBook 840 G3s in the next couple days. I haven't physically seen them yet but looked at HPEs document showing which devices currently supported Credential Guard and Device Guard. I did not see the EliteBooks listed and thought it wasn't supported. I probably wouldn't have looked again, and the laptops would have had to stay off my company network because of the security policies I have implemented.

Would you possibly be okay with a already made powershell script? I have not tried it yet, however, Microsoft makes one ready for download. It's called DG_Readiness.ps1.

I stumped across it when I was doing my research on the EliteBook. You can find the download here:

https://www.microsoft.com/en-us/download/details.aspx?id=53337

Create an account on the HP Community to personalize your profile and ask a question