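Finally got it solved, aaaaaah!

For the installation tutorial, you can refer to this article.

The VMware version I downloaded is: VMware-workstation-full-15.5.6-16341506.exe

The macOS unlock tool is: unlocker-v3.0.2

The PC runs Windows 10 Home (Chinese edition). The Home edition has no gpedit.msc, so most of the solutions found online do not work.

Error message: 您的主机不满足在启用 Hyper-V 或 Device/Credential Guard 的情况下运行 VMware Workstation 的最低要求

Meaning: Hyper-V or Device/Credential Guard is enabled on your computer. Both must be turned off to meet the minimum requirements for running VMware.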

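1. Disable Hyper-V

Control Panel → Programs and Features → toolbar on the right: Turn Windows features on or off → uncheck the entire Hyper-V item

A reboot is needed for this to take effect; you can wait until step 2 is done and reboot then.

2. Disable Windows Defender Credential Guard

Microsoft official documentation

I followed the steps on the official site: save the tool script to a local file named DG_Readiness_Tool_v3.6.ps1,
then run PowerShell as administrator and execute the command below. The machine restarts after 1 minute; after the restart it asks whether to disable, press F3 to confirm: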

.\DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot
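
To confirm after the reboot that both steps took effect, a read-only check can be run from the same elevated PowerShell window. This is an added example, not part of the original post or of Microsoft's tool; the function name Get-VbsStatus is made up here, while the CIM class, its properties and the registry values are the ones the readiness script itself reads and writes.

```powershell
# Added example (not from the Microsoft tool): read-only status check.
# It only queries state and changes nothing on the system.
function Get-VbsStatus {
    [CmdletBinding()]
    param()

    # Same CIM class the readiness script queries in CheckDGRunning and -Ready.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
    $running = @($dg.SecurityServicesRunning)   # 1 = Credential Guard, 2 = HVCI

    # HypervisorPresent is the property CheckVirtualization logs.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Registry values the script's -Enable branch sets to 1 and 2 respectively.
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $vbsReg = (Get-ItemProperty -Path $dgKey -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $lsaReg = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).LsaCfgFlags

    # Hyper-V optional features from step 1. The query needs elevation; on an
    # edition without these features the list is simply empty.
    $hyperV = @()
    try {
        $hyperV = @(Get-WindowsOptionalFeature -Online -ErrorAction Stop |
            Where-Object { $_.FeatureName -like 'Microsoft-Hyper-V*' -and $_.State -eq 'Enabled' } |
            Select-Object -ExpandProperty FeatureName)
    }
    catch {
        Write-Verbose "Optional feature query failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        HypervisorPresent      = [bool]$cs.HypervisorPresent
        # 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus
        CredentialGuardRunning = $running -contains 1
        HvciRunning            = $running -contains 2
        EnableVbsRegistry      = $vbsReg
        LsaCfgFlags            = $lsaReg
        HyperVFeaturesEnabled  = $hyperV
    }
}

$status = Get-VbsStatus
$status | Format-List

# Any of these still being true means the hypervisor or a VBS service is active.
if ($status.HypervisorPresent -or $status.CredentialGuardRunning -or
    $status.HvciRunning -or $status.HyperVFeaturesEnabled.Count -gt 0) {
    Write-Warning 'Hyper-V or a virtualization-based security service is still active.'
}
else {
    Write-Host 'Hyper-V and Device/Credential Guard are off.' -ForegroundColor Green
}
```

Running the same function again later, when VMware is no longer needed and the protections have been turned back on, shows whether Credential Guard is actually running again.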

The script is as follows:

# Script to find out if a machine is Device Guard compliant.
# The script requires a driver verifier present on the system.

param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)

$path = "C:\DGLogs\"
$LogFile = $path + "DeviceGuardCheckLog.txt"

$CompatibleModules = New-Object System.Text.StringBuilder
$FailingModules = New-Object System.Text.StringBuilder
$FailingExecuteWriteCheck = New-Object System.Text.StringBuilder

$DGVerifyCrit = New-Object System.Text.StringBuilder
$DGVerifyWarn = New-Object System.Text.StringBuilder
$DGVerifySuccess = New-Object System.Text.StringBuilder

$Sys32Path = "$env:windir\system32"
$DriverPath = "$env:windir\system32\drivers"

#generated by certutil -encode
$SIPolicy_Encoded = "..."

$HSTITest_Encoded = "..."

function Log($message)
{
    $message | Out-File $LogFile -Append -Force
}

function LogAndConsole($message)
{
    Write-Host $message
    Log $message
}

function LogAndConsoleWarning($message)
{
    Write-Host $message -foregroundcolor "Yellow"
    Log $message
}

function LogAndConsoleSuccess($message)
{
    Write-Host $message -foregroundcolor "Green"
    Log $message
}

function LogAndConsoleError($message)
{
    Write-Host $message -foregroundcolor "Red"
    Log $message
}

function IsExempted([System.IO.FileInfo] $item)
{
    $cert = (Get-AuthenticodeSignature $item.FullName).SignerCertificate
    if($cert.ToString().Contains("CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"))
    {
        Log $item.FullName + "MS Exempted"
        return 1
    }
    else
    {
        Log $item.FullName + "Not-exempted"
        Log $cert.ToString()
        return 0
    }
}

function CheckExemption($_ModName)
{
    $mod1 = Get-ChildItem $Sys32Path $_ModName
    $mod2 = Get-ChildItem $DriverPath $_ModName
    if($mod1)
    {
        Log "NonDriver module" + $mod1.FullName
        return IsExempted($mod1)
    }
    elseif($mod2)
    {
        Log "Driver Module" + $mod2.FullName
        return IsExempted($mod2)
    }
}

function CheckFailedDriver($_ModName, $CIStats)
{
    Log "Module: " $_ModName.Trim()
    if(CheckExemption($_ModName.Trim()) - eq 1)
    {
        $CompatibleModules.AppendLine("Windows Signed: " + $_ModName.Trim()) | Out-Null
        return
    }
    $index = $CIStats.IndexOf("execute pool type count:".ToLower())
    if($index -eq -1)
    {
        return
    }
    $_tempStr = $CIStats.Substring($index)
    $Result = "PASS"
    $separator = "`r`n",""
    $option = [System.StringSplitOptions]::RemoveEmptyEntries
    $stats = $_tempStr.Split($separator,$option)
    Log $stats.Count

    $FailingStat = ""
    foreach( $stat in $stats)
    {
        $_t =$stat.Split(":")
        if($_t.Count -eq 2 -and $_t[1].trim() -ne "0")
        {
            $Result = "FAIL"
            $FailingStat = $stat
            break
        }
    }
    if($Result.Contains("PASS"))
    {
        $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
    }
    elseif($FailingStat.Trim().Contains("execute-write"))
    {
        $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
    }
    else
    {
        $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
    }
    Log "Result: " $Result
}

function ListCIStats($_ModName, $str1)
{
    $i1 = $str1.IndexOf("Code Integrity Statistics:".ToLower())
    if($i1 -eq -1 )
    {
        Log "String := " $str1
        Log "Warning! CI Stats are missing for " $_ModName
        return
    }
    $temp_str1 = $str1.Substring($i1)
    $CIStats = $temp_str1.Substring(0).Trim()

    CheckFailedDriver $_ModName $CIStats
}

function ListDrivers($str)
{
    $_tempStr= $str

    $separator = "module:",""
    $option = [System.StringSplitOptions]::RemoveEmptyEntries
    $index1 = $_tempStr.IndexOf("MODULE:".ToLower())
    if($index1 -lt 0)
    {
        return
    }
    $_tempStr = $_tempStr.Substring($Index1)
    $_SplitStr = $_tempStr.Split($separator,$option)

    Log $_SplitStr.Count
    LogAndConsole "Verifying each module please wait ... "
    foreach($ModuleDetail in $_Splitstr)
    {
        #LogAndConsole $Module
        $Index2 = $ModuleDetail.IndexOf("(")
        if($Index2 -eq -1)
        {
            "Skipping .."
            continue
        }
        $ModName = $ModuleDetail.Substring(0,$Index2-1)
        Log "Driver: " $ModName
        Log "Processing module: " $ModName
        ListCIStats $ModName $ModuleDetail
    }

    $DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
    LogAndConsole $DriverScanCompletedMessage

    if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
    {
        $WarningMessage = "Incompatible HVCI Kernel Driver Modules found"
        if($HLK)
        {
            LogAndConsoleError $WarningMessage
        }
        else
        {
            LogAndConsoleWarning $WarningMessage
        }

        LogAndConsoleError $FailingExecuteWriteCheck.ToString()
        if($HLK)
        {
            LogAndConsoleError $FailingModules.ToString()
        }
        else
        {
            LogAndConsoleWarning $FailingModules.ToString()
        }
        if($FailingModules.Length -ne 0 -or $FailingExecuteWriteCheck.Length -ne 0 )
        {
            if($HLK)
            {
                $DGVerifyCrit.AppendLine($WarningMessage) | Out-Null
            }
            else
            {
                $DGVerifyWarn.AppendLine($WarningMessage) | Out-Null
            }
        }
    }
    else
    {
        LogAndConsoleSuccess "No Incompatible Drivers found"
    }
}

function ListSummary()
{
    if($DGVerifyCrit.Length -ne 0 )
    {
        LogAndConsoleError "Machine is not Device Guard / Credential Guard compatible because of the following:"
        LogAndConsoleError $DGVerifyCrit.ToString()
        LogAndConsoleWarning $DGVerifyWarn.ToString()
        if(!$HVCI -and !$DG)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 0 /f '
        }
        if(!$CG)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 0 /f '
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 0 /f '
        }
    }
    elseif ($DGVerifyWarn.Length -ne 0 )
    {
        LogAndConsoleSuccess "Device Guard / Credential Guard can be enabled on this machine.`n"
        LogAndConsoleWarning "The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:"
        LogAndConsoleWarning $DGVerifyWarn.ToString()
        if(!$HVCI -and !$DG)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 1 /f '
        }
        if(!$CG)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 1 /f '
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 1 /f '
        }
    }
    else
    {
        LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
        if(!$HVCI -and !$DG)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
        }
        if(!$CG)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 2 /f '
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 2 /f '
        }
    }
}

function Instantiate-Kernel32 {
    try
    {
        Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;

public static class Kernel32
{
    [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
    public static extern IntPtr LoadLibrary(
        [MarshalAs(UnmanagedType.LPStr)]string lpFileName);

    [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
    public static extern IntPtr GetProcAddress(
        IntPtr hModule,
        string procName);
}
"@
    }
    catch
    {
        Log $_.Exception.Message
        LogAndConsole "Instantiate-Kernel32 failed"
    }
}

function Instantiate-HSTI {
    try
    {
        Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;

public static class HstiTest3
{
    [DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
    public static extern int QueryHSTIdetails(
        ref HstiOverallError pHstiOverallError,
        [In, Out] HstiProviderErrorDuple[] pHstiProviderErrors,
        ref uint pHstiProviderErrorsCount,
        byte[] hstiPlatformSecurityBlob,
        ref uint pHstiPlatformSecurityBlobBytes);

    [DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
    public static extern int QueryHSTI(ref bool Pass);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct HstiProviderErrorDuple
    {
        internal uint protocolError;
        internal uint role;
        internal HstiProviderErrors providerError;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)]
        internal string ID;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
        internal string ErrorString;
    }

    [FlagsAttribute]
    public enum HstiProviderErrors : int
    {
        None              = 0x00000000,
        VersionMismatch   = 0x00000001,
        RoleUnknown       = 0x00000002,
        RoleDuplicated    = 0x00000004,
        SecurityFeatureSizeMismatch   = 0x00000008,
        SizeTooSmall      = 0x00000010,
        VerifiedMoreThanImplemented   = 0x00000020,
        VerifiedNotMatchImplemented   = 0x00000040
    }

    [FlagsAttribute]
    public enum HstiOverallError : int
    {
        None                               = 0x00000000,
        RoleTooManyPlatformReference       = 0x00000001,
        RoleTooManyIbv                     = 0x00000002,
        RoleTooManyOem                     = 0x00000004,
        RoleTooManyOdm                     = 0x00000008,
        RoleMissingPlatformReference       = 0x00000010,
        VerifiedIncomplete                 = 0x00000020,
        ProtocolErrors                     = 0x00000040,
        BlobVersionMismatch                = 0x00000080,
        PlatformSecurityVersionMismatch    = 0x00000100,
        ProviderError                      = 0x00000200
    }
}
"@

        $LibHandle = [Kernel32]::LoadLibrary("C:\Windows\System32\hstitest.dll")
        $FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
        $FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")

        if ([System.IntPtr]::Size -eq 8)
        {
            #assuming 64 bit
            Log "`nKernel32::LoadLibrary   64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
            Log "HstiTest2::QueryHSTIdetails  64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
        }
        else
        {
            return
        }
        $overallError = New-Object HstiTest3+HstiOverallError
        $providerErrorDupleCount = New-Object int
        $blobByteSize = New-Object int
        $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)

        [byte[]]$blob = New-Object byte[] $blobByteSize
        [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
        $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
        $string = $null
        $blob | foreach { $string = $string + $_.ToString("X2")+"," }

        $hstiStatus = New-Object bool
        $hr = [HstiTest3]::QueryHSTI([ref] $hstiStatus)

        LogAndConsole "HSTI Duple Count: $providerErrorDupleCount"
        LogAndConsole "HSTI Blob size: $blobByteSize"
        LogAndConsole "String: $string"
        LogAndConsole "HSTIStatus: $hstiStatus"
        if(($blobByteSize -gt 512) -and ($providerErrorDupleCount -gt 0) -and $hstiStatus)
        {
            LogAndConsoleSuccess "HSTI validation successful"
        }
        elseif(($providerErrorDupleCount -eq 0) -or ($blobByteSize -le 512))
        {
            LogAndConsoleWarning "HSTI is absent"
            $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
        }
        else
        {
            $ErrorMessage = "HSTI validation failed"
            if($HLK)
            {
                LogAndConsoleError $ErrorMessage
                $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
            }
            else
            {
                LogAndConsoleWarning $ErrorMessage
                $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
            }
        }
    }
    catch
    {
        LogAndConsoleError $_.Exception.Message
        LogAndConsoleError "Instantiate-HSTI failed"
    }
}

function CheckDGRunning($_val)
{
    $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard
    for($i=0; $i -lt $DGObj.SecurityServicesRunning.length; $i++)
    {
        if($DGObj.SecurityServicesRunning[$i] -eq $_val)
        {
            return 1
        }
    }
    return 0
}

function CheckDGFeatures($_val)
{
    $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard
    Log "DG_obj $DG_obj"
    Log "DG_obj.AvailableSecurityProperties.length $DG_obj.AvailableSecurityProperties.length"
    for($i=0; $i -lt $DGObj.AvailableSecurityProperties.length; $i++)
    {
        if($DGObj.AvailableSecurityProperties[$i] -eq $_val)
        {
            return 1
        }
    }
    return 0
}

function PrintConfigCIDetails($_ConfigCIState)
{
    $_ConfigCIRunning = "Config-CI is enabled and running."
    $_ConfigCIDisabled = "Config-CI is not running."
    $_ConfigCIMode = "Not Enabled"
    switch ($_ConfigCIState)
    {
        0 { $_ConfigCIMode = "Not Enabled" }
        1 { $_ConfigCIMode = "Audit mode" }
        2 { $_ConfigCIMode = "Enforced mode" }
        default { $_ConfigCIMode = "Not Enabled" }
    }

    if($_ConfigCIState -ge 1)
    {
        LogAndConsoleSuccess "$_ConfigCIRunning ($_ConfigCIMode)"
    }
    else
    {
        LogAndConsoleWarning "$_ConfigCIDisabled ($_ConfigCIMode)"
    }
}

function PrintHVCIDetails($_HVCIState)
{
    $_HvciRunning = "HVCI is enabled and running."
    $_HvciDisabled = "HVCI is not running."

    if($_HVCIState)
    {
        LogAndConsoleSuccess $_HvciRunning
    }
    else
    {
        LogAndConsoleWarning $_HvciDisabled
    }
}

function PrintCGDetails ($_CGState)
{
    $_CGRunning = "Credential-Guard is enabled and running."
    $_CGDisabled = "Credential-Guard is not running."

    if($_CGState)
    {
        LogAndConsoleSuccess $_CGRunning
    }
    else
    {
        LogAndConsoleWarning $_CGDisabled
    }
}

if(![IO.Directory]::Exists($path))
{
    New-Item -ItemType directory -Path $path
}
else
{
    #Do Nothing!!
}

function IsRedstone
{
    $_osVersion = [environment]::OSVersion.Version
    Log $_osVersion
    #Check if build Major is Windows 10
    if($_osVersion.Major -lt 10)
    {
        return 0
    }
    #Check if the build is post Threshold2 (1511 release) => Redstone
    if($_osVersion.Build -gt 10586)
    {
        return 1
    }
    #default return False
    return 0
}

function ExecuteCommandAndLog($_cmd)
{
    try
    {
        Log "Executing: $_cmd"
        $CmdOutput = Invoke-Expression $_cmd | Out-String
        Log "Output: $CmdOutput"
    }
    catch
    {
        Log "Exception while exectuing $_cmd"
        Log $_.Exception.Message
    }
}

function PrintRebootWarning
{
    LogAndConsoleWarning "Please reboot the machine, for settings to be applied."
}

function AutoRebootHelper
{
    if($AutoReboot)
    {
        LogAndConsole "PC will restart in 30 seconds"
        ExecuteCommandAndLog 'shutdown /r /t 30'
    }
    else
    {
        PrintRebootWarning
    }
}

function VerifierReset
{
    $verifier_state = verifier /query | Out-String
    if(!$verifier_state.ToString().Contains("No drivers are currently verified."))
    {
        ExecuteCommandAndLog 'verifier.exe /reset'
    }
    AutoRebootHelper
}

function PrintHardwareReq
{
    LogAndConsole "###########################################################################"
    LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard"
    LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home"
    LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT"
    LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr"
    LogAndConsole "########################################################################### `n"
}

function CheckDriverCompat
{
    $_HVCIState = CheckDGRunning(2)
    if($_HVCIState)
    {
        LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be complete."
        LogAndConsoleWarning "Please disable HVCI and run the script again..."
    }
    $verifier_state = verifier /query | Out-String
    if($verifier_state.ToString().Contains("No drivers are currently verified."))
    {
        LogAndConsole "Enabling Driver verifier"
        verifier.exe /flags 0x02000000 /all /log.code_integrity

        LogAndConsole "Enabling Driver Verifier and Rebooting system"
        Log $verifier_state
        LogAndConsole "Please re-execute this script after reboot...."
        if($AutoReboot)
        {
            LogAndConsole "PC will restart in 30 seconds"
            ExecuteCommandAndLog 'shutdown /r /t 30'
        }
        else
        {
            LogAndConsole "Please reboot manually and run the script again...."
        }
        exit
    }
    else
    {
        LogAndConsole "Driver verifier already enabled"
        Log $verifier_state
        ListDrivers($verifier_state.Trim().ToLowerInvariant())
    }
}

function IsDomainController
{
    $_isDC = 0
    $CompConfig = Get-WmiObject Win32_ComputerSystem
    foreach ($ObjItem in $CompConfig)
    {
        $Role = $ObjItem.DomainRole
        Log "Role=$Role"
        Switch ($Role)
        {
            0 { Log "Standalone Workstation" }
            1 { Log "Member Workstation" }
            2 { Log "Standalone Server" }
            3 { Log "Member Server" }
            4 {
                Log "Backup Domain Controller"
                $_isDC=1
                break
            }
            5 {
                Log "Primary Domain Controller"
                $_isDC=1
                break
            }
            default { Log "Unknown Domain Role" }
        }
    }
    return $_isDC
}

function CheckOSSKU
{
    $osname = $((gwmi win32_operatingsystem).Name).ToLower()
    $_SKUSupported = 0
    Log "OSNAME:$osname"
    $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
    $HLKAllowed = @("microsoft windows 10 pro")
    foreach ($SKUent in $SKUarray)
    {
        if($osname.ToString().Contains($SKUent.ToLower()))
        {
            $_SKUSupported = 1
            break
        }
    }

    # For running HLK tests only, professional SKU's are marked as supported.
    if($HLK)
    {
        if($osname.ToString().Contains($HLKAllowed.ToLower()))
        {
            $_SKUSupported = 1
        }
    }
    $_isDomainController = IsDomainController
    if($_SKUSupported)
    {
        LogAndConsoleSuccess "This PC edition is Supported for DeviceGuard";
        if(($_isDomainController -eq 1) -and !$HVCI -and !$DG)
        {
            LogAndConsoleError "This PC is configured as a Domain Controller, Credential Guard is not supported on DC."
        }
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
    }
    else
    {
        LogAndConsoleError "This PC edition is Unsupported for Device Guard"
        $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 0 /f '
    }
}

function CheckOSArchitecture
{
    $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
    Log $OSArch
    if($OSArch -match ("^64\-?\s?bit"))
    {
        LogAndConsoleSuccess "64 bit architecture"
    }
    elseif($OSArch -match ("^32\-?\s?bit"))
    {
        LogAndConsoleError "32 bit architecture"
        $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
    }
    else
    {
        LogAndConsoleError "Unknown architecture"
        $DGVerifyCrit.AppendLine("Unknown OS, OS Architecture failure.") | Out-Null
    }
}

function CheckSecureBootState
{
    $_secureBoot = Confirm-SecureBootUEFI
    Log $_secureBoot
    if($_secureBoot)
    {
        LogAndConsoleSuccess "Secure Boot is present"
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 2 /f '
    }
    else
    {
        LogAndConsoleError "Secure Boot is absent / not enabled."
        LogAndConsoleError "If Secure Boot is supported on the system, enable Secure Boot in the BIOS and run the script again."
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 0 /f '
        $DGVerifyCrit.AppendLine("Secure boot validation failed.") | Out-Null
    }
}

function CheckVirtualization
{
    $_vmmExtension = $(gwmi -Class Win32_processor).VMMonitorModeExtensions
    $_vmFirmwareExtension = $(gwmi -Class Win32_processor).VirtualizationFirmwareEnabled
    $_vmHyperVPresent =  (gcim -Class Win32_ComputerSystem).HypervisorPresent
    Log "VMMonitorModeExtensions $_vmmExtension"
    Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension"
    Log "HyperVisorPresent $_vmHyperVPresent"

    #success if either processor supports and enabled or if hyper-v is present
    if(($_vmmExtension -and $_vmFirmwareExtension) -or $_vmHyperVPresent )
    {
        LogAndConsoleSuccess "Virtualization firmware check passed"
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 2 /f '
    }
    else
    {
        LogAndConsoleError "Virtualization firmware check failed."
        LogAndConsoleError "If Virtualization extensions are supported on the system, enable hardware virtualization (Intel Virtualization Technology, Intel VT-x, Virtualization Extensions, or similar) in the BIOS and run the script again."
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 0 /f '
        $DGVerifyCrit.AppendLine("Virtualization firmware check failed.") | Out-Null
    }
}

function CheckTPM
{
    $TPMLockout = $(get-tpm).LockoutCount

    if($TPMLockout)
    {
        if($TPMLockout.ToString().Contains("Not Supported for TPM 1.2"))
        {
            if($HLK)
            {
                LogAndConsoleSuccess "TPM 1.2 is present."
            }
            else
            {
                $WarningMsg = "TPM 1.2 is Present. TPM 2.0 is Preferred."
                LogAndConsoleWarning $WarningMsg
                $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null
            }
        }
        else
        {
            LogAndConsoleSuccess "TPM 2.0 is present."
        }
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 2 /f '
    }
    else
    {
        $WarningMsg = "TPM is absent or not ready for use"
        if($HLK)
        {
            LogAndConsoleError $WarningMsg
            $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null
        }
        else
        {
            LogAndConsoleWarning $WarningMsg
            $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null
        }
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 0 /f '
    }
}

function CheckSecureMOR
{
    $isSecureMOR = CheckDGFeatures(4)
    Log "isSecureMOR= $isSecureMOR "
    if($isSecureMOR -eq 1)
    {
        LogAndConsoleSuccess "Secure MOR is available"
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 2 /f '
    }
    else
    {
        $WarningMsg = "Secure MOR is absent"
        if($HLK)
        {
            LogAndConsoleError $WarningMsg
            $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null
        }
        else
        {
            LogAndConsoleWarning $WarningMsg
            $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null
        }
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 0 /f '
    }
}

function CheckNXProtection
{
    $isNXProtected = CheckDGFeatures(5)
    Log "isNXProtected= $isNXProtected "
    if($isNXProtected -eq 1)
    {
        LogAndConsoleSuccess "NX Protector is available"
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 2 /f '
    }
    else
    {
        LogAndConsoleWarning "NX Protector is absent"
        $DGVerifyWarn.AppendLine("NX Protector is absent") | Out-Null
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 0 /f '
    }
}

function CheckSMMProtection
{
    $isSMMMitigated = CheckDGFeatures(6)
    Log "isSMMMitigated= $isSMMMitigated "
    if($isSMMMitigated -eq 1)
    {
        LogAndConsoleSuccess "SMM Mitigation is available"
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 2 /f '
    }
    else
    {
        LogAndConsoleWarning "SMM Mitigation is absent"
        $DGVerifyWarn.AppendLine("SMM Mitigation is absent") | Out-Null
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 0 /f '
    }
}

function CheckHSTI
{
    LogAndConsole "Copying HSTITest.dll"
    try
    {
        $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
        [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
    }
    catch
    {
        LogAndConsole $_.Exception.Message
        LogAndConsole "Copying and loading HSTITest.dll failed"
    }

    Instantiate-Kernel32
    Instantiate-HSTI
}

function PrintToolVersion
{
    LogAndConsole ""
    LogAndConsole "###########################################################################"
    LogAndConsole ""
    LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
    LogAndConsole ""
    LogAndConsole "###########################################################################"
    LogAndConsole ""
}

PrintToolVersion

if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -and !($ResetVerifier))
{
    #Print Usage if none of the options are specified
    LogAndConsoleWarning "How to read the output:"
    LogAndConsoleWarning ""
    LogAndConsoleWarning " 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG"
    LogAndConsoleWarning " 2. Yellow Warnings: This device can be used to enable and use DG/CG, but `n    additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr"
    LogAndConsoleWarning " 3. Green Messages: This device is fully compliant with DG/CG requirements`n"

    LogAndConsoleWarning "###########################################################################"
    LogAndConsoleWarning ""
    LogAndConsoleWarning "Hardware requirements for enabling Device Guard and Credential Guard"
    LogAndConsoleWarning " 1. Hardware: Recent hardware that supports virtualization extension with SLAT"
    LogAndConsoleWarning ""
    LogAndConsoleWarning "########################################################################### `n"

    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path"
    LogAndConsoleWarning "Log file with details is found here: C:\DGLogs `n"

    LogAndConsoleWarning "To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path <full path to the SIPolicy.p7b> `n"

    LogAndConsoleWarning "To Enable only HVCI"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -HVCI `n"

    LogAndConsoleWarning "To Enable only CG"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -CG `n"

    LogAndConsoleWarning "To Verify if DG/CG is enabled"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n"

    LogAndConsoleWarning "To Disable DG/CG."
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Disable `n"

    LogAndConsoleWarning "To Verify if DG/CG is disabled"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n"

    LogAndConsoleWarning "To Verify if this device is DG/CG Capable"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable`n"

    LogAndConsoleWarning "To Verify if this device is HVCI Capable"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable -HVCI`n"

    LogAndConsoleWarning "To Auto reboot with each option"
    LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot`n"
    LogAndConsoleWarning "###########################################################################"
    LogAndConsoleWarning ""
    LogAndConsoleWarning "When the Readiness Tool with '-capable' is run the following RegKey values are set:"
    LogAndConsoleWarning ""
    LogAndConsoleWarning "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities"
    LogAndConsoleWarning "CG_Capable"
    LogAndConsoleWarning "DG_Capable"
    LogAndConsoleWarning "HVCI_Capable"
    LogAndConsoleWarning ""
    LogAndConsoleWarning "Value 0 = not possible to enable DG/CG/HVCI on this device"
    LogAndConsoleWarning "Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI"
    LogAndConsoleWarning "Value 2 = fully compatible for DG/CG/HVCI"
    LogAndConsoleWarning ""
    LogAndConsoleWarning "########################################################################### `n"
}

$user = [Security.Principal.WindowsIdentity]::GetCurrent();
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)

if(!$TestForAdmin)
{
    LogAndConsoleError "This script requires local administrator privileges. Please execute this script as a local administrator."
    exit
}

$isRunningOnVM = (get-wmiobject win32_computersystem).model
if($isRunningOnVM.Contains("Virtual"))
{
    LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization."
}

<# Check the DG status if enabled or disabled, meaning if the device is ready or not #>
if($Ready)
{
    PrintHardwareReq

    $DGRunning = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
    $_ConfigCIState = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).CodeIntegrityPolicyEnforcementStatus
    Log "Current DGRunning = $DGRunning, ConfigCI= $_ConfigCIState"
    $_HVCIState = CheckDGRunning(2)
    $_CGState = CheckDGRunning(1)

    if($HVCI)
    {
        Log "_HVCIState: $_HVCIState"
        PrintHVCIDetails $_HVCIState
    }
    elseif($CG)
    {
        Log "_CGState: $_CGState"
        PrintCGDetails $_CGState

        if($_CGState)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
        }
        else
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 0 /f'
        }
    }
    elseif($DG)
    {
        Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"

        PrintHVCIDetails $_HVCIState
        PrintConfigCIDetails $_ConfigCIState

        if($_ConfigCIState -and $_HVCIState)
        {
            LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
        }
        else
        {
            LogAndConsoleWarning "Not all services are running."
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
        }
    }
    else
    {
        Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"

        PrintCGDetails $_CGState
        PrintHVCIDetails $_HVCIState
        PrintConfigCIDetails $_ConfigCIState

        if(($DGRunning.Length -ge 2) -and ($_CGState) -and ($_HVCIState) -and ($_ConfigCIState -ge 1))
        {
            LogAndConsoleSuccess "HVCI, Credential Guard, and Config CI are enabled and running."
        }
        else
        {
            LogAndConsoleWarning "Not all services are running."
        }
    }
}

<# Enable and Disable #>
if($Enable)
{
    PrintHardwareReq

    LogAndConsole "Enabling Device Guard and Credential Guard"
    LogAndConsole "Setting RegKeys to enable DG/CG"

    ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f'
    #Only SecureBoot is required as part of RequirePlatformSecurityFeatures
    ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f'

    $_isRedstone = IsRedstone
    if(!$_isRedstone)
    {
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f'
    }
    else
    {
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f'
    }

    if(!$HVCI -and !$DG)
    {
        # value is 2 for both Th2 and RS1
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f'
    }
    if(!$CG)
    {
        if(!$_isRedstone)
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
        }
        else
        {
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
            ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
        }
    }

    try
    {
        if(!$HVCI -and !$CG)
        {
            if(!$SIPolicyPath)
            {
                Log "Writing Decoded SIPolicy.p7b"
                $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
                [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
            }
            else
            {
                LogAndConsole "Copying user provided SIpolicy.p7b"
                $CmdOutput = Copy-Item $SIPolicyPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" | Out-String
                Log $CmdOutput
            }
        }
    }
    catch
    {
        LogAndConsole "Writing SIPolicy.p7b file failed"
    }

    LogAndConsole "Enabling Hyper-V and IOMMU"
    $_isRedstone = IsRedstone
    if(!$_isRedstone)
    {
        LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
        #Enable/Disable IOMMU separately
        ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
    }
    $CmdOutput =  DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
    if(!$CmdOutput.Contains("The operation completed successfully."))
    {
        $CmdOutput =  DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Online /All /NoRestart | Out-String
    }

    Log $CmdOutput
    if($CmdOutput.Contains("The operation completed successfully."))
    {
        LogAndConsoleSuccess "Enabling Hyper-V and IOMMU successful"
        #Reg key for HLK validation of DISM.EXE step
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 1 /f'
    }
    else
    {
        LogAndConsoleWarning "Enabling Hyper-V failed please check the log file"
        #Reg key for HLK validation of DISM.EXE step
        ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 0 /f'
    }
    AutoRebootHelper
}

if($Disable)
{
    LogAndConsole "Disabling Device Guard and Credential Guard"
    LogAndConsole "Deleting RegKeys to disable DG/CG"

    ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f'
    ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f'

    $_isRedstone = IsRedstone
    if(!$_isRedstone)
    {
        ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f'
    }
    else
    {
        ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f'
    }

    if(!$CG)
    {
        ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f'
        if($_isRedstone)
        {
            ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f'
        }
    }

    if(!$HVCI -and !$DG)
    {
        ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f'
    }

    if(!$HVCI -and !$CG)
    {
        ExecuteCommandAndLog 'del  "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"'
    }

    if(!$HVCI -and !$DG -and !$CG)
    {
        LogAndConsole "Disabling Hyper-V and IOMMU"
        $_isRedstone = IsRedstone
        if(!$_isRedstone)
        {
            LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
            #Enable/Disable IOMMU separately
            ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
        }
        $CmdOutput =  DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
        if(!$CmdOutput.Contains("The operation completed successfully."))
        {
            $CmdOutput =  DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Online /NoRestart | Out-String
        }
        Log $CmdOutput
        if($CmdOutput.Contains("The operation completed successfully."))
        {
            LogAndConsoleSuccess "Disabling Hyper-V and IOMMU successful"
        }
        else
        {
            LogAndConsoleWarning "Disabling Hyper-V failed please check the log file"
        }

        #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
        #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
        #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
        $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
        Log "FreeDrive=$FreeDrive"
        ExecuteCommandAndLog 'mountvol $FreeDrive /s'
        $CmdOutput = Copy-Item "$env:windir\System32\SecConfig.efi" $FreeDrive\EFI\Microsoft\Boot\SecConfig.efi -Force | Out-String
        LogAndConsole $CmdOutput
        ExecuteCommandAndLog 'bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut /application osloader'
        ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path \EFI\Microsoft\Boot\SecConfig.efi'
        ExecuteCommandAndLog 'bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}"'
        ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-ISO,DISABLE-VBS'
        ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=$FreeDrive'
        ExecuteCommandAndLog 'mountvol $FreeDrive /d'
        #steps complete
    }
    AutoRebootHelper
}

if($Clear)
{
    ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /f'
    VerifierReset
}

if($ResetVerifier)
{
    VerifierReset
}

<# Is machine Device Guard / Cred Guard Capable and Verify #>
if($Capable)
{
    PrintHardwareReq

    LogAndConsole "Checking if the device is DG/CG Capable"

    $_isRedstone = IsRedstone
    if(!$_isRedstone)
    {
        LogAndConsoleWarning "Capable is currently fully supported in Redstone only.."
    }
    $_StepCount = 1
    if(!$CG)
    {
        LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
        $_StepCount++
        CheckDriverCompat
    }

    LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
    $_StepCount++
    CheckSecureBootState

    if(!$HVCI -and !$DG -and !$CG)
    {
        #check only if sub-options are absent
        LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
        $_StepCount++
        CheckHSTI
    }

    LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
    $_StepCount++
    CheckOSArchitecture

    LogAndConsole " ====================== Step $_StepCount Supported OS SKU ====================== "
    $_StepCount++
    CheckOSSKU

    LogAndConsole " ====================== Step $_StepCount Virtualization Firmware ====================== "
    $_StepCount++
    CheckVirtualization

    if(!$HVCI -and !$DG)
    {
        LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
        $_StepCount++
        CheckTPM

        LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
        $_StepCount++
        CheckSecureMOR
    }

    LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
    $_StepCount++
    CheckNXProtection

    LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
    $_StepCount++
    CheckSMMProtection

    LogAndConsole " ====================== End Check ====================== "

    LogAndConsole " ====================== Summary ====================== "
    ListSummary
    LogAndConsole "To learn more about required hardware and software please visit: https://aka.ms/dgwhcr"
}

# SIG # Begin signature block
## REPLACE
# SIG # End signature block

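After rebooting, I found that the virtual machine still would not start. At this point I suspected that the script executed above had done nothing. So how do we tell whether Device/Credential Guard has actually been turned off?

Press Win+R, type msinfo32 in the Run box and press Enter to open System Information, as shown below:

You will find that virtualization-based security is still in the running state, which will not do. Here is how to turn it off:
The following steps are very important.

1. Press Win+R → type regedit → open Registry Editor.

2. Paste the following into the address bar (or click through the folders one by one): Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
As shown:

3. Modify or add 4 values, as follows:
ConfigureSystemGuardLaunch: value 2
EnableVirtualizationBasedSecurity: value 0
RequireMicrosoftSignedBootChain: value 1
RequirePlatformSecurityFeatures: value 1

The names must be exact, so copy and paste them from above. Every new value is a DWORD (32-bit). See the official documentation for these 4 values.

4. Paste the following into the address bar (or click through the folders one by one): Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
As shown:

5. Add 1 value, as follows:
LsaCfgFlags: value 0

The name must be exact, so copy and paste it from above. The new value is a DWORD (32-bit). See the official documentation for this value.

6. Reboot. The change only takes effect after a reboot!

7. Press Win+R, type msinfo32 and press Enter to open System Information. It should now match my screenshot at the very top: the "Virtualization-based security" item is now turned off.

8. Reopen VMware and start your virtual machine; it now runs successfully.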
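Steps 3, 5 and 7 above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original post or of Microsoft's tool; it records the previous values before writing so the setting can be restored later. The `-Apply` switch and the backup file path are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: steps 3, 5 and 7 of the article as one script. Not Microsoft's tool.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Names and values exactly as listed in steps 3 and 5.
$wanted = @(
    @{ Path = $dgKey;  Name = 'ConfigureSystemGuardLaunch';        Value = 2 }
    @{ Path = $dgKey;  Name = 'EnableVirtualizationBasedSecurity'; Value = 0 }
    @{ Path = $dgKey;  Name = 'RequireMicrosoftSignedBootChain';   Value = 1 }
    @{ Path = $dgKey;  Name = 'RequirePlatformSecurityFeatures';   Value = 1 }
    @{ Path = $lsaKey; Name = 'LsaCfgFlags';                       Value = 0 }
)

# Capture the current values first so the change can be reverted later.
$report = foreach ($w in $wanted) {
    $item = Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Path = $w.Path; Name = $w.Name
        Previous = if ($item) { $item.($w.Name) } else { '<absent>' }
        Wanted = $w.Value
    }
}
$report | Format-Table -AutoSize

if ($Apply) {
    # Assumed backup location; pick any path you will still have after the reboot.
    $report | Export-Csv -Path "$env:USERPROFILE\deviceguard-registry-backup.csv" -NoTypeInformation
    foreach ($w in $wanted) {
        if (-not (Test-Path $w.Path)) { New-Item -Path $w.Path -Force | Out-Null }
        New-ItemProperty -Path $w.Path -Name $w.Name -PropertyType DWord -Value $w.Value -Force | Out-Null
    }
    Write-Host 'Values written. Reboot (step 6), then run again without -Apply.'
}

# Same information as the msinfo32 row checked in step 7.
$vbsText = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    "Virtualization-based security: $($vbsText[[int]$dg.VirtualizationBasedSecurityStatus])"
    "Credential Guard running:      $($dg.SecurityServicesRunning -contains 1)"
    "HVCI running:                  $($dg.SecurityServicesRunning -contains 2)"
} else {
    'Win32_DeviceGuard is not available here; check msinfo32 instead.'
}
```

The status lines read the same `Win32_DeviceGuard` class that the script's `-Ready` branch queries, where service 1 is Credential Guard and service 2 is HVCI.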
