Forum Discussion
Turn on Memory Integrity via Intune
Hi,
I want to turn on Memory Integrity via Intune.
I used the following script to turn on Memory Integrity, but it didn't.
Also, there are no errors or failure statuses on the Intune Scripts Status page.
Could someone please suggest
This is the script I used:
# Registry key path
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
# Desired value for Memory Integrity (1 for enabled with UEFI lock)
$desiredValue = 1
# Initialize exit code
$exitCode = 0 # 0 indicates success by convention
try {
    # Check if the key exists
    if (Test-Path -Path $registryPath) {
        $currentValue = Get-ItemProperty -Path $registryPath | Select-Object -ExpandProperty "Enabled"
        # Check if the value is already set to the desired value
        if ($currentValue -eq $desiredValue) {
            Write-Host "Memory Integrity is already enabled with UEFI lock. No changes made."
        } else {
            # If the key exists but the value is not as desired, set it to the desired value
            Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue
            Write-Host "Memory Integrity enabled with UEFI lock successfully."
        }
    } else {
        # If the key does not exist, create it and set it to the desired value
        New-Item -Path $registryPath -Force
        Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue
        Write-Host "Memory Integrity enabled with UEFI lock successfully."
    }
} catch {
    Write-Host "An error occurred: $_"
    $exitCode = 1 # 1 indicates failure
}
# Exit with the specified exit code
exit $exitCode
Output of the regedit:
Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
- rahuljindal-MVP (Bronze Contributor)
- newtotechcom-J (Brass Contributor)
Well, I also tried that before.
But it didn't turn on Memory integrity.
- rahuljindal-MVP (Bronze Contributor)
Did you restart the device? I recall that being a requirement.
- JosvanderVaart (Iron Contributor)
newtotechcom-J To achieve this, I used the settings catalog. This setting is named differently here but gives the desired result: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#virtualizationbasedtechnology-hypervisorenforcedcodeintegrity
- newtotechcom-J (Brass Contributor)
- newtotechcom-J (Brass Contributor)
I have Memory Integrity turned ON for me.
And these are the registry values for me:
PS C:\WINDOWS\system32> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Enabled : 1
HVCIMATRequired : 0
Locked : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
And, this is the registry value for the user where it is not turned ON using my script:
PS C:\Users\XX> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
How can I have the same registry value for the users where it is not turned ON?
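
Added example, not part of any post in this thread: a PowerShell check that reads the HVCI registry values shown above and compares them with the running state Windows reports through the Win32_DeviceGuard CIM class, so that "Enabled = 1 is written" can be told apart from "Memory Integrity is actually on". The function name Get-MemoryIntegrityState and the exit-code convention are assumptions made for this example.

```powershell
# Added example: compare the configured HVCI registry state with what is running.
# Get-MemoryIntegrityState is a hypothetical name; run from an elevated session.
function Get-MemoryIntegrityState {
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"

    # Read a DWORD value; returns $null when the key or the value is absent
    function Read-Dword([string]$Path, [string]$Name) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { $item.$Name } else { $null }
    }

    # Runtime state reported by Windows; the registry only holds the request
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
            -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

    [pscustomobject]@{
        VbsRequested   = Read-Dword $dgKey 'EnableVirtualizationBasedSecurity'
        HvciEnabled    = Read-Dword $hvciKey 'Enabled'
        HvciLocked     = Read-Dword $hvciKey 'Locked'
        # 0 = VBS off, 1 = enabled but not running, 2 = enabled and running
        VbsStatus      = $dg.VirtualizationBasedSecurityStatus
        # The value 2 in these arrays is hypervisor-enforced code integrity
        HvciConfigured = $dg.SecurityServicesConfigured -contains 2
        HvciRunning    = $dg.SecurityServicesRunning -contains 2
    }
}

$state = Get-MemoryIntegrityState
$state | Format-List

if ($state.HvciRunning) {
    Write-Output 'Memory Integrity is running.'
    exit 0
} elseif ($state.HvciEnabled -eq 1) {
    # The case in this thread: the value is written but the service is not running
    Write-Output 'Enabled = 1 is set, but HVCI is not running (restart pending or VBS not started).'
    exit 1
} else {
    Write-Output 'Memory Integrity is not configured.'
    exit 1
}
```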