Turn on Memory Integrity via Intune


Hi,

I want to turn on Memory Integrity via Intune.

I used the following script to turn on Memory Integrity, but it didn't work.
Also, there are no errors or failure statuses on the Intune Scripts Status page.
Could someone please suggest?

This is the script I used:

# Registry key path
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"

# Desired value for Memory Integrity (1 = enabled). Note that this value alone does
# not apply a UEFI lock; the lock is the separate "Locked" value under the same key.
$desiredValue = 1

# Initialize exit code
$exitCode = 0 # 0 indicates success by convention

try {
    # Check if the key exists
    if (Test-Path -Path $registryPath) {
        # Read the current value; yields $null rather than an error if "Enabled" does not exist yet
        $currentValue = (Get-ItemProperty -Path $registryPath -ErrorAction SilentlyContinue).Enabled

        # Check if the value is already set to the desired value
        if ($currentValue -eq $desiredValue) {
            Write-Host "Memory Integrity is already enabled. No changes made."
        } else {
            # If the key exists but the value is not as desired, set it to the desired value (REG_DWORD)
            Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue -Type DWord
            Write-Host "Memory Integrity enabled successfully (takes effect after a reboot)."
        }
    } else {
        # If the key does not exist, create it and set it to the desired value.
        # Out-Null suppresses the key object New-Item would otherwise write to the output.
        New-Item -Path $registryPath -Force | Out-Null
        Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue -Type DWord
        Write-Host "Memory Integrity enabled successfully (takes effect after a reboot)."
    }
} catch {
    Write-Host "An error occurred: $_"
    $exitCode = 1 # 1 indicates failure
}

# Exit with the specified exit code
exit $exitCode

Output of the regedit:
Enabled      : 1
PSPath       : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName  : HypervisorEnforcedCodeIntegrity
PSProvider   : Microsoft.PowerShell.Core\Registry




7 Replies
Well, I also tried that before.
But it didn't turn on Memory Integrity.

@newtotechcom-J To achieve this, I used the settings catalog. This setting is named differently here but gives the desired result: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechno...


@JosvanderVaart 

I already tried this but it didn't work.

This is the error I see.


Did you restart the device? I recall that being a requirement.

@JosvanderVaart

I have Memory Integrity turned ON for me.



And these are the registry values for me:

PS C:\WINDOWS\system32> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity


Enabled : 1
HVCIMATRequired : 0
Locked : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry

And this is the registry value for the user where it is not turned ON using my script:

PS C:\Users\XX> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity


Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry

 

How can I have the same registry value for the users where it is not turned ON?
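The two registry dumps above show why "Enabled : 1" on its own is not enough to conclude that Memory Integrity is on: the registry records what the device is configured to do, while the running state is reported separately by the Win32_DeviceGuard WMI class. The following detection script is an added example and not code from any post in this thread; it reads the same key as the script above (plus the Locked value the working device has) and compares it with the live state, using the Intune remediation exit-code convention (0 = compliant, 1 = not compliant) as an assumption.

```powershell
# Added example: compare configured HVCI state (registry) with the running state (WMI).
# Exit 0 = Memory Integrity running, exit 1 = not running (Intune remediation convention).

$hvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

# Configured view: what the device should do after the next reboot.
$cfg     = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
$enabled = [int]($cfg.Enabled -eq 1)
$locked  = [int]($cfg.Locked  -eq 1)   # UEFI lock; a separate value from Enabled

# Running view: what the hypervisor is actually enforcing right now.
# SecurityServicesRunning contains 2 when HVCI (Memory Integrity) is running.
# VirtualizationBasedSecurityStatus: 0 = VBS off, 1 = enabled but not running, 2 = running.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard `
        -ErrorAction SilentlyContinue
$hvciRunning = [bool]($dg.SecurityServicesRunning -contains 2)
$vbsStatus   = $dg.VirtualizationBasedSecurityStatus

Write-Output ("Registry Enabled={0} Locked={1}; VBS status={2}; HVCI running={3}" -f `
    $enabled, $locked, $vbsStatus, $hvciRunning)

if ($hvciRunning) {
    Write-Output 'Memory Integrity is running.'
    exit 0
}

# Enabled=1 in the registry but HVCI not running is the situation in this thread:
# the value is written, but it only takes effect after a reboot, and only when the
# platform prerequisites for VBS (virtualization support, Hyper-V) are met.
if ($enabled -eq 1) {
    Write-Output 'Memory Integrity is configured but not running (pending reboot or VBS prerequisites).'
} else {
    Write-Output 'Memory Integrity is not configured in the registry.'
}
exit 1
```

Running this on the two devices above would report the same Enabled=1 for both, but only the working one should show HVCI running=True; the other is the case to investigate (reboot, then VBS prerequisites) rather than a registry write that failed.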

@rahuljindal-MVP 

Yes, I did.

 
