Nov 08 2023 04:45 AM
Hi,
I want to turn on Memory Integrity via Intune.
I used the following script to turn on Memory Integrity, but it didn't.
Also, there are no errors or failure statuses on the Intune Scripts Status page.
Could someone please suggest
This is the script I used:
# Registry key path
$registryPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"
# Desired value for the "Enabled" DWORD (1 = Memory Integrity on).
# Note: the UEFI lock is a separate "Locked" DWORD under the same key; this script only writes "Enabled".
$desiredValue = 1
# Initialize exit code
$exitCode = 0 # 0 indicates success by convention
try {
    # Check if the key exists
    if (Test-Path -Path $registryPath) {
        # Read the current "Enabled" value (null if the value does not exist yet)
        $currentValue = Get-ItemProperty -Path $registryPath | Select-Object -ExpandProperty "Enabled"
        # Check if the value is already set to the desired value
        if ($currentValue -eq $desiredValue) {
            Write-Host "Memory Integrity is already enabled (Enabled=$desiredValue). No changes made."
        } else {
            # If the key exists but the value is not as desired, set it to the desired value
            Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue
            Write-Host "Memory Integrity enabled (Enabled=$desiredValue) successfully."
        }
    } else {
        # If the key does not exist, create it (and any missing parents) and set the value
        New-Item -Path $registryPath -Force
        Set-ItemProperty -Path $registryPath -Name "Enabled" -Value $desiredValue
        Write-Host "Memory Integrity enabled (Enabled=$desiredValue) successfully."
    }
} catch {
    Write-Host "An error occurred: $_"
    $exitCode = 1 # 1 indicates failure
}
# Exit with the specified exit code
exit $exitCode
Output of the regedit:
Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
Nov 08 2023 05:20 AM
@newtotechcom-J To achieve this, I used the settings catalog. This setting is named differently here but gives the desired result: https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-VirtualizationBasedTechno...
Nov 09 2023 02:31 AM - edited Nov 09 2023 02:31 AM
I have Memory Integrity turned ON for me.
And these are the registry values for me:
PS C:\WINDOWS\system32> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Enabled : 1
HVCIMATRequired : 0
Locked : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
And this is the registry value for the user where it is not turned ON using my script:
PS C:\Users\XX> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
How can I have the same registry values for the users where it is not turned ON?
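An added example, not code from this thread or from Microsoft: a detection-style script that reads the same registry values the posts above compare (Enabled and Locked under the HypervisorEnforcedCodeIntegrity key) alongside the Win32_DeviceGuard WMI class, so an admin can tell "Enabled=1 was written" apart from "Memory Integrity is actually running". The key path and the class/namespace names are the ones on the page and in Windows; the exit-code convention (0 compliant, 1 remediate) is an assumption about deploying it as an Intune detection or compliance script.

```powershell
# Added example (not from the thread). Run elevated on Windows 10/11 with VBS support.
$hvciKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity"

function Get-HvciState {
    # Registry view: what the policy or script asked for.
    $props   = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue
    $enabled = if ($null -ne $props) { [int]$props.Enabled } else { 0 }
    $locked  = if ($null -ne $props -and $null -ne $props.Locked) { [int]$props.Locked } else { 0 }

    # Runtime view: what the hypervisor is enforcing right now.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # SecurityServices* arrays: 1 = Credential Guard, 2 = HVCI (Memory Integrity)
    $configured = @($dg.SecurityServicesConfigured) -contains 2
    $running    = @($dg.SecurityServicesRunning)    -contains 2

    [pscustomobject]@{
        RegistryEnabled = $enabled
        RegistryLocked  = $locked      # 1 = UEFI lock, cannot be turned off by policy alone
        HvciConfigured  = $configured
        HvciRunning     = $running
        VbsStatus       = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled but not running, 2 running
    }
}

$state = Get-HvciState
$state | Format-List

# Assumed Intune convention: exit 0 = compliant, exit 1 = remediation needed.
if ($state.HvciRunning -and $state.RegistryEnabled -eq 1) {
    Write-Output "Memory Integrity is running (UEFI lock: $($state.RegistryLocked))"
    exit 0
}
elseif ($state.RegistryEnabled -eq 1) {
    # Registry says on but nothing enforces it: usually a pending reboot,
    # VBS unavailable on this hardware, or an incompatible driver blocking HVCI.
    Write-Output "Enabled=1 is written but HVCI is not running (VBS status $($state.VbsStatus))"
    exit 1
}
else {
    Write-Output "Memory Integrity is not configured"
    exit 1
}
```

Running this on the two machines in the posts above separates the case where only the registry differs (Locked missing) from the case where the value is written but the hypervisor never picked it up.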
Nov 09 2023 03:38 AM
@rahuljindal-MVP
Yes, I did.
I have Memory Integrity turned ON for me.
And these are the registry values for me:
PS C:\WINDOWS\system32> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Enabled : 1
HVCIMATRequired : 0
Locked : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
And this is the registry value for the user where it is not turned ON using my script:
PS C:\Users\XX> Get-ItemProperty -Path Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
Enabled : 1
PSPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity
PSParentPath : Microsoft.PowerShell.Core\Registry::\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
PSChildName : HypervisorEnforcedCodeIntegrity
PSProvider : Microsoft.PowerShell.Core\Registry
How can I have the same registry values as mine for the users where it is not turned ON?