HotCakeX / Harden-Windows-Security

Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Enterprise, Government and Military security levels | Read The Rationale https://github.com/HotCakeX/Harden-Windows-Security/blob/main/Rationale.md
https://hotcakex.github.io
MIT License

Update Harden-Windows-Security.ps1 #10

Closed HotCakeX closed 1 year ago

HotCakeX commented 1 year ago

This is an upcoming version of the script that only enables BitLocker DMA protection if Kernel DMA protection is unavailable/disabled.

The Security Baseline X zip file that this script uses is the one in this pull request, and the script points to it instead of the live one.

https://github.com/HotCakeX/Harden-Windows-Security/pull/9
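As an added example (not the repository's own script), the conditional described above can be implemented like this. It assumes that Kernel DMA Protection status is read through NtQuerySystemInformation with the SystemDmaGuardPolicyInformation class (202), that the BitLocker "Disable new DMA devices when this computer is locked" policy is the DWORD `DisableExternalDMAUnderLock` under `HKLM\SOFTWARE\Policies\Microsoft\FVE`, and that it runs in an elevated FullLanguage session (Add-Type is blocked under Constrained Language Mode).

```powershell
# Added example, not the repository's own script: only enable the BitLocker DMA
# policy when Kernel DMA Protection is not active on this boot.
# Assumptions: SystemDmaGuardPolicyInformation (202) returns a single byte that is
# non-zero when Kernel DMA Protection is enabled; the policy value is
# HKLM\SOFTWARE\Policies\Microsoft\FVE\DisableExternalDMAUnderLock (DWORD 1).

$KernelDmaSource = @'
using System;
using System.Runtime.InteropServices;

public static class KernelDmaProtection
{
    [DllImport("ntdll.dll")]
    private static extern int NtQuerySystemInformation(
        int SystemInformationClass,
        IntPtr SystemInformation,
        int SystemInformationLength,
        out int ReturnLength);

    // SYSTEM_DMA_GUARD_POLICY_INFORMATION holds one BOOLEAN, DmaGuardPolicyEnabled.
    public static bool IsEnabled()
    {
        const int SystemDmaGuardPolicyInformation = 202;
        IntPtr buffer = Marshal.AllocHGlobal(1);
        try
        {
            int returned;
            int status = NtQuerySystemInformation(SystemDmaGuardPolicyInformation, buffer, 1, out returned);
            // NTSTATUS 0 == STATUS_SUCCESS; anything else means the query is unsupported here
            return status == 0 && Marshal.ReadByte(buffer) != 0;
        }
        finally
        {
            Marshal.FreeHGlobal(buffer);
        }
    }
}
'@

if (-not ('KernelDmaProtection' -as [type])) {
    Add-Type -TypeDefinition $KernelDmaSource
}

function Test-KernelDmaProtection {
    [OutputType([bool])]
    param()
    return [KernelDmaProtection]::IsEnabled()
}

function Enable-BitLockerDmaProtectionIfNeeded {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $ValueName  = 'DisableExternalDMAUnderLock'

    if (Test-KernelDmaProtection) {
        Write-Host 'Kernel DMA Protection is active; leaving the BitLocker DMA policy untouched.'
        return
    }

    Write-Host 'Kernel DMA Protection is unavailable or disabled; enabling the BitLocker DMA policy.'
    if ($PSCmdlet.ShouldProcess("$PolicyPath\$ValueName", 'Set to 1')) {
        if (-not (Test-Path -Path $PolicyPath)) {
            New-Item -Path $PolicyPath -Force | Out-Null
        }
        Set-ItemProperty -Path $PolicyPath -Name $ValueName -Value 1 -Type DWord
    }
}

# Preview the decision first; drop -WhatIf to actually write the policy value.
Enable-BitLockerDmaProtectionIfNeeded -WhatIf
```

Writing the policy value directly only reproduces what the Group Policy setting would write; on a domain-joined machine a conflicting GPO will overwrite it on the next refresh, so the same check belongs in whichever layer owns the policy.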

HotCakeX commented 1 year ago

After multiple successful tests, merged this.

innovatodev commented 1 year ago

That's beautiful. I also come with good news: I will maybe be able to test the full script with full features. I found IOMMU and all the other options manually with the search option in the BIOS; I was unable to find these even when going through all menus and sub-menus, but with direct search they appear. Most were in Auto or Disabled; I turned everything to Enabled. I hope it will work now, I'll be able to try this week 😄 😄 😄 😄 😄 😄 (sorry, I'm happy lol)

I'm in a hurry to test that out when I get some time! And since you added the non-DMA version, in case it fails, I'll have that as a reward haha. Good work really.

HotCakeX commented 1 year ago

@innovatodev Oh, very glad to know that ^^ UEFI manufacturers don't make it easy for us to find them xD Could you mention the exact names of those features in your UEFI here so that it can help others find similar settings, or maybe take pictures :D

Thank you ty, you too 🙂

innovatodev commented 1 year ago

On my MSI Click BIOS 5:

- IOMMU was in Auto => Enabled
- SR-IOV was Disabled => Enabled (single root virtualization)
- SVM Mode was already enabled, but that is one of the different names for AMD-V, so search for SVM Mode or AMD-V
- SMT Control (that one is required if you want to sleep or hibernate)
- Re-Size BAR (that's the DMA/Direct Memory Access/Smart Memory Access)

The easiest way is just to search for them with the search function. For example, the SR-IOV is totally a ghost: I searched for it manually in each category and sub-category and couldn't find it at all, and it was disabled by default. Maybe it is because I updated the firmware to the latest version; the last release note says it updated some Secure Boot related things. It added some Linux distributions into the default variables provision (Deb and Ubuntu) support without disabling Secure Boot, that's great. I'll test tomorrow if I can get full access to Secure Boot + DMA settings :D

HotCakeX commented 1 year ago

Thank you, I'll use those options in a Wiki post to let other AMD users know about them ^^ Looking forward to the result of your test!

innovatodev commented 1 year ago

No luck :( Even when the script is in non-DMA mode, it bugs out the code integrity in disabled mode, but the readiness tool from Microsoft does not:

2023_01_31_07_23_28_harden_sur_INNOVATODEV-PC_-_Connexion_à_un_ordinat

Both English and French VMs do not work.

2023_01_31_07_21_42_harden_sur_INNOVATODEV-PC_-_Connexion_à_un_ordinat

That is maybe the cause... it needs the host to be English at bare minimum; if the host is English, maybe the VM doesn't have to be.

There is a difference between my English and French VMs: on the English one, the script shows only yellow and green output (Microsoft says it's compatible if there are no red flags), even if in my case it does not work...

But on the French VM:

2023_01_31_07_27_23_harden_sur_INNOVATODEV-PC_-_Connexion_à_un_ordinat

But I downloaded both ISOs from the Media Creation Tool a few minutes ago. That's maybe because my host is not in English mode; I can't see any reason because all test checks are passed (just not the OS SKU for the French one).

The good news is: I don't see any error about the account ID when importing your Baseline X, something changed about that.

2023_01_31_07_34_48_harden_sur_INNOVATODEV-PC_-_Connexion_à_un_ordinat

I was having an error between the import and the purple "run Windows Security" message; now I don't have it anymore.

Since your script enables Constrained Language Mode for PowerShell, I can't use the Microsoft tool after using yours, because their script uses some C# types (StreamReader/StreamWriter) and CLM only allows pure PowerShell commands, so it says access denied ^^

But in all cases, even the Microsoft script is not able to fully activate Secure Boot + DMA even if I don't have red messages (on the English VM), so it's not a problem with your script at all. When I activate Secure Boot + DMA, the GPO bugs out, whether manually, with your script or with the Microsoft one.

I'll be busy for 2 days and then I'll test more things. I'll try to install Windows en-US on my host on a random SSD to see if it's only a problem of French on the host like the yellow message suggests 😢 haha

HotCakeX commented 1 year ago

@innovatodev

Thank you for testing,

First I wanna show you what Windows Security => Device Security looks like when I clean install Windows from an ISO file and don't modify anything. I just update Windows, restart, and then this is what I see:

https://1drv.ms/v/s!AtCaUNAJbbvIhslVEKYKW_peXqKKhQ?e=ybqirD

That video is from an i7 7700K, an old CPU of mine. You can see in the video that Enhanced hardware security is enabled by default without my intervention.

image

If my hardware supported System Guard Secure Launch, it'd be enabled by default too and then I'd have Secured-core PC specifications instead of Enhanced hardware security.

I want to know if all of those features get turned on by default (without you turning them on manually), on your hardware too.

So, could you please show me the full Windows Security (Defender) GUI and also System Information, after just clean installing Windows, fully updating it and restarting?

I want to see what your hardware is capable of by default, when no user configuration is applied.

image

About Constrained Language Mode in PowerShell, it will only be enforced when User-Mode Code Integrity is enabled. By default, Kernel-mode Code Integrity is enabled and User-mode Code Integrity (UMCI) is in Audit mode, but when we use a WDAC policy or Smart App Control, then UMCI will also be enabled and enforced.

¹ MSFT employee answer ² WDAC documentation

Windows Device Guard features in the latest Windows 11 build are turned on by default when 1) the hardware supports them and 2) those features are enabled in UEFI. The only reason the Device Guard category exists in the Security Baseline X is to make sure UEFI lock is enabled for some of those features, where available.

After you show them to me, we can decide what to do next.

I could switch to registry-based enablement instead of Group Policy so that I only target UEFI lock for those features and don't touch anything else.

innovatodev commented 1 year ago

I made a complete report with msinfo32. I'll show you the important things here; if you want, hit me on Discord (sent you my Discord name in a Reddit PM) for the complete report if you want to investigate (since there is a lot of information). I'm not at home for 2-3 days so I can't really test anything until I'm home.

On my host (French):

Propriétés de sécurité disponibles pour la sécurité basée sur la virtualisation: Prise en charge de la virtualisation de base, Démarrage sécurisé, Protection DMA, Remplacement de mémoire sécurisé, Code UEFI en lecture seule, SMM Security Mitigations 1.0, Contrôle d'exécution basé sur le mode

Services en cours d'exécution pour la sécurité basée sur la virtualisation: Credential Guard, Intégrité du code appliquée par l'hyperviseur

[DMA] Ressource Périphérique Statut
Canal 4 Contrôleur d'accès direct à la mémoire OK

Translated:

Security Properties Available for Virtualization-Based Security:

Running services for virtualization-based security:

[DMA] Resource Device Status
Channel 4 Direct Memory Access Controller OK

As I can see, I'm pretty compliant with all the stuff. I think I need my host to be DMA-enabled in order to have it on my VM; that's the only thing I see.

2023_01_31_21_52_42_Sécurité_Windows (your device meets the requirements for enhanced hardware security)

But I'm not seeing anything on security health. 2023_01_31_21_37_21_Sécurité_Windows

2023_01_31_21_37_36_Paramètres

My Windows build is the latest 22H2 retail one, no Insider, but the latest retail possible.

I can't activate DMA and all the stuff on my host atm for different reasons, but I'll unplug my NVMe and test a fresh Windows on a random SSD to see if I need to have all this stuff on my host in order to get it in my VMs.

Since the dmacheck script is showing it needs English on both host and VM, I think they don't offer this as default on non-English Windows (at least the host seems to be required to be English); that's what I'll test later this week.
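The msinfo32 rows quoted above (available security properties, running VBS services, DMA) and the earlier point that Constrained Language Mode follows User-Mode Code Integrity enforcement can both be read from one locale-independent source, the Win32_DeviceGuard CIM class, so an English and a French machine produce the same report. This is an added example, not code from the repository or from the commenters; the numeric-to-name tables are an assumption based on Microsoft's documented meanings for that class, and an unmapped value is reported as unknown rather than guessed.

```powershell
# Added example, not the repository's own code: decode Win32_DeviceGuard into the
# same facts msinfo32 shows, independent of the Windows display language.
# Assumption: the code-to-name tables below match Microsoft's documentation for
# this class; a value outside the tables is shown as "Unknown (n)".

$SecurityProperties = @{
    1 = 'Base Virtualization Support'
    2 = 'Secure Boot'
    3 = 'DMA Protection'
    4 = 'Secure Memory Overwrite'
    5 = 'UEFI Code Readonly'
    6 = 'SMM Security Mitigations 1.0'
    7 = 'Mode Based Execution Control'
    8 = 'APIC Virtualization'
}

$SecurityServices = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor enforced Code Integrity'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit)'
    7 = 'Hypervisor-Enforced Paging Translation'
}

$EnforcementStatus = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

function ConvertTo-Names {
    # Map each numeric code to its documented name; never silently drop unknown codes.
    param([int[]]$Codes, [hashtable]$Table)
    foreach ($Code in $Codes) {
        if ($Table.ContainsKey($Code)) { $Table[$Code] } else { "Unknown ($Code)" }
    }
}

function Get-DeviceGuardReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    [pscustomobject]@{
        VirtualizationBasedSecurity = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableSecurityProperties = @(ConvertTo-Names -Codes $dg.AvailableSecurityProperties -Table $SecurityProperties)
        SecurityServicesConfigured  = @(ConvertTo-Names -Codes $dg.SecurityServicesConfigured -Table $SecurityServices)
        SecurityServicesRunning     = @(ConvertTo-Names -Codes $dg.SecurityServicesRunning -Table $SecurityServices)
        KernelModeCodeIntegrity     = $EnforcementStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        # UMCI in the Enforced state is what puts PowerShell into ConstrainedLanguage mode
        UserModeCodeIntegrity       = $EnforcementStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        PowerShellLanguageMode      = "$($ExecutionContext.SessionState.LanguageMode)"
    }
}

Get-DeviceGuardReport | Format-List
```

On the French host quoted above this should list codes 1 through 7 under AvailableSecurityProperties and Credential Guard plus HVCI under SecurityServicesRunning, matching the msinfo32 rows word for word in English. Everything in the block is cmdlets and core types, so it also runs inside a Constrained Language Mode session, unlike the readiness tool mentioned earlier.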