collects the Device Guard properties and running services (e.g. Credential Guard) from a system and maps them to CSV format, in order to find systems where e.g. Credential Guard is configured but not actually running.
After we activated Credential Guard via GPO in the company I work for, we discovered that it does not work on all systems for various reasons, for example because Secure Boot is not activated, to name one.
Once the data has been collected, it can be imported into the XLSX template and evaluated for security configuration gaps. The meaning of the different keys and their values was taken from the following Microsoft documentation: https://learn.microsoft.com/en-us/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity
In order to find out which systems are affected, I wrote a PowerShell script that collects all the properties I thought were needed, maps them into CSV format and writes them to a file share. The script can, for example, be distributed to the desired target group of devices via GPO. Setting a registry key ensures that the script is only executed once on the corresponding target system.
As one of the main issues was that the collected data was not up to date, I have now restructured the project to make the implementation of the topic easier and more complete:
API:
- I have implemented a Web API to centrally collect, update, and export data from each host.
- The data can be exported as a CSV file and then filtered with Excel or any other tool
Client:
- A PowerShell agent now runs on the clients; it reads the data and sends it to the API when the system is started up or shut down.
- If no changes have been made to the settings, only the "lastConnected" column in the database is updated.
- If changes have been made, the "lastUpdated" column and all other columns are also updated.
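As an added example (not the project's own collection script or agent), the following PowerShell block shows the two pieces described above in one place: it reads the Win32_DeviceGuard class whose values the linked Microsoft documentation explains, flags hosts where Credential Guard is configured but not running (and which required platform property, e.g. Secure Boot, is missing), and posts the result to the API with a settings hash so that the API can decide whether only "lastConnected" or also "lastUpdated" and the other columns need updating. The API URL, the JSON field names and the fallback file-share path are assumptions for illustration, not from the project.

```powershell
# Added example, not the project's own code. Collects Win32_DeviceGuard properties,
# decodes them per the linked Microsoft documentation, and reports them to the API.
# Assumed (not from the original page): $ApiUrl, the JSON field names, the CSV share path.
param(
    [string]$ApiUrl = 'https://dg-inventory.example.internal/api/hosts'  # assumed endpoint
)

# Value meanings from the Microsoft documentation for the Win32_DeviceGuard class.
$SecurityServices = @{
    1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SystemGuardSecureLaunch'; 4 = 'SmmFirmwareMeasurement'
}
$SecurityProperties = @{
    1 = 'HypervisorSupport'; 2 = 'SecureBoot'; 3 = 'DmaProtection'; 4 = 'SecureMemoryOverwrite'
    5 = 'NxProtections'; 6 = 'SmmMitigations'; 7 = 'ModeBasedExecutionControl'
}
$VbsStatus = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'EnabledAndRunning' }

function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    if (-not $dg) { throw 'Win32_DeviceGuard class not available on this system' }

    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)
    $available  = @($dg.AvailableSecurityProperties)
    # 0 in RequiredSecurityProperties means "nothing required"; drop it before comparing.
    $required   = @($dg.RequiredSecurityProperties) | Where-Object { $_ -ne 0 }

    # Services configured (via GPO/registry) but not actually running: the gap we are after.
    $notRunning = $configured | Where-Object { $running -notcontains $_ }

    [pscustomobject]@{
        Hostname                  = $env:COMPUTERNAME
        VbsStatus                 = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured        = ($configured | ForEach-Object { $SecurityServices[[int]$_] }) -join ';'
        ServicesRunning           = ($running    | ForEach-Object { $SecurityServices[[int]$_] }) -join ';'
        ConfiguredButNotRunning   = ($notRunning | ForEach-Object { $SecurityServices[[int]$_] }) -join ';'
        CredentialGuardGap        = [bool]($notRunning -contains 1)
        # Required properties the platform does not provide explain why VBS does not start
        # (e.g. SecureBoot missing, the case mentioned above).
        MissingRequiredProperties = ($required | Where-Object { $available -notcontains $_ } |
                                     ForEach-Object { $SecurityProperties[[int]$_] }) -join ';'
        CodeIntegrityEnforcement  = [int]$dg.CodeIntegrityPolicyEnforcementStatus
        UmciEnforcement           = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    }
}

function Get-SettingsHash {
    param([pscustomobject]$State)
    # Hash the settings (not the hostname) so the API can distinguish "settings changed"
    # (update lastUpdated and all columns) from "same settings, host checked in" (lastConnected only).
    $json  = $State | Select-Object -Property * -ExcludeProperty Hostname | ConvertTo-Json -Compress
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($json)
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    return ([System.BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-', ''
}

$state = Get-DeviceGuardState
$body  = [pscustomobject]@{
    host         = $state.Hostname                      # assumed field name
    settingsHash = Get-SettingsHash -State $state       # assumed field name
    collectedAt  = (Get-Date).ToUniversalTime().ToString('o')
    deviceGuard  = $state
} | ConvertTo-Json -Depth 4

# Run as a GPO startup/shutdown script. If the API is unreachable, fall back to writing
# one CSV per host to a file share, as in the original one-shot script (path assumed).
try {
    Invoke-RestMethod -Uri $ApiUrl -Method Post -ContentType 'application/json' `
        -Body $body -UseDefaultCredentials | Out-Null
} catch {
    $state | Export-Csv -Path "\\fileserver\share\deviceguard\$($state.Hostname).csv" -NoTypeInformation
}
```

The "ConfiguredButNotRunning" and "MissingRequiredProperties" columns are the ones to filter on in Excel: a host with CredentialGuard in the first and SecureBoot in the second is exactly the case where the GPO applied but the platform cannot start VBS.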