Get-ComputerInfo is not updated to reflect current DeviceGuardAvailableSecurityProperties #16357

@mattifestation

Description


Prerequisites

Steps to reproduce

On a system that has support for Windows Defender Application Control (WDAC), Get-ComputerInfo will return available Virtualization-Based Security (VBS) features via the DeviceGuardAvailableSecurityProperties property. The DeviceGuardHardwareSecure enum does not support the latest features, however.

To reproduce, run the following:

Get-ComputerInfo | Select-Object -ExpandProperty DeviceGuardAvailableSecurityProperties

The issue is surfaced when returned values are output as numbers instead of human-readable strings.

To fix the issue, all that is needed is to add the following enum values to DeviceGuardHardwareSecure:

        /// <summary>
        /// UEFI Code Readonly.
        /// </summary>
        UEFICodeReadonly = 5,

        /// <summary>
        /// SMM Security Mitigations 1.0.
        /// </summary>
        SMMSecurityMitigations = 6,

        /// <summary>
        /// Mode Based Execution Control.
        /// </summary>
        ModeBasedExecutionControl = 7

These human-readable values were obtained from msinfo32.exe (System Summary->Virtualization-based security Available Security Properties).

The Get-ComputerInfo cmdlet obtains this information from the Win32_DeviceGuard class which was updated to support additional enum values:

PS> ([WmiClass] 'root\Microsoft\Windows\DeviceGuard:Win32_DeviceGuard').GetText('mof')
[dynamic: ToInstance, provider("Win32_DeviceGuard"): ToInstance, locale(1033)]
class Win32_DeviceGuard
{
        [key] string InstanceIdentifier;
        string Version;
        [ValueMap{"1", "2", "3", "4", "5", "6", "7"}: ToSubClass, ArrayType("Indexed"): DisableOverride ToSubClass] uint32 RequiredSecurityProperties[];
        [ValueMap{"1", "2", "3", "4", "5", "6", "7", "8"}: ToSubClass, ArrayType("Indexed"): DisableOverride ToSubClass] uint32 AvailableSecurityProperties[];
        [ValueMap{"0", "1", "2"}: ToSubClass] uint32 VirtualizationBasedSecurityStatus;
        [ValueMap{"1", "2", "3", "4"}: ToSubClass, ArrayType("Indexed"): DisableOverride ToSubClass] uint32 SecurityServicesConfigured[];
        [ValueMap{"1", "2", "3", "4", "5"}: ToSubClass, ArrayType("Indexed"): DisableOverride ToSubClass] uint32 SecurityServicesRunning[];
        [ValueMap{"0", "1", "2"}: ToSubClass] uint32 CodeIntegrityPolicyEnforcementStatus;
        [ValueMap{"0", "1", "2"}: ToSubClass] uint32 UsermodeCodeIntegrityPolicyEnforcementStatus;
        boolean VirtualMachineIsolation;
        [ValueMap{"1", "2"}: ToSubClass, ArrayType("Indexed"): DisableOverride ToSubClass] uint32 VirtualMachineIsolationProperties[];
};

This issue is also applicable to Windows PowerShell.

Expected behavior

PS> Get-ComputerInfo | Select-Object -ExpandProperty DeviceGuardAvailableSecurityProperties

BaseVirtualizationSupport
SecureBoot
DMAProtection
SecureMemoryOverwrite
UEFICodeReadonly
SMMSecurityMitigations
ModeBasedExecutionControl

Actual behavior

PS> Get-ComputerInfo | Select-Object -ExpandProperty DeviceGuardAvailableSecurityProperties

BaseVirtualizationSupport
SecureBoot
DMAProtection
SecureMemoryOverwrite
5
6
7

Error details

No response

Environment data

PS> $PSVersionTable

Name                           Value
----                           -----
PSVersion                      7.1.5
PSEdition                      Core
GitCommitId                    7.1.5
OS                             Microsoft Windows 10.0.22000
Platform                       Win32NT
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0…}
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1
WSManStackVersion              3.0

Visuals

No response
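
As an added example (not part of the original issue or of the PowerShell code base), the following sketch reads Win32_DeviceGuard directly and maps AvailableSecurityProperties to names, so an audit script does not depend on the cmdlet's enum being current. The function names are hypothetical; names for 5-7 are the ones proposed in the issue, and value 8, which the MOF ValueMap lists but the issue does not name, is reported as unmapped rather than guessed.

```powershell
# Added example. Values 1-4 are the names Get-ComputerInfo already prints;
# 5-7 are the names proposed in the issue. Value 8 has no name on this page
# and is intentionally left out of the map.
$script:AvailableSecurityPropertyNames = @{
    1 = 'BaseVirtualizationSupport'
    2 = 'SecureBoot'
    3 = 'DMAProtection'
    4 = 'SecureMemoryOverwrite'
    5 = 'UEFICodeReadonly'
    6 = 'SMMSecurityMitigations'
    7 = 'ModeBasedExecutionControl'
}

# Hypothetical helper: turn raw uint32 values into names, keeping any value
# the map does not know visible instead of silently dropping it.
function ConvertTo-DeviceGuardPropertyName {
    param(
        [uint32[]] $Value,
        [hashtable] $Map = $script:AvailableSecurityPropertyNames
    )
    foreach ($v in $Value) {
        $key = [int] $v
        if ($Map.ContainsKey($key)) { $Map[$key] } else { "Unmapped($v)" }
    }
}

# Hypothetical helper: query the same WMI class Get-ComputerInfo uses.
function Get-DeviceGuardAvailableProperty {
    $params = @{
        Namespace   = 'root\Microsoft\Windows\DeviceGuard'
        ClassName   = 'Win32_DeviceGuard'
        ErrorAction = 'Stop'
    }
    $dg = Get-CimInstance @params
    ConvertTo-DeviceGuardPropertyName -Value $dg.AvailableSecurityProperties
}

# Constructed sample input covering every value in the MOF ValueMap (1-8),
# so the mapping can be checked on a machine without Device Guard support.
ConvertTo-DeviceGuardPropertyName -Value 1, 2, 3, 4, 5, 6, 7, 8

# Live query; the class is absent on systems without the DeviceGuard namespace.
try {
    Get-DeviceGuardAvailableProperty
} catch {
    Write-Warning "Win32_DeviceGuard query failed: $($_.Exception.Message)"
}
```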

Labels: Issue-Enhancement (the issue is more of a feature request than a bug); Resolution-Fixed (the issue is fixed); WG-Cmdlets-Management (cmdlets in the Microsoft.PowerShell.Management module)
