Credential Guard Is Set To Ingeschakeld Met Uefi Lock

<# .SYNOPSIS Intune Security Options: Credential Guard with UEFI Lock .DESCRIPTION CIS - Credential Guard met UEFI lock (permanente bescherming). .NOTES Filename: credential-guard-uefi.ps1|Author: Nederlandse Baseline voor Veilige Cloud|Feature: Credential Guard|Expected: UEFI Lock #> #Requires -Version 5.1 #Requires -RunAsAdministrator [CmdletBinding()]param([switch]$WhatIf, [switch]$Monitoring, [switch]$Remediation, [switch]$Revert) $ErrorActionPreference = 'Stop'; $RegPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"; $RegName = "LsaCfgFlags"; $ExpectedValue = 2 function Connect-RequiredServices { $p = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator) } function Test-Compliance { $r = [PSCustomObject]@{ScriptName = "cred-uefi.ps1"; PolicyName = "Credential Guard UEFI"; IsCompliant = $false; CurrentValue = $null; Details = @() }; function Invoke-Revert { Write-Host "UEFI lock cannot be reverted!" -ForegroundColor Red } try { if (Test-Path $RegPath) { $v = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue; if ($v -and $v.$RegName -eq $ExpectedValue) { $r.IsCompliant = $true; $r.Details += "Credential Guard with UEFI lock" }else { $r.Details += "Credential Guard: $($v.$RegName)" } }else { $r.Details += "Not configured" } }catch { $r.Details += "Error: $($_.Exception.Message)" }; return $r } function Invoke-Remediation { if (-not(Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }; Set-ItemProperty -Path $RegPath -Name $RegName -Value $ExpectedValue -Type DWord -Force; Write-Host "Credential Guard with UEFI lock - REBOOT REQUIRED" -ForegroundColor Yellow; Write-Host "WARNING: UEFI lock cannot be disabled via registry!" -ForegroundColor Red } function Invoke-Monitoring { $r = Test-Compliance; Write-Host "`n$($r.PolicyName): $(if($r.IsCompliant){'COMPLIANT'}else{'NON-COMPLIANT'})" -ForegroundColor $(if ($r.IsCompliant) { 'Green' }else { 'Red' }); return $r } function Invoke-Revert { Write-Host "UEFI lock cannot be reverted!" -ForegroundColor Red } try { if (-not(Connect-RequiredServices)) { exit 1 }; if ($Monitoring) { $r = Invoke-Monitoring; exit $(if ($r.IsCompliant) { 0 }else { 1 }) }elseif ($Remediation) { if (-not $WhatIf) { Invoke-Remediation } }elseif ($Revert) { Invoke-Revert }else { $r = Test-Compliance; exit $(if ($r.IsCompliant) { 0 }else { 1 }) } }catch { Write-Error $_; exit 1 }