<#
 #   It is recommended to test the script on a local machine, to confirm its purpose and effects, before deploying it. 
 #   ManageEngine Endpoint Central will not be responsible for any 
 #   damage/loss to the data/setup based on the behavior of the script.

 #   Description: Enables virtualization-based security (VBS) and Windows Defender Credential Guard by writing the corresponding DeviceGuard and Lsa registry values (HVCI/memory integrity is not configured here).

 #   Remarks: The script has to be deployed as Computer Configuration
 #   Configuration Type - Computer
#>


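# Fail fast: the original script kept going after a failed registry write and
# still exited 0, so the deployment tool could report success with only half
# of the settings applied (e.g. VBS on, Credential Guard off).
$ErrorActionPreference = 'Stop'

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Creates the registry key if it is missing, then writes (or overwrites, via
# -Force) a REG_DWORD value under it.
#   Path  - registry key (HKLM:\... form)
#   Name  - value name
#   Value - DWORD to store
function Set-DwordValue {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Value
    )
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWORD -Value $Value -Force | Out-Null
}

try {
    # Enable virtualization-based security (VBS).
    Set-DwordValue -Path $DeviceGuardKey -Name 'EnableVirtualizationBasedSecurity' -Value 1

    # 3 = require Secure Boot AND DMA protection (per Microsoft's VBS
    # documentation; 1 = Secure Boot only). NOTE(review): on hardware without
    # IOMMU/DMA protection VBS will not start with this value — confirm the
    # target fleet supports it, or use 1 where it does not.
    Set-DwordValue -Path $DeviceGuardKey -Name 'RequirePlatformSecurityFeatures' -Value 3

    # Enable Windows Defender Credential Guard.
    # 1 = enabled WITH UEFI lock (per Microsoft's Credential Guard
    # documentation; 2 = enabled without the lock). With the UEFI lock the
    # setting cannot be reverted by deleting this registry value alone — it
    # needs the documented UEFI-variable clearing procedure with physical
    # presence. NOTE(review): keep 1 only if that irreversibility is intended.
    Set-DwordValue -Path $LsaKey -Name 'LsaCfgFlags' -Value 1

    # NOTE(review): only the three values above are written; HVCI/memory
    # integrity is not configured here, and per Microsoft's documentation
    # these settings take effect after a restart, which this script does not
    # trigger.
}
catch {
    Write-Error "Failed to configure VBS/Credential Guard: $($_.Exception.Message)"
    exit 1
}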