How to add inventory for Secure Boot and Credential Guard settings

Article ID: 239298

Products

CA Client Automation - IT Client Manager
CA Client Automation
CA Client Automation - Asset Management

Issue/Introduction

Secure Boot and Credential Guard settings are not present in General Hardware Inventory. How can they be added as Additional Inventory?

Environment

Client Automation - Any Version

Resolution

1- In DSM Explorer, under Jobs/Asset Jobs, create a new Asset Job of type Script.

Give it a name (e.g. Secure Boot).

In the Script tab, copy and paste the content of the attached file secureboot.dms.

2- In Scheduling Options, on the Miscellaneous tab, make sure that the option "This job is allowed to run unattended" is checked.

3- Link this job to a computer group.

4- A new Additional Inventory "Windows Security" is created for the computer.

It contains 2 groups:
Credential Guard
Secure Boot

The Secure Boot group contains one inventory item, "Secure Boot Enabled", which can have one of these 3 values:
False
True
Not Supported

The Credential Guard group contains one inventory item, "Credential Guard Enabled", which can have one of these 2 values:
False
True

Additional Information

The following PowerShell command returns the state of Secure Boot:
powershell.exe -noprofile -executionpolicy bypass -Command Confirm-SecureBootUEFI

It returns True, False, or "Confirm-SecureBootUEFI : Cmdlet not supported on this platform: 0xC0000002" if Secure Boot is not supported.

The following PowerShell command returns the state of Credential Guard:
powershell.exe -noprofile -executionpolicy bypass -Command "(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning"

It returns 0 or 1:
0 : Credential Guard is disabled (not running)
1 : Credential Guard is enabled (running)
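
The two checks above, combined into one script that maps the results to the inventory values listed under Resolution. This is an added example, not the content of the attached secureboot.dms. The function names are hypothetical, and reporting "False" when the Win32_DeviceGuard class is missing is an assumption; Microsoft documents SecurityServicesRunning as an array in which 1 denotes Credential Guard, so the script tests for membership.

```powershell
# Added example (not the attached secureboot.dms). Function names are hypothetical.
# Run from an elevated session: Confirm-SecureBootUEFI needs administrator rights.

function Get-SecureBootState {
    # Returns 'True', 'False' or 'Not Supported', matching the inventory values.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'True' } else { 'False' }
    }
    catch {
        # Legacy BIOS / non-UEFI platform:
        # "Cmdlet not supported on this platform: 0xC0000002"
        if ($_.Exception -is [System.PlatformNotSupportedException] -or
            $_.Exception.Message -match '0xC0000002') {
            'Not Supported'
        }
        else {
            # Any other failure (for example, a non-elevated session) is re-thrown
            # so it is not silently recorded as a Secure Boot state.
            throw
        }
    }
}

function Get-CredentialGuardState {
    # Returns 'True' or 'False', matching the inventory values.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard `
        -ErrorAction SilentlyContinue

    # Assumption: if the class cannot be queried, nothing is running.
    if ($null -eq $dg) { return 'False' }

    # SecurityServicesRunning is an array. 1 = Credential Guard; other
    # virtualization-based services can be listed next to it, so check
    # for membership rather than comparing the whole value with 1.
    if ($dg.SecurityServicesRunning -contains 1) { 'True' } else { 'False' }
}

# One record per computer, with the same item names as the inventory groups.
[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    SecureBootEnabled      = Get-SecureBootState
    CredentialGuardEnabled = Get-CredentialGuardState
}
```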

Attachments

1694610281440__SecureBoot.dms