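#Requires -Version 5.1
#Requires -RunAsAdministrator
<#
SilverMetal Enhanced - Windows | Domain D: Kernel & credential isolation
VBS + HVCI + Credential Guard + LSA protection + Kernel DMA Protection.
The genuinely strong, hardware-backed part of hardened Windows.
Spec: ../hardening-spec.md (D) | SCAFFOLD (M1).

Writes HKLM configuration values only; none of them take effect until the next
reboot. Keys are created with -Force, so the script is idempotent and safe to
re-run. Requires an elevated session (HKLM writes) -- enforced by #Requires so a
non-admin run fails before touching the registry instead of mid-way.
#>
[CmdletBinding()]
param()
Set-StrictMode -Version Latest; $ErrorActionPreference = 'Stop'
Write-Host '[D] Kernel & credential isolation'

# VBS + HVCI (Memory Integrity)
# Effective config lives under CurrentControlSet\Control\DeviceGuard; the
# Scenarios\* subkeys switch on the individual VBS-backed features.
$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
New-Item $dg -Force | Out-Null
Set-ItemProperty $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
Set-ItemProperty $dg -Name RequirePlatformSecurityFeatures -Type DWord -Value 1 # Secure Boot
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"
New-Item $hvci -Force | Out-Null
Set-ItemProperty $hvci -Name Enabled -Type DWord -Value 1
# NOTE(review): no UEFI lock (Locked value) is set here, so a local admin can
# revert VBS/HVCI by flipping these values -- intentional for M1? confirm in spec.

# Credential Guard
# NOTE(review): the documented enable switch is Lsa\LsaCfgFlags (1 = with UEFI
# lock, 2 = without); confirm the Scenarios\CredentialGuard key is honored on the
# target build, or set LsaCfgFlags alongside it.
$lsacfg = "$dg\Scenarios\CredentialGuard"
New-Item $lsacfg -Force | Out-Null
Set-ItemProperty $lsacfg -Name Enabled -Type DWord -Value 1

# LSA protection (RunAsPPL)
# Lsa key always exists, so no New-Item needed.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty $lsa -Name RunAsPPL -Type DWord -Value 1

# Kernel DMA Protection: on AMD this is firmware-gated (ACPI IVRS DMA_REMAP bit).
# Block new DMA devices while locked as the compensating control (see Domain G).
# NOTE(review): per the policy definition 0 = Block all (also while unlocked),
# 1 = only after log in/screen unlock. 0 is the stricter choice but does not
# match "while locked" above -- confirm which the spec intends. This policy only
# governs devices incompatible with DMA remapping; whether it has any effect on
# a platform where Kernel DMA Protection is unavailable is part of the open
# question below.
$ki = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Kernel DMA Protection'
New-Item $ki -Force | Out-Null
Set-ItemProperty $ki -Name DeviceEnumerationPolicy -Type DWord -Value 0 # block until authorized

# TODO-M1: confirm msinfo32 reports VBS=Running + Credential Guard + HVCI after reboot;
# confirm whether Kernel DMA Protection shows On (IVRS bit) -- open question §8.
# For a scriptable post-reboot check, Win32_DeviceGuard in namespace
# root\Microsoft\Windows\DeviceGuard exposes VirtualizationBasedSecurityStatus
# and SecurityServicesRunning (Get-CimInstance).
Write-Host ' [D] policy set (VBS/HVCI/CredGuard/LSA-PPL/DMA). Effective after reboot.'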