use Get-CimInstance to get Win32_DeviceGuard

Question

hi
I've found on Microsoft site - https://learn.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
the command get-ciminstance to get credential guard status
cording to site 0 means Windows Defender Credential Guard is disabled (not running), 1 means Windows Defender Credential Guard is enabled (running)
after using it on couple servers it return output of 0, 1, 2
my questions is

1. that is 2 mean?
2. how can I get the command to operate on list of servers and return list of ComputerName, status (as 0\1)?

for list of computer I used this script:

$ComputerList = (Get-ADComputer -server DomainName -Filter 'OperatingSystem -like "Windows Server 2019*" -or OperatingSystem -like "Windows Server 2022*"').name  
foreach ($PcName in $ComputerList) {  
         (Get-CimInstance -ComputerName $PcName -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning  
}  

thanks for the help

Answer 1

I believe this is the information you're looking for:

SecurityServicesRunning	This field indicates whether the Credential Guard or HVCI service is running.	  
0. No services running.  
1. If present, Credential Guard is running.  
2. If present, HVCI is running  

Answer 2

I was able to get to something that works for me

$computers = (Get-ADComputer -server YourDomainName -Filter 'OperatingSystem -like "*2019*" -or OperatingSystem -like "*2022*"').name  
Get-CimInstance -ComputerName $computers -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |  Format-Table pscomputername, SecurityServicesRunning