

Credential Guard Services Not Running

Question

Wednesday, January 4, 2017 10:37 PM | 1 vote

I'm having a hard time getting Credential Guard running. I'm following the guide here: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard. I make sure Secure Boot, TPM, and the Virtualization Options are set in the BIOS and run the DG_CG Readiness Tool with the -Enable -CG flags. I've also tried the -Enable -Autoreboot flags. When I run the Readiness Tool with the -Capable flag, here is my output:

Checking if the device is DG/CG Capable
 ====================== Step 1 Driver Compat ======================
Driver verifier already enabled
Verifing each module please wait ....
Compatible Modules
Windows Signed: hal.dll.sys

...Windows Signed: mslldp.sys

InCompatible HVCI Kernel Driver Modules found

Module: igdkmd64.sys
        Reason: execute pool type count:             1072
Module: rtkvhd64.sys
        Reason: execute page mapping count:             5

 ====================== Step 2 Secure boot present ======================
Secure boot is present
 ====================== Step 3 MS UEFI HSTI tests ======================
Copying HSTITest.dll
HSTI Duple Count: 0
HSTI Blob size: 20
String: 01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HSTIStatus: True
HSTI is absent
 ====================== Step 4 OS Architecture ======================
64 bit arch.....
 ====================== Step 5 Supported OS SKU ======================
This PC edition is Supported for DeviceGuard
 ====================== Step 6 Virtualization Firmware ======================
Virtualization firmware check passed
 ====================== Step 7 TPM version ======================
TPM 1.2 is Present. TPM 2.0 is Preferred.
 ====================== Step 8 Secure MOR ======================
Secure MOR is available
 ====================== Step 9 NX Protector ======================
NX Protector is absent
 ====================== Step 10 SMM Mitigation ======================
SMM Mitigation is absent
 ====================== End Check ======================
 ====================== Summary ======================
Device Guard / Credential Guard  can be enabled on this machine.
Following features are missing/absent which could further enhance security when present.
InCompatible HVCI Kernel Driver Modules found
HSTI is absent
TPM 1.2 is Present. TPM 2.0 is Preferred.
NX Protector is absent
SMM Mitigation is absent

I don't have any Red Warnings in the Output. If I look in msinfo32.exe under Device Guard Security Services Running it is blank. The output from the Readiness Tool with the -Ready flag is this:

Credential-Guard is not running.
HVCI is not running.
Config-CI is enabled and running. (Audit mode)
Not all services are running.

When I look in the registry everything looks right. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard\EnableVirtualizationBasedSecurity is set to 1. RequirePlatformSecurityFeatures is set to 1. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA\LsaCfgFlags is set to 1.

When I look in appwiz.cpl under Turn Windows Features on or off I can see the Hyper-V features are all checked. I'm running Windows 10 Enterprise x64 LTSB 2016. The hardware I'm running is HP Prodesk 600 G2 SFF. I've tried enabling it with Group Policy and that doesn't seem to make a difference. Any help greatly appreciated.
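The question above turns on the difference between what is configured in the registry and what is actually running after boot. The following is an added example, not part of the original post: it reads the registry values named in the question next to the Win32_DeviceGuard CIM class, the Secure Boot state and the LsaIso process. The function name `Get-CredentialGuardState` and the output property names are assumptions made for this example.

```powershell
# Added example (not from the thread): configured vs. running state of VBS / Credential Guard.
function Get-CredentialGuardState {
    # Registry values named in the question: what has been *configured*.
    $dgReg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsaReg = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    # Win32_DeviceGuard: what the OS reports as actually *running* since the last boot.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $vbsText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
    $svcText = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
    $toNames = {
        param($ids)
        # Drop the 0 ("none") entry; keep unknown ids visible instead of hiding them.
        @($ids | Where-Object { $_ -ne 0 } | ForEach-Object {
            if ($svcText.ContainsKey([int]$_)) { $svcText[[int]$_] } else { "Service id $_" }
        }) -join ', '
    }

    # Confirm-SecureBootUEFI needs an elevated prompt and throws on non-UEFI firmware.
    try   { $secureBoot = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = "Unknown: $($_.Exception.Message)" }

    [pscustomobject]@{
        Reg_EnableVirtualizationBasedSecurity = $dgReg.EnableVirtualizationBasedSecurity
        Reg_RequirePlatformSecurityFeatures   = $dgReg.RequirePlatformSecurityFeatures
        Reg_LsaCfgFlags                       = $lsaReg.LsaCfgFlags
        SecureBootEnabled                     = $secureBoot
        VbsStatus                             = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured                    = & $toNames $dg.SecurityServicesConfigured
        ServicesRunning                       = & $toNames $dg.SecurityServicesRunning
        CredentialGuardRunning                = $dg.SecurityServicesRunning -contains 1
        LsaIsoProcessPresent                  = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

Get-CredentialGuardState | Format-List
```

A machine in the state described in the question shows the three registry values set to 1 while `ServicesRunning` is empty and `CredentialGuardRunning` is False.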

All replies (15)

Thursday, January 5, 2017 7:36 AM

Hi Bill,

You could enable it again by following these steps:

How to Enable or Disable Credential Guard in Windows 10

https://www.tenforums.com/tutorials/68935-credential-guard-enable-disable-windows-10-a.html

Please Note: Since the website is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact [email protected].


Thursday, January 5, 2017 4:08 PM

I've tried enabling it as mentioned in that article both via GPO and local policies. They both set the same registry values which are set on my system, but Credential Guard is still not running. I see there is a known issue with KB3206632 and that KB3213522 is supposed to fix it, but I have KB3213522 installed and am still having the issue.

https://support.microsoft.com/en-us/kb/3213522

http://en.community.dell.com/support-forums/software-os/f/4997/p/20000273/20963932


Monday, January 9, 2017 2:31 AM

Hi,

If it's possible, give us a screenshot of system info.

In addition, based on the tool's UEFI checking, HSTI is absent. The key point is that the system's UEFI must support Secure Boot.

Your machine wouldn't work with UEFI, so you can see that Credential Guard is enabled but not running.

Please check the requirements here:

PC OEM requirements for Device Guard and Credential Guard

https://msdn.microsoft.com/windows/hardware/commercialize/design/minimum/device-guard-and-credential-guard



Monday, January 9, 2017 3:24 PM

Working on getting my account verified so I can post images. Have requested verification at this link:

https://social.technet.microsoft.com/Forums/en-US/23148b73-9258-42a7-9d38-ad2e910d18a4/verify-your-account-37?forum=reportabug


Monday, January 9, 2017 3:53 PM

Here's the output from systeminfo command:

C:\Windows\system32>systeminfo

Host Name:                 IMAGE1-2017
OS Name:                   Microsoft Windows 10 Enterprise 2016 LTSB
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Member Workstation
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                00378-20000-00003-AA175
Original Install Date:     1/4/2017, 10:52:49 AM
System Boot Time:          1/6/2017, 1:47:47 PM
System Manufacturer:       HP
System Model:              HP ProDesk 600 G2 SFF
System Type:               x64-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: Intel64 Family 6 Model 94 Stepping 3 GenuineIntel ~3192 Mhz
BIOS Version:              HP N02 Ver. 02.17, 11/1/2016
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume2
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (UTC-08:00) Pacific Time (US & Canada)
Total Physical Memory:     8,073 MB
Available Physical Memory: 6,619 MB
Virtual Memory: Max Size:  9,993 MB
Virtual Memory: Available: 8,531 MB
Virtual Memory: In Use:    1,462 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB3199986
                           [02]: KB3209498
                           [03]: KB3213522
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) Ethernet Connection (2) I219-LM
                                 Connection Name: Ethernet
                                 DHCP Enabled:    No
                                 IP address(es)
Hyper-V Requirements:      A hypervisor has been detected. Features required for Hyper-V will not be displayed.


Monday, January 9, 2017 6:26 PM

Experiencing the same issue. Windows 10 1607. 


Thursday, January 12, 2017 9:24 AM

Hi Bill,

Please input msinfo32.exe into the Run box, and then press Enter to get the following screenshot:



Wednesday, January 18, 2017 5:30 PM


Wednesday, January 18, 2017 5:35 PM

You have Secure Boot off; you should turn it on for Credential Guard...

http://support.hp.com/us-en/document/c03653226


Wednesday, January 18, 2017 5:49 PM

Sorry I had disabled Secure Boot while doing some testing on that machine. I've re-enabled it and it looks like Credential Guard is running. I'm positive Secure Boot was enabled originally and then I temporarily disabled it and forgot to re-enable it until now. However disabling Secure Boot and re-enabling it might have fixed the issue. When I run the DG_CG_hardware_readiness_tool with the -Capable flag it still shows that "Machine is not Device Guard / Credential Guard compatible because of the following: HSTI validation failed", but it looks like Credential Guard is running in msinfo32 so maybe this is an issue with that script or maybe HSTI validation doesn't affect Credential Guard.


Wednesday, January 18, 2017 5:53 PM

I have the same issue on a DELL Latitude E5270 on Win10 1607:

HSTI validation failed, but it seems to work; I see the needed lsaiso process running.

Neither Dell nor MS reacted to the question...

And I didn't have the balls to test it with Mimikatz ;-)


Thursday, January 26, 2017 3:47 AM | 1 vote

I'm having the exact same issue on some new Lenovo T460p machines. Credential Guard is enabled fine when running LTSB 2015, but I can't enable it when running LTSB 2016 or Windows 10 CSB.

[Update]

I just tried the following and it worked on Windows 10 CSB:

Setup prerequisites on the machine including Secure Boot, Virtualization Extensions, and TPM Enabled in BIOS

Ran DG Readiness Tool with the -Enable flag and rebooted. After reboot, Readiness Tool and msinfo32.exe showed Credential Guard services configured but services not running.

I then disabled Secure Boot in BIOS and rebooted. Oddly, upon reboot msinfo32.exe showed Credential Guard service running. I then re-enabled Secure Boot in the BIOS and the Credential Guard service continues to show as running in msinfo32.exe.


Monday, February 20, 2017 6:32 PM

I can confirm the same solution fixed the problem for me too. 


Friday, May 5, 2017 12:43 PM

I have the same issue, but I'm running on Hyper-V. Everything is set like the pictures above. But I had the balls to test it with Mimikatz ;-) and it seems that Credential Guard is not preventing Mimikatz from accessing the NTLM hashes. So maybe I did something wrong, or Mimikatz 2.1.1 has found another way to read it from the memory.


Saturday, May 6, 2017 6:14 PM

The reason the scripts show incompatible is due to the error below. There are some drivers on your box which are not HVCI compatible, meaning they have pages that are both writable and executable.

How to build compatible drivers

Since memory pages and sections can never be writable and executable, the first step is to ensure a clear separation of data and code and not to attempt to directly modify code pages.

  • Opt-in to NX by default
  • Use NX APIs/flags for memory allocation – NonPagedPoolNx
  • Don’t use sections that are both writable and executable
  • Don’t attempt to directly modify executable system memory
  • Don’t use dynamic code in kernel  
  • Don’t load data files as executable
  • Section Alignment must be a multiple of 0x1000 (PAGE_SIZE). E.g. DRIVER_ALIGNMENT=0x1000

Refer:

https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/

====================== Step 1 Driver Compat ======================

Driver verifier already enabled
Verifing each module please wait ....
Compatible Modules
Windows Signed: hal.dll.sys

...Windows Signed: mslldp.sys

InCompatible HVCI Kernel Driver Modules found

Module: igdkmd64.sys
        Reason: execute pool type count:             1072
Module: rtkvhd64.sys
        Reason: execute page mapping count:             5
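Two of the driver rules listed in the reply above can be checked statically from the driver file: no section may be both writable and executable, and the section alignment must be a multiple of 0x1000. The following is an added example, not part of the original reply and not the Readiness Tool's own logic: it reads the PE headers of a driver image and reports both. The function name `Test-DriverSectionLayout` is an assumption, and the check does not cover executable pool allocations, which the tool reports separately as "execute pool type count".

```powershell
# Added example (not from the thread): static PE check for two HVCI driver rules.
function Test-DriverSectionLayout {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).ProviderPath)
    if ($bytes.Length -lt 0x40 -or [BitConverter]::ToUInt16($bytes, 0) -ne 0x5A4D) {
        throw "Not an MZ image: $Path"
    }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)              # e_lfanew
    if ($pe -lt 0 -or $pe + 24 + 36 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {
        throw "No PE signature: $Path"
    }

    # COFF header follows the 4-byte signature; optional header starts at $pe + 24.
    $sectionCount = [BitConverter]::ToUInt16($bytes, $pe + 6)
    $optSize      = [BitConverter]::ToUInt16($bytes, $pe + 20)
    $sectionAlign = [BitConverter]::ToUInt32($bytes, $pe + 24 + 32)  # same offset in PE32 and PE32+
    $table        = $pe + 24 + $optSize
    if ($table + 40 * $sectionCount -gt $bytes.Length) { throw "Truncated section table: $Path" }

    $EXECUTE = [uint32]0x20000000     # IMAGE_SCN_MEM_EXECUTE
    $WRITE   = [uint32]2147483648     # IMAGE_SCN_MEM_WRITE (0x80000000)

    $sections = for ($i = 0; $i -lt $sectionCount; $i++) {
        $off   = $table + 40 * $i     # each section header is 40 bytes
        $flags = [BitConverter]::ToUInt32($bytes, $off + 36)
        [pscustomobject]@{
            Name       = [Text.Encoding]::ASCII.GetString($bytes, $off, 8).TrimEnd([char]0)
            Executable = ($flags -band $EXECUTE) -ne 0
            Writable   = ($flags -band $WRITE) -ne 0
        }
    }

    [pscustomobject]@{
        Path                       = $Path
        SectionAlignment           = '0x{0:X}' -f $sectionAlign
        AlignmentIsPageMultiple    = ($sectionAlign % 0x1000) -eq 0
        WritableExecutableSections = @($sections | Where-Object { $_.Executable -and $_.Writable } |
                                       ForEach-Object { $_.Name })
    }
}

# Usage (placeholder path, supply the driver file to inspect):
# Test-DriverSectionLayout -Path '<path to driver .sys>'
```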