Question
Wednesday, July 26, 2017 2:03 PM
I have enabled Credential Guard in our environment via group policy, and it is working on most computers. Recently, we re-imaged the first of our Lenovo A70z computers with the Windows 10 image. When going through it to make sure everything is working properly, we found that Credential Guard is not running.
I've gone over everything I can think of, and everything looks right. I found a few other threads mentioning this same issue, but they are either unsolved or the solution doesn't apply to my case. One thread suggested that disabling and re-enabling Secure Boot in the BIOS resolved the issue for multiple people, but I have tried that with no success.
Here's what I see in System Information:
I've also tried running the CG/DG readiness tool, and got these results:
Checking if the device is DG/CG Capable
====================== Step 1 Driver Compat ======================
Driver verifier already enabled
Verifing each module please wait ....
Compatible Modules
Windows Signed: hal.dll
Windows Signed: kdcom.dll
Windows Signed: werkernel.sys
Windows Signed: clfs.sys
Windows Signed: tm.sys
Windows Signed: pshed.dll
Windows Signed: bootvid.dll
Windows Signed: fltmgr.sys
Windows Signed: msrpc.sys
Windows Signed: ksecdd.sys
Windows Signed: clipsp.sys
Windows Signed: cmimcext.sys
Windows Signed: ntosext.sys
Windows Signed: ci.dll
Windows Signed: cng.sys
Windows Signed: wdf01000.sys
Windows Signed: wdfldr.sys
Windows Signed: acpiex.sys
Windows Signed: wpprecorder.sys
Windows Signed: acpi.sys
Windows Signed: wmilib.sys
Windows Signed: msisadrv.sys
Windows Signed: pci.sys
Windows Signed: tpm.sys
Windows Signed: intelpep.sys
Windows Signed: windowstrustedrt.sys
Windows Signed: windowstrustedrtproxy.sys
Windows Signed: pcw.sys
Windows Signed: vdrvroot.sys
Windows Signed: pdc.sys
Windows Signed: cea.sys
Windows Signed: partmgr.sys
Windows Signed: spaceport.sys
Windows Signed: volmgr.sys
Windows Signed: volmgrx.sys
Windows Signed: mountmgr.sys
Windows Signed: storahci.sys
Windows Signed: storport.sys
Windows Signed: ehstorclass.sys
Windows Signed: fileinfo.sys
Windows Signed: wof.sys
Windows Signed: wdfilter.sys
Windows Signed: ntfs.sys
Windows Signed: fs_rec.sys
Windows Signed: ndis.sys
Windows Signed: netio.sys
Windows Signed: ksecpkg.sys
Windows Signed: tcpip.sys
Windows Signed: fwpkclnt.sys
Windows Signed: wfplwfs.sys
amdkmpfd.sys
Windows Signed: fvevol.sys
Windows Signed: volume.sys
Windows Signed: volsnap.sys
Windows Signed: rdyboost.sys
Windows Signed: mup.sys
Windows Signed: iorate.sys
Windows Signed: disk.sys
Windows Signed: classpnp.sys
Windows Signed: crashdmp.sys
dump_storport.sys
dump_storahci.sys
dump_dumpfve.sys
Windows Signed: cdrom.sys
Windows Signed: tbs.sys
Windows Signed: filecrypt.sys
Windows Signed: null.sys
Windows Signed: beep.sys
Windows Signed: watchdog.sys
Windows Signed: basicdisplay.sys
Windows Signed: dxgkrnl.sys
Windows Signed: basicrender.sys
Windows Signed: npfs.sys
Windows Signed: msfs.sys
Windows Signed: tdi.sys
Windows Signed: tdx.sys
Windows Signed: netbt.sys
Windows Signed: afd.sys
Windows Signed: vwififlt.sys
Windows Signed: pacer.sys
Windows Signed: netbios.sys
Windows Signed: serial.sys
Windows Signed: rdbss.sys
Windows Signed: csc.sys
Windows Signed: nsiproxy.sys
Windows Signed: npsvctrig.sys
Windows Signed: mssmbios.sys
Windows Signed: gpuenergydrv.sys
Windows Signed: dfsc.sys
Windows Signed: ahcache.sys
compositebus.sys
Windows Signed: kdnic.sys
Windows Signed: umbus.sys
Windows Signed: usbxhci.sys
Windows Signed: ucx01000.sys
teedriverw8x64.sys
Windows Signed: serenum.sys
Windows Signed: e1i63x64.sys
Windows Signed: usbport.sys
Windows Signed: usbehci.sys
Windows Signed: ks.sys
Windows Signed: drmk.sys
Windows Signed: portcls.sys
Windows Signed: hdaudbus.sys
netwew01.sys
Windows Signed: vwifibus.sys
Windows Signed: intelppm.sys
Windows Signed: wmiacpi.sys
Windows Signed: ndisvirtualbus.sys
Windows Signed: swenum.sys
iwdbus.sys
Windows Signed: rdpbus.sys
Windows Signed: usbd.sys
Windows Signed: usbhub.sys
Windows Signed: usbhub3.sys
Windows Signed: ksthunk.sys
Windows Signed: hdaudio.sys
Windows Signed: hidparse.sys
Windows Signed: hidclass.sys
Windows Signed: hidusb.sys
Windows Signed: usbccgp.sys
Windows Signed: mouhid.sys
Windows Signed: mouclass.sys
Windows Signed: kbdhid.sys
Windows Signed: kbdclass.sys
ibtfltcoex.sys
Windows Signed: bthport.sys
Windows Signed: bthusb.sys
Windows Signed: usbvideo.sys
Windows Signed: bthleenum.sys
Windows Signed: rfcomm.sys
Windows Signed: bthenum.sys
Windows Signed: bthpan.sys
Windows Signed: fastfat.sys
Windows Signed: win32kbase.sys
Windows Signed: win32kfull.sys
Windows Signed: win32k.sys
Windows Signed: dxgmms1.sys
Windows Signed: monitor.sys
Windows Signed: dxgmms2.sys
Windows Signed: tsddd.dll
Windows Signed: cdd.dll
Windows Signed: winhvr.sys
Windows Signed: hvservice.sys
Windows Signed: wcifs.sys
Windows Signed: luafv.sys
Windows Signed: storqosflt.sys
Windows Signed: wcnfs.sys
Windows Signed: registry.sys
Windows Signed: mmcss.sys
Windows Signed: rdpvideominiport.sys
Windows Signed: tunnel.sys
Windows Signed: condrv.sys
Windows Signed: mslldp.sys
Windows Signed: rdpdr.sys
Windows Signed: lltdio.sys
Windows Signed: rspndr.sys
Windows Signed: ndisuio.sys
Windows Signed: nwifi.sys
Windows Signed: tsusbhub.sys
Windows Signed: bowser.sys
Windows Signed: mrxsmb.sys
Windows Signed: mrxsmb20.sys
Windows Signed: http.sys
Windows Signed: wudfpf.sys
Windows Signed: mpsdrv.sys
Windows Signed: srvnet.sys
Windows Signed: vwifimp.sys
Windows Signed: peauth.sys
Windows Signed: ndu.sys
Windows Signed: tcpipreg.sys
Windows Signed: srv2.sys
Windows Signed: wdnisdrv.sys
Windows Signed: mrxdav.sys
Windows Signed: mssecflt.sys
InCompatible HVCI Kernel Driver Modules found
Module: igdkmd64.sys
Reason: execute pool type count: 4578
Module: lbai.sys
Reason: execute pool type count: 1
Module: rtkvhd64.sys
Reason: execute page mapping count: 4
Module: prepdrv.sys
Reason: execute pool type count: 2
====================== Step 2 Secure boot present ======================
Secure boot is present
====================== Step 3 MS UEFI HSTI tests ======================
Copying HSTITest.dll
HSTI Duple Count: 0
HSTI Blob size: 20
String: 01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HSTIStatus: True
HSTI is absent
====================== Step 4 OS Architecture ======================
64 bit arch.....
====================== Step 5 Supported OS SKU ======================
This PC edition is Supported for DeviceGuard
====================== Step 6 Virtualization Firmware ======================
Virtualization firmware check passed
====================== Step 7 TPM version ======================
TPM 1.2 is present. TPM 2.0 is Required.
====================== Step 8 Secure MOR ======================
Secure MOR is absent
====================== Step 9 NX Protector ======================
NX Protector is absent
====================== Step 10 SMM Mitigation ======================
SMM Mitigation is absent
====================== End Check ======================
====================== Summary ======================
Device Guard / Credential Guard can be enabled on this machine.
Following features are missing/absent which could further enhance security when present.
InCompatible HVCI Kernel Driver Modules found
HSTI is absent
TPM 1.2 is present. TPM 2.0 is Required.
Secure MOR is absent
NX Protector is absent
SMM Mitigation is absent
I know that this hardware isn't going to support all of the more advanced features of Device Guard, but my understanding is that it is capable of using Credential Guard at least. What would be causing Credential Guard to be 'enabled but not running', as shown in System Information?
All replies (3)
Friday, September 20, 2019 6:24 PM ✅Answered
I recently ran into this issue again, and came across this thread while researching it. I'm not sure what the original issue turned out to be, but having just resolved the current issue I wanted to post the solution:
In today's case, the problem was that the CPU's virtualization extensions were not enabled in the BIOS. The clues that led me to this were in the event log, specifically:
Event ID 15 from WinInit - Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.
Event ID 124 from Kernel-Boot - The virtualization-based security enablement policy check at phase 0 failed with status: Virtual Secure Mode (VSM) is not initialized. The hypervisor or VSM may not be present or enabled.
Event ID 41 from Hyper-V-Hypervisor - Hypervisor launch failed; Either VMX not present or not enabled in BIOS.
Hope that helps whoever finds this thread next. Who knows, maybe it will be me! :)
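The following PowerShell script is an added example, not code posted by anyone in this thread. It turns the accepted answer's diagnosis into a repeatable check: it reads the Win32_DeviceGuard class (the same data System Information displays as "Virtualization-based security services configured/running"), reports whether Credential Guard is configured versus actually running, checks the processor's VirtualizationFirmwareEnabled flag and the TPM spec version, and then pulls the three boot-time events (WinInit 15, Kernel-Boot 124, Hyper-V-Hypervisor 41) quoted above. The event provider names used in the filters are assumed to be the standard channel names; run it from an elevated PowerShell session on the affected Windows 10 machine.

```powershell
# Added diagnostic script (not from the thread). Explains why Credential Guard shows
# "Enabled but not running" by comparing configured vs. running security services,
# then pulling the boot-time events the accepted answer points to.
# Assumptions: elevated PowerShell on Windows 10; the ProviderName values below are
# the standard event channel names and may need adjusting on other builds.

$CredentialGuard = 1   # documented value in SecurityServicesConfigured/Running
$Hvci            = 2   # documented value for HVCI (memory integrity)

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # Processor-level check for the cause found in the accepted answer: the hypervisor
    # cannot launch unless VT-x/AMD-V is enabled in firmware.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # TPM spec version (e.g. "1.2, 2, 3" or "2.0, 0, 1.38"); absent if no TPM is exposed.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                     = $vbsState
        CredentialGuardConfigured     = $dg.SecurityServicesConfigured -contains $CredentialGuard
        CredentialGuardRunning        = $dg.SecurityServicesRunning    -contains $CredentialGuard
        HvciConfigured                = $dg.SecurityServicesConfigured -contains $Hvci
        HvciRunning                   = $dg.SecurityServicesRunning    -contains $Hvci
        VirtualizationFirmwareEnabled = $cpu.VirtualizationFirmwareEnabled
        TpmSpecVersion                = if ($tpm) { $tpm.SpecVersion } else { 'No TPM reported' }
    }
}

function Get-VbsBootEvents {
    param([int]$MaxEvents = 20)

    # Provider/ID pairs quoted in the accepted answer (provider names are assumptions).
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit';            Id = 15  }
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot';        Id = 124 }
        @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Hyper-V-Hypervisor'; Id = 41  }
    )

    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, ProviderName, Id, Message
    }
}

$report = Get-VbsReport
$report | Format-List

if ($report.CredentialGuardConfigured -and -not $report.CredentialGuardRunning) {
    Write-Host 'Credential Guard is configured but not running. Recent boot diagnostics:' -ForegroundColor Yellow
    Get-VbsBootEvents | Sort-Object TimeCreated -Descending | Format-Table -Wrap -AutoSize

    if ($report.VirtualizationFirmwareEnabled -eq $false) {
        Write-Host 'Win32_Processor reports virtualization extensions disabled in firmware; enable VT-x/AMD-V and reboot.' -ForegroundColor Red
    }
}
```

On a machine in the state described in the question, the report shows CredentialGuardConfigured as True and CredentialGuardRunning as False, and the event query surfaces the Kernel-Boot 124 / Hyper-V-Hypervisor 41 pair that pins the cause to the hypervisor failing to launch. If VirtualizationFirmwareEnabled is False, the fix is in firmware setup rather than in policy.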
Thursday, July 27, 2017 2:47 AM
You could try to reset the BIOS or rebuild the boot loader and check the result.
Besides, I see from your CG/DG tool report that the TPM version is 1.2. Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on computers; 1.2 is not enough.
Regards
Thursday, July 27, 2017 1:08 PM
I believe we've already tried re-imaging the computer, but I can try resetting the BIOS.
Besides applying to new computers being shipped by OEMs, I believe that TPM 2.0 is required for some of the more advanced Device Guard features. My understanding is that the basic features of VBS, including Credential Guard, are still supported without TPM 2.0. I believe the info just above and below the note that you quoted supports that understanding:
All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
Baseline protections
Baseline Protections | Description | Security benefits
---|---|---
Hardware: Trusted Platform Module (TPM) | Requirement: TPM 1.2 or TPM 2.0, either discrete or firmware. TPM recommendations | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access.
Also, on the page in the "TPM Recommendations" link above, I found this section which says that Credential Guard is supported even without a TPM:
Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. |
That does specify v1511, but I'm not sure if that's because Credential Guard was not available before v1511, or if something has changed since then. I would expect that if it is saying v1511 had different requirements than newer builds, it would probably also call out what those requirements are for versions newer than v1511...
In fact, as I think about it, I know for certain that Credential Guard will run on a computer w/o a TPM, because I have an older desktop here beside me that does not have a TPM in it, but shows credential guard as running.