Device/Credential Guard

  • Question

  • I'm about to rebuild my machine with Windows 10 Enterprise Creators Update (1703) when it comes out and would like to learn/use Device and Credential Guard. I downloaded the Device Guard Readiness Tool and ran it with: DG_Readiness_Tool_v3.0.ps1 -Capable

    The results were as follows:

    ====================== Summary ======================
    Device Guard / Credential Guard  can be enabled on this machine.
    Following features are missing/absent which could further enhance security when present.
    Incompatible HVCI Kernel Driver Modules found
    HSTI is absent
    TPM is absent or not ready for use
    Secure MOR is absent
    NX Protector is absent
    SMM Mitigation is absent

    ====================================================

    I know for sure that my machine does NOT have a TPM chip and I can't add one.

    It also says this in the output:

    ====================================================

    Incompatible HVCI Kernel Driver Modules found

    Module: zamguard64.sys
            Reason: execute pool type count:              185
    Module: zam64.sys
            Reason: execute pool type count:            10622
    Module: igdkmd64.sys
            Reason: execute pool type count:            30577
    Module: intcdaud.sys
            Reason: execute pool type count:              204
    Module: gemccid.sys
            Reason: execute pool type count:               63
    Module: npf_devolo.sys
            Reason: execute pool type count:              197
    Module: veeamfsr.sys
            Reason: execute pool type count:                7
    Module: vstor2-mntapi20-shared.sys
            Reason: execute pool type count:                3

    ======================================

    So I have the following questions:

    1) I'll be the only person using this machine so can I safely use DG/CG without a TPM chip?

    2) Should I be worried about the Incompatible HVCI Kernel Driver Modules found?

    3) What are HSTI, Secure MOR, NX Protector and SMM Mitigation? Do I need them since it says they are absent?

    4) Can I use DG/CG on a machine that is in a workgroup (with no domain available)? Can I still sign/enable trusted software?

    Thanks for reading.

    Monday, April 3, 2017 7:34 PM

All replies

  • Hi, 

    First, I would like to say that we can enable CG without TPM. But please know that if you don’t have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. Without a TPM enabled and ready for use, Credential Guard keys are stored in a less secure method using software. 

    Second, yes, we need to care about HVCI. HVCI-compatible drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode.

    To improve Hardware Rooted Trust Platform Secure Boot, HSTI is required, and it provides additional security assurance for correctly secured silicon and platform.

    A secure MOR bit prevents certain memory attacks so this is necessary for Credential Guard. This will further enhance security of Credential Guard. For more information, see Secure MOR implementation.

    Other components you have mentioned are the protections also used to improve the security level besides implementing the baseline feature of DG and CG. 

    You can check more details here: 

    https://technet.microsoft.com/en-us/itpro/windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard

    According to my knowledge, CG requires a domain network. 

    If the trusted software you mentioned means security applications, we may not need them. 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 4, 2017 6:39 AM
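    The reply above explains which of the readiness tool's "absent" items matter (TPM-backed keys, HVCI, Secure MOR, NX, SMM). The following PowerShell script is an added example, not code from the thread or from Microsoft's readiness tool: it reads the same Win32_DeviceGuard WMI class that reports VBS status and decodes the numeric codes (code tables as documented by Microsoft for that class) so you can see which services are configured versus actually running, which hardware properties are missing, and whether Credential Guard's keys are TPM-protected. It assumes Windows 10 with the TrustedPlatformModule module present and an elevated session.

```powershell
# Added example (not from the thread): decode Win32_DeviceGuard, the class the
# readiness tool reads, and cross-check it with the TPM state. Run elevated.

# Code tables from Microsoft's Win32_DeviceGuard documentation.
$SecurityProperty = @{
    0 = 'No relevant properties'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite (Secure MOR)'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control (MBEC)'
}
$SecurityService = @{
    0 = 'None'
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$VbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

function Get-VbsReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # TPM state; a missing TPM (as in the original poster's case) leaves both false.
    $tpmPresent = $false; $tpmReady = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop            # TrustedPlatformModule module
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch { }                                    # no TPM module or no TPM: treat as absent

    # Required properties that the platform does not offer are what the
    # readiness tool lists as "absent".
    $missing = @($dg.RequiredSecurityProperties |
        Where-Object { $dg.AvailableSecurityProperties -notcontains $_ })

    [pscustomobject]@{
        VbsStatus            = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured   = @($dg.SecurityServicesConfigured  | ForEach-Object { $SecurityService[[int]$_] })
        ServicesRunning      = @($dg.SecurityServicesRunning     | ForEach-Object { $SecurityService[[int]$_] })
        PropertiesRequired   = @($dg.RequiredSecurityProperties  | ForEach-Object { $SecurityProperty[[int]$_] })
        PropertiesAvailable  = @($dg.AvailableSecurityProperties | ForEach-Object { $SecurityProperty[[int]$_] })
        PropertiesMissing    = @($missing | ForEach-Object { $SecurityProperty[[int]$_] })
        TpmPresent           = $tpmPresent
        TpmReady             = $tpmReady
        # Credential Guard keys are only TPM-sealed when CG runs AND the TPM is ready.
        CgKeysTpmProtected   = ($tpmReady -and ($dg.SecurityServicesRunning -contains 1))
    }
}

$report = Get-VbsReport
$report | Format-List

if (($report.ServicesRunning -contains 'Credential Guard') -and -not $report.TpmReady) {
    Write-Warning 'Credential Guard is running, but its keys are software-protected (no usable TPM).'
}
if ($report.ServicesConfigured -contains 'Hypervisor-enforced Code Integrity (HVCI)' -and
    $report.ServicesRunning -notcontains 'Hypervisor-enforced Code Integrity (HVCI)') {
    Write-Warning 'HVCI is configured but not running; check for incompatible kernel drivers.'
}
```

    The useful comparison is ServicesConfigured against ServicesRunning: a service that is configured but not running is the symptom of a blocked prerequisite, such as the HVCI-incompatible drivers the readiness tool listed. The WMI class cannot tell you which driver is at fault; that is what the readiness tool's driver scan is for.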
    Owner
  • Are you sure that my machine needs to be joined to a domain for CG to work? When I ran the readiness tool on my workgroup joined machine it didn't fail the tests. In fact it said: "Device Guard / Credential Guard  can be enabled on this machine". I can't seem to find anything about this online so is a workgroup based machine ok for CG and DG?

    What I was asking in my last question (Can I still sign/enable trusted software?) is, once I have DG/CG enabled and configured, how do I add new applications and/or existing applications to be trusted/verified/signed so that they can run?

    Tuesday, April 4, 2017 7:43 AM
  • Hi, 

    Thanks for clarifying this question. I have to say we can enable CG and DG on a computer which is not joined to any domain. 

    But we recommend using Credential Guard in a domain, since some ways to store credentials are not protected by Credential Guard, including local accounts and Microsoft accounts. 

    For another question, check this article:

    Use Windows 10 Device Guard to Trust Your Software
    http://blog.edentechnologies.com/use-windows-10-device-guard-to-trust-your-software

    Please Note: Since the websites are not hosted by Microsoft, the links may change without notice. Microsoft does not guarantee the accuracy of this information. 


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, April 5, 2017 8:40 AM
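    The linked article covers trusting your own software with a Device Guard code integrity policy. As an added example that is not part of the thread or the linked article, the PowerShell below shows the workflow on a standalone (workgroup) machine using the ConfigCI cmdlets that ship with Windows 10: scan the installed software into a base policy, start in audit mode, merge in one more application folder, and deploy the binary policy. The folder paths C:\CIPolicy and C:\Program Files\ExampleApp are placeholders for this example; replace them with your own.

```powershell
# Added example (not from the thread): build, audit and deploy a Device Guard
# code integrity policy that trusts the software on this machine. Run elevated.

$Work   = 'C:\CIPolicy'                   # working folder (placeholder path)
$NewApp = 'C:\Program Files\ExampleApp'   # application to add later (placeholder path)
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Scan the system and trust what is installed by its signing publisher,
#    falling back to file hashes for unsigned binaries. -UserPEs also covers
#    user-mode executables, not only drivers.
New-CIPolicy -FilePath "$Work\Base.xml" -Level Publisher -Fallback Hash -UserPEs -ScanPath 'C:\'

# 2. Rule option 3 = "Enabled:Audit Mode": files that would be blocked are only
#    logged to Microsoft-Windows-CodeIntegrity/Operational, never refused.
Set-RuleOption -FilePath "$Work\Base.xml" -Option 3

# 3. Trust one more application: scan just its folder and merge the rules in.
New-CIPolicy -FilePath "$Work\App.xml" -Level Publisher -Fallback Hash -UserPEs -ScanPath $NewApp
Merge-CIPolicy -OutputFilePath "$Work\Merged.xml" -PolicyPaths "$Work\Base.xml", "$Work\App.xml"

# 4. Convert to the binary form Windows loads and place it where the kernel
#    picks it up at the next boot (single-policy format used by Windows 10 1703).
ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" -BinaryFilePath "$Work\SIPolicy.p7b"
Copy-Item "$Work\SIPolicy.p7b" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# 5. After rebooting and using the machine normally, review audit events
#    (ID 3076 = would have been blocked in enforced mode). Add rules for
#    anything legitimate, then drop option 3, reconvert and redeploy to enforce.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object Id -eq 3076 |
    Select-Object TimeCreated, Message

# To enforce once the audit log is clean:
# Set-RuleOption -FilePath "$Work\Merged.xml" -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath "$Work\Merged.xml" -BinaryFilePath "$Work\SIPolicy.p7b"
# Copy-Item "$Work\SIPolicy.p7b" 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
```

    Nothing here needs a domain: the policy is a local file, so a workgroup machine can use Device Guard exactly as the second reply says. Choosing -Level Publisher means future updates from the same signer keep running without a new policy, while the hash fallback pins unsigned files to their exact contents, so those do need a re-scan and merge when they change.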