Credential Guard: Enabled but not Running

  • Question

  • I have enabled Credential Guard in our environment via group policy, and it is working on most computers.  Recently, we re-imaged the first of our Lenovo A70z computers with the Windows 10 image.  When going through it to make sure everything is working properly, we found that Credential Guard is not running.  

    I've gone over everything I can think of, and everything looks right.  I found a few other threads mentioning this same issue, but they are either unsolved or the solution doesn't apply to my case.  One thread suggested that disabling and re-enabling Secure Boot in BIOS resolved the issue for multiple people, but I have tried that with no success.

    Here's what I see in System Information: 

    

    I've also tried running the CG/DG readiness tool, and got these results:

    Checking if the device is DG/CG Capable
     ====================== Step 1 Driver Compat ======================
    Driver verifier already enabled
    Verifing each module please wait ....
    InCompatible HVCI Kernel Driver Modules found
    
    Module: igdkmd64.sys
            Reason: execute pool type count:             4578
    Module: lbai.sys
            Reason: execute pool type count:                1
    Module: rtkvhd64.sys
            Reason: execute page mapping count:             4
    Module: prepdrv.sys
            Reason: execute pool type count:                2
    
     ====================== Step 2 Secure boot present ======================
    Secure boot is present
     ====================== Step 3 MS UEFI HSTI tests ======================
    Copying HSTITest.dll
    HSTI Duple Count: 0
    HSTI Blob size: 20
    String: 01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
    HSTIStatus: True
    HSTI is absent
     ====================== Step 4 OS Architecture ======================
    64 bit arch.....
     ====================== Step 5 Supported OS SKU ======================
    This PC edition is Supported for DeviceGuard
     ====================== Step 6 Virtualization Firmware ======================
    Virtualization firmware check passed
     ====================== Step 7 TPM version ======================
    TPM 1.2 is present. TPM 2.0 is Required.
     ====================== Step 8 Secure MOR ======================
    Secure MOR is absent
     ====================== Step 9 NX Protector ======================
    NX Protector is absent
     ====================== Step 10 SMM Mitigation ======================
    SMM Mitigation is absent
     ====================== End Check ======================
     ====================== Summary ======================
    Device Guard / Credential Guard  can be enabled on this machine.
    Following features are missing/absent which could further enhance security when present.
    InCompatible HVCI Kernel Driver Modules found
    HSTI is absent
    TPM 1.2 is present. TPM 2.0 is Required.
    Secure MOR is absent
    NX Protector is absent
    SMM Mitigation is absent

    I know that this hardware isn't going to support all of the more advanced features of Device Guard, but my understanding is that it is capable of using Credential Guard at least.  What would be causing Credential Guard to be 'enabled but not running', as shown in System Information?

    Wednesday, July 26, 2017 2:03 PM

Answers

  • I recently ran into this issue again, and came across this thread while researching it.  I'm not sure what the original issue turned out to be, but having just resolved the current issue I wanted to post the solution - 

    In today's case, the problem was that the CPU's virtualization extensions were not enabled in BIOS.  The clues that led me to this were in the event log, specifically:

    Event ID 15 from WinInit - Credential Guard is configured but the secure kernel is not running; continuing without Credential Guard.

    Event ID 124 from Kernel-Boot - The virtualization-based security enablement policy check at phase 0 failed with status: Virtual Secure Mode (VSM) is not initialized. The hypervisor or VSM may not be present or enabled.

    Event ID 41 from Hyper-V-Hypervisor - Hypervisor launch failed; Either VMX not present or not enabled in BIOS.

    Hope that helps whoever finds this thread next.  Who knows, maybe it will be me! :)

    • Marked as answer by NeighborGeek Friday, September 20, 2019 6:24 PM
    Friday, September 20, 2019 6:24 PM
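
The checks from the answer above combined into one script, as an added example that is not part of the original thread: it reads the Win32_DeviceGuard WMI class and looks for Event IDs 15, 124 and 41 logged since the last boot. The function name is hypothetical, and the script assumes the three events are written to the System log.

```powershell
# Added example; Get-CredentialGuardDiagnosis is a hypothetical helper name.
# Run from an elevated PowerShell prompt on the affected machine.
function Get-CredentialGuardDiagnosis {
    $dg  = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # In both SecurityServices* arrays the value 1 stands for Credential Guard.
    $configured = $dg.SecurityServicesConfigured -contains 1
    $running    = $dg.SecurityServicesRunning -contains 1

    # Assumption: the events are in the System log. Filter by ID, then match the
    # provider by substring; this also drops unrelated ID 41 events (Kernel-Power).
    $since  = $os.LastBootUpTime.AddMinutes(-5)   # small margin for early-boot events
    $filter = @{ LogName = 'System'; Id = 15, 41, 124; StartTime = $since }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -match 'Wininit|Kernel-Boot|Hyper-V-Hypervisor' })
    $hvFailed = [bool]($events | Where-Object { $_.Id -eq 41 })

    # VirtualizationFirmwareEnabled is only consulted when no hypervisor is running.
    $vtOff = (-not $cs.HypervisorPresent) -and (-not $cpu.VirtualizationFirmwareEnabled)

    $verdict = if (-not $configured) {
        'Credential Guard is not configured; check that the policy applied.'
    } elseif ($running) {
        'Credential Guard is configured and running.'
    } elseif ($hvFailed -or $vtOff) {
        'Hypervisor did not launch; check that CPU virtualization extensions are enabled in firmware.'
    } else {
        'Configured but not running for another reason; review the events listed.'
    }

    [pscustomobject]@{
        VbsStatus           = $dg.VirtualizationBasedSecurityStatus  # 0 off, 1 enabled but not running, 2 running
        CredGuardConfigured = $configured
        CredGuardRunning    = $running
        HypervisorPresent   = $cs.HypervisorPresent
        FirmwareVtEnabled   = $cpu.VirtualizationFirmwareEnabled
        Verdict             = $verdict
        Events              = $events | Select-Object TimeCreated, Id, ProviderName, Message
    }
}

Get-CredentialGuardDiagnosis | Format-List
```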

All replies

  • You could try resetting the BIOS or rebuilding the boot loader to check the result.

    Besides, I see in your CG/DG tool report that the TPM version is 1.2. Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on computers; 1.2 is not enough.

    Regards



    Thursday, July 27, 2017 2:47 AM
    Moderator
  • I believe we've already tried re-imaging the computer, but I can try resetting the BIOS.

    Besides applying to new computers being shipped by OEMs, I believe that TPM 2.0 is required for some of the more advanced Device Guard features.  My understanding is that the basic features of VBS, including Credential Guard, are still supported without TPM 2.0.  I believe the info just above and below the note that you quoted supports that understanding:

    All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard. Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
    The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.

    Baseline protections

    Baseline Protections | Description | Security benefits
    Hardware: Trusted Platform Module (TPM) | Requirement: TPM 1.2 or TPM 2.0, either discrete or firmware. TPM recommendations | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access.

    Also, on the page in the "TPM Recommendations" link above, I found this section which says that Credential Guard is supported even without a TPM:

    Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM.

    That does specify v1511, but I'm not sure if that's because Credential Guard was not available before v1511, or if something has changed since then.  I would expect that if it is saying v1511 had different requirements than newer builds, it would probably also call out what those requirements are for versions newer than v1511...

    In fact, as I think about it, I know for certain that Credential Guard will run on a computer w/o a TPM, because I have an older desktop here beside me that does not have a TPM in it, but shows Credential Guard as running.



    Thursday, July 27, 2017 1:08 PM