Windows-itpro-docs: DG_Readiness_Tool.ps1 reports Credential-Guard is enabled and running but i does not work as expacted
[Enter feedback here]
running the _DG_Readiness_Tool_v3.7.2.ps1 -Ready_
tells everything is running.
lsalso.exe is running too.
but credetial dumping from LSASS.exe is still possible:
found out on running _.DG_Readiness_Tool_v3.7.2.ps1 -Capable_
that there is SSM Mitigation an HSTI absent:
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: c12e9c4a-af05-9ecd-a791-ac89aa43787c
- Version Independent ID: 76517523-a960-c5fb-ce76-2c3efe642f37
- Content: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool - Microsoft 365 Security
- Content Source: windows/security/identity-protection/credential-guard/dg-readiness-tool.md
- Product: w10
- Technology: windows
- GitHub Login: @SteveSyfuhs
- Microsoft Alias: stsyfuhs
mario-sit
All 6 comments
Hello @mario-sit - Thank you for your feedback on the document. Can you please confirm what changes is required on the document side? Is this the code somewhere or anything else.
Thanks.
Imran.
joinimran
on 25 Oct 2020
This ticket appears to be about whether the security improvement is available and enabled, or not available and disabled, when running the DG Readiness Tool.
See for example closed issue ticket #5787 (Blue Screen Enabling DG/CG with DG Readiness Tool) and How do I enable HSTI, NX and SMM on Windows 10 Enterprise? (https://answers.microsoft.com/en-us/windows/forum/all/how-do-i-enable-hsti-nx-and-smm-on-windows-10/333c0fe1-6dd5-4ae2-b9f8-dce615de21c9?auth=1)
- https://www.bing.com/search?q=HSTI+SMM+Mitigation
- https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/uefi-security
- https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/fixed-combuffer-and-windows-smm-security-mitigation-table
- https://docs.microsoft.com/en-us/windows-hardware/drivers/bringup/hardware-security-test-interface-1-1a
illfated
on 25 Oct 2020
Hi @joinimran!
i think it is wrong in the description and the result of the ps1 script that there is mentioned, that device guard is working on all SKU's. it is only working on the Enterprise Edition. it does not take affect for example on win10 pro. it gives people a wrong confidence when running the script, and it tells that Credential Guard is running. even if it is not supported on other SKU's then the enterprise edition.
thank you, Mario
mario-sit
on 27 Oct 2020
i think it is wrong in the description and the result of the ps1 script that there is mentioned, that device guard is working on all SKU's. it is only working on the Enterprise Edition. it does not take affect for example on win10 pro. it gives people a wrong confidence when running the script, and it tells that Credential Guard is running. even if it is not supported on other SKU's then the enterprise edition.
But Windows (Pro) itself provide this feature in group policy editor (gpedit.msc) under:
Computer Configuration -> Administrative templates -> System -> Device Guard -> Turn on Virtualization Based Security
And there isn't such an info too.
beerisgood
on 27 Dec 2020
Regarding a document update and note to the effect of stating that the tool may only be effective on Windows 10 Enterprise:
PR #8869 is ready for review, comments, and suggestions.
illfated
on 28 Dec 2020
8869 has been merged. Thank you.
e0i
on 15 Jan 2021
Related issues
helloitsliam
·
3Comments
LanceMcCarthy
·
3Comments
michalzobec
·
3Comments
zjalexander
·
3Comments
ATR-Master
·
3Comments