Remediate Credential Guard

This blog post covers how to use Remediations in Intune when Credential Guard reports as "Not Applicable" on Windows devices.

Recently, in one environment, we noticed a large number of errors on different endpoints under Endpoint Security, coming from the Windows 10 MDM Security Baseline. The assignment status reported back as Error, and digging into the individual settings of the Security Baseline per endpoint, the Credential Guard settings had the status Not applicable:

(Screenshot: the baseline's Credential Guard settings shown with status Not applicable)

"Not applicable" normally means the device does not meet a prerequisite, so the first question is: are all requirements for Credential Guard actually fulfilled on these devices?

A quick recap on the requirements of Credential Guard:

  • 64-bit CPU with virtualization extensions (Intel VT-x / AMD-V) and SLAT, so that virtualization-based security (VBS) can run
  • UEFI firmware with Secure Boot enabled
  • Trusted Platform Module (TPM 1.2 or 2.0; recommended)
  • UEFI lock (recommended; once locked, Credential Guard cannot be disabled remotely through policy or the registry, only with physical presence at boot)
  • Windows 10 Enterprise license (required for the virtualization-based security features that Credential Guard builds on)

Investigation

Locally we have several options for verifying that Credential Guard and its requirements are in order.

PowerShell

With the Win32_DeviceGuard class (namespace root\Microsoft\Windows\DeviceGuard) we can read the current status. The two properties below are arrays of numeric codes, so test for membership rather than equality; the relevant values are annotated in the comments:

$CredentialguardStatus = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

$CredentialguardStatus.SecurityServicesConfigured
# Empty / 0: no security service is configured.
# Contains 1: Windows Defender Credential Guard is configured.
# (Contains 2: HVCI is configured.)

$CredentialguardStatus.SecurityServicesRunning
# Empty / 0: no security service is running.
# Contains 1: Windows Defender Credential Guard is running.
# (Contains 2: HVCI is running.)

Event Log

Applications and Services Logs > Microsoft > Windows > DeviceGuard > Operational (log name Microsoft-Windows-DeviceGuard/Operational). The events here show whether VBS and Credential Guard started at boot and, if not, which prerequisite was missing.

Fixing The Issue

Because the Security Baseline reported these settings as "Not Applicable", the Windows Enterprise license was the first suspect. Rightly so: after checking these users, they did not have a Windows Enterprise license assigned (their devices had been provisioned earlier). Strangely enough, assigning the Enterprise license and rebooting their machines did not resolve the issue. To solve it we have a few options: a Win32 application, a regular PowerShell script, or Remediations. In this case I decided to go with Remediations.

To mitigate the issue, add the remediation package described below. Test and verify on a few selected devices before rolling out to production. If you are unsure, start by deploying only the Detection script; it reports the current state of each device and changes nothing.

Detection

Checks the status of the Credential Guard services and reports whether they are configured and running. If virtualization-based security is not running on the hardware, the script reports that and exits without requesting remediation. If the required Credential Guard registry settings are missing, the script exits with code 1, which tells Intune to run the Remediation script on that device.
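A detection script that implements the behaviour just described, written for this post as an added example (it is not the author's script). It also covers the Win32_DeviceGuard status check from the Investigation section. Assumptions: it is deployed as an Intune Remediation running as SYSTEM in 64-bit PowerShell; it follows the Intune contract of exit code 0 for "compliant" and 1 for "issue found, run remediation"; the registry values it checks are the ones Microsoft documents for enabling Credential Guard with UEFI lock (EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures, LsaCfgFlags). The EditionID is only reported, not enforced.

```powershell
# Intune Remediations - DETECTION script for Credential Guard (added example, not the post's own script).
# Exit 0 = nothing to remediate, exit 1 = remediation script should run. Everything written
# with Write-Output shows up in the Intune report as pre-remediation detection output.
$ErrorActionPreference = 'Stop'

# Registry values Microsoft documents for Credential Guard with UEFI lock (assumed target configuration).
$required = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'RequirePlatformSecurityFeatures'; Value = 1 }, # 1 = Secure Boot, 3 = Secure Boot + DMA protection
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';         Name = 'LsaCfgFlags';                       Value = 1 }  # 1 = enabled with UEFI lock, 2 = enabled without lock
)

try {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
} catch {
    Write-Output "Win32_DeviceGuard not available: $($_.Exception.Message)"
    exit 0   # nothing a script can fix; reported for visibility only
}

# Reported only: the post identifies a missing Enterprise license as the root cause, so surface the edition.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID

# AvailableSecurityProperties: 1 = base virtualization support, 2 = Secure Boot.
# Without both, VBS cannot run and no registry change will help, so report and exit without remediation.
$hwMissing = @(1, 2) | Where-Object { $dg.AvailableSecurityProperties -notcontains $_ }
if ($hwMissing) {
    Write-Output "Edition=$edition; VBS prerequisites missing (AvailableSecurityProperties lacks $($hwMissing -join ','))"
    exit 0
}

# Compare each documented registry value with what is on the device.
$missing = foreach ($r in $required) {
    $current = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
    if ($current -ne $r.Value) { "$($r.Path)\$($r.Name)=$current (want $($r.Value))" }
}

# SecurityServicesConfigured / SecurityServicesRunning are arrays; 1 means Credential Guard.
$configured = $dg.SecurityServicesConfigured -contains 1
$running    = $dg.SecurityServicesRunning    -contains 1
$vbsStatus  = $dg.VirtualizationBasedSecurityStatus   # 0 = not enabled, 1 = enabled not running, 2 = running

if ($missing) {
    Write-Output "Edition=$edition; VBS=$vbsStatus; CG configured=$configured running=$running; missing: $($missing -join '; ')"
    exit 1   # registry configuration absent or wrong: run the remediation script
}
if (-not $running) {
    # Configuration is present but Credential Guard is not up yet, usually a pending reboot.
    Write-Output "Edition=$edition; VBS=$vbsStatus; registry correct but Credential Guard not running (reboot pending?)"
    exit 1
}
Write-Output "Edition=$edition; VBS=$vbsStatus; Credential Guard configured and running"
exit 0
```

The hardware check exits 0 on purpose: a remediation script cannot add virtualization extensions or turn on Secure Boot, and exiting 1 there would just make Intune report a remediation that can never succeed. The output line still makes those devices easy to find in the report.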

Remediation

The remediation script removes certain Credential Guard related registry keys that affect Intune reporting and adds the required Credential Guard configuration to the registry (UEFI lock enabled). Important: after the remediation has executed, a reboot is required before the configuration takes effect and reports correctly.
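A remediation script for the configuration part, written for this post as an added example (it is not the author's script). It writes the registry values Microsoft documents for Credential Guard with UEFI lock, reads them back before reporting success, and exits 0 so that Intune re-runs detection afterwards. The removal of the Intune-reporting keys the post mentions is not reproduced here, because the post does not name them. Assumptions: runs as SYSTEM in 64-bit PowerShell; the target values match the detection script (EnableVirtualizationBasedSecurity=1, RequirePlatformSecurityFeatures=1, LsaCfgFlags=1).

```powershell
# Intune Remediations - REMEDIATION script for Credential Guard with UEFI lock (added example, not the post's own script).
# Exit 0 = remediation applied. A reboot is still required before Credential Guard runs and reports.
$ErrorActionPreference = 'Stop'

$settings = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'; Name = 'RequirePlatformSecurityFeatures'; Value = 1 }, # change to 3 to also require DMA protection
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';         Name = 'LsaCfgFlags';                       Value = 1 }  # 1 = UEFI lock, 2 = no lock
)

foreach ($s in $settings) {
    if (-not (Test-Path -Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    # Set-ItemProperty -Type DWord creates the value if absent and overwrites it if present, so the script is idempotent.
    Set-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -Type DWord
    Write-Output "Set $($s.Path)\$($s.Name) = $($s.Value)"
}

# Read back before claiming success; a silently failed write would otherwise be reported as remediated.
$bad = foreach ($s in $settings) {
    if ((Get-ItemProperty -Path $s.Path -Name $s.Name).($s.Name) -ne $s.Value) { "$($s.Path)\$($s.Name)" }
}
if ($bad) {
    Write-Output "Failed to apply: $($bad -join ', ')"
    exit 1
}

Write-Output "Credential Guard registry configuration applied; reboot required before it takes effect and reports correctly."
exit 0
```

Once LsaCfgFlags=1 has taken effect after a reboot, the UEFI lock means this configuration can no longer be removed by setting the values back to 0; undoing it requires the documented physical-presence procedure at boot, which is exactly why the post recommends testing on a few devices first.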