pkornel
1 Nickel

Cannot enable credential guard on Latitude E5470

Hi,


I'm trying to enable Credential Guard on my E5470, without success.
Device Guard and Credential Guard hardware readiness tool says:
"Machine is not Device Guard / Credential Guard compatible because of the following:
HSTI validation failed"
Another issue is that when the Hyper-V Hypervisor feature is enabled, I can't shut down the notebook. When I click on shut down, the machine puts itself into airplane mode, and goes to sleep instead.
All drivers and the BIOS are up to date, the OS also.
Do you guys have any idea what could be a solution?

Thanks

21 Replies
cumbrianblues
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

Getting the same thing here too, latest BIOS and TPM firmware upgraded to 2.0.

0 Kudos
mjdavison
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

Which version of Windows 10 are you using? Credential Guard and Device Guard are completely broken in the most recent patch for 1607 (KB3206632). We run these services on E5470s and on older devices (E5450 and E5440) without issue on the latest BIOS, despite the HSTI validation errors, and with the previous month's security patch (KB3200970) they work correctly.

0 Kudos
pkornel
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

I'm using version 1607. I have had the KB3206632 patch installed since 14 Dec, but DG and CG weren't working before this update. If I turn on DG and CG, I don't get any errors - except I can't shut down the notebook - but lsaiso is not running.

0 Kudos
mjdavison
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

Just FYI. The issues we have been having are fixed in the latest update released 20th Dec, KB3213522. This update appears to be distributed via WSUS and the Microsoft Update Catalog only, and is not being pushed to Windows Update proper as far as I can see.

Some other issues that occurred when trying to enable this model for CG/DG that might help:

There are known restart/shutdown issues when running anything but the very latest BIOS (1.11.3).

By default, Windows Update installs a very old graphics driver on this model. There seems to be an old version on Windows Update that is a better match than any of the generic Intel drivers, and so it installs the old version as part of the automatic driver check after installation. This driver causes a lot of issues with flickering screen and freezes with DG enabled. The latest version direct from Dell, however, works correctly, but in our tests Windows sometimes chooses the older one even then.

We also found we needed to install a lot of drivers using the Dell-provided versions to avoid errors (even things like the Airplane mode switch driver apparently needed updating to support DG).

Hope that helps.

pkornel
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

Thanks, I've tried installing the KB3213522 update. Still no luck, CG is not running - but at least the notebook shuts off, it's an improvement...

All drivers are from Dell, and the very latest version.

Situation is the same, I can turn on DG/CG, no error, but no lsaiso process, and the script says CG is not running...

0 Kudos
mjdavison
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

I don't suppose your devices were upgraded to TPM 2.0 from 1.2?

We ran into an issue with the first Optiplex 3040 we upgraded and converted to TPM 2.0 from 1.2.

Device Guard works on this device, but Credential Guard fails, and an event ID 124 from Kernel-Boot is logged in the system event log saying that there was an issue initialising virtualisation based security.

For us on a normal device, the PowerShell command:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

returns:

SecurityServicesConfigured                   : {1, 2}

SecurityServicesRunning                      : {1, 2}

Whereas on the failed device:

SecurityServicesConfigured                   : {1, 2}

SecurityServicesRunning                      : {2}

Does that sound like it matches the issue you have?

pdorsch
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

I have the same issue and tried uninstalling the new cumulative updates until "KB3200970"; the issue still persists on our Dell Latitude 5270+5570 laptops.

0 Kudos
pdorsch
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

Dell Support:

[..]

Thank you for your request.

Please contact Microsoft to solve the problem.

That's no hardware problem from the Dell system.

0 Kudos
pkornel
1 Nickel

RE: Cannot enable credential guard on Latitude E5470

TPM was upgraded to 2.0.

The PS cmd returns:

RequiredSecurityProperties                   : {1, 2, 3}

SecurityServicesConfigured                   : {1, 2}

SecurityServicesRunning                      : {2}

UsermodeCodeIntegrityPolicyEnforcementStatus : 1

Version                                      : 1.0

VirtualizationBasedSecurityStatus            : 2

It looks like the issue you mentioned above is similar to mine.

I also have the event:

"The Virtualization Based Security enablement policy check at phase 6 failed with status: Unknown NTSTATUS Error code: 0xc0290104"

0 Kudos
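
The check the posts above run by hand, as an added example that is not part of the original thread: it compares the configured and running security services from Win32_DeviceGuard and, on a live machine, adds the two corroborating signals mentioned (the lsaiso process and Kernel-Boot event 124). The function name `Get-VbsServiceReport` is hypothetical, and the value meanings are taken from Microsoft's documentation for the class, not from the thread.

```powershell
# Added example, not from the thread. Value meanings per Microsoft's
# Win32_DeviceGuard documentation (assumption: not stated in the posts).
$ServiceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI (hypervisor-enforced code integrity)' }
$VbsStatus    = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }

function Get-VbsServiceReport {           # hypothetical helper name
    param([Parameter(Mandatory)] $DeviceGuard)   # Win32_DeviceGuard instance or look-alike

    $running = @($DeviceGuard.SecurityServicesRunning)
    foreach ($id in ($DeviceGuard.SecurityServicesConfigured | Where-Object { $_ -ne 0 })) {
        $name = $ServiceNames[[int]$id]
        if (-not $name) { $name = "Unknown service ($id)" }
        [pscustomobject]@{
            Service   = $name
            Running   = $running -contains $id
            VbsStatus = $VbsStatus[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        }
    }
}

# Constructed sample: the values posted in the thread for the failing device.
$sample = [pscustomobject]@{
    SecurityServicesConfigured        = 1, 2
    SecurityServicesRunning           = , 2
    VirtualizationBasedSecurityStatus = 2
}
Get-VbsServiceReport -DeviceGuard $sample | Format-Table -AutoSize
# Credential Guard shows Running = False while HVCI shows True: VBS itself
# started, and only the Credential Guard service failed to come up.

# Live machine: same report plus the corroborating signals from the thread.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction SilentlyContinue
if ($dg) {
    Get-VbsServiceReport -DeviceGuard $dg | Format-Table -AutoSize

    # lsaiso is the process the posters look for when Credential Guard is up.
    'LsaIso running: {0}' -f [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    # Kernel-Boot event 124, reported in the thread for the VBS/CG failure.
    Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 124
    } -MaxEvents 5 -ErrorAction SilentlyContinue | Format-List TimeCreated, Message
}
```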