December 19th, 2016 01:00

Cannot enable credential guard on Latitude E5470

Hi,


I'm trying to enable Credential Guard on my E5470, without success.
Device Guard and Credential Guard hardware readiness tool says:
"Machine is not Device Guard / Credential Guard compatible because of the following:
HSTI validation failed"
Another issue is when Hyper-v Hypervisor feature is enabled, I can't shut down the notebook. When I click on shut down, the machine puts itself into airplane mode, and goes to sleep instead.
All drivers and bios are up-to-date, the OS also.
Do you guys have any idea what could be a solution?

Thanks

December 19th, 2016 04:00

Getting the same thing here too, latest BIOS and TPM firmware upgraded to 2.0.


December 20th, 2016 07:00

Which version of Windows 10 are you using? Credential Guard and Device Guard are completely broken in the most recent patch for 1607 (KB3206632). We run these services on E5470s and on older devices (E5450 and E5440) without issue on the latest BIOS, despite the HSTI validation errors, and with the previous month's security patch (KB3200970) they work correctly.


December 20th, 2016 14:00

I'm using version 1607. I have had the KB3206632 patch installed since 14 Dec, but DG and CG weren't working before this update either. If I turn on DG and CG, I don't get any errors (except that I can't shut down the notebook), but lsaiso is not running.


December 21st, 2016 02:00

Just FYI. The issues we have been having are fixed in the latest update released 20th Dec, KB3213522. This update appears to be distributed via WSUS and the Microsoft Update Catalog only, and is not being pushed to Windows Update proper as far as I can see.

Some other issues that occurred when trying to enable this model for CG/DG that might help:

There are known restart/shutdown issues when running anything but the very latest BIOS (1.11.3).

By default, Windows Update installs a very old graphics driver on this model. There seems to be an old version on Windows Update that is a better match than any of the generic Intel drivers, and so it installs the old version as part of the automatic driver check after installation. This driver causes a lot of issues with flickering screen and freezes with DG enabled. The latest version direct from Dell, however, works correctly, but in our tests Windows sometimes chooses the older one even then.

We also found we needed to install a lot of drivers using the Dell-provided versions to avoid errors (even things like the Airplane mode switch driver apparently needed updating to support DG).

Hope that helps.


December 22nd, 2016 03:00

Thanks, I've tried installing the KB3213522 update. Still no luck, CG is not running - but at least the notebook shuts off, so it's an improvement...

All drivers are from Dell, and the very latest version.

Situation is the same: I can turn on DG/CG, no error, but no lsaiso process, and the script says CG is not running...


December 25th, 2016 13:00

I don't suppose your devices were upgraded to TPM 2.0 from 1.2?

We ran into an issue with the first Optiplex 3040 we upgraded and converted to TPM 2.0 from 1.2.

Device guard works on this device, but credential guard fails, and an eventID 124 from Kernel-Boot is logged in the system event log saying that there was an issue initialising virtualisation based security.

For us on a normal device, the PowerShell command:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

returns:

SecurityServicesConfigured                   : {1, 2}

SecurityServicesRunning                      : {1, 2}

Whereas on the failed device:

SecurityServicesConfigured                   : {1, 2}

SecurityServicesRunning                      : {2}

Does that sound like it matches the issue you have?


January 5th, 2017 03:00

I have the same issue and tried uninstalling the new cumulative updates back until "KB3200970"; the issue still persists on our Dell Latitude 5270 and 5570 laptops.


January 5th, 2017 06:00

Dell Support:

[..]

Thank you for your request.

Please contact Microsoft to solve the problem.

That's not a hardware problem with the Dell system.


January 5th, 2017 12:00

TPM was upgraded to 2.0.

The PS cmd returns:

RequiredSecurityProperties                   : {1, 2, 3}

SecurityServicesConfigured                   : {1, 2}

SecurityServicesRunning                      : {2}

UsermodeCodeIntegrityPolicyEnforcementStatus : 1

Version                                      : 1.0

VirtualizationBasedSecurityStatus            : 2

It looks like the issue you mentioned above is similar to mine.

I also have the event:

"The Virtualization Based Security enablement policy check at phase 6 failed with status: Unknown NTSTATUS Error code: 0xc0290104"
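As an added example (not code from the thread), the PowerShell below reads the same Win32_DeviceGuard class the posts above quote and decodes it against Microsoft's documented service codes (1 = Credential Guard, 2 = HVCI), then checks for the LsaIso process and the most recent Kernel-Boot event 124, so a "configured but not running" Credential Guard is reported in one place. It assumes Windows 10 1607 or later and an elevated prompt for the System log query.

```powershell
# Added example, not from the thread. Service and status codes follow the
# Microsoft Win32_DeviceGuard documentation; the LsaIso process name and the
# Kernel-Boot event 124 are the indicators mentioned in the posts above.
$ServiceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$VbsStatus    = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

function ConvertTo-ServiceList($Codes) {
    # Map numeric service codes to names; unknown codes are shown verbatim
    $Codes = @($Codes | Where-Object { $null -ne $_ })
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object {
        if ($ServiceNames.ContainsKey([int]$_)) { $ServiceNames[[int]$_] } else { "Unknown($_)" }
    }) -join ', '
}

function Get-CredentialGuardDiagnosis {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    if (-not $dg) { throw 'Win32_DeviceGuard class not available on this system.' }

    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)
    # Configured but not running is the exact symptom described in the thread
    $missing    = @($configured | Where-Object { $running -notcontains $_ })

    # Most recent Kernel-Boot 124 event, if any (the "no events" error is suppressed)
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Kernel-Boot'; Id = 124 } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VBSStatus            = $VbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        Configured           = ConvertTo-ServiceList $configured
        Running              = ConvertTo-ServiceList $running
        ConfiguredNotRunning = ConvertTo-ServiceList $missing
        LsaIsoProcess        = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        LastKernelBoot124    = if ($evt) { '{0}: {1}' -f $evt.TimeCreated, $evt.Message } else { 'none' }
    }
}

Get-CredentialGuardDiagnosis | Format-List
```

On the failing devices in this thread the output would show Credential Guard under ConfiguredNotRunning, LsaIsoProcess as False and the phase 6 policy check failure under LastKernelBoot124, which separates a firmware-side VBS start failure from a policy that was simply never applied.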


January 6th, 2017 11:00

Yes, this is exactly the same issue, and I believe the same error code, as we see on the test device we updated from TPM 1.2 to TPM 2.0. Our remaining devices of the same model are still using TPM 1.2, and Credential Guard works correctly.

As I understand it, on the E5470 the TPM can be reverted to TPM 1.2, and this is compatible with Credential Guard on Windows 10 1511 and later.

In our case reverting the TPM to 1.2 failed, as the installer doesn't seem to work on the Optiplex 3040, but this seems like it might allow you to use Credential Guard on your devices if you don't need any other functionality that requires TPM 2.0.

It appears that there is some difference between devices that ship from the factory with TPM 2.0 and one that is upgraded to this in the field.

(I don't have access to the test device right now, but the only thing left that I can think of that might cause it that can be fixed without a firmware fix from Dell is the UEFI boot variables. It seems possible that Windows stores some data about the TPM there. I know that changing the TPM mode changes the attestation key and it may be the error here relates to a TPM mismatch. I'm hoping to test this next week and will post again if it gets me anywhere.)

Hope that helps.


January 12th, 2017 02:00

To provide an update, I've had no luck with the UEFI variables.

Using the Microsoft-supported method to remove the UEFI lock does seem to remove all the variables related to the feature, and even after that, the same error occurs.

I'd be interested to hear if anyone had any luck reverting to TPM 1.2 on a device where this actually works?


January 12th, 2017 02:00

Unfortunately reverting to 1.2 seems to be an unsupported thing for the E5470 (on a 7470, if I remember correctly, it can be done). Googled everything, but always got to the same tool, which does not support the E5470...

I'm wondering if a clean install can do some improvement?

Don't really want to reinstall my notebook since I have a lot of stuff on it, but maybe I'll give it a try as a last resort.


January 12th, 2017 03:00

I know from experience that an E5470 can be reverted, as I've done it while troubleshooting the bug they fixed in BIOS 1.11.3. I successfully went from TPM 2.0 -> 1.2 -> 2.0 on that device, which shipped from the factory with 2.0. I'd give it a go anyway.

I believe you have to clear the TPM before the installer will work, however.

A clean install doesn't fix the issue. The Optiplex 3040 we have this issue with has been reimaged several times, including a BIOS clear and a replacement hard drive, and the issue is still occurring there, so whatever is causing the issue, the trigger is firmware related.


January 12th, 2017 03:00

What tool did you use to revert the TPM version?

The one I've found started the downgrade, but on the firmware flashing screen it said that the machine is not compatible.


January 12th, 2017 04:00

I believe I used the tool linked here:

en.community.dell.com/.../11850.how-to-change-tpm-modes-1-2-2-0

Which lists the E5470 as a supported model and links to:

www.dell.com/.../DriversDetails

But that is the one that didn't work on the Optiplex 3040 for me. Is this the tool that you already tried?