I'm attempting to run Device Guard on a Windows Server 2016 box. It is hosted on vCenter ESXi 6.7, virtualization-based security is enabled in vCenter (along with secure boot), and the Device Guard Compatibility Tool informs me my device is compatible and ready for Device Guard. I have tried enabling Device Guard through the local group policies, through the device guard script using the -enable flag (which gave a successful output), and through setting the registries themselves. I have rebuilt this VM in case it was the VM which was the issue. It was not. I have searched the Event Logs, as I'd read that previously some people were able to find events in the Kernel-Boot, HyperV, or WinInit logs that helped point them to the issue. I've found nothing in these logs or others to indicate any issues. I've further verified that Credential Guard is indeed not running, as I can grab passwords using Mimikatz still.
Attached is the system info and the output of the DG tool. I hope someone knows of a fix to this issue, thanks!
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Checking if the device is DG/CG Capable
====================== Step 1 Driver Compat ======================
Driver verifier already enabled
Verifying each module please wait ....
Completed scan. List of Compatible Modules can be found at C:\DGLogs\DeviceGuardCheckLog.txt
No Incompatible Drivers found
====================== Step 2 Secure boot present ======================
Secure Boot is present
====================== Step 3 MS UEFI HSTI tests ======================
Copying HSTITest.dll
HSTI Duple Count: 0
HSTI Blob size: 20
String: 01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HSTIStatus: True
HSTI is absent
====================== Step 4 OS Architecture ======================
64 bit arch.....
====================== Step 5 Supported OS SKU ======================
This PC edition is Supported for DeviceGuard
====================== Step 6 Virtualization Firmware ======================
Virtualization firmware check passed
====================== Step 7 TPM version ======================
get-tpm : The TBS service is not running and could not be started. (Exception from HRESULT: 0x80284008)
At C:\Users\Administrator\Downloads\dgreadiness_v3.6\dgreadiness_v3.6\DG_Readiness_Tool_v3.6.ps1:818 char:21
+ $TPMLockout = $(get-tpm).LockoutCount
+ ~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-Tpm], TpmWmiException
+ FullyQualifiedErrorId : Microsoft.Tpm.Commands.TpmWmiException,Microsoft.Tpm.Commands.GetTpmCommand
TPM is absent or not ready for use
====================== Step 8 Secure MOR ======================
Secure MOR is available
====================== Step 9 NX Protector ======================
NX Protector is available
====================== Step 10 SMM Mitigation ======================
SMM Mitigation is available
====================== End Check ======================
====================== Summary ======================
Device Guard / Credential Guard can be enabled on this machine.
The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:
HSTI is absent
TPM is absent or not ready for use
System Information:
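The readiness tool above only reports whether the platform is capable; it does not show what the running OS has actually configured versus started. The following PowerShell is an added example (not from the original post or from Microsoft's readiness script) that reads the Win32_DeviceGuard WMI class, which is what the OS uses to report VBS, Credential Guard and HVCI state, and cross-checks the registry values the group policy and the -Enable script write. It assumes an elevated PowerShell session on the Windows Server 2016 guest; the numeric meanings in the lookup tables are Microsoft's documented values for this class.

```powershell
# Added example: report configured vs. running VBS services on the local machine.
# Assumes an elevated PowerShell session on the guest being diagnosed.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# Documented value meanings for Win32_DeviceGuard properties
$vbsStatus = @{ 0 = 'VBS not enabled'; 1 = 'VBS enabled but not running'; 2 = 'VBS enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (hypervisor-enforced code integrity)' }
$props     = @{ 1 = 'Base VBS support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                4 = 'Secure Memory Overwrite (MOR)'; 5 = 'NX protections'; 6 = 'SMM mitigations';
                7 = 'Mode Based Execution Control' }

# Turn an array of numeric codes into readable names (unknown codes are shown as-is)
function Expand-Codes {
    param([int[]]$Codes, [hashtable]$Map)
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object { if ($Map.ContainsKey($_)) { $Map[$_] } else { "unknown($_)" } }) -join ', '
}

[pscustomobject]@{
    VirtualizationBasedSecurityStatus = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    SecurityServicesConfigured        = Expand-Codes $dg.SecurityServicesConfigured $services
    SecurityServicesRunning           = Expand-Codes $dg.SecurityServicesRunning $services
    RequiredSecurityProperties        = Expand-Codes $dg.RequiredSecurityProperties $props
    AvailableSecurityProperties       = Expand-Codes $dg.AvailableSecurityProperties $props
} | Format-List

# A property that is Required but not Available is the usual cause of "configured but not running":
# the OS refuses to start VBS rather than run it without a platform feature policy demanded.
$missing = @($dg.RequiredSecurityProperties) | Where-Object { $_ -notin @($dg.AvailableSecurityProperties) }
if ($missing) {
    Write-Warning ('Required platform properties not available: ' + (Expand-Codes $missing $props))
}

# Cross-check the registry values written by the Device Guard GPO / readiness script.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue |
    Select-Object EnableVirtualizationBasedSecurity, RequirePlatformSecurityFeatures
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue |
    Select-Object LsaCfgFlags
```

Reading the output: SecurityServicesConfigured listing Credential Guard while SecurityServicesRunning shows none, with VirtualizationBasedSecurityStatus at "enabled but not running", confirms the OS accepted the policy but the hypervisor-backed services never started; the Required/Available comparison then points at which platform property (Secure Boot, DMA protection, etc.) the policy demands but the VM does not expose. The same fields appear under "Virtualization-based security" in msinfo32, which is a useful second opinion if the CIM call returns nothing.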