Windows Server 2016 DeviceGuard "Enabled but not running"

MartinPJones 1 Reputation point
2021-01-06T22:14:26.05+00:00

I'm attempting to run Device Guard on a Windows Server 2016 box. It is hosted on vCenter ESXi 6.7, virtualization-based security is enabled in vCenter (along with secure boot), and the Device Guard Compatibility Tool informs me my device is compatible and ready for Device Guard. I have tried enabling Device Guard through the local group policies, through the device guard script using the -enable flag (which gave a successful output), and through setting the registries themselves. I have rebuilt this VM in case it was the VM which was the issue. It was not. I have searched the Event Logs, as I'd read that previously some people were able to find events in the Kernel-Boot, HyperV, or WinInit logs that helped point them to the issue. I've found nothing in these logs or others to indicate any issues. I've further verified that Credential Guard is indeed not running, as I can grab passwords using Mimikatz still.

Attached are the system info and the output of the DG tool. I hope someone knows of a fix to this issue, thanks!

```text
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Checking if the device is DG/CG Capable
 ====================== Step 1 Driver Compat ======================
Driver verifier already enabled
Verifying each module please wait ....
Completed scan. List of Compatible Modules can be found at C:\DGLogs\DeviceGuardCheckLog.txt
No Incompatible Drivers found
 ====================== Step 2 Secure boot present ======================
Secure Boot is present
 ====================== Step 3 MS UEFI HSTI tests ======================
Copying HSTITest.dll
HSTI Duple Count: 0
HSTI Blob size: 20
String: 01,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,
HSTIStatus: True
HSTI is absent
 ====================== Step 4 OS Architecture ======================
64 bit arch.....
 ====================== Step 5 Supported OS SKU ======================
This PC edition is Supported for DeviceGuard
 ====================== Step 6 Virtualization Firmware ======================
Virtualization firmware check passed
 ====================== Step 7 TPM version ======================
get-tpm : The TBS service is not running and could not be started. (Exception from HRESULT: 0x80284008)
At C:\Users\Administrator\Downloads\dgreadiness_v3.6\dgreadiness_v3.6\DG_Readiness_Tool_v3.6.ps1:818 char:21
+     $TPMLockout = $(get-tpm).LockoutCount
+                     ~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-Tpm], TpmWmiException
    + FullyQualifiedErrorId : Microsoft.Tpm.Commands.TpmWmiException,Microsoft.Tpm.Commands.GetTpmCommand

TPM is absent or not ready for use
 ====================== Step 8 Secure MOR ======================
Secure MOR is available
 ====================== Step 9 NX Protector ======================
NX Protector is available
 ====================== Step 10 SMM Mitigation ======================
SMM Mitigation is available
 ====================== End Check ======================
 ====================== Summary ======================
Device Guard / Credential Guard can be enabled on this machine.

The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:
HSTI is absent
TPM is absent or not ready for use
```

System Information: [screenshot attached to the original post]


1 answer

  1. Jenny Yan-MSFT 9,321 Reputation points
    2021-01-07T07:22:28.167+00:00

    Hi,
    It will be difficult to troubleshoot further without useful info in the event logs. But based on the details you shared, TPM is absent or not ready for use. Kindly try to turn on the TPM as a test.
    https://learn.microsoft.com/en-us/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm#turn-on-the-tpm

    Or check the suggestion provided in the thread below, which has a similar error for VBS enabled but not running.
    https://www.reddit.com/r/intelnuc/comments/6va7wq/nuc6i5syh_win_server_2016_hyperv_use_vtpm_issue/

    Furthermore, one user also shared his experience on enabling both the Intel Virtualization Technology and Intel VT-d features.
    https://social.technet.microsoft.com/Forums/office/en-US/d0ef2b8b-c679-4fdb-b6b0-f64b64a57483/credential-guard?forum=win10itprosecurity

    ----------

    Hope this helps and please help to accept as Answer if the response is useful.

    Thanks,
    Jenny

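The question describes three ways of enabling VBS (GPO, the DG_Readiness script with -Enable, and the registry) that all ended in the "Enabled but not running" state, and the answer points at the TPM and at platform features (VT-d) as the things to check next. The following PowerShell is an added diagnostic example, not code from the question, the answer or the readiness tool: it reads the same state msinfo32 reports from the Win32_DeviceGuard WMI class, compares the security properties the written policy requires against the ones the platform says are available, checks the TPM, and pulls the Wininit / Kernel-Boot events that normally record why the secure kernel did not launch. The numeric meanings for the WMI values, the registry values and the Wininit event IDs 13 to 17 are taken from Microsoft's Credential Guard / VBS documentation and are noted as assumptions in the comments. Run it in an elevated PowerShell on the affected machine.

```powershell
# Added example, not part of the original question or answer.
# Assumption: value meanings below follow Microsoft's documented Win32_DeviceGuard
# class, the DeviceGuard/Lsa registry policy and the Wininit Credential Guard events.

$VbsStatusText = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$ServiceText   = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$PropertyText  = @{
    1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection (IOMMU)'
    4 = 'Secure MOR'; 5 = 'NX protections'; 6 = 'SMM mitigations'
}

function Get-VbsDiagnostics {
    # Same data msinfo32 shows under "Virtualization-based security".
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # Policy as written. GPO, the readiness script and manual edits all land here.
    $dgKey  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsaKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'          -ErrorAction SilentlyContinue

    # A property the policy requires but the platform does not report as available
    # (typically DMA protection when RequirePlatformSecurityFeatures = 3 on a VM
    # whose hypervisor exposes no IOMMU) keeps VBS at "Enabled but not running".
    $required  = @($dg.RequiredSecurityProperties)  | Where-Object { $_ -ne 0 }
    $available = @($dg.AvailableSecurityProperties) | Where-Object { $_ -ne 0 }
    $missing   = $required | Where-Object { $available -notcontains $_ }

    # Services that were configured but never started (1 = CG, 2 = HVCI).
    $configured = @($dg.SecurityServicesConfigured) | Where-Object { $_ -ne 0 }
    $running    = @($dg.SecurityServicesRunning)    | Where-Object { $_ -ne 0 }
    $notRunning = $configured | Where-Object { $running -notcontains $_ }

    # Same check the readiness tool failed on (TBS not running) but non-fatal here.
    try   { $t = Get-Tpm; $tpm = "Present=$($t.TpmPresent) Ready=$($t.TpmReady)" }
    catch { $tpm = "Unavailable: $($_.Exception.Message)" }

    # Wininit: 13 = LsaIso started, 14 = configuration flags, 15 = configured but
    # secure kernel not running, 16 = failed to launch, 17 = UEFI config unreadable.
    $cgEvents = Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Wininit'; Id = 13,14,15,16,17 } `
                             -MaxEvents 10 -ErrorAction SilentlyContinue
    # Kernel-Boot records whether the hypervisor/secure kernel were launched at boot.
    $bootEvents = Get-WinEvent -FilterHashtable @{ ProviderName = 'Microsoft-Windows-Kernel-Boot' } `
                               -MaxEvents 50 -ErrorAction SilentlyContinue |
                  Where-Object { $_.Message -match 'Virtualization|hypervisor|Secure' }

    $firstLine = { "$($_.Id): $(($_.Message -split "`n")[0])" }

    [pscustomobject]@{
        VbsStatus             = $VbsStatusText[[int]$dg.VirtualizationBasedSecurityStatus]
        PolicyEnableVbs       = $dgKey.EnableVirtualizationBasedSecurity
        PolicyRequireFeatures = $dgKey.RequirePlatformSecurityFeatures   # 1 = Secure Boot, 3 = Secure Boot + DMA
        PolicyLsaCfgFlags     = $lsaKey.LsaCfgFlags                      # 1 = CG with UEFI lock, 2 = without lock
        RequiredProperties    = ($required   | ForEach-Object { $PropertyText[[int]$_] }) -join ', '
        AvailableProperties   = ($available  | ForEach-Object { $PropertyText[[int]$_] }) -join ', '
        MissingProperties     = ($missing    | ForEach-Object { $PropertyText[[int]$_] }) -join ', '
        ServicesConfigured    = ($configured | ForEach-Object { $ServiceText[[int]$_] })  -join ', '
        ServicesNotRunning    = ($notRunning | ForEach-Object { $ServiceText[[int]$_] })  -join ', '
        Tpm                   = $tpm
        CredentialGuardEvents = ($cgEvents   | ForEach-Object $firstLine) -join "`n"
        KernelBootEvents      = ($bootEvents | ForEach-Object $firstLine) -join "`n"
    }
}

Get-VbsDiagnostics | Format-List
```

What to read off the output: VbsStatus should move from "Enabled but not running" to "Running" and ServicesNotRunning should be empty before Mimikatz is used as the final check. A non-empty MissingProperties line is the first thing to act on, because the readiness tool in the question only reports MOR, NX and SMM as available and never states whether the required set can be satisfied; if DMA protection is required and absent, either expose an IOMMU to the VM or set RequirePlatformSecurityFeatures to 1 (Secure Boot only) and reboot. Wininit event 15 ("configured but the secure kernel isn't running") is the log line to expect in exactly this state; its absence, together with an empty KernelBootEvents line, matches what the question reports and means the hypervisor itself is not being launched, which is where the VT-d and TPM suggestions in the answer come in.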