

ConfigMgr: Identifying Win10 Credential Guard Hardware Requirements

Attachments: HP-InstrumentedBIOS, OMCI_SMS_DEF, TPM (the MOF files referred to below)

With Windows 10 Enterprise, organizations can take advantage of Credential Guard, which uses virtualization-based security to isolate secrets (NTLM password hashes, Kerberos Ticket Granting Tickets and domain credentials stored by applications) so that only privileged system software running inside that isolated environment can access them. Because those secrets can no longer be read out of LSASS memory on a compromised host, credential theft attacks such as Pass-the-Hash and Pass-the-Ticket against domain accounts are blunted. Note that Credential Guard does not protect local account hashes held in the SAM, nor credentials that an application keeps in its own memory; it is one layer of defense rather than a complete fix.

While Credential Guard is an effective way to protect against these types of attacks, it comes with specific hardware requirements that must be met before it can be enabled.

The sections below describe one scenario for using System Center Configuration Manager (2012 or current branch) to identify which systems do and do not meet the core requirements for Credential Guard: UEFI firmware, Secure Boot, hardware virtualization (Intel VT-x or AMD-V with SLAT) and a TPM 1.2 or 2.0. Strictly speaking the TPM is optional for Credential Guard, but without it the keys protecting the isolated credentials are not bound to hardware, so it is treated as a requirement here.


Extending Inventory

Extending Configuration Manager's hardware inventory is the core process for obtaining the Credential Guard requirement data from the client systems. Import each of the attached MOF files (save each file and rename it with a .mof extension) through Administration > Client Settings > Default Client Settings > Hardware Inventory > Set Classes > Import, so that all of the required WMI classes and attributes are included in the inventory collection settings.

NOTE: If the site already has a Win32_TPM class, compare it to the contents of the TPM MOF. If the existing class is missing any of the attributes in the file, delete it and import the new TPM.mof.


Deployment of Proprietary Client Tools

Some hardware manufacturers and models will require additional configuration before the systems will report the desired WMI data to Configuration Manager.

To satisfy the requirements described here, the Dell Command | Monitor tool must be deployed to the clients, because it is what creates and populates the WMI namespace (root\dcim\sysman) that stores the BIOS data on each system. Extract the MSI from the downloaded EXE, use it to create a new application in ConfigMgr and deploy it to a collection of Dell systems.

Note: The OMCI_SMS_DEF.mof that Dell provides with the Command | Monitor tool contains a syntax error, which will prevent it from being imported into Configuration Manager. The MOF attached here has already been corrected, and should be used in place of the MOF provided by Dell.

In addition to the Dell Command | Monitor tool, you will also need to download the Dell Command | Configure tool, and then use its GUI to create a “multiplatform” self-contained executable (SCE) that contains the system configuration detail required to enable TPM and any other hardware components. At the very least, the TPM chip will need to be enabled; otherwise, Dell TPM data will not be available in WMI.

Use the SCE to create a new package in ConfigMgr, and deploy it to the same Dell collection. While the SCE runs silently, you’ll need to add a /nolog option to the command line to prevent the program from creating a log file within the directory that it’s located. It could fail if this option isn’t used.

NOTE: Since each manufacturer and model varies, additional deployments and configurations using these or other tools may be necessary to obtain all of the data you need from your environment. Refer to the Dell documentation for the Command Monitor and Configure tools for usage details as well as the documentation for any additional tools that will be used.
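Before waiting on a hardware inventory cycle, it is worth confirming on a single client that the WMI classes the imported MOFs inventory (the Extending Inventory section) actually exist and hold data, and that the vendor tools deployed above have created their namespaces. The script below is an added example, not code from the original post or from Dell, HP or Microsoft. The namespaces and class names are the ones used by Win32_Tpm, Dell Command | Monitor and the HP BIOS provider; the attribute-name filters mirror the post's SQL query and are assumptions about what your firmware exposes.

```powershell
# Added example (not from the original post). Run elevated on one client.

function Get-VendorBiosAttributes {
    # Returns the Secure Boot / UEFI / virtualization attributes the vendor provider exposes,
    # or nothing (with a warning) when the provider namespace is missing, i.e. tool not installed.
    $mfr = (Get-CimInstance -ClassName Win32_ComputerSystem).Manufacturer
    try {
        if ($mfr -match '^Dell') {
            Get-CimInstance -Namespace 'root\dcim\sysman' -ClassName DCIM_BIOSEnumeration -ErrorAction Stop |
                Where-Object { $_.AttributeName -match 'Secure Boot|UEFI|Boot Mode|Virtual' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Attribute = $_.AttributeName
                        Value     = ($_.CurrentValue -join ',')             # CurrentValue is a string array
                        Possible  = ($_.PossibleValuesDescription -join '|')
                    }
                }
        }
        elseif ($mfr -match '^(HP|Hewlett-Packard)') {
            Get-CimInstance -Namespace 'root\HP\InstrumentedBIOS' -ClassName HPBIOS_BIOSEnumeration -ErrorAction Stop |
                Where-Object { $_.Name -match 'Secure Boot|UEFI Boot Mode|Virtualization Technology|\(Vtx\)' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Attribute = $_.Name
                        Value     = $_.CurrentValue
                        Possible  = ($_.PossibleValues -join '|')
                    }
                }
        }
        else {
            Write-Warning "No BIOS provider known for manufacturer '$mfr'; extend this function for other vendors."
        }
    }
    catch {
        Write-Warning "Vendor BIOS namespace not available ($($_.Exception.Message)); deploy the vendor tool first."
    }
}

function Get-TpmState {
    # Win32_Tpm lives in root\cimv2\Security\MicrosoftTpm. No instance means the OS cannot see a TPM
    # (absent, or disabled in firmware), which is exactly what the Dell SCE above is deployed to fix.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) { return $null }
    [pscustomobject]@{
        Enabled     = $tpm.IsEnabled_InitialValue
        Activated   = $tpm.IsActivated_InitialValue
        Owned       = $tpm.IsOwned_InitialValue
        SpecVersion = $tpm.SpecVersion                  # "1.2, 2, 3" or "2.0, 0, 1.16": the TPM family
        PpiVersion  = $tpm.PhysicalPresenceVersionInfo  # Physical Presence Interface version, not the TPM version
    }
}

function Get-OsSideReadiness {
    # What Windows itself reports, independent of vendor WMI. Confirm-SecureBootUEFI throws on
    # legacy-BIOS systems, which is itself the answer. Win32_DeviceGuard (Windows 10) lists the
    # VBS properties available: 1 = VBS base, 2 = Secure Boot, 3 = DMA protection;
    # SecurityServicesRunning contains 1 when Credential Guard is running.
    try   { $sb = Confirm-SecureBootUEFI; $fw = 'UEFI' }
    catch { $sb = $false; $fw = 'Legacy BIOS or unsupported' }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Firmware               = $fw
        SecureBoot             = $sb
        VbsAvailableProperties = if ($dg) { $dg.AvailableSecurityProperties -join ',' } else { 'n/a' }
        CredentialGuardRunning = if ($dg) { 1 -in $dg.SecurityServicesRunning } else { $false }
    }
}

# Usage: an at-a-glance picture of one client before ConfigMgr inventories it.
Get-OsSideReadiness    | Format-List
Get-TpmState           | Format-List
Get-VendorBiosAttributes | Format-Table -AutoSize
```

If Get-TpmState returns nothing on a machine that physically has a TPM, the chip is disabled in firmware and the Command | Configure SCE has not run yet; if Get-VendorBiosAttributes warns about a missing namespace, the Command | Monitor (or HP) provider is not installed, and ConfigMgr will inventory an empty class no matter how many cycles you trigger.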


Reporting the New Data

After everything described in the sections above has been completed, and all of the systems have run any other required client software, make sure the targeted ConfigMgr clients perform a machine policy retrieval cycle (so they pick up the extended inventory policy) followed by a hardware inventory cycle.

This ensures that the Configuration Manager database contains all of the new inventory classes, attributes and data required by the SQL statement below.

NOTE: Use SQL Server Management Studio to execute the query against the site database and confirm that it runs without syntax errors or errors about missing views or columns. A missing view (for example v_GS_TPM or v_GS_HPBIOS_BIOSENUMERATION) means the corresponding MOF was not imported; a missing column means the class was imported without that attribute.
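Triggering those two client actions by hand through the Configuration Manager control panel does not scale to a collection. The script below is an added example, not code from the original post: it triggers machine policy retrieval first and a hardware inventory cycle second on a list of clients, with an option to force a full rather than delta inventory report. The schedule IDs are the standard ConfigMgr client trigger IDs; the computer names, the placeholder collection name and the 60-second wait for policy to arrive are assumptions.

```powershell
# Added example (not from the original post). Requires admin rights on the target clients.

$MachinePolicyId = '{00000000-0000-0000-0000-000000000021}'   # Machine Policy Retrieval & Evaluation Cycle
$HardwareInvId   = '{00000000-0000-0000-0000-000000000001}'   # Hardware Inventory Cycle

function Invoke-CcmInventoryRefresh {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [switch]$Full,                 # forget the last report so the next inventory is full, not delta
        [int]$PolicyWaitSeconds = 60   # assumption: long enough for the client to download the new policy
    )
    foreach ($c in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $c -ErrorAction Stop

            # 1. Machine policy first, so the client learns about the newly imported inventory classes
            Invoke-CimMethod -CimSession $session -Namespace 'root\ccm' -ClassName SMS_Client `
                -MethodName TriggerSchedule -Arguments @{ sScheduleID = $MachinePolicyId } | Out-Null
            Start-Sleep -Seconds $PolicyWaitSeconds

            # 2. Optionally drop the inventory agent's stored state for the HW inventory action;
            #    without it the agent sends a full report instead of a delta.
            if ($Full) {
                Get-CimInstance -CimSession $session -Namespace 'root\ccm\invagt' -ClassName InventoryActionStatus |
                    Where-Object { $_.InventoryActionID -eq $HardwareInvId } |
                    Remove-CimInstance
            }

            # 3. Hardware inventory cycle
            Invoke-CimMethod -CimSession $session -Namespace 'root\ccm' -ClassName SMS_Client `
                -MethodName TriggerSchedule -Arguments @{ sScheduleID = $HardwareInvId } | Out-Null

            [pscustomobject]@{ Computer = $c; Result = 'Triggered' }
        }
        catch {
            [pscustomobject]@{ Computer = $c; Result = "Failed: $($_.Exception.Message)" }
        }
        finally {
            if ($session) { Remove-CimSession $session }
        }
    }
}

# Usage. The members of the Dell/HP collection can be read with the ConfigMgr console module
# (placeholder collection name): $targets = (Get-CMCollectionMember -CollectionName 'Credential Guard Candidates').Name
Invoke-CcmInventoryRefresh -ComputerName 'PC-DELL-01', 'PC-HP-02' -Full
```

A 'Triggered' result only means the client accepted the schedule; allow a few minutes for the inventory to be processed by the management point and the site server before running the query.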


Select
    CS.Manufacturer0 [Manufacturer],
    CS.Model0 [Model],
    CS.Name0 [Name],
    Dell.AttributeName0 [BIOS Attribute],
    Dell.CurrentValue0 [BIOS Value],
    Dell.PossibleValuesDescription0 [Possible Values],
    TPM.IsEnabled_InitialValue0 [TPM Enabled],
    TPM.IsOwned_InitialValue0 [TPM Owned],
    TPM.IsActivated_InitialValue0 [TPM Activated],
    TPM.PhysicalPresenceVersionInfo0 [TPM Version]   -- Physical Presence Interface version; see note below
From v_GS_Computer_System as CS
Join v_GS_Dell_DCIM_BIOSEnumeration0 as Dell on CS.ResourceID = Dell.ResourceID
Left Join v_GS_TPM as TPM on TPM.ResourceID = CS.ResourceID   -- left join: machines without a visible TPM still appear, with NULL TPM columns
Where Dell.AttributeName0 = 'Secure Boot'
   or Dell.AttributeName0 Like '%UEFI%'
   or Dell.AttributeName0 = 'Boot Mode'
   or Dell.AttributeName0 Like '%Virtual%'

Union   -- combines the Dell and HP results into a single result set

Select
    CS.Manufacturer0 [Manufacturer],
    CS.Model0 [Model],
    CS.Name0 [Name],
    HP.Name0 [BIOS Attribute],
    HP.CurrentValue0 [BIOS Value],
    HP.PossibleValues0 [Possible Values],
    TPM.IsEnabled_InitialValue0 [TPM Enabled],
    TPM.IsOwned_InitialValue0 [TPM Owned],
    TPM.IsActivated_InitialValue0 [TPM Activated],
    TPM.PhysicalPresenceVersionInfo0 [TPM Version]
From v_GS_Computer_System as CS
Join v_GS_HPBIOS_BIOSENUMERATION as HP on CS.ResourceID = HP.ResourceID
Left Join v_GS_TPM as TPM on TPM.ResourceID = CS.ResourceID
Where HP.Name0 = 'Secure Boot'
   or HP.Name0 = 'UEFI Boot Mode'
   or HP.Name0 = 'Virtualization Technology'
   or HP.Name0 Like '%(Vtx)%'
Order By [Manufacturer], [Model]

Two caveats on reading the output. First, the query returns one row per BIOS attribute, so each machine appears several times, and only machines that have the Dell or HP BIOS class inventoried appear at all; a Dell or HP system that is missing from the output most likely never received the vendor tool. Second, Win32_TPM's PhysicalPresenceVersionInfo is the version of the Physical Presence Interface (1.2 or 1.3), not the TPM specification version; if the imported TPM.mof inventories SpecVersion, add TPM.SpecVersion0 to the select list to tell TPM 1.2 from TPM 2.0.
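Because the query yields one row per attribute, the practical next step is to collapse the rows into one readiness verdict per machine. The script below is an added example, not code from the original post. The rows it works on are constructed sample data in the same column layout as the query output; in practice replace them with the result of Invoke-Sqlcmd against the site database (the server and database names and the $query variable are placeholders). The value strings matched by $On are assumptions (Dell reports Enabled/UEFI, HP reports Enable in this model); adjust them to what your inventory actually shows.

```powershell
# Added example (not from the original post): one readiness verdict per machine from the query rows.

$On = '^(Enabled?|On|UEFI)$'   # assumption: strings the vendors use for "on"; anchored so "Disabled" never matches

function Get-CredentialGuardReadiness {
    param([Parameter(Mandatory)][object[]]$Rows)
    foreach ($g in ($Rows | Group-Object Name)) {
        $first = $g.Group[0]
        $attr  = @{}
        foreach ($r in $g.Group) { $attr[$r.'BIOS Attribute'] = [string]$r.'BIOS Value' }

        $secureBoot = $attr['Secure Boot'] -match $On
        $uefi = [bool]($attr.GetEnumerator() | Where-Object { $_.Key -match 'UEFI|Boot Mode' -and $_.Value -match $On })
        $virt = [bool]($attr.GetEnumerator() | Where-Object { $_.Key -match 'Virtual|Vtx'    -and $_.Value -match $On })

        # The query's left join leaves the TPM columns NULL (DBNull from Invoke-Sqlcmd) when no Win32_TPM was inventoried
        $tpmEnabled = $first.'TPM Enabled'
        $hasTpmRow  = ($null -ne $tpmEnabled) -and ($tpmEnabled -isnot [DBNull])
        $tpmOk      = $hasTpmRow -and [bool]$tpmEnabled -and [bool]$first.'TPM Activated'

        # Missing data is reported separately so "not ready" can be told apart from "not inventoried"
        $missing = @()
        if (-not $attr.ContainsKey('Secure Boot'))        { $missing += 'SecureBoot' }
        if (-not (@($attr.Keys) -match 'UEFI|Boot Mode')) { $missing += 'UEFI' }
        if (-not (@($attr.Keys) -match 'Virtual|Vtx'))    { $missing += 'Virtualization' }
        if (-not $hasTpmRow)                              { $missing += 'TPM' }

        [pscustomobject]@{
            Name           = $g.Name
            Manufacturer   = $first.Manufacturer
            Model          = $first.Model
            SecureBoot     = $secureBoot
            UEFI           = $uefi
            Virtualization = $virt
            TPM            = $tpmOk
            Ready          = $secureBoot -and $uefi -and $virt -and $tpmOk
            MissingData    = ($missing -join ',')
        }
    }
}

# Constructed sample rows in the query's column layout (replace with:
#   $rows = Invoke-Sqlcmd -ServerInstance 'SQL01\CM' -Database 'CM_P01' -Query $query   # placeholders)
$rows = @(
    [pscustomobject]@{ Manufacturer='Dell Inc.'; Model='Latitude E7470';   Name='PC-DELL-01'; 'BIOS Attribute'='Secure Boot';                     'BIOS Value'='Enabled';  'TPM Enabled'=$true; 'TPM Activated'=$true }
    [pscustomobject]@{ Manufacturer='Dell Inc.'; Model='Latitude E7470';   Name='PC-DELL-01'; 'BIOS Attribute'='Boot Mode';                       'BIOS Value'='UEFI';     'TPM Enabled'=$true; 'TPM Activated'=$true }
    [pscustomobject]@{ Manufacturer='Dell Inc.'; Model='Latitude E7470';   Name='PC-DELL-01'; 'BIOS Attribute'='Virtualization';                  'BIOS Value'='Enabled';  'TPM Enabled'=$true; 'TPM Activated'=$true }
    [pscustomobject]@{ Manufacturer='HP';        Model='EliteBook 840 G3'; Name='PC-HP-02';   'BIOS Attribute'='Secure Boot';                     'BIOS Value'='Disable';  'TPM Enabled'=$true; 'TPM Activated'=$true }
    [pscustomobject]@{ Manufacturer='HP';        Model='EliteBook 840 G3'; Name='PC-HP-02';   'BIOS Attribute'='UEFI Boot Mode';                  'BIOS Value'='Enable';   'TPM Enabled'=$true; 'TPM Activated'=$true }
    [pscustomobject]@{ Manufacturer='HP';        Model='EliteBook 840 G3'; Name='PC-HP-02';   'BIOS Attribute'='Virtualization Technology (VTx)'; 'BIOS Value'='Enable';   'TPM Enabled'=$true; 'TPM Activated'=$true }
    [pscustomobject]@{ Manufacturer='Dell Inc.'; Model='OptiPlex 7040';    Name='PC-DELL-03'; 'BIOS Attribute'='Secure Boot';                     'BIOS Value'='Disabled'; 'TPM Enabled'=$null; 'TPM Activated'=$null }  # TPM off in firmware: no Win32_TPM row
)

Get-CredentialGuardReadiness -Rows $rows | Format-Table -AutoSize
```

Machines whose MissingData column is non-empty need the vendor tool or the SCE deployed (or a fresh inventory cycle) before their Ready value means anything; machines with complete data and Ready set to False are the ones that need a firmware change.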


Senior Premier Field Engineer, Microsoft Corporation. Mark has been working as a Manageability PFE (SCCM/SCOM) for Microsoft since April 2006, supporting various CONUS/OCONUS engagements for the federal government. Prior to this, he worked with SMS/SCCM for various other organizations since approximately 1997 (starting with SMS v1.2). A native Texan, Mark lives in Virginia with his wife Christy. They have three children and one grandchild. LinkedIn Profile: https://www.linkedin.com/in/markserafine
