
Integrating Device Guard and Credential Guard H/W Readiness Tool w/ConfigMgr

Microsoft’s DG/CG Hardware Readiness Tool is a Windows PowerShell script that must run with elevated permissions. It evaluates Windows 10 (and Windows Server 2016) devices to determine whether they are capable of using these two security features, and it can also enable them. The tool can be downloaded here:

Microsoft Device Guard and Credential Guard Hardware Readiness Tool

It can also be used to check all installed drivers on the device for Hypervisor Code Integrity (HVCI) compatibility; however, Device Guard must be disabled while this check runs, because Device Guard could otherwise prevent a driver from loading, making it unavailable for the Readiness Tool to test.

NOTE: This tool requires Windows 10 or Windows Server 2016. To identify DG and CG capabilities for earlier operating systems, refer to this article:

ConfigMgr – Identifying Windows 10 Credential Guard Hardware Requirements

Features

Usage:

DG_Readiness.ps1 -[Enable/Disable/Capable/Ready] -[DG/CG/HVCI/HLK] -Path <ConfigCI policy> -AutoReboot

The tool’s associated Readme.txt file has additional detail; in summary, the tool can:

  • Verify, enable and disable a device’s Device Guard or Credential Guard capability
  • Check a device’s compatibility with partners’ Hardware Lab Kit tests
  • Check the status of Device Guard or Credential Guard on the device
  • Integrate with ConfigMgr or other deployment mechanisms to configure registry settings that reflect the device’s capabilities
  • Use an embedded ConfigCI policy in audit mode, applied by default to enable Device Guard when a custom policy is not provided


System Center Configuration Manager Inventory Extensions

Configuration changes to the hardware inventory settings of System Center Configuration Manager sites and clients must be made before ConfigMgr can be used with the readiness tool to report the data. Follow these steps, using the attached DG-CG HINV.mof file below, to complete these changes.

DG-CG HINV

1. Make a backup copy of the ConfigMgr site’s inboxes\clifiles.src\hinv\configuration.mof file.
2. Copy the contents of the DG-CG HINV.mof file, paste them into the Add extensions section in the lower part of the site’s inboxes\clifiles.src\hinv\configuration.mof, and save the file.
3. Use mofcomp.exe to compile the DG-CG HINV.mof file on an active ConfigMgr client. This client will be used to add the readiness tool registry settings to the site’s HINV client settings.
4. From the ConfigMgr console, navigate to Administration\Client Settings.
5. Double-click the Default Client Settings and select Hardware Inventory from the left pane.
6. Click the Set Classes button.
7. Click the Add button, and then click the Connect button in the Add Hardware Inventory Class window.
8. Enter the computer name of the system that already contains the WMI namespace and classes to be imported (the client from Step 3 above). Leave the WMI Namespace at the default root\cimv2. Check the Recursive box, and enter credentials if connecting to a remote system.

NOTE: If the system running the ConfigMgr console already has the WMI namespace and classes, leave the pre-populated computer name.

9. Click the Connect button when done.
10. Locate and check the box next to the Device_Credential_Guard class. Click OK.
11. Ensure that all of the newly imported inventory settings are unchecked for the Default Client Settings.
12. Create a new Custom Client Device Settings (with the new settings checked) and deploy it to a collection of Windows 10 devices in your organization.
13. Once the collections are created, deploy the new Custom Client Device Settings to each one.

Create and Deploy the DG/CG Readiness Tool (Application)

Follow the steps below to create and deploy the Application for the readiness tool.

NOTE: ConfigMgr 2007 sites do not support this Application model, which was introduced with ConfigMgr 2012.

1. From the ConfigMgr console, navigate to Software Library\Application Management\Applications
2. Right-click Applications and select Create Application.
3. Select the Manually specify the application information option. Click Next.
4. Enter the Name, Publisher and Software Version. Click Next.
5. Accept default settings for the Application Catalog entry page. Click Next.
6. Click the Add button on the Deployment Types page.
7. In the Create Deployment Type Wizard, change the Type to Script Installer.
8. Enter a Name for the Deployment Type. Click Next. (Ex. DG-CG Capability Check)
9. Click the Browse button to specify the correct Content Location.
10. Enter the name and extension of the ps1 script and the -Capable option for the Installation program command. Click Next. (Ex. DG_Readiness_Tool_v2.1.ps1 -Capable)
11. Click the Add Clause button on the Detection Method page.
12. Change the Setting Type of the Detection Rule to Registry, Select the HKEY_LOCAL_MACHINE hive, and enter System\CurrentControlSet\Control\DeviceGuard\Capabilities for the key.
13. Click OK, and then click Next to proceed to the User Experience page.
14. Change the Installation behavior to Install for system, change the Logon requirement to Whether or not a user is logged on, and the visibility to Hidden. Click Next.
15. Click Next through the remaining pages to complete the Deployment Type and Application wizards.
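Before deploying to a collection, it is worth confirming on one test client that both pieces the steps above depend on are actually in place: the Capabilities registry key used as the Application detection method (step 12) and the Device_Credential_Guard class that the compiled MOF adds to root\cimv2 (inventory extension steps 3 and 10). The following PowerShell is an added example, not part of the post or of Microsoft's tool; the property names CGCapable, DGCapable and HVCICapable are assumed from the column names in the SQL view used later on this page.

```powershell
# Added example (not from the original post or from Microsoft's Readiness Tool).
# Run elevated on one test client AFTER mofcomp has compiled DG-CG HINV.mof and
# AFTER DG_Readiness_Tool_v2.1.ps1 -Capable has run on it. It checks:
#   (a) the registry key used as the Application detection method exists, and
#   (b) the WMI class the MOF adds is present and populated, so a hardware
#       inventory cycle will actually collect something for this device.
# ASSUMPTIONS: the class name Device_Credential_Guard, the root\cimv2 namespace
# and the registry path come from the post; the property names CGCapable,
# DGCapable and HVCICapable are inferred from the SQL view columns (ConfigMgr
# appends '0' to inventoried property names) and may differ in the real MOF.

$regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities'
$namespace = 'root\cimv2'
$className = 'Device_Credential_Guard'
$props     = @('CGCapable', 'DGCapable', 'HVCICapable')   # assumed names

$result = [ordered]@{ Computer = $env:COMPUTERNAME }

# (a) Detection method: ConfigMgr treats the Application as installed only if
#     this key exists, so a missing key means the deployment keeps retrying.
$result.RegistryKeyPresent = Test-Path -Path $regPath
if ($result.RegistryKeyPresent) {
    # Record whatever values the tool wrote, without assuming their names.
    $values = (Get-ItemProperty -Path $regPath).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Value }
    $result.RegistryValues = $values -join '; '
}

# (b) Inventory class: created by mofcomp (Step 3) and imported in Step 10.
$cls = Get-CimClass -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue
$result.WmiClassPresent = [bool]$cls
if ($cls) {
    $missing = $props | Where-Object { $cls.CimClassProperties.Name -notcontains $_ }
    $result.MissingProperties = $missing -join ', '
    $inst = @(Get-CimInstance -Namespace $namespace -ClassName $className -ErrorAction SilentlyContinue)
    $result.InstanceCount = $inst.Count
    foreach ($p in $props) {
        if ($inst.Count -gt 0 -and $missing -notcontains $p) { $result[$p] = $inst[0].$p }
    }
}

# False or empty fields here mean hardware inventory will report nothing useful
# for this device; fix them on the test client before deploying the Custom
# Client Device Settings to the collection.
[pscustomobject]$result | Format-List
```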


Create and Deploy the DG/CG Readiness Tool (Legacy Package)

Follow the steps below to create and deploy the package for the readiness tool.

NOTE: These steps are recommended for ConfigMgr 2007 sites that do not support the Application model introduced with ConfigMgr 2012.

1. From the ConfigMgr console, navigate to Software Library\Application Management\Packages
2. Right-click Packages and select New Package.
3. Enter the necessary Name and other information for the package.
4. Select the This package contains source files check box, click the Browse button and navigate to the folder containing the files extracted from the downloaded ZIP file.
5. Click Next.
6. Ensure Standard Program is selected, and click Next.
7. Enter a Name for the new program.
8. Enter the following command line:

Powershell.exe -executionpolicy bypass .\DG_Readiness_Tool_v2.1.ps1 -Capable

9. Change the Run behavior to Hidden.
10. Change the Program can run option to Whether or not a user is logged on.
11. Click Next.
12. On the Requirements page, select This program can only run on the specified platforms, and check each of the Windows 10 platforms that are listed.
13. Click Next, and complete the wizard.
14. Follow the standard ConfigMgr processes for distributing the new package content to the required distribution points.
15. Follow the standard ConfigMgr processes to deploy the new package to the appropriate Windows 10 collection.

Reporting Results

Once the following have been completed, the SQL query at the end of this section can be used as an example for retrieving the new data from the ConfigMgr database:

  • The hardware inventory settings for the site have been updated.
  • Clients have received the updated policy.
  • The DG/CG Readiness Tool has been deployed to the necessary devices.
  • Clients have executed an updated hardware inventory cycle.


select s.Name0, cs.Manufacturer0, cs.Model0, os.Caption0, dg.CGCapable0, dg.DGCapable0, dg.HVCICapable0
from v_GS_DEVICE_CREDENTIAL_GUARD dg
inner join v_R_System s on dg.ResourceID = s.ResourceID
inner join v_GS_COMPUTER_SYSTEM cs on dg.ResourceID = cs.ResourceID
inner join v_GS_OPERATING_SYSTEM os on dg.ResourceID = os.ResourceID
/*
Uncomment the WHERE clause to filter out all of the systems that have no DG/CG/HVCI capability.
*/
--where dg.CGCapable0 > 0 or dg.DGCapable0 > 0 or dg.HVCICapable0 > 0
order by cs.Manufacturer0, cs.Model0, s.Name0


Senior Premier Field Engineer - Microsoft Corporation Mark has been working as a Manageability PFE (SCCM/SCOM) for Microsoft, since April 2006, supporting various CONUS/OCONUS engagements for the federal government. Prior to this, he has worked with SMS/SCCM for various other organizations since approx. 1997 (starting with SMS v1.2). A native Texan, Mark lives in Virginia with his wife Christy. They have three children and one grandchild. LinkedIn Profile: https://www.linkedin.com/in/markserafine
