Implementing Credential Guard using Device Guard Readiness Tool

Credential Guard is a security feature that has been available in Windows 10 since Build 1511. Enabling it on a Windows 10 laptop requires that the system disk is formatted with GPT. You must also have Secure Boot turned on, and you are supposed to have a Trusted Platform Module (TPM 2.0). I have read in Microsoft’s docs that you can use Credential Guard without a TPM, but then the keys are not secured in the TPM. Not sure if this is still the case now in the latest Windows builds, because they do say that a TPM is required.

First you should download the Device Guard and Credential Guard Readiness Kit from Microsoft’s download center. Next, I will show you the commands you need to run in PowerShell to use the Readiness Kit.

The Device Guard and Credential Guard Readiness Kit includes a PowerShell script that can check whether the device is capable of running Credential Guard and whether Credential Guard is already enabled or running. It does the same for Device Guard and Hypervisor Code Integrity policies.

Make sure you download the new version 3.0 of the toolkit. If you downloaded the older (version 2.1) script, go to the link above and re-download the tool.

Okay, so you downloaded the tool. The next step is to unblock the zip file and unpack it into a directory. Personally, I like to use D:\DistributionShare\DeviceGuardReadinessToolv3.0. The next thing to do is right-click PowerShell or the PowerShell ISE and run it as Administrator. Once you have the ISE open, change to the directory where you unzipped the Device Guard/Credential Guard Readiness Tool:

    Set-Location D:\DistributionShare\DeviceGuardReadinessToolv3.0

Next, run the Device Guard Readiness Tool to check whether the device is capable of running Credential Guard, Device Guard, or Hypervisor Code Integrity:

    .\DG_Readiness_Tool_v3.0.ps1 -Capable -DG -CG -HVCI

Now you are going to have to reboot the machine.

After the reboot, open the PowerShell ISE as Administrator again and run the script again, or run the script with the switches -Enable -CG -DG -HVCI, or whichever of the three you want to enable. You can also use the switch -Ready if you want to see whether any of the three security features are already enabled and running.

You should see some immediate feedback in the console, but you will also want to look in the folder C:\DGLOGS, which contains a log file that tells you whether your computer is capable of enabling Credential Guard, Device Guard, and Hypervisor Code Integrity.
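The prerequisites named above (GPT system disk, Secure Boot, TPM) and the running state of Credential Guard can also be cross-checked with built-in cmdlets and the Win32_DeviceGuard CIM class. This is an added example, not code from the Readiness Kit or from the original post; the function name Get-CredentialGuardStatus is made up for illustration, and it assumes an elevated PowerShell session.

```powershell
# Added example: independent of DG_Readiness_Tool_v3.0.ps1. Run elevated.
# Get-CredentialGuardStatus is a hypothetical helper name.
function Get-CredentialGuardStatus {
    # Prerequisite 1: the system disk must use the GPT partition style.
    $sysDisk = Get-Disk | Where-Object IsSystem | Select-Object -First 1

    # Prerequisite 2: Secure Boot. Confirm-SecureBootUEFI throws on
    # legacy BIOS systems, so an error is reported as "off".
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $secureBoot = $false }

    # Prerequisite 3: TPM. Win32_Tpm.SpecVersion looks like "2.0, 0, 1.38";
    # the first field is the specification version.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm -and $tpm.SpecVersion) {
        ($tpm.SpecVersion -split ',')[0].Trim()
    } else { 'none' }

    # Current state. In the SecurityServices* arrays,
    # 1 = Credential Guard and 2 = HVCI.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    [pscustomobject]@{
        SystemDiskIsGpt           = ($sysDisk.PartitionStyle -eq 'GPT')
        SecureBootOn              = $secureBoot
        TpmSpecVersion            = $tpmVersion
        VirtualizationBasedSec    = $vbs
        CredentialGuardConfigured = ($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning               = ($dg.SecurityServicesRunning -contains 2)
    }
}

Get-CredentialGuardStatus | Format-List
```

A machine where CredentialGuardConfigured is True but CredentialGuardRunning is False usually still needs the reboot mentioned above, or is missing one of the three prerequisites.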


New Windows 10 services appearing in latest preview builds

Windows Spectrum – This service has the name Spectrum and is described with the following caption: “Synthesizes perceived environment captured through reality understanding modules”. This service will most likely be used with HoloLens and Augmented Reality or Virtual Reality accessories. If you are just using Windows 10 as a computer and not with any HoloLens-type devices, it should be safe to disable this service or just leave it set to manual.

WFDSConMgrSvc – This service is used with wireless devices; the exact description states “Manages connections to wireless services, including wireless display and docking.” It should also be safe to disable this service if you are not using any wireless screens or docking stations.

PrintWorkflowUserSvc_290d03 – This service is also new and could have a different combination of letters and numbers at the end of its name. Not much information here; it’s related to some type of printing workflow, perhaps 3D printing?

Payments and NFC/SE Manager – This service is named “SEMgrSvc” and should only be necessary if you are running Windows on a newer mobile-type PC that has Near Field Communication capabilities. On an old PC you can disable this service.

LPA Service – Also named wlpasvc. This service provides profile management for subscriber identity modules.

Dusmsvc – The Dusmsvc service does not have an explanation; however, Microsoft documentation explains that DUSM stands for Data Usage Subscription Management, so if you are just using your computer at home and don’t have to worry about data usage limits, then you can leave this service alone as well. You may want to leave it if you are ever curious how much data Windows 10 uses, since it could be measured with the help of this service. MSDN documentation explains that “The Data Usage Subscription Management (DUSM) schema defines elements that are used to describe cost information for a subscriber’s connection to a metered network.”



