
Device Guard, Credential Guard and HVCI - 65000 errors

Open incedIT opened this issue 1 year ago • 10 comments

I am having an issue with the policy "Win - OIB - Device Security - U - Device Guard, Credential Guard and HVCI - v3.1". I assign to All Users but get 65000 errors on all of them for:

- Enable Virtualization Based Security
- Hypervisor Enforced Code Integrity
- Require UEFI Memory Attributes Table

Although some Microsoft documentation says to assign these to User or Device groups, the CSP details all seem to suggest they are Device scope rather than User:

- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology
- https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity

I have just assigned this policy to All Users and All Devices to test the results, I will update once I onboard a device.

incedIT avatar Aug 12 '24 10:08 incedIT

Hi there @incedIT.

So you're correct that the CSP docs state they only have a Device scope. This is true, but doesn't stop you assigning them to users, it just means that policy would apply in HKLM to all users on that device: https://learn.microsoft.com/en-us/mem/intune/configuration/settings-catalog?tabs=sc-search-filter%2Csc-reporting#device-scope-vs-user-scope-settings

Those settings entirely rely on various hardware requirements, and also that they're enabled in the BIOS, so I'd start there: https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs and Device Guard and Credential Guard hardware readiness tool

SkipToTheEndpoint avatar Aug 12 '24 11:08 SkipToTheEndpoint
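Alongside the readiness tool, a quick local check helps separate "policy not delivered" from "hardware/SKU can't run it". The following is an added example (not part of OpenIntuneBaseline or the readiness tool); it reads the documented Win32_DeviceGuard class and the registry values the DeviceGuard and Credential Guard CSP settings map to, and assumes it is run elevated on the affected device.

```powershell
# Added example: report what VBS / HVCI / Credential Guard actually look like on a
# device so an Intune 65000 status can be compared with local reality. Run elevated.

function Get-VbsStatusReport {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    $os = Get-CimInstance -ClassName 'Win32_OperatingSystem'

    # Value meanings as documented by Microsoft for Win32_DeviceGuard.
    $vbsState   = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Enabled and running' }
    $services   = @{
        1 = 'Credential Guard'
        2 = 'Hypervisor-Enforced Code Integrity (HVCI)'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    $properties = @{
        1 = 'Base VBS support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
        4 = 'Secure memory overwrite'; 5 = 'NX protections'
        6 = 'SMM mitigations'; 7 = 'Mode-based execution control'
    }
    # Turn an array of numeric codes into readable names; unknown codes are kept visible.
    $decode = { param($codes, $map)
        if ($codes) { ($codes | ForEach-Object { if ($map[[int]$_]) { $map[[int]$_] } else { "Unknown($_)" } }) -join ', ' }
        else { 'None' } }

    [PSCustomObject]@{
        Edition             = $os.Caption            # e.g. "Microsoft Windows 11 Business"
        OperatingSystemSKU  = $os.OperatingSystemSKU
        VbsStatus           = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
        RequiredProperties  = & $decode $dg.RequiredSecurityProperties $properties
        AvailableProperties = & $decode $dg.AvailableSecurityProperties $properties
        ServicesConfigured  = & $decode $dg.SecurityServicesConfigured $services
        ServicesRunning     = & $decode $dg.SecurityServicesRunning $services
    }
}

# Registry values the VBS / HVCI / Credential Guard policy settings write; $null means "never delivered".
function Get-VbsPolicyRegistry {
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control'
    $dgKey = Get-ItemProperty "$base\DeviceGuard" -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        EnableVirtualizationBasedSecurity = $dgKey.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $dgKey.RequirePlatformSecurityFeatures
        HvciEnabled = (Get-ItemProperty "$base\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" -ErrorAction SilentlyContinue).Enabled
        LsaCfgFlags = (Get-ItemProperty "$base\Lsa" -ErrorAction SilentlyContinue).LsaCfgFlags
    }
}

Get-VbsStatusReport  | Format-List
Get-VbsPolicyRegistry | Format-List
```

If the registry values are set but ServicesRunning stays empty after a reboot, the block is on the hardware or SKU side rather than on Intune delivery.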

Thanks, I have researched this before but wasn't aware of that tool, that has helped find a breadcrumb! The issue seems to be that Bus Prem licensing automatically switches my Win 11 Pro devices to Win 11 Business. The tool flags that the only issue is the OS SKU is unsupported, everything else passes the readiness check. I will try and find out what can be done about this, if anything.

The odd thing is, although the tool states "OS and Hardware requirements for enabling Device Guard and Credential Guard OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home", the Credential Guard site says Pro is not supported.

incedIT avatar Aug 12 '24 12:08 incedIT

To make this even more strange, after I assigned the policy to All Devices I onboarded another two devices which are identical to the ones I had errors with (Lenovo Thinkpad T14 G1) and both have successfully applied that policy. The only thing to note is the user has to sign in again between the Device and Account ESP phases which is a known limitation of Device assignment for that policy.

On all these devices I enable optimised defaults in BIOS and then set them to default values before I install Windows, so either I'm missing something, or device assignment fixed it and the readiness tool is just glitching as "Windows 11 Business" is not specified in the script. I'll do some more testing.

incedIT avatar Aug 12 '24 12:08 incedIT

Aha. So yes, as it says in the docs, the baseline is made for a device running Windows Enterprise, so you've likely stumbled upon one of the settings that isn't valid on a Pro SKU. The whole "Business" thing is a problem and I'm sure I've historically seen something that does work on Pro but not on Business, which is utterly nonsensical.

Honestly, you could turn off the Windows Business part of the M365 BP licensing and not lose anything at all and avoid that potential weird situation. But on this one, it's unlikely to work due to the necessity for an Enterprise license.

SkipToTheEndpoint avatar Aug 12 '24 13:08 SkipToTheEndpoint

Do you have any thoughts on why these last two devices show succeeded but the others didn't? All I changed was assigning to the device group (as well as user group). Now I have no errors, just not applicable for the features that my Windows SKU does not support, namely Credential Guard:

- Configure Lsa Protected Process - Succeeded
- Configure System Guard Launch - Succeeded
- Credential Guard - Not applicable
- Enable Virtualization Based Security - Succeeded
- Hypervisor Enforced Code Integrity - Succeeded
- Require Platform Security Features - Not applicable
- Require UEFI Memory Attributes Table - Succeeded

I'll switch back to User assigned to simplify ESP and see if it starts failing again.

incedIT avatar Aug 12 '24 14:08 incedIT

Bizarrely, this morning I removed the Device assignment and onboarded another identical laptop, this time the policy applied successfully. The timeline of this:

- Policy assigned to All Users - every device showed the 65000 error, 90 devices in total spanning a period of months (policy added in June)
- Added All Devices to assignment (left All Users in place too) - onboarded two devices without error
- Removed All Devices assignment, leaving All Users in place - onboarded one device without error

I just had a thought though, I am replacing third party AV with Defender for Business, previously DfB was in passive mode. This could coincide and explain the strange results, but I'm not aware of DfB being a prereq and I see mention that other third party AV works with Device Guard.

incedIT avatar Aug 13 '24 08:08 incedIT

Good to know you're seeing more positive results, wish I could explain them!

Welcome to the world of Intune policy application I guess? 🥲

SkipToTheEndpoint avatar Aug 13 '24 10:08 SkipToTheEndpoint

I spoke too soon, I onboarded another 6 today and all have errors when the policy is assigned to All Users. Very strange, will try assigning to Devices again although it makes it harder to bulk onboard due to the reboot/login prompt between ESP phases. All of these are using DfB so that was just a coincidence.

incedIT avatar Aug 13 '24 16:08 incedIT

Is it actually causing a problem for you or impacting the device onboarding? Otherwise I'd probably just ignore it and it'd likely work itself out into a Not Applicable state after a day and/or a reboot.

SkipToTheEndpoint avatar Aug 13 '24 18:08 SkipToTheEndpoint

It's not impacting the onboarding, but even after months it remains in error state. I suspect that although Credential Guard is not applicable to my setup (Win Pro rather than Edu/Enterprise), Device Guard is. For some reason it will only succeed when assigned to a device group. When I get time I will assign to user group and try to find anything in the logs that helps work out the issue.

incedIT avatar Aug 16 '24 11:08 incedIT