Jun 21 2017 08:52 AM
When I run the PowerShell script and review the log, DeviceGuardCheckLog.txt, I see that it says "Incompatible HVCI Kernal Driver Modules Found" as well as "HSTI is absent". But it still allows me to enable Device Guard and Credential Guard. Is this a mistake? Is it a "false" enable, leaving me vulnerable??
Jun 21 2017 08:59 AM
Solution: The Readiness Tool is looking for both Device Guard and Credential Guard compatibility. These two warnings are related to Device Guard, so nothing related to Credential Guard is showing as an issue.
For the two issues you are mentioning, HSTI is optional; lack of HSTI does not prevent anything from running. The advantage of HSTI is to ensure that the hardware security capabilities are present and enabled. The incompatible HVCI driver output will be color coded: if yellow, there is a potential compatibility issue with hypervisor protection of Code Integrity, but in many cases it will still work. If red, then there is a blocking issue.
You can enable Credential Guard and may well be able to enable Device Guard Virtualization Based Security too.
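To confirm what is actually running after enabling, rather than relying on the readiness log, the following added example (not part of the original thread or the Readiness Tool) queries the Win32_DeviceGuard WMI class and flags any service that is configured but not running. The value meanings are those Microsoft documents for that class; the function name is hypothetical.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell session.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName 'Win32_DeviceGuard' -ErrorAction Stop

# Value meanings as documented for the Win32_DeviceGuard class.
$vbsStates    = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }
$serviceNames = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }

# Hypothetical helper: map service codes to readable names.
function ConvertTo-ServiceName {
    param([object[]]$Codes)
    $names = foreach ($code in $Codes) {
        $key = [int]$code                      # CIM returns UInt32; keys are Int32
        if ($key -eq 0) { continue }           # 0 means "no service"
        if ($serviceNames.ContainsKey($key)) { $serviceNames[$key] } else { "unknown ($key)" }
    }
    if ($names) { $names -join ', ' } else { 'none' }
}

$configured = @($dg.SecurityServicesConfigured | ForEach-Object { [int]$_ })
$running    = @($dg.SecurityServicesRunning    | ForEach-Object { [int]$_ })

[pscustomobject]@{
    VbsStatus  = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
    Configured = ConvertTo-ServiceName $configured
    Running    = ConvertTo-ServiceName $running
} | Format-List

# A service that is configured but absent from the running list is the
# "enabled on paper only" case the question asks about.
foreach ($code in $configured) {
    if ($code -ne 0 -and $running -notcontains $code) {
        Write-Warning "$(ConvertTo-ServiceName @($code)) is configured but not running."
    }
}
```

Run it after the reboot that follows enabling the features; a warning for HVCI alongside a running Credential Guard matches the situation described in the answer above.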