Device Guard, Credential Guard and HVCI - 65000 errors #30
Comments
Hi there @incedIT. So you're correct that the CSP docs state they only have a Device scope. This is true, but doesn't stop you assigning them to users, it just means that policy would apply in HKLM to all users on that device. Those settings entirely rely on various hardware requirements, and also that they're enabled in the BIOS, so I'd start there:
Thanks, I have researched this before but wasn't aware of that tool, that has helped find a breadcrumb! The issue seems to be that Bus Prem licensing automatically switches my Win 11 Pro devices to Win 11 Business. The tool flags that the only issue is the OS SKU is unsupported, everything else passes the readiness check. I will try and find out what can be done about this, if anything. The odd thing is, although the tool states "OS and Hardware requirements for enabling Device Guard and Credential Guard
To make this even more strange, after I assigned the policy to All Devices I onboarded another two devices which are identical to the ones I had errors with (Lenovo Thinkpad T14 G1) and both have successfully applied that policy. The only thing to note is the user has to sign in again between the Device and Account ESP phases, which is a known limitation of Device assignment for that policy. On all these devices I enable optimised defaults in BIOS and then set them to default values before I install Windows, so either I'm missing something, or device assignment fixed it and the readiness tool is just glitching as "Windows 11 Business" is not specified in the script. I'll do some more testing.
Aha. So yes, as it says in the docs, the baseline is made for a device running Windows Enterprise, so you've likely stumbled upon one of the settings that isn't valid on a Pro SKU. The whole "Business" thing is a problem and I'm sure I've historically seen something that does work on Pro but not on Business, which is utterly nonsensical. Honestly, you could turn off the Windows Business part of the M365 BP licensing and not lose anything at all and avoid that potential weird situation. But on this one, it's unlikely to work due to the necessity for an Enterprise license.
Do you have any thoughts on why these last two devices show succeeded but the others didn't? All I changed was assigning to the device group (as well as user group). Now I have no errors, just not applicable for the features that my Windows SKU does not support, namely Credential Guard. I'll switch back to User assigned to simplify ESP and see if it starts failing again.
Bizarrely, this morning I removed the Device assignment and onboarded another identical laptop, and this time the policy applied successfully. I just had a thought though: I am replacing third party AV with Defender for Business, previously DfB was in passive mode. This could coincide and explain the strange results, but I'm not aware of DfB being a prereq and I see mention that other third party AV works with Device Guard.
Good to know you're seeing more positive results, wish I could explain them! Welcome to the world of Intune policy application I guess? 🥲
I spoke too soon, I onboarded another 6 today and all have errors when the policy is assigned to All Users. Very strange, will try assigning to Devices again although it makes it harder to bulk onboard due to the reboot/login prompt between ESP phases. All of these are using DfB so that was just a coincidence.
Is it actually causing a problem for you or impacting the device onboarding? Otherwise I'd probably just ignore it and it'd likely work itself out into a Not Applicable state after a day and/or a reboot.
It's not impacting the onboarding, but even after months it remains in error state. I suspect that although Credential Guard is not applicable to my setup (Win Pro rather than Edu/Enterprise), Device Guard is. For some reason it will only succeed when assigned to a device group. When I get time I will assign to user group and try to find anything in the logs that helps work out the issue.
I am having an issue with the policy "Win - OIB - Device Security - U - Device Guard, Credential Guard and HVCI - v3.1". I assign to All Users but get 65000 errors on all of them for:
Enable Virtualization Based Security
Hypervisor Enforced Code Integrity
Require UEFI Memory Attributes Table
Although some Microsoft documentation says to assign these to User or Device groups, the CSP details all seem to suggest they are Device scope rather than User:
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-virtualizationbasedtechnology
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceguard#enablevirtualizationbasedsecurity
I have just assigned this policy to All Users and All Devices to test the results, I will update once I onboard a device.
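A local check to run on one of the affected laptops, added here and not part of this thread or the baseline project: it reads the Win32_DeviceGuard WMI class (status codes as documented by Microsoft), the EditionID the device reports, and the DeviceGuard registry values that MDM/GPO write, so the 65000 error can be compared with what the device itself says about VBS, Credential Guard and HVCI. The function name Get-VbsReadiness is chosen for this example.

```powershell
# Added example, not from the thread: summarise what the device reports about
# VBS / Credential Guard / HVCI and its Windows edition, so an Intune 65000
# error can be compared with the actual local state.
function Get-VbsReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # Value meanings as documented for the Win32_DeviceGuard class
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch' }
    $props     = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                    4 = 'Secure Memory Overwrite'; 5 = 'NX protections';
                    6 = 'SMM mitigations'; 7 = 'MBEC' }

    # Translate an array of codes through a map, keeping unknown codes visible
    $name = {
        param($map, $codes)
        @($codes) | ForEach-Object { if ($map[[int]$_]) { $map[[int]$_] } else { "Unknown($_)" } }
    }

    $configured = @(& $name $services $dg.SecurityServicesConfigured)
    $running    = @(& $name $services $dg.SecurityServicesRunning)

    # Registry locations the VBS / HVCI policies write to; missing values mean
    # the policy never landed on this device at all.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    $policy  = Get-ItemProperty -Path $dgKey   -ErrorAction SilentlyContinue
    $hvci    = Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Edition               = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
        VbsStatus             = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties   = (& $name $props $dg.AvailableSecurityProperties) -join ', '
        RequiredProperties    = (& $name $props $dg.RequiredSecurityProperties) -join ', '
        ServicesConfigured    = $configured -join ', '
        ServicesRunning       = $running -join ', '
        # Configured but not running is the gap to explain (edition, BIOS, reboot)
        ConfiguredNotRunning  = ($configured | Where-Object { $_ -notin $running }) -join ', '
        PolicyEnableVbs       = $policy.EnableVirtualizationBasedSecurity
        PolicyRequireFeatures = $policy.RequirePlatformSecurityFeatures
        PolicyHvciEnabled     = $hvci.Enabled
    }
}

Get-VbsReadiness | Format-List
```

Run it from an elevated prompt on a device that shows the error and on one that succeeded; if the policy registry values are present on both but ServicesRunning differs, the gap is local (edition, firmware settings or a pending reboot) rather than policy delivery.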