I am trying to enable Credential Guard on my copy of Windows 10 Pro v1809. I downloaded the DG_Readiness_Tool_v3.5 from Microsoft's website and ran it in PowerShell, but this is the result:

###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
 2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################

Checking if the device is DG/CG Capable
 ====================== Step 1 Driver Compat ======================
Driver verifier already enabled
 ====================== Step 2 Secure boot present ======================
Secure Boot is present
 ====================== Step 3 MS UEFI HSTI tests ======================
Copying HSTITest.dll
HSTI Duple Count: 0
HSTI Blob size: 0
String:
HSTIStatus: False
HSTI is absent
 ====================== Step 4 OS Architecture ======================
Unknown architecture
 ====================== Step 5 Supported OS SKU ======================
This PC edition is Supported for DeviceGuard
 ====================== Step 6 Virtualization Firmware ======================
Virtualization firmware check passed
 ====================== Step 7 TPM version ======================
TPM 2.0 is present.
 ====================== Step 8 Secure MOR ======================
Secure MOR is absent
 ====================== Step 9 NX Protector ======================
NX Protector is absent
 ====================== Step 10 SMM Mitigation ======================
SMM Mitigation is absent
 ====================== End Check ======================
 ====================== Summary ======================
Machine is not Device Guard / Credential Guard compatible because of the following:
Unknown OS, OS Architecture failure..

HSTI is absent
Secure MOR is absent
NX Protector is absent
SMM Mitigation is absent

Why does it say "Unknown OS, OS Architecture failure"? I found this on the Microsoft forum but it doesn't have a solution.

  • Do you have multiple operating systems installed by chance? – Ramhound Oct 12 at 14:20
up vote 0 down vote accepted

Credential Guard is available only in Windows 10 Enterprise Edition. So if you are using Pro or Education, you won't see this feature by default on your version of Windows. To install it, your machine should support Secure Boot and 64-bit virtualization.

To enable or turn on Credential Guard:

  • Run gpedit.msc to open the Group Policy Editor.

  • Navigate to:

    Computer Configuration > Administrative Templates > System > Device Guard
    
  • Double-click Turn On Virtualization Based Security and select Enabled.

  • In the "Platform Security Level" box, choose "Secure Boot" or "Secure Boot and DMA Protection".

  • In "Credential Guard Configuration", click Enabled with UEFI lock and then OK.

  • Click Apply/OK and exit.

  • Restart the computer.

Read the text in the "Help" box carefully to make sure you make the right choices.

Reference:

Manage Windows Defender Credential Guard

Why does it say "Unknown OS, OS Architecture failure"? I found this on the Microsoft forum but it doesn't have a solution.

This is due to an error in the script itself. However, you are also not running a supported version of Windows 10. So even if you were to fix the script, it does not mean you will be able to enable Credential Guard if you are running Windows 10 Professional.

Ok, I found out that the OS architecture failure derives from a string comparison which is case sensitive and therefore ignores the output "64-Bit" because it's looking for "64-bit".

You would have to correct .\DG_Readiness_Tool_v2.1.ps1 for the script to properly detect the architecture. It does appear, however, that once the script properly detects your architecture, it would improperly notify you that your device was ready for Device Guard and Credential Guard to be enabled.

It’s worth noting here that these are enterprise features, and as such are included only in the Windows Enterprise client.

Sources:
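An added example, not part of either answer or of Microsoft's script: a read-only PowerShell check that covers both answers above. It reports whether Credential Guard is actually configured and running after the Group Policy steps, and detects a 64-bit OS without relying on the display string that tripped the readiness tool. The function name `Get-CredentialGuardState` is hypothetical, and the `-ceq` comparison is a stand-in because the tool's own comparison code is not shown on the page.

```powershell
# Added example: read-only report, nothing on the machine is changed.
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # The DeviceGuard namespace/class can be missing on unsupported systems,
    # so a failed query is reported as "Not available" rather than thrown.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ErrorAction SilentlyContinue

    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbs = if ($null -eq $dg) { 'Not available' } else {
        switch ([int]$dg.VirtualizationBasedSecurityStatus) {
            0 { 'Off' }
            1 { 'Enabled, not running' }
            2 { 'Running' }
            default { "Unknown ($_)" }
        }
    }

    [pscustomobject]@{
        Edition                   = $os.Caption
        # Display text; the page reports "64-Bit" on the affected system.
        OSArchitectureText        = $os.OSArchitecture
        # Stand-in for the tool's failing check (its real code is not on the page):
        # a case-sensitive match rejects "64-Bit", a case-insensitive one accepts it.
        CaseSensitiveMatch        = ($os.OSArchitecture -ceq '64-bit')
        CaseInsensitiveMatch      = ($os.OSArchitecture -ieq '64-bit')
        # Does not depend on how the architecture string is spelled.
        Is64BitOS                 = [Environment]::Is64BitOperatingSystem
        VbsStatus                 = $vbs
        # The value 1 in these arrays stands for Credential Guard.
        CredentialGuardConfigured = (($null -ne $dg) -and ($dg.SecurityServicesConfigured -contains 1))
        CredentialGuardRunning    = (($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1))
    }
}

Get-CredentialGuardState | Format-List
```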
