After much experimentation with Device Guard and Credential Guard on Windows platforms hosted with vCenter ESXi 6.7, I've found DG does not work with Windows Server 2016, however I was able to get it "working" with Windows Server 2019 and Windows 10 Pro hosted on the same ESXi rack. I use quotation marks around working as, though the CG compatibility tool tells me the security is running, as does System Information, I am still able to extract passwords from the system using Mimikatz (sekurlsa::logonpasswords). I am not doing any injections or work beforehand to allow this, and only download mimikatz after I have enabled Credential Guard and ensured it is running.
Does anyone know why Credential Guard may not be working as intended? Thanks!
System Information:
CG Compatibility Tool output:
PS C:\Users\Administrator\Downloads\dgreadiness_v3.6\dgreadiness_v3.6> .\DG_Readiness_Tool_v3.6.ps1 -Ready
###########################################################################
Readiness Tool Version 3.4 Release.
Tool to check if your device is capable to run Device Guard and Credential Guard.
###########################################################################
###########################################################################
OS and Hardware requirements for enabling Device Guard and Credential Guard
1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home
2. Hardware: Recent hardware that supports virtualization extension with SLAT
To learn more please visit: https://aka.ms/dgwhcr
###########################################################################
Credential-Guard is enabled and running.
HVCI is enabled and running.
Config-CI is enabled and running. (Audit mode)
HVCI, Credential-Guard, and Config-CI are enabled and running.
Mimikatz Output:
mimikatz # sekurlsa::logonpasswords
Authentication Id : 0 ; 248622 (00000000:0003cb2e)
Session : RemoteInteractive from 2
User Name : Administrator
Domain : VBS-2019
Logon Server : VBS-2019
Logon Time : 1/6/2021 12:17:26 PM
SID : S-1-5-21-3869050133-2886954220-3090916572-500
msv :
[00000003] Primary
* Username : Administrator
* Domain : VBS-2019
* NTLM : [Hash removed]
* SHA1 : [Hash removed]
tspkg :
wdigest :
* Username : Administrator
* Domain : VBS-2019
* Password : (null)
kerberos :
* Username : Administrator
* Domain : VBS-2019
* Password : (null)
ssp :
credman :
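As an added example (not part of the original post), the script below is an independent way to confirm from inside the Windows guest whether Virtualization Based Security and Credential Guard are actually active, rather than relying only on the readiness script's summary line. It reads the Win32_DeviceGuard WMI class that Windows exposes for exactly this purpose, checks for the isolated LSA process (LsaIso.exe) that exists only when Credential Guard is running, reads the LsaCfgFlags policy value, and lists the Wininit start events for Credential Guard. It assumes an elevated PowerShell session on the guest being examined; the function names are chosen here and are not part of any Microsoft tool. One caveat a practitioner would want alongside this check: Credential Guard's scope is domain-derived credentials, and local accounts are outside it; in the output above the session's Domain and Logon Server both equal the host name VBS-2019.

```powershell
# Added example, not from the original post: an independent check of the VBS and
# Credential Guard state on a Windows guest (Server 2019 / Windows 10).
# Assumption: run in an elevated PowerShell session on the guest itself.

function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    # Win32_DeviceGuard is the documented source for the VBS state.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = ($dg.SecurityServicesRunning    -contains 1)
    $hvciRunning  = ($dg.SecurityServicesRunning    -contains 2)

    # When Credential Guard is running, LSA secrets live in the isolated LsaIso.exe process.
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsaCfg = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                               -Name LsaCfgFlags -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsRunning             = $vbsRunning
        CredentialGuardConfig  = $cgConfigured
        CredentialGuardRunning = $cgRunning
        HvciRunning            = $hvciRunning
        LsaIsoProcessPresent   = [bool]$lsaIso
        LsaCfgFlags            = $(if ($lsaCfg) { $lsaCfg.LsaCfgFlags } else { $null })
        # Platform features the hypervisor reports as available (1 = base virtualization support,
        # 2 = Secure Boot, 3 = DMA protection, ...) versus those policy requires.
        AvailableProperties    = ($dg.AvailableSecurityProperties -join ',')
        RequiredProperties     = ($dg.RequiredSecurityProperties  -join ',')
    }
}

# Wininit logs event 13 in the System log when Credential Guard (LsaIso.exe) starts.
function Get-CredentialGuardStartEvents {
    Get-WinEvent -FilterHashtable @{ LogName = 'System'
                                     ProviderName = 'Microsoft-Windows-Wininit'
                                     Id = 13 } `
                 -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

$state = Get-CredentialGuardState
$state | Format-List

# Both conditions must hold for LSA secrets to be isolated on this guest.
if ($state.CredentialGuardRunning -and $state.LsaIsoProcessPresent) {
    'Credential Guard is running and LsaIso.exe is present.'
} else {
    'Credential Guard is NOT effectively running on this guest.'
}

Get-CredentialGuardStartEvents
```

If VbsRunning is false while CredentialGuardConfig is true, the policy is set but the hypervisor did not start VBS, which on a virtual machine usually points at the guest lacking the virtualization features listed in AvailableProperties; if Credential Guard is running and LsaIso.exe is present, the next thing to verify is whether the credentials in question are domain credentials at all, since local accounts are not within Credential Guard's protection.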