CA Client Automation


How to detect active Credential Guard?

  • 1.  How to detect active Credential Guard?

    Posted Sep 24, 2019 03:11 AM
    Hello,

    does anybody know of a way to detect an active Credential Guard on Windows 10?
    I would like to be able to use that in a query, so detection through an inventory task would be the preferred method.

    I was checking the WBEM inventory, but the Win32_DeviceGuard class is not visible there.

    Any ideas?

    Regards,

    Marco Lorenz


  • 2.  RE: How to detect active Credential Guard?

    Broadcom Employee
    Posted Sep 24, 2019 06:23 AM

    You could use a script to collect the registry settings as Inventory data.

    Enable virtualization-based security and Windows Defender Credential Guard

    1. Open Registry Editor.

    2. Enable virtualization-based security:

       • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard.
       • Add a new DWORD value named EnableVirtualizationBasedSecurity. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
       • Add a new DWORD value named RequirePlatformSecurityFeatures. Set the value of this registry setting to 1 to use Secure Boot only or set it to 3 to use Secure Boot and DMA protection.

    3. Enable Windows Defender Credential Guard:

       • Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA.
       • Add a new DWORD value named LsaCfgFlags. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.

    4. Close Registry Editor.

    https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage
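    An added PowerShell example (not code from the thread, nor from Broadcom or Microsoft) of what an inventory script could collect: it reads the three registry values quoted in the reply above and, separately, asks the Win32_DeviceGuard class (namespace root\Microsoft\Windows\DeviceGuard, Microsoft's documented class, which is not exposed in the WBEM inventory the question mentions) whether Credential Guard is actually running. The function name and the output field names are my own; the registry paths, value names and the SecurityServicesRunning property are the real ones.

```powershell
# Added example: report Credential Guard configuration (registry) and running state (WMI).
# Registry paths and value names are the ones quoted in the reply above; the WMI class is
# Win32_DeviceGuard in root\Microsoft\Windows\DeviceGuard, where SecurityServicesRunning
# contains 1 when Credential Guard is running (2 is HVCI).
function Get-CredentialGuardState {
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Configured state from the registry; a value that does not exist reads as $null
    $vbs    = (Get-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $plat   = (Get-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures  -ErrorAction SilentlyContinue).RequirePlatformSecurityFeatures
    $lsaCfg = (Get-ItemProperty -Path $lsaKey -Name LsaCfgFlags                      -ErrorAction SilentlyContinue).LsaCfgFlags

    # A plain if/elseif rather than switch: switch on $null runs no block, not even default
    $meaning = if ($null -eq $lsaCfg) { 'Not configured' }
               elseif ($lsaCfg -eq 1) { 'Enabled with UEFI lock' }
               elseif ($lsaCfg -eq 2) { 'Enabled without lock' }
               elseif ($lsaCfg -eq 0) { 'Disabled' }
               else                   { "Unknown value $lsaCfg" }

    # Running state from WMI; the namespace is absent on hosts without the feature, so tolerate errors
    $running = $false
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) { $running = [bool]($dg.SecurityServicesRunning -contains 1) }

    [pscustomobject]@{
        ComputerName                      = $env:COMPUTERNAME
        EnableVirtualizationBasedSecurity = $vbs
        RequirePlatformSecurityFeatures   = $plat
        LsaCfgFlags                       = $lsaCfg
        LsaCfgFlagsMeaning                = $meaning
        CredentialGuardRunning            = $running
    }
}

Get-CredentialGuardState | Format-List
```

    The point of reporting both sources: the registry values say what was configured, while SecurityServicesRunning says whether the hypervisor actually started the service. A host with LsaCfgFlags = 1 but no VBS support (no Secure Boot, virtualization disabled in firmware) is still unprotected, and only the WMI side shows that.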






  • 3.  RE: How to detect active Credential Guard?

    Posted Sep 24, 2019 06:41 AM
    Hmm... Where do I find the documentation or an example for integrating a script to collect said data? Is that connecting to custom .MIF files? I haven't meddled with that interface before. :-)


  • 4.  RE: How to detect active Credential Guard?

    Broadcom Employee
    Posted Sep 24, 2019 08:54 AM

    You create an AM Agent script job.

    This is a sample script:

    DIM sDummy, sSiteName AS String
    DIM hKey, iDummy, RC AS Integer

    IF Instr(OSSTRING, "Window") THEN

       sSiteName = "Not Defined"
       hKey = RegOpenKey(HKEY_LOCAL_MACHINE, "SYSTEM\CurrentControlSet\services\Netlogon\Parameters")
       RC = RegQueryVariable(hKey, "DynamicSiteName", sSiteName, iDummy)
       IF RC = 0 THEN sSiteName = "Not Defined"

       CreateMIFFile(localpath+"Customer_Specific.mif", "Customer Specific Data", "", "")
       CreateMIFGroup(localpath+"Customer_Specific.mif", "Registry Data", "", "7")
       CreateMIFString(localpath+"Customer_Specific.mif", "Registry Data", "Site Name", sSiteName, "")

    END IF






  • 5.  RE: How to detect active Credential Guard?

    Posted Sep 24, 2019 10:05 AM
    Great! That was exactly what I was looking for. I just integrated the script to read the relevant registry data for Credential Guard and it worked like a charm.

    Two things I was wondering about:

    - Where can I find the different MIF classes (what does "7" stand for)?
    - Is there a way to create the MIF file at the right spot with a CLI or API call from another program or script? (We are primarily using PowerShell for our scripting purposes.)


  • 6.  RE: How to detect active Credential Guard?
    Best Answer

    Broadcom Employee
    Posted Sep 24, 2019 10:24 AM





  • 7.  RE: How to detect active Credential Guard?



  • 8.  RE: How to detect active Credential Guard?

    Posted Sep 24, 2019 11:08 AM

    Also see https://docops.ca.com/ca-client-automation/14-0/en/administrating/asset-management-administration/management-information-format-files-reference/group-definition. The "7" here is the class definition referenced in that page of the doc, but I'm not sure where the value came from; it doesn't really match the documentation. I vaguely recall about 20 years ago trying to get this to work, and I found somewhere an example with a "7" in it, tried it and it worked, so I just stuck with it.

     

    Steve McCormick

     






  • 9.  RE: How to detect active Credential Guard?

    Posted Sep 24, 2019 11:08 AM

    If you run the script as an Asset Job, the 'localpath' predefined constant referenced in each of the MIF function calls places the MIF in the correct location automatically. You'll notice it is not listed as a variable in either of the DIM statements.

     

    Steve McCormick

     






  • 10.  RE: How to detect active Credential Guard?

    Posted Sep 30, 2019 03:32 AM
    Thank you, Steve and Stephen for your great help so far!
    The DSM script works like a charm so far. I prepared a script with a few simple PowerShell functions to create a MIF based on the .VBS example. But I'd like to get the path for the MIF file using a function, not a constant. So is there a value out of the confstore that I could read out, or is there a sensible registry path where I could retrieve it?
    I guess that the only downside of "powershelling" it would be that I need to call a program and can't have it declared as a script job.

    Marco Lorenz


  • 11.  RE: How to detect active Credential Guard?

    Posted Sep 30, 2019 09:14 AM

    Hi Marco,

     

    There's no direct variable in comstore or registry which points directly to this location, but you can look for the install directory in HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ComputerAssociates\Unicenter ITRM, or you can use the environment variable SDROOT. If you use SDROOT you would use %SDROOT%\..\Agent\units\00000001\uam since it points to the Software Delivery path.

     

    Steve McCormick

     






  • 12.  RE: How to detect active Credential Guard?

    Posted Oct 02, 2019 02:02 AM
    Edited by Marco Lorenz Oct 02, 2019 02:30 AM
    Great. Thank you. That did nicely.

    But now I have a new bit of confusion... I had the .mif file of my scan job in that folder and then added a second one through my script in said folder. I had forgotten to change the name of the file and the group to begin with. So I did that. After my test, I wanted to restore the original state and deleted the branch that I added to the inventory bit. But now that branch doesn't show up anymore when I make ITCM initiate a hardware scan again.
    I deleted both .mif files and then let the job create one again.
    But still no dice.
    UPDATE: After performing a complete rescan, not just a delta scan, the group shows up again.
    The second set of questions still remains: If I want more data in the inventory, do I need to fill one .mif file with different jobs? Do I need to create different groups?

    Thanks again for the great assistance.

    Marco Lorenz


  • 13.  RE: How to detect active Credential Guard?

    Posted Oct 02, 2019 10:17 AM

    Hi Marco,

     

    Most likely you just need to force the Agent to do a full collect. By default the Agent sends only delta updates so if the inventory previously existed and did not change (even though you manually deleted the MIF, it got re-created with the same data), it would not be uploaded again.

     

    As for the second question, you can have as much or as little data in the same MIF as you want. You can create multiple MIFs with different data, or one MIF with all of it. Here's the breakdown:

     

    • Each MIF has ONE 'component' name
      • This is the 'Name' (not 'Filename') field of the CreateMIF function
      • This is the first branch of the tree under 'Inventory > Additional'
    • A MIF can contain multiple GROUPs
      • Groups appear as sub-branches of the components
      • Special groups can be created to create a table within the inventory to display rows of data

    So, if you want all of your company's additional inventory to appear in a branch called 'MyCorp Inventory', and just separate it by group, you can create one MIF with multiple groups to represent the inventory categories. In this case you would see the tree look like:

    Inventory
        Additional
            MyCorp Inventory
                Category One
                    VarName1 Value1
                    VarName2 Value2
                Category Two
                    VarName1 Value1

    On the other hand, with multiple MIFs, therefore multiple component names, you might have:

    Inventory
        Additional
            Credential Guard Inventory
                Installation data
                    VarName1 Value1
                    VarName2 Value2
                Settings
                    VarName1 Value1
            AntiVirus
                Signature Version
                    VarName1 Value1
                    VarName2 Value2
                Settings
                    VarName1 Value1

     

    Steve McCormick
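    An added PowerShell example, not code from the thread or from CA/Broadcom, that ties together the two replies above: the MIF layout (one component name, several groups, attributes under each group) and the SDROOT-relative uam directory. It assumes the plain-text DMTF MIF syntax (Start Component / Start Group / Start Attribute blocks with Name, ID, Class, Type and Value lines); the function names, the Class string per group, the String(64) attribute type and the sample values are my own, and the values are constructed stand-ins for whatever a collector such as a registry or WMI read would return.

```powershell
# Added example: build one MIF with one component and several groups and drop it in the
# agent's uam directory. MIF layout assumed: DMTF text format (Start Component/Group/Attribute).
function Get-UamMifDirectory {
    # SDROOT points at the Software Delivery agent; the uam folder sits beside it, as quoted in the thread
    if (-not $env:SDROOT) { throw 'SDROOT is not set; is the DSM agent installed on this host?' }
    $raw = Join-Path $env:SDROOT '..\Agent\units\00000001\uam'
    return [System.IO.Path]::GetFullPath($raw)   # resolves the '..' segment
}

function ConvertTo-MifText {
    param(
        [Parameter(Mandatory)][string]$Component,                       # ONE component name per MIF (branch under Inventory > Additional)
        [Parameter(Mandatory)][System.Collections.IDictionary]$Groups   # group name -> dictionary of attribute name -> value
    )
    $lines = [System.Collections.Generic.List[string]]::new()
    $lines.Add('Start Component')
    $lines.Add("  Name = `"$Component`"")
    $groupId = 1
    foreach ($groupName in $Groups.Keys) {
        $lines.Add('  Start Group')
        $lines.Add("    Name = `"$groupName`"")
        $lines.Add("    ID = $groupId")
        $lines.Add("    Class = `"$groupName`"")   # assumption: reuse the group name; the thread's sample passes "7" here
        $attrId = 1
        foreach ($attrName in $Groups[$groupName].Keys) {
            # Attributes are declared String(64): strip double quotes and cap the length so the parser accepts the literal
            $value = [string]$Groups[$groupName][$attrName] -replace '"', "'"
            if ($value.Length -gt 64) { $value = $value.Substring(0, 64) }
            $lines.Add('    Start Attribute')
            $lines.Add("      Name = `"$attrName`"")
            $lines.Add("      ID = $attrId")
            $lines.Add('      Type = String(64)')
            $lines.Add("      Value = `"$value`"")
            $lines.Add('    End Attribute')
            $attrId++
        }
        $lines.Add('  End Group')
        $groupId++
    }
    $lines.Add('End Component')
    return ($lines -join "`r`n")
}

function Write-MifFile {
    param(
        [Parameter(Mandatory)][string]$FileName,     # e.g. Credential_Guard.mif
        [Parameter(Mandatory)][string]$Component,
        [Parameter(Mandatory)][System.Collections.IDictionary]$Groups
    )
    $path = Join-Path (Get-UamMifDirectory) $FileName
    Set-Content -Path $path -Value (ConvertTo-MifText -Component $Component -Groups $Groups) -Encoding Ascii
    return $path
}

# Constructed sample values standing in for the registry/WMI collection step;
# each key of $groups becomes a sub-branch under 'Credential Guard Inventory'
$groups = [ordered]@{
    'Settings' = [ordered]@{
        'EnableVirtualizationBasedSecurity' = 1
        'RequirePlatformSecurityFeatures'   = 3
        'LsaCfgFlags'                       = 1
    }
    'Running state' = [ordered]@{
        'CredentialGuardRunning' = 'True'
    }
}
Write-MifFile -FileName 'Credential_Guard.mif' -Component 'Credential Guard Inventory' -Groups $groups
```

    Use [ordered] hashtables so the group and attribute IDs come out in a stable order between runs; since the agent uploads deltas, a file whose attribute order changes on every run would look like changed inventory even when the values are the same. To add a second top-level branch (the 'AntiVirus' case in the tree above), call Write-MifFile again with a different file name and component name rather than adding groups to this file.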

     


  • 14.  RE: How to detect active Credential Guard?

    Posted Oct 09, 2019 02:31 AM
    Thank you. That was the last piece of the puzzle. :-)
    Now I just need to prepare the PowerShell variation of my script and try that out.
    Which type of job would that be? There's one called "Command" and the other "External Tool" (rough translation, as I don't have the English version installed). Judging by the example jobs, I assume the latter?

    Marco Lorenz


  • 15.  RE: How to detect active Credential Guard?

    Posted Oct 09, 2019 10:27 AM
    Hi Marco,

    'External Utility' would be the correct option for a PowerShell script. You will use the 'create file' option to deliver the script, and provide the path to the file as the parameters.