Merge pull request #1871 from microsoft/dpaul-HcCredGuard

Improve Credential Guard Running Check
microsoft · Nov 2, 2023 · 9b738bd · 9b738bd
2 parents 9d5ca30 + 9af0d44
commit 9b738bd
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 14 deletions.
diff --git a/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1 b/Diagnostics/HealthChecker/Analyzer/Invoke-AnalyzerFrequentConfigurationIssues.ps1
@@ -107,14 +107,27 @@ function Invoke-AnalyzerFrequentConfigurationIssues {
     }
     Add-AnalyzedResultInformation @params
 
-    $displayValue = $credentialGuardValue = $osInformation.RegistryValues.CredentialGuard -ne 0
+    $credGuardRunning = $false
+    $credGuardUnknown = $osInformation.CredentialGuardCimInstance -eq "Unknown"
+
+    if (-not ($credGuardUnknown)) {
+        # CredentialGuardCimInstance is an array type and not sure if we can have multiple here, so just going to loop thru and handle it this way.
+        $credGuardRunning = $null -ne ($osInformation.CredentialGuardCimInstance | Where-Object { $_ -ne 0 })
+    }
+
+    $displayValue = $credentialGuardValue = $osInformation.RegistryValues.CredentialGuard -ne 0 -or $credGuardRunning
     $displayWriteType = "Grey"
 
     if ($credentialGuardValue) {
         $displayValue = "{0} `r`n`t`tError: Credential Guard is not supported on an Exchange Server. This can cause a performance hit on the server." -f $credentialGuardValue
         $displayWriteType = "Red"
     }
 
+    if ($credGuardUnknown -and (-not ($credentialGuardValue))) {
+        $displayValue = "Unknown `r`n`t`tWarning: Unable to determine Credential Guard status. If enabled, this can cause a performance hit on the server."
+        $displayWriteType = "Yellow"
+    }
+
     $params = $baseParams + @{
         Name                = "Credential Guard Enabled"
         Details             = $displayValue

diff --git a/...nostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1 b/...nostics/HealthChecker/DataCollection/ServerInformation/Get-OperatingSystemInformation.ps1
@@ -44,6 +44,21 @@ function Get-OperatingSystemInformation {
             Invoke-CatchActions
         }
 
+        $credentialGuardCimInstance = $false
+        try {
+            $params = @{
+                ClassName    = "Win32_DeviceGuard"
+                Namespace    = "root\Microsoft\Windows\DeviceGuard"
+                ErrorAction  = "Stop"
+                ComputerName = $Server
+            }
+            $credentialGuardCimInstance = (Get-CimInstance @params).SecurityServicesRunning
+        } catch {
+            Write-Verbose "Failed to run Get-CimInstance for Win32_DeviceGuard"
+            Invoke-CatchActions
+            $credentialGuardCimInstance = "Unknown"
+        }
+
         $serverPendingReboot = (Get-ServerRebootPending -ServerName $Server -CatchActionFunction ${Function:Invoke-CatchActions})
         $timeZoneInformation = Get-TimeZoneInformation -MachineName $Server -CatchActionFunction ${Function:Invoke-CatchActions}
         $tlsSettings = Get-AllTlsSettings -MachineName $Server -CatchActionFunction ${Function:Invoke-CatchActions}
@@ -54,19 +69,20 @@ function Get-OperatingSystemInformation {
     } end {
         Write-Verbose "Exiting: $($MyInvocation.MyCommand)"
         return [PSCustomObject]@{
-            BuildInformation    = $buildInformation
-            NetworkInformation  = $networkInformation
-            PowerPlan           = $powerPlan
-            PageFile            = $pageFile
-            ServerPendingReboot = $serverPendingReboot
-            TimeZone            = $timeZoneInformation
-            TLSSettings         = $tlsSettings
-            ServerBootUp        = $serverBootUp
-            VcRedistributable   = [array]$vcRedistributable
-            RegistryValues      = $registryValues
-            Smb1ServerSettings  = $smb1ServerSettings
-            HotFixes            = $hotFixes
-            NETFramework        = $netFrameworkInformation
+            BuildInformation           = $buildInformation
+            NetworkInformation         = $networkInformation
+            PowerPlan                  = $powerPlan
+            PageFile                   = $pageFile
+            ServerPendingReboot        = $serverPendingReboot
+            TimeZone                   = $timeZoneInformation
+            TLSSettings                = $tlsSettings
+            ServerBootUp               = $serverBootUp
+            VcRedistributable          = [array]$vcRedistributable
+            RegistryValues             = $registryValues
+            Smb1ServerSettings         = $smb1ServerSettings
+            HotFixes                   = $hotFixes
+            NETFramework               = $netFrameworkInformation
+            CredentialGuardCimInstance = $credentialGuardCimInstance
         }
     }
 }
diff --git a/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1 b/Diagnostics/HealthChecker/Tests/HealthCheckerTest.CommonMocks.NotPublished.ps1
@@ -34,6 +34,8 @@ Mock Invoke-ScriptBlockHandler -ParameterFilter { $ScriptBlockDescription -eq "G
 # Handle IIS collection of files
 Mock Invoke-ScriptBlockHandler -ParameterFilter { $ScriptBlockDescription -eq "Getting applicationHost.config" } -MockWith { return Get-Content "$Script:MockDataCollectionRoot\Exchange\IIS\applicationHost.config" -Raw }
 
+Mock Get-CimInstance -ParameterFilter { $ClassName -eq "Win32_DeviceGuard" } -MockWith { return [PSCustomObject]@{ SecurityServicesRunning = @(0 , 0) } }
+
 # WebAdministration
 function Get-WebSite { param($Name) }
 Mock Get-WebSite -ParameterFilter { $null -eq $Name } -MockWith { return Import-Clixml "$Script:MockDataCollectionRoot\Exchange\IIS\GetWebSite.xml" }