Custom compliance policies have been around for a long time, and they are a really great feature. I have argued many times that we should not block users from working when they cannot make the device compliant themselves. But with more and more tasks being added on top of managing devices, being proactive is something I see IT having a harder time prioritizing. That is why it makes perfect sense to use Custom compliance policies to get the end user to call ServiceDesk, which can then sort out the problem. All organizations have a working incident process, and we can utilize it to drive security-related incidents.
Why check if Credential Guard is running then?
Credential Guard is an important security feature, and in Windows 11 22H2 it is enabled by default for new installations only.
More information can be found here: Credential Guard overview – Windows Security | Microsoft Learn
When we turn Credential Guard on using either Group Policy or an Intune Configuration Profile, we set the “Configured value”, and that is what the Intune policy status reports back, not the actual state of Credential Guard. That is where Custom Compliance policy comes in.
Below is an example from a computer that is experiencing the issue. Intune still reports that it has applied the setting, as the Configured value is set to run Credential Guard. Microsoft Defender for Endpoint reports back the correct state: Credential Guard is not running. We have seen a mix of different reasons, a BIOS upgrade or a misconfiguration after a hardware repair to mention a few.
Custom Compliance policy to check that Credential Guard is running.
Custom compliance policies in Intune consist of a PowerShell script and a .JSON file used to verify the output of the PowerShell script and determine whether the device is compliant or not. The end-user experience is great: we can configure a custom text and a link for the end user to click on to get more information, and most likely contact ServiceDesk. It could look something like the message below.
Both the script and the .JSON file can be downloaded from GitHub here: https://github.com/Ccmexec/Intune-MEM/tree/master/Custom%20Compliance
The PowerShell script:
# Read the live Device Guard state from WMI/CIM (what is actually running, not what is configured)
$DevGuard = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
# SecurityServicesRunning contains 1 when Credential Guard is running
$CredGuardStatus = @{"CredentialGuardRunning" = ($DevGuard.SecurityServicesRunning -contains 1)}
# Intune expects a single compressed JSON object whose keys match the SettingName values in the .JSON rules file
Return $CredGuardStatus | ConvertTo-Json -Compress
The .JSON file we use looks like this:
{
    "Rules":[
        {
            "SettingName":"CredentialGuardRunning",
            "Operator":"IsEquals",
            "DataType":"Boolean",
            "Operand":true,
            "MoreInfoUrl":"https://ccmexec.com",
            "RemediationStrings":[
                {
                    "Language":"en_US",
                    "Title":"Credential Guard is not enabled",
                    "Description": "Please make sure that Credential Guard is enabled on your device. For more information, contact servicedesk"
                }
            ]
        }
    ]
}
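An extended version of the discovery script, added here as an example (it is not the script from the post or from the linked GitHub repository). It reads the same Win32_DeviceGuard class but also returns whether Credential Guard is configured, so the "configured but not running" drift case described above can be told apart from "never configured"; the numeric meanings in the comments are taken from the Win32_DeviceGuard documentation and the extra setting names are my own.

```powershell
# Added example, not the post's script. Same data source as the original check:
#   SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
#   VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running

function Get-CredentialGuardState {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace root\Microsoft\Windows\DeviceGuard -ErrorAction Stop

    # Wrap in @() so a single value or $null still behaves like an array for -contains
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1

    # Flat object with simple values only; each key is matched against a SettingName in the rules file
    [ordered]@{
        CredentialGuardConfigured           = $configured
        CredentialGuardRunning              = $running
        # The drift case from the post: policy applied, but the service never came up
        CredentialGuardConfiguredNotRunning = ($configured -and -not $running)
        HvciRunning                         = (@($dg.SecurityServicesRunning) -contains 2)
        VbsStatus                           = [int]$dg.VirtualizationBasedSecurityStatus
    }
}

$state = Get-CredentialGuardState

# When an admin runs this by hand during the test phase, show the values on the console.
# Write-Host is not pipeline output, so it does not pollute the JSON that Intune reads.
# Under the Intune Management Extension (SYSTEM, session 0) this branch is skipped.
if ([Environment]::UserInteractive) {
    foreach ($entry in $state.GetEnumerator()) {
        Write-Host ("{0,-38} {1}" -f $entry.Key, $entry.Value)
    }
}

# The only output Intune consumes: one compressed JSON object
return ($state | ConvertTo-Json -Compress)
```

Each key you want evaluated needs its own rule in the .JSON file (for example a Boolean rule with Operand false for CredentialGuardConfiguredNotRunning), and the remediation text can then name the exact situation ServiceDesk should look for.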
Implementing the custom compliance policy
- In the Intune admin portal, under Endpoint Security / Device Compliance, go to Scripts, select Add and then “Windows 10 and later”
- Give the script a name for example “Check that Credential Guard is running”
- In the next dialog, paste the script with the following settings.
- Review and create the Device Compliance Script
Creating the custom Compliance policy
- Under compliance policy, create a new Compliance policy for Windows 10 and later
- Give the Compliance policy a name for example, “Credential Guard – Test”
- In the next dialog upload the .JSON file mentioned above.
- As we are deploying it for testing purposes, select 10 days or more before the device is marked as non-compliant.
- Finish creating the policy and deploy it to an Entra ID group with test devices and test it out.
Testing it out without marking the devices non-compliant lets us troubleshoot any issues with Credential Guard in your environment and work out how they can be remediated.
Remember to inform ServiceDesk that you are doing this, and once you have troubleshot some of the issues in your environment, tell them what to check when a user calls in with the issue.