Why doesn't IntelNUC10 support Windows Defender System Guard?

SEike · ‎03-01-2020

It doesn't support HSTI either it seems, based on the output from the Device Guard and Credential Guard hardware readiness tool.

I'm surprised such new system have such limitations, it exclude it from some enterprise environments where you cannot apply MDM Security Baseline default settings without killing the Tpm if System Guard is set to enable.

Anyway to get Intel to consider improving this with next release of NUC?

AdrianM_Intel · ‎03-02-2020

Hello SEike,

Thank you for posting on the Intel® communities.

Can you please provide more details about the Windows Defender System Guard?

What is the model of your Intel NUC?
How can Windows Defender System Guard be installed on Intel® NUC?
What is the error that you are getting?
Does HSTI refer to (Hardware Security Testability Specification from Windows)?
Could you please share a link where to download and find the specifications of these tools?

Best regards,

Adrian M.

Intel Customer Support Technician

SEike · ‎03-03-2020

Hello

NUC10i7FNH.

In my setup I have Windows 10-1909 Enterprise, managed using Intune, I enable Device Guard features such as Virtualization-based security, credential guard and system guard using Intune. You can also do it using GPO.

More information about System Guard:

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection

If you enable System Guard, Tpm stops working. You can check in Device Manager.

HSTI - yes. If you run the Device Guard and Credential Guard hardware readines script you will see some warnings:

https://www.microsoft.com/en-us/download/details.aspx?id=53337

I really want Intel NUC to be an enterprise alternative when you need smaller devices to perform tasks such as kiosk, displaying something on monitors etc. The alternative would be to buy an business device from a manufacturer such as DELL, LENOVO or HP etc.

AdrianM_Intel · ‎03-03-2020

Hello SEike,

Thank you for your response.

Please allow me some time to update the thread and take a look at this.

Best regards,

Adrian M.

Intel Customer Support Technician

AdrianM_Intel · ‎03-05-2020

Hello SEike,

I would like to update the thread.

Based on the requirements for System requirements for Windows Defender Application Guard the Intel® NUC10i7FNH should support this feature, our recommendation is to contact Microsoft* for more details regarding the installation of this software since this is related to the Operating System.

Best regards,

Adrian M.

Intel Customer Support Technician

SEike · ‎03-07-2020

Hello and thank you for your reply.

I'm not refering to Application Guard, that works just fine. I'm refering to System Guard which does not work.

Do you have the ability to reproduce this issue or forward the issue to an escalation engineer or something similar?

You can use local GPO editor to reproduce the issue, so it's easy to reproduce:

1) Install Windows 10 Enterprise, latest version and updates.

2) Using local GPO, configure the following to enable System Guard:

Computer Configuration | Administrative Templates | System | Devic Guard.

Turn On Virtualization Based Security. Enabled. Only select Secure Boot and DMA Protection + Secure Lunch Configuration to Enabled.

3) Restart.

4) Open Device Manager and notice that Trusted Platfom Module 2.0 is now reporting: This device cannot start. Code 10. The requested operation was unsuccessful.

Note that System Guard actually consist of two features: Secure Launch and Firmware Protection, the latter I haven't even started talking about so that would be the next item on the list...

I find Intel to be a serious manufacturer, and the market for Intel products and also Windows 10 is rather big. I would really appreciate that Intel could reproduce this issue and talk to Microsoft.

Thanks.

AdrianM_Intel · ‎03-09-2020

Hello SEike,

Thank you for your reply.

We appreciate the clarification, please allow me some time to update the thread and test this behavior on my end.

Regards,

Adrian M.

Intel Customer Support Technician

SEike · ‎03-31-2020

Any news?

Ronny_G_Intel · ‎04-01-2020

Hello SEike,

I apologize for the delay in getting back to you. It took us a while to get confirmation on this specific request.

I have confirmation from the product team that the NUC10i7FNH doesn't support Windows* Defender System Guard.

Windows Defender System Guard requires hardware TPM (also known as discrete TPM or dTPM). Intel NUC10i7FNH doesn't have dTPM, it uses firmware TPM (fTPM) instead.

Please, refer to [https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection]:

Trusted Platform Module (TPM) 2.0: Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.

We assume that enabling Secure Launch Configuration may affect fTPM functionality which is some kind of expected behavior, because this feature is not supported on NUC10i7FNH. That's the reason why you see error 10 code.

Device Guard and Credential Guard hardware readiness tool shows that NUC10i7FNH doesn’t support HSTI.

We see the same with NUC10i7FNH and other Intel NUCs with fTPM doesn't support HSTI. Our understanding is that HSTI also requires dTPM, therefore it is not available on NUC10i7FNH.

Regards,

Ronny G

SEike · ‎04-02-2020

Hi

Thank you for confirming. Is it possible to take this input to the product group so they might learn that this could be really cool if they focus on some of the security features such as System Guard? I mean it would expand the scenarios where companies can use Intel NUC. Personally I'm looking forward to next Intel NUC, but not if it have security limitations.