1 Reply Latest reply on Jan 9, 2016 2:24 AM by joegasper

    Windows 10 and Credential Guard - Isolated User Mode enabled breaks vid driver

    joegasper

      I've been trying to enable advanced security in Windows 10, I'm looking to enable Credential Guard:

      https://technet.microsoft.com/en-us/library/mt483740%28v=vs.85%29.aspx?

       

       

      I have a Dell 9020 with 2 Radeon R5 240 graphics cards.

       

      The first steps to enable Credential Guard is to enable Hyper-V and Isolated User Mode (both are Windows Features).

      With Isolated User Mode enabled, the Radeon drivers fail to load.

       

      From Device Manager on the two R5 240 cards:

      This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)

      {Operation Failed}

      The requested operation was unsuccessful.

       

      I'm left with basic Windows display driver and only one monitor available.

       

      I've tried drivers:

      15.201.2201-151019a-296268C-Dell

      radeon-crimson-15.12-win10-64bit (15.300.1025.1001 - autodetect suggested version)

       

       

      AMD states the R5 240 fully supports Windows 10.  (As does Dell for the 9020).

       

      Anyone successfully enabled Isolated User Mode and Credential Guard?

       

      Thank your for your time.

        • Re: Windows 10 and Credential Guard - Isolated User Mode enabled breaks vid driver
          joegasper

          Fixed this and got back to a happy video subsystem.

           

          In Device Guard, don't enable "Virtualization Based Protection of Code Integrity"

           

          If you do enable that option as a test, you have to run below to actually disable it (after changing the GPO setting to off):

           

          mountvol X: /s

          copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y

          bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader

          bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} path "\EFI\Microsoft\Boot\SecConfig.efi"

          bcdedit /set {bootmgr} bootsequence {0cb3b571-2f2e-4343-a879-d86a476d7215}

          bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS

          bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} device partition=X:

          mountvol X: /d