Understanding Windows Defender Credential Guard

Windows Server 2022 and Windows Enterprise use a security measure called Windows Defender Credential Guard. Windows Defender Credential Guard is a virtualization-based security service that helps isolate critical files so that only privileged system software can access those critical files.


Once the feature is enabled, a Windows client machine that is part of Active Directory or Azure AD will have the system’s credentials protected by Windows Defender Credential Guard.

After you enable Windows Defender Credential Guard, the Local Security Authority (LSA) process in the operating system works with a new component called the isolated LSA. The isolated process stores and protects the system’s critical data.


Once data is stored by the isolated LSA process, the system then uses virtualization-based security to protect the data, and that data is no longer accessible to the rest of the operating system.

To enable Windows Defender Credential Guard, you must meet the following requirements:
■ Machine must support virtualization-based security (required)
■ Secure boot (required)
■ TPM 1.2 or 2.0, either discrete or firmware (preferred; provides binding to hardware)
■ UEFI lock (preferred; prevents attacker from disabling with a simple Registry key change)
The virtualization-based security requires the following:
■ 64-bit CPU
■ CPU virtualization extensions plus extended page tables
■ Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
If you want to use Windows Defender Credential Guard in a Hyper-V virtual machine, the following requirements need to be met:
■ Windows 10 (version 1607 or higher) or Windows Server 2016 or higher, and the system must have Hyper-V with an Input/Output Memory Management Unit (IOMMU).
■ The Hyper-V virtual machine must be set as Generation 2 and virtual TPM needs to be enabled.
Once you have met the minimum requirements for setting up Windows Defender Credential Guard, you can enable it with any of the following methods:
■ Using Group Policy
■ Modifying the Registry
■ Using the Hypervisor-Protected Code Integrity (HVCI)
■ Using the Windows Defender Credential Guard hardware readiness tool
In Exercise 15.6, I will show you how to enable Windows Defender Credential Guard using a Group Policy Object (GPO).


EXERCISE 15.6
Enabling Windows Defender Credential Guard Using a GPO

  1. Open the Group Policy Management editor on a Windows Server machine.
  2. Create a new GPO, click the GPO, and choose Edit.
  3. Go to Computer Configuration ➢ Administrative Templates ➢ System ➢ Device Guard.
  4. Select Turn On Virtualization Based Security and then choose the Enabled option (see Figure 15.36).
    FIGURE 15.36 Turn On Virtualization Based Security setting
  5. In the Select Platform Security Level box, choose Secure Boot or Secure Boot And DMA Protection.
  6. In the Credential Guard Configuration box, select Enabled With UEFI Lock, and then click OK. (If you want to be able to turn off Windows Defender Credential Guard remotely, choose Enabled Without Lock.)
  7. In the Secure Launch Configuration box, choose Not Configured, Enabled, or Disabled.
  8. Click OK and then close the Group Policy Management Console.
  9. To enforce processing of the Group Policy, run gpupdate /force.

You can also enable Windows Defender Credential Guard by using Microsoft Endpoint Manager. To do so, perform the following steps:

  1. From the Microsoft Endpoint Manager admin center, select Devices.
  2. Select Configuration Profiles.
  3. Select Create Profile ➢ Windows 10 And Later ➢ Settings Catalog ➢ + Create.
  4. Under Configuration Settings, select Device Guard as the category and add your required settings.
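Whichever method you use (the GPO in Exercise 15.6 or the Endpoint Manager profile above), the policy only takes effect once virtualization-based security is actually running, so it is worth verifying the result on the client. The following PowerShell script is an added example, not part of the book; it reads the documented Win32_DeviceGuard WMI class and the LsaCfgFlags and EnableVirtualizationBasedSecurity registry values that the Credential Guard and Device Guard policies write, and it assumes you run it in an elevated PowerShell session on the client.

```powershell
# Added example: confirm that Credential Guard is configured AND running on this client.
# Run elevated. Uses the documented Win32_DeviceGuard class (root\Microsoft\Windows\DeviceGuard).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running (reboot or prerequisite missing)'; 2 = 'Enabled and running' }
"VBS status                 : $($vbsState[[int]$dg.VirtualizationBasedSecurityStatus])"

# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity)
$cgConfigured = 1 -in $dg.SecurityServicesConfigured
$cgRunning    = 1 -in $dg.SecurityServicesRunning
"Credential Guard configured: $cgConfigured"
"Credential Guard running   : $cgRunning"

# RequiredSecurityProperties mirrors the Platform Security Level chosen in the policy
# (2 = Secure Boot; 2 and 3 when "Secure Boot And DMA Protection" was selected).
# AvailableSecurityProperties shows what this hardware can actually provide.
$props = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite'
            5 = 'UEFI code read-only'; 6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
"Required platform props    : $(($dg.RequiredSecurityProperties  | ForEach-Object { $props[[int]$_] }) -join ', ')"
"Available platform props   : $(($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ', ')"

# Registry values written by the policy. LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock.
$lsa   = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
$dgKey = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
$lockState = switch ([int]$lsa.LsaCfgFlags) {
    1       { 'Enabled with UEFI lock' }
    2       { 'Enabled without lock (can be turned off by policy/registry change)' }
    default { 'Disabled or not configured' }
}
"LsaCfgFlags                : $lockState"
"EnableVirtualizationBasedSecurity: $($dgKey.EnableVirtualizationBasedSecurity)"

# The common failure mode: policy applied, but VBS never started because a prerequisite is missing.
if ($cgConfigured -and -not $cgRunning) {
    Write-Warning 'Credential Guard is configured but not running: check Secure Boot, CPU virtualization extensions, and reboot.'
}
```

On a correctly deployed client you should see VBS "Enabled and running", Credential Guard running True, and LsaCfgFlags reporting the UEFI lock if you selected Enabled With UEFI Lock in the policy.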
