Understanding Windows Defender Credential Guard
Windows Defender Credential Guard is a security feature introduced in Windows 10 that helps protect against credential theft attacks. By utilizing virtualization-based security (VBS), Credential Guard isolates sensitive information, such as NTLM password hashes and Kerberos Ticket Granting Tickets (TGTs), from the rest of the operating system. This makes it much more difficult for malware or unauthorized processes to access and steal these credentials, which are commonly targeted in attacks like pass-the-hash and pass-the-ticket.
When enabled, Credential Guard provides several key benefits:
- Protects Sensitive Credentials: Credential Guard prevents unauthorized access to NTLM password hashes, Kerberos TGTs, and other credentials stored by applications as domain credentials. This helps mitigate the risk of credential theft attacks.
- Improves Overall Security: By isolating these sensitive secrets, Credential Guard makes it significantly more difficult for attackers to leverage stolen credentials to move laterally within a network or escalate their privileges.
- Enhances Compliance: Enabling Credential Guard can help organizations meet various compliance requirements related to credential protection and data security.
Credential Guard Configuration and Deployment Considerations
Default Enablement in Windows 11 and Windows Server 2025
Starting with Windows 11, version 22H2, and Windows Server 2025, VBS and Credential Guard are now enabled by default on devices that meet the hardware, firmware, and software requirements. This default enablement is done without UEFI lock, allowing administrators to remotely disable Credential Guard if needed.
It’s important to note that if Credential Guard was explicitly disabled on a device before the update to Windows 11, 22H2 or Windows Server 2025, the default enablement will not override the existing settings. The device will continue to have Credential Guard disabled even after the update.
Hardware and Software Requirements
For Credential Guard to provide effective protection, the device must meet certain hardware, firmware, and software requirements. These include:
- Hardware Requirements: Secure Boot, UEFI, and a Trusted Platform Module (TPM) version 2.0 or later.
- Firmware Requirements: UEFI firmware that supports the required virtualization features.
- Software Requirements: Windows 10 Enterprise, Windows 11 Enterprise, or Windows Server 2019/2022 (or later).
Additionally, the following features are recommended for improved security:
- DMA Protection: Enables I/O Memory Management Unit (IOMMU) or Intel Virtualization Technology for Directed I/O (Intel VT-d) to protect against Direct Memory Access (DMA) attacks.
- Hypervisor-Protected Code Integrity (HVCI): Helps protect the integrity of kernel mode code execution.
Application and Authentication Compatibility Considerations
When Credential Guard is enabled, certain application and authentication capabilities may be blocked or affected. It’s essential to thoroughly test operational scenarios within your organization before updating devices that utilize Credential Guard, as newer versions of Windows running Credential Guard might impact previously functional scenarios.
Some key compatibility considerations include:
- NTLM Classic Authentication (NTLMv1): Credential Guard blocks the use of NTLM classic authentication (NTLMv1) for single sign-on (SSO), forcing users to manually re-enter their credentials.
- MS-CHAP v2 for WiFi and VPN: Connections based on MS-CHAP v2 are subject to similar attacks as NTLMv1 and should be migrated to certificate-based authentication (e.g., PEAP-TLS, EAP-TLS).
- Credential Manager: Credential Guard protects domain credentials stored in Credential Manager, but not generic credentials or applications that require clear-text passwords.
- CredSSP-based Delegation: Credential Guard blocks the use of CredSSP-based delegation, which is not a recommended practice. Instead, Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation are recommended for delegation scenarios.
- Kerberos Unconstrained Delegation and DES: These authentication methods are blocked by Credential Guard, as they pose security risks.
- Custom Security Support Providers (SSPs) and Authentication Packages (APs): Some non-Microsoft SSPs and APs may not be compatible with Credential Guard, as it doesn’t allow them to request password hashes from the Local Security Authority (LSA).
Disabling Credential Guard
In scenarios where Credential Guard is causing compatibility issues or needs to be disabled for other reasons, there are a few options available:
- Before Updating to Windows 11, 22H2 or Windows Server 2025: If you want to prevent the default enablement of Credential Guard, you can explicitly disable it before the device is updated. This will ensure that Credential Guard remains disabled after the update.
- After Credential Guard is Enabled: If Credential Guard has already been enabled, you can follow the steps to disable it, either through Intune or by configuring the appropriate registry keys.
It’s important to note that disabling Credential Guard removes the security protections it provides, so it should be done with caution and only after thoroughly evaluating the impact on your organization’s security posture and application compatibility.
Maintaining Credential Guard Effectiveness
To ensure the continued effectiveness of Credential Guard, it’s crucial to keep your Windows devices up-to-date with the latest security updates and patches. Additionally, consider the following best practices:
- Migrate Away from Passwords: Microsoft recommends that organizations move away from password-based authentication methods and adopt more secure options, such as Windows Hello for Business, FIDO2 security keys, or smart cards.
- Regularly Test Compatibility: Thoroughly test your organization’s applications and services to identify any potential compatibility issues with Credential Guard, especially when upgrading to newer versions of Windows.
- Monitor Credential Guard Status: Regularly monitor the status of Credential Guard on your Windows devices to ensure it’s enabled and functioning correctly. You can use tools like the Windows Security app or PowerShell cmdlets to check the Credential Guard configuration.
- Establish Backup and Recovery Procedures: Develop a plan for backing up and recovering Credential Guard-protected data in the event of a hardware failure or other issue, such as a TPM reset.
By understanding the capabilities, configuration, and management practices of Windows Defender Credential Guard, IT professionals can effectively implement and maintain this critical security feature to protect their organization’s sensitive credentials and mitigate the risk of credential theft attacks.
Additional Resources
For more information on Windows Defender Credential Guard and related security features, visit the IT Fix blog or explore the following Microsoft resources: