Microsoft Windows Defender Credential Guard

Microsoft Windows Defender Credential Guard is a security feature that isolates users' logon secrets from the rest of the operating system so that malware running on the machine cannot steal them.

Microsoft introduced Credential Guard in Windows 10 Enterprise and Windows Server 2016. When Credential Guard is active, only privileged system software can access the protected credentials. It is particularly effective against pass-the-hash and pass-the-ticket attacks because it protects NT LAN Manager (NTLM) password hashes and Kerberos Ticket Granting Tickets, the derived secrets those attacks reuse. Credential Guard also stores randomized full-length hashes to blunt trial-and-error threats such as brute-force attacks. In addition, it protects credentials that applications store as domain credentials.

How Windows Credential Guard works

Microsoft Windows Defender Credential Guard uses virtualization-based security (VBS) to keep credentials in an isolated environment that the normal operating system cannot read. As a result, the secrets Credential Guard protects remain protected even if malware gains administrator or kernel-mode code execution on the device.

In Windows 10, the Local Security Authority (LSA, the lsass.exe process) is responsible for validating users when they log on. When Credential Guard is active, Windows 10 moves the secrets into a separate isolated LSA process (LsaIso.exe) that runs under virtualization-based security, so its memory is not accessible to the rest of the operating system. The isolated LSA hosts no device drivers, only the small set of operating system binaries it needs to protect the credentials, and each of those binaries is signed with a certificate trusted by VBS; the signature is validated before the file is launched inside the protected environment. The regular LSA communicates with the isolated LSA through remote procedure calls and never sees the protected secrets themselves.

IT can turn Credential Guard on using Group Policy, the Windows registry, or the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool, a PowerShell script that also determines whether a device meets the requirements.
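The registry route, as an added example that is not part of the original article: the function below writes the same values that the Group Policy setting "Turn On Virtualization Based Security" (Computer Configuration > Administrative Templates > System > Device Guard) sets, then reads them back. The registry paths and value names are Microsoft's; the function and parameter names are this example's own. It assumes Windows 10 version 1607 or later, where LsaCfgFlags lives under the Lsa key, and must run elevated. A reboot is required before the change takes effect.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article or from Microsoft's readiness tool):
# enable Credential Guard through the registry and report the resulting settings.

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'   # assumes Windows 10 1607+

function Enable-CredentialGuardViaRegistry {
    param(
        # UEFI lock: the setting is also persisted in a UEFI variable, so an attacker with
        # admin rights cannot turn it off with a registry change alone. Use $false for a pilot
        # that may need to be rolled back.
        [bool]$UefiLock = $true,
        # Also require DMA protection (an IOMMU) in addition to Secure Boot.
        [bool]$RequireDmaProtection = $false
    )

    if (-not (Test-Path $DeviceGuardKey)) { New-Item -Path $DeviceGuardKey -Force | Out-Null }

    # Turn on virtualization-based security.
    Set-ItemProperty -Path $DeviceGuardKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord

    # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot and DMA protection.
    $platform = if ($RequireDmaProtection) { 3 } else { 1 }
    Set-ItemProperty -Path $DeviceGuardKey -Name RequirePlatformSecurityFeatures -Value $platform -Type DWord

    # LsaCfgFlags: 0 = Credential Guard disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $LsaKey -Name LsaCfgFlags -Value $flags -Type DWord

    Get-CredentialGuardRegistrySettings
}

function Get-CredentialGuardRegistrySettings {
    # Read back what is configured so the change can be verified (or audited on other hosts).
    $dg  = Get-ItemProperty -Path $DeviceGuardKey -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsEnabled                      = [int]$dg.EnableVirtualizationBasedSecurity -eq 1
        RequirePlatformSecurityFeatures = $dg.RequirePlatformSecurityFeatures
        LsaCfgFlags                     = $lsa.LsaCfgFlags
        CredentialGuardMode             = switch ([int]$lsa.LsaCfgFlags) {
            1       { 'Enabled with UEFI lock' }
            2       { 'Enabled without UEFI lock' }
            default { 'Disabled or not configured' }
        }
    }
}

# Usage (elevated): enable with UEFI lock, then reboot.
Enable-CredentialGuardViaRegistry -UefiLock $true
Write-Host 'Reboot required for Credential Guard to start.'
```

Note that the registry values only express intent: after the reboot, check the Win32_DeviceGuard WMI class (or the readiness tool) to confirm Credential Guard is actually running, because the hypervisor will silently not start it if the platform does not meet the requirements.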

Windows Credential Guard requirements and limitations

For Credential Guard to work, the device must support virtualization-based security and have Secure Boot enabled. Virtualization-based security requires a 64-bit CPU with hardware virtualization extensions (Intel VT-x or AMD-V) and extended page tables (second-level address translation), plus the Windows hypervisor. A Trusted Platform Module (TPM 1.2 or 2.0, discrete or firmware) is strongly recommended because it binds the protected secrets to the hardware, and Unified Extensible Firmware Interface (UEFI) lock is recommended because it stops an attacker with administrative rights from disabling Credential Guard with a simple registry change; neither is strictly required for Credential Guard to run.
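A status check that covers both the isolated LSA described above and the platform requirements, as an added example (not from the original article or from Microsoft's readiness tool): the Win32_DeviceGuard WMI class reports which VBS platform properties the hardware provides, which are required by policy, and which security services are configured and actually running. The property names and the numeric codes are Microsoft's; the function and the decoding tables are this example's own. It runs on the local machine without elevation.

```powershell
# Added example (not from the original article): decode the VBS / Credential Guard state
# that Windows exposes through Win32_DeviceGuard and confirm the isolated LSA process exists.

function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Codes used by AvailableSecurityProperties and RequiredSecurityProperties.
    $propertyNames = @{
        1 = 'Base virtualization support'
        2 = 'Secure Boot'
        3 = 'DMA protection (IOMMU)'
        4 = 'Secure memory overwrite'
        5 = 'UEFI code read-only'
        6 = 'SMM security mitigations'
        7 = 'Mode-based execution control'
    }
    # Codes used by SecurityServicesConfigured and SecurityServicesRunning.
    $serviceNames = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }

    $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled but not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    $available = @($dg.AvailableSecurityProperties | ForEach-Object { $propertyNames[[int]$_] })
    $required  = @($dg.RequiredSecurityProperties  | ForEach-Object { $propertyNames[[int]$_] })
    # A required property the platform cannot provide is the usual reason VBS stays in state 1.
    $missing   = @($required | Where-Object { $_ -and ($available -notcontains $_) })

    [pscustomobject]@{
        VbsStatus                  = $vbsStatus
        AvailableSecurityProperties = $available
        RequiredSecurityProperties  = $required
        MissingRequiredProperties   = $missing
        ServicesConfigured          = @($dg.SecurityServicesConfigured | ForEach-Object { $serviceNames[[int]$_] })
        ServicesRunning             = @($dg.SecurityServicesRunning    | ForEach-Object { $serviceNames[[int]$_] })
        CredentialGuardConfigured   = [bool](@($dg.SecurityServicesConfigured) -contains 1)
        CredentialGuardRunning      = [bool](@($dg.SecurityServicesRunning) -contains 1)
        # LsaIso.exe is the isolated LSA; it exists only while Credential Guard is running.
        IsolatedLsaProcessPresent   = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

# Usage: print the decoded state, and flag the common "configured but not running" case.
$state = Get-CredentialGuardState
$state | Format-List
if ($state.CredentialGuardConfigured -and -not $state.CredentialGuardRunning) {
    Write-Warning ("Credential Guard is configured but not running; missing platform properties: " +
        ($(if ($state.MissingRequiredProperties) { $state.MissingRequiredProperties -join ', ' } else { 'none reported, check Secure Boot and firmware settings' })))
}
```

The distinction between SecurityServicesConfigured and SecurityServicesRunning is the one that matters in an audit: a Group Policy or registry setting can report Credential Guard as configured on a machine whose firmware has Secure Boot or virtualization disabled, and on that machine no LsaIso.exe process will exist and the hashes are still sitting in lsass.exe.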

Credential Guard can function on virtual machines in the same way it does on physical machines. The VM must be a Generation 2 VM with a virtual TPM enabled, and the Microsoft Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607 and have an input-output memory management unit (IOMMU).

Applications that require certain authentication capabilities will break because Credential Guard blocks them: Kerberos Data Encryption Standard (DES) encryption, Kerberos unconstrained delegation and NTLMv1. Applications that use digest authentication, credential delegation (CredSSP) or Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) keep working, but they prompt the user for credentials and those credentials are not protected by Credential Guard.
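Finding the accounts that depend on the blocked Kerberos settings before a rollout, as an added example that is not part of the original article and not Microsoft's readiness tool: the function below queries Active Directory for accounts flagged for unconstrained delegation or DES-only Kerberos keys, and the second function reads the local LmCompatibilityLevel to see whether the host will still send NTLMv1 or LM responses. The userAccountControl bit values, the msDS-SupportedEncryptionTypes bits and the LDAP bitwise-AND matching rule are Microsoft's; the function names and output layout are this example's own. It assumes the ActiveDirectory RSAT module and read access to the domain.

```powershell
# Added example (not from the original article): inventory the Kerberos and NTLM settings
# that Credential Guard will break.
Import-Module ActiveDirectory

# userAccountControl bits
$UF_SERVER_TRUST_ACCOUNT   = 0x2000    # domain controller computer account
$UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
$UF_USE_DES_KEY_ONLY       = 0x200000  # account restricted to DES Kerberos keys
# msDS-SupportedEncryptionTypes bits
$ENC_DES_CBC_CRC = 0x1
$ENC_DES_CBC_MD5 = 0x2
$LDAP_BIT_AND    = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

function Find-CredentialGuardBlockers {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    # Domain controllers are trusted for delegation by design and cannot run Credential Guard
    # anyway, so they are excluded from the unconstrained-delegation query.
    $notDc = "(!(userAccountControl:${LDAP_BIT_AND}:=$UF_SERVER_TRUST_ACCOUNT))"
    $desBits = $ENC_DES_CBC_CRC -bor $ENC_DES_CBC_MD5
    $queries = [ordered]@{
        'Unconstrained delegation'      = "(&(userAccountControl:${LDAP_BIT_AND}:=$UF_TRUSTED_FOR_DELEGATION)$notDc)"
        'DES-only key flag'             = "(userAccountControl:${LDAP_BIT_AND}:=$UF_USE_DES_KEY_ONLY)"
        'DES in supported encryption types' = "(msDS-SupportedEncryptionTypes:${LDAP_BIT_AND}:=$desBits)"
    }

    foreach ($reason in $queries.Keys) {
        Get-ADObject -SearchBase $SearchBase -LDAPFilter $queries[$reason] `
            -Properties userAccountControl, 'msDS-SupportedEncryptionTypes', servicePrincipalName |
        ForEach-Object {
            [pscustomobject]@{
                Reason             = $reason
                Name               = $_.Name
                ObjectClass        = $_.ObjectClass
                DistinguishedName  = $_.DistinguishedName
                UserAccountControl = ('0x{0:X}' -f [int]$_.userAccountControl)
                SupportedEncTypes  = $_.'msDS-SupportedEncryptionTypes'
                HasSpn             = [bool]$_.servicePrincipalName
            }
        }
    }
}

function Get-LocalNtlmCompatibility {
    # LmCompatibilityLevel: 0-2 allow the client to send LM/NTLMv1 responses, 3 and above send
    # only NTLMv2; 5 also makes the server refuse LM and NTLMv1. Absent means the OS default.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $level = $lsa.LmCompatibilityLevel
    [pscustomobject]@{
        LmCompatibilityLevel = $level
        MaySendNtlmv1        = ($null -ne $level -and [int]$level -lt 3)
    }
}

# Usage: list blockers for the whole domain, then check this host's NTLM policy.
Find-CredentialGuardBlockers | Sort-Object Reason, Name | Format-Table -AutoSize
Get-LocalNtlmCompatibility
```

Accounts returned under "Unconstrained delegation" should be moved to constrained or resource-based constrained delegation before Credential Guard is enabled on the hosts that use them; accounts with DES flags usually belong to legacy service principals and can be switched to AES by clearing the flag and resetting the password, after which the DES keys are no longer generated.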

Microsoft Windows Defender Credential Guard does not protect credentials on domain controllers (it is not supported there), the Active Directory database, or local accounts stored in the Security Accounts Manager (SAM). It is also incompatible with some third-party security tools, in particular third-party Security Support Providers and authentication packages, because it will not hand password hashes to them. In addition, some saved user credentials may no longer work after a Windows 10 upgrade.

This was last updated in January 2018
