Enhance Windows Security with Enabling Credential Guard : Step by step guide

I - What is Credential Guard?


Credential Guard is a security feature introduced by Microsoft in Windows 10 and Windows Server 2016, which protects credentials by isolating certain critical processes in a secure environment. It uses Virtualization-based Security (VBS) to protect secrets such as user credentials, including NTLM hashes, Kerberos tickets and other sensitive material that can be abused in attacks such as Pass-the-Hash or Pass-the-Ticket.


II - Advantages of enabling Credential Guard:


When enabled, Credential Guard provides the following benefits:

  • Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials
  • Virtualization-based security: NTLM, Kerberos-derived credentials, and other secrets run in a protected environment that is isolated from the running operating system
  • Protection against advanced persistent threats: when credentials are protected using VBS, the credential theft techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS


III - Integration in Windows versions


Credential Guard is available and can be activated on the following versions of Windows:

  • Windows 10 (from version 1511)
  • Windows 11
  • Windows Server 2016 and later

Starting with Windows 11 22H2 and Windows Server 2025 (preview), VBS and Credential Guard are enabled by default on devices that meet the requirements.

By default it is enabled without UEFI lock, so administrators can still disable Credential Guard remotely if needed.

When Credential Guard is enabled, VBS (Virtualization-based security) is automatically enabled too.


IV - Hardware and software requirements


To use Credential Guard, the following prerequisites must be met:

1 - Hardware requirements:

  • 64-bit processor with hardware virtualization (Intel VT-x/AMD-V) and SLAT (Second Level Address Translation)
  • TPM v2.0 (Trusted Platform Module)
  • UEFI version 2.3.1 or higher with Secure Boot
  • 8 GB of RAM minimum recommended


2 - Software requirements:

  • Windows 10 Enterprise / Education (starting from 1511)
  • Windows 11 Enterprise / Education / Pro for Workstations
  • Windows Server 2016 or above
  • Virtualization-based security (VBS) must be enabled


V - Enabling Credential Guard through PowerShell:


The script first checks that the basic prerequisites are met (TPM and Secure Boot), then enables the necessary Hyper-V features and configures the registry settings for Credential Guard. It then requests a reboot to apply the changes.

Important points to note:

This script requires administrator privileges to run.

It modifies important system parameters, so be sure to test it in a controlled environment before applying it on a large scale.

After activation, we recommend verifying that Credential Guard is working correctly using the Microsoft Security Compliance Toolkit, or by running msinfo32 and checking the "Virtualization-based security" status.

Enabling Credential Guard may have implications for the compatibility of certain applications or drivers. It is therefore important to thoroughly test your environment before deploying Credential Guard on a large scale.

# Check whether PowerShell is running as administrator
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning "You need to run this script as administrator."
    exit 1
}

# Check that the system meets the basic requirements
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) {
    Write-Warning "A TPM is not present or not enabled on this system."
    exit 1
}

# Confirm-SecureBootUEFI throws on legacy BIOS systems, so treat an exception as "not enabled"
try {
    $secureBootState = Confirm-SecureBootUEFI
} catch {
    $secureBootState = $false
}
if (-not $secureBootState) {
    Write-Warning "Secure Boot is not enabled on this device."
    exit 1
}

# Enable the Hyper-V features (the hypervisor is required for VBS)
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart

# Credential Guard settings (all written as DWORD values)
$credentialGuardSettings = @{
    EnableVirtualizationBasedSecurity = 1  # Turn on VBS
    RequirePlatformSecurityFeatures   = 3  # 1 = Secure Boot only, 3 = Secure Boot and DMA protection
    LsaCfgFlags                       = 1  # 1 = Credential Guard with UEFI lock, 2 = enabled without lock
}

# Apply the settings
$deviceGuardKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
$lsaKey         = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
if (-not (Test-Path $deviceGuardKey)) { New-Item -Path $deviceGuardKey -Force | Out-Null }
New-ItemProperty -Path $deviceGuardKey -Name "EnableVirtualizationBasedSecurity" -Value $credentialGuardSettings.EnableVirtualizationBasedSecurity -PropertyType DWORD -Force
New-ItemProperty -Path $deviceGuardKey -Name "RequirePlatformSecurityFeatures" -Value $credentialGuardSettings.RequirePlatformSecurityFeatures -PropertyType DWORD -Force
New-ItemProperty -Path $lsaKey -Name "LsaCfgFlags" -Value $credentialGuardSettings.LsaCfgFlags -PropertyType DWORD -Force

Write-Host "Credential Guard is successfully configured. You need to reboot to apply the changes."
Read-Host "Press Enter to reboot..."
Restart-Computer

  • The result of the script execution can be seen here:
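To check the outcome after the reboot without opening msinfo32, the following function (an added example, not part of the original article) reads the Win32_DeviceGuard WMI class, which is the same data msinfo32 shows under "Virtualization-based security", together with the LsaCfgFlags value written by the script above. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server 2016 and later.

```powershell
# Added example: report the Credential Guard / VBS state after enablement.
# Win32_DeviceGuard exposes what msinfo32 displays; LsaCfgFlags is the registry
# value the enablement script sets. Run from an elevated PowerShell session.

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbsMap    = @{ 0 = 'Disabled'; 1 = 'Enabled, not running (reboot pending?)'; 2 = 'Running' }
    $vbsStatus = $vbsMap[[int]$dg.VirtualizationBasedSecurityStatus]

    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory integrity)
    $cgConfigured = $dg.SecurityServicesConfigured -contains 1
    $cgRunning    = $dg.SecurityServicesRunning    -contains 1

    # Platform properties as numbered by the class (2 and 3 are what RequirePlatformSecurityFeatures = 3 asks for)
    $propMap = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                  4 = 'Secure memory overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
                  7 = 'Mode based execution control' }
    $available = ($dg.AvailableSecurityProperties | ForEach-Object { $propMap[[int]$_] }) -join ', '
    $required  = ($dg.RequiredSecurityProperties  | ForEach-Object { $propMap[[int]$_] }) -join ', '

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $lsaMode = switch ([int]$lsa.LsaCfgFlags) {
        1       { 'Enabled with UEFI lock (cannot be turned off remotely)' }
        2       { 'Enabled without UEFI lock' }
        default { 'Not configured / disabled' }
    }

    [pscustomobject]@{
        VbsStatus                   = $vbsStatus
        CredentialGuardConfigured   = $cgConfigured   # policy accepted
        CredentialGuardRunning      = $cgRunning      # LSA isolation actually active
        LsaCfgFlags                 = $lsaMode
        AvailableSecurityProperties = $available
        RequiredSecurityProperties  = $required
    }
}

Get-CredentialGuardStatus | Format-List
```

A device where CredentialGuardConfigured is True but CredentialGuardRunning is False has accepted the policy but has not yet rebooted, or lacks one of the properties listed under RequiredSecurityProperties in its AvailableSecurityProperties.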

VI - Enabling Credential Guard through Microsoft Intune:


To enable Credential Guard through Microsoft Intune, follow these steps:

1 - Sign in to the Microsoft Endpoint Manager admin center: endpoint.microsoft.com.

2 - Create a Configuration Profile:

  • Navigate to Devices > Configuration profiles > Create profile.
  • Select Platform: Windows 10 and later.
  • Choose Profile type: Settings catalog.

3 - Configure Credential Guard Settings:

  • Click Create and complete the Name field.
  • Click Next.

  • In Browse category, search for and select "Device Guard".
  • Set Credential Guard to Enabled with UEFI lock or Enabled without lock.

4 - Assign the Profile:

  • Assign the profile to a device group containing the target Windows devices.
  • Sync the devices with Intune and restart them.
  • Select "Next" then "Create".

  • The configuration policy is now created.

This process ensures that Credential Guard is properly enabled and protecting your devices.


VII - Conclusion:


Enabling Credential Guard significantly enhances the security of Windows systems by isolating critical credentials in a secure environment. By following the steps described, administrators can effectively protect their networks against advanced threats and credential theft attacks.


Thanks


Aymen EL JAZIRI

System Administrator
