Credential Guard in Windows Server 2016 allows you to protect in-memory credentials. This article explains how Credential Guard works and how you can configure it via Group Policy.
Credential Guard requirementsAt first blush, the Credential Guard hardware and software requirements seem pretty steep, at least if your shop doesn’t have fairly current hardware. Here’s the list:
- Operating systems: 64-bit Windows 10 Enterprise or Windows Server 2016
- Firmware: UEFI firmware v2.3.1 or higher. The key point here is that the system’s UEFI must support Secure Boot. Recall that Secure Boot is a UEFI feature embraced by Microsoft that prevents unsigned (unauthorized) OS loaders or device drivers from loading during startup.
- CPU virtualization extensions: Intel VT-x or AMD-V with SLAT support
- TPM v 1.2 or 2.0: Trusted Platform Module (TPM) is a motherboard chip that stores Credential Guard encryption keys
Enabling Credential Guard via Group PolicyThe easiest way to deploy Credential Guard is to do so in local or domain Group Policy. Pop open your Group Policy editor and navigate to the following location:
Computer Configuration\Administrative Templates\System\Device Guard
We’re looking for the policy named “Turn on Virtualization Based Security,” as shown in the following screen capture from my Windows Server 2016 Technical Preview (TP) 5 VM:
Disabling Credential GuardAfter enabling this policy, you have two choices about how you want Credential Guard to behave:
- Enabled with UEFI lock: Credential Guard can’t be remotely disabled. An administrator needs to locally logon to the machine in question to disable the feature (along with modifying Group Policy if necessary).
- Enabled without lock: Credential Guard can be disabled remotely via Group Policy.
However, you’ll want to perform due diligence before enabling Credential Guard across your enterprise. The reason for this is that Credential Guard prevents the use of older NTLM credentials and unconstrained Kerberos delegation for security reasons. That second point may tweak a few of you in our readership because Kerberos delegation is a standard method to allow our line-of-business (LOB) applications to forward account credentials.
We can use good ol’ System Information (msinfo32.exe) to determine whether Credential Guard is enabled or disabled. My virtual machine wouldn’t work with UEFI, so you can see in the following screenshot that Credential Guard is enabled but not running: