Windows 10 has implemented a critical feature in Windows Defender that uses virtualization-based security to isolate secrets and reduce the chance of unauthorized access. This feature makes sure that only privileged system software can access the stored secrets. In the past, many attacks, such as Pass-the-Hash or Pass-the-Ticket, were reported as a result of such unauthorized access. All the credentials, including NTLM password hashes, domain credentials, and Kerberos ticket-granting tickets, are protected by Windows Defender Credential Guard. In this article, we shall be discussing the importance of Windows Defender Credential Guard and the steps to enable/disable it easily.
Why Windows Defender Credential Guard?
- Hardware-level security: Essential credentials such as NTLM hashes, Kerberos tickets, and domain credentials are protected using platform security features (Secure Boot, TPM, and CPU virtualization extensions).
- Virtualization-based security: Windows NTLM and Kerberos are stored inside a protected environment that is isolated from the host machine.
- Better protection against advanced persistent threats: On earlier versions of Windows, a privileged administrative application could read all the critical credentials from the LSA process, but with virtualization-based security, no process on the host can access the tokens without proper authorization.
Hardware and Software Requirements:
- Support for Virtualization-based security (required)
- Secure boot (required)
- Trusted Platform Module (TPM) version 1.0 or 2.0
- UEFI lock
- A 64-bit CPU
- CPU virtualization extensions plus extended page tables
- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
- You must be signed in as an administrator.
- This is available only on Windows 10 Enterprise and Windows 10 Education PCs.
Enable Windows Defender Credential Guard:
- Search for “Windows Features” on the Start menu and open the “Turn Windows features on or off” option.
- Scroll down, expand the “Hyper-V” feature and enable it. Below it you will find “Isolated User Mode”; check it and press the OK button to save the changes.
- Open Local Group Policy Editor and navigate to the below-mentioned path,
Computer Configuration\Administrative Templates\System\Device Guard
- Click on the “Device Guard” option, and on the right-hand side, double click on the “Turn On Virtualization Based Security” to edit the policy.
- To disable the credential guard, click on the radio button next to “Disabled” or “Not Configured.”
- To enable the credential guard, click on the radio button next to “Enabled.”
- From the “Select Platform Security Level” dropdown, choose “Secure Boot” or “Secure Boot and DMA Protection.”
- Under the “Virtualization Based Protection of Code Integrity” dropdown, you can also enable Device Guard by selecting “Enabled with UEFI lock” or “Enabled without lock.”
- From the “Credential Guard Configuration” dropdown, choose “Enabled with UEFI lock.”
- From the “Secure Launch Configuration” dropdown, choose “Not Configured,” “Enabled,” or “Disabled.”
- Click on the “OK” button and close the Local Group Policy Editor.
- Restart the computer to see the changes.
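The following PowerShell script is an added example, not part of the original article, for verifying that the policy settings above were applied and that Credential Guard is actually running after the reboot. It reads the registry values the “Turn On Virtualization Based Security” policy writes and the Win32_DeviceGuard WMI class; the function name Get-CredentialGuardStatus is our own and the script assumes an elevated session on Windows 10.

```powershell
# Added example: audit Credential Guard configuration vs. runtime state.
# Run from an elevated PowerShell prompt on Windows 10 Enterprise/Education.
function Get-CredentialGuardStatus {
    # Registry values written by the Group Policy setting described above
    $dg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'         -ErrorAction SilentlyContinue

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
    $cgPolicy = switch ([int]$lsa.LsaCfgFlags) {
        1       { 'Enabled with UEFI lock' }
        2       { 'Enabled without lock' }
        default { 'Disabled / Not Configured' }
    }
    # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA Protection
    $platform = switch ([int]$dg.RequirePlatformSecurityFeatures) {
        1       { 'Secure Boot' }
        3       { 'Secure Boot and DMA Protection' }
        default { 'Not set' }
    }

    # Runtime state: configured services only take effect after a reboot
    $state = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # Service ids: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
    $cgConfigured = $state.SecurityServicesConfigured -contains 1
    $cgRunning    = $state.SecurityServicesRunning    -contains 1
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    $vbsRunning   = $state.VirtualizationBasedSecurityStatus -eq 2

    # Prerequisites from the requirements list (Secure Boot and TPM)
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        VbsPolicyEnabled        = ([int]$dg.EnableVirtualizationBasedSecurity -eq 1)
        PlatformSecurityLevel   = $platform
        CredentialGuardPolicy   = $cgPolicy
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning  = $cgRunning
        VbsRunning              = $vbsRunning
        SecureBootEnabled       = $secureBoot
        TpmPresent              = ($null -ne $tpm)
        TpmSpecVersion          = $tpm.SpecVersion
    }
}

Get-CredentialGuardStatus | Format-List
```

If CredentialGuardConfigured is True but CredentialGuardRunning is False, the policy was applied but the machine has not been rebooted or a prerequisite (Secure Boot, TPM, virtualization extensions) is missing.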
Conclusion:
In this article, we have explained the importance of Credential Guard and shown the steps to enable/disable it on your Windows device. Please note that this feature is only available in the Windows 10 Enterprise and Education editions, so make sure the prerequisites listed above are met before getting started.