Credential Guard is unique to Windows 10 Enterprise and Windows Server 2016, and designed to protect against OS-level attempts to read credentials. It uses hardware and virtualization-based security to isolate secrets so that only privileged system software can access them. Credential Guard protects NTLM password hashes, Kerberos Ticket-Granting Tickets, and credentials stored by applications.
Usually, Windows stores secrets in the Local Security Authority (LSA), in process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. You can consider the isolated LSA as running like a small virtual machine that only the LSA can communicate with, using remote procedure calls.
To enable this feature, the computers must meet specific hardware, firmware, and software requirements. Also, be aware that due to the restrictions necessary to secure the credentials, some applications will not be compatible, especially those that require the following authentication methods:
- NTLMv1
- MS-CHAPv2
- Digest
- CredSSP
Applications will also break if they require:
- Kerberos DES encryption support
- Kerberos unconstrained delegation
- Extracting the Kerberos TGT
We recommend that this solution be enabled, because of the advanced protection it provides against local attacks on workstations. Any applications that are not compatible should be replaced with more secure options.
You can read more about this solution here: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-how-it-works.
You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed:
- From the Group Policy Management Console (GPMC), go to Computer Configuration | Administrative Templates | System | Device Guard.
- Double-click Turn On Virtualization Based Security, and then click on the Enabled option.
- In the Select Platform Security Level option, choose Secure Boot and DMA Protection.
- In the Credential Guard Configuration option, click on Enabled with UEFI lock, and then click on OK. If you want to be able to turn off Credential Guard remotely, choose Enabled without lock.
![](Images/607ed61d-704e-43eb-9104-bf4e684dac2a.png)
- Close the Group Policy Management Console.
Source URL: https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-manage.
A more detailed step-by-step guide has been published here: https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/.
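After the policy above has applied and the machine has rebooted, you will want to confirm that Credential Guard is actually running and that the platform security level and lock setting match what was chosen in the GPO. The following PowerShell script is an added example, not code from the original text or from Microsoft's documentation; it reads the Win32_DeviceGuard CIM class and the DeviceGuard/Lsa registry values, and the registry paths and value meanings it uses are assumptions based on the documented settings, so adjust them if your build stores them elsewhere.

```powershell
# Added verification script (not from the original text). Run elevated on a
# workstation after the Group Policy has applied and the machine has rebooted.
function Get-CredentialGuardState {
    # Win32_DeviceGuard reports VBS status and which VBS services are active.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # Service id 1 = Credential Guard, 2 = HVCI (hypervisor code integrity).
    $cgConfigured = [bool]($dg.SecurityServicesConfigured -contains 1)
    $cgRunning    = [bool]($dg.SecurityServicesRunning    -contains 1)
    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled, 2 = running.
    $vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)

    # Registry values written by the policy (paths assumed; policy key first).
    $keys = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard',
              'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard')
    $platform = $null; $lsaCfg = $null
    foreach ($k in $keys) {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if ($p -and $null -eq $platform) { $platform = $p.RequirePlatformSecurityFeatures }
        if ($p -and $null -eq $lsaCfg)   { $lsaCfg   = $p.LsaCfgFlags }
    }
    # LsaCfgFlags location when Credential Guard was set outside of policy.
    if ($null -eq $lsaCfg) {
        $lsaCfg = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                   -ErrorAction SilentlyContinue).LsaCfgFlags
    }

    # 1 = Secure Boot, 3 = Secure Boot and DMA Protection (the GPO choice above).
    $platformText = switch ($platform) { 1 {'Secure Boot'} 3 {'Secure Boot and DMA Protection'} default {'not set'} }
    # 1 = Enabled with UEFI lock, 2 = Enabled without lock, 0 = Disabled.
    $lockText     = switch ($lsaCfg)   { 1 {'Enabled with UEFI lock'} 2 {'Enabled without lock'} 0 {'Disabled'} default {'not set'} }

    [pscustomobject]@{
        VbsRunning                = $vbsRunning
        CredentialGuardConfigured = $cgConfigured
        CredentialGuardRunning    = $cgRunning
        PlatformSecurityLevel     = $platformText
        LockSetting               = $lockText
    }
}

$state = Get-CredentialGuardState
$state | Format-List
if (-not $state.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is configured but not running: check the hardware, firmware and reboot requirements.'
}
```

A result of CredentialGuardConfigured = True with CredentialGuardRunning = False usually means the policy applied but the hardware or firmware prerequisites (UEFI, Secure Boot, virtualization extensions) are not met on that machine.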