Credential Guard in Windows 11/10
Credential Guard is one of the main security features available with Windows 11/10. It allows protection against hacking of domain credentials thereby preventing hackers from taking over the enterprise networks. Along with features like Device Guard and Secure Boot, Windows 11/10 is more secure than any of the previous Windows operating systems.
What is Credential Guard feature in Windows 11/10
As its name indicates, this feature in Windows 11/10 safeguards credentials in and across user domains in a network. While previous operating systems from Microsoft used to store ID and password for user accounts in local RAM, Credential Guard creates a virtual container and stores all domain secrets in that virtual container that the operating system cannot access directly. You do not need external virtualization. The feature makes use of Hyper-V which you can configure in the Programs and Features applet in the Control Panel. When hackers compromised a Windows operating system earlier, they could get access to the hash used to encrypt the user credentials, as it would be stored in local RAM, without much protection. With Credential Manager, credentials are stored in a virtual container so that even if hackers compromise the system, they cannot access the hash. That way, they cannot penetrate computers on the network. In short, the Credential Guard feature in Windows 11/10 increases the security of domain credentials and related hashes so that it becomes almost impossible for hackers to access the secret and apply it to other computers. Thus any possibility of attack is stopped at the entrance only. I won’t say Credential Guard is unbreakable, but it sure increases the level of security so that your computer and the network are safe. Against the Credential Guards in previous versions of Windows, the one in Windows 11/10 disallows several protocols that may allow hackers to reach the virtual container where the hashed credentials are stored. However, the feature is not available for all computers. Read: Remote Credential Guard protects Remote Desktop credentials.
Credential Guard System Requirements
There are a few limitations – especially if you are on budget laptops. Even Ultrabooks that don’t support Trusted Platform Module (TPM) cannot run Credential Guard though the book runs Windows 11/10 Enterprise. Credential Guard runs only in the Enterprise Edition of Windows 11/10. If you are using Pro or Education, you won’t get to use this feature. Your machine should be supporting Secure Boot and 64-bit virtualization. That leaves all 32-bit computers out of the scope of this feature. This does not imply that you have to upgrade all your computers at the same time. You can use whatever computers that meet requirements after creating a sub-domain and putting incompatible computers into the sub-domain. When you configure the upper domains with Credential Guard and the incompatible computers are in a lower subdomain, the security will still be good enough to thwart credential hacking attempts. Read: Device Guard and Credential Guard Hardware Readiness Tool
Limits of Credential Guard
While some hardware requirements exist for Credential Guard in Windows 11/10 Enterprise edition, not everything is supposed to be protected by the feature. You should not expect the following from Credential Guard: Credential Guard will offer protection against direct hacking attempts and malware seeking credential information. If the credential information is already stolen before you could implement Credential Guard, it won’t prevent the hackers from using the hash key on other computers in the same domain. For additional information and for scripts to manage Credential Guard feature in Windows 11/10, please visit TechNet. Tomorrow we will see how to turn on Credential Guard by using Group Policy.
Should I enable Credential Guard?
The credential guard ensures the domain secrets are not compromised. If it is already compromised, then Windows Defender Credential Guard will not be able to secure the device or the identity. Hence not only it is recommended to enable it, but should be done before the device joins the domain.