Credential Guard overview

Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.

Credential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass the ticket.

When enabled, Credential Guard provides the following benefits:

  • Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials
  • Virtualization-based security: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system
  • Protection against advanced persistent threats: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS

Note

While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures.

Important

Starting in Windows 11, version 22H2, VBS and Credential Guard are enabled by default on all devices that meet the system requirements.
For information about known issues related to the default enablement of Credential Guard, see Credential Guard: Known Issues.

System requirements

For Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements.

Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections and are more hardened against certain threats.

Hardware and software requirements

Credential Guard requires the features:

While not required, the following features are recommended to provide additional protections:

  • Trusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware
  • UEFI lock, as it prevents attackers from disabling Credential Guard with a registry key change

For detailed information on protections for improved security that are associated with hardware and firmware options, see additional security qualifications.

Credential Guard in virtual machines

Credential Guard can protect secrets in Hyper-V virtual machines, just as it would on a physical machine. When Credential Guard is enabled on a VM, secrets are protected from attacks inside the VM. Credential Guard doesn't provide protection from privileged system attacks originating from the host.

The requirements to run Credential Guard in Hyper-V virtual machines are:

  • The Hyper-V host must have an IOMMU
  • The Hyper-V virtual machine must be generation 2

Note

Credential Guard is not supported on Hyper-V or Azure generation 1 VMs. Credential Guard is available on generation 2 VMs only.

Windows edition and licensing requirements

The following table lists the Windows editions that support Credential Guard:

Windows Pro Windows Enterprise Windows Pro Education/SE Windows Education
No Yes No Yes

Credential Guard license entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE Windows Enterprise E3 Windows Enterprise E5 Windows Education A3 Windows Education A5
No Yes Yes Yes Yes

For more information about Windows licensing, see Windows licensing overview.

Application requirements

When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as application requirements.

Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.

Warning

Enabling Credential Guard on domain controllers isn't recommended. Credential Guard doesn't provide any added security to domain controllers, and can cause application compatibility issues on domain controllers.

Note

Credential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).

Applications break if they require:

  • Kerberos DES encryption support
  • Kerberos unconstrained delegation
  • Extracting the Kerberos TGT
  • NTLMv1

Applications prompt and expose credentials to risk if they require:

  • Digest authentication
  • Credential delegation
  • MS-CHAPv2

Applications may cause performance issues when they attempt to hook the isolated Credential Guard process LSAIso.exe.

Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.

Next steps