🛡️ Essential 8 Guide

Credential Guard functionality is enabled.

Summary

Credential Guard protects credentials by isolating secrets with virtualization-based security, reducing the risk of credential theft. Enable Credential Guard via an Intune device configuration profile to ensure consistent deployment across devices.¹²

Justification

What Credential Guard protects against:

Credential Guard uses Virtualization-Based Security (VBS) to isolate the Local Security Authority (LSA) process. It splits lsass.exe into a host process and a protected companion (LSAIso.exe) running inside a hypervisor-enforced Virtual Secure Mode (VSM) kernel. Credentials such as NTLM hashes and Kerberos TGTs are stored only within the VSM memory, which the host OS cannot access even with SYSTEM privileges.

Hardware requirements beyond TPM + Secure Boot:

• CPU virtualization extensions — Intel VT-x or AMD-V with SLAT (Second-Level Address Translation) to run the Hyper-V-based VSM.
• UEFI firmware ≥ 2.3.1 with UEFI-based memory attributes (MAT) enabled.
• 64-bit architecture (x64 only; Hyper-V and VSM are 64-bit only).
• IOMMU (optional) — provides DMA protection against PCIe-based direct memory attacks; required if “Secure Boot + DMA protection” is selected.

Known incompatibilities:

[!NOTE] Default enablement: Credential Guard is enabled by default on Windows 11 22H2 and later on eligible hardware. On earlier versions it must be explicitly enabled. Verify with: Get-WinEvent -FilterHashtable @{LogName='System';Id=6} or check HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\CredentialGuard\Enabled.

Design Decision

[!NOTE] The Credential Guard configuration will be applied via an Intune Settings Catalog policy to configure the Device Guard category’s Credential Guard setting to Enabled with UEFI lock or Enabled without lock.

Prerequisites

• Permissions/Roles
  • Access to configure Credential Guard using one of the supported deployment methods: Intune/MDM, Group Policy, or Registry.¹
  • Ability to assign the policy to a target group of devices or users for Intune, or to create/edit and link a Group Policy Object (GPO) for Group Policy deployment.¹
• Dependencies
  • The device must run Windows 11, 22H2 or later, or Windows Server 2025 or later.²
  • Hardware and firmware must support and have Virtualization Based Security (VBS) and Secure Boot enabled.⁴
  • If using Intune deployment, devices must be managed by Intune and enrolled in Entra ID (Azure AD) or hybrid Azure AD joined.⁴
  • If using Group Policy deployment, devices must be joined to an Active Directory domain and/or hybrid Azure AD joined.⁵
  • Credential Guard should be configured before a device is joined to a domain, or before a domain user signs in for the first time.¹

Implementation Steps

• Credential Guard has been enabled by default starting with Windows 11, 22H2 and Windows Server 2025 Credential Guard overview.

Configure Credential Guard with Intune

1. In Microsoft Intune, create a Settings catalog policy.
2. In the policy, under the category Device Guard, set the Credential Guard setting to one of the options:
   • Enabled with UEFI lock
   • Enabled without lock

   Note: If you want to be able to turn off Credential Guard remotely, choose Enabled without lock.

3. Assign the policy to a group that contains the devices or users you want to configure.
4. After the policy is applied, restart the device.
5. Optional: You can also configure Credential Guard by using an account protection policy in endpoint security. For more information, see Account protection policy settings for endpoint security in Microsoft Intune.

Additional related information

• Remote Credential Guard guidance explains enabling delegation of nonexportable credentials on remote hosts via Intune, Group Policy, or Registry Remote Credential Guard ⁶
• Essential Eight ML3 guidance describes enabling Credential Guard and Remote Credential Guard to mitigate credential theft, with Intune deployment considerations Essential Eight restrict administrative privileges ⁷
• Credential Guard protected machine accounts describes machine identity isolation and relocation of machine account secrets into Credential Guard Credential Guard protected machine accounts ⁵
• Windows settings you can manage through an Intune Endpoint Protection profile covers Defender Credential Guard settings and remote management behaviors Windows settings you can manage through an Intune Endpoint Protection profile ⁴
• Considerations and known issues outline upgrade considerations and default enablement behavior for Credential Guard Considerations and known issues ⁸
• Microsoft Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft (Version 1 and 2) is the foundational whitepaper series covering PtH attack anatomy, credential theft techniques (including lateral movement and overpass-the-hash), and the defence-in-depth strategies that Credential Guard directly addresses. Required baseline reading for architects designing a credential theft mitigation programme. Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft, Version 1 and 2 ³