# Credential Guard

> Source: Courseiva IT Certification Glossary — https://courseiva.com/glossary/credential-guard

## Quick definition

Credential Guard is a Windows security tool that locks away your login information so malware can't get it. It uses a special part of your computer's hardware to create a sealed-off area where credentials are kept safe. This makes it much harder for attackers to steal passwords or other secrets from a compromised system.

## Simple meaning

Think of Credential Guard as a high-tech safe inside your computer for your most sensitive information, like your usernames and passwords. Normally, when you log in, Windows holds onto a copy of your credentials for a while, and that copy is stored in a part of memory that other programs can access. If a malicious program sneaks into your computer, it can grab that copy and steal your login info. Credential Guard changes this by creating a tiny, isolated virtual machine, a separate mini-computer running inside your main computer, using your hardware's virtualization features. All your sensitive credentials are moved into this isolated VM. This VM is completely cut off from the rest of the operating system. Even if malware has full control over Windows itself, it cannot reach into this protected vault. The only way to get the credentials out is through strict, controlled channels that require special permissions. So, even if a hacker tricks you into running a dangerous program, your primary login password stays locked away, completely invisible to the attack. This is a huge leap forward because older protections only slowed down attacks, while Credential Guard can actually stop credential theft from happening at all, provided your hardware supports it.

## Technical definition

Credential Guard is a security feature built into Windows 10 Enterprise, Windows 10 Education, and Windows Server 2016 and later that uses virtualization-based security (VBS) to isolate and protect derived domain credentials and other secrets from compromise by malware. It works by leveraging hardware virtualization extensions, such as Intel VT-x or AMD-V, to create a secure, isolated environment known as the Secure World. Inside this secure environment, a lightweight, secure kernel (the Secure Kernel) runs a separate copy of the Local Security Authority (LSA) subsystem (Isolated LSA). Normally, the LSA process (lsass.exe) runs in the regular Windows kernel space and manages authentication, password changes, and token creation. This makes it a prime target for credential dumping tools like Mimikatz. With Credential Guard enabled, the sensitive credential material, including NTLM hashes, Kerberos ticket-granting tickets (TGTs), and other derived credentials, is stored exclusively within the Isolated LSA process running in the Virtualization-Based Security (VBS) environment. The regular Windows kernel cannot directly access this memory. All authentication requests from the regular OS are sent to the Isolated LSA via a secure, controlled RPC interface. The Isolated LSA processes the request and returns the result without exposing the raw secrets. Credential Guard also integrates with Key Storage Provider (KSP) to protect the encryption keys used for things like BitLocker and virtual smart cards. It requires specific hardware: a 64-bit processor with virtualization extensions and SLAT (Second Level Address Translation), UEFI firmware with Secure Boot, and a TPM 2.0 for the best security posture. It must be enabled via Group Policy or Windows Defender Device Guard settings, and once enabled, it changes how Windows handles authentication, preventing cached credentials from being written to disk and blocking legacy authentication protocols like LM and NTLMv1 from using cached secrets. This makes Credential Guard a foundational component of Microsoft's "privileged access workstation" (PAW) strategy for high-value accounts.

## Real-life example

Imagine a bank vault where tellers keep customers' deposit envelopes. Normally, all the tellers work at the main counter, and if a thief disguised as a janitor walks in, they could easily grab the envelopes. This is like a regular Windows system where credentials are stored in lsass.exe memory. Now, think of a high-security bank where the deposit envelopes are immediately dropped through a slot into a separate, sealed vault room. The tellers can only see and handle the envelopes through a small, armored window. The janitor can't even get close to the vault. This is Credential Guard. The tellers are the regular operating system, and the vault room is the isolated virtual machine. The armored window is the secure RPC interface. Even if the janitor (malware) takes over the main teller counter (the OS), they cannot access the money in the vault because the vault has its own guards (secure kernel) and a completely different lock (hardware-enforced isolation). In another analogy, think of your house. Normally, you keep your car keys on a hook by the front door. If a burglar breaks in, they walk right out with your keys and your car. Credential Guard is like having a small, fireproof safe in a hidden corner of the house, and you put your car keys in there before you go to sleep. Even if the burglar trashes the living room, they cannot open the safe because it has a combination lock you only know. The burglar can't even see what's inside the safe. That is the level of protection Credential Guard provides for your digital keys.

## Why it matters

Credential Guard is critically important because credential theft is the single most common method attackers use to move laterally, escalate privileges, and eventually gain domain admin access in an enterprise environment. Tools like Mimikatz have been around for years and are effective exactly because Windows historically stored credential material in a way that any process running with Administrator privileges could read. Pass-the-Hash, Pass-the-Ticket, and Overpass-the-Hash attacks all rely on attackers being able to extract NTLM hashes or Kerberos tickets from lsass.exe. Credential Guard directly counters these attacks by making the credentials inaccessible from the regular operating system. This means that even if an attacker gains administrative-level code execution on a machine, they cannot dump the credentials that would let them move to other servers or workstations. For IT professionals, this changes the security model from "trust but verify" to "never trust, always isolate." It reduces the blast radius of a single compromised endpoint dramatically. Implementing Credential Guard is not a silver bullet, it requires compatible hardware, planning, and it may break compatibility with some legacy applications that depend on direct access to credentials (like some older versions of Microsoft Office or line-of-business apps). However, for organizations that enforce a security baseline, it is a non-negotiable control, often mandated by compliance frameworks like CIS Benchmarks and Microsoft's own security recommendations. It also pairs well with other VBS-based features like Device Guard (which hardens code integrity) and Windows Defender Application Control, creating a layered defense that protects against both malware and targeted attacks.

## Why it matters in exams

In the MD-102 exam (Microsoft 365 Endpoint Administrator), Credential Guard is a key concept under the "Manage Windows security" objective domain. It appears in questions about deploying and managing security baselines, configuring Windows Defender Credential Guard, and understanding the prerequisites for virtualization-based security. Candidates should know that Credential Guard is not simply a registry setting but a feature requiring specific hardware: UEFI with Secure Boot, 64-bit CPU with SLAT (Second Level Address Translation), and ideally a TPM 2.0. The exam will test your ability to identify scenarios where Credential Guard should be enabled (e.g., privileged access workstations, servers holding high-value credentials) and where it cannot be used (e.g., devices that need to access certain legacy resources, or hardware lacking Intel VT-x or AMD-V). You may encounter multiple-choice questions that ask which security feature prevents Mimikatz from dumping credentials, or which set of prerequisites are required for Credential Guard. Troubleshooting questions might involve a device that fails to enable VBS due to a missing firmware setting. The MD-102 also expects you to understand that Credential Guard is part of a broader Device Guard and Credential Guard deployment strategy. You should be comfortable with Group Policy paths (Computer Configuration > Administrative Templates > System > Device Guard) and the PowerShell cmdlets used to check status, such as Get-CimInstance -ClassName Win32_DeviceGuard. The exam may ask about the difference between Credential Guard and Windows Defender Remote Credential Guard, which is a related feature that protects credentials during Remote Desktop sessions. The most common exam pitfall is thinking Credential Guard protects all credentials equally, in reality, it protects derived credentials (hashes, tickets) but does not protect the user's password itself at the time of interactive logon (that password is still entered via the keyboard).

## How it appears in exam questions

Exam questions will test your understanding of Credential Guard's purpose, prerequisites, deployment methods, and limitations. The most common question pattern is a scenario where an organization wants to prevent lateral movement from an endpoint that has been compromised. The answer will involve enabling Credential Guard. For example: "A security team wants to ensure that if a workstation is infected with credential dumping malware, the attacker cannot steal domain administrator credentials. Which feature should they deploy?" The correct answer is Windows Defender Credential Guard. Another pattern: "A user reports that after enabling Credential Guard, they cannot access a legacy file server that uses NTLM authentication. Why might this happen?" The answer is that Credential Guard disables caching of NTLM hashes, so if the server requires NTLMv1 or cached credentials for authentication, the attempt may fail. You will also see questions about prerequisites: "Which of the following is required for Credential Guard? (Select all that apply.)" Options may include TPM 2.0, UEFI with Secure Boot, SLAT-capable processor, and Internet connection. The exam expects you to select all hardware prerequisites and exclude the internet requirement. In configuration-based questions, you may be asked to identify the correct Group Policy setting location or registry key path. A common mistake is confusing Credential Guard with BitLocker or Windows Defender Firewall. BitLocker protects data at rest, not credentials in memory. The exam may also present a mixed set of security features and ask you to match each with its function. For Credential Guard, you must associate it with "virtualization-based isolation of LSA secrets." Finally, troubleshooting scenarios might show an event log entry indicating that VBS could not be started because Secure Boot is not enabled or virtualization is disabled in firmware. You would need to choose the correct remediation: enable Virtualization Technology in BIOS/UEFI and ensure Secure Boot is on.

## Example scenario

Contoso, Ltd. is a mid-sized legal firm that handles highly confidential client data. Their IT admin, Priya, is tasked with preventing credential theft after a recent phishing attack nearly succeeded. Priya decides to deploy Windows Defender Credential Guard on all lawyer and partner laptops. She first checks that all laptops meet the hardware requirements: they have Intel Core i5 processors with VT-x and SLAT, are running Windows 10 Enterprise, and have UEFI with Secure Boot enabled. Priya configures a Group Policy Object (GPO) to enable Credential Guard with UEFI lock. She applies the GPO to an organizational unit containing the laptops. After the next reboot, the laptops start using virtualization-based security. The LSA process now runs in a secure isolated environment. A month later, a partner's laptop is infected with a trojan that attempts to run Mimikatz. The malware, running with local Administrator privileges, fails to extract any NTLM hashes or Kerberos tickets because those secrets live inside the isolated VM. The attack is blocked. Priya checks the Event Viewer and sees events indicating Credential Guard successfully protected the secrets. She also realizes that one lawyer had trouble printing to an old network printer that used a legacy driver requiring direct access to cached credentials. Priya has to either update the printer or create a policy that excludes that specific device from Credential Guard, understanding the trade-off between security and compatibility. This scenario illustrates both the power of Credential Guard and the need for careful planning.

## Common mistakes

- **Mistake:** Thinking Credential Guard protects all passwords equally.
  - Why it is wrong: Credential Guard protects derived credentials (hashes, tickets) after they are created, but it does not protect the plaintext password entered during interactive logon. That password flows through the keyboard, down the stack, and is processed briefly in the kernel before being hashed. A keystroke logger built into hardware or low-level software could still capture it before it reaches Credential Guard.
  - Fix: Understand that Credential Guard protects stored and derived secrets, not the initial password entry. Pair it with Windows Defender Application Control and proper endpoint detection to protect the entire authentication path.
- **Mistake:** Assuming Credential Guard works on any version of Windows.
  - Why it is wrong: Credential Guard is only available on Windows 10 Enterprise, Windows 10 Education, Windows 11 Enterprise, and Windows Server 2016 and above. It is not available on Windows Pro, Home, or older versions. Enabling it on unsupported editions results in configuration errors or the feature simply being unavailable.
  - Fix: Always verify the Windows edition. Use the Get-WindowsEdition cmdlet in PowerShell to confirm the edition, and check that the device is licensed for Enterprise or Education. For Pro editions, consider alternative protections like Windows Defender Firewall and antimalware.
- **Mistake:** Believing that Credential Guard is a software-only change that works without hardware support.
  - Why it is wrong: Credential Guard requires hardware virtualization features (Intel VT-x or AMD-V), SLAT, UEFI with Secure Boot, and ideally a TPM 2.0. If any of these are missing or disabled, the feature will not enable. Many exam questions intentionally present scenarios where hardware lacks VT-x to trap candidates.
  - Fix: Check all prerequisites before deployment. In an exam, always look for mentions of CPU virtualization capability, Secure Boot, and UEFI. If the question says "the device has virtualization disabled in BIOS," Credential Guard cannot be used.
- **Mistake:** Confusing Credential Guard with Windows Defender Application Control (WDAC) or Device Guard.
  - Why it is wrong: While they are related and often deployed together, they protect different things. Credential Guard protects credentials; WDAC controls which executables can run. They are separate features with different Group Policy settings. Mixing them up leads to incorrect answers in configuration and scenario questions.
  - Fix: Create a mental map: Credential Guard = credentials, Device Guard = code integrity, Windows Defender Firewall = network traffic, BitLocker = disk encryption. In the exam, read the scenario carefully to see which resource is being attacked.

## Exam trap

{"trap":"A question says, \"Enabling Credential Guard will prevent an attacker from using a keystroke logger to capture a user's password.\"","why_learners_choose_it":"Learners often assume that because Credential Guard protects credentials, it protects everything credential-related, including the moment the user types their password. This is a natural but incorrect generalization.","how_to_avoid_it":"Remember that Credential Guard protects credentials after they have been processed by the LSA and turned into hashes or tickets. The initial password entry passes through the keyboard driver, the kernel, and is hashed in the regular memory before being sent to the isolated LSA. A keystroke logger installed before the password is hashed can still capture it. Credential Guard only prevents post-login theft of cached hashes and tickets."}

## Commonly confused with

- **Credential Guard vs Device Guard:** Device Guard (now part of Windows Defender Application Control) focuses on code integrity, it ensures that only trusted applications can run on a device. Credential Guard focuses on isolating credentials. Device Guard prevents malware from executing, while Credential Guard protects secrets even if malware does execute. (Example: Device Guard is like a club bouncer checking IDs at the door; Credential Guard is like a lockbox behind the bar where the cash is kept, locked even if a thief gets past the bouncer.)
- **Credential Guard vs Remote Credential Guard:** Remote Credential Guard is a feature that protects credentials when connecting to remote machines via Remote Desktop. It uses risk-based single sign-on and prevents forwarded credentials from being exposed to the remote host. Credential Guard (local) protects secrets on the local machine. Remote Guard protects the credentials during transit and on the remote endpoint. (Example: Local Credential Guard protects your safe at home; Remote Credential Guard is the armored courier that safely delivers your safe's combination to a distant bank vault.)
- **Credential Guard vs Microsoft Defender for Identity (MDI):** MDI is a cloud-based security solution that monitors on-premises Active Directory traffic and behavior to detect attacks. It doesn't isolate credentials; it analyzes logs and network traffic to identify suspicious activity like pass-the-hash. Credential Guard is a preventive control, while MDI is a detective control. (Example: Credential Guard is the lock on your door; MDI is the security camera watching the hallway.)

## Step-by-step breakdown

1. **Hardware Validation** — Before enabling Credential Guard, the system must confirm it supports UEFI firmware with Secure Boot, a 64-bit processor with virtualization extensions (Intel VT-x or AMD-V) and SLAT, and ideally a TPM 2.0. This step is critical because if hardware prerequisites are missing, the feature will not enable, and the system may boot into a degraded security state.
2. **Enable Virtualization-Based Security via Group Policy** — Administrators configure a Group Policy Object under Computer Configuration > Administrative Templates > System > Device Guard. The policy 'Turn on Virtualization Based Security' is set to Enabled, and 'Select Platform Security Level' is configured to include Secure Boot, DMA Protection, and optionally TPM boot attestation. This tells Windows to start using VBS.
3. **Enable Credential Guard Configuration** — Within the same Group Policy setting, there is a dropdown for 'Credential Guard Configuration.' It offers options like 'Disabled', 'Enabled with UEFI lock', and 'Enabled without lock.' Choosing 'Enabled with UEFI lock' permanently activates Credential Guard unless the UEFI firmware is reset. This prevents malware from turning it off.
4. **Reboot and Initialize VBS** — After applying the policy, the system reboots. During boot, the UEFI firmware interacts with the hardware to create the isolated environment, the Secure World. The Secure Kernel loads and sets up the Isolated LSA process. The hypervisor (Hyper-V's hypervisor) is initialized to manage memory isolation. This happens before the regular Windows kernel starts.
5. **Migration of Credential Material** — Once VBS is running, the LSA process in the normal OS (lsass.exe) starts using a new plug-in that redirects all credential operations to the Isolated LSA. Existing cached credentials are moved into the isolated memory. From this point on, hash-based credentials and Kerberos tickets are stored only in the secure VM. The regular OS cannot read them directly.
6. **Ongoing Secure Communication** — All authentication requests from the normal OS are sent to the Isolated LSA via an RPC channel that is protected by the hypervisor. The Isolated LSA processes the request (e.g., verifying an NTLM hash for a network logon) and returns the result (authentication success/failure) without exposing the secret material. This ensures that even a compromised kernel cannot force the Isolated LSA to reveal secrets.

## Practical mini-lesson

As an IT professional, deploying Credential Guard requires careful planning and testing because it can break applications that rely on legacy authentication mechanisms. In practice, you should first pilot Credential Guard on a non-production set of devices. Before enabling it, ensure your devices meet all hardware requirements by running the PowerShell cmdlet: Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard. This returns properties like RequiredSecurityProperties and VirtualizationBasedSecurityStatus. If the status is 0, VBS is not enabled. You can also use the 'System Information' tool and look for 'Virtualization-based security' status. The most common issue after enabling Credential Guard is that some legacy applications, especially older versions of Microsoft Office (2010 and earlier), Outlook add-ins, or line-of-business apps that use credential caching, may fail. You may need to create a second GPO that disables Credential Guard for specific devices, but this weakens security. A better approach is to update the application. For Remote Desktop scenarios, also enable Remote Credential Guard. Another practical consideration is that Credential Guard prevents the use of NTLMv1 and disables the caching of NTLM hashes. If your environment has servers that require NTLMv1, those connections will break. Use Group Policy to restrict NTLM usage network-wide instead of relying on Credential Guard alone. Also, monitor Event Logs for IDs 6144, 6145, and 5004 related to Device Guard and Credential Guard. A useful real-world strategy is to deploy Credential Guard on all administrator workstations and servers that handle sensitive identity services, like domain controllers or ADFS servers. For standard user workstations, the priority is lower unless they access high-value data. Finally, remember that Credential Guard is not a replacement for other security controls. It must be part of a layered defense including patch management, endpoint detection and response (EDR), and user training. When configuring via PowerShell, you can use the Set-DeviceGuard cmdlet, but Group Policy is the recommended method for enterprise scale. Always test after deployment with a trusted credential dump tool to confirm that secrets are indeed isolated.

## Memory tip

Think 'Virtual Box for Credentials', Credential Guard puts your logon secrets inside a hardware-enforced virtual box that regular Windows cannot touch.

## FAQ

**Can Credential Guard be enabled on Windows 11 Home?**

No. Credential Guard is only available on Windows 10/11 Enterprise, Education, and Windows Server editions. It is not available on Home or Pro editions.

**Does Credential Guard protect against Pass-the-Hash attacks?**

Yes, that is one of its primary purposes. By storing NTLM hashes in an isolated virtual machine, Credential Guard prevents tools like Mimikatz from extracting them, effectively blocking Pass-the-Hash attacks.

**What happens to Credential Guard if the TPM fails?**

Credential Guard can still function without a TPM, but it relies on software-based attestation which is less secure. For full protection, a TPM 2.0 is strongly recommended. If the TPM fails, VBS may still start, but the security posture is reduced.

**Will Credential Guard affect my normal daily work?**

For most users, it runs transparently. However, some legacy applications that directly access cached credentials (like older versions of Office or custom line-of-business apps) may stop working. It may also break features like 'Save Password' in some applications.

**How can I check if Credential Guard is running on my machine?**

Open the System Information (msinfo32) tool and look for 'Virtualization-based security' status. If it says 'Running', VBS is active. You can also use PowerShell: Get-CimInstance -ClassName Win32_DeviceGuard.

**Does Credential Guard protect credentials stored in the browser?**

No. Credential Guard only protects Windows domain credentials (NTLM hashes, Kerberos tickets). Internet browser saved passwords are stored separately in the browser's own vault or the Windows Credential Manager, which is not protected by Credential Guard.

## Summary

Credential Guard is a powerful security feature that uses hardware virtualization to isolate and protect domain credentials from being stolen by malware. It is a core component of modern Windows security, specifically designed to counter credential dumping techniques like those used by Mimikatz. For IT professionals, especially those preparing for the MD-102 exam, it is essential to understand its hardware prerequisites (64-bit CPU with VT-x/AMD-V and SLAT, UEFI Secure Boot, TPM 2.0), its deployment via Group Policy, and its limitations, it protects derived credentials but not the initial password entry, and it may break legacy applications. Credential Guard is not a standalone solution; it works best as part of a layered security strategy that includes Windows Defender Application Control, firewalls, and endpoint detection. In exams, you will be tested on scenario-based questions that require you to identify when Credential Guard is appropriate, what prerequisites are needed, and how to troubleshoot common issues. Remember that while Credential Guard significantly raises the bar for attackers, it is not a magic bullet. It requires careful planning, testing, and understanding of your organization's application compatibility. The key takeaway for the MD-102 exam is: Know the prerequisites, deployment method (Group Policy), and the difference between Credential Guard and related features like Device Guard and Remote Credential Guard. With this knowledge, you will be well-prepared to answer both exam questions and real-world security challenges.

---

Practice questions and the full interactive page: https://courseiva.com/glossary/credential-guard
