Credential Guard uses what Microsoft calls "Virtualization based security" to isolate credentials so that malware or attackers with admin privileges can't view or extract them. For more information on why this is so important see my previous post which links to my Derbycon talk. TLDR; When (not if) one of your systems gets compromised, attackers look for credentials and move around laterally until they get what they want. Without Credential Guard it is trivial to view credentials that Windows stores in memory. Depending on the version of Windows these credentials may be in plaintext, hashed, or in the form of a Kerberos ticket.
For example, here is the output of Mimikatz on a Windows 10 system running as a local user and not joined to a domain:
Here you can see the local user's hash that is stored in memory. If this was Windows 7, by default you would see the actual password in plaintext. Now lets look at the output when Credential Guard is enabled:
But wait, it looks like the NTLM hash is still accessible in memory? I confirmed with Benjamin Delpy that this is indeed the case when running Windows 10 LTSB 2015 with a local account. He said this has been fixed in the Anniversary Update so this shouldn't be the case when running LTSB 2016 or the latest Windows 10 CSB. I joined the machine to a domain and on the results were what I originally expected with no credentials accessible:
Configuring Credential Guard
So how do we turn this on? The first thing you need to consider is the prerequisites, which vary depending on the version of Windows 10. At a minimum, you'll need:- 64-bit CPU with virtualization extensions such as Intel VT-x or AMD-V
- TPM 1.2 or 2.
- UEFI firmware with Secure Boot enabled
- Windows 10 Enterprise, Education, 2016 Server or Enterprise IoT
You can enable Credential Guard via GPO, registry, or with a Microsoft provided Powershell script; however keep in mind the prerequisites must already be in place for Credential Guard to be successfully enabled. If the system didn't have Secure Boot enabled when Windows was installed, you'll have to enable Secure Boot and re-install Windows before Credential Guard will work. On my list of things to do is to find a way to poll systems remotely (probably with Powershell) and output a report on Credential Guard status. Also notice Credential Guard can't be run on Windows 10 Pro. In my mind Credential Guard and Device Guard are the primary motivating reasons to buy Enterprise.
For initial testing, my preferred method of enabling Credential Guard is with the DG_Readiness Powershell script from Microsoft which you can currently find here. This tool allows you to verify a system has the required prerequisites, enable or disable Credential Guard or Device Guard or both, and check to see if they are enabled/running. Run it with the -Capable flag to check the prerequisites:
Don't worry if you see HSTI Validation failed. I'm not exactly sure what this means but it doesn't seem to affect Credential Guard. If you see any other errors in red you'll need to fix those before you can enable Credential Guard. If you don't see any other errors you can run the Readiness Tool with the -Enable flag which will enable both Credential Guard and Device Guard. I ran into an issue when enabling CG this way where some applications wouldn't start because of a "digital signature" error. Running the Readness Tool with the -Disable -DG flags fixed the issue by disabling Device Guard. I assume this had to do with Device Guard being enabled but no configuration for it. Because of this issue, I'd recommend enabling Credential Guard with the -Enable -CG flags as shown:
When the system reboots Credential Guard should be running. You can verify this with the Readiness Tool and the -Ready flag or by running msinfo32.exe. This is what they should look like:
Credential Guard Configured But Services Not Running
When running Windows 10 LTSB 2016 or CSB I've ran into an issue where in msinfo32.exe it appears Credential Guard is configured, but the services are not running. I'm not sure what causes this, but the workaround below worked for me.
- Ensure all prerequisites are in place on the system
- Configure Credential Guard with the Readiness Tool
- After a reboot msinfo32.exe shows Credential Guard configured, but services not running
- Disable Secure Boot in the BIOS
- After a reboot msinfo32.exe shows Credential Guard configured and oddly services running even though Secure Boot is disabled
- Re-Enable Secure Boot
- After a reboot msinfo32.exe shows Credential Guard configured and services remain running
Update - 7-11-17
Ran into this again on an HP Prodesk 600 G1 SFF and the workaround above didn't work. When I looked at tpm.msc it showed "TPM Not Ready". I initialized the TPM from tpm.msc, rebooted, and had to confirm a BIOS message to initialize the chip. I then disabled Credential Guard and re-enabled it with the readiness script and then Credential Guard Services showed "Running" in msinfo32.exe.