Credential Guard is a Windows feature that isolates the credentials used to sign in to Windows in enterprise environments so that they cannot be stolen from a compromised machine. This guide explains what Windows Credential Guard is, what is required to use it, and how to check whether it is enabled or disabled.
Introduction to Windows Credential Guard
The primary purpose of Windows Credential Guard is to prevent the credentials used to log in to Windows domains, and to the services that trust those domains, from being stolen, by isolating them from the rest of the operating system. The protected secrets are the domain credentials held by the Local Security Authority (LSA): NT LAN Manager (NTLM) password hashes, Kerberos Ticket Granting Tickets (TGTs), the derived credentials built from them, and credentials that applications store as domain credentials. It also covers the cached domain credentials that let users sign in while disconnected from the domain.
Credential Guard does not protect other credentials: local accounts, Microsoft accounts and the credentials of third-party applications stored outside LSA are not covered. It is intended only for the domain authentication secrets handled by Windows itself, and it does not stop credentials being captured before they reach LSA (keyloggers, phishing) or malware that simply uses the logged-on user's live session.
Credential Guard is only supported on the Enterprise and Education editions of Windows 10 and Windows 11 (and on Windows Server). It is not included in the Home or Pro editions, so if you are a home user you are unlikely to have access to it, or any need for it. Beyond the edition, it needs the hardware that Virtualization-based Security (VBS) depends on: a 64-bit CPU with virtualization extensions and second-level address translation, UEFI firmware with Secure Boot enabled, and ideally a TPM to protect the VBS keys.
As of Windows 11 version 22H2, if your system meets the above requirements and nothing has explicitly disabled it, Credential Guard is enabled by default. Default enablement is "enabled without UEFI lock": credentials are protected, but an administrator or a later policy can still turn the feature off. Enforcing it through policy with the UEFI lock (see Method 2 below) is what makes it tamper-resistant.
Why verifying Credential Guard status is important
Credential Guard protects against pass-the-hash and pass-the-ticket attacks, in which NTLM hashes or Kerberos tickets dumped from the memory of a Windows machine (typically from the LSASS process) are replayed to impersonate users and move laterally through an enterprise Windows network to the sensitive data on it.
In enterprise IT, it’s vital to utilize all available security technologies to protect your infrastructure, data, and users. Additionally, leveraging all reasonable security measures is often a requirement for compliance with GDPR, CCPA, HIPAA, and other emerging data privacy legal frameworks.
If Credential Guard is available and supported on the Windows systems you are responsible for, it should be on. The only legitimate reasons to defer it are the legacy authentication mechanisms it deliberately blocks: Kerberos unconstrained delegation, Kerberos DES encryption, NTLMv1, MS-CHAPv2/PEAP-MSCHAPv2 single sign-on and WDigest. Fix those dependencies rather than leave Credential Guard disabled.
How Credential Guard works
Credential Guard uses a combination of hardware security and Virtualization-based Security (VBS). Hardware features, including UEFI Secure Boot, the CPU's virtualization extensions and, where present, the TPM and an IOMMU for DMA protection, keep the hypervisor and the secure kernel from being tampered with as they boot. VBS then runs a second, isolated copy of the LSA (LsaIso.exe) in a separate virtual trust level that the normal Windows kernel cannot access, and that is where the secrets live.
Even if a system with Credential Guard enabled is compromised, even by malware running as Administrator or SYSTEM, or by code in the normal Windows kernel, the isolated LSA's memory cannot be read. The regular LSASS process talks to it over a narrow RPC interface and receives only the results of operations (for example an NTLM or Kerberos response), never the hashes or tickets themselves, so a memory dump of LSASS no longer yields reusable credentials.
How to verify if Credential Guard is enabled or disabled
You can use one of the below methods to check the status of Windows Credential Guard on a single PC.
Method 1: Using System Information
- Right-click on the Start button and select Run
- Enter msinfo32 in the Run dialog and click OK
- Click on System Summary in the left navigation panel
- In the right panel, scroll down to the Virtualization-based security entries
- Virtualization-based security should read Running, and Credential Guard should be listed in the Value field of Virtualization-based security Services Running. The neighbouring Services Configured field only shows what policy asked for: Credential Guard appearing there but not under Services Running means it is configured but not active, typically because a firmware prerequisite is missing
If Windows Credential Guard is disabled or not available on your system, it will not appear in either field.
Method 2: Using Group Policy Editor
You can also use the Group Policy Editor to check the enforcement status of Windows Credential Guard:
- Right-click on the Start button and select Run
- Enter gpedit.msc and click OK to open the Group Policy Editor
- Navigate to Computer Configuration/Administrative Templates/System/Device Guard
- Locate the Turn On Virtualization Based Security policy and open it
- If the policy is Enabled, look at the Credential Guard Configuration drop-down: Enabled with UEFI lock means the setting is also stored in a firmware variable and can only be removed by an administrator physically present at boot; Enabled without lock means it can be turned off again by policy or registry; Disabled means the policy turns VBS on but leaves Credential Guard off
If the policy is set to Not Configured, Credential Guard is not enforced by Group Policy, though on Windows 11 22H2 and later it may still be enabled by default (without UEFI lock)
Method 3: Checking the Windows Event Viewer
The Windows Event Viewer can be used to see the information Credential Guard logs at startup.
- Search for and open Event Viewer from the Start menu
- Open Windows Logs > System and filter on Event ID 13. The event "Credential Guard (LsaIso.exe) was started and will protect LSA credentials" is written by WinInit on every boot at which Credential Guard started; Event ID 14 records its configuration (whether the UEFI lock is set), and IDs 15 to 17 report that Credential Guard is configured but failed to start
- The Device Guard log at Applications and Services Logs > Microsoft > Windows > DeviceGuard > Operational holds the related VBS and code-integrity policy events
If no Event ID 13 has ever been logged, Credential Guard has never run on that system: either it is not configured, or VBS could not start because a prerequisite (Secure Boot, virtualization extensions, a supported edition) is missing.
Method 4: Using PowerShell commands
The Get-CimInstance PowerShell cmdlet can be used to check whether Credential Guard is running by querying the Win32_DeviceGuard class:
- Open PowerShell as Administrator
- Run the following PowerShell command
(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning -contains 1
- If this command returns True, Credential Guard is active. The values in SecurityServicesRunning are 1 for Credential Guard and 2 for Hypervisor-protected Code Integrity (HVCI), so a check for 2, which some guides show, reports HVCI status rather than Credential Guard. The related SecurityServicesConfigured property lists what policy has asked for; a service that is configured but not running usually means a firmware prerequisite (Secure Boot, virtualization extensions) is switched off. The -contains operator is used rather than the .Contains() method because it compares the unsigned integers in the array with the literal 1 using PowerShell's type-tolerant equality.
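The following PowerShell function is added here as a worked example; it is not from the original article and not a Microsoft tool. It cross-checks the four manual methods above on one machine: it reads the Win32_DeviceGuard class (Method 4), the LsaCfgFlags value and the policy registry key that the Group Policy setting writes (Method 2), the presence of the isolated LSA process, and the WinInit startup event in the System log (Method 3). It assumes an elevated session on Windows 10 or 11 Enterprise/Education; the host names in the commented fleet command are constructed.

```powershell
# Added example, not part of the original article or of any Microsoft tooling.
# Assumptions: Windows 10/11 Enterprise or Education, Windows PowerShell 5.1 or
# PowerShell 7, run from an elevated session on the machine being checked.

function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Documented meanings of the Win32_DeviceGuard values. Credential Guard is 1
    # and HVCI is 2; the two are easy to confuse in a quick one-liner.
    $serviceNames = @{
        0 = 'None'
        1 = 'CredentialGuard'
        2 = 'HVCI'
        3 = 'SystemGuardSecureLaunch'
        4 = 'SmmFirmwareMeasurement'
    }
    $vbsStates  = @{ 0 = 'NotEnabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }
    $lsaCfgText = @{ 0 = 'Disabled'; 1 = 'EnabledWithUefiLock'; 2 = 'EnabledWithoutLock' }

    try {
        $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                              -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ErrorAction Stop
    } catch {
        # The class is absent on editions that do not ship VBS (e.g. Home).
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Supported    = $false
            Error        = $_.Exception.Message
        }
    }

    # Configured vs running: a service can be requested by policy and still not
    # run (e.g. Secure Boot or virtualization extensions disabled in firmware).
    $configured = @($dg.SecurityServicesConfigured) | ForEach-Object { $serviceNames[[int]$_] }
    $running    = @($dg.SecurityServicesRunning)    | ForEach-Object { $serviceNames[[int]$_] }

    # Effective Credential Guard setting: 0 off, 1 on with UEFI lock, 2 on without lock.
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $lsaCfgState = if ($null -ne $lsaCfg) { $lsaCfgText[[int]$lsaCfg] } else { 'NotSet' }

    # Group Policy, if any, lands under HKLM\SOFTWARE\Policies; absence means Not Configured.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                               -ErrorAction SilentlyContinue

    # Two runtime corroborations: the isolated LSA process exists, and WinInit
    # logged event 13 ("Credential Guard (LsaIso.exe) was started ...") at boot.
    $lsaIso  = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    $event13 = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 13 } `
                            -MaxEvents 50 -ErrorAction SilentlyContinue |
               Where-Object { $_.Message -match 'LsaIso' } |
               Select-Object -First 1
    $lastStart = if ($event13) { $event13.TimeCreated } else { $null }

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        Supported              = $true
        VbsState               = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = ($configured -join ',')
        ServicesRunning        = ($running -join ',')
        CredentialGuardRunning = ($running -contains 'CredentialGuard')
        LsaCfgFlags            = $lsaCfgState
        PolicyEnforced         = ($null -ne $policy -and $null -ne $policy.LsaCfgFlags)
        LsaIsoProcessPresent   = $lsaIso
        LastEvent13            = $lastStart
    }
}

# Local check:
Get-CredentialGuardStatus | Format-List

# Fleet check over WinRM (constructed host names; assumes remoting is enabled on the targets):
# Invoke-Command -ComputerName 'ws01','ws02' -ScriptBlock ${function:Get-CredentialGuardStatus} |
#     Where-Object { -not $_.CredentialGuardRunning } |
#     Format-Table ComputerName, VbsState, ServicesRunning, LsaCfgFlags
```

A healthy host shows VbsState Running, CredentialGuard in ServicesRunning, LsaIsoProcessPresent True and a recent LastEvent13. The combination that deserves attention is CredentialGuard present in ServicesConfigured (or LsaCfgFlags set) but absent from ServicesRunning: the policy applied, but the machine cannot start VBS, so credentials on it are unprotected despite the green tick in the management console. Passing the function body to Invoke-Command, as in the commented line, runs the same checks on every host in a list without copying a script to each one.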
What should I do if Credential Guard is not supported on my device?
If a device you are responsible for does not meet the requirements for Credential Guard, check whether the required hardware features are merely disabled in the BIOS/UEFI setup: enable UEFI boot (rather than legacy/CSM), Secure Boot, the CPU virtualization extensions (Intel VT-x or AMD-V, plus VT-d or AMD-Vi if you want DMA protection) and the TPM if one is present. In some cases a discrete TPM module can be purchased and installed in compatible systems that lack one.
Credential Guard is only supported in Windows 11 and Windows 10 Enterprise and Education editions, and the protection it provides is specific to enterprise environments. If you are not tasked with maintaining such an environment, you probably don’t need to be concerned with the Credential Guard status of your PC.
How do I enable Credential Guard if it’s disabled?
Credential Guard is enabled automatically on compatible systems running Windows 11 version 22H2 or later, but only without the UEFI lock. To enforce it (and to turn it on for Windows 10 or earlier Windows 11 builds), enable the Group Policy shown above with Credential Guard Configuration set to Enabled with UEFI lock, or deploy the equivalent settings through Intune or the registry. A reboot is required in every case.
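The function below is added as an example and is not part of the original article. It enforces Credential Guard on a single host by writing the registry values that Microsoft documents for the registry-based enablement method, the same values the "Turn On Virtualization Based Security" policy sets, and it refuses to run on hardware where VBS could never start. It assumes an elevated session on Windows 10 or 11 Enterprise/Education, that no Group Policy overrides these keys (policy under HKLM\SOFTWARE\Policies wins at the next refresh), and a reboot afterwards; the function and parameter names are my own.

```powershell
# Added example, not part of the original article or of any Microsoft tooling.
# Assumptions: elevated Windows PowerShell on Windows 10/11 Enterprise or
# Education; no Group Policy managing Device Guard; reboot after running.

function Enable-CredentialGuard {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # The UEFI lock stores the setting in a firmware variable so a remote
        # attacker with admin rights cannot silently switch it off; removing it
        # later needs an administrator present at boot. Default enablement on
        # Windows 11 22H2+ is without the lock.
        [switch]$UefiLock,

        # RequirePlatformSecurityFeatures: 1 = Secure Boot only,
        # 3 = Secure Boot plus DMA (IOMMU) protection.
        [ValidateSet(1, 3)]
        [int]$PlatformSecurityLevel = 1
    )

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock.
    $lsaCfgFlags = if ($UefiLock) { 1 } else { 2 }

    # Refuse to configure a machine that cannot run VBS, so we do not leave a
    # "configured but not running" host that looks compliant in a policy report.
    # AvailableSecurityProperties: 1 = base virtualization support, 2 = Secure Boot.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop
    $available = @($dg.AvailableSecurityProperties)
    if ($available -notcontains 1 -or $available -notcontains 2) {
        throw "VBS prerequisites missing (available properties: $($available -join ',')). " +
              'Enable virtualization extensions and Secure Boot in firmware first.'
    }
    if ($PlatformSecurityLevel -eq 3 -and $available -notcontains 3) {
        throw 'DMA protection was requested but the platform does not report it as available.'
    }

    $action = "Enable Credential Guard (LsaCfgFlags=$lsaCfgFlags, " +
              "RequirePlatformSecurityFeatures=$PlatformSecurityLevel)"
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        New-Item -Path $dgKey -Force | Out-Null
        Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures -Value $PlatformSecurityLevel -Type DWord
        Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $lsaCfgFlags -Type DWord
        Write-Warning 'Reboot required. Afterwards confirm with Method 4 that SecurityServicesRunning contains 1.'
    }
}

# Dry run first, then enforce with the UEFI lock (the setting an enterprise should standardise on):
# Enable-CredentialGuard -UefiLock -WhatIf
# Enable-CredentialGuard -UefiLock
```

The prerequisite check matters more than the three registry writes: Windows accepts the values on any machine, and a host that has them but cannot start the secure kernel will log Event ID 15 at boot and keep running with credentials unprotected, while reporting the policy as applied. Choose the UEFI lock deliberately; it is the setting that defeats an attacker who already has admin rights, but it also means that decommissioning the feature later (for example on a lab machine) needs someone at the console.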
Managing the security of Windows devices at scale
While Group Policy can be used to enforce Credential Guard on all devices in an enterprise environment, it is still important to check that all devices support it and that it is active. Doing so manually would be time-consuming and potentially leave security gaps if a device’s hardware configuration changes. This means that automated and ongoing monitoring and management is a must to ensure the security of Windows credentials in Windows domains, especially when employees may be using their own devices.