Windows Defender Credential Guard uses virtualization-based security to secure secrets on Windows 10 Enterpirse and Windows Server 2019 machines. Using this method, only privileged system software can access them. Windows Defender Credential Guard will help preventing unauthorized access that can lead to credential theft attack. In this tutorial I will show you how to prepare the actual implementation and how to configure it for production environments.
How it works
Windows Defender Credential Guard prevents hackers and/or malware from retrieving NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials. It does this by isolating these features virtually using Hyper-V running on the local system. The Local Security Authority (LSA) that runs on modern Windows 10 devices, will talk to a new component called the isolated LSA process. This will isolated process running virtually, will be used to store and protect secrets. The isolated process is not accessible by the operating system other then the local LSA.
This islolated LSA process will only host a small subset of operating system binaries that it needs to be functional. Binaries are signed using a certificate that will be trusted by the virtualization-bases security. When the signature could not be verified, the isolated LSA process will fail to launch.
It is important to investigate what Windows Defender Credential Guard might break in your production environment. Important authentication flows like wireless network access or application access through single sign-on might fail.
Security mostly comes at a cost. Usability of functionality will be limited and Windows Defender Credential Guard is no exception. Applications will break if they require:
- Kerberos DES encryption support
- Kerberos unconstrained delegation
- Extracting the Kerberos TGT
Applications will prompt and expose credentials to risk if they require:
- Digest authentication
- Credential delegation
However, applications can prompt for credentials or use credentials stores in Windows Vault which is not potected by Windows Defender Credential Guard. Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
Check device capability for Windows Defender Credential Guard
It is recommended to confirm that every device in your environment is capable of running Windows Defender Credential Guard.
There are some specific hardware requirements for Windows Defender Credentual Guard to work. I invested some time in creating a script myself, but there is a lot to check and verify. Luckily Microsoft provides PowerShell code that can be run from the device to check if all requirements are met.
After you have sucessfully copied the PowerShell code, save the file on the device and open a new PowerShell console with administrative access. Save the file as DG_Readiness.ps1 in C:\Defender.
Set-Location 'C:\Defender' .\DG_Readiness.ps1 -Capable
Enable for devices managed by Microsoft Intune
Access your Microsoft Intune tenant by logging in to the Microsoft Endpoint Manager admin center. Next, go to Endpoint Security and create a new policy under Account protection. Please be aware that this feature is still in preview at the time of writing.
Give the new policy a name that will suit with the rest of your environment. You might also want to add a description. When everything is filled in, click on Next.
For the purpose of this demonstration the profile has been assigned to All Devices.