Q. What is Credential Guard?
A. Credential Guard is a feature of Windows 10 (Enterprise and Education editions) that protects the domain credentials held in memory on a machine (NTLM hashes, Kerberos ticket-granting tickets and the credentials cached for single sign-on) from theft techniques such as pass-the-hash and pass-the-ticket. It is built on Virtual Secure Mode (VSM), which uses the virtualization extensions of the CPU and the Hyper-V hypervisor to wall off regions of memory without running a full virtual machine; you will also see this referred to as Virtualization Based Security (VBS). VSM creates a separate, isolated "bubble" for a small set of trusted processes, known as trustlets, and nothing in the regular operating system can read that memory, not even the kernel; the trustlets can only be reached through specific, defined communication channels. When Credential Guard is enabled, the Local Security Authority runs as a trustlet inside VSM (visible in the normal OS as LsaIso.exe). The familiar LSASS process still runs in the main OS so that existing software keeps working, but it now acts as a proxy or stub that forwards requests to the isolated LSA; the secrets themselves live only inside VSM, so malware that compromises LSASS or even the kernel cannot dump them. Credential Guard is not enabled by default and must be turned on and deployed in your organization. Note what it does and does not cover: it protects the stored credentials, not the logged-on session, so code running with administrative rights can still ask the isolated LSA to authenticate on the current user's behalf while they are signed in, and local accounts and Microsoft accounts are not protected by it.
To use Credential Guard you must be running the Enterprise or Education SKU of Windows 10 in addition to having a machine with the following:
- UEFI (without CSM enabled)
- 64-bit Windows
- Secure Boot enabled
- Processor with virtualization extensions (Intel VT-x/AMD-V) and Second Level Address Translation (SLAT)
- TPM (1.2 or 2.0) is recommended but not required; when present it is used to protect the keys that VBS relies on
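As an added example (not part of the original page), the elevated PowerShell script below checks the prerequisites in the list above and then reports whether VSM and Credential Guard are actually configured and running, including whether the isolated LSA trustlet described in the answer is present as LsaIso.exe. It relies on the documented Win32_DeviceGuard WMI class and the documented DeviceGuard and Lsa registry values; the check labels and output layout are this example's own, and the enabling section is left commented out so that reading the state never changes it.

```powershell
# Added example: verify Credential Guard prerequisites and state on Windows 10.
# Run from an elevated PowerShell prompt (Confirm-SecureBootUEFI and Get-Tpm need admin).
# The numeric codes below are Microsoft's documented values for Win32_DeviceGuard.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# AvailableSecurityProperties: 1 = base virtualization support (VT-x/AMD-V with SLAT),
# 2 = Secure Boot, 3 = DMA protection (IOMMU), 4 = secure memory overwrite,
# 5 = NX protections, 6 = SMM mitigations, 7 = mode-based execution control
$avail = @($dg.AvailableSecurityProperties)

# One entry per requirement from the list above; $true means the machine meets it.
$checks = [ordered]@{
    'Enterprise/Education SKU'  = ((Get-CimInstance Win32_OperatingSystem).Caption -match 'Enterprise|Education')
    '64-bit Windows'            = [Environment]::Is64BitOperatingSystem
    'UEFI firmware (no CSM)'    = ($env:firmware_type -eq 'UEFI')
    'Secure Boot enabled'       = $(try { Confirm-SecureBootUEFI } catch { $false })  # throws on legacy BIOS
    'Virtualization + SLAT'     = ($avail -contains 1)
    'TPM present (recommended)' = ((Get-Tpm -ErrorAction SilentlyContinue).TpmPresent -eq $true)
}

'--- Prerequisites ---'
foreach ($name in $checks.Keys) {
    '{0,-28} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'MISSING' })
}

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
# SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
$vbsState = switch ($dg.VirtualizationBasedSecurityStatus) {
    0 { 'disabled' } 1 { 'enabled but not running' } 2 { 'running' } default { 'unknown' }
}
'--- Current state ---'
"VSM/VBS:                     $vbsState"
"Credential Guard configured: $(@($dg.SecurityServicesConfigured) -contains 1)"
"Credential Guard running:    $(@($dg.SecurityServicesRunning) -contains 1)"
# With Credential Guard running, the isolated LSA trustlet appears in the normal OS as
# LsaIso.exe, alongside the lsass.exe that now only proxies requests to it.
"LsaIso.exe running:          $([bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue))"

# To enable Credential Guard without Group Policy, set the documented registry values
# below and reboot (on current Windows 10 builds the hypervisor is turned on automatically).
#   EnableVirtualizationBasedSecurity = 1
#   RequirePlatformSecurityFeatures   = 1 (Secure Boot) or 3 (Secure Boot + DMA protection)
#   LsaCfgFlags                       = 1 (enabled with UEFI lock) or 2 (enabled without lock)
# A UEFI lock (LsaCfgFlags = 1) means it cannot be switched off remotely; clearing it
# needs someone physically present at the machine to confirm at boot. Uncomment to apply:
# $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
# New-Item -Path $dgKey -Force | Out-Null
# Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
# Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 1 -Type DWord
# Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Value 1 -Type DWord
```

A machine can show every prerequisite as OK and still report "Credential Guard running: False", because the feature is off until it is deployed; conversely, if "configured" is true but "running" is false after a reboot, the usual causes are Secure Boot having been switched off in firmware or a hypervisor conflict, both of which the prerequisite section will point at. The same state values are visible in msinfo32 under "Virtualization-based security Services Running".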