About Credential Guard
Credential Guard is a Windows 10 security feature that uses virtualization to ward off credential theft. It stores derived credentials (i.e. NTLM hashes and Kerberos tickets) and the process that manages them (the Local Security Authority Subsystem Service, LSASS) in a secured, isolated container that relies on Hyper-V and virtualization-based security (VBS) for additional protection. NOTE: NTLM stands for NT LAN Manager, which is the authentication protocol in modern Windows environments and replaces LANMAN.
Risks that Credential Guard addresses:
Previous Windows versions had permitted drivers to inject code into the Local Security Authority (LSA). Credentials could be compromised and then used to access other machines.
The idea of Credential Guard is to prevent credential theft, which can lead to pass-the-hash types of attacks. Microsoft has explained (in a Microsoft Channel 9 video) that most people think of security breaches as happening because some algorithm was hacked. However, about 80-90 percent of those breaches result from credential theft.
When Credential Manager domain credentials, NTLM, and Kerberos-derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked.
Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security.
Additional Considerations:
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and customers are recommended to also incorporate Device Guard (see below) as well as other security strategies and architectures.
Microsoft has updated its TechNet article describing Credential Guard.
The technology has some limits.
It doesn't protect credentials stored in:
- Credential Manager, or
- software that saves passwords, including local accounts and Microsoft accounts
It also can't protect against key loggers.
How Credential Guard Works:
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Unauthorized access to these secrets could lead to credential theft attacks, such as Pass-the-Hash or Pass-the-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
Microsoft's virtualization-assisted security in Windows 10 is based on an Isolated User Mode (IUM) technology. Once an attacker has administrative privileges or "debug credentials" on a machine, it's possible to pull credentials from the memory space of the operating system.
However, with IUM, there's a boundary and the credentials are encrypted. As a result, drivers can't get into the Local Security Authority of Windows 10, and strict signing is enforced in the IUM.
Credential Guard Scope/Availability:
The Credential Guard feature is currently only available with the Windows 10 Enterprise or Education editions. It is not available with Windows 10 Pro.
Hardware Requirements:
In addition, Credential Guard has specific hardware requirements, namely:
- Unified Extensible Firmware Interface (UEFI) 2.3.1 or greater;
- Virtualization extensions such as Intel VT-x, AMD-V and SLAT must be enabled;
- x64 version of Windows;
- IOMMU, such as Intel VT-d, AMD-Vi;
- TPM 2.0;
- BIOS lockdown
Benefits of using Credential Guard:
By enabling Credential Guard, the following features and solutions are provided:
- Hardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- Virtualization-based security: Windows NTLM and Kerberos-derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- Better protection against advanced persistent threats
How Credential Guard is Managed:
Credential Guard is managed by IT pros using specific Group Policy Objects. The feature must be enabled, and its hardware and software requirements must be met in order for Credential Guard to work.
The weaker MS-CHAPv2 and NTLMv1 authentication protocols need to be disabled. Credential Guard will work with down-level domain controllers and network resources.
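As an added example (not part of the original article and not Microsoft's own code), the following PowerShell script checks, on one machine, the hardware prerequisites listed above and whether Credential Guard is configured and actually running. It reads the Win32_DeviceGuard and Win32_Tpm WMI classes, the firmware_type environment variable and the LsaCfgFlags registry value that the Credential Guard policy writes; the function name and the labels for the numeric codes are our own.

```powershell
# Added example, not code from the original article or from Microsoft: report
# which of the Credential Guard prerequisites are present on this machine and
# whether the feature is running. Run from an elevated PowerShell prompt.

# Numeric codes used by Win32_DeviceGuard. Only the codes that map to the
# prerequisites above are labelled; any other code is shown as a raw number.
$securityProperties = @{
    1 = 'Hypervisor support (VT-x/AMD-V with SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU such as VT-d/AMD-Vi)'
}
$securityServices = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
}

function Get-CredentialGuardReadiness {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbsStatus = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Not enabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { "Unknown ($_)" }
    }

    # Translate an array of numeric codes into labels using one of the tables above.
    $decode = {
        param($codes, $table)
        @($codes | ForEach-Object {
            if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "code $_" }
        })
    }

    # TPM version comes from Win32_Tpm; SpecVersion starts with "2.0" on a TPM 2.0 part.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'No TPM found' }

    # LsaCfgFlags: 1 = Credential Guard on with UEFI lock, 2 = on without lock, 0/absent = off.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name 'LsaCfgFlags' -ErrorAction SilentlyContinue
    $lsaCfgFlags = if ($lsa) { [int]$lsa.LsaCfgFlags } else { 0 }

    [pscustomobject]@{
        FirmwareType             = $env:firmware_type            # 'UEFI' or 'Legacy'
        Is64BitOS                = [Environment]::Is64BitOperatingSystem
        TpmSpecVersion           = $tpmVersion
        VbsStatus                = $vbsStatus
        HardwareFeaturesPresent  = & $decode $dg.AvailableSecurityProperties $securityProperties
        FeaturesRequiredByPolicy = & $decode $dg.RequiredSecurityProperties  $securityProperties
        ServicesConfigured       = & $decode $dg.SecurityServicesConfigured  $securityServices
        ServicesRunning          = & $decode $dg.SecurityServicesRunning     $securityServices
        CredentialGuardRunning   = [bool]($dg.SecurityServicesRunning -contains 1)
        LsaCfgFlags              = $lsaCfgFlags
        UefiLockApplied          = ($lsaCfgFlags -eq 1)
    }
}

Get-CredentialGuardReadiness | Format-List
```

The useful comparison is between ServicesConfigured and ServicesRunning: a machine where Credential Guard is configured by policy but not listed as running usually fails one of the hardware prerequisites, and HardwareFeaturesPresent shows which one is missing. The BIOS lockdown requirement cannot be read from the operating system and has to be verified in firmware setup.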
Windows 10 also has another virtualization-assisted security feature called Device Guard which has similar requirements to Credential Guard.
About Device Guard
Device Guard prevents non-trusted applications from running on Windows 10 machines. It allows organizations to control what can be run on a machine by locking it down.
How Device Guard is controlled
Device Guard is controllable via Group Policy, mobile device management and PowerShell.
How Device Guard Works
Device Guard on Windows 10 Enterprise changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating code integrity policies.
Code integrity contains two primary components: kernel mode code integrity (KMCI) and user mode code integrity (UMCI). KMCI has been available in previous versions of the Windows operating system, and protects the kernel mode from running unsigned drivers. In Windows 10 and Windows Server 2016, UMCI is also available, to help protect against viruses and malware.
Hardware integration in Device Guard
To increase the security level offered by code integrity policies, Device Guard can leverage advanced hardware features on hardware that supports them. These features include:
- CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and
- second-level address translation (SLAT).
In addition, hardware that includes input/output memory management units (IOMMUs) provides even stronger protections. When you enable the features associated with CPU virtualization extensions and SLAT, the Code Integrity service can run alongside the kernel in a Windows hypervisor-protected container.
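As an added example (not part of the original article and not Microsoft's own code), the following PowerShell script shows the PowerShell side of controlling Device Guard: it builds an initial code integrity policy from a known-good reference machine, sets it to audit mode, compiles it to the binary form the Code Integrity service loads, and lists what the policy would have blocked. The cmdlets are from the built-in ConfigCI module; the working folder, the -Level choice and the helper function name are our own assumptions.

```powershell
# Added example, not code from the original article or from Microsoft: create a
# Device Guard code integrity policy in audit mode and review its findings.
# Run from an elevated PowerShell prompt on the reference machine.

$workDir   = 'C:\CIPolicy'                       # assumed working folder
$policyXml = Join-Path $workDir 'InitialScan.xml'
$policyBin = Join-Path $workDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Scan the reference installation. -Level Publisher trusts files by their signing
# publisher; -Fallback Hash records a hash for anything unsigned so it is still
# allowed. -UserPEs includes user-mode binaries, i.e. the policy covers UMCI as
# well as KMCI.
New-CIPolicy -Level Publisher -Fallback Hash -ScanPath 'C:\' -UserPEs -FilePath $policyXml

# Rule option 3 is "Enabled:Audit Mode": the Code Integrity service logs what the
# policy would block instead of blocking it. Every new policy should start this way.
Set-RuleOption -FilePath $policyXml -Option 3

# Compile the XML into the binary form the kernel loads.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# Review audit results before moving to enforcement: event ID 3076 in the
# CodeIntegrity/Operational log means "would have been blocked under this policy".
function Get-CIAuditFindings {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-CIAuditFindings | Format-Table -Wrap
```

To apply the policy locally, copy the compiled .p7b to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b and reboot; once the audit log has been reviewed and the policy adjusted, remove audit mode with Set-RuleOption -FilePath $policyXml -Option 3 -Delete, recompile, and redeploy to enforce.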
Recommended further reading:
https://technet.microsoft.com/itpro/windows/keep-secure/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies