What Is Windows Credential Guard, and Should You Use It?

Windows Credential Guard is a security feature that secures authentication credentials against malicious attacks. It prevents hackers from tampering with system tools or running malicious code on your computer. This feature is available on Enterprise and Education versions of Windows 10 and Windows 11. You should consider enabling Credential Guard if you handle or access sensitive data locally or remotely on a Windows domain or workgroup.

When you start your computer, a process called Local Security Authority Server Service (LSASS) authenticates the login credentials and grants you access. LSASS also stores these credentials (encrypted passwords, NT hashes, LM hashes, and Kerberos tickets) in memory during active sessions, so you don’t have to re-enter your password every time you need to make changes or access files.

Saving the credentials in memory during sessions is handy compared to the alternative: manual identity authentication at every step. Granted, entering authentication credentials now and then improves security. However, authentication credentials are lengthy, especially in their hashed forms. It would be especially inconvenient if you had to make a change quickly and particularly frustrating if you made a mistake and had to re-enter a password. And if you have to write down the password somewhere, this could potentially increase your security risk. LSASS handles authentications, so your device use is efficient.

But as you can imagine, with anything that stores valuable, sensitive data, LSASS is a jackpot for hackers. They can compromise LSASS through credential stealing attacks using tools like Mimikatz, Crackmapexec, and Lsassy. Hackers use these tools to delete, replace, or alter the real system file (lsass.exe).

There are ways to stop credential stealing before a hacker does immense damage, and it is possible to stop an attack once you’ve discovered it. However, it’s better to prevent the attack in the first place. Credential Guard protects against malicious attacks by creating an isolated LSASS process (LSAIso) that stores authentication data securely.

Why You Should Enable Credential Guard on Your PC

The security feature isolates login credentials from the rest of the system’s memory as well as the main process (lsass.exe) that handles authentication. So, it is essentially a black box.

You should use Credential Guard if you have several computers in a domain or workgroup. Why? An attacker who compromises a device with admin login credentials can compromise the entire network. Enabling this feature effectively prevents an attacker from getting total control of sensitive information if they compromise a system.

What Are Credential Guard’s System Requirements?

Windows Credential Guard is exclusive to the Enterprise and Education versions of Windows 10 and 11. Recent versions of Windows Servers also have this security feature, but the device must meet strict hardware and software requirements.

For starters, the device must have a 64-bit CPU (to support virtualization-based security) and secure boot. Microsoft’s Credential Guard requirements also recommend having Trusted Platform Module (TPM) versions 1.2 or 2.0 and UEFI lock (to prevent attackers from bypassing the security setup with regedit).

How to Enable Credential Guard on Windows

If your computer or server meets Microsoft’s baseline requirements, Credential Guard will be enabled by default. To check if this security feature is already enabled,

If Credential Guard is not enabled on your computer, you can enable the feature in three main ways: through Group Policy, by editing the Windows Registry, or by using Microsoft Intune. There’s also the option to enable Credential Guard with UEFI lock if you’re a power user. Most admins will find enabling this feature easier with Group Policy.

How to Disable Credential Guard on Windows

Despite its usefulness in preventing credential stealing and Pass the Hash attacks, Credential Guard will cause some services and protocols to break. For instance, enabling the security feature prevents you from using Windows To Go, Kerberos unconstrained delegation, and DES encryption.

Also, you cannot use third-party Security Support Providers (SSPs) because they are vulnerable to credential stealing attacks. Wi-Fi and VPN endpoints based on MS-CHAPv2 are equally vulnerable and will be disabled when you enable Credential Guard.

If you need some of the aforementioned features, it’s possible to disable Credential Guard for however long you need. But be sure to set a reminder to re-enable it.

Disabling With Group Policy Editor

Your first option is to disable Credential Guard by changing the Group Policy settings.

To do this, press Start and type “gpedit”, then select Edit Group Policy. Go to Computer Configuration > Administrative Templates > System > Device Guard > Turn on Virtualization Based Security > Options. Set “Credential Guard Configuration” to Disabled, click OK to save the change, and then restart your computer.

Disabling With Regedit

This option is great if you have enabled Defender Credential Guard using a different method from UEFI Lock and Group Policy. To disable Credential Guard with Regedit, press Start and type “regedit”. Select Registry Editor. First, navigate to the registry path HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags and set the value to “0”.

Next, navigate back to HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard\LsaCfgFlags and set the value to “0”.

It’s also possible to follow Microsoft’s instructions for disabling Credential Guard with UEFI lock or disabling the security feature on a virtual machine.
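
To confirm what a machine is actually doing, both for the status check mentioned under “How to Enable Credential Guard on Windows” and after the registry change above, the following added example (not from the original article or from Microsoft) compares the configured LsaCfgFlags values with the running state. The function name Get-CredentialGuardStatus is hypothetical; the Win32_DeviceGuard class and the meanings of flag values 0, 1 and 2 are not on this page and are taken from Microsoft’s Device Guard documentation.

```powershell
# Added example: read-only audit of Credential Guard configuration vs. running state.
# Get-CredentialGuardStatus is a hypothetical helper name, not a built-in cmdlet.
function Get-CredentialGuardStatus {
    [CmdletBinding()]
    param()

    # Registry locations named in the article; the value in both is LsaCfgFlags.
    $paths = [ordered]@{
        Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    }
    $meaning = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without lock' }

    $configured = @{}
    foreach ($key in $paths.Keys) {
        $item = Get-ItemProperty -Path $paths[$key] -Name LsaCfgFlags -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            $configured[$key] = 'Not set'
        } else {
            $flag = [int]$item.LsaCfgFlags
            $configured[$key] = if ($meaning.ContainsKey($flag)) { $meaning[$flag] } else { "Unknown ($flag)" }
        }
    }

    # Win32_DeviceGuard reports what is actually running after boot.
    # SecurityServicesRunning contains 1 when Credential Guard is active.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $running = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

    # The isolated process (LSAIso) is present while Credential Guard runs.
    $lsaIso = $null -ne (Get-Process -Name LsaIso -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        LsaSetting             = $configured['Lsa']
        PolicySetting          = $configured['Policy']
        VbsStatus              = if ($dg) { $dg.VirtualizationBasedSecurityStatus } else { 'Unavailable' }
        CredentialGuardRunning = $running
        LsaIsoProcess          = $lsaIso
        # True when a registry value says "Disabled" but the service still runs:
        # typically a restart is pending, or a UEFI lock is keeping it on.
        DisabledButRunning     = $running -and ($configured.Values -contains 'Disabled')
    }
}

Get-CredentialGuardStatus | Format-List
```

The function only reads state and changes nothing, so it can be run before and after a restart to see whether a configuration change has taken effect.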

Enabling Credential Guard Is Only a Prevention

The rule of thumb is to install a fence around your garden before planting, especially if you live in an area with livestock on free roam. That fence would be useless if you already have goats on your property—in which case, you’d need to chase them out.

The same principle applies to safeguarding your sensitive login data. When enabled, Credential Guard prevents hackers from stealing your data. However, it would be ineffective if the attacker has already established themselves in your network or compromised the device. So, if you decide to use this security feature on a new work computer, make sure it’s enabled before the computer joins the Windows domain or workgroup.
