How to Set Up Windows Server 2016 Credential Guard
Credential Guard is a Windows Server 2016 virtualization-based security (VBS) feature that protects Windows credential hashes and Kerberos tickets from theft. It uses hardware virtualization to move the credential-handling part of the Local Security Authority Subsystem Service (LSASS), the isolated LSA process LsaIso.exe, into a separate, secure execution environment alongside the Secure Kernel, so that malware running in the normal OS cannot read the credential material, even with SYSTEM-level privileges. This prevents attacks such as Pass-the-Hash and Pass-the-Ticket.
Prerequisites
- 64-bit CPU with SLAT (Second Level Address Translation) support.
- CPU virtualization extensions (Intel VT-x or AMD-V) enabled in BIOS/UEFI.
- UEFI firmware (not legacy BIOS) with Secure Boot enabled.
- Windows Server 2016 Standard or Datacenter edition.
- Hyper-V hypervisor layer (Credential Guard runs on top of the Hyper-V hypervisor even on physical hardware).
- TPM version 2.0 recommended for binding to hardware.
Step 1: Verify Prerequisites
# Check that a hypervisor is present and read the Device Guard/VBS properties reported by the OS
Get-ComputerInfo | Select-Object HyperVisorPresent, DeviceGuardSmartStatus, DeviceGuardRequiredSecurityProperties, DeviceGuardAvailableSecurityProperties
Run the Device Guard and Credential Guard Hardware Readiness Tool from the directory it was downloaded to (-Ready reports whether the hardware meets the requirements):
.\DG_Readiness_Tool_v3.6.ps1 -Ready
Step 2: Enable Credential Guard via Group Policy
Navigate to:
Computer Configuration > Administrative Templates > System > Device Guard > “Turn On Virtualization Based Security”
- Enable the policy.
- Select Platform Security Level: “Secure Boot and DMA Protection” (most secure) or “Secure Boot”.
- Under Credential Guard Configuration: Select “Enabled with UEFI lock” to prevent disabling without UEFI access.
Step 3: Enable Credential Guard via Registry (Without GPO)
# Credential Guard itself: LsaCfgFlags under the LSA key
$lsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
Set-ItemProperty -Path $lsaPath -Name "LsaCfgFlags" -Value 1 -Type DWord
# Virtualization-based security: the DeviceGuard key (created if it does not exist yet)
$vbsPath = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
New-Item -Path $vbsPath -Force | Out-Null
Set-ItemProperty -Path $vbsPath -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection
Set-ItemProperty -Path $vbsPath -Name "RequirePlatformSecurityFeatures" -Value 3 -Type DWord
LsaCfgFlags values: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
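The same registry configuration as a reusable function, added here as an example (it is not part of the original article). It takes the LsaCfgFlags and RequirePlatformSecurityFeatures codes as named options so the intent is visible in the call, supports -WhatIf, and refuses to "disable" a UEFI-locked configuration through the registry alone, since that value is also persisted in UEFI. The function and parameter names are this example's own.

```powershell
function Set-CredentialGuardRegistryConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disabled', 'EnabledWithUefiLock', 'EnabledWithoutUefiLock')]
        [string]$CredentialGuard,

        [ValidateSet('SecureBoot', 'SecureBootAndDma')]
        [string]$PlatformSecurity = 'SecureBootAndDma'
    )

    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $vbsPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'

    # LsaCfgFlags encoding: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without UEFI lock.
    $lsaCfgFlags = @{ Disabled = 0; EnabledWithUefiLock = 1; EnabledWithoutUefiLock = 2 }[$CredentialGuard]
    # RequirePlatformSecurityFeatures: 1 = Secure Boot only, 3 = Secure Boot and DMA protection.
    $platformFlags = @{ SecureBoot = 1; SecureBootAndDma = 3 }[$PlatformSecurity]

    $current = (Get-ItemProperty -Path $lsaPath -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    if ($CredentialGuard -eq 'Disabled' -and $current -eq 1) {
        # With the UEFI lock the setting is also stored in a UEFI variable, so clearing
        # the registry value by itself does not turn Credential Guard off.
        throw 'Credential Guard is enabled with UEFI lock; the registry alone cannot disable it.'
    }

    if ($PSCmdlet.ShouldProcess("$lsaPath\LsaCfgFlags", "set to $lsaCfgFlags")) {
        Set-ItemProperty -Path $lsaPath -Name LsaCfgFlags -Value $lsaCfgFlags -Type DWord
    }

    if ($CredentialGuard -eq 'Disabled') {
        if ((Test-Path $vbsPath) -and $PSCmdlet.ShouldProcess($vbsPath, 'disable VBS')) {
            Set-ItemProperty -Path $vbsPath -Name EnableVirtualizationBasedSecurity -Value 0 -Type DWord
        }
    } elseif ($PSCmdlet.ShouldProcess($vbsPath, "enable VBS with platform level $platformFlags")) {
        New-Item -Path $vbsPath -Force | Out-Null
        Set-ItemProperty -Path $vbsPath -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
        Set-ItemProperty -Path $vbsPath -Name RequirePlatformSecurityFeatures -Value $platformFlags -Type DWord
    }

    # Read the values back so the caller can record what was actually written.
    $vbs = Get-ItemProperty -Path $vbsPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LsaCfgFlags                       = (Get-ItemProperty -Path $lsaPath -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
        EnableVirtualizationBasedSecurity = $vbs.EnableVirtualizationBasedSecurity
        RequirePlatformSecurityFeatures   = $vbs.RequirePlatformSecurityFeatures
        RestartRequired                   = $true
    }
}

# Usage from an elevated prompt; drop -WhatIf to apply the change, then restart as in Step 4.
Set-CredentialGuardRegistryConfig -CredentialGuard EnabledWithUefiLock -PlatformSecurity SecureBootAndDma -WhatIf
```

Run it once with -WhatIf to see which values would be written, then without it; the returned object is convenient for recording the configuration in a change ticket before the restart.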
Step 4: Enable Hyper-V Hypervisor
Credential Guard requires the Hyper-V hypervisor even on physical machines. Install it without the full Hyper-V role:
Install-WindowsFeature -Name Hyper-V-Hypervisor
bcdedit /set hypervisorlaunchtype auto
Restart the server after enabling the hypervisor:
Restart-Computer
Step 5: Verify Credential Guard Is Running
After restart, verify Credential Guard status:
# CredentialGuard is listed in DeviceGuardSecurityServicesRunning once it is active
Get-ComputerInfo | Select-Object DeviceGuardSmartStatus, DeviceGuardSecurityServicesConfigured, DeviceGuardSecurityServicesRunning
Check via msinfo32:
msinfo32
Navigate to System Summary and look for “Virtualization-based security” and “Credential Guard” status.
Check the System event log:
# Events 13 (LsaIso.exe started) and 14 (its configuration flags) are logged by Wininit at boot
Get-WinEvent -LogName System | Where-Object { ($_.Id -in 13, 14) -and $_.Message -like "*LsaIso*" } | Select-Object -First 5
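The readiness check from Step 1 and the running check from Step 5 both read the same Win32_DeviceGuard WMI class that Get-ComputerInfo's DeviceGuard* properties come from, and both return numeric codes. The function below, added here as an example and not part of the original article, decodes those codes, compares the required properties against the available ones, and confirms the LsaIso process and its Wininit boot events. The function and field names are this example's own.

```powershell
function Get-CredentialGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Code tables documented for Win32_DeviceGuard.
    $propertyNames = @{
        1 = 'HypervisorSupport'; 2 = 'SecureBoot'; 3 = 'DMAProtection'; 4 = 'SecureMemoryOverwrite'
        5 = 'NXProtection'; 6 = 'SMMMitigations'; 7 = 'ModeBasedExecutionControl'; 8 = 'APICVirtualization'
    }
    $serviceNames = @{ 1 = 'CredentialGuard'; 2 = 'HVCI' }
    $vbsStatus    = @{ 0 = 'Disabled'; 1 = 'EnabledNotRunning'; 2 = 'Running' }

    # Translate an array of codes through a table, keeping unknown codes visible.
    $decode = {
        param($codes, $table)
        @($codes | ForEach-Object { if ($table.ContainsKey([int]$_)) { $table[[int]$_] } else { "Unknown($_)" } })
    }

    $available  = & $decode $dg.AvailableSecurityProperties $propertyNames
    $required   = & $decode $dg.RequiredSecurityProperties  $propertyNames
    $configured = & $decode $dg.SecurityServicesConfigured  $serviceNames
    $running    = & $decode $dg.SecurityServicesRunning     $serviceNames

    # Readiness (Step 1): every property the policy requires must be available on this hardware.
    $missing = @($required | Where-Object { $_ -notin $available })

    # Wininit logs event 13 when LsaIso.exe starts and 14 with its configuration flags.
    $lastEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 13, 14 } `
                              -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus                   = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableSecurityProperties = $available
        RequiredSecurityProperties  = $required
        MissingRequiredProperties   = $missing
        ServicesConfigured          = $configured
        ServicesRunning             = $running
        CredentialGuardRunning      = ($running -contains 'CredentialGuard')
        LsaIsoProcessPresent        = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
        LastLsaIsoEvent             = if ($lastEvent) { $lastEvent.Message } else { $null }
    }
}

Get-CredentialGuardState | Format-List
```

A healthy result after the restart shows VbsStatus Running, an empty MissingRequiredProperties list, CredentialGuardRunning True and an LsaIso process; CredentialGuard present in ServicesConfigured but absent from ServicesRunning usually means a required platform property (Secure Boot or DMA protection) is missing.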
Step 6: Disable Credential Guard (if needed)
If Credential Guard was enabled without UEFI lock, disable it via registry:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name "LsaCfgFlags" -Value 0 -Type DWord
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name "EnableVirtualizationBasedSecurity" -Value 0 -Type DWord
bcdedit /set hypervisorlaunchtype off
Restart-Computer
Step 7: Credential Guard Compatibility Considerations
Credential Guard is incompatible with the following scenarios:
- Hyper-V virtual machines cannot run Credential Guard (it requires direct hardware access). However, Shielded VMs provide an alternative for VM workloads.
- Digest Authentication is not supported with Credential Guard enabled.
- Unconstrained Kerberos delegation does not work; migrate to constrained or resource-based constrained delegation.
- Third-party security products that hook into LSASS may be incompatible.
Verify that no problematic security support providers (SSPs) are loaded into LSA. The LSA plug-in audit level setting controls logging of packages that would fail to load under LSA protection:
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig" -Name "AuditLevel" -ErrorAction SilentlyContinue
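A pre-flight check for two of the incompatibilities listed above, added here as an example and not part of the original article: it lists the security and authentication packages LSA is configured to load so that anything beyond the in-box set can be reviewed against the vendor's Credential Guard support statement, and, where the ActiveDirectory module is installed, lists accounts still configured for unconstrained delegation. The function name and the in-box package list are this example's own, not an official list.

```powershell
function Test-CredentialGuardCompatibility {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # Packages that ship with Windows (example's own list); anything else is a third-party
    # SSP or authentication package that hooks into LSASS and needs a compatibility check.
    $inbox = 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'negoexts', 'cloudap', 'negotiate'

    # Both values are REG_MULTI_SZ; entries may be quoted or empty on a default install.
    $packages = @($lsa.'Security Packages') + @($lsa.'Authentication Packages') |
        Where-Object { $_ } | ForEach-Object { $_.Trim('"').Trim() } | Where-Object { $_ }
    $thirdParty = @($packages | Where-Object { ((Split-Path $_ -Leaf) -replace '\.dll$') -notin $inbox })

    $adAvailable   = [bool](Get-Module -ListAvailable -Name ActiveDirectory)
    $unconstrained = @()
    if ($adAvailable) {
        Import-Module ActiveDirectory
        # TrustedForDelegation is the "trust for delegation to any service" flag, i.e. unconstrained
        # delegation. Domain controllers (primary group RID 516, RODCs 521) carry it by design.
        $unconstrained = @(
            Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties PrimaryGroupID |
                Where-Object { $_.PrimaryGroupID -notin 516, 521 }
            Get-ADUser -Filter { TrustedForDelegation -eq $true }
        ) | Select-Object -ExpandProperty SamAccountName
    }

    [pscustomobject]@{
        ConfiguredLsaPackages           = $packages
        ThirdPartyLsaPackages           = $thirdParty
        ActiveDirectoryModuleAvailable  = $adAvailable
        UnconstrainedDelegationAccounts = $unconstrained
        LsaPluginAuditLevel             = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig' `
                                              -Name AuditLevel -ErrorAction SilentlyContinue).AuditLevel
    }
}

Test-CredentialGuardCompatibility | Format-List
```

An empty ThirdPartyLsaPackages list and an empty UnconstrainedDelegationAccounts list mean the two checks passed; any account listed under UnconstrainedDelegationAccounts should be moved to constrained or resource-based constrained delegation before Credential Guard is enabled on the hosts it depends on.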
Summary
Credential Guard on Windows Server 2016 is one of the most effective protections against credential theft attacks. By isolating LSASS in a virtualization-based secure environment, it renders stolen password hashes and Kerberos tickets useless for lateral movement. Enabling it on privileged servers such as domain controllers and management hosts significantly raises the cost of credential-based attacks in your environment.