Introduction to Credential Guard

Credential Guard is a Windows 10/Server 2019 virtualization-based security feature that isolates credential storage from the main operating system. Traditionally, the Local Security Authority Subsystem Service (LSASS) stores and manages credentials, including NTLM password hashes, Kerberos tickets and, in some configurations, cleartext passwords. An attacker who gains kernel-level access or compromises LSASS can harvest these credentials for pass-the-hash, pass-the-ticket and similar attacks. Credential Guard moves the credential store into a separate, hardware-isolated virtual machine called the Isolated LSA, which runs at a higher trust level than the OS kernel, so even a compromised kernel cannot read the credentials. This tutorial covers enabling and verifying Credential Guard on Windows Server 2019.

Hardware Requirements

Credential Guard requires specific hardware features: 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V), SLAT (Second Level Address Translation—Intel EPT or AMD RVI), UEFI firmware version 2.3.1 or later with Secure Boot enabled, and TPM version 1.2 or 2.0 (strongly recommended for full protection). The server must be able to run Hyper-V. Verify these requirements before attempting to enable Credential Guard.

# Check virtualization extensions
(Get-WmiObject -Class Win32_Processor).VirtualizationFirmwareEnabled

# Check Hyper-V support
Get-WindowsOptionalFeature -FeatureName Microsoft-Hyper-V -Online

# Check TPM status
Get-Tpm | Select-Object TpmPresent, TpmReady, TpmEnabled, TpmActivated, ManagedAuthLevel
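The three one-liners above answer the questions separately. The following function, an added example that is not part of the original tutorial, folds the hardware and firmware prerequisites into one report and marks which checks are hard requirements versus recommended. The function name is an assumption; the cmdlets and CIM properties it reads (Win32_Processor, Win32_ComputerSystem, Confirm-SecureBootUEFI, Get-Tpm, the firmware_type environment variable) are standard on Windows Server 2016 and later.

```powershell
# Added example, not from the original tutorial. Function name is an assumption;
# the cmdlets and CIM properties it reads are standard on Windows Server 2016+/Windows 10.
function Test-CredentialGuardPrerequisites {
    [CmdletBinding()]
    param()

    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems and when run without
    # elevation; either way Secure Boot cannot be confirmed, so record it as failed.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # Get-Tpm throws when the TPM stack is unavailable; treat that as "no usable TPM".
    $tpmPresent = $false
    $tpmReady   = $false
    try {
        $tpm = Get-Tpm -ErrorAction Stop
        $tpmPresent = [bool]$tpm.TpmPresent
        $tpmReady   = [bool]$tpm.TpmReady
    } catch { }

    # Required = hard prerequisite for VBS/Credential Guard; the TPM is recommended, not mandatory.
    $checks = @(
        [ordered]@{ Check = '64-bit OS';                      Required = $true;  Passed = ($os.OSArchitecture -like '64*') }
        [ordered]@{ Check = 'UEFI firmware';                  Required = $true;  Passed = ($env:firmware_type -eq 'UEFI') }
        [ordered]@{ Check = 'Secure Boot enabled';            Required = $true;  Passed = $secureBoot }
        [ordered]@{ Check = 'VT-x/AMD-V enabled in firmware'; Required = $true;  Passed = [bool]$cpu.VirtualizationFirmwareEnabled }
        [ordered]@{ Check = 'SLAT (EPT/RVI)';                 Required = $true;  Passed = [bool]$cpu.SecondLevelAddressTranslationExtensions }
        [ordered]@{ Check = 'TPM present';                    Required = $false; Passed = $tpmPresent }
        [ordered]@{ Check = 'TPM ready';                      Required = $false; Passed = $tpmReady }
    )
    foreach ($c in $checks) { [pscustomobject]$c }

    # Caveat: once Hyper-V or VBS is already active, Windows itself runs inside a partition
    # and Win32_Processor may report VirtualizationFirmwareEnabled = False even though the
    # CPU supports it. HypervisorPresent = True tells you that this is the situation.
    if ($cs.HypervisorPresent) {
        Write-Warning 'A hypervisor is already present (Hyper-V/VBS active, or this is a VM); the firmware virtualization check may read False for that reason alone.'
    }
}

# Usage: list every check, then flag the required ones that failed.
$report  = Test-CredentialGuardPrerequisites
$report | Format-Table Check, Required, Passed -AutoSize
$missing = $report | Where-Object { $_.Required -and -not $_.Passed }
if ($missing) { Write-Warning ('Missing required prerequisites: ' + ($missing.Check -join ', ')) }
else          { Write-Host 'All required prerequisites present.' }
```

Run it elevated: Confirm-SecureBootUEFI and Get-Tpm both need administrator rights, and a non-elevated run will report Secure Boot and TPM as failed even on a compliant server.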

Checking Current Virtualization-Based Security Status

Before enabling Credential Guard, check what VBS (Virtualization-Based Security) features are currently active. The msinfo32 tool shows VBS status, or you can query via PowerShell.

msinfo32

In System Information, look for “Virtualization-based security” and “Credential Guard” rows. PowerShell query:

Get-WmiObject -Namespace root\Microsoft\Windows\DeviceGuard `
    -Class Win32_DeviceGuard |
    Select-Object VirtualizationBasedSecurityStatus,
                  AvailableSecurityProperties,
                  SecurityServicesConfigured,
                  SecurityServicesRunning,
                  CodeIntegrityPolicyEnforcementStatus

SecurityServicesRunning value 1 = Credential Guard running. SecurityServicesConfigured value 1 = Credential Guard configured.
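The Win32_DeviceGuard properties are arrays of numeric codes, which is why the page checks for "containing value 1" rather than equality. The function below, an added example rather than code from the original tutorial, decodes each array into names so a reviewer can read the status without a lookup table. The function and variable names are assumptions; the code-to-name mappings are those documented by Microsoft for Win32_DeviceGuard, and any code the mapping does not know (newer builds add values) is shown as Unknown (n) rather than dropped.

```powershell
# Added example, not from the original tutorial. Function and variable names are assumptions;
# the code-to-name mappings follow Microsoft's documentation of the Win32_DeviceGuard class.
function Get-DeviceGuardStatusReport {
    [CmdletBinding()]
    param()

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # AvailableSecurityProperties / RequiredSecurityProperties codes
    $propertyNames = @{
        0 = 'None'; 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
        4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
        7 = 'Mode Based Execution Control'
    }
    # SecurityServicesConfigured / SecurityServicesRunning codes
    $serviceNames = @{
        0 = 'None'; 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced Code Integrity (HVCI)'
        3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement'
    }
    $vbsStates = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
    $ciStates  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

    # Turn an array of numeric codes into a readable list; unknown codes are kept visible.
    function Decode([object[]]$codes, [hashtable]$map) {
        $names = foreach ($code in @($codes | Where-Object { $null -ne $_ })) {
            if ($map.ContainsKey([int]$code)) { $map[[int]$code] } else { "Unknown ($code)" }
        }
        if ($names) { $names -join ', ' } else { 'None' }
    }

    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableSecurityProperties = Decode $dg.AvailableSecurityProperties $propertyNames
        RequiredSecurityProperties  = Decode $dg.RequiredSecurityProperties  $propertyNames
        SecurityServicesConfigured  = Decode $dg.SecurityServicesConfigured  $serviceNames
        SecurityServicesRunning     = Decode $dg.SecurityServicesRunning     $serviceNames
        CredentialGuardConfigured   = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = [bool]($dg.SecurityServicesRunning    -contains 1)
        CodeIntegrityEnforcement    = $ciStates[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    }
}

Get-DeviceGuardStatusReport | Format-List
```

The distinction between CredentialGuardConfigured and CredentialGuardRunning is the one to watch: a server that is configured but not running usually has a reboot pending or is missing one of the RequiredSecurityProperties (for example DMA protection when the policy demands it), and the decoded Available versus Required lists show which one.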

Enabling Credential Guard via Group Policy

Enable Credential Guard through Group Policy, which is the recommended method for domain-wide deployment. Create a GPO and navigate to Computer Configuration > Policies > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security.

Enable the policy and configure: Select Platform Security Level = Secure Boot and DMA Protection. Credential Guard Configuration = Enabled with UEFI lock (cannot be disabled without UEFI access, most secure) or Enabled without lock (can be disabled via Group Policy, easier to manage). Virtualization Based Protection of Code Integrity = Enabled with UEFI lock.

Enabling Credential Guard via Registry

Configure Credential Guard settings directly in the registry. This method is useful for testing or scripted deployment. The VBS settings go in the DeviceGuard key at HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard, and the Credential Guard flag itself (LsaCfgFlags) goes in the neighbouring Lsa key.

# Enable VBS (required for Credential Guard)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 1 -Type DWord

# Require Secure Boot (1) or Secure Boot and DMA Protection (3)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "RequirePlatformSecurityFeatures" -Value 3 -Type DWord

# Enable Credential Guard: 0=disabled, 1=enabled with UEFI lock, 2=enabled without lock, 3=not configured
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LsaCfgFlags" -Value 1 -Type DWord

After setting these registry values, restart the server. Credential Guard initializes during the next boot.
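For scripted deployment it is worth separating "audit" from "apply": compare the three values against the intended configuration, report drift, and only write when asked to. The function below is an added example, not code from the original tutorial; its name and parameters are assumptions, while the registry paths and value names are the ones used in the commands above.

```powershell
# Added example, not from the original tutorial. The function name and parameters are
# assumptions; the registry paths and value names are the ones used in the commands above.
function Test-CredentialGuardRegistryConfig {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # UefiLock -> LsaCfgFlags = 1, NoLock -> LsaCfgFlags = 2
        [ValidateSet('UefiLock', 'NoLock')] [string]$LockMode = 'UefiLock',
        # 1 = Secure Boot only, 3 = Secure Boot and DMA protection
        [ValidateSet(1, 3)] [int]$PlatformSecurityFeatures = 3,
        # Write the desired values where they differ (honours -WhatIf / -Confirm)
        [switch]$Remediate
    )

    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $desired = @(
        @{ Path = $dgKey;  Name = 'EnableVirtualizationBasedSecurity'; Value = 1 }
        @{ Path = $dgKey;  Name = 'RequirePlatformSecurityFeatures';   Value = $PlatformSecurityFeatures }
        @{ Path = $lsaKey; Name = 'LsaCfgFlags';                       Value = $(if ($LockMode -eq 'UefiLock') { 1 } else { 2 }) }
    )

    foreach ($d in $desired) {
        # A missing value is reported as $null, which counts as drift.
        $item    = Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue
        $actual  = if ($item) { $item.($d.Name) } else { $null }
        $inState = ($null -ne $actual) -and ([int]$actual -eq $d.Value)

        if (-not $inState -and $Remediate -and
            $PSCmdlet.ShouldProcess("$($d.Path)\$($d.Name)", "Set DWORD to $($d.Value)")) {
            if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
            Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
            $actual  = $d.Value
            $inState = $true
        }

        [pscustomobject]@{
            Path = $d.Path; Name = $d.Name; Desired = $d.Value; Actual = $actual; InDesiredState = $inState
        }
    }
}

# Usage: audit first, then preview the changes, then apply them and reboot.
Test-CredentialGuardRegistryConfig | Format-Table -AutoSize
Test-CredentialGuardRegistryConfig -Remediate -WhatIf
# Test-CredentialGuardRegistryConfig -Remediate; Restart-Computer
```

Two caveats when using this for drift detection: the values describe what the next boot will do, not what is running now (pair it with the Win32_DeviceGuard query for that), and on a machine already carrying a UEFI lock, a registry value that drifts back to 0 does not weaken the running configuration, which is exactly the point of the lock.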

Enabling Credential Guard via UEFI Lock (Strongest)

For maximum protection, use the Device Guard and Credential Guard hardware readiness tool to enable Credential Guard with UEFI lock. This stores the configuration in UEFI firmware, preventing it from being bypassed even with registry access or by booting from external media.

# Download the DG_Readiness_Tool from Microsoft, then run it from the folder it was saved to
# to enable Credential Guard with UEFI lock and reboot automatically
.\DG_Readiness_Tool_v3.6.ps1 -Enable -AutoReboot

Verifying Credential Guard is Running

After rebooting, verify that Credential Guard is active. The Isolated LSA process (lsaiso.exe) should be visible in Task Manager, and the WMI query should show SecurityServicesRunning containing value 1.

# Check if lsaiso.exe is running (Isolated LSA)
Get-Process -Name lsaiso -ErrorAction SilentlyContinue

# WMI check for running security services
$dg = Get-WmiObject -Namespace root\Microsoft\Windows\DeviceGuard -Class Win32_DeviceGuard
if ($dg.SecurityServicesRunning -contains 1) {
    Write-Host "Credential Guard is RUNNING" -ForegroundColor Green
} else {
    Write-Host "Credential Guard is NOT running" -ForegroundColor Red
}
Write-Host "VBS Status: $($dg.VirtualizationBasedSecurityStatus)"
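The check above is for one server at the console. For domain controllers and privileged access workstations you normally want the same verdict for a whole list of hosts, collected remotely and returned as objects you can filter or export. The function below is an added example that is not part of the original tutorial; the function name is an assumption, the host names in the usage line are placeholders, and it requires WinRM (CIM over WS-Man) access to each server.

```powershell
# Added example, not from the original tutorial. Function name is an assumption; host names in
# the usage line are placeholders. Requires WinRM (CIM over WS-Man) access to each server.
function Get-CredentialGuardFleetStatus {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string[]]$ComputerName)

    foreach ($computer in $ComputerName) {
        $session = $null
        try {
            $session = New-CimSession -ComputerName $computer -ErrorAction Stop
            $dg = Get-CimInstance -CimSession $session -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                                  -ClassName Win32_DeviceGuard -ErrorAction Stop
            # Same signal as the local Get-Process check: the Isolated LSA process must exist.
            $lsaiso = Get-CimInstance -CimSession $session -ClassName Win32_Process `
                                      -Filter "Name = 'lsaiso.exe'" -ErrorAction Stop

            $configured = [bool]($dg.SecurityServicesConfigured -contains 1)
            $running    = [bool]($dg.SecurityServicesRunning    -contains 1)
            # ConfiguredNotRunning usually means a reboot is pending or a prerequisite is missing.
            $verdict = if ($running -and $lsaiso) { 'OK' } elseif ($configured) { 'ConfiguredNotRunning' } else { 'NotConfigured' }

            [pscustomobject]@{
                ComputerName = $computer; Reachable = $true
                VbsStatus    = [int]$dg.VirtualizationBasedSecurityStatus
                CredentialGuardConfigured = $configured
                CredentialGuardRunning    = $running
                LsaIsoProcess = [bool]$lsaiso
                Verdict = $verdict; Error = $null
            }
        } catch {
            [pscustomobject]@{
                ComputerName = $computer; Reachable = $false; VbsStatus = $null
                CredentialGuardConfigured = $null; CredentialGuardRunning = $null
                LsaIsoProcess = $null; Verdict = 'Unreachable'; Error = $_.Exception.Message
            }
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
}

# Usage (placeholder host names): list everything that is not OK for follow-up.
Get-CredentialGuardFleetStatus -ComputerName 'DC01', 'DC02', 'PAW01' |
    Where-Object Verdict -ne 'OK' |
    Format-Table ComputerName, Verdict, VbsStatus, Error -AutoSize
```

An Unreachable row is worth keeping in the output rather than dropping: a host that cannot be queried cannot be shown to be protected, and it belongs on the same follow-up list as a host that reports NotConfigured.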

Incompatibilities and Limitations

Credential Guard has several important compatibility limitations. It is incompatible with: Hyper-V virtual machines (cannot run Credential Guard inside a VM unless the VM has nested virtualization and proper configuration), certain smart card middleware, some TPM-based attestation features when combined with other VBS features, and Digest authentication. Additionally, once Credential Guard is enabled with UEFI lock, disabling it requires UEFI firmware access and is a complex process. Review all applications for compatibility before enabling in production.

# Check if running in a VM (Credential Guard requires bare metal for full protection)
(Get-WmiObject Win32_ComputerSystem).Model
(Get-WmiObject Win32_ComputerSystem).HypervisorPresent

Disabling Credential Guard (Without UEFI Lock)

If Credential Guard was enabled without UEFI lock and needs to be disabled (for compatibility troubleshooting), set the registry value to 0 and restart.

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
    -Name "LsaCfgFlags" -Value 0 -Type DWord

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableVirtualizationBasedSecurity" -Value 0 -Type DWord

# Restart required
Restart-Computer -Force

Conclusion

Credential Guard on Windows Server 2019 provides hardware-enforced protection for credentials that is virtually impossible to bypass without physical access to the UEFI firmware. By moving the credential store into a virtualization-based security enclave, Credential Guard prevents even a fully compromised OS from reading NTLM hashes and Kerberos tickets, eliminating the most damaging credential-harvesting attacks. Enable Credential Guard on all domain controllers and privileged access workstations as part of a comprehensive privileged access strategy, and always test compatibility with your specific applications before production deployment.