Credential Guard uses virtualization based security to protect information that could be used in credential theft if compromised. Windows Defender Credential Guard allows us to leverage virtualization-based security to isolate secrets, such as cached user credentials, in a special separate virtualized operating system. The special separate virtualized operating system is configured so that only specific processes and memory in the host operating system can access this secret data.

Windows Defender Credential Guard is primarily a response to pass-the-hash or pass-the-ticket attacks. Should a host that has Credential Guard be compromised by an attacker, that attacker won’t be able to successfully run a pass-the-has attach tool to extract cached credentials and then use them to access other computers on the network.

DoD STIG requires that Credential Guard must be running on Windows domain-joined systems. Also Credential Guard is primarily useful for Privileged Access Workstation(PAW).

Windows Credential Guard has the following requirements:
– Windows Server 2016 or later, or Windows 10 Enterprise or later
– UEFI firmware version 2.3.1 or higher
– Secure boot
-Intel VT-x or AMD-V virtualization extensions
– TPM 1.2 or 2.0

To enable Windows Credential Guard:
– Turn on Virtualization Based Security policy located in the
Computer Configuration\Administrative Templates\System\Device node of a GPO.
You must set the policy to Enabled, and then you must set the platform security level to either Secure Boot or Secure Boot And DMA protection.
– You need to set the Credential Guard Configuration option to Enabled with UEFI Lock or Enabled without Lock. If you select Enabled with UEFI Lock, Credential Guard cannot be remotely disable and can only be disabled by having someone with local Administrator privileges sing on and disable Credential Guard configuration locally. The Enabled Without UEFI Lock option allows Credential Guard to be remotely disabled.