Using Windows Defender Credential Guard and HVCI correctly
Windows Defender Credential Guard is a credential protection feature available on Windows 10 and Windows Server 2016/2019. Once attackers have gained a foothold in the network, user credentials are at risk of being compromised unless further protection mechanisms are in place. Microsoft has built technologies into Windows 10 and Windows Server 2016/2019 that use Hyper-V features to improve the security of computers while they are running.
Getting started with virtualization-based security in Windows 10 and Windows Server 2016/2019.
Windows Defender Credential Guard is designed to prevent such credential theft. In Windows 10 and Windows Server 2016/2019, virtualization technologies are used to create an isolated VM for Windows Defender Credential Guard; the data in this VM is only available to verified processes. The purpose of the technology is to lock down credentials securely. Once it is enabled, an attacker can no longer grab credentials from the system, and the system reliably protects against pass-the-hash or pass-the-ticket attacks.
Pass-the-hash (PtH) attacks are advanced password attacks against the network. They affect Windows systems in general, including those joined to Active Directory. PtH attacks do not target the passwords themselves but the hashes that are generated in Active Directory after a user authenticates. To protect Windows networks from these attacks, technologies such as Windows Defender Credential Guard and Hypervisor-Protected Code Integrity are used.
Check readiness for Windows Defender Credential Guard
The technology can be enabled with the “HVCI and Windows Defender Credential Guard hardware readiness tool”, a PowerShell script that is also available in the Microsoft Download Center. On German systems, the readiness tool sometimes returns errors; in that case, the script has to be checked for incorrect names.
The script checks whether the server is compatible with the use of Windows Defender Credential Guard and Hypervisor-Protected Code Integrity (HVCI). This requires a TPM chip and an up-to-date UEFI. On most servers, both technologies should work. Windows Defender Credential Guard-protected computers must also be booted with Secure Boot.
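The readiness tool performs a broad compatibility check; the following PowerShell function is an added example (not the Microsoft readiness tool and not code from the article) that reproduces the prerequisites named above on the local machine: UEFI firmware, Secure Boot, a TPM, and the CPU features Hyper-V needs. It uses only built-in cmdlets (Confirm-SecureBootUEFI, Get-Tpm, Get-ComputerInfo) and the Win32_DeviceGuard WMI class; the function name Test-VbsPrerequisites is my own. Run it in an elevated PowerShell session.

```powershell
# Added example: local prerequisite check for Credential Guard / HVCI.
# Requires an elevated session; built-in modules SecureBoot and TrustedPlatformModule.
function Test-VbsPrerequisites {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # Legacy BIOS cannot provide Secure Boot; firmware_type is set by Windows on UEFI boots
    $result.UefiFirmware = ($env:firmware_type -eq 'UEFI')

    # Confirm-SecureBootUEFI throws on systems without UEFI Secure Boot support
    try { $result.SecureBoot = [bool](Confirm-SecureBootUEFI) }
    catch { $result.SecureBoot = $false }

    # TPM presence and readiness (Get-Tpm fails when no TPM driver is loaded)
    try {
        $tpm = Get-Tpm
        $result.TpmPresent = $tpm.TpmPresent
        $result.TpmReady   = $tpm.TpmReady
    } catch {
        $result.TpmPresent = $false
        $result.TpmReady   = $false
    }

    # CPU/firmware features Hyper-V needs (VT-x/AMD-V enabled, SLAT, DEP, VMX).
    # Note: these properties are empty once the Hyper-V role is already installed.
    $ci = Get-ComputerInfo -Property HyperV*
    $result.VirtualizationEnabledInFirmware = $ci.HyperVRequirementVirtualizationFirmwareEnabled
    $result.Slat                            = $ci.HyperVRequirementSecondLevelAddressTranslation
    $result.Dep                             = $ci.HyperVRequirementDataExecutionPreventionAvailable
    $result.VmMonitorModeExtensions         = $ci.HyperVRequirementVMMonitorModeExtensions

    # Platform security properties the firmware exposes, as numbered by Win32_DeviceGuard:
    # 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection, 4 = secure memory overwrite,
    # 5 = UEFI code read-only, 6 = SMM security mitigations, 7 = mode-based execution control
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $result.AvailableSecurityProperties = ($dg.AvailableSecurityProperties -join ',')

    # Minimum set for Credential Guard: UEFI + Secure Boot + hypervisor support (property 1)
    $result.MeetsMinimum = $result.UefiFirmware -and $result.SecureBoot -and
                           ($dg.AvailableSecurityProperties -contains 1)

    [pscustomobject]$result
}

Test-VbsPrerequisites | Format-List
```

A machine that reports MeetsMinimum as False should not be switched on via Group Policy yet; the per-property output shows which prerequisite (firmware mode, Secure Boot, TPM, or a disabled virtualization extension) needs attention first.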
In addition to Windows servers, Windows Defender Credential Guard can also be used on workstations. This makes sense on computers where employees work with particularly sensitive data or where the credentials have extensive permissions in Active Directory.
Windows Defender Credential Guard and Hypervisor-Protected Code Integrity (HVCI) rely on technologies from Hyper-V. For this reason, Hyper-V must be available on the protected computers and the computers must be compatible with Hyper-V.
Enable Windows Defender Credential Guard
To enable Windows Defender Credential Guard in Windows 10, the two features “Hyper-V Hypervisor” (under “Hyper-V\Hyper-V Platform”) and “Isolated User Mode” must be installed via the optional features (optionalfeatures.exe). This is not necessary when the feature is enabled via Group Policy: after that activation, Windows 10 computers install the necessary features automatically.
In Group Policy, these settings can be found at “Computer Configuration\Administrative Templates\System\Device Guard”. The “Enable virtualization-based security” option controls the protection, and several sub-options are available in the policy. Successful activation can be verified in the system information (msinfo32.exe) under “System Summary”: the activated services are listed in the lower area under “virtualization-based security”.
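For computers that are not managed by Group Policy, the same settings can be written directly to the registry values the policy sets, and the state shown by msinfo32 can be read from the Win32_DeviceGuard class. The following is an added example, not code from the article or from Microsoft; the function names Enable-CredentialGuardRegistry and Get-VbsStatus are my own, while the registry paths, value names and the numeric codes of Win32_DeviceGuard are the documented ones. A reboot is required before the new state is reported as running.

```powershell
# Added example: mirror the "Enable virtualization-based security" policy in the registry
# and read back the state msinfo32 shows under "virtualization-based security".
# Requires an elevated session and a reboot to take effect.
function Enable-CredentialGuardRegistry {
    param(
        # RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection
        [ValidateSet(1, 3)] [int] $PlatformSecurityLevel = 1,
        # LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock (can be undone remotely)
        [ValidateSet(1, 2)] [int] $CredentialGuardMode = 2
    )
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey  -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    Set-ItemProperty -Path $dgKey  -Name RequirePlatformSecurityFeatures -Value $PlatformSecurityLevel -Type DWord
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $CredentialGuardMode -Type DWord
    Write-Host 'Credential Guard configured; restart the computer to start the VBS environment.'
}

function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    # Numeric codes used by SecurityServicesConfigured / SecurityServicesRunning
    $services = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
    # VirtualizationBasedSecurityStatus codes
    $vbs = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

    [pscustomobject]@{
        VbsStatus              = $vbs[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = ($dg.SecurityServicesConfigured | ForEach-Object { $services[[int]$_] }) -join ', '
        ServicesRunning        = ($dg.SecurityServicesRunning    | ForEach-Object { $services[[int]$_] }) -join ', '
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
    }
}

# Typical sequence: configure, reboot, then verify on the next logon
# Enable-CredentialGuardRegistry -PlatformSecurityLevel 1 -CredentialGuardMode 2
Get-VbsStatus | Format-List
```

The difference between ServicesConfigured and ServicesRunning is the useful signal: a service that is configured but not running after a reboot usually means a prerequisite from the readiness check (Secure Boot, hypervisor support) is missing on that machine, which is also what the readiness tool and msinfo32 would report.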
Core isolation: Hypervisor-Protected Code Integrity
Hypervisor-Protected Code Integrity uses virtualization technologies from Hyper-V to protect the Windows kernel. When the feature is enabled, it can sometimes cause error messages when updating Windows 10 or installing applications. Problems arise especially quickly when a new Windows 10 version is installed while kernel isolation is active. In this case, the easiest approach is to turn the isolation off and re-enable it after the Windows installation, once all drivers are up to date.
The protection can be configured in the Windows 10 app “Windows Security”. It can be found via “Device Security” under “Core Isolation Details”. The protection can be activated and deactivated here. If incompatible drivers are used on the system, the protection cannot be activated. The Windows Security app displays the incompatible drivers with the link “Check incompatible drivers”.
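The temporary off/on cycle described above can also be scripted, which is handy when rolling a feature update to many machines. The following is an added example, not code from the article or from the Windows Security app; the function names Set-HvciEnabled and Get-HvciState are my own, while the registry key and the Enabled/Locked values are the documented ones that the app and the policy write. It refuses to disable HVCI when the UEFI lock is set, because in that state the value cannot be changed from within the operating system.

```powershell
# Added example: toggle Core Isolation / HVCI via its registry scenario key and report its state.
# Requires an elevated session; a reboot is needed after each change.
function Set-HvciEnabled {
    param([Parameter(Mandatory)] [bool] $Enabled)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $key -Force | Out-Null

    # Locked = 1 means the setting is protected by UEFI and cannot be turned off from Windows
    $locked = (Get-ItemProperty -Path $key -Name Locked -ErrorAction SilentlyContinue).Locked
    if ($locked -eq 1 -and -not $Enabled) {
        throw 'HVCI is UEFI-locked on this machine; it cannot be disabled from the operating system.'
    }

    Set-ItemProperty -Path $key -Name Enabled -Value ([int]$Enabled) -Type DWord
    Write-Host ("HVCI {0}; restart the computer to apply the change." -f $(if ($Enabled) { 'enabled' } else { 'disabled' }))
}

function Get-HvciState {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'
    $cfg = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

    [pscustomobject]@{
        ConfiguredInRegistry = ($cfg.Enabled -eq 1)
        UefiLocked           = ($cfg.Locked -eq 1)
        # Service code 2 in SecurityServicesRunning is HVCI
        Running              = ($dg.SecurityServicesRunning -contains 2)
    }
}

# Before a feature update:  Set-HvciEnabled -Enabled $false   (then reboot and install)
# After drivers are current: Set-HvciEnabled -Enabled $true    (then reboot)
Get-HvciState | Format-List
```

When re-enabling fails because of an incompatible driver, the Windows Security app remains the place to see which driver is blocking it; this script only reports whether HVCI is configured and whether it is actually running after the reboot.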