What Is Windows Defender Credential Guard?


Updated on August 4, 2025

For cybersecurity professionals and Windows administrators, understanding Credential Guard is essential. It removes the raw material for the Pass-the-Hash and Pass-the-Ticket attacks that have plagued Active Directory environments for years by keeping NTLM hashes and Kerberos TGTs out of reach of code running in the normal operating system. Implementing it, however, requires careful planning because of specific hardware requirements and well-documented application compatibility issues.

This guide provides the technical depth you need to understand, implement, and troubleshoot Windows Defender Credential Guard in enterprise environments.

Definition and Core Concepts

Windows Defender Credential Guard is a security feature available in Windows 10 Enterprise/Education, Windows 11, and Windows Server 2016 and later. It uses virtualization-based security (VBS) to isolate sensitive authentication secrets from the rest of the operating system, so that they remain protected even if the OS kernel itself is compromised.

The feature changes where Windows keeps credential secrets. Instead of holding NTLM password hashes and Kerberos Ticket Granting Tickets (TGTs) in the memory of the Local Security Authority Subsystem Service (LSASS), which any code running as SYSTEM or in the kernel can read, Credential Guard keeps those secrets in an isolated environment. LSASS retains only encrypted references and must ask the isolated process to perform any operation that needs the secret.

Virtualization-Based Security (VBS)

VBS creates the foundation for Credential Guard’s protection. This technology establishes an isolated, secure environment called Virtual Secure Mode (VSM) that runs alongside the main Windows operating system. The Windows Hypervisor protects this environment, creating a boundary that even privileged kernel-mode code cannot cross.

Local Security Authority Components

The Local Security Authority (LSA) manages local security policies and authentication in Windows. Traditionally, the LSASS process handles all credential operations within the main operating system context. With Credential Guard enabled, Microsoft splits this functionality between two processes:

  • LSASS.exe: Continues to handle authentication requests in the main OS (Virtual Trust Level 0), but no longer holds the protected secrets in plaintext
  • LSAIso.exe: Runs as an isolated user-mode trustlet inside VSM (Virtual Trust Level 1) and holds the actual credential secrets

Protected Credential Types

Credential Guard specifically protects several types of authentication data:

  • NTLM Password Hashes: The NT hash of the user's password, which is all an attacker needs for NTLM authentication
  • Kerberos TGTs: The initial ticket (together with its session key) used to request service tickets from the KDC
  • Domain Credentials: Domain credentials saved through Windows Credential Manager, and the Kerberos long-term keys derived from the password

Credential Guard does not protect local account credentials or Microsoft account credentials; those rely on other protections.

Hardware Requirements

Credential Guard relies on specific hardware security features to establish its root of trust:

  • Secure Boot: A UEFI firmware feature that loads only signed, trusted components at startup. VBS requires it, since the hypervisor and secure kernel cannot be trusted if something tampered with the boot chain before they started
  • Trusted Platform Module (TPM): Recommended (version 1.2 or 2.0) rather than strictly required; it binds the keys that protect persisted VBS data to the measured platform state
  • IOMMU: Input/Output Memory Management Unit, exposed to Windows as DMA protection. Recommended, because without it a malicious PCIe device could read VBS memory directly, bypassing the hypervisor
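The following PowerShell script is an added example (not part of the original article) that checks a machine against these requirements before rollout. It reads the AvailableSecurityProperties list of the Win32_DeviceGuard WMI class, whose numeric codes are documented by Microsoft, and queries Secure Boot and TPM state through the built-in SecureBoot and TrustedPlatformModule modules. Run it in an elevated PowerShell session on the target machine; the text labels in the lookup table are this example's own wording.

```powershell
# Added example: Credential Guard platform readiness check (run elevated).
# The codes are the documented values of Win32_DeviceGuard.AvailableSecurityProperties.
$props = @{
    1 = 'Hypervisor support (virtualization extensions + SLAT)'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations'
    7 = 'Mode-based execution control (MBEC)'
}

$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$available = @($dg.AvailableSecurityProperties)

foreach ($code in ($props.Keys | Sort-Object)) {
    $state = if ($available -contains $code) { 'present' } else { 'MISSING' }
    '{0,-50} {1}' -f $props[$code], $state
}

# Secure Boot state straight from the firmware; the cmdlet throws on legacy BIOS systems
try   { 'Secure Boot enabled: ' + (Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { 'Secure Boot: not a UEFI system or query unsupported' }

# TPM presence and spec version (recommended, not strictly required, for Credential Guard)
$tpm = Get-Tpm
'TPM present: {0}, ready: {1}' -f $tpm.TpmPresent, $tpm.TpmReady
$tpmInfo = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpmInfo) { 'TPM spec version: ' + $tpmInfo.SpecVersion }

# Minimum bar: hypervisor support (1) and Secure Boot (2); DMA protection (3) is strongly recommended
$missing = (1, 2) | Where-Object { $available -notcontains $_ }
if ($missing) {
    Write-Warning ('Missing required platform properties: ' + ($missing -join ', '))
} elseif ($available -notcontains 3) {
    'Minimum requirements met, but no DMA protection: VBS memory is exposed to malicious DMA devices.'
} else {
    'Platform meets the Credential Guard requirements including DMA protection.'
}
```

A machine that reports property 1 and 2 as present but later shows Credential Guard configured and not running usually has virtualization disabled in firmware or a conflicting hypervisor; re-run this check after changing firmware settings rather than trusting the vendor spec sheet.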

How It Works

Credential Guard’s protection mechanisms operate through several interconnected systems that create multiple layers of security around sensitive credentials.

Virtualization-Based Isolation

When Credential Guard activates, the Windows Hypervisor creates Virtual Secure Mode alongside the normal Windows environment. This VSM operates as a separate, highly isolated execution context with its own memory space and processor resources.

The hypervisor enforces strict boundaries between VSM and the main operating system. Even code running with the highest privileges in Windows—including kernel drivers and the Windows kernel itself—cannot directly access VSM memory or processes.

Credential Relocation Process

With Credential Guard enabled, the secure kernel running in VSM starts LSAIso.exe at boot, before any user logs on. From then on, secrets that LSASS.exe would traditionally keep in its own memory are handed to LSAIso.exe, and LSASS keeps only encrypted references that are useless outside the isolated environment.

When a user authenticates or an application needs a credential, LSASS.exe calls LSAIso.exe over a narrow remote procedure call (RPC) interface that crosses the hypervisor boundary. The interface exposes operations (for example, computing an NTLM response, or performing the Kerberos cryptography that needs the TGT session key), never the key material itself, so a compromised LSASS can ask the isolated process to use a secret but cannot read it.

Hardware Root of Trust Implementation

Credential Guard leverages multiple hardware security features to establish and maintain its protective boundaries:

  • Secure Boot Process: The system firmware verifies digital signatures on all boot components, creating a chain of trust from the hardware up through the hypervisor and VBS environment. This prevents boot-time rootkits from compromising the system before Credential Guard initializes.
  • TPM Integration: The Trusted Platform Module stores cryptographic keys used by Credential Guard and measures platform integrity through Platform Configuration Registers (PCRs). Keys sealed to the TPM only become available when the platform integrity measurements match expected values.
  • IOMMU Memory Protection: The Input/Output Memory Management Unit prevents direct memory access attacks that might attempt to bypass the hypervisor’s memory protections by accessing VBS memory through hardware devices.

Attack Mitigation Mechanisms

Credential Guard specifically targets common post-exploitation attack techniques:

  • Pass-the-Hash Protection: Because NT hashes reside only in LSAIso.exe, credential dumping tools such as Mimikatz (sekurlsa::logonpasswords) that read LSASS.exe memory recover encrypted blobs instead of usable hashes.
  • Pass-the-Ticket Prevention: Kerberos TGTs held in VSM cannot be exported from LSASS memory by code running in the normal Windows environment, so a TGT cannot be stolen and replayed from another host.
  • Privileged Access Limitation: Neither administrative accounts nor kernel-mode drivers can read the protected store directly; every use of a secret goes through the controlled RPC interface.

The protection has clear limits that a practitioner should keep in mind. An attacker with SYSTEM on the host can still use the credentials of logged-on users for as long as their sessions exist, by driving LSASS, which can still request operations from LSAIso. Kerberos service tickets already obtained remain in LSASS memory, and the hashes of local accounts in the SAM are not covered at all.

Key Features and Components

Windows Defender Credential Guard incorporates several integrated features that work together to provide comprehensive credential protection.

Primary Protection Features

  • VBS-Based Credential Isolation: The core protection mechanism that physically separates credentials from the main operating system using hypervisor-enforced boundaries.
  • Hardware-Backed Security: Integration with platform security features including Secure Boot, TPM, and IOMMU to create multiple layers of protection against different attack vectors.
  • Credential Manager Protection: Domain credentials that users save in Windows Credential Manager (the "Windows Credentials" store) are protected as well; generic credentials saved there are not.

Management and Deployment

  • Group Policy Integration: Centralized configuration through Active Directory Group Policy Objects, allowing enterprise-wide deployment and management.
  • Microsoft Intune Support: Mobile Device Management integration for cloud-based configuration and monitoring of Credential Guard status.
  • Default Enablement: Automatic activation on Windows 11 Enterprise, version 22H2 and later, on hardware that meets the requirements. This reduces deployment work for new systems and is also the first thing to suspect when an application using an incompatible authentication method breaks after an upgrade.
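As an added example, not code from the article or from Microsoft, the script below writes the registry values Microsoft documents for enabling Credential Guard without Group Policy. They are the same settings the "Turn On Virtualization Based Security" policy (Computer Configuration > Administrative Templates > System > Device Guard) controls; the parameter names are this example's own. Run it elevated; a reboot is required.

```powershell
# Added example: enable Credential Guard through the documented registry values.
# Run elevated. A reboot is required before the change takes effect.
param(
    # $true  = "Enabled with UEFI lock"  (LsaCfgFlags = 1): cannot be turned off remotely.
    # $false = "Enabled without lock"    (LsaCfgFlags = 2): can be reverted by policy.
    [bool]$UefiLock = $false,
    # 1 = require Secure Boot only; 3 = require Secure Boot and DMA protection
    [ValidateSet(1, 3)][int]$PlatformSecurityLevel = 1
)

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }

# Turn on VBS and state which platform features it must insist on
Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Type DWord -Value $PlatformSecurityLevel

# Credential Guard itself: 1 = enabled with UEFI lock, 2 = enabled without lock, 0 = disabled
$lsaCfgFlags = if ($UefiLock) { 1 } else { 2 }
Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Type DWord -Value $lsaCfgFlags

# Read back what was written so the deployment tool can record it
[pscustomobject]@{
    EnableVirtualizationBasedSecurity = (Get-ItemProperty -Path $dgKey).EnableVirtualizationBasedSecurity
    RequirePlatformSecurityFeatures   = (Get-ItemProperty -Path $dgKey).RequirePlatformSecurityFeatures
    LsaCfgFlags                       = (Get-ItemProperty -Path $lsaKey).LsaCfgFlags
}

Write-Warning 'Reboot required. Configured is not the same as running: confirm with Win32_DeviceGuard or msinfo32 after the restart.'
```

Choose the UEFI lock deliberately: it stops an attacker with administrative rights from switching the protection off with a registry write, but it also means a rollback for a compatibility problem needs someone at the console of every affected machine.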

Monitoring and Verification

  • Event Log Integration: When LSAIso.exe starts, Wininit writes event ID 13 to the System log ("Credential Guard (LsaIso.exe) was started and will protect LSA credentials"); its absence after boot on a configured machine is the first thing to check.
  • PowerShell Verification: The Win32_DeviceGuard WMI class (namespace root\Microsoft\Windows\DeviceGuard) exposes SecurityServicesConfigured and SecurityServicesRunning; the value 1 in each list denotes Credential Guard (2 denotes hypervisor-enforced code integrity).
  • System Information Tools: msinfo32 lists Credential Guard under "Virtualization-based security Services Running" in System Summary.
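The script below is an added example (not from the original article) that performs the three checks above from one elevated PowerShell session and flags the common failure mode, a machine where the policy applied but VBS never started. The WMI property values it interprets are Microsoft's documented ones; the output object's field names are this example's own.

```powershell
# Added example: confirm Credential Guard is running, not merely configured (run elevated).
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard

# Service codes in SecurityServicesConfigured / SecurityServicesRunning:
# 1 = Credential Guard, 2 = hypervisor-enforced code integrity (HVCI)
$configured = @($dg.SecurityServicesConfigured) -contains 1
$running    = @($dg.SecurityServicesRunning)    -contains 1

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
$status = [pscustomobject]@{
    VbsStatus                 = $dg.VirtualizationBasedSecurityStatus
    CredentialGuardConfigured = $configured
    CredentialGuardRunning    = $running
    LsaIsoProcessPresent      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
}
$status

# Wininit (provider Microsoft-Windows-Wininit) logs event ID 13 in the System log
# when LsaIso.exe starts; look for the most recent one.
$startEvent = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 13 } `
                           -MaxEvents 1 -ErrorAction SilentlyContinue
if ($startEvent) {
    'Last LsaIso start event: {0}' -f $startEvent.TimeCreated
} else {
    'No Wininit event 13 in the System log (Credential Guard has not started since the log was last cleared).'
}

# Configured-but-not-running is the classic failure: policy applied, VBS could not start
if ($configured -and -not $running) {
    Write-Warning 'Credential Guard is configured but not running; check Secure Boot, firmware virtualization settings and conflicting hypervisors.'
} elseif ($running -and -not $status.LsaIsoProcessPresent) {
    Write-Warning 'WMI reports Credential Guard running but LsaIso.exe is not visible; treat as suspicious.'
}
```

For fleet-wide monitoring, collect the same two WMI properties through your endpoint management tool and alert on machines where the configured list contains 1 and the running list does not; that is the population where the control is silently absent.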

Use Cases and Applications

Understanding when and where to deploy Credential Guard helps organizations maximize their security investment while avoiding unnecessary complications.

Endpoint Security Enhancement

  • Workstation Protection: Deployment on user workstations protects against credential theft from compromised endpoints, limiting an attacker’s ability to escalate privileges or move laterally through the network.
  • Server Hardening: Application servers and member servers benefit from Credential Guard protection, especially those handling sensitive data or providing critical services.
  • Remote Access Security: Systems used for remote access connections gain additional protection against credential interception during authentication processes.

Attack Surface Reduction

  • Post-Exploitation Mitigation: Credential Guard significantly increases the difficulty for attackers who have already gained initial access to a system, forcing them to find alternative methods for credential harvesting.
  • Advanced Persistent Threat Defense: The hardware-backed protection provides resilience against sophisticated threat actors using advanced credential theft techniques.
  • Insider Threat Mitigation: Protection extends to scenarios where privileged insiders might attempt to extract credentials for unauthorized access.

Compliance and Governance

  • Regulatory Requirements: Hardening baselines, including Microsoft's own security baseline for Windows, recommend enabling Credential Guard with UEFI lock, and regulatory frameworks that call for protection of privileged credentials are satisfied more easily with it in place.
  • Identity Protection Standards: Organizations implementing zero-trust architectures benefit from the additional identity protection layers that Credential Guard provides.
  • Audit and Compliance: The detailed logging and verification capabilities support compliance auditing and security assessments.

Advantages and Trade-offs

Implementing Credential Guard involves significant security benefits balanced against specific technical requirements and potential compatibility challenges.

Security Advantages

  • Credential Protection: Credential Guard removes the easiest and most reliable post-exploitation step on Windows, dumping NTLM hashes and TGTs from LSASS memory, and pushes attackers toward noisier, session-bound techniques.
  • Hardware-Backed Security: Secure Boot, the hypervisor, the TPM, and DMA protection each close a different path to the isolated memory, so compromising the kernel alone is not enough.
  • Attack Mitigation: The LSASS-dumping techniques used by commodity malware and by tools like Mimikatz, whether reading lsass.exe live or parsing a process dump offline, no longer yield usable secrets.
  • Lateral Movement Prevention: Without reusable hashes or tickets, a compromised workstation yields far less to pivot with. The benefit is greatest when paired with tiered administration, so that high-value credentials are never entered on low-tier machines in the first place.

Implementation Considerations

  • Hardware Prerequisites: A 64-bit processor with virtualization extensions (Intel VT-x or AMD-V) and Second Level Address Translation (SLAT), UEFI firmware version 2.3.1.c or later with Secure Boot enabled, and, recommended rather than required, a TPM (1.2 or 2.0) and an IOMMU for DMA protection.
  • Application Compatibility Challenges: Credential Guard deliberately blocks authentication methods that would require handing the secret to code outside VSM: NTLMv1, MS-CHAPv2 (used by many VPN and wireless configurations), Digest authentication, CredSSP credential delegation for Remote Desktop, Kerberos unconstrained delegation, Kerberos DES encryption, and third-party security support providers that expect to see plaintext credentials. Each must be inventoried and replaced (for example, NTLMv2, certificate-based EAP-TLS, or Remote Credential Guard in place of CredSSP) before rollout.
  • Performance Considerations: While generally minimal on modern hardware, some organizations report slight performance impacts due to the additional virtualization overhead and the cross-boundary calls on every authentication.
  • Domain Controller Limitations: Microsoft does not support Credential Guard on Active Directory domain controllers. A DC already holds every domain secret in its directory database, so isolating its own logon session credentials adds little, and enabling it can break DC-specific services.
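Before enabling the feature it pays to find the NTLMv1 and Digest dependencies that will break. The script below is an added example (not from the original article): the registry checks run on the candidate machine itself, while the Security log query is most useful on a domain controller or busy file server, where logon event 4624 records the LmPackageName ("NTLM V1" or "NTLM V2") and the WorkstationName of each client that still negotiates NTLMv1. The registry paths and event fields are Microsoft's; the seven-day window and the output layout are this example's choices.

```powershell
# Added example: audit for authentication methods that stop working once Credential Guard is on.
# Run elevated. Part 1 on the machine being hardened; part 2 on a DC or file server.

# Part 1: local client settings.
# LmCompatibilityLevel below 3 lets the client send LM/NTLMv1 responses, which Credential Guard refuses to compute.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 'not set (OS default applies)' }
'LmCompatibilityLevel: {0}' -f $lmLevel

# WDigest UseLogonCredential = 1 keeps plaintext passwords in LSASS for Digest authentication;
# Credential Guard denies WDigest the credential anyway, so anything relying on it must be fixed first.
$wdigest = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
$wdValue = if ($null -ne $wdigest.UseLogonCredential) { $wdigest.UseLogonCredential } else { 'not set' }
'WDigest UseLogonCredential: {0}' -f $wdValue

# Part 2: which clients still negotiate NTLMv1 against this server (event 4624, LmPackageName field).
$since  = (Get-Date).AddDays(-7)
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$ntlmv1 = foreach ($evt in $logons) {
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LmPackageName'] -eq 'NTLM V1') {
        [pscustomobject]@{
            Time        = $evt.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Workstation = $data['WorkstationName']
            Source      = $data['IpAddress']
            LogonType   = $data['LogonType']
        }
    }
}

if ($ntlmv1) {
    Write-Warning ('{0} NTLMv1 logon(s) in the last 7 days; these client machines will fail once Credential Guard is enabled on them.' -f @($ntlmv1).Count)
    $ntlmv1 | Sort-Object Workstation, Account -Unique | Format-Table -AutoSize
} else {
    'No NTLMv1 logons recorded in the last 7 days.'
}

# MS-CHAPv2 (VPN/Wi-Fi) and CredSSP (RDP delegation) leave no simple local footprint;
# review NPS/RAS profiles and Remote Desktop delegation policies separately.
```

Treat every workstation in the NTLMv1 list as a rollout blocker until the application or device behind it is moved to NTLMv2 or Kerberos; enabling Credential Guard first simply turns the audit finding into a helpdesk ticket.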

Operational Trade-offs

  • Management Complexity: Organizations must plan for the additional complexity of managing VBS-based security features and potentially updating applications that rely on incompatible authentication methods.
  • Licensing Requirements: Historically, Credential Guard required Windows Enterprise or Education editions, though default enablement on newer Windows versions has expanded availability.
  • Disable Restrictions: When configured with UEFI lock, the setting is persisted in a UEFI variable in addition to the registry. Turning it off requires running the documented removal steps and then a physically present user confirming the change at the console during the next boot, so it cannot be rolled back remotely.
  • Incomplete Protection: Credential Guard only protects secrets held by the LSA. It does nothing against keyloggers, phishing, credentials cached by browsers and applications, local account hashes in the SAM, or an attacker who abuses a logged-on user's session rather than stealing the secret itself.

Key Terms Appendix

  • Windows Defender Credential Guard: Microsoft’s virtualization-based security feature that isolates authentication credentials to prevent memory-based theft attacks.
  • Virtualization-Based Security (VBS): The underlying technology that creates an isolated execution environment using the Windows Hypervisor for security-sensitive operations.
  • LSASS (Local Security Authority Subsystem Service): The Windows process responsible for managing local security policies and handling authentication operations.
  • LSA Isolated (LSAIso.exe): The protected process running within VBS that stores sensitive credentials away from the main operating system.
  • Pass-the-Hash (PtH): An attack technique where threat actors use stolen NTLM password hashes for authentication without needing the original plaintext password.
  • Pass-the-Ticket (PtT): An attack method that uses stolen Kerberos tickets to authenticate to network resources without requiring password credentials.
  • NTLM Password Hashes: Cryptographic hashes of user passwords used in NTLM authentication protocols.
  • Kerberos Ticket Granting Ticket (TGT): Initial authentication tokens issued by domain controllers that allow users to request access to network services.
  • Trusted Platform Module (TPM): A dedicated hardware security chip that provides cryptographic key storage and platform integrity verification capabilities.
  • Input/Output Memory Management Unit (IOMMU): Hardware that controls device access to system memory, preventing direct memory access attacks against protected regions.
