{
	"id": "1bb9846e-2522-40eb-a2f1-19ed6efc4902",
	"created_at": "2026-04-06T00:17:35.954018Z",
	"updated_at": "2026-04-10T03:21:25.808409Z",
	"deleted_at": null,
	"sha1_hash": "4655038a4f68b39bd7652c160c1ad0a659f3cf1b",
	"title": "How Credential Guard works",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54790,
	"plain_text": "How Credential Guard works\r\nBy officedocspr5\r\nArchived: 2026-04-05 22:40:14 UTC\r\nKerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-based security (VBS). Previous\r\nversions of Windows stored secrets in its process memory, in the Local Security Authority (LSA) process\r\nlsass.exe .\r\nWith Credential Guard enabled, the LSA process in the operating system talks to a component called the isolated\r\nLSA process that stores and protects those secrets, LSAIso.exe . Data stored by the isolated LSA process is\r\nprotected using VBS and isn't accessible to the rest of the operating system. LSA uses remote procedure calls to\r\ncommunicate with the isolated LSA process.\r\nFor security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset\r\nof operating system binaries that are needed for security and nothing else. All the binaries are signed with a\r\ncertificate that VBS trusts, and the signatures are validated before launching the file in the protected environment.\r\nDiagram of the Credential Guard architecture.\r\nSecrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using\r\nVirtual Secure Mode (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be\r\nprotected by a key called the VSM master key, which is protected by device firmware protections. To learn more,\r\nsee System Guard: How a hardware-based root of trust helps protect Windows. The VSM master key is protected\r\nby the TPM, ensuring that the key and secrets protected by Credential Guard can only be accessed in a trusted\r\nenvironment.\r\nCredential Guard doesn't typically persist authentication data (NTLM hash and TGTs), as that data is lost between\r\nreboots and refreshed when the user signs into the system. 
This means that Credential Guard doesn't depend on the VSM master key or the TPM to protect that data across a reset.\r\nNote\r\nThe VSM master key might not be protected by the TPM in either of the following environments:\r\nIf Secure Boot is disabled\r\nIf a TPM isn't available in the firmware\r\nSome ways to store credentials aren't protected by Credential Guard, including:\r\nWhen Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials, so single sign-on doesn't work with these protocols. Applications can still prompt for credentials or use credentials stored in the Windows Vault, but credentials used with any of these protocols aren't protected by Credential Guard\r\nCaution\r\nIt's recommended that valuable credentials, such as the sign-in credentials, aren't used with the NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols.\r\nSoftware that manages credentials outside of Windows feature protection\r\nLocal accounts and Microsoft Accounts\r\nCredential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it gets the same protection as it would when running a Windows client OS\r\nKey loggers\r\nPhysical attacks\r\nCredential Guard doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization\r\nNon-Microsoft security packages\r\nSupplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, those credentials can be read from LSASS memory. The same credentials are also vulnerable to key loggers\r\nKerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected\r\nWhen Credential Guard is enabled, Kerberos doesn't allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials but also for prompted or saved credentials\r\nWhen Credential Guard is enabled on a VM, it protects secrets from attacks inside the VM. However, it doesn't provide protection from privileged system attacks originating from the host\r\nWindows logon cached password verifiers (commonly called cached credentials) don't qualify as credentials because they can't be presented to another computer for authentication, and can only be used locally to verify credentials. They're stored in the registry on the local computer and provide validation for credentials when a domain-joined computer can't connect to AD DS during user logon. These cached logons, or more specifically cached domain account information, can be managed using the security policy setting Interactive logon: Number of previous logons to cache if a domain controller isn't available\r\nLearn how to configure Credential Guard\r\nReview the advice and sample code for making your environment more secure and robust with Credential Guard in the Additional mitigations article\r\nReview considerations and known issues when using Credential Guard\r\nSource: https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works",
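	"added_example": "Added example (an editor's addition, not code from the Microsoft page). The text above says that with Credential Guard running the sign-in secrets move from lsass.exe into the isolated LSA process LsaIso.exe, and that the VSM master key is only TPM-protected when Secure Boot is enabled and a TPM is present. The PowerShell below, run from an elevated session on a Windows host, checks each of those conditions using Microsoft's documented Win32_DeviceGuard WMI class, the LsaIso process, Confirm-SecureBootUEFI and Get-Tpm, and also reads the CachedLogonsCount registry value behind the cached-logons policy setting described above. The function name Get-CredentialGuardState is an assumed name chosen for this example; the status codes it decodes are the documented values of the WMI class.\r\n\r\n```powershell\r\n# Added example, not code from the Microsoft page: verify that Credential Guard is\r\n# actually protecting secrets on this host. Run from an elevated PowerShell session.\r\nfunction Get-CredentialGuardState {\r\n    # Win32_DeviceGuard is Microsoft's documented WMI class for VBS status.\r\n    $dg = Get-CimInstance -Namespace 'root\\Microsoft\\Windows\\DeviceGuard' -ClassName 'Win32_DeviceGuard'\r\n    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = enabled and running.\r\n    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (memory integrity).\r\n    $vbsRunning   = ($dg.VirtualizationBasedSecurityStatus -eq 2)\r\n    $cgConfigured = ($dg.SecurityServicesConfigured -contains 1)\r\n    $cgRunning    = ($dg.SecurityServicesRunning -contains 1)\r\n    # With Credential Guard running, secrets live in the isolated LSA process (LsaIso.exe),\r\n    # not in lsass.exe. If it is absent, secrets are still held only in lsass.exe.\r\n    $lsaIso = Get-Process -Name 'LsaIso' -ErrorAction SilentlyContinue\r\n    # Firmware protections the VSM master key depends on (see the Note in the text).\r\n    # Confirm-SecureBootUEFI throws on legacy BIOS firmware; treat that as Secure Boot off.\r\n    try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }\r\n    try { $tpm = Get-Tpm; $tpmReady = $tpm.TpmPresent -and $tpm.TpmReady } catch { $tpmReady = $false }\r\n    # Registry value behind 'Interactive logon: Number of previous logons to cache' (stored as a string).\r\n    $winlogon = 'HKLM:\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'\r\n    $cached = (Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue).CachedLogonsCount\r\n    [PSCustomObject]@{\r\n        VbsRunning                = $vbsRunning\r\n        CredentialGuardConfigured = $cgConfigured\r\n        CredentialGuardRunning    = $cgRunning\r\n        LsaIsoProcessPresent      = ($null -ne $lsaIso)\r\n        SecureBootEnabled         = [bool]$secureBoot\r\n        TpmPresentAndReady        = [bool]$tpmReady\r\n        CachedLogonsCount         = $cached\r\n    }\r\n}\r\n\r\n$state = Get-CredentialGuardState\r\n$state | Format-List\r\n# Secrets are only isolated when VBS is running, Credential Guard is running and LsaIso.exe exists.\r\nif (-not ($state.VbsRunning -and $state.CredentialGuardRunning -and $state.LsaIsoProcessPresent)) {\r\n    Write-Warning 'Credential Guard is not running: sign-in secrets are still held only in lsass.exe.'\r\n}\r\n# Without Secure Boot and a ready TPM the VSM master key may not be TPM-protected (see the Note).\r\nif (-not ($state.SecureBootEnabled -and $state.TpmPresentAndReady)) {\r\n    Write-Warning 'Secure Boot disabled or TPM unavailable: the VSM master key may not be protected by the TPM.'\r\n}\r\n```\r\n\r\nUsage note: run it after enabling Credential Guard and rebooting. CredentialGuardConfigured true with CredentialGuardRunning false means the policy is set but the feature didn't start (typically because VBS itself isn't running), which is the state to investigate with the configuration and known-issues articles referenced above. Confirm-SecureBootUEFI and Get-Tpm also fail without elevation, so a non-elevated run reports both firmware checks as false.",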
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works"
	],
	"report_names": [
		"credential-guard-how-it-works"
	],
	"threat_actors": [],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775791285,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4655038a4f68b39bd7652c160c1ad0a659f3cf1b.pdf",
		"text": "https://archive.orkl.eu/4655038a4f68b39bd7652c160c1ad0a659f3cf1b.txt",
		"img": "https://archive.orkl.eu/4655038a4f68b39bd7652c160c1ad0a659f3cf1b.jpg"
	}
}