{
	"id": "c898cb01-7363-407e-b995-c7d6e79c5b39",
	"created_at": "2026-04-06T00:21:34.224745Z",
	"updated_at": "2026-04-10T03:23:51.166103Z",
	"deleted_at": null,
	"sha1_hash": "84f648c051e8d6cfd2cac1aaf1e1d00fa8afa97a",
	"title": "Credential Guard overview",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 67382,
	"plain_text": "Credential Guard overview\r\nBy officedocspr5\r\nArchived: 2026-04-05 14:08:56 UTC\r\nCredential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting\r\nTickets (TGTs), and credentials stored by applications as domain credentials.\r\nCredential Guard uses Virtualization-based security (VBS) to isolate secrets so that only privileged system software\r\ncan access them. Unauthorized access to these secrets can lead to credential theft attacks like pass the hash and pass\r\nthe ticket.\r\nWhen enabled, Credential Guard provides the following benefits:\r\nHardware security: NTLM, Kerberos, and Credential Manager take advantage of platform security\r\nfeatures, including Secure Boot and virtualization, to protect credentials\r\nVirtualization-based security: NTLM, Kerberos derived credentials, and other secrets run in a protected\r\nenvironment that is isolated from the running operating system\r\nProtection against advanced persistent threats: when credentials are protected using VBS, the credential\r\ntheft attack techniques and tools used in many targeted attacks are blocked. 
Malware running in the\r\noperating system with administrative privileges can't extract secrets that are protected by VBS\r\nNote\r\nWhile Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques,\r\nand you should also incorporate other security strategies and architectures.\r\nDefault enablement\r\nStarting in Windows 11, 22H2 and Windows Server 2025, VBS and Credential Guard are enabled by default on\r\ndevices that meet the requirements.\r\nThe default enablement is without UEFI Lock, thus allowing administrators to disable Credential Guard remotely\r\nif needed.\r\nWhen Credential Guard is enabled, VBS is automatically enabled too.\r\nNote\r\nIf Credential Guard is explicitly disabled before a device is updated to Windows 11, version 22H2 / Windows\r\nServer 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have\r\nCredential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.\r\nhttps://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard\r\nPage 1 of 4\n\nDefault enablement on Windows\r\nDevices running Windows 11, 22H2 or later have Credential Guard enabled by default if they:\r\nMeet the license requirements\r\nMeet the hardware and software requirements\r\nAren't explicitly configured to disable Credential Guard\r\nNote\r\nDevices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or\r\nCredential Guard automatically enabled if they meet the other requirements for default enablement, and have\r\npreviously run Credential Guard. 
For example, if Credential Guard was enabled on an Enterprise device that later\r\ndowngraded to Pro.\r\nTo determine whether the Pro device is in this state, check if the following registry key exists:\r\nComputer\\HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\MSV1_0\\IsolatedCredentialsRootSecret.\r\nIf you wish to disable Credential Guard, see configure Credential Guard.\r\nDefault enablement on Windows Server\r\nDevices running Windows Server 2025 or later have Credential Guard enabled by default if they:\r\nMeet the license requirements\r\nMeet the hardware and software requirements\r\nAren't explicitly configured to disable Credential Guard\r\nAre joined to a domain\r\nAren't a domain controller\r\nSystem requirements\r\nFor Credential Guard to provide protection, the device must meet certain hardware, firmware, and software\r\nrequirements.\r\nDevices that exceed the minimum hardware and firmware qualifications receive additional protections and are more\r\nhardened against certain threats.\r\nHardware and software requirements\r\nCredential Guard requires the following features:\r\nVirtualization-based security (VBS)\r\nSecure Boot\r\nWhile not required, the following features are recommended to provide additional protections:\r\nTrusted Platform Module (TPM), as it provides binding to hardware. TPM versions 1.2 and 2.0 are\r\nsupported, either discrete or firmware\r\nUEFI lock, as it prevents attackers from disabling Credential Guard with a registry key change\r\nFor detailed information on protections for improved security that are associated with hardware and firmware\r\noptions, see additional security qualifications.\r\nCredential Guard in virtual machines\r\nCredential Guard can protect secrets in Hyper-V virtual machines, just as it would on a physical machine. 
When\r\nCredential Guard is enabled on a VM, secrets are protected from attacks inside the VM. Credential Guard doesn't\r\nprovide protection from privileged system attacks originating from the host.\r\nThe requirements to run Credential Guard in Hyper-V virtual machines are:\r\nThe Hyper-V host must have an IOMMU\r\nThe Hyper-V virtual machine must be generation 2\r\nNote\r\nCredential Guard is not supported on Hyper-V or Azure generation 1 VMs. Credential Guard is available on\r\ngeneration 2 VMs only.\r\nWindows edition and licensing requirements\r\nThe following table lists the Windows editions that support Credential Guard (edition: supported):\r\nWindows Pro: No\r\nWindows Enterprise: Yes\r\nWindows Pro Education/SE: No\r\nWindows Education: Yes\r\nCredential Guard license entitlements are granted by the following licenses (license: entitlement):\r\nWindows Pro/Pro Education/SE: No\r\nWindows Enterprise E3: Yes\r\nWindows Enterprise E5: Yes\r\nWindows Education A3: Yes\r\nWindows Education A5: Yes\r\nFor more information about Windows licensing, see Windows licensing overview.\r\nApplication requirements\r\nWhen Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such\r\ncapabilities break. We refer to these requirements as application requirements.\r\nApplications should be tested before deployment to ensure compatibility with the reduced functionality.\r\nWarning\r\nEnabling Credential Guard on domain controllers isn't recommended. Credential Guard doesn't provide any added\r\nsecurity to domain controllers, and can cause application compatibility issues on domain controllers.\r\nEnabling Credential Guard on Exchange Server isn't supported and can lead to performance issues.\r\nNote\r\nCredential Guard doesn't provide protections for the Active Directory database or the Security Accounts Manager\r\n(SAM). 
The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active\r\nDirectory database (on domain controllers) and the SAM (for local accounts).\r\nApplications break if they require:\r\nKerberos DES encryption support\r\nKerberos unconstrained delegation\r\nKerberos TGT extraction\r\nNTLMv1\r\nApplications prompt for credentials and expose them to risk if they require:\r\nDigest authentication\r\nCredential delegation\r\nMS-CHAPv2\r\nCredSSP\r\nApplications might cause performance issues when they attempt to hook the isolated Credential Guard process\r\nLSAIso.exe.\r\nServices or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't\r\naffected by Credential Guard.\r\nNext steps\r\nLearn how Credential Guard works\r\nLearn how to configure Credential Guard\r\nReview the advice and sample code for making your environment more secure and robust with Credential\r\nGuard in the Additional mitigations article\r\nReview considerations and known issues when using Credential Guard\r\nSource: https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard"
	],
	"report_names": [
		"credential-guard"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434894,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/84f648c051e8d6cfd2cac1aaf1e1d00fa8afa97a.pdf",
		"text": "https://archive.orkl.eu/84f648c051e8d6cfd2cac1aaf1e1d00fa8afa97a.txt",
		"img": "https://archive.orkl.eu/84f648c051e8d6cfd2cac1aaf1e1d00fa8afa97a.jpg"
	}
}