Learn what Windows Credential Guard is and explore its benefits. Find out how to enable and disable it and discover how Level can secure endpoints.
As cyberattacks grow more advanced, especially those targeting credential theft, IT admins need strong defenses to reduce risk.
This is where Credential Guard comes in. It is a built-in Windows security feature that uses virtualization-based security (VBS) to block access to password hashes and other sensitive data.
In this guide, we cover everything you need to know about Windows Credential Guard, from what it is to why it matters. We also share step-by-step instructions for enabling it and for disabling it.
Credential Guard is a security feature pre-built into the Windows operating system. It secures sensitive login data against credential theft attack techniques.
Windows Credential Guard focuses on protecting Kerberos ticket-granting tickets (TGTs), NT LAN Manager (NTLM) password hashes, and other domain credentials held in system memory. These credentials are common targets in privileged system attacks, especially within enterprise environments.
Credential Guard makes it harder for malware or unauthorized tools to access domain credentials, even if the device is compromised. It is a key component of any security strategy that seeks to safeguard Windows accounts.
Credential Guard uses virtualization-based security and hardware security to separate sensitive credential information from the rest of the Windows operating system.
It creates a secure, isolated environment so that only privileged system software can access NTLM password hashes, Kerberos-derived credentials, and other secrets.
On compatible Windows devices, Credential Guard keeps attackers, even malware running with administrative privileges, from reading sensitive credential data. This adds another barrier against common credential theft attacks targeting local accounts and enterprise environments.
Credential Guard is also supported inside Hyper-V virtual machines. However, the Hyper-V host must have an IOMMU (input-output memory management unit), and the virtual machine must be Generation 2.
Enabling Credential Guard can secure credentials inside the virtual machine. However, it doesn't provide protection from privileged system attacks originating from the host.
Whether enabled by default, as on recent Windows servers, or configured manually, Credential Guard can benefit your business in several ways. Let's take a closer look:
Credential Guard blocks attackers from extracting domain credentials stored in memory, even if they gain administrative rights. This provides protection against advanced persistent attacks from malware or unauthorized tools.
By isolating secrets in a protected environment, Credential Guard significantly minimizes the chances of stolen NTLM password hashes being reused across Windows network locations.
It also reduces the attack surface and makes post-exploitation techniques, such as pass-the-hash and pass-the-ticket, far less effective.
Credential Guard uses virtualization to protect credentials by storing them in a separate, secure environment.
This isolated Credential Guard process is enforced by VBS, which relies on security features including Secure Boot.
Attackers can't directly access or tamper with this data, even with administrative privileges. Thus, sensitive authentication information stays protected.
If a Windows remote desktop is compromised, attackers often harvest credentials to pivot across the network.
Credential Guard helps defend against targeted attacks and advanced persistent threats that rely on lateral movement. It limits what attackers can collect and slows or stops their movement across managed endpoints.
This is especially valuable in enterprise environments with flat networks or legacy systems, where credential reuse is common. It keeps breaches contained and buys time for IT response teams to take action.
Windows Credential Guard supports security and compliance efforts by meeting key benchmarks for identity protection.
It aligns with security and compliance frameworks such as SOC 2, NIST, and ISO 27001, which makes it a valuable addition to your security strategy.
Credential Guard is automatically enabled on Windows Server 2025 and Windows devices with version 22H2 installed. Bear in mind that some Windows 11 devices may not have it enabled, depending on the hardware and edition.
By default, Credential Guard runs without UEFI Lock. This means you can disable Credential Guard remotely if needed.
However, you may still need to confirm its status, especially if you have mixed IT environments or use Credential Guard in virtual machines. Below are three methods to check if this feature is enabled or disabled:
One of the easiest ways to check Credential Guard status is with the System Information tool.
Open the Start Menu, type msinfo32, and click System Information. In the window that appears, you should select System Summary.
If Credential Guard is enabled, you'll see it listed next to "Virtualization-based Security Services Running".
You can also check whether Credential Guard is enabled from PowerShell. Run the following command in an elevated PowerShell session:
Look at the SecurityServicesRunning property. If the value 1 appears, Credential Guard is active. The value 0 means the feature is disabled.
Using the Event Viewer is another way to verify Credential Guard enablement.
First, launch the Event Viewer (eventvwr.exe) and go to Windows Logs\System. Then, filter for the WinInit event source and look for the following events:
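The following script, added here as an example and not part of the original article, performs the PowerShell check and the Event Viewer check described above in one pass. It reads the Win32_DeviceGuard CIM class (the same data msinfo32 displays) and the WinInit events 13 (Credential Guard started) and 14 (Credential Guard configuration) from the System log; run it in an elevated session.

```powershell
# Added example, not from the original article. Reads the Win32_DeviceGuard CIM class
# and cross-checks it against the WinInit events in the System log. Run elevated.

function Get-CredentialGuardStatus {
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                          -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0       { 'Disabled' }
        1       { 'Enabled, not running' }
        2       { 'Running' }
        default { 'Unknown' }
    }

    # SecurityServicesConfigured / SecurityServicesRunning are lists of service IDs:
    # 1 = Credential Guard, 2 = hypervisor-protected code integrity (HVCI).
    [pscustomobject]@{
        VirtualizationBasedSecurity = $vbs
        CredentialGuardConfigured   = [bool]($dg.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning      = [bool]($dg.SecurityServicesRunning    -contains 1)
    }
}

function Get-CredentialGuardEvents {
    # Event ID 13: Credential Guard (LsaIso.exe) started and is protecting LSA credentials.
    # Event ID 14: Credential Guard configuration recorded at boot.
    # Other providers can also use IDs 13/14 in the System log, so filter on WinInit.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 13, 14 } `
                 -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object ProviderName -match 'Wininit' |
        Select-Object TimeCreated, Id, Message
}

$status = Get-CredentialGuardStatus
$status | Format-List

$events = Get-CredentialGuardEvents
if ($events) { $events | Format-Table -AutoSize -Wrap }
else         { Write-Warning 'No WinInit Credential Guard events found in the System log.' }

if (-not $status.CredentialGuardRunning) {
    if ($status.CredentialGuardConfigured) {
        Write-Warning 'Credential Guard is configured but not running; check VBS and Secure Boot, or reboot.'
    } else {
        Write-Warning 'Credential Guard is not configured on this device.'
    }
}
```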
If you don't have Credential Guard enabled by default, you can follow these steps to activate it:
Before enabling Credential Guard, you should check if your device meets Windows edition and licensing requirements.
Only Windows Enterprise and Windows Education support Credential Guard. You can't use it on computers that run Windows Pro and Windows Pro Education/SE editions.
When it comes to Credential Guard license entitlements, you should have any of the following licenses:
In addition to Windows version requirements, you should also meet certain hardware and software specifications.
Credential Guard requires hardware virtualization support, Secure Boot, virtualization-based security, and a compatible 64-bit CPU with Second-Level Address Translation (SLAT).
Having a Trusted Platform Module (TPM) is optional, but it is highly recommended because it binds the protected credentials to the hardware. Credential Guard supports TPM versions 1.2 and 2.0, either discrete or firmware.
UEFI lock is also useful: with it enabled, an attacker cannot disable Credential Guard simply by changing a registry key.
If you plan to enable Credential Guard on devices that run business applications, test those applications before full deployment. Certain authentication capabilities are blocked, which can cause compatibility issues.
Once you've met all requirements, you can enable VBS. Use the following custom policy with the DeviceGuard Policy CSP:
Alternatively, you can enable Credential Guard and configure devices with Microsoft Intune. Create a Settings catalog policy and select either of the following options:
You can modify Credential Guard through the Local Group Policy Editor. Create a group policy object (GPO) and apply the following settings:
Besides the Local Group Policy Editor, you can also configure devices through Registry settings:
The last step involves rebooting the device to activate Credential Guard.
After restarting, you should verify the status again using System Information, PowerShell, or Event Viewer.
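As an added example that is not the article's own configuration, this script applies the registry-based method from the procedure above: it checks the edition, 64-bit and Secure Boot prerequisites the article lists, then writes the registry values Microsoft documents for VBS and Credential Guard. The -UefiLock switch is this script's own parameter; the device still needs a reboot afterwards.

```powershell
# Added example, not from the original article. Enables VBS and Credential Guard via the
# documented registry values after checking the prerequisites from the article.
# Run elevated. A reboot is required before the change takes effect.
param([switch]$UefiLock)   # this script's own switch: choose the UEFI-locked mode

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# --- Prerequisite checks ---------------------------------------------------
if (-not [Environment]::Is64BitOperatingSystem) {
    throw 'Credential Guard requires a 64-bit Windows installation.'
}
# Supported on Enterprise, Education and Server editions; Pro editions are not.
$caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($caption -notmatch 'Enterprise|Education|Server') {
    throw "Unsupported Windows edition: $caption"
}
# Secure Boot must be on; Confirm-SecureBootUEFI throws on legacy BIOS systems.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
if (-not $secureBoot) { throw 'Enable Secure Boot in the firmware before continuing.' }

# --- Configuration ---------------------------------------------------------
if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey | Out-Null }

# Turn on virtualization-based security and require Secure Boot as the platform
# security level (1 = Secure Boot; 3 = Secure Boot plus DMA protection).
Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures   -Value 1 -Type DWord

# LsaCfgFlags selects the Credential Guard mode:
#   1 = enabled with UEFI lock (a later registry change alone cannot turn it off)
#   2 = enabled without UEFI lock (the default the article describes; can be disabled remotely)
$lsaCfgFlags = if ($UefiLock) { 1 } else { 2 }
Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Value $lsaCfgFlags -Type DWord

Write-Host "Credential Guard configured (LsaCfgFlags=$lsaCfgFlags). Reboot, then verify with msinfo32, PowerShell or Event Viewer."
```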
You might need to disable Credential Guard for compatibility issues. There are different methods to deactivate this feature depending on how it is configured.
While powerful, Microsoft's Credential Guard is not a comprehensive security tool. It's best to combine it with other platforms to protect sensitive data and systems against cyberthreats.
Level provides a secure remote monitoring and management (RMM) software for IT teams and managed service providers.
It enforces strict security protocols to keep your account and stored data, such as credentials, safe. These include peer-to-peer connections, complex passwords, custom permissions, and IP restrictions.
Level's RMM platform can also track endpoints 24/7. If a threat or anomaly is detected, it instantly notifies the relevant teams for faster resolution and minimal damage to your infrastructure.
Book a demo or try Level free for 14 days right now!
Credential Guard protects domain credentials by isolating them from the rest of the operating system. It stores NTLM password hashes, Kerberos tickets, and other secrets in a secure environment to prevent attackers from stealing them.
Most IT environments benefit from keeping Credential Guard enabled. However, you might need to turn it off for software compatibility or performance testing. Always assess the risk first, as disabling it reduces protection against credential theft and lateral movement.
You can use three different methods to check if Credential Guard is enabled. You can launch the System Information tool, run a PowerShell command, or use the Event Viewer.
Remote Credential Guard extends protection to Remote Desktop (RDP) connections. It ensures that credentials are never sent over the network to the remote host; instead, Kerberos requests are redirected back to the originating device.