Enable Credential Guard using PowerShell

Credential Guard is a new security feature developed by Microsoft to protect passwords and other sensitive secrets. It stores those secrets in an isolated region of memory that even Windows processes and device drivers cannot access; only a small number of binaries are loaded into that isolated environment. Without Credential Guard, every Windows process running in kernel mode has full access to memory.

Hardware requirements of Credential Guard:

  • A physical PC is required.
    Note: Starting with version 1607, Microsoft supports Credential Guard in virtual machines running on Hyper-V as well.
  • It runs Windows 10 Enterprise edition.
  • UEFI Secure Boot is enabled.
  • The UEFI firmware supports UEFI Interface Specifications v2.3.1 Errata B or higher and has the Microsoft Windows Certification Authority in the UEFI signature database.
  • Support for virtualization technology is enabled (i.e., Intel VT-x or AMD-V).
  • Support for IOMMU technology is enabled (i.e., Intel VT-d or AMD-Vi).
  • The CPU supports Second Level Address Translation (SLAT).
  • The computer is an x64 architecture.
  • It has TPM version 1.2 or 2.0.

To enable Credential Guard using PowerShell, run the following script from an elevated session (the settings take effect after a reboot):

$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\"
# Create the DeviceGuard and LSA keys if they do not exist yet
ForEach ($scope in "DeviceGuard", "LSA") {
    $RegKeyPath = $RegKey + $scope
    if (!(Test-Path $RegKeyPath)) {
        New-Item $RegKeyPath -Force | Out-Null
    }
}
# Turn on virtualization-based security; RequirePlatformSecurityFeatures = 1 requires Secure Boot
$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard"
Set-ItemProperty $RegKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
Set-ItemProperty $RegKey -Name RequirePlatformSecurityFeatures -Type DWord -Value 1
# LsaCfgFlags = 1 enables Credential Guard with UEFI lock (2 would enable it without the lock)
$RegKey = "HKLM:\SYSTEM\CurrentControlSet\Control\LSA"
Set-ItemProperty $RegKey -Name LsaCfgFlags -Type DWord -Value 1

To check whether Credential Guard is enabled, query the Win32_DeviceGuard WMI class from PowerShell:

Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
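The raw Win32_DeviceGuard output is a set of numeric codes, and the hardware list above is easiest to verify in one pass. The following added script (written for this page, not part of the original post or of any Microsoft tooling) ties both together: it checks the prerequisites that Windows exposes through Win32_Processor, Confirm-SecureBootUEFI and Get-Tpm, then decodes the Win32_DeviceGuard properties into a readable status object. The function name Get-CredentialGuardReadiness is this example's own; the property codes it decodes (SecurityServicesRunning 1 = Credential Guard, VirtualizationBasedSecurityStatus 0/1/2, AvailableSecurityProperties 3 = DMA protection) are the documented Win32_DeviceGuard values.

```powershell
# Added example: prerequisite and status check for Credential Guard.
# Run from an elevated PowerShell session on Windows 10 / Server 2016 or later.

function Get-CredentialGuardReadiness {
    [CmdletBinding()]
    param()

    # --- Hardware / firmware prerequisites ------------------------------------
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem

    # Confirm-SecureBootUEFI throws on legacy BIOS machines, so treat an
    # exception as "Secure Boot unavailable" rather than as a hard failure.
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Get-Tpm comes from the TrustedPlatformModule module; if it fails, report no TPM.
    $tpm = $null
    try { $tpm = Get-Tpm } catch { $tpm = $null }

    # --- What virtualization-based security itself reports --------------------
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    # Documented Win32_DeviceGuard codes:
    #   SecurityServicesConfigured / SecurityServicesRunning : 1 = Credential Guard, 2 = HVCI
    #   VirtualizationBasedSecurityStatus : 0 = not enabled, 1 = enabled but not running, 2 = running
    #   AvailableSecurityProperties       : 1 = base VBS, 2 = Secure Boot, 3 = DMA protection, ...
    $vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    [pscustomobject]@{
        Is64Bit                   = $os.OSArchitecture -like '64*'
        IsEnterpriseEdition       = $os.Caption -match 'Enterprise'
        VirtualizationEnabled     = [bool]$cpu.VirtualizationFirmwareEnabled
        SlatSupported             = [bool]$cpu.SecondLevelAddressTranslationExtensions
        SecureBootEnabled         = $secureBoot
        TpmPresent                = [bool]($tpm -and $tpm.TpmPresent)
        # IOMMU/VT-d availability shows up as DMA protection in the VBS property list
        DmaProtectionAvailable    = 3 -in $dg.AvailableSecurityProperties
        VbsStatus                 = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        CredentialGuardConfigured = 1 -in $dg.SecurityServicesConfigured
        CredentialGuardRunning    = 1 -in $dg.SecurityServicesRunning
    }
}

Get-CredentialGuardReadiness | Format-List
```

After applying the registry script above and rebooting, CredentialGuardRunning should flip to True; if CredentialGuardConfigured is True but CredentialGuardRunning stays False, one of the prerequisite fields in the same output usually explains why (most often Secure Boot or firmware virtualization support being disabled).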
