
Filename: microsoft-md101-3-2-1-windows-defender-credential-guard

Show Name: Managing Modern Desktops (MD-101)


Topic Name: Manage and Protect Devices
Episode Name: Windows Defender Credential Guard
Description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. In this episode, you will learn about the protection Credential Guard provides. You will also learn how to configure Credential Guard using both Group Policy and Microsoft Intune.

Windows Defender Credential Guard

What is Credential Guard

Isolates users' logon credentials (NTLM hashes, Kerberos ticket-granting tickets, and domain credentials stored by applications) from the rest of the operating system
Only privileged system software can access the isolated secrets; malware running in the normal OS, even with administrator rights, cannot read them
Isolated LSA process (LsaIso.exe) runs inside the virtualization-based security environment
The regular LSA (lsass.exe) communicates with the isolated LSA using RPC

Requirements

Support for virtualization-based security

64-bit CPU and 64-bit Windows
Virtualization extensions (Intel VT-x or AMD-V), enabled in firmware
Windows hypervisor (Hyper-V)

UEFI Secure Boot
TPM 1.2 or 2.0 (recommended; binds the VBS keys to the device)
For a VM

Generation 2
Virtual TPM enabled
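The following readiness check is an added example, not part of the episode or of Microsoft's hardware readiness tool. It reads the same device properties the requirements above describe; it assumes it runs elevated on the candidate device and that the Win32_DeviceGuard WMI class is present (Windows 10 and later).

```powershell
# Added example (not from the episode): quick readiness check against the
# Credential Guard requirements. Assumes Windows 10 or later, run elevated.
#Requires -RunAsAdministrator

function Test-CredentialGuardReadiness {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $dg  = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI) } catch { $secureBoot = $false }

    # Get-Tpm fails where no TPM driver is loaded; treat that as "no TPM".
    $tpm = $null
    try { $tpm = Get-Tpm } catch { $tpm = $null }

    # Caveat: once a hypervisor is already running, Win32_Processor reports
    # VirtualizationFirmwareEnabled as $false because the extensions are hidden
    # from the guest partition. Check it before enabling Hyper-V or VBS.
    [pscustomobject]@{
        Is64Bit             = [Environment]::Is64BitOperatingSystem
        VtExtensionsEnabled = [bool]$cpu.VirtualizationFirmwareEnabled
        SlatSupported       = [bool]$cpu.SecondLevelAddressTranslationExtensions
        SecureBootEnabled   = $secureBoot
        TpmPresent          = ($null -ne $tpm -and $tpm.TpmPresent)
        TpmReady            = ($null -ne $tpm -and $tpm.TpmReady)
        # AvailableSecurityProperties: 1 = base VBS support, 2 = Secure Boot, 3 = DMA protection
        VbsSupported        = ($dg.AvailableSecurityProperties -contains 1)
        SecureBootAvailable = ($dg.AvailableSecurityProperties -contains 2)
        DmaProtectionAvail  = ($dg.AvailableSecurityProperties -contains 3)
    }
}

Test-CredentialGuardReadiness | Format-List
```

Every field should read True before 'Secure Boot and DMA Protection' is chosen as the platform security level; if DmaProtectionAvail is False, use the plain 'Secure Boot' level or VBS will not start.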

Apps will break if they require

Kerberos DES encryption
Kerberos unconstrained delegation
NTLMv1

Applications will still prompt for credentials, and those credentials are not protected by Credential Guard, if they require

Digest authentication
Credential delegation (CredSSP)
MS-CHAPv2
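Before enabling Credential Guard it is worth finding the apps that depend on the protocols above. The script below is an added example, not from the episode; it assumes it runs on a domain controller with the ActiveDirectory RSAT module, that security auditing for logon and Kerberos events is enabled, and a one-day lookback window (adjust $since for a longer sample).

```powershell
# Added example (not from the episode): audit for NTLMv1, DES Kerberos and
# unconstrained delegation, the three things Credential Guard will break.
# Assumes a domain controller with the ActiveDirectory module; the one-day
# window is an assumption for illustration.
#Requires -Modules ActiveDirectory

$since = (Get-Date).AddDays(-1)

# Flatten an event's EventData <Data Name="..."> elements into a hashtable.
function ConvertTo-EventData($event) {
    $x = [xml]$event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-Ntlmv1Logons {
    # 4624 logon events record the NTLM flavour in LmPackageName ("NTLM V1" / "NTLM V2").
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['LmPackageName'] -eq 'NTLM V1') {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Source = $d['WorkstationName'] }
            }
        }
}

function Get-DesKerberosTickets {
    # 4768 (TGT) and 4769 (service ticket) carry TicketEncryptionType; 0x1 and 0x3 are the DES types.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['TicketEncryptionType'] -in '0x1', '0x3') {
                [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; User = $d['TargetUserName']; Service = $d['ServiceName']; EType = $d['TicketEncryptionType'] }
            }
        }
}

function Get-UnconstrainedDelegation {
    # TrustedForDelegation is the TRUSTED_FOR_DELEGATION bit: unconstrained delegation.
    # Domain controllers always carry it, so they are excluded from the report.
    Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
        Where-Object { $_.DistinguishedName -notlike '*OU=Domain Controllers,*' } |
        Select-Object Name, DistinguishedName
    Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation |
        Select-Object Name, DistinguishedName
}

Get-Ntlmv1Logons            | Format-Table -AutoSize
Get-DesKerberosTickets      | Format-Table -AutoSize
Get-UnconstrainedDelegation | Format-Table -AutoSize
```

Any account or host that shows up should be moved to NTLMv2, AES Kerberos, and constrained or resource-based delegation before Credential Guard is rolled out, otherwise those logons will start failing.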

Can be enabled using

Group Policy
Intune
Registry (the same values Group Policy writes)
Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool (the DG_Readiness_Tool PowerShell script)

Configure using Group Policy

Computer Configuration > Administrative Templates > System > Device Guard
Double-click Turn On Virtualization Based Security
Select Enabled
In the 'Select Platform Security Level' box, choose 'Secure Boot' or 'Secure Boot and DMA Protection'
In the 'Credential Guard Configuration' box, choose 'Enabled with UEFI lock' or 'Enabled without lock'
With the UEFI lock, the setting is persisted in UEFI variables and cannot be turned off remotely (removing it requires a physical presence at the machine); 'Enabled without lock' can be reverted by Group Policy later
A reboot is required for the change to take effect
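The registry method listed earlier writes exactly the values that the Group Policy steps above set. The script below is an added example, not from the episode: it maps each Group Policy choice to its registry value and then reports whether the isolated LSA is actually running after the reboot. It assumes it runs elevated on Windows 10 or later.

```powershell
# Added example (not from the episode): registry equivalent of the Group Policy
# steps, plus a post-reboot status check. Assumes Windows 10 or later, elevated.
#Requires -RunAsAdministrator

$dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Enable-CredentialGuard {
    param(
        # 'SecureBoot' = platform security level "Secure Boot"
        # 'SecureBootDma' = "Secure Boot and DMA Protection"
        [ValidateSet('SecureBoot', 'SecureBootDma')]
        [string] $PlatformSecurity = 'SecureBoot',
        # UEFI lock: persisted in firmware, cannot be disabled remotely afterwards
        [switch] $UefiLock
    )

    # "Turn On Virtualization Based Security" = Enabled
    New-Item -Path $dgKey -Force | Out-Null
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1

    # "Select Platform Security Level": 1 = Secure Boot, 3 = Secure Boot and DMA Protection
    $level = if ($PlatformSecurity -eq 'SecureBootDma') { 3 } else { 1 }
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Type DWord -Value $level

    # "Credential Guard Configuration": 1 = Enabled with UEFI lock, 2 = Enabled without lock
    $flags = if ($UefiLock) { 1 } else { 2 }
    Set-ItemProperty -Path $lsaKey -Name LsaCfgFlags -Type DWord -Value $flags

    Write-Host "Credential Guard configured (LsaCfgFlags=$flags, level=$level). Reboot to apply."
}

function Get-CredentialGuardStatus {
    # Win32_DeviceGuard distinguishes what is configured from what is running,
    # so the same call works before and after the reboot.
    $s = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard'
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
        VbsRunning                = ($s.VirtualizationBasedSecurityStatus -eq 2)
        # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
        CredentialGuardConfigured = ($s.SecurityServicesConfigured -contains 1)
        CredentialGuardRunning    = ($s.SecurityServicesRunning -contains 1)
        # The isolated LSA only exists as a process once Credential Guard is up
        LsaIsoProcessPresent      = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

Enable-CredentialGuard -PlatformSecurity SecureBootDma -UefiLock
Get-CredentialGuardStatus | Format-List
```

Immediately after the script runs, CredentialGuardConfigured is True while CredentialGuardRunning and LsaIsoProcessPresent are still False; all three should be True after the reboot. If VbsRunning stays False, the device fails one of the requirements (most often virtualization extensions disabled in firmware, or DMA protection requested on hardware without it).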

Configure using Intune

Log in to portal.azure.com
Select Microsoft Intune
Click Device configuration
Click Profiles > Create profile, choose the Windows 10 and later platform and the Endpoint protection profile type, then open the Windows Defender Credential Guard section and choose enabled with or without UEFI lock
Assign the profile to the device group; the same settings apply at the next policy sync and a reboot
