In this post, we’ll see how we can configure Windows Defender Credential Guard using Microsoft Intune. Windows Defender Credential Guard is a Windows 10 feature which uses virtualization-based security to isolate secrets so that only privileged system software can access them. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.

There are some prerequisites to enable Windows Defender Credential Guard:

  • Support for Virtualization-based security (required)
  • Secure boot (required)
  • TPM 1.2 or 2.0, either discrete or firmware (preferred – provides binding to hardware)
  • UEFI lock (preferred – prevents attacker from disabling with a simple registry key change)

The Virtualization-based security requires:

  • 64-bit CPU
  • CPU virtualization extensions plus extended page tables
  • Windows hypervisor (does not require Hyper-V Windows Feature to be installed)

Credential Guard is also supported on Hyper-V Virtual Machines. Below are the requirements:

  • The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
  • The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.
  16. Windows Defender Application Guard configuration
  17. Extend Application Guard to Mozilla Firefox and Google Chrome
  18. Configure Windows Defender Antivirus

Existing setup:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)

Create a Group with SkyTEN3i as member

I have created a group with SkyTEN3i as member.

Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.

Enter appropriate Name and Description. I have entered:

Name: Win 10 WDCG Policy

Description: Windows 10 : Windows Defender Credential Guard Policy

In Platform, select Windows 10 and later.

In Profile type, select Endpoint protection.

Click on Microsoft Defender Credential Guard.

In Microsoft Defender Credential Guard window, select the appropriate option.

Disabled: Credential Guard is disabled

Enable with UEFI lock: needs physical presence at the device to configure UEFI in order to disable Credential Guard.

Enable without UEFI lock: Does not need physical presence. Credential Guard can be disabled remotely also (less secure).

Select the appropriate option and click OK.

I have selected Enable without UEFI lock.

Click OK.

Click Create.

Select appropriate group.

As I want to test Credential Guard on a specific machine, I have selected the above created group. After selecting the group, click Save.

The policy is deployed.

In Client machine:

Before Sync:

Search for System Information and click on System Information app.

We see that there is no information on Credential Guard.

After Sync

We see that after syncing the policy, Credential Guard is configured but not running.

Restart the machine

After machine is restarted, open System Information again.

We see that Credential Guard is configured and running.

Testing using Mimikatz

Navigate to https://github.com/gentilkiwi/mimikatz

Click on Clone or download and click on Download ZIP.

Extract the ZIP to the LAB folder.

Open Command Prompt in administrative mode.

Click Yes.

Navigate to Lab folder.

Execute command: mimikatz.exe log “privilege::debug”

You can see that there is an notification. Click on that notification.

On the Windows Defender Security Center, allow the executable.

Note: kindly do not perform this step in Production environment. This is only to test Credential Guard.

Execute the command one more time.

We can see that the log file is created.

Enter the following in the Command Prompt: sekurlsa::logonpasswords.

Enter the following in the Command Prompt: Exit.

Open the log file.

Scroll down to get the User details.

We see that the data is encrypted.

This screenshot is from a device where Credential Guard is not enabled. We can see that NTLM hash is visible.

Done.

Leave a comment

Your email address will not be published. Required fields are marked *