How to activate Microsoft Defender Credential Guard and Exploit Guard

Last update: 31/03/2026
Author Isaac
  • Microsoft Defender Credential Guard isolates credentials using virtualization-based security, blunting attacks such as Pass-the-Hash and Pass-the-Ticket.
  • Credential Guard can be enabled through Intune, Group Policy, or the Registry, subject to hardware, firmware, and licensing requirements.
  • Enabling Credential Guard breaks some legacy protocols and features, so application compatibility must be validated beforehand.
  • Combined with Microsoft Defender Antivirus and Exploit Guard, it provides robust defense against credential theft and the exploitation of vulnerabilities.

Microsoft Defender Credential Guard and Exploit Guard Configuration

Protecting credentials in Windows and hardening the system against exploits has become practically mandatory in any modern business environment. Attacks such as Pass-the-Hash, Pass-the-Ticket, or the abuse of zero-day vulnerabilities take advantage of any configuration oversight to move laterally through the network and take control of servers and workstations in a matter of minutes.

In this context, Microsoft Defender Credential Guard and Exploit Guard technologies (along with the Microsoft Defender antivirus engine) are key components of the security strategy in Windows 10, Windows 11, and Windows Server. In the following lines, you will see, step by step and in detail, how they work, their requirements, and how to correctly activate or deactivate them using Intune, Group Policy, the Registry, PowerShell, and other tools, while avoiding unnecessarily breaking compatibility.

What is Microsoft Defender Credential Guard and why is it so important?

Windows Defender Credential Guard is a security feature introduced by Microsoft in Windows 10 Enterprise and Windows Server 2016. It relies on virtualization-based security (VBS) to isolate authentication secrets: instead of the Local Security Authority (LSA) holding credentials directly in its own memory, an isolated LSA process (LSAIso.exe) runs in a protected environment that the normal operating system cannot read.

Thanks to this isolation, only privileged system software can access the NTLM password hashes and Kerberos ticket-granting tickets (TGTs) stored there, and domain credentials saved by Credential Manager receive the same protection. Any malicious code that reads the memory of the conventional LSA process (lsass.exe) will find that those secrets are no longer present. Note that local accounts and Microsoft accounts fall outside this protection: Credential Guard covers domain-derived credentials.

This approach drastically reduces the effectiveness of classic post-exploitation tools such as Mimikatz for Pass-the-Hash or Pass-the-Ticket attacks: the hashes and tickets that were previously easy to dump now live in an isolated memory container that malware cannot reach, even when it runs with administrator privileges on the compromised system.

It is worth clarifying that Credential Guard is not the same as Device Guard. While Credential Guard protects credentials and secrets, Device Guard (and the related application control technologies) focuses on preventing unauthorized code from running on the computer. They are complementary, but they solve different problems.

Still, Credential Guard is not a silver bullet against Mimikatz or against insider attackers. An attacker who already controls an endpoint can capture credentials as the user types them (for example, with a keylogger or by injecting code into the authentication flow). It also does nothing to stop an employee with legitimate access to certain data from copying or exfiltrating it: Credential Guard protects credentials in memory, not user behaviour.

Credential Guard enabled by default in Windows 11 and Windows Server

In modern versions of Windows, Credential Guard is switched on automatically in many cases. Starting with Windows 11 22H2 (Enterprise editions) and Windows Server 2025, devices that meet the hardware, firmware, and configuration requirements get VBS and Credential Guard enabled by default, with no action from the administrator.

On these systems the default enablement is performed without UEFI lock. This means that, although Credential Guard is on by default, the administrator can later disable it remotely via Group Policy, Intune, or another management method, because the lock option has not been set in the firmware.

When Credential Guard is enabled, virtualization-based security (VBS) is enabled with it. VBS is the component that creates the protected environment in which the isolated LSA runs and the secrets are kept, so the two features go hand in hand in these versions.

An important nuance is that values explicitly configured by the administrator always prevail over the defaults. If Credential Guard has been enabled or disabled via Intune, GPO, or the Registry, that explicit state overrides the default enablement after the computer restarts.

Likewise, if a device had Credential Guard explicitly disabled before upgrading to a version of Windows that enables it by default, the device keeps that disabled state after the upgrade and does not turn the feature on automatically, unless its configuration is changed again with one of the management tools.

System, hardware, firmware and licensing requirements

For Credential Guard to offer real protection, the computer must meet certain hardware, firmware, and software requirements. The more of the optional platform capabilities are present, the stronger the achievable level of security.

First, a 64-bit CPU with support for virtualization-based security is mandatory. In practice the processor and motherboard must support the virtualization extensions (Intel VT-x or AMD-V with second-level address translation), and those features must be enabled in the UEFI/BIOS.

Another critical element is Secure Boot. Secure Boot ensures that the system starts by loading only trusted, signed firmware and boot software. VBS and Credential Guard rely on it to prevent an attacker from tampering with boot components to disable or subvert the protection.

Although not strictly mandatory, a Trusted Platform Module (TPM) version 2.0 (or 1.2) is strongly recommended. Whether discrete or firmware-based, the TPM lets the encryption keys and secrets be bound to the hardware, adding a layer that seriously complicates matters for anyone trying to carry or reuse those secrets on another device.

It is also highly advisable to enable the UEFI lock for Credential Guard. The lock prevents anyone with administrative access to the system from disabling the protection simply by changing a Registry value or a policy. With the lock in place, disabling Credential Guard requires a much more controlled and explicit procedure that involves physical presence at the device (see the section on disabling below).

In terms of licensing, Credential Guard is not available in every edition of Windows. It is supported in the enterprise and education editions (Windows Enterprise and Windows Education) and on Windows Server; Windows Pro and Pro Education/SE do not include it.

The usage rights for Credential Guard are tied to certain subscription licences, such as Windows Enterprise E3 and E5 and Windows Education A3 and A5. The Pro editions are not entitled to this functionality, even though they run the same operating system binaries.

Application compatibility and locked features

Before deploying Credential Guard at scale, review the applications and services that rely on specific authentication mechanisms. Not all legacy software works with these protections, and some protocols are blocked outright.

When Credential Guard is enabled, features considered risky are disabled, so applications that depend on them stop working correctly. These are known as the application requirements: conditions an application must not depend on if it is to keep working with Credential Guard active.

Among the features that are blocked outright are:

  • Kerberos DES encryption support.
  • Kerberos unconstrained delegation.
  • Extraction of Kerberos TGTs from the LSA.
  • The NTLMv1 protocol.

In addition, there are features that, while not prohibited, carry additional risk when used together with Credential Guard. Applications that rely on digest authentication, credential delegation, MS-CHAPv2, or CredSSP deserve special attention, because they can expose credentials insecurely if they are not carefully configured.

Performance problems have also been observed in applications that try to attach to or interact directly with the isolated process LSAIso.exe. Because that process is protected, repeated access attempts add overhead or cause slowdowns in specific scenarios.

The good news is that modern services and protocols that use Kerberos as standard are unaffected. Access to SMB shares or a properly configured Remote Desktop keep working normally with Credential Guard active, as long as they do not depend on the legacy features listed above.

How to enable Credential Guard: Intune, GPO, and Registry

The best way to enable Credential Guard depends on the size of your environment and how it is managed. For organizations with modern management, Microsoft Intune (MDM) is the most convenient route, while in traditional Active Directory domains Group Policy is still the norm. For finer adjustments or scripted automation, the Registry remains an option.

First of all, note that Credential Guard should be enabled before the computer is joined to the domain, or at least before a domain user logs on for the first time. If it is enabled afterwards, the user and machine secrets may already have been exposed, reducing the real benefit of the protection.

In general terms, you can enable Credential Guard by:

  • Microsoft Intune / MDM management.
  • Group Policy (GPO) in Active Directory or local policy editor.
  • Direct modification of the Windows Registry.

Whichever method you use, remember that a restart is mandatory for the change to take effect: Credential Guard, VBS, and the isolation components are initialized at boot, so changing the policy alone is not enough.

Activate Credential Guard with Microsoft Intune

If you manage your devices with Intune, there are two main approaches: the Endpoint Security templates, or a custom policy that configures the DeviceGuard CSP through OMA-URI settings.

In the Intune portal, go to "Endpoint security > Account protection" and create a new account protection policy. Select the "Windows 10 and later" platform and the "Account protection" profile type (in whichever variant your tenant offers).

When configuring the settings, set "Turn on Credential Guard" to "Enable with UEFI lock" if you want to prevent the protection from being switched off remotely; with the lock, Credential Guard is anchored in the firmware, raising both the physical and the logical security of the device. Choose "Enable without UEFI lock" during a pilot, so the setting can still be reverted by policy.

Once the parameters are defined, assign the policy to a group containing the devices or users you want to protect. The policy is applied when the device syncs with Intune and, after the required restart, Credential Guard is active.

If you prefer to control the details yourself, you can use a custom policy based on the DeviceGuard CSP. To do so, create OMA-URI entries with the following names and values:

Setting: Enable virtualization-based security
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/EnableVirtualizationBasedSecurity
Data type: Integer
Value: 1

Setting: Credential Guard configuration
OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceGuard/LsaCfgFlags
Data type: Integer
Value: 1 (enabled with UEFI lock), 2 (enabled without lock), 0 (disabled)

After applying this custom policy and restarting, the device boots with VBS and Credential Guard active, and its domain credentials are protected in the isolated container.

Configure Credential Guard using group policy

In environments with a traditional Active Directory, the most natural way to enable Credential Guard at scale is through Group Policy Objects (GPOs). You can do it from the local policy editor on a single computer or from the Group Policy Management Console at domain level.

To configure the policy, open the GPO editor and navigate to Computer Configuration > Administrative Templates > System > Device Guard. There you will find the policy "Turn On Virtualization Based Security" (shown in some versions as "Enable virtualization-based security").

Set the policy to "Enabled" and choose the desired option in the "Credential Guard Configuration" drop-down: "Enabled with UEFI lock" or "Enabled without lock", depending on the level of physical protection you want. The same policy also exposes the platform security level (Secure Boot, or Secure Boot and DMA Protection) that the Registry method below sets through RequirePlatformSecurityFeatures.

Once the GPO is configured, link it to the organizational unit or domain where the target computers reside. You can narrow its scope with security group filtering or WMI filters so that it only applies to certain types of device (for example, only to corporate laptops with compatible hardware).

When the machines receive the policy and restart, Credential Guard is activated according to the GPO settings, using the domain infrastructure to deploy it in a standardized way.

Enable Credential Guard by modifying the Windows Registry

If you need very granular control or want to automate deployment with scripts, you can configure Credential Guard directly through Registry values. This method requires precision, because an incorrect value can leave the system in an unexpected state.

For virtualization-based security and Credential Guard to become active, you must create or modify several values under specific keys. The relevant ones are:

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Name: EnableVirtualizationBasedSecurity
Type: REG_DWORD
Value: 1 (enables virtualization-based security)

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
Name: RequirePlatformSecurityFeatures
Type: REG_DWORD
Value: 1 (Secure Boot only) or 3 (Secure Boot and DMA protection)

Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Name: LsaCfgFlags
Type: REG_DWORD
Value: 1 (enables Credential Guard with UEFI lock), 2 (enables Credential Guard without lock), 0 (disabled)

After writing these values, restart the computer so that the Windows hypervisor and the isolated LSA process come into play. Without that restart the Registry changes do not actually activate the memory protection. Note also that if a GPO or MDM policy manages the same values, it will overwrite whatever you configure here at the next policy refresh.
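As an added example (this script is not part of the original article), here is the Registry procedure above driven from an elevated PowerShell session, preceded by checks for the prerequisites listed earlier. The function names are ours; the cmdlets and Registry values are the standard ones.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Writes the three Registry values above
# after checking the prerequisites listed earlier. Assumes a 64-bit Windows Enterprise,
# Education or Server edition booted from UEFI. Function names are ours.

function Test-CredentialGuardPrerequisites {
    $issues = @()

    if (-not [Environment]::Is64BitOperatingSystem) { $issues += 'operating system is not 64-bit' }

    # Virtualization extensions must be enabled in firmware. Win32_Processor reports False here
    # once a hypervisor is already running, so treat it as a warning rather than a failure.
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    if (-not $cpu.VirtualizationFirmwareEnabled) {
        Write-Warning 'firmware reports virtualization disabled (or a hypervisor is already running)'
    }

    # Secure Boot is required; Confirm-SecureBootUEFI throws on legacy BIOS systems.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $issues += 'Secure Boot is off' }
    } catch {
        $issues += 'not booted from UEFI, Secure Boot unavailable'
    }

    # TPM is recommended, not mandatory: report it but do not block.
    $tpm = Get-Tpm -ErrorAction SilentlyContinue
    if (-not ($tpm -and $tpm.TpmPresent)) { Write-Warning 'no TPM detected; keys cannot be bound to hardware' }

    # Licensing: Credential Guard is only supported on Enterprise, Education and Server editions.
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    if ($caption -notmatch 'Enterprise|Education|Server') { $issues += "edition not supported: $caption" }

    return $issues
}

function Enable-CredentialGuardViaRegistry {
    param(
        [switch]$UefiLock,             # LsaCfgFlags 1 (locked in firmware) instead of 2 (unlocked)
        [switch]$RequireDmaProtection  # RequirePlatformSecurityFeatures 3 instead of 1
    )
    $issues = Test-CredentialGuardPrerequisites
    if ($issues.Count -gt 0) { throw "prerequisites not met: $($issues -join '; ')" }

    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dg)) { New-Item -Path $dg | Out-Null }   # key may not exist on a fresh install

    Set-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures -Type DWord `
        -Value $(if ($RequireDmaProtection) { 3 } else { 1 })
    Set-ItemProperty -Path $lsa -Name LsaCfgFlags -Type DWord `
        -Value $(if ($UefiLock) { 1 } else { 2 })

    Write-Host 'Values written. Credential Guard starts only after a reboot (Restart-Computer).'
}

# Pilot first without the lock, so the change can be reverted by policy or Registry alone:
Enable-CredentialGuardViaRegistry
# Once validated, lock it in the firmware and require DMA protection:
# Enable-CredentialGuardViaRegistry -UefiLock -RequireDmaProtection
```

Running the unlocked variant first is deliberate: if a legacy application breaks, the rollback is a single Registry change and a reboot, whereas the locked variant needs the SecConfig.efi procedure described later.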

How to check if Credential Guard is enabled and working

Seeing the process LsaIso.exe in Task Manager is a hint, but Microsoft does not consider it a reliable way to confirm that Credential Guard is operational. More robust procedures exist, based on built-in system tools.

The recommended options for checking Credential Guard status are System Information, PowerShell, and the Event Viewer. Each method offers a different perspective, so it is worth being familiar with all of them.

The most visual method is System Information (msinfo32.exe). Run the tool from the Start menu, select "System Summary" and look at "Virtualization-based security Services Running": "Credential Guard" should be listed there. The neighbouring "Virtualization-based security Services Configured" line shows what is configured; if Credential Guard is configured but not running, a restart is pending or a prerequisite is failing.

If you prefer something scriptable, PowerShell is your ally. From an elevated console, run:

(Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning

The property is an array of numeric codes, one per VBS service that is running: 1 is Credential Guard, 2 is Hypervisor-enforced Code Integrity (HVCI), 3 is System Guard Secure Launch and 4 is SMM firmware measurement; an empty result or a lone 0 means nothing is running. Credential Guard is therefore active when the array contains 1, not simply when "the value is 1" (a machine running only HVCI returns 2). The sibling property SecurityServicesConfigured uses the same codes for what is configured, and VirtualizationBasedSecurityStatus reports 2 when VBS itself is running.

Finally, the Event Viewer lets you review the history of Credential Guard at boot. Open eventvwr.exe, navigate to "Windows Logs > System" and filter on the "Wininit" source: event ID 13 means Credential Guard (LsaIso.exe) started and is protecting LSA credentials, 14 reports the configuration flags, 15 means it is configured but the secure kernel is not running, and 16 means LsaIso.exe failed to launch. These are useful for periodic audits and for spotting machines where the policy applied but the protection never came up.
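As an added example (not code from the original article), the three checks above combined into one script: it decodes the Win32_DeviceGuard codes so the output is readable, reports the LsaIso.exe hint separately, and pulls the Wininit boot events. The function names are ours; the class, namespace, property codes and event IDs are the documented ones.

```powershell
# Added example, not code from the original article. Decodes Win32_DeviceGuard so the numeric
# codes become readable, cross-checks LsaIso.exe, and pulls the Wininit boot events.
# Function names are ours; class, namespace, codes and event IDs are the documented ones.

function Get-CredentialGuardStatus {
    # Codes used by SecurityServicesConfigured and SecurityServicesRunning
    $serviceNames = @{
        0 = 'None'
        1 = 'Credential Guard'
        2 = 'Hypervisor-enforced Code Integrity'
        3 = 'System Guard Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    # Codes used by VirtualizationBasedSecurityStatus
    $vbsNames = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    $configured = @($dg.SecurityServicesConfigured | ForEach-Object { [int]$_ })
    $running    = @($dg.SecurityServicesRunning    | ForEach-Object { [int]$_ })

    [pscustomobject]@{
        VbsStatus              = $vbsNames[[int]$dg.VirtualizationBasedSecurityStatus]
        ServicesConfigured     = @($configured | ForEach-Object { $serviceNames[$_] })
        ServicesRunning        = @($running    | ForEach-Object { $serviceNames[$_] })
        # "contains 1", not "equals 1": a host running only HVCI returns an array of (2)
        CredentialGuardRunning = ($running -contains 1)
        # Configured but not running: reboot pending or a prerequisite failing
        RebootOrFixNeeded      = (($configured -contains 1) -and -not ($running -contains 1))
        # Process presence is only a hint, as the text says; reported separately
        LsaIsoProcessPresent   = [bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue)
    }
}

function Get-CredentialGuardBootEvents {
    param([int]$MaxEvents = 20)
    # Wininit logs the Credential Guard outcome to the System log at every boot:
    # 13 = LsaIso.exe started, 14 = configuration flags, 15 = configured but secure kernel not
    # running, 16 = LsaIso.exe failed to launch, 17 = error reading the UEFI configuration.
    # Other providers reuse these IDs, hence the provider filter after the query.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 13, 14, 15, 16, 17 } -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Wininit*' } |
        Select-Object -First $MaxEvents TimeCreated, Id, Message
}

Get-CredentialGuardStatus
Get-CredentialGuardBootEvents | Format-Table -AutoSize -Wrap
```

The RebootOrFixNeeded flag is the one worth alerting on in a fleet: it identifies machines where the policy landed but Credential Guard is not actually protecting anything, which is exactly the state an attacker hopes to find.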

Disable Credential Guard and manage UEFI lockout

Although the general recommendation is to keep Credential Guard enabled on every system that supports it, in some very specific scenarios it may be necessary to disable it, either to resolve incompatibilities with legacy applications or to perform certain diagnostic tasks.

The exact procedure depends on how Credential Guard was originally configured. If it was enabled without UEFI lock, simply revert the Intune, GPO, or Registry setting and reboot. If it was enabled with UEFI lock, additional steps are required because part of the configuration is stored in the firmware's EFI variables and Windows cannot change them on its own.

In that case, first follow the standard disabling process (revert the policy or Registry values) and then clear the related EFI variables using bcdedit and the SecConfig.efi utility.

The typical flow is: mount the EFI system partition on a temporary drive letter, copy SecConfig.efi to it, create a new boot loader entry with bcdedit that points at SecConfig.efi, set its load options to disable the isolated LSA, set a one-time boot sequence through the Windows Boot Manager, and unmount the drive.

After rebooting with this configuration, a message appears before Windows starts warning of a UEFI change. Confirming this prompt at the console is mandatory for the change to persist and for the Credential Guard EFI lock to really be cleared in the firmware; this physical confirmation is what makes the lock resistant to a purely remote attacker.
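As an added example (not the article's own script), the flow just described, driven from an elevated PowerShell session on the machine itself. The command sequence and the boot-entry GUID follow Microsoft's published procedure for removing the lock; the function name and the -AlsoDisableVbs switch are ours. Because it edits the boot configuration, try it on a lab machine before using it in production.

```powershell
#Requires -RunAsAdministrator
# Added example, not the article's own script. Clears the Credential Guard UEFI lock by
# booting SecConfig.efi once, following the documented bcdedit sequence. The GUID is the one
# used in Microsoft's procedure; any unused GUID works as the boot-entry identifier.

function Disable-CredentialGuardUefiLock {
    param(
        [string]$Drive   = 'X:',                                       # temporary mount of the EFI system partition
        [string]$EntryId = '{0cb3b571-2f2e-4343-a879-d86a476d7215}',   # boot-entry identifier
        [switch]$AlsoDisableVbs                                        # also clear the VBS lock
    )

    # 1. Revert the normal configuration first (here the Registry form; revert the GPO/Intune
    #    setting instead if that is what manages the device, or policy will re-apply it).
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -Type DWord -Value 0

    # 2. Mount the EFI system partition and copy the secure-configuration tool onto it
    mountvol $Drive /s
    Copy-Item -Path "$env:WINDIR\System32\SecConfig.efi" -Destination "$Drive\EFI\Microsoft\Boot\SecConfig.efi" -Force

    # 3. One-time boot entry that runs SecConfig.efi with the option to clear the isolated-LSA lock.
    #    Braces are quoted so PowerShell passes them through to bcdedit literally.
    $loadOptions = if ($AlsoDisableVbs) { 'DISABLE-LSA-ISO,DISABLE-VBS' } else { 'DISABLE-LSA-ISO' }
    bcdedit /create $EntryId /d "DebugTool" /application osloader
    bcdedit /set $EntryId path "\EFI\Microsoft\Boot\SecConfig.efi"
    bcdedit /set '{bootmgr}' bootsequence $EntryId
    bcdedit /set $EntryId loadoptions $loadOptions
    bcdedit /set $EntryId device "partition=$Drive"

    # 4. Unmount; on the next boot the firmware prompt must be confirmed at the console
    mountvol $Drive /d
    Write-Host 'Reboot now and accept the UEFI change prompt; the lock is cleared only after confirmation.'
}

Disable-CredentialGuardUefiLock
# Disable-CredentialGuardUefiLock -AlsoDisableVbs   # when VBS itself should be unlocked too
```

The bootsequence entry is consumed on the next boot, so the machine returns to its normal boot order afterwards; if the prompt is dismissed instead of confirmed, the lock stays in place and the procedure has to be repeated.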

If what you need is to disable Credential Guard on a specific Hyper-V virtual machine, you can do so from the host, without touching the guest, using PowerShell. With the VM turned off, run:

Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

With that setting the virtual machine stops exposing VBS, so Credential Guard cannot run in the guest even if the guest operating system supports it; this is useful in very specific lab or testing environments. Set the parameter back to $false to re-enable it.

Credential Guard on Hyper-V virtual machines

Credential Guard is not limited to physical hardware. It can also protect credentials inside Windows virtual machines running on Hyper-V, providing a level of isolation similar to that of bare-metal hardware.

In that situation, Credential Guard protects secrets against attacks originating from inside the virtual machine itself. In other words, if an attacker compromises system processes within the VM, the VBS boundary still isolates the LSA and reduces the exposure of hashes and tickets.

However, be clear about the limit: Credential Guard cannot defend the VM from attacks launched from the host with elevated privileges. The hypervisor and the host operating system have full control over their virtual machines, so a malicious host administrator can bypass these barriers.

For Credential Guard to work correctly in these deployments, the Hyper-V host must have an IOMMU (input/output memory management unit) to isolate memory and device access, and the virtual machines must be Generation 2 with UEFI firmware, which provides Secure Boot and the other required capabilities.

With these requirements in place, the experience of using Credential Guard in VMs is very similar to that on a physical machine, including the same activation methods (Intune, GPO, Registry) and the same verification methods (msinfo32, PowerShell, Event Viewer).
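As an added example (not code from the original article), a host-side check for the requirements just listed: IOMMU on the host, Generation 2 with Secure Boot on the guest, and the VBS opt-out flag from the previous section not being set. The function name and the VM name are placeholders of ours; the Hyper-V cmdlets are the standard ones.

```powershell
# Added example, not code from the original article. Run on the Hyper-V host as administrator
# to check the prerequisites the text lists for a guest. Function name and VM name are ours.

function Test-VMCredentialGuardReady {
    param([Parameter(Mandatory)][string]$VMName)
    $ok = $true

    # Host side: an IOMMU shows up as "DMA protection" (code 3) in AvailableSecurityProperties
    $hostDg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $hostProps = @($hostDg.AvailableSecurityProperties | ForEach-Object { [int]$_ })
    if (-not ($hostProps -contains 3)) {
        Write-Warning 'host reports no DMA protection (IOMMU); VBS will not be offered to guests'
        $ok = $false
    }

    # Guest side: only Generation 2 VMs have UEFI firmware and therefore Secure Boot
    $vm = Get-VM -Name $VMName
    if ($vm.Generation -ne 2) {
        Write-Warning "$VMName is Generation $($vm.Generation); only Generation 2 VMs support VBS"
        return $false
    }
    $fw = Get-VMFirmware -VMName $VMName
    if ($fw.SecureBoot -ne 'On') {
        Write-Warning "Secure Boot is off on $VMName; fix (VM off) with: Set-VMFirmware -VMName $VMName -EnableSecureBoot On"
        $ok = $false
    }

    # The host-side opt-out flag overrides anything the guest configures
    $sec = Get-VMSecurity -VMName $VMName
    if ($sec.VirtualizationBasedSecurityOptOut) {
        Write-Warning "VBS is opted out for $VMName; clear (VM off) with: Set-VMSecurity -VMName $VMName -VirtualizationBasedSecurityOptOut `$false"
        $ok = $false
    }

    return $ok
}

Test-VMCredentialGuardReady -VMName 'CORP-WS01'   # placeholder VM name
```

Once the function returns $true, the guest is configured exactly like a physical machine with the Intune, GPO or Registry methods above, and verified with the same Win32_DeviceGuard query inside the guest.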

Exploit Guard and Microsoft Defender: Activate and manage general protection

Alongside Credential Guard, the Windows security ecosystem relies on Microsoft Defender Antivirus and on technologies such as Exploit Guard, which comprises attack surface reduction (ASR) rules, network protection, controlled folder access, and exploit protection, all aimed at slowing down malware and mitigating exploits.

On many machines Microsoft Defender Antivirus comes pre-installed and enabled by default (it is built into Windows 8, Windows 10, and Windows 11), but it is fairly common to find it disabled because of earlier policies, the installation of a third-party solution, or manual Registry changes.

To enable Microsoft Defender Antivirus through local Group Policy, open the Start menu, search for "Group Policy" and select "Edit group policy". Under "Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus" (named "Windows Defender Antivirus" in older builds) you will find the policy "Turn off Microsoft Defender Antivirus".

If this policy is set to "Enabled", the antivirus is forcibly disabled. To restore it, set the policy to "Disabled" or "Not Configured", apply the change and close the editor. The service will be able to start again after the next policy refresh.

If Defender was explicitly disabled through the Registry, check the key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender and locate the value DisableAntiSpyware. In the Registry Editor, open it and set its value data to 0 (or delete it) to allow the antivirus to run again. Microsoft deprecated this value in 2020 and current client builds with tamper protection ignore it, so on a managed device the real cause is usually a policy rather than this key.

After these adjustments, go to "Start > Settings > Update & Security > Windows Security" (in older versions, "Windows Defender") and verify that the "Real-time protection" switch is on. If it is still off, enable it manually so that the antivirus defense starts with the system.

For maximum protection, enable both real-time protection and cloud-delivered protection. From the "Windows Security" app, go to "Virus & threat protection > Virus & threat protection settings > Manage settings" and turn on the corresponding switches.

If these options are not visible, a Group Policy is probably hiding the antivirus section of Windows Security. Check "Computer Configuration > Administrative Templates > Windows Components > Windows Security > Virus and threat protection" and make sure the "Hide the Virus and threat protection area" policy is set to "Disabled" or "Not Configured", then apply the change.

It is equally important to keep the security intelligence (virus definitions) up to date so that Defender can detect recent threats. In Windows Security, under "Virus & threat protection > Virus & threat protection updates", click "Check for updates" to download the latest signatures.

If you prefer the command line, that also works. You can start the Microsoft Defender service from an elevated command prompt: press Windows + R, type cmd, and run:

sc start WinDefend

This starts the main antivirus service, provided no policy or other block prevents it, and is a quick way to verify that the engine starts without errors. If you run it from PowerShell, type sc.exe instead of sc, because in PowerShell sc is an alias for Set-Content.

To find out whether your computer is using Microsoft Defender, open the Control Panel and go to "Security and Maintenance". Under "Security" you will see a summary of the antivirus status and of the other active protections on the machine. PowerShell users get the same information, and more, from Get-MpComputerStatus.
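As an added example (not code from the original article), the Defender checks and fixes from this section scripted with the Defender PowerShell module, plus the Exploit Guard settings the section names: network protection, controlled folder access, and an ASR rule. The function names are ours; the ASR rule ID is the published one for "Block credential stealing from the Windows local security authority subsystem (lsass.exe)", which complements Credential Guard on editions that cannot run it.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article. Scripts the Defender checks above with the
# Defender PowerShell module and adds the Exploit Guard settings this section names. Function
# names are ours. Tamper protection may reject some of these changes on a managed device; that
# is expected, and the managing policy should then be corrected instead.

function Get-DefenderHealth {
    $status = Get-MpComputerStatus
    # Legacy policy value from the Registry key discussed above, if it exists at all
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ServiceRunning     = ((Get-Service -Name WinDefend).Status -eq 'Running')
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        SignatureAgeDays   = $status.AntivirusSignatureAge
        DisabledByPolicy   = [bool]$policy.DisableAntiSpyware
    }
}

function Repair-DefenderBaseline {
    # Equivalent of "sc start WinDefend"; sc.exe because sc is an alias of Set-Content in PowerShell
    if ((Get-Service -Name WinDefend).Status -ne 'Running') { sc.exe start WinDefend | Out-Null }

    # Real-time and cloud-delivered protection, the two switches the text asks you to verify
    Set-MpPreference -DisableRealtimeMonitoring $false
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples

    # Exploit Guard: network protection enforced, controlled folder access in audit first
    # (it blocks writes to protected folders and commonly needs application exclusions)
    Set-MpPreference -EnableNetworkProtection Enabled
    Set-MpPreference -EnableControlledFolderAccess AuditMode

    # Exploit Guard: ASR rule that blocks credential dumping from lsass.exe. Add-MpPreference
    # appends to the existing rule list; Set-MpPreference would replace it. Start in audit mode
    # and switch to Enabled once the Defender operational log shows no legitimate hits.
    $lsassRule = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
    Add-MpPreference -AttackSurfaceReductionRules_Ids $lsassRule -AttackSurfaceReductionRules_Actions AuditMode

    # Security intelligence update, the "Check for updates" button
    Update-MpSignature
}

Get-DefenderHealth
Repair-DefenderBaseline
Get-DefenderHealth
```

Audit mode is the right starting point for both controlled folder access and the ASR rule: the Defender operational log records what would have been blocked, so the rule can be moved to Enabled only after confirming that no backup agent, EDR sensor or other legitimate process reads lsass.exe memory.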

By combining Credential Guard, which protects credentials in memory, with a properly configured Microsoft Defender, Exploit Guard, and appropriate hardening rules, you reach a significantly higher level of security against credential theft, advanced malware, and lateral movement within the domain. There is always a compatibility cost with legacy protocols and applications, but for most organizations the overall security gain more than compensates for it.