Use Windows Defender Credential Guard and HVCI correctly
Posted by Luis Andrianto on September 15th, 2021

Windows Defender Credential Guard helps secure login data in networks. Hypervisor-Protected Code Integrity (HVCI), in turn, uses virtualization technologies to protect the memory of computers.

Windows Defender Credential Guard is an internal protection system for the network that can be used on Windows 10 and Windows Server 2016/2019. If attackers have penetrated the network, there is a risk, without further protection mechanisms, that user credentials will be compromised. Microsoft has integrated technologies into Windows 10 and Windows Server 2016/2019 that use functions from Hyper-V to improve the security of computers on the fly.

Getting started with virtualization-based security in Windows 10 and Windows Server 2016/2019
This is exactly what Windows Defender Credential Guard is designed to prevent. In Windows 10 and Windows Server 2016/2019 it is possible to use virtualization technologies to create a VM with Windows Defender Credential Guard. The data in this VM is only available to verified processes. The point of the technology is to securely seal off login data. Once the technology has been activated, it is no longer possible for an attacker to access login data from a system. The system reliably protects against pass-the-hash or pass-the-ticket attacks. Pass-the-hash attacks (PtH) are a more advanced form of password attack in the network. They generally affect all Windows systems, including those in Active Directory. PtH attacks do not target the passwords themselves, but rather the hashes that are generated in Active Directory after a user has authenticated. Technologies such as Windows Defender Credential Guard and Hypervisor-Protected Code Integrity are used to protect Windows networks from these attacks.
Activate Windows Defender Credential Guard
The script checks whether the server is compatible with the use of Windows Defender Credential Guard and Hypervisor-Protected Code Integrity (HVCI). A TPM chip and a current UEFI are required for this. Both technologies should work on most servers. The computers protected with Windows Defender Credential Guard must also be started with Secure Boot. In addition to Windows servers, Windows Defender Credential Guard can also be used on workstations. This makes sense on computers on which employees work with particularly sensitive data, or where the login data carries extensive authorizations in Active Directory. Windows Defender Credential Guard and Hypervisor-Protected Code Integrity (HVCI) rely on technologies from Hyper-V. For this reason, Hyper-V must be available on the protected computers, and the computers must be compatible with Hyper-V.

Activate Windows Defender Credential Guard
These functions can be found in the group policies under "Computer Configuration \ Administrative Templates \ System \ Device Guard". The "Enable virtualization-based security" option controls the protection. Various options are available in the policy. Successful activation can be seen in the system information under "System Summary" in the lower area. Windows 10 displays the system information after entering "msinfo32.exe". The various activated services are listed in the lower area under "Virtualization-based security".

Core isolation: Hypervisor-Protected Code Integrity
The protection can be configured in the Windows 10 app "Windows Security". It can be found under "Device security" under "Core isolation details". The protection can be activated and deactivated here. If the system uses drivers that are not compatible, the protection cannot be activated. The Windows Security app lists the incompatible drivers behind the link "Check incompatible drivers".
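As an added example that is not part of the original post: a PowerShell check covering the requirements listed above (TPM, UEFI Secure Boot, hypervisor support) together with the activation state that msinfo32 shows for Credential Guard and HVCI. It reads the documented Win32_DeviceGuard WMI class and the DeviceGuard/Lsa registry values written by the group policy; the property code tables are reproduced from Microsoft's documentation, and the function name Get-VbsStatus is chosen here.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# on Windows 10 / Windows Server 2016/2019. Property codes follow Microsoft's
# Win32_DeviceGuard documentation; Get-VbsStatus is a name chosen here.
function Get-VbsStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $propNames = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                    4 = 'Secure memory overwrite'; 5 = 'UEFI code read-only';
                    6 = 'SMM security mitigations 1.0'; 7 = 'Mode-based execution control' }
    $svcNames  = @{ 1 = 'Credential Guard'; 2 = 'HVCI';
                    3 = 'System Guard Secure Launch'; 4 = 'SMM firmware measurement' }
    $vbsStates = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

    # Policy values that the Device Guard group policy and LSA settings write to the registry.
    $dgKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $hvciKey = "$dgKey\Scenarios\HypervisorEnforcedCodeIntegrity"
    $lsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $vbsPolicy  = (Get-ItemProperty -Path $dgKey   -ErrorAction SilentlyContinue).EnableVirtualizationBasedSecurity
    $hvciPolicy = (Get-ItemProperty -Path $hvciKey -ErrorAction SilentlyContinue).Enabled
    $lsaCfg     = (Get-ItemProperty -Path $lsaKey  -ErrorAction SilentlyContinue).LsaCfgFlags
    $cgPolicy = 'Not configured'
    if ($lsaCfg -eq 1) { $cgPolicy = 'Enabled with UEFI lock' }
    elseif ($lsaCfg -eq 2) { $cgPolicy = 'Enabled without UEFI lock' }

    # Hard requirements named in the article: Secure Boot (UEFI) and a TPM.
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS systems
    $tpmPresent = $false
    try { $tpmPresent = (Get-Tpm).TpmPresent } catch { }

    [pscustomobject]@{
        VbsState              = $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
        AvailableProperties   = @($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] })
        RequiredProperties    = @($dg.RequiredSecurityProperties  | ForEach-Object { $propNames[[int]$_] })
        ServicesConfigured    = @($dg.SecurityServicesConfigured  | ForEach-Object { $svcNames[[int]$_] })
        ServicesRunning       = @($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] })
        SecureBootEnabled     = $secureBoot
        TpmPresent            = $tpmPresent
        VbsPolicyEnabled      = ($vbsPolicy -eq 1)
        CredentialGuardPolicy = $cgPolicy
        HvciPolicyEnabled     = ($hvciPolicy -eq 1)
    }
}

$status = Get-VbsStatus
$status | Format-List
# Configured-but-not-running is the typical failure: a prerequisite above is missing.
if ('Credential Guard' -in $status.ServicesConfigured -and 'Credential Guard' -notin $status.ServicesRunning) {
    Write-Warning 'Credential Guard is configured but not running; check Secure Boot, TPM and hypervisor support.'
}
```

A drift from the intended policy (for example an HVCI that is configured but not in ServicesRunning because of an incompatible driver) is visible in the same object, which makes it suitable for periodic compliance reporting.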