Use Windows Defender Credential Guard and HVCI correctly

Posted by Luis Andrianto on September 15th, 2021

Windows Defender Credential Guard helps secure login data in networks. Hypervisor-Protected Code Integrity (HVCI), in turn, uses virtualization technologies to protect the memory of computers.

Windows Defender Credential Guard is an internal protection system in the network that can be used on Windows 10 and Windows Server 2016/2019. If attackers have penetrated the network, without further protection mechanisms there is a risk that user credentials will be compromised. Microsoft has integrated technologies into Windows 10 and Windows Server 2016/2019 that use functions from Hyper-V to improve the security of computers on the fly.

Introduction to the virtualization-based security of Windows 10 and Windows Server 2016/2019

This is what Windows Defender Credential Guard is meant to prevent. In Windows 10 and Windows Server 2016/2019 it is possible to use virtualization technologies to create a VM for Windows Defender Credential Guard. The data in this VM is only available to verified processes. The point of the technology is to seal off login data securely. Once the technology has been activated, an attacker can no longer read login data from the system. The system reliably protects against pass-the-hash and pass-the-ticket attacks.

Pass-the-hash attacks (PtH) are an advanced form of password attack in the network. They generally affect all Windows systems, including those in Active Directory. PtH attacks do not target the passwords themselves, but rather the hashes that are generated in Active Directory after a user has authenticated. Technologies such as Windows Defender Credential Guard and Hypervisor-Protected Code Integrity are used to protect Windows networks from these attacks.


Activate Windows Defender Credential Guard


The technology can be activated with the "HVCI and Windows Defender Credential Guard hardware readiness tool", a PowerShell script that is also available in the Microsoft download center. The readiness tool sometimes produces errors on German systems; in that case the script must be examined for incorrect names.

The script checks whether the server is compatible with Windows Defender Credential Guard and Hypervisor-Protected Code Integrity (HVCI). A TPM chip and a current UEFI are required for this. Both technologies should work on most servers. Computers protected with Windows Defender Credential Guard must also be started with Secure Boot.

In addition to Windows servers, Windows Defender Credential Guard can also be used on workstations. This makes sense on computers on which employees work with particularly sensitive data, or where the login data has extensive authorizations in Active Directory.

Windows Defender Credential Guard and Hypervisor-Protected Code Integrity (HVCI) rely on technologies from Hyper-V. For this reason, Hyper-V must be available on the protected computers and the computers must be compatible with Hyper-V.
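The prerequisites named above (TPM, UEFI with Secure Boot, hypervisor support) can be checked from PowerShell without the readiness tool. The script below is an added example, not the article's code and not Microsoft's readiness script; it assumes an elevated session on Windows 10 / Windows Server 2016 or later, where the TrustedPlatformModule and SecureBoot modules and the Win32_DeviceGuard WMI class ship with the OS. The property values it decodes are Microsoft's documented meanings for AvailableSecurityProperties and VirtualizationBasedSecurityStatus.

```powershell
# Added example: readiness check for Credential Guard / HVCI (not the article's code).
# Run in an elevated PowerShell on the machine to be protected.

function Test-VbsReadiness {
    $result = [ordered]@{}

    # TPM present and ready; Get-Tpm is in the TrustedPlatformModule module.
    try {
        $tpm = Get-Tpm
        $result['TpmPresent'] = [bool]$tpm.TpmPresent
        $result['TpmReady']   = [bool]$tpm.TpmReady
    } catch {
        $result['TpmPresent'] = $false
        $result['TpmReady']   = $false
    }

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS systems,
    # which for our purposes simply means "not ready".
    try   { $result['SecureBoot'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBoot'] = $false }

    # What the platform offers virtualization-based security, from Win32_DeviceGuard.
    # Documented meanings of AvailableSecurityProperties:
    #   1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection,
    #   4 = Secure Memory Overwrite, 5 = UEFI code read-only,
    #   6 = SMM security mitigations, 7 = mode-based execution control
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $names = @{ 1 = 'Hypervisor'; 2 = 'SecureBoot'; 3 = 'DmaProtection'; 4 = 'SecureMemoryOverwrite';
                5 = 'UefiCodeReadOnly'; 6 = 'SmmMitigations'; 7 = 'ModeBasedExecutionControl' }
    $avail = @($dg.AvailableSecurityProperties)
    $result['AvailableSecurityProperties'] = ($avail | ForEach-Object {
        $n = [int]$_; if ($names.ContainsKey($n)) { $names[$n] } else { "Property$n" }
    }) -join ', '

    # 0 = VBS not enabled, 1 = enabled but not running, 2 = enabled and running
    $result['VbsStatus'] = @('Not enabled', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]

    # The minimum the text requires: TPM, Secure Boot (which implies UEFI), hypervisor support.
    $result['Ready'] = $result['TpmPresent'] -and $result['SecureBoot'] -and ($avail -contains 1)
    [pscustomobject]$result
}

Test-VbsReadiness | Format-List
```

A machine that reports Ready = True but lists no DmaProtection can still run Credential Guard; it just cannot satisfy a policy that requires "Secure Boot and DMA Protection".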

Activate Windows Defender Credential Guard


To activate Windows Defender Credential Guard in Windows 10 manually, the two features "Hyper-V Hypervisor" (under "Hyper-V \ Hyper-V Platform") and "Isolated User Mode" must be installed via the optional features dialog (optionalfeatures.exe). This is not necessary when the function is activated via group policy: after that activation, Windows 10 computers install the necessary features automatically.

These settings can be found in the group policies under "Computer Configuration \ Administrative Templates \ System \ Device Guard". The "Enable virtualization-based security" option controls the protection, and the policy offers various sub-options. Successful activation can be seen in the system information under "System overview" in the lower area. Windows 10 displays the system information after entering "msinfo32.exe"; the activated services are listed there under "Virtualization-based security".
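For machines that are not domain-joined, or for scripting what the policy does, the same switches can be set directly. The following is an added example and not the article's or Microsoft's code; it assumes an elevated PowerShell session and uses Microsoft's documented registry locations for the policy (EnableVirtualizationBasedSecurity and RequirePlatformSecurityFeatures under Control\DeviceGuard, LsaCfgFlags under Control\Lsa) and the Win32_DeviceGuard class that msinfo32 reads. The feature-install function reproduces the manual route from the text; the IsolatedUserMode feature only exists as a separate component on older Windows 10 builds, so it is skipped when absent.

```powershell
# Added example (not from the article): script equivalent of enabling Credential Guard
# via policy, plus the check that mirrors msinfo32 "Virtualization-based security".
# A reboot is required before the services report as running.

$DeviceGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$LsaKey         = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Install-VbsFeatures {
    # Manual route from the text (optionalfeatures.exe). Newer builds integrate
    # IsolatedUserMode into the OS, so only enable what is actually listed.
    foreach ($f in 'Microsoft-Hyper-V-Hypervisor', 'IsolatedUserMode') {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName $f -ErrorAction SilentlyContinue
        if ($feat -and $feat.State -ne 'Enabled') {
            Enable-WindowsOptionalFeature -Online -FeatureName $f -NoRestart | Out-Null
        }
    }
}

function Enable-CredentialGuardRegistry {
    param(
        # $true  = "Enabled with UEFI lock" (LsaCfgFlags = 1): cannot be switched off remotely later.
        # $false = "Enabled without lock"   (LsaCfgFlags = 2): can be reverted by policy.
        [bool]$UefiLock = $false,
        # $true = require Secure Boot and DMA protection (3); $false = Secure Boot only (1).
        [bool]$RequireDmaProtection = $false
    )
    if (-not (Test-Path $DeviceGuardKey)) { New-Item -Path $DeviceGuardKey -Force | Out-Null }
    Set-ItemProperty -Path $DeviceGuardKey -Name EnableVirtualizationBasedSecurity -Type DWord -Value 1
    Set-ItemProperty -Path $DeviceGuardKey -Name RequirePlatformSecurityFeatures -Type DWord `
        -Value $(if ($RequireDmaProtection) { 3 } else { 1 })
    Set-ItemProperty -Path $LsaKey -Name LsaCfgFlags -Type DWord -Value $(if ($UefiLock) { 1 } else { 2 })
}

function Get-VbsServiceState {
    # Decode Win32_DeviceGuard the way msinfo32 does.
    # Documented service ids: 1 = Credential Guard, 2 = HVCI,
    # 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement
    $dg  = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    $svc = @{ 1 = 'CredentialGuard'; 2 = 'HVCI'; 3 = 'SecureLaunch'; 4 = 'SmmFirmwareMeasurement' }
    $decode = { param($ids) (@($ids) | ForEach-Object {
        $n = [int]$_; if ($svc.ContainsKey($n)) { $svc[$n] } else { "Service$n" } }) -join ', ' }
    [pscustomobject]@{
        VbsStatus              = @('Not enabled', 'Enabled, not running', 'Running')[[int]$dg.VirtualizationBasedSecurityStatus]
        Configured             = & $decode $dg.SecurityServicesConfigured
        Running                = & $decode $dg.SecurityServicesRunning
        CredentialGuardRunning = (@($dg.SecurityServicesRunning) -contains 1)
    }
}

Install-VbsFeatures
Enable-CredentialGuardRegistry -UefiLock:$false
Get-VbsServiceState
# After the next reboot, "Running" should list CredentialGuard.
```

Choose the UEFI lock deliberately: with LsaCfgFlags = 1 the setting is anchored in firmware variables and removing the registry value no longer disables Credential Guard, which is the intended protection against an attacker with administrative rights simply turning it off.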

Core isolation: Hypervisor-Protected Code Integrity


Hypervisor-Protected Code Integrity uses virtualization technologies from Hyper-V to protect the Windows kernel. If the function is activated, error messages can sometimes appear when updating Windows 10 or installing applications. Problems can quickly arise with active core isolation, especially when installing new Windows 10 versions. In this case, the easiest step is to end the isolation and re-enable it after installing Windows when all drivers are up to date.

The protection can be configured in the Windows 10 app "Windows Security". It can be found under "Device security" in "Core isolation details", where the protection can be activated and deactivated. If the system uses drivers that are not compatible, the protection cannot be activated; the Windows Security app lists the incompatible drivers behind the link "Check incompatible drivers".
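The disable-update-re-enable cycle described above can be scripted instead of clicking through the app. This is an added example, not the article's or Microsoft's code; it assumes an elevated session and uses Microsoft's documented Enabled and Locked values under DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity, with the running state read from Win32_DeviceGuard (service id 2 = HVCI). It does not reproduce the driver compatibility scan that the Windows Security app performs; incompatible drivers still have to be checked there.

```powershell
# Added example (not from the article): script equivalent of the "Memory integrity"
# switch under Core isolation. Each change takes effect after a reboot.

$HvciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity'

function Get-MemoryIntegrityState {
    $enabled = 0; $locked = 0
    if (Test-Path $HvciKey) {
        $cfg = Get-ItemProperty -Path $HvciKey
        if ($null -ne $cfg.Enabled) { $enabled = [int]$cfg.Enabled }
        if ($null -ne $cfg.Locked)  { $locked  = [int]$cfg.Locked }
    }
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
    [pscustomobject]@{
        ConfiguredEnabled = $enabled                                   # registry intent
        Locked            = $locked                                    # 1 = anchored in UEFI
        Running           = (@($dg.SecurityServicesRunning) -contains 2)  # actual state
    }
}

function Set-MemoryIntegrity {
    param([Parameter(Mandatory)][bool]$Enabled)
    $state = Get-MemoryIntegrityState
    if ($state.Locked -eq 1 -and -not $Enabled) {
        # With Locked = 1 the setting is enforced from UEFI variables; clearing the
        # registry value alone does not turn it off, so stop instead of leaving a half-state.
        throw 'Memory integrity is UEFI-locked; remove the lock through policy first.'
    }
    if (-not (Test-Path $HvciKey)) { New-Item -Path $HvciKey -Force | Out-Null }
    Set-ItemProperty -Path $HvciKey -Name Enabled -Type DWord -Value ([int]$Enabled)
    Set-ItemProperty -Path $HvciKey -Name Locked  -Type DWord -Value 0
    "Memory integrity set to $Enabled in the registry; reboot to apply."
}

# Cycle from the text: switch off before a feature update, switch back on afterwards.
Set-MemoryIntegrity -Enabled $false
# ... install the new Windows 10 version and updated drivers, reboot ...
Set-MemoryIntegrity -Enabled $true
Get-MemoryIntegrityState
```

Compare ConfiguredEnabled with Running after the reboot: a configured-but-not-running result is the symptom of an incompatible driver, and the app's driver list is the place to find it.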
