deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Align formatting

Browse Source
This commit is contained in:
Anthony Swierkosz 2022-06-02 16:38:14 -04:00
parent af97d0ba7c
commit 1dbbcc23a3
No known key found for this signature in database
GPG Key ID: FA653BCC2CE12624
1 changed files with 95 additions and 102 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

83
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -28,39 +28,38 @@ ms.custom:
- Windows Server 2019
- Windows Server 2022
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard [hardware readiness tool](dg-readiness-tool.md). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
### Enable Windows Defender Credential Guard by using Group Policy
You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
1. From the Group Policy Management Console, go to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
1. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
1. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
1. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details.
1. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. See [System Guard Secure Launch and SMM protection](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details.
:::image type="content" source="images/credguard-gp.png" alt-text="Windows Defender Credential Guard Group Policy setting.":::
6. Close the Group Policy Management Console.
1. Close the Group Policy Management Console.
To enforce processing of the group policy, you can run ```gpupdate /force```.
To enforce processing of the group policy, you can run `gpupdate /force`.
### Enable Windows Defender Credential Guard by using Intune
1. From **Home**, click **Microsoft Intune**.
2. Click **Device configuration**.
1. Click **Device configuration**.
3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
1. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**.
> [!NOTE]
> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock.
@ -82,30 +81,29 @@ You can do this by using either the Control Panel or the Deployment Image Servic
> [!NOTE]
> If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
**Add the virtualization-based security features by using Programs and Features**
##### Add the virtualization-based security features by using Programs and Features
1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**.
1. Click **Turn Windows feature on or off**.
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
1. Go to **Hyper-V** > **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
4. Select the **Isolated User Mode** check box at the top level of the feature selection.
1. Select the **Isolated User Mode** check box at the top level of the feature selection.
5. Click **OK**.
1. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM**
##### Add the virtualization-based security features to an offline image by using DISM
1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command:
1. Add the Hyper-V Hypervisor by running the following command:
```console
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
```
3. Add the Isolated User Mode feature by running the following command:
1. Add the Isolated User Mode feature by running the following command:
```console
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
@ -121,22 +119,21 @@ You can do this by using either the Control Panel or the Deployment Image Servic
1. Open Registry Editor.
2. Enable virtualization-based security:
1. Enable virtualization-based security:
1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
1. Go to `HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard`.
1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Windows Defender Credential Guard:
1. Enable Windows Defender Credential Guard:
1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
1. Go to `HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA`.
1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
1. Close Registry Editor.
> [!NOTE]
> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting.
@ -158,20 +155,17 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot
### Review Windows Defender Credential Guard performance
**Is Windows Defender Credential Guard running?**
#### Is Windows Defender Credential Guard running?
You can view System Information to check that Windows Defender Credential Guard is running on a PC.
1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
2. Click **System Summary**.
1. Click **System Summary**.
3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**.
1. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Running**.
Here's an example:
> [!div class="mx-imgBorder"]
> ![System Information.](images/credguard-msinfo32.png)
:::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe).":::
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
@ -226,22 +220,21 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy.
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
1. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
- `HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags`
- `HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags`
3. If you also wish to disable virtualization-based security delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
1. If you also wish to disable virtualization-based security delete the following registry settings:
- `HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity`
- `HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures`
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
1. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
```console
mountvol X: /s
@ -254,11 +247,11 @@ To disable Windows Defender Credential Guard, you can use the following set of p
mountvol X: /d
```
5. Restart the PC.
1. Restart the PC.
6. Accept the prompt to disable Windows Defender Credential Guard.
1. Accept the prompt to disable Windows Defender Credential Guard.
7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
1. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: