From 39abfb24d5bffad2fecb7f17a610ecf83649d008 Mon Sep 17 00:00:00 2001 From: Lars Iwer Date: Thu, 27 Oct 2016 15:09:46 -0700 Subject: [PATCH 1/6] Updated enablement section Added enablement in VMs Changed other enablement flows --- windows/keep-secure/credential-guard.md | 52 ++++++++++++++++--------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index d31167eaf6..a4bc04f352 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -100,11 +100,11 @@ The following tables describes additional hardware and firmware requirements, an ## Manage Credential Guard -Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it. +Credential Guard can be enabled by using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. ### Turn on Credential Guard by using Group Policy -You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you. +You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. 3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. 
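Review bot: Step 3 in the context of this hunk is missing its opening words: "3. **Select Platform Security Level** box, choose ..." should read "3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**." Since the paragraph above it is being rewritten anyway, fold that fix into this change.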
@@ -114,13 +114,18 @@ You can use Group Policy to enable Credential Guard because it will add the virt 5. Close the Group Policy Management Console. -### Add Credential Guard to an image +To enforce processing of the group policy, you can run ```gpupdate /force```. -If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard. +### Turn on Credential Guard by using the registy -### Add the virtualization-based security features +If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. -First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). +#### Add the virtualization-based security features + +Starting with Windows 10 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. + +If you are using Windows 10 1507 (RTM) or Windows 10 1511, Windows features have to be enabled to use virtualization-based security. +You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). > [!NOTE] > If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.   
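Review bot: The new heading "### Turn on Credential Guard by using the registy" misspells "registry". In the line above it, the inline command is wrapped in triple backticks (```gpupdate /force```), which this file otherwise reserves for fenced blocks; use single backticks for inline code: `gpupdate /force`. The note kept at the end of the hunk ("If you enable Credential Guard by using Group Policy, these steps are not required") now repeats what the new "Starting with Windows 10 1607 ..." and "If you are using Windows 10 1507 (RTM) or Windows 10 1511" paragraphs already say; keep one of the two so readers get a single statement of when the feature-install steps apply.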
@@ -128,7 +133,8 @@ First, you must add the virtualization-based security features. You can do this 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. 3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Click **OK**. +4. Select the **Isolated User Mode** check box at the top level of the feature selection. +5. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. @@ -136,21 +142,17 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` +3. Add the Isolated User Mode feature by running the following command: + ``` syntax + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. - In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: -``` syntax -dism /image: /Enable-Feature /FeatureName:IsolatedUserMode -``` -### Turn on Credential Guard - -If you don't use Group Policy, you can enable Credential Guard by using the registry. - -**Turn on Credential Guard by using the registry** +#### Enable virtualization-based security and Credential Guard 1. Open Registry Editor. 2. Enable virtualization-based security: 
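Review bot: In the hunk starting at @@ -136,21 +142,17 @@, removing the IsolatedUserMode fenced block leaves the sentence before it dangling: it still ends with "you can run the following command to install Isolated User Mode:" but no command follows, and its version guidance duplicates the new "Starting with Windows 10 1607 and Windows Server 2016 ..." paragraph earlier in this commit. Either delete that sentence or point it at the new step 3 ("Add the Isolated User Mode feature by running the following command"). In the same hunk, the new "#### Enable virtualization-based security and Credential Guard" heading replaces the old "**Turn on Credential Guard by using the registry**" label but keeps "1. Open Registry Editor." directly beneath it with no blank line, unlike the other headings in the file.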
@@ -166,14 +168,28 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi > [!NOTE] > You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. -**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** +### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot ``` -  + +### Credential Guard deployment in virtual machines +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine. + +Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: + +``` PowerShell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` + +Requirements for running Credential Guard in Hyper-V virtual machines +- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. + + ### Remove Credential Guard If you have to remove Credential Guard on a PC, you need to do the following: From 1bb4cebcd3aaae5a5e8a3609c40d0a6419b6e1cd Mon Sep 17 00:00:00 2001 From: Lars Iwer Date: Thu, 27 Oct 2016 15:12:43 -0700 Subject: [PATCH 2/6] Fixed line breaks --- windows/keep-secure/credential-guard.md | 4 ++++ 1 file changed, 4 insertions(+) 
diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index a4bc04f352..839e59170d 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -105,6 +105,7 @@ Credential Guard can be enabled by using Group Policy, the registry, or the Devi ### Turn on Credential Guard by using Group Policy You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. + 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. 3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. @@ -130,6 +131,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic > If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.   **Add the virtualization-based security features by using Programs and Features** + 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. 3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. @@ -137,6 +139,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic 5. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** + 1. Open an elevated command prompt. 2. Add the Hyper-V Hypervisor by running the following command: ``` syntax 
@@ -177,6 +180,7 @@ DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot ``` ### Credential Guard deployment in virtual machines + Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine. Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: From 73bd48d04a23210777cd80733a3b9d0dd3f34302 Mon Sep 17 00:00:00 2001 From: Lars Iwer Date: Thu, 27 Oct 2016 15:14:40 -0700 Subject: [PATCH 3/6] Fixed line break --- windows/keep-secure/credential-guard.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 839e59170d..87c9c02668 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -129,6 +129,7 @@ If you are using Windows 10 1507 (RTM) or Windows 10 1511, Windows features have You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). > [!NOTE] > If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. +   **Add the virtualization-based security features by using Programs and Features** From cada0122709374d5418f3aa465075feb0f6a4e9e Mon Sep 17 00:00:00 2001 From: Lars Iwer Date: Thu, 27 Oct 2016 15:16:14 -0700 Subject: [PATCH 4/6] Updated headings --- windows/keep-secure/credential-guard.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 87c9c02668..b4f2af8443 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -100,9 +100,10 @@ The following tables describes additional hardware and firmware requirements, an ## Manage Credential Guard +### Enable Credential Guard Credential Guard can be enabled by using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. -### Turn on Credential Guard by using Group Policy +#### Turn on Credential Guard by using Group Policy You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. @@ -117,11 +118,11 @@ You can use Group Policy to enable Credential Guard. This will add and enable th To enforce processing of the group policy, you can run ```gpupdate /force```. -### Turn on Credential Guard by using the registy +#### Turn on Credential Guard by using the registy If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. -#### Add the virtualization-based security features +##### Add the virtualization-based security features Starting with Windows 10 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. @@ -156,7 +157,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: -#### Enable virtualization-based security and Credential Guard +##### Enable virtualization-based security and Credential Guard 1. Open Registry Editor. 2. Enable virtualization-based security: 
@@ -172,7 +173,7 @@ In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is inclu > [!NOTE] > You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. -### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool +#### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). @@ -180,7 +181,7 @@ You can also enable Credential Guard by using the [Device Guard and Credential G DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot ``` -### Credential Guard deployment in virtual machines +#### Credential Guard deployment in virtual machines Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine. From 1562c29654b0d8605737d4dbea71c4a9280cd9fe Mon Sep 17 00:00:00 2001 From: Lars Iwer Date: Thu, 27 Oct 2016 15:19:29 -0700 Subject: [PATCH 5/6] Fixed typo --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index b4f2af8443..77bb8859bc 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -183,7 +183,7 @@ DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot #### Credential Guard deployment in virtual machines -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine. +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: From 404d9ad4fe80e65e46ea5aa04e0f58fe80f71f9c Mon Sep 17 00:00:00 2001 From: Lars Iwer Date: Thu, 27 Oct 2016 16:04:20 -0700 Subject: [PATCH 6/6] Fixed typos --- windows/keep-secure/credential-guard.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 77bb8859bc..5e20aa7fff 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -118,7 +118,7 @@ You can use Group Policy to enable Credential Guard. This will add and enable th To enforce processing of the group policy, you can run ```gpupdate /force```. -#### Turn on Credential Guard by using the registy +#### Turn on Credential Guard by using the registry If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. 
@@ -155,8 +155,6 @@ You can do this by using either the Control Panel or the Deployment Image Servic > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. -In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: - ##### Enable virtualization-based security and Credential Guard 1. Open Registry Editor.
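Review bot: In PATCH 1/6, hunk @@ -166,14 +168,28 @@ (the new virtual-machine section), "non-priviledged" should be "non-privileged", and "have an enabled virtual TPM, and running at least" needs "and be running". The example `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` gives -VMName no value; show a placeholder so the command is copyable. Since the text states that the host administrator can disable Credential Guard for a VM from the host, it would help to say what the guest sees afterwards (whether Credential Guard reports as not running inside the VM), so guest owners know to re-check the status after the VM is reconfigured or moved.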
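Review bot: In PATCH 2/6, hunk @@ -177,6 +180,7 @@, the blank line added after "### Credential Guard deployment in virtual machines" is fine, but the same section still has "Requirements for running Credential Guard in Hyper-V virtual machines" immediately followed by its "- " bullets; that list needs the same blank line (or a bold run-in label like the ones used elsewhere in this file) that the three numbered lists received in this commit, otherwise it may render as part of the preceding paragraph.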
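Review bot: In PATCH 3/6, hunk @@ -129,6 +129,7 @@, the added line is not empty; it is a whitespace-only line of the same kind as the existing stray line directly below it. Use a plain empty line here, and replace the existing whitespace-only line while you are at it, since such lines can render as a visible empty paragraph.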
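Review bot: In PATCH 4/6, hunk @@ -100,9 +100,10 @@, "+### Enable Credential Guard" is inserted with no blank line between it and the paragraph that follows, unlike every other heading in the file; add one. With this commit the document now nests to five levels ("##### Add the virtualization-based security features", "##### Enable virtualization-based security and Credential Guard"); consider keeping those two as bold run-in labels, as the file already does for "**Add the virtualization-based security features by using Programs and Features**" and the DISM label, so the heading depth stays at four.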
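Review bot: In PATCH 5/6, hunk @@ -183,7 +183,7 @@, the change to "just as it would on a physical machine" is correct, but the very next context line still reads "non-priviledged" (should be "non-privileged"), and neither this commit nor PATCH 6/6 touches it; fold that fix into this typo commit.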