Merge pull request #268 from larsiwer/credguardupdate

Updated Credential Guard enablement section
This commit is contained in:
Brian Lich 2016-10-28 15:10:46 -07:00 committed by GitHub
commit 28f2065576


@ -100,11 +100,13 @@ The following tables describes additional hardware and firmware requirements, an
## Manage Credential Guard ## Manage Credential Guard
Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it. ### Enable Credential Guard
Credential Guard can be enabled by using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
### Turn on Credential Guard by using Group Policy #### Turn on Credential Guard by using Group Policy
You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you.
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**.
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. 3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
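Review bot: step 3 still reads "3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**." on both sides; since this list is being touched, start it with "In the" so it parallels steps 1 and 2, and say which of the two options is the stronger setting when the hardware supports it, because the option names alone do not tell the reader. The new lead sentence "This will add and enable the virtualization-based security features for you if needed" would also be more useful with a short parenthetical on when that is needed; the registry section in this same change states it is only Windows 10 1507 and 1511, so repeating that here saves the reader a jump.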
@ -114,43 +116,46 @@ You can use Group Policy to enable Credential Guard because it will add the virt
5. Close the Group Policy Management Console. 5. Close the Group Policy Management Console.
### Add Credential Guard to an image To enforce processing of the group policy, you can run ```gpupdate /force```.
If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard. #### Turn on Credential Guard by using the registry
### Add the virtualization-based security features If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). ##### Add the virtualization-based security features
Starting with Windows 10 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
If you are using Windows 10 1507 (RTM) or Windows 10 1511, Windows features have to be enabled to use virtualization-based security.
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE] > [!NOTE]
> If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you. > If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.
   
**Add the virtualization-based security features by using Programs and Features** **Add the virtualization-based security features by using Programs and Features**
1. Open the Programs and Features control panel. 1. Open the Programs and Features control panel.
2. Click **Turn Windows feature on or off**. 2. Click **Turn Windows feature on or off**.
3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. 3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box.
4. Click **OK**. 4. Select the **Isolated User Mode** check box at the top level of the feature selection.
5. Click **OK**.
**Add the virtualization-based security features to an offline image by using DISM** **Add the virtualization-based security features to an offline image by using DISM**
1. Open an elevated command prompt. 1. Open an elevated command prompt.
2. Add the Hyper-V Hypervisor by running the following command: 2. Add the Hyper-V Hypervisor by running the following command:
``` syntax ``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all dism /image:<WIM file name> /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all
``` ```
3. Add the Isolated User Mode feature by running the following command:
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
> [!NOTE] > [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager. > You can also add these features to an online image by using either DISM or Configuration Manager.
##### Enable virtualization-based security and Credential Guard
In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode:
``` syntax
dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
```
### Turn on Credential Guard
If you don't use Group Policy, you can enable Credential Guard by using the registry.
**Turn on Credential Guard by using the registry**
1. Open Registry Editor. 1. Open Registry Editor.
2. Enable virtualization-based security: 2. Enable virtualization-based security:
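Review bot: the new text contradicts itself on Isolated User Mode. The intro says that starting with Windows 10 1607 and Windows Server 2016 enabling Windows features is not necessary, and the paragraph under "##### Enable virtualization-based security and Credential Guard" says Isolated User Mode "is included with Hyper-V and does not need to be installed separately" on 1607, yet the Programs and Features list now carries an unconditional "4. Select the **Isolated User Mode** check box at the top level of the feature selection." and the DISM list an unconditional step 3 running "dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode". Qualify both steps as Windows 10 1507/1511 only, or fold them into the version-conditional paragraph, so the two lists and the intro agree. Smaller points: the version naming alternates between "Windows 10 1607" and "Windows 10, version 1607" within the hunk, and the "##### Enable virtualization-based security and Credential Guard" heading should sit directly above the registry steps it names rather than above the Isolated User Mode text.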
@ -166,14 +171,29 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi
> [!NOTE] > [!NOTE]
> You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. > You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** #### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
``` ```
DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot
``` ```
 
#### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
``` PowerShell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```
Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
### Remove Credential Guard ### Remove Credential Guard
If you have to remove Credential Guard on a PC, you need to do the following: If you have to remove Credential Guard on a PC, you need to do the following:
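Review bot: typo in the new virtual machine paragraph: "non-priviledged" should be "non-privileged". In the requirements list, "and running at least Windows Server 2016 or Windows 10" should read "and be running at least ...". "Requirements for running Credential Guard in Hyper-V virtual machines" is a bare line introducing a list; make it a heading or a bold lead like the rest of this section. The fence tags are also inconsistent: "``` PowerShell" here, "``` syntax" above, and the "DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot" block is untagged. On substance, "It does not provide additional protection from the host administrator" is the right caveat and the "Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true" example shows why; consider stating plainly that the Hyper-V host, and anyone who can administer it, is therefore inside the trust boundary for the guest's credentials, since that is the point a reader deploying this in a VM needs to plan around.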