From 39abfb24d5bffad2fecb7f17a610ecf83649d008 Mon Sep 17 00:00:00 2001 From: Lars Iwer Date: Thu, 27 Oct 2016 15:09:46 -0700 Subject: [PATCH] Updated enablement section Added enablement in VMs Changed other enablement flows --- windows/keep-secure/credential-guard.md | 52 ++++++++++++++++--------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index d31167eaf6..a4bc04f352 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -100,11 +100,11 @@ The following tables describes additional hardware and firmware requirements, an ## Manage Credential Guard -Credential Guard uses virtualization-based security features that must be enabled on each PC before you can use it. +Credential Guard can be enabled by using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. ### Turn on Credential Guard by using Group Policy -You can use Group Policy to enable Credential Guard because it will add the virtualization-based security features for you. +You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed. 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. 3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. 
@@ -114,13 +114,18 @@ You can use Group Policy to enable Credential Guard because it will add the virt 5. Close the Group Policy Management Console. -### Add Credential Guard to an image +To enforce processing of the group policy, you can run ```gpupdate /force```. -If you would like to add Credential Guard to an image, you can do this by adding the virtualization-based security features and then turning on Credential Guard. +### Turn on Credential Guard by using the registy -### Add the virtualization-based security features +If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. -First, you must add the virtualization-based security features. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). +#### Add the virtualization-based security features + +Starting with Windows 10 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. + +If you are using Windows 10 1507 (RTM) or Windows 10 1511, Windows features have to be enabled to use virtualization-based security. +You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). > [!NOTE] > If you enable Credential Guard by using Group Policy, these steps are not required. Group Policy will install the features for you.   
@@ -128,7 +133,8 @@ First, you must add the virtualization-based security features. You can do this 1. Open the Programs and Features control panel. 2. Click **Turn Windows feature on or off**. 3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. -4. Click **OK**. +4. Select the **Isolated User Mode** check box at the top level of the feature selection. +5. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. @@ -136,21 +142,17 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` +3. Add the Isolated User Mode feature by running the following command: + ``` syntax + dism /image: /Enable-Feature /FeatureName:IsolatedUserMode + ``` > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. - In Windows 10, version 1607 and Windows Server 2016, Isolated User Mode is included with Hyper-V and does not need to be installed separately. If you're running a version of Windows 10 that's earlier than Windows 10, version 1607, you can run the following command to install Isolated User Mode: -``` syntax -dism /image: /Enable-Feature /FeatureName:IsolatedUserMode -``` -### Turn on Credential Guard - -If you don't use Group Policy, you can enable Credential Guard by using the registry. - -**Turn on Credential Guard by using the registry** +#### Enable virtualization-based security and Credential Guard 1. Open Registry Editor. 2. Enable virtualization-based security: 
@@ -166,14 +168,28 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi > [!NOTE] > You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. -**Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool** +### Turn on Credential Guard by using the Device Guard and Credential Guard hardware readiness tool You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot ``` -  + +### Credential Guard deployment in virtual machines +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine. + +Credential Guard protects secrets from non-priviledged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: + +``` PowerShell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` + +Requirements for running Credential Guard in Hyper-V virtual machines +- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. + + ### Remove Credential Guard If you have to remove Credential Guard on a PC, you need to do the following:
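Review bot: in the `@@ -114,13 +114,18 @@` hunk, the new heading `### Turn on Credential Guard by using the registy` misspells "registry"; fix it before merge, since headings become link anchors. In the same hunk, `you can run ```gpupdate /force```` would be clearer as a single-backtick code span, and the retained note "If you enable Credential Guard by using Group Policy, these steps are not required" now sits under the registry section right after the paragraph that already says the feature step can be skipped on Windows 10 1607 and Windows Server 2016; consider merging the two statements so a reader on 1507/1511 sees one clear condition.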
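Review bot: in the `@@ -136,21 +142,17 @@` hunk, both DISM commands show an empty `/image:` argument (`dism /image: /Enable-Feature /FeatureName:IsolatedUserMode`), so they fail as written; confirm the path placeholder survives rendering, for example `dism /image:<path_to_offline_image> /Enable-Feature /FeatureName:IsolatedUserMode`. The removed paragraph carried the caveat that Isolated User Mode is included with Hyper-V on version 1607 and Windows Server 2016, and the new unconditional step 3 drops it; the only remaining version condition is the paragraph above the Control Panel steps, so either restate it here or label the offline-image procedure as applying to Windows 10 1507/1511 only. Also, the fence info string `syntax` is not a recognised language tag; `cmd` or `console` would give proper highlighting.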
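Review bot: in the `@@ -166,14 +168,28 @@` hunk, `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` has no value after `-VMName`, so the command fails as written; use a placeholder such as `-VMName <VMName>` and state that it runs on the Hyper-V host with host administrator rights, which is exactly the trust boundary the preceding sentence ("It does not provide additional protection from the host administrator") describes. Spelling: "non-priviledged" should be "non-privileged". The line "Requirements for running Credential Guard in Hyper-V virtual machines" is a bare paragraph followed by a bullet list; make it a heading or a bold lead-in to match the rest of the page, and change "and running at least Windows Server 2016" to "and run at least Windows Server 2016" so the second bullet parallels the first. The two blank lines before `### Remove Credential Guard` can be trimmed to one.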