From 7047eec1676376ab2ca738dbb74e30229ed0678c Mon Sep 17 00:00:00 2001 From: GITMichiko Date: Thu, 26 Jan 2017 00:23:30 -0800 Subject: [PATCH] Update credential-guard.md hardware requirements --- windows/keep-secure/credential-guard.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c40e90f58a..12bd430f83 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -45,7 +45,15 @@ For Credential Guard to provide protections, the computers you are protecting mu To deploy Credential Guard, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements. Beyond that, computers can meet additional hardware and firmware requirements, and receive additional protection—those computers will be more hardened against certain threats. -You can deploy Credential Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh. +To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses: +- Support for Virtualization-based security (required) +- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware) +- UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) + +The Virtualization-based security requires: +- 64 bit CPU +- CPU virtualization extensions plu extended page tables +- Windows hypervisor ### Application requirements