deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Update how-it-works.md

Browse Source
This commit is contained in:
Paolo Matarazzo
2025-06-12 13:07:52 -04:00
committed by GitHub
parent 6f01f1715f
commit ed66f6b99e
1 changed files with 6 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
windows/security/identity-protection/credential-guard/how-it-works.md
View File

@ -1,5 +1,5 @@
---
ms.date: 02/25/2025
ms.date: 06/12/2025
title: How Credential Guard works
description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.topic: concept-article
@ -21,15 +21,16 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b
:::row-end:::
## VSM and TPM Protections
Secrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm) (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections. To learn more, see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment.
Secrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm) (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be protected by a key called the *VSM master key*, which is protected by device firmware protections. To learn more, see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows). The VSM master key is protected by the TPM, ensuring that the key and secrets protected by Credential Guard can only be accessed in a trusted environment.
Credential Guard does not typically persist authentication data (NTLM hash and TGTs) as that data is lost between reboots and refreshed when the user signs into the system. This means that it isn't dependent on the VSM master key or the TPM to protect that data at reset.
Credential Guard doesn't typically persist authentication data (NTLM hash and TGTs), as that data is lost between reboots and refreshed when the user signs into the system. This means that it isn't dependent on the VSM master key or the TPM to protect that data at reset.
> [!NOTE]
> The VBS master key may not be protected by the TPM in any of the following environments:
> The VBS master key might not be protected by the TPM in any of the following environments:
>
> - If Secure Boot is disabled
> - If a TPM is not available on the firmware
> - If a TPM isn't available on the firmware
## Credential Guard protection limits