Windows 11 Security Boost – Credential Guard and HVCI Now Default

Technology has evolved enormously over the decades, yet plenty of threats can still cause massive damage to organizations, and attackers have grown steadily more sophisticated in their methods. For Microsoft, shipping regular security upgrades across its products and services is one sure way to reduce the risk its customers are exposed to. Enabling Credential Guard and HVCI by default on Windows 11 should go a long way toward strengthening customers' security: the two features put a formidable barrier between an attacker and the most valuable targets on a device, its credentials and its kernel.

What is Credential Guard?

Credential Guard is a security feature that blocks credential theft attacks. It protects NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials that applications store as domain credentials. It relies on Virtualization-based security (VBS) to isolate these secrets so that only privileged system software can reach them; nothing else running in the normal operating system, not even code with administrative rights, can read them. That isolation removes the unauthorized access that credential theft attacks such as pass the hash and pass the ticket depend on.

How Does It Work?

With Credential Guard enabled, the Local Security Authority (LSA) process in the operating system (lsass.exe) talks to a separate component, the isolated LSA process (LSAIso.exe), which stores and protects the secrets. Everything the isolated LSA process holds is protected by VBS, and the rest of the operating system cannot access it. LSA communicates with the isolated LSA process through remote procedure calls.

To keep the attack surface small, the isolated LSA process doesn't host any device drivers. Instead, it hosts only a small subset of operating system binaries, those required for security and nothing else. Every one of these binaries must be signed with a certificate trusted by VBS, and the signature is validated before the file is launched in the protected environment.

Benefits of Credential Guard

Credential Guard has several benefits that improve the security posture of Windows 11 devices. Once Credential Guard is enabled, organizations can look forward to:

  • Hardware security – NTLM, Kerberos, and Credential Manager take advantage of platform security features such as Secure Boot and virtualization to protect credentials.
  • Virtualization-based security – NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
  • Protection against advanced persistent threats – using VBS to protect credentials significantly enhances an organization's network security, because it renders ineffective many of the credential theft techniques and tools used in targeted attacks. Secrets protected by VBS stay isolated even from malware running in the operating system with administrative privileges.

Default Enablement

To ensure that Windows 11 clients get all of the benefits discussed above, going forward Microsoft is enabling VBS and Credential Guard by default on Windows 11, version 22H2 and Windows Server 2025. This applies only to devices that meet the requirements. IT admins keep the flexibility to disable Credential Guard remotely if the need arises, because the default enablement is done without UEFI Lock. Once Credential Guard is enabled, VBS is enabled automatically as well.

IT admins should also be aware that if Credential Guard was explicitly disabled on a device before it was updated to Windows 11, version 22H2 (or Windows Server 2025 or later), default enablement does not apply and the existing setting remains in place. Such devices continue to have Credential Guard disabled even after updating to a version of Windows that enables it by default.

WINDOWS

All devices running Windows 11, version 22H2 or later have Credential Guard enabled by default if they meet the licensing, hardware, and software requirements and don't have Credential Guard explicitly disabled. Devices running Windows 11 Pro/Pro Edu, version 22H2 or later may also have VBS and/or Credential Guard automatically enabled if they meet the other requirements for default enablement and have previously run Credential Guard, for example an Enterprise device on which Credential Guard was enabled and which was later downgraded to Pro.

WINDOWS SERVER

All devices running Windows Server 2025 or later have Credential Guard enabled by default if they meet the licensing, hardware, and software requirements, don't have Credential Guard explicitly disabled, are joined to a domain, and are not domain controllers.

What If You Need To Disable Credential Guard?

IT admins may need to disable Credential Guard for any number of reasons, and 'enabled by default' does not mean it can't be disabled. Several options are available; the right one depends on how Credential Guard was configured:

  • When running in a virtual machine, the host can disable Credential Guard.
  • When enabled with UEFI lock, follow the steps in Microsoft's guidance on disabling Credential Guard with UEFI lock; a registry or policy change alone is not enough, because the lock lives in UEFI variables.
  • If Credential Guard was enabled without UEFI lock, or as part of the default enablement update, you can disable it using any one of Microsoft Intune/MDM, Group Policy, or the Registry.

System Requirements

Credential Guard can only provide its protection if the device meets certain hardware, firmware, and software requirements. Devices that exceed the minimum hardware and firmware requirements receive additional protections and, as a result, defend better against certain threats.

HARDWARE AND SOFTWARE REQUIREMENTS

Credential Guard requires Virtualization-based security and Secure Boot. The following are not required but are highly recommended, as they provide additional protections:

  • Trusted Platform Module (TPM), which binds the protection to the hardware. TPM versions 1.2 and 2.0 are supported, either discrete or firmware.
  • UEFI lock, which prevents an attacker from disabling Credential Guard with a registry key change.
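To see whether a device actually meets these requirements and whether Credential Guard is running rather than merely configured, you can query the Win32_DeviceGuard CIM class, which also reports HVCI (covered further down) and the platform features, such as Secure Boot, DMA protection and Mode-Based Execution Control, that the device requires and offers. The script below is an added example written for this article, not Microsoft's code. The code-to-name tables are the documented meanings of the class's properties; the Describe helper and the wording of the verdicts are mine.

```powershell
# Added example: report VBS, Credential Guard and HVCI state via Win32_DeviceGuard.
# Run in an elevated PowerShell session on the device being checked.

# Documented meanings of the numeric codes returned by the class.
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$services  = @{ 1 = 'Credential Guard'
                2 = 'HVCI (memory integrity)'
                3 = 'System Guard Secure Launch'
                4 = 'SMM Firmware Measurement'
                5 = 'Kernel-mode Hardware-enforced Stack Protection' }
$platform  = @{ 1 = 'Base virtualization support'
                2 = 'Secure Boot'
                3 = 'DMA protection'
                4 = 'Secure Memory Overwrite'
                5 = 'UEFI code read-only'
                6 = 'SMM security mitigations 1.0'
                7 = 'Mode-Based Execution Control'
                8 = 'APIC virtualization' }

# Helper (mine, not part of the class): turn an array of codes into names.
function Describe([hashtable]$map, $codes) {
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object {
        $k = [int]$_
        if ($map.ContainsKey($k)) { $map[$k] } else { "Unknown($k)" }
    }) -join ', '
}

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

"VBS status                 : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured        : $(Describe $services $dg.SecurityServicesConfigured)"
"Services running           : $(Describe $services $dg.SecurityServicesRunning)"
"Platform features required : $(Describe $platform $dg.RequiredSecurityProperties)"
"Platform features available: $(Describe $platform $dg.AvailableSecurityProperties)"

# The isolated LSA process only exists while Credential Guard is running.
"LsaIso.exe running         : $([bool](Get-Process -Name LsaIso -ErrorAction SilentlyContinue))"

# 'Enabled but not running' means the policy is set but the platform could not
# satisfy it. Required features that are missing from the available list explain why.
$missing = @($dg.RequiredSecurityProperties | Where-Object { $dg.AvailableSecurityProperties -notcontains $_ })
if ($dg.SecurityServicesRunning -contains 1) {
    'Credential Guard is running: LSA secrets are isolated inside VBS.'
} elseif ($dg.SecurityServicesConfigured -contains 1) {
    "Credential Guard is configured but NOT running. Missing platform features: $(Describe $platform $missing)"
} else {
    'Credential Guard is not configured on this device.'
}
```

The distinction between "configured" and "running" is the one that matters in practice: a device can carry the policy and still leave secrets unprotected if, say, Secure Boot is off or the firmware offers no DMA protection, and the only visible symptom is that LsaIso.exe never starts.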

CREDENTIAL GUARD IN VIRTUAL MACHINES

One of the biggest benefits of Credential Guard is that it protects secrets in Hyper-V virtual machines the same way it does on a physical machine. Enabling Credential Guard in a virtual machine protects its secrets from attacks that originate inside the virtual machine.

However, Credential Guard doesn't protect against privileged system attacks originating from the host. To run Credential Guard in Hyper-V virtual machines, the Hyper-V host needs an IOMMU and the virtual machine must be generation 2; Credential Guard isn't supported on Hyper-V or Azure generation 1 VMs.

Credential Guard Application Requirements

Once Credential Guard is enabled, certain authentication capabilities are blocked, so any application that needs them breaks. These are referred to as application requirements. IT admins need to test applications before deployment to check that they are compatible with the reduced functionality.

Admins are also advised against enabling Credential Guard on domain controllers. Credential Guard offers no added security to a domain controller, and it can cause application compatibility issues there.

Likewise, Credential Guard doesn't protect the Active Directory database or the Security Accounts Manager (SAM). The same Kerberos and NTLM credentials that Credential Guard isolates in LSA also live in the Active Directory database (on domain controllers) and in the SAM (for local accounts), and those stores remain unprotected.

Expect applications to break if they need any of the following:

  • Kerberos DES encryption support
  • Kerberos unconstrained delegation
  • Kerberos TGT extraction
  • NTLMv1

Applications prompt for credentials, and expose them to risk, if they need any of the following:

  • Digest authentication
  • Credential delegation
  • MS-CHAPv2
  • CredSSP

IT admins should note that applications may cause performance issues when they attempt to hook the isolated Credential Guard process, LSAIso.exe. Services and protocols that rely on Kerberos, such as remote desktop or file shares, keep working and are not affected by Credential Guard.
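Several of the items above can be checked before rollout rather than discovered afterwards. The script below is an added example, not Microsoft tooling, that audits a domain-joined client and its directory for the conditions most likely to bite: an LmCompatibilityLevel that still permits NTLMv1, WDigest keeping logon credentials available for Digest single sign-on, accounts trusted for unconstrained delegation, and accounts restricted to DES Kerberos keys. The registry paths and Active Directory properties are the real ones; the check structure and the message wording are mine. The directory checks need the RSAT ActiveDirectory module, and there is no static check for TGT extraction, so test any tool that does that directly on a pilot device.

```powershell
# Added example: pre-deployment audit for the Credential Guard application
# requirements. Run elevated on a domain-joined client; AD checks need RSAT.
$findings = New-Object 'System.Collections.Generic.List[string]'

function Get-RegDword([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. NTLMv1: LmCompatibilityLevel 0-2 lets this client send LM/NTLMv1 responses;
#    3 and above send NTLMv2 only. Unset means the OS default; a baseline should
#    set it explicitly.
$lmLevel = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
if ($null -ne $lmLevel -and $lmLevel -lt 3) {
    $findings.Add("LmCompatibilityLevel=$lmLevel allows NTLMv1, which Credential Guard blocks.")
} elseif ($null -eq $lmLevel) {
    $findings.Add("LmCompatibilityLevel is not set explicitly; set it to 3 or higher in policy.")
}

# 2. Digest: UseLogonCredential=1 keeps logon credentials available to WDigest for
#    Digest SSO. Credential Guard withholds them, so such applications will prompt.
$useLogon = Get-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' 'UseLogonCredential'
if ($useLogon -eq 1) {
    $findings.Add("WDigest UseLogonCredential=1: Digest-based SSO will start prompting for credentials.")
}

# 3. Kerberos unconstrained delegation and DES-only keys, from Active Directory.
#    Domain controllers (primary group 516) are trusted for delegation by design
#    and are excluded; Credential Guard isn't meant for them anyway.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Import-Module ActiveDirectory
    $delegated = @(Get-ADComputer -Filter 'TrustedForDelegation -eq $true -and PrimaryGroupID -ne 516') +
                 @(Get-ADUser     -Filter 'TrustedForDelegation -eq $true')
    foreach ($obj in $delegated) {
        $findings.Add("Unconstrained delegation on $($obj.SamAccountName): will break under Credential Guard.")
    }
    # UseDESKeyOnly is the legacy 'Use Kerberos DES encryption types' account flag.
    foreach ($u in @(Get-ADUser -Filter 'UseDESKeyOnly -eq $true')) {
        $findings.Add("DES-only Kerberos keys on $($u.SamAccountName): will break under Credential Guard.")
    }
} else {
    $findings.Add("ActiveDirectory module not available; delegation and DES checks skipped.")
}

if ($findings.Count -eq 0) {
    'No Credential Guard application-compatibility blockers found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Treat every finding as something to fix before enabling Credential Guard, not as a reason to leave it off: unconstrained delegation and DES-only accounts are exactly the settings attackers look for, so removing them is a win in its own right.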

Hypervisor-Protected Code Integrity

Alongside Credential Guard, Hypervisor-Protected Code Integrity (HVCI) is now also enabled by default in Windows 11, version 22H2 and Windows Server 2025. HVCI is a virtualization-based security (VBS) feature, also known as memory integrity, and is available in Windows 10, Windows 11, and Windows Server 2016 and later. HVCI and VBS are key elements of the Windows threat model, and they greatly strengthen the defenses against malware that tries to exploit the Windows kernel.

VBS uses the Windows hypervisor to create an isolated virtual environment that becomes the root of trust of the OS, on the assumption that the kernel itself can be compromised. HVCI is an integral element of that design: it protects Windows by running kernel-mode code integrity checks inside the isolated VBS environment rather than inside the kernel that might be under attack.

Memory integrity further strengthens security by restricting the kernel memory allocations that could be used to compromise the system. With this restriction in place, kernel memory pages can only become executable after passing code integrity checks inside the secure runtime environment, and executable pages are never writable, so no kernel page is ever both writable and executable.

Functionality

IT admins should know that HVCI works better on Intel Kaby Lake and later processors with Mode-Based Execution Control (MBEC), and on AMD Zen 2 and later processors with Guest Mode Execute Trap (GMET). Older processors rely on an emulation of these features, called Restricted User Mode, which typically has a bigger impact on performance. If you use nested virtualization, memory integrity works better when the VM is version 9.3 or later.

Also consider that Azure VMs don't support HVCI in scenarios where Secure Boot with DMA is selected; VBS appears as enabled but not running. The main features of memory integrity are as follows:

  • Protects the Control Flow Guard (CFG) bitmap for kernel mode drivers from modification.
  • Protects the kernel mode code integrity process, which ensures that other trusted kernel processes have a valid certificate.

How Can You Disable HVCI?

As discussed for Credential Guard, scenarios may arise where IT admins need to disable HVCI. In that case:

  • Navigate to the Core Isolation settings: in the Windows search bar, search for Core Isolation and select the Core Isolation settings page.
  • Find the Memory Integrity setting and turn it off.
  • You'll be prompted to restart your device to apply the change.

Alternatively, you can disable VBS altogether via the Registry as follows. Note that this turns off Credential Guard and HVCI together, since both run inside VBS, and that it has no effect on a device where the UEFI lock is set:

  • As above, search for regedit in the Windows search bar and open the Registry Editor.
  • Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard.
  • Double-click EnableVirtualizationBasedSecurity, change its value to 0, and click OK.
  • Close the Registry Editor and restart the computer to apply the change.
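The registry steps above switch off VBS as a whole, which takes Credential Guard down with HVCI. If you only need one of them off, or you want to script the Registry option mentioned earlier for Credential Guard, it helps to know the values behind the settings. The following is an added example written for this article, not Microsoft's script: the key paths and value meanings are the documented ones, while the function names and the layout of the report are mine. Two caveats apply. A device with the UEFI lock set ignores these changes until the lock itself is cleared, and a value delivered by Group Policy or MDM is re-applied from the Policies key at the next policy refresh, so change it at the policy source rather than on the device.

```powershell
# Added example: inspect and change the registry values behind the VBS,
# Credential Guard and HVCI settings. Run elevated; reboot to apply.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$dg     = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci   = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'   # written by Group Policy / MDM

function Get-RegDword([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

# Report the current configuration. A value under the Policies key means a GPO/MDM
# profile owns the setting and will overwrite anything set here.
function Show-VbsConfig {
    [pscustomobject]@{
        # LsaCfgFlags: 0 = Credential Guard off, 1 = on with UEFI lock, 2 = on without UEFI lock
        CredentialGuard_LsaCfgFlags = Get-RegDword $lsa    'LsaCfgFlags'
        CredentialGuard_PolicyValue = Get-RegDword $policy 'LsaCfgFlags'
        # 1 = VBS enabled, 0 = disabled (the value the steps above change)
        VBS_Enabled                 = Get-RegDword $dg     'EnableVirtualizationBasedSecurity'
        # 1 = Secure Boot, 3 = Secure Boot with DMA protection
        VBS_RequirePlatformFeatures = Get-RegDword $dg     'RequirePlatformSecurityFeatures'
        # HVCI (memory integrity): Enabled 1/0; Locked 1 means UEFI lock
        HVCI_Enabled                = Get-RegDword $hvci   'Enabled'
        HVCI_Locked                 = Get-RegDword $hvci   'Locked'
    }
}

# Credential Guard alone, leaving VBS and HVCI in place. Setting 0 before an
# upgrade to 22H2 also opts the device out of default enablement.
function Disable-CredentialGuard { Set-RegDword $lsa 'LsaCfgFlags' 0 }

# Enable without UEFI lock (value 2) so it stays remotely reversible, which is
# the mode default enablement uses. Use 1 for UEFI lock, after which a registry
# change alone can no longer turn it off.
function Enable-CredentialGuard {
    Set-RegDword $dg  'EnableVirtualizationBasedSecurity' 1
    Set-RegDword $dg  'RequirePlatformSecurityFeatures'   1
    Set-RegDword $lsa 'LsaCfgFlags'                       2
}

# HVCI alone, equivalent to switching Memory integrity off in Core Isolation.
function Disable-Hvci { Set-RegDword $hvci 'Enabled' 0 }

# Everything: the same effect as the manual registry steps above.
function Disable-Vbs  { Set-RegDword $dg 'EnableVirtualizationBasedSecurity' 0 }

Show-VbsConfig
# e.g.  Disable-CredentialGuard; Restart-Computer
```

Before relying on any of these functions in a fleet, confirm the result after reboot with the Win32_DeviceGuard check rather than by reading the registry back: the registry records intent, and the CIM class records what the platform actually delivered.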

Wrap Up

The default enablement of Credential Guard and Hypervisor-Protected Code Integrity in Windows 11 is part of Microsoft's ongoing effort to enhance security for its customers. For every device that meets the requirements, the change means a better protected Windows 11 environment and an improvement in the organization's overall network security.

Persistent threats continue to evolve in search of even the slightest vulnerability. Upgrades like these are a powerful mitigation, and combined with other security measures they help keep malicious actors at bay.
