How to configure Credential Guard with MS Intune

Windows Defender Credential Guard, introduced with Windows 10, uses virtualization-based security to isolate the LSASS authentication secrets from the rest of the operating system.

This protects you from credential harvesting: LSASS secrets are kept in a separate, virtualization-isolated environment on the client, so an attacker cannot collect your credentials by, for example, dumping the memory of the authentication process that stores your NTLM and Kerberos credentials.

Prerequisites

Windows Defender Credential Guard:

  • Support for Virtualization-based security (required)
  • Secure boot (required)
  • TPM 1.2 or 2.0, either discrete or firmware (preferred – binds the protection to the hardware)
  • UEFI lock (preferred – prevents an attacker from disabling Credential Guard with a simple registry key change)

The Virtualization-based security requires:

  • 64-bit CPU
  • CPU virtualization extensions plus extended page tables
  • Windows hypervisor (does not require Hyper-V Windows Feature to be installed)

Credential Guard configuration with Microsoft Intune

  • Go to https://endpoint.microsoft.com
  • Select Devices / Configuration Profile / Create Profile
    • Platform: Windows 10 and later
    • Profile Type: Settings Catalog
  • Click Create
  • Complete Name field and click Next
  • Click Add Settings
  • In Browse Category, search for and select Device Guard
  • In Setting name, select:
    • Credential Guard
    • Enable Virtualization Based Security
  • Configure the options (for example, Credential Guard enabled with UEFI lock)
  • Click Next
  • Scope tags, click Next
  • Deploy on Group devices or All devices and click Next
  • Review and create, click Next

Verification

On the client computer, open System Information and check the virtualization-based security entries.

If Credential Guard appears in both lines (services configured and services running), it has been configured correctly.
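The same check can be scripted for a fleet instead of opening System Information on each device. This PowerShell script is an added example, not code from the original post; it reads the Win32_DeviceGuard WMI class that backs the System Information entries, and assumes it runs on the target Windows 10/11 client (the registry paths for the UEFI-lock check are the standard LsaCfgFlags locations and are treated here as an assumption):

```powershell
# Added example: verify Credential Guard / VBS state on a client.
# Win32_DeviceGuard is the WMI class behind the System Information entries.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# Codes used in SecurityServicesConfigured / SecurityServicesRunning
$CredentialGuard = 1   # 2 would be HVCI (memory integrity)

# Codes used in AvailableSecurityProperties (platform prerequisites)
$HypervisorSupport = 1
$SecureBoot        = 2

$vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'Not enabled' }
    1       { 'Enabled but not running' }
    2       { 'Enabled and running' }
    default { "Unknown ($_)" }
}

# LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
# Policy-delivered value (Intune/GPO) and the effective value are read separately (assumed paths).
$policyFlags = (Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
$lsaFlags    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

$result = [pscustomobject]@{
    ComputerName               = $env:COMPUTERNAME
    VirtualizationBasedSecurity = $vbsStatus
    HypervisorSupportPresent   = ($dg.AvailableSecurityProperties -contains $HypervisorSupport)
    SecureBootPresent          = ($dg.AvailableSecurityProperties -contains $SecureBoot)
    CredentialGuardConfigured  = ($dg.SecurityServicesConfigured -contains $CredentialGuard)
    CredentialGuardRunning     = ($dg.SecurityServicesRunning    -contains $CredentialGuard)
    UefiLock                   = ($lsaFlags -eq 1 -or $policyFlags -eq 1)
}
$result | Format-List

# Mirror the System Information check: Credential Guard must be both configured and running.
if ($result.CredentialGuardConfigured -and $result.CredentialGuardRunning) {
    Write-Host 'Credential Guard is configured and running.' -ForegroundColor Green
    if (-not $result.UefiLock) { Write-Warning 'Credential Guard is enabled without UEFI lock; a registry change could disable it.' }
} else {
    Write-Warning 'Credential Guard is not active. Check the Intune profile assignment and the VBS prerequisites above.'
}
```

Run it through Intune's scripts feature or a remediation script to collect the result across devices, and review any device that reports configured but not running, which usually points to a missing prerequisite such as Secure Boot or hypervisor support.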
