How to configure Credential Guard with MS Intune

Windows Defender Credential Guard, introduced with Windows 10, uses virtualization-based security to containerize the LSASS authentication process.
 
This solution protects you from credential harvesting: LSASS runs in a separate virtual machine on the client, so an attacker who dumps the authentication process that stores your NTLM and Kerberos credentials cannot collect them from it.

Prerequisites 

Windows Defender Credential Guard:

  • Support for Virtualization-based security (required)
  • Secure boot (required)
  • TPM 1.2 or 2.0, either discrete or firmware (preferred – provides binding to hardware)
  • UEFI lock (preferred – prevents attacker from disabling with a simple registry key change)

The Virtualization-based security requires:

  • 64-bit CPU
  • CPU virtualization extensions plus extended page tables
  • Windows hypervisor (does not require Hyper-V Windows Feature to be installed)

Credential Guard configuration with Microsoft Intune

  • Go to https://endpoint.microsoft.com
  • Select Devices / Configuration Profile / Create Profile
    • Platform : Windows 10 and later
    • Profile Type : Settings Catalog
  • Click Create
  • Complete Name field and click Next
  • Click Add Settings
  • In Browse Category, search and select Device Guard
  • In Setting name, select :
    • Credential Guard
    • Enable Virtualization Based Security
  • Configure options
  • Click Next
  • Scope tags, click Next
  • Deploy on Group devices or All devices and click Next
  • Review and create, click Next

Verification

On the client computer, open System Information (msinfo32) and check the entries Virtualization-based security Services Configured and Virtualization-based security Services Running.

If Credential Guard appears on both lines, it has been correctly configured.
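The same check can be scripted for fleet-wide verification. The following is an added example, not code from the original post: it reads the Win32_DeviceGuard WMI class (the data msinfo32 displays), the LsaCfgFlags policy value the Intune Device Guard settings write, and the Secure Boot state, and then applies the "configured and running" condition above. It assumes an elevated PowerShell session on the client and the numeric codes documented for Win32_DeviceGuard.

```powershell
# Added example (not from the original post): report Credential Guard / VBS state on a client.
# Assumes an elevated PowerShell session and the Win32_DeviceGuard code values documented by Microsoft.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Lookup tables for the numeric codes returned by Win32_DeviceGuard
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }
$service  = @{ 1 = 'Credential Guard'; 2 = 'HVCI'; 3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$property = @{ 1 = 'Base VBS'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite'
               5 = 'UEFI code read-only'; 6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
# LsaCfgFlags: 1 = enabled with UEFI lock (the "preferred" prerequisite), 2 = enabled without lock
$lsaCfg   = @{ 0 = 'Disabled'; 1 = 'Enabled with UEFI lock'; 2 = 'Enabled without UEFI lock' }

function Translate([uint32[]]$codes, [hashtable]$map) {
    if (-not $codes) { return '(none)' }
    ($codes | ForEach-Object { if ($map.ContainsKey([int]$_)) { $map[[int]$_] } else { "Unknown($_)" } }) -join ', '
}

# The Policies key is what the Intune profile writes; the Lsa key holds the effective value.
$policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' -Name LsaCfgFlags -ErrorAction SilentlyContinue
$lsa    = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LsaCfgFlags -ErrorAction SilentlyContinue
$policyState = if ($policy) { $lsaCfg[[int]$policy.LsaCfgFlags] } else { 'Not set by policy' }
$effectiveState = if ($lsa) { $lsaCfg[[int]$lsa.LsaCfgFlags] } else { 'Not set' }

# Confirm-SecureBootUEFI throws on legacy BIOS firmware, which also fails the Secure Boot prerequisite.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = 'Not supported (legacy BIOS)' }

[pscustomobject]@{
    VbsStatus            = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    ServicesConfigured   = Translate $dg.SecurityServicesConfigured $service
    ServicesRunning      = Translate $dg.SecurityServicesRunning $service
    AvailableProperties  = Translate $dg.AvailableSecurityProperties $property
    RequiredProperties   = Translate $dg.RequiredSecurityProperties $property
    SecureBoot           = $secureBoot
    PolicyLsaCfgFlags    = $policyState
    EffectiveLsaCfgFlags = $effectiveState
} | Format-List

# Same condition as the msinfo32 check: Credential Guard (code 1) must be both configured and running.
$ok = ($dg.SecurityServicesConfigured -contains 1) -and ($dg.SecurityServicesRunning -contains 1)
if ($ok) { 'Credential Guard is configured and running.' } else { 'Credential Guard is NOT fully active.' }
```

AvailableProperties shows which VBS prerequisites the hardware actually offers, so a device that reports Credential Guard configured but not running can be triaged against the prerequisite list above.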
