Credential Guard is a new feature in Windows 10 and it is a Enterprise feature only.

How does it works:

Credential Guard isolates secrets that previous versions of Windows stored in the Local Security Authority (LSA) by using virtualization-based security.

Credential Guard offers the following features and solutions:

•Hardware security Credential Guard increases the security of derived domain credentials by taking advantage of platform security features including, Secure Boot and virtualization.
•Virtualization-based security Windows services that manage derived domain credentials and other secrets run in a protected environment that is isolated from the running operating system.
•Better protection against advanced persistent threats Securing derived domain credentials using the virtualization-based security blocks the credential theft attack techniques and tools used in many targeted attacks. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
•Manageability You can manage Credential Guard by using Group Policy, WMI, from a command prompt, and Windows PowerShell.

Read more about Credential Guard on Microsoft TechNet:


How to build the prereq into Windows 10 Enterprise Base Image with MDT

There is only 2 Windows features that need to be enabled – so why not do it in the base image – then when the organization is ready to implement Credential Guard it is just to configure the GPO.

Enable “Hyper-V Hypervisor”

Install Roles and Features 1

Enable “Isolated User Mode”

Install Roles and Features 2

And then Build and Capture the base image as you normally will do in MDT

Hardware and software requirements

The PC must meet the following hardware and software requirements to use Credential Guard:

Requirement Description
Windows 10 Enterprise The PC must be running Windows 10 Enterprise.
UEFI firmware version 2.3.1 or higher and Secure Boot To verify that the firmware is using UEFI version 2.3.1 or higher and Secure Boot, you can validate it against the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby Windows Hardware Compatibility Program requirement.
Virtualization extensions The following virtualization extensions are required to support virtualization-based security:

  • Intel VT-x or AMD-V
  • Second Level Address Translation
x64 architecture The features that virtualization-based security uses in the Windows hypervisor can only run on a 64-bit PC.
A VT-d or AMD-Vi IOMMU (Input/output memory management unit) In Windows 10, an IOMMU enhances system resiliency against memory attacks. ¹
Trusted Platform Module (TPM) version 1.2 or 2.0 TPM 1.2 and 2.0 provides protection for encryption keys that are stored in the firmware and are used by Credential Guard. See the following table to determine which TPM versions are supported on your OS.

OS version Required TPM
Windows 10 version 1507 TPM 2.0
Windows 10 version 1511 TPM 2.0 or TPM 1.2
Note If you don’t have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM.
Secure firmware update process To verify that the firmware complies with the secure firmware update process, you can validate it against the System.Fundamentals.Firmware.UEFISecureBoot Windows Hardware Compatibility Program requirement.
The firmware is updated for Secure MOR implementation Credential Guard requires the secure MOR bit to help prevent certain memory attacks.
Physical PC For PCs running Windows 10, you cannot run Credential Guard on a virtual machine.

¹ If you choose the Secure Boot and DMA protection option in the Group Policy setting, an IOMMU is required. The Secure Boot Group Policy option enables Credential Guard on devices without an IOMMU.