This feature uses virtualization-based security to help protect security secrets (for example, NTLM password hashes, Kerberos Ticket Granting Tickets) so that only privileged system software can access them. This helps prevent Pass-the-Hash or Pass-the-Ticket attacks.
Credential Guard has the following features:
- Hardware-level security. Credential Guard uses hardware platform security features (such as Secure Boot and virtualization) to help protect derived domain credentials and other secrets.
- Virtualization-based security. Windows services that access derived domain credentials and other secrets run in a virtualized, protected environment that is isolated.
- Improved protection against persistent threats. Credential Guard works with other technologies (e.g., Device Guard) to help provide further protection against attacks, no matter how persistent.
- Improved manageability. Credential Guard can be managed through Group Policy, Windows Management Instrumentation (WMI), or Windows PowerShell.