Implementing Credential Guard using Device Guard Readiness Tool

Credential Guard is a security feature that has been available in Windows 10 since Build 1511.  Enabling it on a Windows 10 laptop requires that the system disk is formatted with GPT.  You must also have secure boot turned on, and you are supposed to have a Trusted Platform Module (TPM 2.0).  I have read in Microsoft’s docs that you can use Credential Guard without a TPM, but then the keys are not secured in the TPM.  Not sure if this is still the case now in the latest Windows Builds, because they do say that a TPM is required.  First you should download the Device Guard and Credential Guard Readiness Kit from Microsoft’s download center.  Next, I will show you the commands you need to run in powershell to use the Readiness Kit.

The Device Guard and Credential Guard Readiness Kit includes a PowerShell script that can be used to check if the device is capable of running credential guard, check if Credential Guard is already running or enabled, and it also does the same for Device Guard and Hyper-V Code Integrity policies.

Note:
Make sure you download the new version3.0 of the toolkit. If you may have downloaded the older (version 2.1) script, make sure you go to the link above and re-download the tool.

Okay so you downloaded the tool, next step is to unblock the zip file and unpack the zip file into a directory. Personally, I like to use D:\DistributionShare\DeviceGuardReadinessToolv3.0 . The next thing to do is right click on PowerShell or the PowerShell_ISE and run PowerShell ISE as Administrator. Once you get the ISE opened up you should changed to the directory where you unzipped the Device Guard/Credential Guard Readiness Tool to. Set-Location D:\DistributionShare\DeviceGuardReadinessToolv3
Next we want to run the following script to run the Device Guard Readiness Tool and check if the device is capable of running Credential Guard, Device Guard, or HyperVisor Code Integrity: .\DG_Readiness_Tool_v3.0.ps1 -Capable -DG -CG -HVCI
Now you are going to have to reboot the machine.

After the reboot Open up the PowerShell ISE as Administrator again, and run the script again, or run the script with the switches
-Enable -CG -DG -HVCI, or whichever of the three you want to enable. You can also use the switch -Ready if you have want to see if any of the three security features are already enabled and running.
You should see some immediate feedback in the console, but you are going to want to find the folder C:\DGLOGS and in there will be a log file that will tell you if your computer is capable of enabling Credential Guard, Device Guard, and Hypervisor Code Integrity.

 

Group Policies to Enable Device Guard and Credential Guard

There are a bunch of group policies that are going to be necessary to enable credential guard and device guard in an Active Directory Domain environment. For the domain controllers, you are going to want to enable the following policies:

DOMAIN CONTROLLERS: AdministrativeTemplates/ComputerConfiguration/System/KDC : The necessary settings include >
KDC support for claims, compound authentication and Kerberos armoring: (This needs to be enabled on all domain controllers in order for Credential Guard to work.)

Also, Request Compound Authentication is necessary for Credential Guard so that as devices authenticate with the Domain Controllers, Kerberos compound authentication is requested. Enable this policy as well.

Next we need to go to the following location in the GPMC.msc (Group Policy Management Console) or GPEDIT.msc ( Group Policy Editor for local policies only):
AdministrativeTemplates/ComputerConfiguration/System/DeviceGuard: Turn on Virtualization Based Security -Enabled, for the options on the bottom, the best choices for testing are:
Select Platform Level: SECURE BOOT
VirtualizationBasesSecurityCodeIntegrity:Enabled without Lock
CredentialGuardConfiguration: Enabled without Lock
——————————————————————————————————————————————————————————
Now on a policy that is applied to the domain computers,servers, and devices that are compatible with credential guard, you will enable the following policies:

AdministrativeTemplates/ComputerConfiguration/System/Kerberos
1. Always send compound authentication first: Enabled
2. Kerberos client support for claims, compound authentication and Kerberos armoring: Enabled
3. Support compound authentication: Enabled – Support authorization with client device information:Automatic

After enabling these policies, you should be on your way to supporting Credential Guard, once you figure out how to use Code Integrity Policies, and enable the policy Deploy Code Integrity Policy (ComputerConfiguration/AdministrativeTemplates/System/DeviceGuard) then you can deploy Device Guard, however this policy is not necessary to use Device Guard. (There are some registry settings that can be set and then you can create code integrity policies and move them to C:\Windows\system32\CodeIntegrity to enable Device Guard.

————————————————————————————————————————————
Microsoft also offers a tool called the Device Guard and Credential Guard Readiness Tool which includes a PowerShell script to help enable Credential Guard, Device Guard, and Hypervisor Code Integrity.