Credential Guard

  • 1 April 2019
  • 5 replies

Can Credential Guard be enabled via GPO for 2016 servers running in AHV? Or is this something that only applies to servers running on a HyperV host?


I would like to learn this as well. I think it is not supported on AHV. Here is what I found so far:

Hardware and software requirements

To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
  • Support for Virtualization-based security (required)
  • Secure boot (required)
  • TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware)
  • UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)

Unified Extensible Firmware Interface (UEFI) Support for Guest VMs

AHV does not support VMs created in UEFI mode.
This should have changed by now. Apparently you can set "uefi_boot=True". Please do share back if it works. I am looking to set up Credential Guard for AHV VMs as well.

"SSH into Nutanix Acropolis and run the following command: acli vm.update uefi_boot=True."

No feedback from anyone?

Apparently VMware is supporting this too:

So, has anyone put this to work on AHV?


Hi stevecharon and @SunilM

Support of Windows Defender Credential Guard is definitely coming. I am not able to disclose the details right now. All I can say is soon.

I would like to also encourage you to look at the document that is the most relevant to the version you are running on.

UEFI guest VMs have been supported since 5.11. AHV Administration Guide 5.15: UEFI Support for VM.

What is the status of Credential Guard on Nutanix VMs? I have created a new VM with UEFI, Secure boot and Credential Guard enabled, but I can’t get it to work. Credential Guard is enabled with GPO, but still will not run. When I look at device security, it says “Standard hardware security not supported” and there is no compatible TPM shown in tpm.msc.
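An added example, not from this thread or from Nutanix or Microsoft: a read-only PowerShell check that reports, from inside the guest, each prerequisite listed in the first reply (UEFI, Secure Boot, TPM, virtualization-based security) and the registry values the Credential Guard GPO writes, so the "enabled but will not run" symptom in the last post can be narrowed down. It assumes an elevated PowerShell on Windows Server 2016 or later and changes nothing on the system.

```powershell
# Added example (not from this thread): read-only check of the Credential Guard
# prerequisites on the guest itself. Run from an elevated PowerShell on Windows
# Server 2016 or later; it changes nothing.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Meaning of the numeric codes reported by Win32_DeviceGuard
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'HVCI (memory integrity)' }
$props     = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection';
                4 = 'Secure memory overwrite'; 5 = 'NX'; 6 = 'SMM mitigations'; 7 = 'MBEC' }

# Firmware mode and Secure Boot: the VM must have been created as a UEFI VM for these to pass
"Firmware type : $env:firmware_type"
try   { "Secure Boot   : $(Confirm-SecureBootUEFI)" }
catch { "Secure Boot   : not available (legacy BIOS or unsupported platform)" }

# TPM is preferred, not required: it binds the isolated LSA secrets to the hardware
$tpm = Get-Tpm
"TPM present   : $($tpm.TpmPresent)  ready: $($tpm.TpmReady)"

# Virtualization-based security state as Windows sees it
"VBS status    : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Available     : $(($dg.AvailableSecurityProperties | ForEach-Object { $props[[int]$_] }) -join ', ')"
"Required      : $(($dg.RequiredSecurityProperties  | ForEach-Object { $props[[int]$_] }) -join ', ')"
"Configured    : $(($dg.SecurityServicesConfigured   | ForEach-Object { $services[[int]$_] }) -join ', ')"
"Running       : $(($dg.SecurityServicesRunning      | ForEach-Object { $services[[int]$_] }) -join ', ')"

# Values the GPO writes. LsaCfgFlags: 1 = enabled with UEFI lock, 2 = enabled without lock.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
$vbs = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard' -ErrorAction SilentlyContinue
"LsaCfgFlags   : $($lsa.LsaCfgFlags)"
"EnableVBS     : $($vbs.EnableVirtualizationBasedSecurity)"

# Summary: "configured but not running" shows as VBS status 1, or Credential Guard
# present in Configured but absent from Running.
if ($dg.SecurityServicesRunning -contains 1) { 'Credential Guard is running.' }
elseif (-not ($dg.AvailableSecurityProperties -contains 1)) { 'Blocked: no hypervisor support exposed to this VM; VBS cannot start without virtualization extensions from the host.' }
elseif (-not ($dg.AvailableSecurityProperties -contains 2)) { 'Blocked: Secure Boot not available; confirm the VM is UEFI with Secure Boot on.' }
else { 'Configured but not running: confirm the GPO applied (LsaCfgFlags) and reboot.' }
```

Run it once before and once after the GPO applies; the "Required" line lists what the policy demands and "Available" what the VM actually offers, so any feature in Required that is missing from Available is the blocker.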