Question

Credential Guard

  • 1 April 2019
  • 4 replies
  • 10505 views

Can Credential Guard be enabled via GPO for 2016 servers running in AHV? Or is this something that only applies to servers running on a HyperV host?

4 replies

I would like to learn this as well. I think it is not supported on AHV. Here is what I found so far:

https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-requirements

Hardware and software requirements

To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
  • Support for Virtualization-based security (required)
  • Secure boot (required)
  • TPM 1.2 or 2.0, either discrete or firmware (preferred - provides binding to hardware)
  • UEFI lock (preferred - prevents attacker from disabling with a simple registry key change)
https://portal.nutanix.com/#/page/docs/details?targetId=AHV-Admin-Guide-v51:vmm-vm-driver-types-r.html

Unified Extensible Firmware Interface (UEFI) Support for Guest VMs

AHV does not support VMs created in UEFI mode.
This should have changed by now. Apparently you can set "uefi_boot=True". Please do share back if it works. I am looking to set up Credential Guard for AHV VMs as well.

https://portal.nutanix.com/#/page/docs/details?targetId=AMF_Guide-Acr_v4_6:vm__vm_driver_types_r.html

"SSH into Nutanix Acropolis and run the following command: acli vm.update uefi_boot=True."
https://docs.citrix.com/en-us/provisioning/current-release/citrix-provisioning-1909.pdf
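Whichever hypervisor the guest runs on, the GPO only writes policy into the registry; whether Credential Guard actually starts depends on the guest seeing the prerequisites quoted above (UEFI firmware, Secure Boot, virtualization extensions exposed by the host). The script below is an added example, not code from any reply in this thread or from Nutanix or Microsoft. It is a read-only check to run in an elevated PowerShell session inside a Windows Server 2016 guest after the GPO has applied: it reads the Win32_DeviceGuard class, the firmware type, Secure Boot state, TPM presence and the policy registry values, and reports whether Credential Guard is merely configured or really running. The property and value meanings are from Microsoft's documentation of Win32_DeviceGuard and the "Turn On Virtualization Based Security" policy; the helper name Read-RegValue is my own.

```powershell
# Added example (not from the thread): report Credential Guard prerequisites and status on a
# Windows Server 2016 guest. Run elevated. Read-only; it changes nothing.
# Assumes the Win32_DeviceGuard class is present (Windows 10 / Server 2016 and later).

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

# Value meanings for Win32_DeviceGuard, from the class documentation.
$propNames = @{ 1 = 'Base VBS support'; 2 = 'Secure Boot'; 3 = 'DMA protection'; 4 = 'Secure memory overwrite'
                5 = 'UEFI code read-only'; 6 = 'SMM mitigations'; 7 = 'Mode-based execution control' }
$svcNames  = @{ 1 = 'Credential Guard'; 2 = 'HVCI' }
$vbsState  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

# Helper (my own name): return a registry value or $null if the key/value does not exist.
function Read-RegValue($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Firmware and Secure Boot: the two hard requirements. Confirm-SecureBootUEFI throws on
# BIOS/legacy-boot machines, so an exception is read as "no Secure Boot".
$firmware   = $env:firmware_type      # 'UEFI' or 'Legacy'
$secureBoot = $false
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

# TPM is preferred, not required (it binds the VBS key material to the hardware).
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName 'Win32_Tpm' -ErrorAction SilentlyContinue

# What the GPO "Turn On Virtualization Based Security" asked for. It writes under HKLM\SOFTWARE\Policies.
# LsaCfgFlags: 1 = Credential Guard with UEFI lock, 2 = without lock, 0 = disabled.
# RequirePlatformSecurityFeatures: 1 = Secure Boot, 3 = Secure Boot and DMA protection.
$pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$policyEnableVbs        = Read-RegValue $pol 'EnableVirtualizationBasedSecurity'
$policyPlatformFeatures = Read-RegValue $pol 'RequirePlatformSecurityFeatures'
$policyLsaCfgFlags      = Read-RegValue $pol 'LsaCfgFlags'

[pscustomobject]@{
    Firmware                 = $firmware
    SecureBoot               = $secureBoot
    TpmPresent               = [bool]$tpm
    VbsStatus                = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableSecurityProps   = ($dg.AvailableSecurityProperties | ForEach-Object { $propNames[[int]$_] }) -join ', '
    ServicesConfigured       = ($dg.SecurityServicesConfigured  | ForEach-Object { $svcNames[[int]$_] }) -join ', '
    ServicesRunning          = ($dg.SecurityServicesRunning     | ForEach-Object { $svcNames[[int]$_] }) -join ', '
    PolicyEnableVBS          = $policyEnableVbs
    PolicyPlatformFeatures   = $policyPlatformFeatures
    PolicyLsaCfgFlags        = $policyLsaCfgFlags
} | Format-List

# Verdict. Credential Guard counts as "on" only when it appears in SecurityServicesRunning.
# "Configured but not running" is the state this thread is about: the GPO applied, but the
# guest does not see what VBS needs (UEFI, Secure Boot, virtualization extensions from the host).
if ($dg.SecurityServicesRunning -contains 1) {
    Write-Host 'Credential Guard is running.'
} elseif ($dg.SecurityServicesConfigured -contains 1) {
    Write-Host 'Credential Guard is configured by policy but NOT running; check the prerequisites above.'
} else {
    Write-Host 'Credential Guard is not configured.'
}
```

If AvailableSecurityProps lacks "Base VBS support" the host is not exposing virtualization extensions to the guest, and no GPO setting will change that; if Firmware is Legacy the VM was created in BIOS mode and needs to be rebuilt as a UEFI VM first. A PolicyLsaCfgFlags of 1 means the UEFI lock is requested, which is the setting that stops an attacker with local admin from turning Credential Guard off with a registry change.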

No feedback from anyone?

Apparently VMware is supporting this too:

https://blogs.vmware.com/vsphere/2018/05/introducing-support-virtualization-based-security-credential-guard-vsphere-6-7.html

So, has anyone put this to work on AHV?


Hi stevecharon and @SunilM

Support of Windows Defender Credential Guard is definitely coming. I am not able to disclose the details right now. All I can say is soon.

I would like to also encourage you to look at the document that is the most relevant to the version you are running on.

UEFI guest VMs have been supported since 5.11. AHV Administration Guide 5.15: UEFI Support for VM.
