1. Introduction
Windows Credential Guard is disabled on the remote Windows host. This security feature protects sensitive credentials, such as NTLM password hashes and Kerberos tickets, from theft by attackers. Systems running Windows 10 Enterprise or later are typically affected. A successful attack could compromise user accounts and allow access to protected resources. Impact: Confidentiality, Integrity, Availability may be compromised if credentials are stolen.
2. Technical Explanation
Windows Credential Guard is disabled by default on some Windows installations. When disabled, attackers can use techniques like Pass-the-Hash or Pass-The-Ticket to steal and reuse credentials. An attacker needs local access to the system to confirm this setting. There is no specific CVE associated with a disabled state; it’s a configuration issue. For example, an attacker gaining local admin rights could dump password hashes from memory if Credential Guard isn’t running.
- Root cause: The feature is not enabled in the system configuration.
- Exploit mechanism: An attacker gains local access and uses tools like Mimikatz to extract credentials from memory.
- Scope: Windows 10 Enterprise, Windows Server 2016 and later.
3. Detection and Assessment
You can check if Credential Guard is running using system information or the command line. A thorough assessment involves reviewing Group Policy settings.
- Quick checks: Open System Information (msinfo32.exe) and look for “Credential Guard” under “System Summary”. If it says “Not Enabled”, the feature is off.
- Scanning: Nessus plugin ID 16849 can identify this issue.
- Logs and evidence: Event ID 7036 in the System event log may indicate issues with Credential Guard startup.
- Registry check: query the Credential Guard configuration value (absent or 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock):
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags
4. Solution / Remediation Steps
Enable Windows Credential Guard according to your organisation’s security policies.
4.1 Preparation
- Ensure you have local administrator rights and understand the potential impact of enabling Credential Guard. Roll back by disabling Credential Guard via Group Policy or registry settings if issues occur.
- A change window may be needed, depending on your organisation’s policies. Approval from a security team lead might also be required.
4.2 Implementation
- Step 1: Open the Local Group Policy Editor (gpedit.msc).
- Step 2: Navigate to Computer Configuration > Administrative Templates > System > Device Guard.
- Step 3: Double-click “Turn On Virtualization Based Security”.
- Step 4: Select “Enabled”, set “Credential Guard Configuration” to “Enabled with UEFI lock” or “Enabled without lock” (enabling VBS alone does not turn on Credential Guard), and configure the remaining settings as per your security guidelines.
- Step 5: Restart the system for the changes to take effect.
4.3 Config or Code Example
Before (Credential Guard disabled: the LsaCfgFlags value is absent or 0)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags
After (Credential Guard enabled: LsaCfgFlags is 1 with UEFI lock or 2 without lock)
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags
4.4 Security Practices Relevant to This Vulnerability
Several security practices can help prevent credential theft.
- Practice 1: Least privilege reduces the impact if an attacker gains access. Limit user rights and permissions.
- Practice 2: Patch cadence ensures systems are up-to-date with the latest security fixes. Regularly install Windows updates.
4.5 Automation (Optional)
PowerShell can be used to enable Credential Guard on multiple systems.
# Enable Virtualization Based Security and Credential Guard using the documented registry values; restart afterwards
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v EnableVirtualizationBasedSecurity /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags /t REG_DWORD /d 1 /f
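The following script is an added example for this section, not code from the original page or from Microsoft: it applies the registry values that Microsoft documents for Credential Guard to a list of hosts over PowerShell Remoting and reports the before/after state so the change can be reviewed and rolled back. The host names are constructed placeholders; it assumes local administrator rights on each target and WinRM enabled, and does not itself restart the machines.

```powershell
# Added example: enable VBS and Credential Guard on several hosts via the documented
# registry values. Host names are constructed placeholders. Requires admin rights on each
# target and PowerShell Remoting (WinRM). A restart is needed for the change to take effect.
param(
    [string[]] $ComputerName = @('WS-EXAMPLE-01', 'WS-EXAMPLE-02'),  # placeholders
    [switch]   $UefiLock   # lock the setting in UEFI so it cannot be turned off remotely
)

# LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock
$lsaFlags = if ($UefiLock) { 1 } else { 2 }

$remediate = {
    param([int] $LsaCfgFlags)

    $dg  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if (-not (Test-Path $dg)) { New-Item -Path $dg -Force | Out-Null }

    # Record the current state so the change can be reviewed and rolled back.
    $before = (Get-ItemProperty -Path $lsa -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # 1. Turn on virtualization-based security; RequirePlatformSecurityFeatures 1 = Secure Boot,
    #    3 = Secure Boot plus DMA protection.
    New-ItemProperty -Path $dg -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dg -Name RequirePlatformSecurityFeatures  -PropertyType DWord -Value 1 -Force | Out-Null

    # 2. Turn on Credential Guard itself.
    New-ItemProperty -Path $lsa -Name LsaCfgFlags -PropertyType DWord -Value $LsaCfgFlags -Force | Out-Null

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        LsaCfgBefore = if ($null -eq $before) { 'absent' } else { $before }
        LsaCfgAfter  = (Get-ItemProperty -Path $lsa -Name LsaCfgFlags).LsaCfgFlags
        RebootNeeded = $true
    }
}

Invoke-Command -ComputerName $ComputerName -ScriptBlock $remediate -ArgumentList $lsaFlags |
    Format-Table Computer, LsaCfgBefore, LsaCfgAfter, RebootNeeded -AutoSize
```

Run it during the approved change window, keep the "LsaCfgBefore" column as the rollback record, and schedule the restart separately; until the restart the registry shows Credential Guard as configured but it is not yet running.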
5. Verification / Validation
- Post-fix check: Open System Information (msinfo32.exe) and verify “Credential Guard” shows “Enabled” under “System Summary”.
- Re-test: Re-run the Nessus scan (plugin ID 16849) to confirm the vulnerability is no longer detected.
- Smoke test: Verify users can log in normally and access key applications.
- Monitoring: Check Event Viewer for errors related to Credential Guard startup or operation.
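The script below is an added example for the detection checks in section 3 and the post-fix verification above; it is not part of the original page or of Microsoft's documentation. It reads the Win32_DeviceGuard WMI class that Microsoft documents for this purpose, in which Credential Guard is reported as service id 1, alongside the LsaCfgFlags registry value, and distinguishes "not configured" (the finding on this page) from "configured but not running" (typically a pending reboot or a missing platform requirement such as Secure Boot). It runs locally by default; remote hosts are assumed to have WinRM enabled.

```powershell
# Added example: report whether Credential Guard is configured and actually running.
# Local by default; remote hosts (assumed to have WinRM enabled) can be passed in.
param([string[]] $ComputerName = @($env:COMPUTERNAME))

$check = {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                  -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    # In SecurityServicesConfigured / SecurityServicesRunning, id 1 is Credential Guard.
    $configured = $dg.SecurityServicesConfigured -contains 1
    $running    = $dg.SecurityServicesRunning    -contains 1

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled, not running' } 2 { 'Running' } default { 'Unknown' }
    }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        VBS          = $vbs
        CGConfigured = $configured
        CGRunning    = $running
        LsaCfgFlags  = if ($null -eq $lsaFlags) { 'absent' } else { $lsaFlags }
        Status       = if ($running) { 'Compliant' }
                       elseif ($configured) { 'Configured, needs reboot or prerequisites' }
                       else { 'NOT ENABLED' }
    }
}

$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME -or $c -ieq 'localhost') { & $check }
    else { Invoke-Command -ComputerName $c -ScriptBlock $check }
}
$results | Format-Table Computer, VBS, CGConfigured, CGRunning, LsaCfgFlags, Status -AutoSize
```

A host is only fixed when "CGRunning" is true; "CGConfigured" true with "CGRunning" false after a restart points to an unmet requirement (Secure Boot, hypervisor support) rather than a policy problem, and the System event log is the place to look next, as the Monitoring bullet above says.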
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v LsaCfgFlags
6. Preventive Measures and Monitoring
Update security baselines and implement checks in your deployment process.
- Baselines: Update your Windows security baseline to require Credential Guard to be enabled.
- Pipelines: Include a check in your CI/CD pipeline to verify Credential Guard is enabled on new systems.
- Asset and patch process: Review configurations regularly as part of your asset management program.
7. Risks, Side Effects, and Roll Back
Enabling Credential Guard may cause compatibility issues with some older applications or hardware.
- Roll back: 1) Open the Local Group Policy Editor (gpedit.msc). 2) Navigate to Computer Configuration > Administrative Templates > System > Device Guard. 3) Double-click “Turn On Virtualization Based Security”. 4) Select “Disabled” or “Not Configured”. 5) Restart the system.
8. References and Resources
Links to official documentation.
- Vendor advisory or bulletin: https://learn.microsoft.com/en-us/windows/security/threats/virtualization-based-security
- NVD or CVE entry: Not applicable, as this is a configuration issue.
- Product or platform documentation relevant to the fix: https://learn.microsoft.com/en-us/windows/security/implementation/credential-guard