
How to remediate – Windows Credential Guard Status

1. Introduction

The Windows Credential Guard Status check reports whether Windows Credential Guard is enabled and running. This feature protects login credentials such as NTLM password hashes, Kerberos tickets and domain credentials from theft. It is typically found on servers and workstations running recent versions of Windows. A successful attack could lead to compromise of user accounts and data. Confidentiality, integrity and availability may be impacted if credentials are stolen.

2. Technical Explanation

Windows Credential Guard uses virtualisation-based security to isolate sensitive credentials from the rest of the operating system, including malicious software running with administrative rights. The weakness arises when the feature is not enabled or is misconfigured, leaving credentials held in LSASS memory exposed to attacks such as Pass-the-Hash or Pass-the-Ticket. An attacker who steals these credentials can use them to gain access to other systems and data.

  • Root cause: Credential Guard may be disabled or improperly configured.
  • Exploit mechanism: Attackers attempt to extract credentials from memory using tools like Mimikatz if Credential Guard is not active.
  • Scope: Windows 10 version 1607 and later, and Windows Server 2016 and later are affected.

3. Detection and Assessment

You can check the status of Credential Guard using system information tools or command-line utilities. A thorough assessment involves reviewing security logs for related events.

  • Quick checks: Use PowerShell to retrieve the current status.
  • Scanning: Nessus plugin ID 8c8c37 can identify systems where Credential Guard is not enabled. This is an example only.
  • Logs and evidence: Check the Event Logs for events related to Virtualisation-Based Security (VBS). Look in the Microsoft-Windows/Kernel-Security log.

```powershell
# Credential Guard state is exposed by the Win32_DeviceGuard CIM class.
# SecurityServicesRunning containing 1 means Credential Guard is running; 2 is HVCI.
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
  Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning
```

4. Solution / Remediation Steps

Enable and configure Windows Credential Guard to protect credentials. Follow these steps carefully to avoid service disruptions.

4.1 Preparation

  • Ensure your systems meet the hardware requirements for Virtualisation-Based Security (VBS). Take a snapshot or backup beforehand; the roll back plan is to revert to the previous system state using that snapshot.
  • A change window may be needed, and approval from security teams should be sought.

4.2 Implementation

  1. Enable the UEFI/BIOS prerequisites for Virtualisation-Based Security (VBS): hardware virtualisation extensions and Secure Boot.
  2. Use Group Policy or PowerShell to enable Credential Guard. The Group Policy setting is Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security, with Credential Guard Configuration set to Enabled. The equivalent PowerShell writes the documented registry values:

```powershell
# EnableVirtualizationBasedSecurity 1 turns on VBS; LsaCfgFlags 1 = Credential Guard with UEFI lock, 2 = without lock
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name LsaCfgFlags -PropertyType DWord -Value 1 -Force
```

  3. Restart the system for the changes to take effect.
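The three steps above as one idempotent function, added here as an example rather than code from the original article: it checks the platform properties Windows reports before writing the documented registry values, and tells the caller whether a restart is still needed. The function name and the UefiLock parameter are this example's own.

```powershell
# Added example (not from the original article): enable Credential Guard on the
# local machine via the documented registry values after checking that the
# platform reports the VBS prerequisites. Run elevated; a restart is still required.
function Enable-CredentialGuardLocal {
    param(
        # $true writes LsaCfgFlags=1 (UEFI lock: cannot be turned off remotely),
        # $false writes LsaCfgFlags=2 (no lock, easier to roll back)
        [bool]$UefiLock = $false
    )
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # AvailableSecurityProperties: 1 = base virtualization support, 2 = Secure Boot, 3 = DMA protection
    $avail = @($dg.AvailableSecurityProperties)
    if (-not ($avail -contains 1)) {
        throw 'Hardware virtualisation is not available to Windows; enable it in UEFI/BIOS first.'
    }
    if (-not ($avail -contains 2)) {
        throw 'Secure Boot is not available; enable it in UEFI/BIOS first.'
    }
    # RequirePlatformSecurityFeatures: 1 = require Secure Boot, 3 = Secure Boot + DMA protection
    $platform = if ($avail -contains 3) { 3 } else { 1 }
    $dgKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    if (-not (Test-Path $dgKey)) { New-Item -Path $dgKey -Force | Out-Null }
    New-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -PropertyType DWord -Value $platform -Force | Out-Null
    $flags = if ($UefiLock) { 1 } else { 2 }
    New-ItemProperty -Path $lsaKey -Name LsaCfgFlags -PropertyType DWord -Value $flags -Force | Out-Null
    # SecurityServicesRunning contains 1 only once Credential Guard is actually running;
    # until the restart that made the new values effective it will not be.
    $running = @($dg.SecurityServicesRunning) -contains 1
    [pscustomobject]@{
        LsaCfgFlags                     = $flags
        RequirePlatformSecurityFeatures = $platform
        RebootRequired                  = -not $running
    }
}

Enable-CredentialGuardLocal -UefiLock:$false
```

Leave UefiLock at $false during the change window so the setting can be reverted from the registry; with the UEFI lock set, disabling requires a local, physically present action at boot.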

4.3 Config or Code Example

Before

```powershell
# Before remediation: LsaCfgFlags is 0 or absent, and VBS reports Credential Guard
# (value 1) neither configured nor running
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name LsaCfgFlags -ErrorAction SilentlyContinue
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
  Select-Object VirtualizationBasedSecurityStatus, SecurityServicesRunning
```

After

```powershell
# After remediation and restart: LsaCfgFlags is 1 (UEFI lock) or 2 (no lock),
# VirtualizationBasedSecurityStatus is 2 (running) and SecurityServicesRunning contains 1
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name LsaCfgFlags
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
  Select-Object VirtualizationBasedSecurityStatus, SecurityServicesRunning
```

4.4 Security Practices Relevant to This Vulnerability

Several security practices can help prevent credential theft and protect systems from attack. Least privilege reduces the impact if credentials are compromised. Input validation blocks unsafe data. Patch cadence ensures timely updates for known vulnerabilities.

  • Practice 1: Implement least privilege principles to limit user access rights.
  • Practice 2: Regularly patch systems to address security vulnerabilities.

4.5 Automation (Optional)

```powershell
# Example PowerShell script to enable Credential Guard on multiple systems
# Requires remote management enabled (WinRM); each system still needs a restart afterwards
$computers = @("host1", "host2")  # placeholder names; replace with your target list
Invoke-Command -ComputerName $computers -ScriptBlock {
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name EnableVirtualizationBasedSecurity -PropertyType DWord -Value 1 -Force | Out-Null
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" -Name RequirePlatformSecurityFeatures -PropertyType DWord -Value 1 -Force | Out-Null
  New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\LSA" -Name LsaCfgFlags -PropertyType DWord -Value 1 -Force | Out-Null
}
```

5. Verification / Validation

  • Post-fix check: Query the Win32_DeviceGuard class with PowerShell. Expected output should show VirtualizationBasedSecurityStatus as 2 and SecurityServicesRunning containing 1 (Credential Guard).
  • Re-test: Re-run the Nessus scan (ID 8c8c37) to confirm it no longer reports the vulnerability.
  • Monitoring: Monitor Event Logs for events related to VBS and Credential Guard, looking for errors or unexpected behaviour.

```powershell
Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard |
  Select-Object VirtualizationBasedSecurityStatus, SecurityServicesConfigured, SecurityServicesRunning
```
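The detection checks in section 3 and the verification in section 5 combined into one function, added here as an example and not part of the original article: it compares the registry policy, the VBS runtime view, the isolated LSA process and the WinInit start event, and passes only when all four agree. The function name and the Compliant field are this example's own.

```powershell
# Added example (not from the original article): gather Credential Guard evidence
# from several independent sources and return one object. Run elevated.
function Test-CredentialGuardStatus {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesConfigured / SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $configured = @($dg.SecurityServicesConfigured) -contains 1
    $running    = @($dg.SecurityServicesRunning)    -contains 1
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = [int]$dg.VirtualizationBasedSecurityStatus
    # Registry/policy view (LsaCfgFlags: 1 = on with UEFI lock, 2 = on without lock)
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $flags = if ($lsa) { [int]$lsa.LsaCfgFlags } else { 0 }
    # The isolated LSA process (LsaIso.exe) exists only while Credential Guard is running
    $lsaIso = Get-Process -Name LsaIso -ErrorAction SilentlyContinue
    # System log, provider Microsoft-Windows-Wininit, event ID 13:
    # "Credential Guard (LsaIso.exe) was started and will protect LSA credentials"
    $evt = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'; Id = 13 } `
               -MaxEvents 1 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        VbsStatus                 = $vbs
        CredentialGuardConfigured = $configured
        CredentialGuardRunning    = $running
        LsaCfgFlags               = $flags
        LsaIsoProcess             = [bool]$lsaIso
        LastStartEvent            = if ($evt) { $evt.TimeCreated } else { $null }
        # Pass only when policy, runtime state and process evidence all agree
        Compliant                 = ($vbs -eq 2) -and $running -and (@(1, 2) -contains $flags) -and [bool]$lsaIso
    }
}

Test-CredentialGuardStatus | Format-List
```

A mismatch between the fields is itself a finding: LsaCfgFlags set but CredentialGuardRunning false usually means the restart has not happened yet or a VBS prerequisite is missing, while a running state with LsaCfgFlags 0 indicates the setting is coming from a policy key rather than the local control set.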

6. Preventive Measures and Monitoring

  • Baselines: Update your security baseline or policy (for example, CIS control 14) to require Credential Guard enabled.
  • Pipelines: Add checks in CI/CD pipelines to verify Credential Guard is enabled during deployment.
  • Asset and patch process: Review patches weekly for critical vulnerabilities related to Windows security features.

7. Risks, Side Effects, and Roll Back

8. References and Resources

Updated on October 26, 2025
