Enable Windows Defender Credential Guard via PowerShell

To enable Windows Defender Credential Guard via PowerShell, you need to ensure that your system meets the required prerequisites (such as Hyper-V and hardware virtualization support). Below are the steps to enable Credential Guard using PowerShell:

Step 1: Verify Prerequisites

Before enabling Credential Guard, you need to ensure that your system meets the following prerequisites:

• Windows 10 Enterprise or Windows Server 2016 and later.
• Hardware Virtualization support (Intel VT-x or AMD-V) enabled in BIOS/UEFI.
• Hyper-V must be enabled on the system.
• TPM 2.0 is recommended but not strictly required.
• UEFI firmware is required (BIOS-based systems will not work).

You can check if your system supports virtualization by running the following command in PowerShell:

systeminfo | Select-String "Virtualization"

If virtualization is supported, you'll see an entry like VM Monitor Mode Extensions: Yes or Hyper-V Requirements: Yes.

Step 2: Enable Hyper-V (if not already enabled)

Credential Guard relies on Hyper-V to create a virtualized security environment. If Hyper-V is not already enabled, you can enable it using the following PowerShell command:

Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -All -NoRestart

This command enables all necessary Hyper-V features. Once executed, you should restart the system to apply the changes.

Step 3: Enable Windows Defender Credential Guard via PowerShell

Now, you can enable Credential Guard by modifying the registry settings. Run the following PowerShell commands as an Administrator:

1. Enable Virtualization-Based Security (VBS) and Credential Guard:

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name EnableVirtualizationBasedSecurity -Value 1
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name RequirePlatformSecurityFeatures -Value 1
Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name LsaCfgFlags -Value 1

2. Configure Credential Guard for UEFI Lock (optional but recommended for security):

Set-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\DeviceGuard" -Name EnableHypervisorEnforcedCodeIntegrity -Value 1

3. Enable the Credential Guard setting for the system:

Enable-WindowsOptionalFeature -Online -FeatureName DeviceGuard -All -NoRestart

This command ensures that Device Guard and Credential Guard are both enabled.

Step 4: Reboot the System

After applying the registry changes and enabling Hyper-V, you must restart the system for the settings to take effect.

Restart-Computer

Step 5: Verify Credential Guard is Enabled

After the system has rebooted, you can verify that Windows Defender Credential Guard is enabled using the following command:

Get-WmiObject -Class Win32_ComputerSystem | Select-Object -Property Name, Domain, CredentialGuardEnabled

Alternatively, you can use System Information to verify:

1. Press Win + R and type msinfo32 to open System Information.
2. Look for the Device Guard section.
   • If Credential Guard is enabled, it will show Running.

Additional Notes:

• Group Policy and Registry Changes: The steps above make the necessary registry changes to enable Credential Guard via PowerShell. These settings could also be managed through Group Policy in an Active Directory environment.
• Hyper-V: If you don’t want to enable Hyper-V on your system for other reasons, you cannot enable Credential Guard. It relies on the Hyper-V hypervisor to isolate credentials.

By following these steps, Windows Defender Credential Guard will be enabled via PowerShell on your system, helping to protect sensitive authentication information from being extracted or manipulated by attackers.