ElieAT
Dec 28, 2022 (Iron Contributor)
Credential Guard
Hello,
Kindly need to know: if I enable Credential Guard, with or without lock, from Intune for all users, will it cause business disruption?
Regards,
- Hi,
To get the complete feature set of Credential Guard, you have to enable the following:
1) Secure boot
2) Trusted Platform Module (TPM) min. version 1.2 and above
3) Virtualization based security
There won't be any major impact on the devices when you enable these options, but to be on the safer side I would recommend that you test with both existing (already registered) and new devices.
Let me know how it goes.
Thanks!
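A read-only readiness check for the three prerequisites listed in the answer above, as an added example that is not part of the original thread. It assumes an elevated PowerShell session on the device being assessed; the function name `Get-CredentialGuardReadiness` and the output property names are hypothetical.

```powershell
# Added example, not from the thread. Read-only; run in an elevated session.
function Get-CredentialGuardReadiness {
    # 1) Secure Boot. The cmdlet throws on legacy BIOS firmware, so treat errors as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    # 2) TPM presence and spec version (the answer above asks for 1.2 or later).
    $tpmPresent = $false
    $tpmVersion = $null
    try { $tpmPresent = [bool](Get-Tpm -ErrorAction Stop).TpmPresent } catch { }
    $tpmWmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
        -ClassName Win32_Tpm -ErrorAction SilentlyContinue | Select-Object -First 1
    if ($tpmWmi -and $tpmWmi.SpecVersion) {
        # SpecVersion looks like "2.0, 0, 1.38"; the first field is the TPM spec version.
        $tpmVersion = [version](($tpmWmi.SpecVersion -split ',')[0].Trim())
    }
    $tpmOk = [bool]($tpmPresent -and $tpmVersion -and ($tpmVersion -ge [version]'1.2'))

    # 3) Virtualization-based security, as reported by the Device Guard WMI class.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $vbsStatus = 'Unknown'
    if ($dg) {
        $vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
            0 { 'NotEnabled' }
            1 { 'EnabledNotRunning' }
            2 { 'Running' }
            default { 'Unknown' }
        }
    }
    # AvailableSecurityProperties contains 1 when hypervisor support is available.
    $hypervisorOk = [bool]($dg -and ($dg.AvailableSecurityProperties -contains 1))

    [pscustomobject]@{
        ComputerName              = $env:COMPUTERNAME
        SecureBootEnabled         = $secureBoot
        TpmPresent                = $tpmPresent
        TpmSpecVersion            = $tpmVersion
        HypervisorSupport         = $hypervisorOk
        VbsStatus                 = $vbsStatus
        # In the SecurityServices* arrays, 1 denotes Credential Guard.
        CredentialGuardConfigured = [bool]($dg -and ($dg.SecurityServicesConfigured -contains 1))
        CredentialGuardRunning    = [bool]($dg -and ($dg.SecurityServicesRunning -contains 1))
        MeetsPrerequisites        = [bool]($secureBoot -and $tpmOk -and $hypervisorOk)
    }
}

Get-CredentialGuardReadiness | Format-List
```

Running it on a pilot group of existing and new devices before and after the policy is assigned shows which machines lack a prerequisite and whether Credential Guard actually moved from configured to running.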
10 Replies
- Krishnakumar_M (Copper Contributor)
Hi, enabling Credential Guard will not cause any disruptions. If you are using these protocols (NTLMv1, MS-CHAPv2, Digest, and CredSSP), they can't use the signed-in credentials already stored; instead it will prompt for credentials or use credentials stored in the Windows vault. If you have any important sign-in credentials stored, it is recommended to remove those from these legacy protocols. Hope it answers your question!
- ElieAT (Iron Contributor)
Okay, thanks.
For those:
Secure Platform Security Level
Virtualization Based Protection of Code Integrity (Require UEFI Memory Attributes Table)
Credential Guard Configuration
Secure Launch Configuration
I can enable them on devices, and if some of them don't have the requirement, what will happen?
- Krishnakumar_M (Copper Contributor)
Virtualization Based Protection of Code Integrity - Kernel mode memory protections are enforced when this option is enabled.
Credential Guard - Make sure this is enabled before the device onboarding is completed or joined to a domain.
I would suggest you enable these settings on a test machine and observe the behaviour before you enable them on the user devices.
- Happen to have read my (old) blog about Credential Guard and why I should always enable the lock?
https://call4cloud.nl/2021/07/a-walk-among-the-credential-guards/
- ElieAT (Iron Contributor)
The blog helped, but what should I configure for those options?
Secure Platform Security Level
Virtualization Based Protection of Code Integrity (Require UEFI Memory Attributes Table)
Credential Guard Configuration
Secure Launch Configuration
I want to enable them without crashes if some of the devices don't have them.