Forum Discussion

ElieAT's avatar
ElieAT
Iron Contributor
Dec 28, 2022
Solved

Credential Guard

Hello,   Kindly need to know if i enable credential guard with or without lock from intune to all users it will cause business disruption?   Regards,    
Intune
Mobile Application Management (MAM)
  • Krishnakumar_M's avatar
    Krishnakumar_M
    Jan 04, 2023
    Hi ,
    To get complete feature of Credential Guard, you have to enable the below :
    1) Secure boot
    2) Trusted Platform Module (TPM) min. version 1.2 and above
    3) Virtualization based security

    There wont be any major impacts on the devices when you enable these options, but on a safer side I would recommend you to test with both existing (already registered) and new device.
    Let me know how it goes..

    Thanks !

Krishnakumar_M's avatar
Krishnakumar_M
Brass Contributor
Dec 28, 2022
Hi, Enabling credential guard will not cause any disruptions, if you are using these protocols NTLMv1, MS-CHAPv2, Digest, and CredSSP they can't use the signed-in credentials already stored, instead it will prompt for credentials or would use credentials stored in Windows vault. If you have any important sign-in credentials stored, it is recommended to remove those from these legacy protocols. Hope it answers your question !
ElieAT's avatar
ElieAT
Iron Contributor
Dec 28, 2022
Okay thanks

for those:

Secure Platform Security Level
Virtualization Based Protection of Code Integrity ( Require UEFI Memory Attributes Table)
Credential Guard Configuration
Secure Launch Configuration

I can enable them on devices and if some of them doesnt have the requirement what will happen?

  • Krishnakumar_M's avatar
    Krishnakumar_M
    Brass Contributor
    Jan 03, 2023
    Virtualization Based Protection of Code Integrity - Kernel mode memory protections are enforced when this option is enabled.
    Credential Guard - Make sure this is enabled before the device onboarding is completed or joined to a domain.

    I would suggest you to enable this settings on test machine and observe the behaviour before you enable it on the user devices.
    • ElieAT's avatar
      ElieAT
      Iron Contributor
      Jan 03, 2023

      Hello Krishnakumar_M,

       

      If i enable the credential guard without the virtual based protection it will work?

       

      Regards,

       

       

      • Krishnakumar_M's avatar
        Krishnakumar_M
        Brass Contributor
        Jan 04, 2023
        Hi ,
        To get complete feature of Credential Guard, you have to enable the below :
        1) Secure boot
        2) Trusted Platform Module (TPM) min. version 1.2 and above
        3) Virtualization based security

        There wont be any major impacts on the devices when you enable these options, but on a safer side I would recommend you to test with both existing (already registered) and new device.
        Let me know how it goes..

        Thanks !

Resources