Credential Guard on an AMD/Gigabyte system

Recently at work we have been rolling out Credential Guard on our Windows clients. I didn’t know that much about it, so I did some research: https://www.youtube.com/watch?v=urqXgBbVyWY this is a decent video that goes over what Credential Guard does. The high level bits are; it uses Hyper-V to create a secure container that holds your credentials. Then if your main Windows environment is compromised, in theory, the badie cant see your network hash and use it to gain access to stuff. This is just a quick post in case you haven’t heard or dug into a cool new security feature.

There are a few requirements to run Credential Guard, the first is you need Intel or AMD hardware support for virtualization which basically any system in the last 5+ years should easily have. You also have to be running with UEFI and Secure Boot enabled. Both are a good idea anyway, its 2020. This Microsoft page has a PowerShell script you can use to test if your machine is ready and enable bits you need on Windows, https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard-manage .

The easiest way to check if its working, or even configured is to type “msinfo32” in the start menu. Then you can see which security tools are running and which are just configured. This is a nice panel because you can easily see if SecureBoot and Credential Guard are working. There are lots of guides on how to get this working, I want to go over some of the caveats to running this.

Caveat 1: Credential Guard breaks Single Sign On for 802.1x connections. This forces you to use certificate auth with User/Machine level certs. https://www.neighborgeek.net/2016/08/windows-10-credential-guard-breaks-wifi.html for more on that.

Caveat 2: Be careful with your motherboard. I have an AMD system I deployed this on, to get SecureBoot working I had to disable CSM (Compatibility Support Module), and after rebooting not only did my keyboard not want to work, but I had to enter my Bitlocker recovery key. That I should have remembered since I made a UEFI change. The keyboard issue seems to be the B350 motherboard in Fast Boot mode has issues with some USB keyboards. After disabling FastBoot that I got it working happily. With an NVME drive, letting the machine fully load each time and not using fast booting only delays the system a couple of seconds, but lets all the devices initialize.