Security Focus: Check Credential Guard Status with PowerShell
In Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket.
Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.
More on Credential Guard here.
First up, how do you check if it's configured with PowerShell?
$DevGuard = Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
if ($DevGuard.SecurityServicesConfigured -contains 1) {"Credential Guard configured"}
Now, how to check that Credential Guard is running...
if ($DevGuard.SecurityServicesRunning -contains 1) {"Credential Guard running"}
Excellent, so I have credential guard configured and running on this particular host!