Microsoft has released a Device Guard and Credential Guard Hardware Readiness Tool that will allow customers to enable Device Guard or Credential Guard & check if their Windows 11/10 or Windows Server hardware is ready for it.
Device Guard is a group of key features, designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.
Credential Guard is a specific feature that is not part of Device Guard that aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector.
The two are different, but complimentary as they offer different protections against different types of threats. Let’s dive in and take a logical approach to understanding each. It’s worth noting here that these are enterprise features, and as such are included only in the Windows Enterprise client.
Device Guard is a firmware that will not let un-authenticated, unsigned, unauthorized programs as well as operating systems to load. It is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications.
Credential Guard is one of the main security features available with Windows 11/10. It allows protection against hacking of domain credentials thereby preventing hackers from taking over the enterprise networks. Along with features like Device Guard and Secure Boot, Windows 11/10 is more secure than any of the previous Windows operating system.
Device Guard and Credential Guard Hardware Readiness Tool
This tool is a Windows PowerShell script and needs to run with elevated permissions.
It can be used in the following ways:
- Check the status of Device Guard or Credential Guard on the system
- Check if the hardware can run Device Guard or Credential Guard and is compatible with the Hardware Lab Kit tests
- Enable and disable Device Guard or Credential Guard
- Integrate with System Center Configuration Manager
- Use an embedded ConfigCI policy in audit mode.
You can download it from Microsoft.