Domain Member: Must be running Credential Guard on domain-joined members


Credential Guard uses virtualization-based security to protect information that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.

Not this applyes only to domain-joined computers that are NOT domain controllers.


To fix this configure the policy value for
Computer Configuration
|_ Administrative Templates
|_ System
|_ Device Guard
|_ "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:".

2019: /
2016: /

W10: /

Virtualization-based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.

For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.

For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations.

v1507 LTSB does not include selection options; select "Enable Credential Guard".

A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link:

Nist 800-53: SI-16
Nist 800-171 Rev2: NFO - SI-16
CSCv7: 5.1