Domain Member: Must be running Credential Guard on domain-joined members

52b8eaca-e97b-4b7b-bda8-2f67dd947dbc

Credential Guard uses virtualization-based security to protect information that could be used in credential theft attacks if compromised. This authentication information, which was stored in the Local Security Authority (LSA) in previous versions of Windows, is isolated from the rest of operating system and can only be accessed by privileged system software.

Not this applyes only to domain-joined computers that are NOT domain controllers.

Remediation

To fix this configure the policy value for
Computer Configuration
|_ Administrative Templates
|_ System
|_ Device Guard
|_ "Turn On Virtualization Based Security" to "Enabled" with "Enabled with UEFI lock" selected for "Credential Guard Configuration:".

STIG:
Server:
2022: https://www.stigviewer.com/stig/microsoft_windows_server_2022/2023-09-11/finding/V-254441
2019: https://www.stigviewer.com/stig/microsoft_windows_server_2019/2023-09-11/finding/V-205907 / https://www.stigviewer.com/stig/windows_server_2019/2020-06-15/finding/V-93277
2016: https://www.stigviewer.com/stig/microsoft_windows_server_2016/2023-08-22/finding/V-225012 / https://www.stigviewer.com/stig/windows_server_2016/2020-06-16/finding/V-73515

Desktop:
W11: https://www.stigviewer.com/stig/microsoft_windows_11/2023-09-29/finding/V-253370
W10: https://www.stigviewer.com/stig/microsoft_windows_10/2023-09-29/finding/V-220812 / https://www.stigviewer.com/stig/windows_10/2021-08-18/finding/V-220812

NOTES:
Virtualization-based security, including Credential Guard, currently cannot be implemented in virtual desktop implementations (VDI) due to specific supporting requirements including a TPM, UEFI with Secure Boot, and the capability to run the Hyper-V feature within the virtual desktop.

For VDIs where the virtual desktop instance is deleted or refreshed upon logoff, this is NA.

For VDIs with persistent desktops, this may be downgraded to a CAT II only where administrators have specific tokens for the VDI. Administrator accounts on virtual desktops must only be used on systems in the VDI; they may not have administrative privileges on any other systems such as servers and physical workstations.

v1507 LTSB does not include selection options; select "Enable Credential Guard".

A Microsoft TechNet article on Credential Guard, including system requirement details, can be found at the following link:
https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard

Nist 800-53: SI-16
Nist 800-171 Rev2: NFO - SI-16
CSCv7: 5.1