Credential Guard w/o Hyper-V Hypervisor? – NO!

Starting Windows 10 1607 the pre-installation of Hyper-V Hypervisor for Credential Guard is no longer necessary (s. Protect derived domain credentials with Credential Guard).

After activating Credential Guard via GPO or registry the process lsaIso.exe is running.


Msinfo32 is showing Credential Guard activated and a hypervisor is detected.


But Windows Features shows Hyper-V Hypervisor not activated.


So where is the security coming from?

It is the Hyper-V Hypervisor.
Even if

Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V*"

still shows Hyper-V disabled,

Get-Service -Name "HV*"

shows the “HV Host” service is running.


The idea is to reduce the attack vector on the hypervisor, since no management tools or PowerShell modules are installed.
It also solves an issue in Hyper-V modularization. If only Hyper-V Hypervisor is installed via GUI or PowerShell, 5 devices will show up in device manager w/o drivers:
So, if Hyper-V is not required for running VMs, this increases the security and it simplifies the deployment since installing and activating Hyper-V requires two additional reboots.

2 thoughts on “Credential Guard w/o Hyper-V Hypervisor? – NO!

  1. Wow I just went through the trouble of enabling *just* Hyper-V Hypervisor in our MDT gold image for Device Guard / Credential Guard, and then noticed these missing drivers … which freaked me out all morning. This is EXACTLY what is going on in my situation. Wish Microsoft would update their Device Guard pages! I would’ve avoided so much trouble…. Thanks for the post!


    1. Hey davinnicode, glad I could help.
      I discussed the driver issue with Microsoft for a long time. At the end the technical team told me, if I follow the instructions from the documentation team literally with Hypervisor only, the configuration is not supported…


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s