Credential Guard w/o Hyper-V Hypervisor? – NO!

Starting Windows 10 1607 the pre-installation of Hyper-V Hypervisor for Credential Guard is no longer necessary (s. Protect derived domain credentials with Credential Guard).

After activating Credential Guard via GPO or registry the process lsaIso.exe is running.

explorer

Msinfo32 is showing Credential Guard activated and a hypervisor is detected.

SystemInformation

But Windows Features shows Hyper-V Hypervisor not activated.

feature_gui

So where is the security coming from?

It is the Hyper-V Hypervisor.
Even if

Get-WindowsOptionalFeature -Online -FeatureName "Microsoft-Hyper-V*"

still shows Hyper-V disabled,

Get-Service -Name "HV*"

shows the “HV Host” service is running.

HVHost_service

The idea is to reduce the attack vector on the hypervisor, since no management tools or PowerShell modules are installed.
It also solves an issue in Hyper-V modularization. If only Hyper-V Hypervisor is installed via GUI or PowerShell, 5 devices will show up in device manager w/o drivers:
ROOT\VMBUS\0000
ROOT\VID\0000
ROOT\VPCIVSP\0000
ROOT\STORVSP\0000
ROOT\SYNTH3DVSP\0000
So, if Hyper-V is not required for running VMs, this increases the security and it simplifies the deployment since installing and activating Hyper-V requires two additional reboots.

2 thoughts on “Credential Guard w/o Hyper-V Hypervisor? – NO!

  1. Wow I just went through the trouble of enabling *just* Hyper-V Hypervisor in our MDT gold image for Device Guard / Credential Guard, and then noticed these missing drivers … which freaked me out all morning. This is EXACTLY what is going on in my situation. Wish Microsoft would update their Device Guard pages! I would’ve avoided so much trouble…. Thanks for the post!

    Like

    1. Hey davinnicode, glad I could help.
      I discussed the driver issue with Microsoft for a long time. At the end the technical team told me, if I follow the instructions from the documentation team literally with Hypervisor only, the configuration is not supported…

      Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s