Device Guard is a firmware that will not let un-authenticated, unsigned, unauthorized programs as well as operating systems to load. It is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. Credential Guard is a specific feature that is not part of Device Guard that aims to isolate and harden key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. The two are different, but complimentary as they offer different protections against different types of threats. Let’s dive in and take a logical approach to understanding each. It’s worth noting here that these are enterprise features, and as such are included only in the Windows Enterprise client. Credential Guard is one of the main security features available with Windows 11/10. It allows protection against hacking of domain credentials thereby preventing hackers from taking over the enterprise networks. Along with features like Device Guard and Secure Boot, Windows 11/10 is more secure than any of the previous Windows operating system.
Device Guard and Credential Guard Hardware Readiness Tool
This tool is a Windows PowerShell script and needs to run with elevated permissions. It can be used in the following ways:
Check the status of Device Guard or Credential Guard on the systemCheck if the hardware can run Device Guard or Credential Guard and is compatible with the Hardware Lab Kit testsEnable and disable Device Guard or Credential GuardIntegrate with System Center Configuration ManagerUse an embedded ConfigCI policy in audit mode.
You can download it from Microsoft.