Enable Credential Guard for secure credential storage
Enable Credential Guard to protect credentials from attacks by isolating them.
Plain language
Enabling Credential Guard is like putting your most sensitive keys in a safe. It prevents cybercriminals from stealing login details by keeping them securely isolated. Without it, attackers could access sensitive areas of your system, leading to data theft or system damage.
Framework
ASD Essential Eight
Control effect
Preventative
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Official control statement
Credential Guard functionality is enabled.
Why it matters
Without Credential Guard, attackers can steal credentials from memory, enabling unauthorised access to critical systems and increasing breach risk.
Operational notes
Regularly confirm Credential Guard is enabled and running (e.g., via Device Guard/Credential Guard status), as updates or configuration changes can disable it.
Implementation tips
- System administrators should enable Credential Guard on all computers. They can do this by configuring the Group Policy settings for Windows Defender Credential Guard.
- IT teams need to verify that each workstation is compatible with Credential Guard. Check the system requirements and ensure any necessary updates are in place.
- The security officer should work with IT to confirm that Credential Guard is included in the organisation's security policy. They can do this by updating documentation and communicating the change to all staff.
- System administrators should regularly monitor the status of Credential Guard to ensure it remains enabled. Use tools provided in Windows Device Management to check these settings.
Audit / evidence tips
- AskHow does the organisation ensure Credential Guard is enabled on all systems?
- GoodCredential Guard is enabled via Group Policy, and its status is regularly audited and documented
- AskHow does the organisation verify workstation compatibility with Credential Guard?
- GoodThe organisation has documented compatibility checks and update procedures for Credential Guard across all systems
Cross-framework mappings
How E8-RA-ML3.6 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.1 | E8-RA-ML3.6 requires a specific endpoint hardening measure: enabling Credential Guard for secure credential storage | |
| handshake Supports (1) expand_less | ||
| Annex A 5.17 | Annex A 5.17 requires controlled management and secure handling of authentication information | |
ASD ISM
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| ISM-1492 | ISM-1492 requires operating system exploit protection functionality to be enabled to reduce successful exploitation paths | |
| ISM-1897 | ISM-1897 requires enabling Remote Credential Guard to prevent exposure of credentials during remote connections | |
| handshake Supports (6) expand_less | ||
| ISM-1402 | ISM-1402 requires credentials stored on systems to be protected using mechanisms such as password managers, hardware security modules, or... | |
| ISM-1745 | E8-RA-ML3.6 requires enabling Credential Guard to isolate and protect stored credentials on Windows systems | |
| ISM-1749 | ISM-1749 requires cached credentials on endpoints to be limited to one previous logon, reducing stored credential material available afte... | |
| ISM-1829 | ISM-1829 requires that passwords are not stored in Group Policy Preferences (GPP), preventing easy retrieval of privileged credentials fr... | |
| ISM-1861 | ISM-1861 requires LSA protection to be enabled to harden the Local Security Authority process and reduce exposure of authentication secrets | |
| ISM-1896 | ISM-1896 requires memory integrity functionality to be enabled to reduce the risk of credential theft via memory inspection or kernel tam... | |
| link Related (1) expand_less | ||
| ISM-1686 | ISM-1686 requires Credential Guard functionality to be enabled to protect user credentials from unauthorised access | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.