Enable Credential Guard for Credential Protection
Credential Guard is activated to better protect user credentials from unauthorised access.
Plain language
Credential Guard is a security feature that helps to protect your passwords and sensitive login information from being stolen by hackers. If it's not enabled, a cybercriminal could potentially get hold of your login details and access your systems, risking your data and operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML3
Guideline
Guidelines for system hardeningSection
Authentication hardeningTopic
Protecting CredentialsOfficial control statement
Credential Guard functionality is enabled.
Why it matters
Without Credential Guard, attackers can intercept and reuse credentials, potentially leading to unauthorised access and data breaches.
Operational notes
Regularly verify Credential Guard is enabled, running, and reporting expected events to protect credentials from theft and reuse.
Implementation tips
- The IT team should check if the version of Windows used in the organisation supports Credential Guard. They can do this by reviewing Microsoft's list of compatible versions online. It's essential to ensure your operating system is up-to-date and compatible.
- System administrators need to enable Credential Guard through the Windows Group Policy. They can navigate to the system configurations on each computer and turn on Credential Guard by following a step-by-step guide provided by Microsoft or similar sources.
- IT managers should assess the current network infrastructure to ensure Credential Guard is correctly propagated across all devices. This might involve a review meeting with the IT team to discuss what devices need updating and ensure policies are consistently applied.
- Business owners should allocate resources for training staff on the importance of Credential Guard. They can organise short IT workshops to explain how Credential Guard helps keep company data secure and the procedures involved if any issues arise.
- The IT support team should regularly test Credential Guard's functionality by conducting security audits or penetration tests. This will help identify any devices where Credential Guard might not be working correctly and needs attention.
Audit / evidence tips
-
Askthe list of all devices with Credential Guard enabled: Request a comprehensive inventory of all computers and servers where Credential Guard has been activated
Goodshows a complete match between the registered devices and the actual infrastructure
-
AskWindows Group Policy documentation: Request the policy settings document that shows Credential Guard configuration
Goodincludes detailed descriptions and evidence that the policy is enforced across all devices
-
Askdocuments showing staff have been trained about Credential Guard
Goodoutcome demonstrates regular training sessions and positive feedback from staff
-
Askreports showing testing of Credential Guard's effectiveness
Goodreport would highlight successful tests and no major vulnerabilities
-
Askrecords of system updates relevant to Credential Guard: Request logs or documents that show when systems were updated to support Credential Guard
Cross-framework mappings
How ISM-1686 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.1 | ISM-1686 requires enabling Credential Guard as a specific technical control to protect user credentials from unauthorised access on Windo... | |
E8
| Control | Notes | Details |
|---|---|---|
| sync_alt Partially overlaps (2) expand_less | ||
| E8-RA-ML3.5 | ISM-1686 requires Credential Guard functionality to be enabled to better protect credentials in Windows environments | |
| E8-RA-ML3.7 | ISM-1686 requires enabling Credential Guard to protect credentials on endpoints from unauthorised access | |
| link Related (1) expand_less | ||
| E8-RA-ML3.6 | ISM-1686 requires Credential Guard functionality to be enabled to protect user credentials from unauthorised access | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.