Why you should not enable Credential Guard on Domain Controllers?

First published on TECHNET on Feb 21, 2017

Credential Guard protects credential derivatives like the NTLM hash and tickets; this TechNet article has a very detailed explanation as well as deployment guidelines. There was a recent change in this article to call out the following:

Warning

Enabling Credential Guard on domain controllers is not supported. The domain controller hosts services which integrate with processes isolated when Credential Guard is enabled, causing crashes.

I would like to share my learnings on why you should not enable Credential Guard on Domain Controllers.

Credential Guard protects credentials in LSASS memory; it does not protect credentials stored on disk. On domain controllers, it does not protect credentials that are stored in the SAM database.

In a production environment, you should restrict user access to a domain controller in order to protect the assets on that domain controller. If someone manages to get (unauthorized) access to it and is able to retrieve information from LSASS memory, that person has already acquired domain admin privilege, and Credential Guard adds no value in that case.

Given that there is no added security benefit, we decided not to support Credential Guard on domain controllers.
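The following audit script is an added example, not part of the original post: it reports whether Credential Guard is configured or running on the local host and flags the unsupported combination of Credential Guard on a domain controller. It assumes a Windows 10 / Windows Server 2016 or later host exposing the Win32_DeviceGuard WMI class; the finding strings and the function name are the example's own.

```powershell
# Added example: audit Credential Guard state against the "not supported on
# domain controllers" rule. Assumes the root\Microsoft\Windows\DeviceGuard
# namespace exists (Windows 10 / Server 2016+); older hosts return no data.
function Get-CredentialGuardAudit {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # DomainRole 4 = backup domain controller, 5 = primary domain controller
    $isDc = $cs.DomainRole -in 4, 5

    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    # In SecurityServicesConfigured / SecurityServicesRunning, 1 = Credential Guard, 2 = HVCI
    $cgConfigured = [bool]($dg -and ($dg.SecurityServicesConfigured -contains 1))
    $cgRunning    = [bool]($dg -and ($dg.SecurityServicesRunning    -contains 1))

    # LsaCfgFlags: 0 = disabled, 1 = enabled with UEFI lock, 2 = enabled without lock.
    # The Policies key reflects Group Policy; the LSA key reflects local configuration.
    $lsaFlags = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA' `
                    -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    $polFlags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard' `
                    -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags

    $anyCg = $cgConfigured -or $cgRunning -or ($lsaFlags -gt 0) -or ($polFlags -gt 0)
    $finding = if ($isDc -and $anyCg) {
        'UNSUPPORTED: Credential Guard is configured on a domain controller; disable it using the documented procedure and reboot.'
    } elseif ($isDc) {
        'OK: domain controller without Credential Guard (expected).'
    } elseif ($cgRunning) {
        'OK: Credential Guard is running on a non-DC host.'
    } else {
        'INFO: non-DC host without Credential Guard running; see the deployment guidelines.'
    }

    [pscustomobject]@{
        ComputerName           = $cs.Name
        IsDomainController     = $isDc
        CredentialGuardConfig  = $cgConfigured
        CredentialGuardRunning = $cgRunning
        LsaCfgFlags            = $lsaFlags
        PolicyLsaCfgFlags      = $polFlags
        Finding                = $finding
    }
}

Get-CredentialGuardAudit | Format-List
```

Run it elevated on each domain controller and member server; a host enabled with UEFI lock (LsaCfgFlags = 1) needs the lock cleared as well, so a registry change alone will not turn Credential Guard off there.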


This article was originally published by Microsoft's Data Center Security Blog. You can find the original article here.