What is Windows Defender Credential Guard?

Windows Defender Credential Guard is a feature of Microsoft Defender. The feature allows admins to store credentials in a virtualized process that cannot be queried by the operating system.

Does Credential Guard work with Enzoic?

At this time, no. Enzoic will not work with Credential Guard enabled on the Domain Controllers. When enabled on the DCs, Credential Guard prevents the Enzoic filter from loading into the LSA process. Enzoic needs the LSA filter in order to screen passwords, so this feature of Microsoft Defender will need to be disabled before installing Enzoic. Otherwise it will prevent the Enzoic filter driver from loading into the LSASS.


How to disable Credential Guard and load the Enzoic Filter: 

If you had Credential Guard enabled on your domain controllers and then installed Enzoic, chances are that the filter was blocked from loading into the LSA, and password changes are not being screened. To get Enzoic working properly, Credential Guard will first need to be disabled on the Domain Controllers, and then Enzoic will need to be fixed to load the filter.


To disable Credential Guard, click here to see the Microsoft KB on their process. (If you have LSA protection enabled, it will need to be disabled as well. The Microsoft KB for that process can be found here.)


Enzoic Remediation: 

Once Windows Credential Guard is disabled on the Domain Controller, Enzoic will need to be fixed so that the filter can load into the LSASS. For this we’ve seen success with two options: 

1. Restart the Enzoic service on the machine. 

OR

2. Rerun the installer over top of your current build.

    A few things to note if you do need to rerun the installer: 

  • The latest installer for Enzoic can be found in our tech docs, located here
  • Because Enzoic settings are saved inside of AD containers, you should not be prompted to configure the product again, nor should you lose any of your settings with this process. 
  • This process will need to be repeated on every DC that had Credential Guard enabled. 

 

After this is done, you’ll want to test Enzoic to make sure it’s working properly. The first step is to see if the filter log has been created. This log only shows up when the filter has loaded into the LSA, so seeing this file in the logs is a good sign. The log file is called EnzoicFilter.txt, and it is located here: C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs. If you see this log, the next step is to attempt a bad password change. If the bad password attempt is rejected, and you see a password attempt rejection in the logs, then you are good to go.


(If you're not sure how to find password rejection attempts in the logs, click here for more information.)


If the filter log is still not showing up in the Enzoic Logs directory, then it is a good indication that there is still something in your environment preventing the filter from loading into the LSASS. You may want to run through the Microsoft KB again to double-check that Credential Guard has truly been disabled. If you’re confident that it’s been disabled, then we suggest reaching out to your security team to see what else in your environment could block our filter from loading into the LSASS.
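
The checks from the verification and troubleshooting steps above, gathered into one script (an added example, not Enzoic's or Microsoft's own tooling). It assumes an elevated PowerShell session on the domain controller; the log path is the one given in this article, and the Credential Guard and LSA protection state are read from the standard Win32_DeviceGuard class and the RunAsPPL registry value.

```powershell
# Added example: run in an elevated PowerShell session on each domain controller.
# The log path comes from this article; the other checks use built-in Windows interfaces.
$logPath = 'C:\ProgramData\Enzoic\Enzoic for Active Directory\Logs\EnzoicFilter.txt'

# Win32_DeviceGuard reports virtualization-based security services.
# In SecurityServicesRunning, the value 1 means Credential Guard is running right now.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction SilentlyContinue
$cgRunning = ($null -ne $dg) -and ($dg.SecurityServicesRunning -contains 1)

# LSA protection is configured through RunAsPPL (1 or 2 = enabled).
# This is the configured value; a change only takes effect after a reboot.
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$runAsPpl = (Get-ItemProperty -Path $lsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL
$lsaProtected = $runAsPpl -in 1, 2

# The filter log is only created once the filter has loaded into the LSA.
$log      = Get-Item -LiteralPath $logPath -ErrorAction SilentlyContinue
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    CredentialGuardRunning  = $cgRunning
    LsaProtectionConfigured = $lsaProtected
    FilterLogPresent        = $null -ne $log
    FilterLogLastWrite      = if ($log) { $log.LastWriteTime } else { $null }
    LastBoot                = $lastBoot
}

if ($cgRunning) {
    Write-Warning 'Credential Guard is still running; recheck the Microsoft KB steps and reboot.'
}
if ($lsaProtected) {
    Write-Warning 'LSA protection (RunAsPPL) is still configured on this DC.'
}
if (-not $log) {
    Write-Warning "Filter log not found at $logPath; the filter has likely not loaded into the LSA."
}
```

A clean result here only covers the first step; the bad password change test described above is still needed to confirm that screening works.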