Credential Guard is unique to Windows 10 Enterprise and Windows Server 2016, and designed to protect against OS-level attempts to read credentials. It uses hardware and virtualization-based security to isolate secrets so that only privileged system software can access them. Credential Guard protects NTLM password hashes, Kerberos Ticket-Granting Tickets, and credentials stored by applications.
Usually, Windows stores secrets in the Local Security Authority (LSA), in process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system.
You can consider the isolated LSA as running like a small virtual machine that only the LSA can communicate with, using remote procedure calls. To enable this feature, the computers must meet specific hardware, firmware, and software requirements. Also, be aware that due to the restrictions necessary to secure the credentials, some applications will not be compatible, especially those that require the following authentication methods:
Applications will also break if they require:
> Kerberos DES encryption support
> Kerberos unconstrained delegation
> Extracting the Kerberos TGT