How Windows VBS Helps Prevent Token Theft

VBS creates an isolated virtual environment to host critical security processes, making them inaccessible to malware running in the normal operating system. The key feature of VBS relevant to token theft is Credential Guard.

1. Credential Guard:

   • It uses VBS to isolate and protect the Local Security Authority Subsystem Service (LSASS) process.
     

   • LSASS stores sensitive credential information like NTLM password hashes and Kerberos Ticket Granting Tickets (TGTs).
     

   • Attackers often try to dump LSASS memory (e.g., using Mimikatz) to extract these credentials, which can then be used in pass-the-hash or pass-the-ticket attacks to impersonate users and gain access to resources, including M365 services (especially in hybrid environments).
     

   • With Credential Guard enabled, LSASS runs in the VBS isolated environment. The normal OS LSASS process only communicates with it via a secure Remote Procedure Call (RPC) interface. Even if an attacker gains kernel-level privileges in the normal OS, they cannot directly access the credential material stored within the VBS-protected LSASS.
     

   • This makes it much harder to steal the credentials that would be used to obtain M365 tokens in the first place or to abuse on-premises credentials that might be synchronized to Azure AD.

2. Hypervisor-Protected Code Integrity (HVCI) / Memory Integrity:

   • While not directly preventing token theft, HVCI is another VBS feature that enhances overall system security. It ensures that only signed and verified code can run in the Windows kernel.
     

   • This makes it harder for malware to compromise the kernel, which could then be used to bypass other security measures, including potentially VBS itself or to inject code into processes holding tokens.

Important Considerations for M365 Tokens: M365 primarily uses OAuth 2.0 tokens (access tokens, refresh tokens) which are typically stored by applications (Outlook, Teams, browser) rather than directly in LSASS in the same way as NTLM hashes or Kerberos TGTs.

• Credential Guard primarily protects against theft of Windows logon credentials (NTLM/Kerberos) that could be used to authenticate and then obtain M365 tokens.
• It does not directly protect M365 access/refresh tokens stored in browser caches or application data if the user’s session is already compromised at the user-mode level (e.g., malware running as the user).

Appropriate Configuration for Windows Devices (using M365 Business Premium tools):

M365 Business Premium includes Microsoft Intune for device management, which is the recommended way to configure these settings.

1. Hardware & Firmware Requirements:

   • 64-bit CPU with virtualization extensions (Intel VT-x or AMD-V) and SLAT.
     

   • TPM 2.0 (Trusted Platform Module).
     

   • UEFI firmware with Secure Boot enabled.
     

   • BIOS/UEFI virtualization support enabled.

2. Enable VBS, Credential Guard, and HVCI via Intune:

   • Using Endpoint Security Profiles (Recommended):

     1. Go to the Microsoft Intune admin center.

     2. Navigate to Endpoint security > Account protection.

     3. Click Create Policy.

     4. Platform: Windows 10 and later. Profile: Account protection. Click Create.

     5. Name the policy (e.g., “Enable Credential Guard”).

     6. Under Configuration settings:

        • Block Windows Hello for Business: Typically Not configured or Disabled unless you have specific reasons to block it.
          

        • Enable Credential Guard: Set to Enable with UEFI lock. This prevents it from being disabled remotely without physical presence for UEFI changes. (Choose “Enable without UEFI lock” if you need more flexibility during initial rollout/testing, but “with UEFI lock” is more secure).
          

        • Turn on Security Guard: (This likely refers to Microsoft Defender Security Guard, which is related to Secure Boot and VBS launch). Set to Enabled.

     7. Assign the policy to your target device groups.

     8. To enable HVCI (Memory Integrity):

        • Navigate to Endpoint security > Attack surface reduction.
          

        • Click Create Policy.
          

        • Platform: Windows 10 and later. Profile: Attack Surface Reduction Rules (or look for specific HVCI profiles if available, sometimes it’s under Device Configuration > Endpoint Protection).
          

        • Alternatively, and often more straightforward for HVCI:
          
          • Go to Devices > Configuration profiles.
            

          • Click Create profile.
            

          • Platform: Windows 10 and later. Profile type: Settings catalog.
            

          • Search for “Hypervisor Enforced Code Integrity” or “Memory Integrity”.
            

          • Add the setting (e.g., VirtualizationBasedSecurity > HypervisorEnforcedCodeIntegrity) and set it to Enabled.

   • Secure Boot: This is typically enabled in the device UEFI/BIOS. Intune can report on Secure Boot status but doesn’t directly enable it from a cold start. Devices must be provisioned with it enabled.

3. Verify Deployment:

   • On a client device, you can check msinfo32.exe. Look for “Virtualization-based security” status and “Credential Guard” / “Memory Integrity” listed as running.
     

   • In Task Manager > Performance > CPU, you should see “Virtualization: Enabled”.

Complementary M365 Business Premium Security Measures:

VBS is one layer. For comprehensive token theft protection with M365:

• Multi-Factor Authentication (MFA): Enforce MFA for all users via Conditional Access. This is the single most effective measure against credential/token compromise.
  

• Conditional Access Policies:
  • Require compliant devices (managed by Intune, with VBS enabled).
    

  • Block legacy authentication.
    

  • Restrict access from untrusted locations or risky sign-ins.
    

  • Implement session controls (e.g., sign-in frequency).
• Microsoft Defender for Business (included in M365 BP): Provides endpoint detection and response (EDR) capabilities to detect and block malicious activities, including attempts to steal tokens or abuse legitimate processes.
  

• Identity Protection (Azure AD P1 features are included in M365 BP): Detects risky sign-ins and compromised user accounts, allowing for automated remediation.
  

• Application Guard: Use Microsoft Defender Application Guard for Edge/Office to isolate untrusted websites and documents, preventing malware from accessing user session tokens in the browser or system.
  

• Principle of Least Privilege: Ensure users do not have local admin rights unless absolutely necessary.
  

• User Education: Train users to recognize phishing attempts and social engineering.

Conclusion:

Yes, VBS, particularly Credential Guard, is a valuable tool provided by Windows that, when configured (ideally via Intune with M365 Business Premium), significantly hardens devices against the theft of Windows credentials that could be used to obtain M365 tokens. However, it’s most effective as part of a broader defense-in-depth strategy that includes MFA, Conditional Access, Defender for Business, and other security best practices to protect M365 application-level tokens and user sessio