docs: clarify Credential Guard Enterprise/Education requirement

2026-02-07 04:01:52 +01:00 · 2025-12-15 17:08:04 +01:00 · 2025-12-15 17:08:04 +01:00 · 645393b2f4
commit 645393b2f4
parent d78d941113
5 changed files with 12 additions and 9 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -147,7 +147,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - 335 Registry policies (Computer + User Configuration)
 - 67 Security Template settings (Password Policy, Account Lockout, User Rights, Security Options)
 - 23 Advanced Audit policies (Complete security event logging)
- Credential Guard, BitLocker policies, VBS & HVCI
+- Credential Guard (Enterprise/Education only), BitLocker policies, VBS & HVCI
 - No LGPO.exe dependency (100% native PowerShell)

 **ASR** (19 rules) - Attack Surface Reduction
--- a/Core/Framework.ps1
+++ b/Core/Framework.ps1
@ -503,7 +503,7 @@ function Invoke-Hardening {
                        Write-Host "    - 335 Registry policies (password, firewall, BitLocker)" -ForegroundColor Gray
                        Write-Host "    - 67 Security template settings (user rights, audit)" -ForegroundColor Gray
                        Write-Host "    - 23 Advanced audit policies" -ForegroundColor Gray
-                        Write-Host "    - VBS + Credential Guard + Memory Integrity" -ForegroundColor Gray
+                        Write-Host "    - VBS + Credential Guard* + Memory Integrity (*Ent/Edu only)" -ForegroundColor Gray
                        Write-Host ""
                        Write-Host "  Impact: Enterprise-grade security, may break legacy software" -ForegroundColor Yellow
                    }
--- a/Docs/FEATURES.md
+++ b/Docs/FEATURES.md
@ -53,7 +53,7 @@

 ### Key Features:
 - ✅ VBS (Virtualization Based Security)
- ✅ Credential Guard
+- ✅ Credential Guard (Enterprise/Education only)
 - ✅ System Guard Secure Launch
 - ✅ Kernel CET Shadow Stacks (Win11 25H2)
 - ✅ Memory Integrity (HVCI)
--- a/README.md
+++ b/README.md
@ -100,7 +100,7 @@
 - 425 settings: MS Security Baseline for Win11 25H2
 - 24 settings: MS Security Baseline for Edge
 - 19 rules: Attack Surface Reduction
- VBS + Credential Guard: Hardware-level protection
+- VBS + Credential Guard*: Hardware-level protection

 **🔒 Privacy Layer**
 - DNS: Block telemetry, tracking, ads (DoH)
@ -110,6 +110,8 @@

 **🎯 The Result:** A hardened system that's both secure against attacks and private from surveillance.

+*_Credential Guard requires Windows 11 Enterprise or Education_
+
 ---

 ## 🌟 Why NoID Privacy?
@ -122,7 +124,7 @@
 | 630+ Security Settings | No Recall / Copilot / AI | 100% Verification Coverage | BAVR Architecture |
 | 19 ASR Rules (17 Block + 2 Configurable) | Telemetry & Ads Blocked | Detailed Logging | Exact Pre-State Restore |
 | Zero-Day CVE-2025-9491 | DNS-over-HTTPS (DoH) | Modular Design | Designed for Zero Data Loss |
-| VBS & Credential Guard | Edge Browser Hardened | Open Source / Auditable | Safe for Production |
+| VBS & Credential Guard* | Edge Browser Hardened | Open Source / Auditable | Safe for Production |

 👉 [3-Minute Quick Start](#-quick-start) • 📖 [Full Feature List](Docs/FEATURES.md)

@ -170,7 +172,7 @@
 - **335 Registry Policies** Computer + User Configuration
 - **67 Security Template Settings** Password Policy, Account Lockout, User Rights, Security Options
 - **23 Advanced Audit Policies** Complete security event logging
- **Credential Guard** Passwords can't be stolen from memory
+- **Credential Guard*** Passwords can't be stolen from memory (Enterprise/Education only)
 - **BitLocker Policies** USB drive protection, enhanced PIN, DMA attack prevention
 - **VBS & HVCI** Virtualization-based security

@ -468,7 +470,7 @@ If your PC can run Windows 11 according to Microsoft's **official requirements**
 - **OS:** Windows 11 24H2 or newer (25H2 fully tested)
 - **CPU:** Any CPU on Microsoft's Windows 11 support list (Intel 8th Gen / AMD Ryzen 2000+)
 - **Firmware:** UEFI with **Secure Boot** enabled
- **TPM:** 2.0 (required for BitLocker, Credential Guard, VBS)
+- **TPM:** 2.0 (required for BitLocker, Credential Guard*, VBS)
 - **RAM:** 8 GB minimum, 16 GB recommended for VBS
 - **Admin Rights:** Required

@ -568,7 +570,7 @@ This is NOT an error - ASR will be skipped.
 - Protects against zero-day exploits (CVE-2025-9491)
 - Minimizes telemetry to Security-Essential level
 - Locks down AI features (Recall, Copilot, etc.)
- Configures BitLocker policies, Credential Guard, VBS 
+- Configures BitLocker policies, Credential Guard*, VBS 

 ### What This Tool Does NOT Do

@ -628,6 +630,7 @@ Edit: Modules/ASR/Config/ASR-Rules.json
 - Right-click PowerShell → "Run as Administrator"

 **VBS/Credential Guard not active after reboot**
+- Credential Guard requires Windows 11 Enterprise or Education
 - Hardware incompatibility (no TPM 2.0 or virtualization disabled)
 - Enable virtualization in BIOS/UEFI
 - Verify: `.\Tools\Verify-Complete-Hardening.ps1`
--- a/SECURITY.md
+++ b/SECURITY.md
@ -67,7 +67,7 @@ NoID Privacy implements multiple security layers:
 ### Security Hardening Applied
 - 🔐 Microsoft Security Baseline 25H2 (425 settings)
 - 🛡️ Attack Surface Reduction (19 rules)
- 🔒 Credential Guard + VBS + HVCI
+- 🔒 Credential Guard* + VBS + HVCI (*Enterprise/Education only)
 - 🤖 AI Lockdown (Recall, Copilot, etc.)
 - 🌐 DNS-over-HTTPS with no fallback
 - 🚫 Zero-Day Protection (CVE-2025-9491 SRP)