From 645393b2f4153305147739e644ce4cc2f8e95c4a Mon Sep 17 00:00:00 2001 From: NexusOne23 Date: Mon, 15 Dec 2025 17:08:04 +0100 Subject: [PATCH] docs: clarify Credential Guard Enterprise/Education requirement --- CHANGELOG.md | 2 +- Core/Framework.ps1 | 2 +- Docs/FEATURES.md | 2 +- README.md | 13 ++++++++----- SECURITY.md | 2 +- 5 files changed, 12 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index bef3900..04a1fd5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -147,7 +147,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - 335 Registry policies (Computer + User Configuration) - 67 Security Template settings (Password Policy, Account Lockout, User Rights, Security Options) - 23 Advanced Audit policies (Complete security event logging) -- Credential Guard, BitLocker policies, VBS & HVCI +- Credential Guard (Enterprise/Education only), BitLocker policies, VBS & HVCI - No LGPO.exe dependency (100% native PowerShell) **ASR** (19 rules) - Attack Surface Reduction diff --git a/Core/Framework.ps1 b/Core/Framework.ps1 index e0f1d8e..f723fe7 100644 --- a/Core/Framework.ps1 +++ b/Core/Framework.ps1 @@ -503,7 +503,7 @@ function Invoke-Hardening { Write-Host " - 335 Registry policies (password, firewall, BitLocker)" -ForegroundColor Gray Write-Host " - 67 Security template settings (user rights, audit)" -ForegroundColor Gray Write-Host " - 23 Advanced audit policies" -ForegroundColor Gray - Write-Host " - VBS + Credential Guard + Memory Integrity" -ForegroundColor Gray + Write-Host " - VBS + Credential Guard* + Memory Integrity (*Ent/Edu only)" -ForegroundColor Gray Write-Host "" Write-Host " Impact: Enterprise-grade security, may break legacy software" -ForegroundColor Yellow } diff --git a/Docs/FEATURES.md b/Docs/FEATURES.md index b8e4ed5..7123f17 100644 --- a/Docs/FEATURES.md +++ b/Docs/FEATURES.md 
@@ -53,7 +53,7 @@ ### Key Features: - ✅ VBS (Virtualization Based Security) -- ✅ Credential Guard +- ✅ Credential Guard (Enterprise/Education only) - ✅ System Guard Secure Launch - ✅ Kernel CET Shadow Stacks (Win11 25H2) - ✅ Memory Integrity (HVCI) diff --git a/README.md b/README.md index d86a047..250f8f5 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ - 425 settings: MS Security Baseline for Win11 25H2 - 24 settings: MS Security Baseline for Edge - 19 rules: Attack Surface Reduction -- VBS + Credential Guard: Hardware-level protection +- VBS + Credential Guard*: Hardware-level protection **🔒 Privacy Layer** - DNS: Block telemetry, tracking, ads (DoH) @@ -110,6 +110,8 @@ **🎯 The Result:** A hardened system that's both secure against attacks and private from surveillance. +*_Credential Guard requires Windows 11 Enterprise or Education_ + --- ## 🌟 Why NoID Privacy? @@ -122,7 +124,7 @@ | 630+ Security Settings | No Recall / Copilot / AI | 100% Verification Coverage | BAVR Architecture | | 19 ASR Rules (17 Block + 2 Configurable) | Telemetry & Ads Blocked | Detailed Logging | Exact Pre-State Restore | | Zero-Day CVE-2025-9491 | DNS-over-HTTPS (DoH) | Modular Design | Designed for Zero Data Loss | -| VBS & Credential Guard | Edge Browser Hardened | Open Source / Auditable | Safe for Production | +| VBS & Credential Guard* | Edge Browser Hardened | Open Source / Auditable | Safe for Production | 👉 [3-Minute Quick Start](#-quick-start) • 📖 [Full Feature List](Docs/FEATURES.md) 
@@ -170,7 +172,7 @@ - **335 Registry Policies** Computer + User Configuration - **67 Security Template Settings** Password Policy, Account Lockout, User Rights, Security Options - **23 Advanced Audit Policies** Complete security event logging -- **Credential Guard** Passwords can't be stolen from memory +- **Credential Guard*** Passwords can't be stolen from memory (Enterprise/Education only) - **BitLocker Policies** USB drive protection, enhanced PIN, DMA attack prevention - **VBS & HVCI** Virtualization-based security @@ -468,7 +470,7 @@ If your PC can run Windows 11 according to Microsoft's **official requirements** - **OS:** Windows 11 24H2 or newer (25H2 fully tested) - **CPU:** Any CPU on Microsoft's Windows 11 support list (Intel 8th Gen / AMD Ryzen 2000+) - **Firmware:** UEFI with **Secure Boot** enabled -- **TPM:** 2.0 (required for BitLocker, Credential Guard, VBS) +- **TPM:** 2.0 (required for BitLocker, Credential Guard*, VBS) - **RAM:** 8 GB minimum, 16 GB recommended for VBS - **Admin Rights:** Required @@ -568,7 +570,7 @@ This is NOT an error - ASR will be skipped. - Protects against zero-day exploits (CVE-2025-9491) - Minimizes telemetry to Security-Essential level - Locks down AI features (Recall, Copilot, etc.) -- Configures BitLocker policies, Credential Guard, VBS +- Configures BitLocker policies, Credential Guard*, VBS ### What This Tool Does NOT Do @@ -628,6 +630,7 @@ Edit: Modules/ASR/Config/ASR-Rules.json - Right-click PowerShell → "Run as Administrator" **VBS/Credential Guard not active after reboot** +- Credential Guard requires Windows 11 Enterprise or Education - Hardware incompatibility (no TPM 2.0 or virtualization disabled) - Enable virtualization in BIOS/UEFI - Verify: `.\Tools\Verify-Complete-Hardening.ps1` diff --git a/SECURITY.md b/SECURITY.md index a06c97d..f15fa8b 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -67,7 +67,7 @@ NoID Privacy implements multiple security layers: ### Security Hardening Applied - 🔐 Microsoft Security Baseline 25H2 (425 settings) - 🛡️ Attack Surface Reduction (19 rules) -- 🔒 Credential Guard + VBS + HVCI +- 🔒 Credential Guard* + VBS + HVCI (*Enterprise/Education only) - 🤖 AI Lockdown (Recall, Copilot, etc.) - 🌐 DNS-over-HTTPS with no fallback - 🚫 Zero-Day Protection (CVE-2025-9491 SRP)
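Review bot: In the Core/Framework.ps1 hunk (@@ -503,7 +503,7 @@, inside Invoke-Hardening), the new banner text "VBS + Credential Guard* + Memory Integrity (*Ent/Edu only)" is a static Write-Host string, so a user on an edition other than Enterprise or Education still sees Credential Guard listed among the protections about to be applied and has to interpret the footnote themselves. Consider having the function check the running edition and print either the Credential Guard item or an explicit "Credential Guard skipped on this edition" line, so the summary matches what will actually be active on that machine. Also spell the qualifier as "Enterprise/Education only", as the CHANGELOG.md, Docs/FEATURES.md and SECURITY.md hunks do, rather than "Ent/Edu". Since the subject is prefixed "docs:" but this hunk changes a script's runtime output, note that in the commit message.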
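Review bot: In README.md the asterisk marker is defined only once, by the line "*_Credential Guard requires Windows 11 Enterprise or Education_" added in the @@ -110,6 +110,8 @@ hunk, while "Credential Guard*" is also added in the hunks at @@ -122, @@ -170, @@ -468 and @@ -568, hundreds of lines away from that definition. A reader who lands directly on the system requirements ("TPM: 2.0 (required for BitLocker, Credential Guard*, VBS)") or on "Configures BitLocker policies, Credential Guard*, VBS" gets a dangling marker with no explanation nearby. Either use the inline form "(Enterprise/Education only)" at each occurrence, as Docs/FEATURES.md does, or repeat the footnote at the end of each section that uses the marker. The @@ -170 line "**Credential Guard*** ... (Enterprise/Education only)" carries both the marker and the inline text, so one of them can go. Because a bare "*" is also Markdown emphasis syntax (next to "**...**" and at the start of the footnote line before "_"), escaping it as "\*" would remove any dependence on how a given renderer pairs delimiters. In the troubleshooting hunk (@@ -628,6 +630,7 @@), the new bullet sits under the combined heading "VBS/Credential Guard not active after reboot"; it would help to word it so it is clear that the edition limit explains Credential Guard being inactive, not VBS.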
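Review bot: In the CHANGELOG.md hunk (@@ -147,7 +147,7 @@), the clarification is made by rewriting an existing feature line in place ("- Credential Guard (Enterprise/Education only), BitLocker policies, VBS & HVCI"), and the diffstat shows no added line recording this change. If line 147 belongs to an entry for an already published version, users comparing changelogs will not see that the documented scope of Credential Guard was narrowed; consider also adding a short entry under the current or unreleased section stating that the docs now note the Enterprise/Education requirement.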