mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Articles refresh, Acrolinx scores > 90
parent 8beb363638
commit 08836f9de3
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
ms.date: 08/31/2023
|
ms.date: 06/20/2024
|
||||||
title: Additional mitigations
|
title: Additional mitigations
|
||||||
description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
|
description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
|
||||||
ms.topic: reference
|
ms.topic: reference
|
||||||
@ -46,8 +46,8 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
|
|||||||
To enable Kerberos armoring for restricting domain users to specific domain-joined devices:
|
To enable Kerberos armoring for restricting domain users to specific domain-joined devices:
|
||||||
|
|
||||||
- Users need to be in domains that are running Windows Server 2012 R2 or higher
|
- Users need to be in domains that are running Windows Server 2012 R2 or higher
|
||||||
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
|
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**
|
||||||
- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -> **Administrative Templates** -> **System** -> **Kerberos**.
|
- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** > **Administrative Templates** > **System** > **Kerberos**.
|
||||||
|
|
||||||
### Protect domain-joined device secrets
|
### Protect domain-joined device secrets
|
||||||
|
|
||||||
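Review bot: in the last bullet, "Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings" names a single policy, so "settings" should be singular ("setting"); that line is otherwise unchanged apart from the path separators. The dropped terminal periods and the `>` path separators are consistent with the rest of this refresh.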
@ -56,7 +56,7 @@ Since domain-joined devices also use shared secrets for authentication, attacker
|
|||||||
Domain-joined device certificate authentication has the following requirements:
|
Domain-joined device certificate authentication has the following requirements:
|
||||||
|
|
||||||
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
|
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
|
||||||
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
|
- All domain controllers in those domains have KDC certificates that satisfy strict KDC validation certificate requirements:
|
||||||
- KDC EKU present
|
- KDC EKU present
|
||||||
- DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
|
- DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
|
||||||
- Windows devices have the CA issuing the domain controller certificates in the enterprise store.
|
- Windows devices have the CA issuing the domain controller certificates in the enterprise store.
|
||||||
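Review bot: terminal punctuation is now mixed within this list: "Devices' accounts are in Windows Server 2012 domain functional level or higher." and the final "Windows devices have the CA issuing the domain controller certificates in the enterprise store." keep their periods, while the nested "KDC EKU present" items have none and the Kerberos armoring list earlier in this same file just had its periods removed. Drop the periods here so the lists in this article match. The "which" to "that" change is fine.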
@ -82,7 +82,7 @@ For example, let's say you wanted to use the High Assurance policy only on these
|
|||||||
1. Under **Issuance Policies**, select **High Assurance**
|
1. Under **Issuance Policies**, select **High Assurance**
|
||||||
1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box
|
1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box
|
||||||
|
|
||||||
Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
|
Then on the devices that are running Credential Guard, enroll the devices using the certificate you created.
|
||||||
|
|
||||||
**Enroll devices in a certificate**
|
**Enroll devices in a certificate**
|
||||||
|
|
||||||
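Review bot: "**Enroll devices in a certificate**" is left as a bold pseudo-heading, while the same commit converts "**Creating an authentication policy restricting users to the specific universal security group**" in this file to a `####` heading. Convert this one as well so the procedure headings are uniform and show up in the page outline. "you just created" to "you created" reads fine.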
@ -123,12 +123,13 @@ So we now have completed the following:
|
|||||||
|
|
||||||
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
|
- Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
|
||||||
- Mapped that policy to a universal security group or claim
|
- Mapped that policy to a universal security group or claim
|
||||||
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
|
- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies
|
||||||
|
|
||||||
Authentication policies have the following requirements:
|
Authentication policies have the following requirements:
|
||||||
- User accounts are in a Windows Server 2012 domain functional level or higher domain.
|
|
||||||
|
|
||||||
**Creating an authentication policy restricting users to the specific universal security group**
|
- User accounts are in a Windows Server 2012 domain functional level or higher domain
|
||||||
|
|
||||||
|
#### Create an authentication policy restricting users to the specific universal security group
|
||||||
|
|
||||||
1. Open Active Directory Administrative Center
|
1. Open Active Directory Administrative Center
|
||||||
1. Select **Authentication > New > Authentication Policy**
|
1. Select **Authentication > New > Authentication Policy**
|
||||||
@ -154,7 +155,7 @@ To learn more about authentication policy events, see [Authentication Policies a
|
|||||||
|
|
||||||
## Appendix: Scripts
|
## Appendix: Scripts
|
||||||
|
|
||||||
Here is a list of scripts mentioned in this topic.
|
Here's a list of scripts mentioned in this article.
|
||||||
|
|
||||||
### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
|
### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
|
||||||
|
|
||||||
|
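Review bot: the third bullet in the summary list mixes a list item with narrative ("Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies"); since the bullet is being edited anyway, move those two sentences into a paragraph after the list so the item matches the other two. Also, the "Get the available issuance policies on the certificate authority" heading keeps an empty `<a href="" id="bkmk-getscript"></a>` anchor; if the `bkmk-getscript` bookmark is still linked from elsewhere, an `id`-only anchor without the empty `href` is enough.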
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
ms.date: 06/20/2024
|
||||||
title: Configure Credential Guard
|
title: Configure Credential Guard
|
||||||
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
|
description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
|
||||||
ms.date: 08/31/2023
|
|
||||||
ms.topic: how-to
|
ms.topic: how-to
|
||||||
---
|
---
|
||||||
|
|
||||||
|
@ -1,28 +1,28 @@
|
|||||||
---
|
---
|
||||||
ms.date: 08/31/2023
|
ms.date: 06/20/2024
|
||||||
title: Considerations and known issues when using Credential Guard
|
title: Considerations and known issues when using Credential Guard
|
||||||
description: Considerations, recommendations and known issues when using Credential Guard.
|
description: Considerations, recommendations, and known issues when using Credential Guard.
|
||||||
ms.topic: troubleshooting
|
ms.topic: troubleshooting
|
||||||
---
|
---
|
||||||
|
|
||||||
# Considerations and known issues when using Credential Guard
|
# Considerations and known issues when using Credential Guard
|
||||||
|
|
||||||
It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
|
Microsoft recommends that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys, or smart cards.
|
||||||
|
|
||||||
## Upgrade considerations
|
## Upgrade considerations
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Windows Server 2025 is in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
|
> Windows Server 2025 is in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
|
||||||
|
|
||||||
As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard may impact previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
|
As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard might affect previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
|
||||||
|
|
||||||
It’s advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
|
It's advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
|
||||||
|
|
||||||
Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
|
Upgrades to Windows 11, version 22H2, and Windows Server 2025 (preview) have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
|
||||||
|
|
||||||
## Wi-fi and VPN considerations
|
## Wi-fi and VPN considerations
|
||||||
|
|
||||||
When Credential Guard is enabled, you can no longer use NTLM classic authentication (NTLMv1) for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
|
When Credential Guard is enabled, you can no longer use NTLM classic authentication (NTLMv1) for single-sign-on (SSO). You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
|
||||||
|
|
||||||
If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
|
If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
|
||||||
|
|
||||||
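Review bot: "single-sign-on (SSO)" hyphenates the wrong pair; it should read "single sign-on (SSO)". The heading "Wi-fi and VPN considerations" and the body text "WiFi" also spell the term two different ways within the same section; settle on one spelling. The remaining edits (Oxford comma in "FIDO 2 security keys, or smart cards", "may impact" to "might affect", "Windows 11, version 22H2") read well.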
@ -32,9 +32,9 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
|
|||||||
|
|
||||||
When Credential Guard is enabled, certain types of identity delegation are unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials.
|
When Credential Guard is enabled, certain types of identity delegation are unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials.
|
||||||
|
|
||||||
When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled and blocks cleartext credential disclosure. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft.
|
When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or SSO credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine, and doesn't work with SSO once Credential Guard is enabled and blocks cleartext credential disclosure. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, isn't recommended due to the risk of credential theft.
|
||||||
|
|
||||||
Kerberos Unconstrained delegation, as well as DES, are blocked by Credential Guard. [Unconstrained delegation](/defender-for-identity/security-assessment-unconstrained-kerberos#what-risk-does-unsecure-kerberos-delegation-pose-to-an-organization) is not a recommended practice.
|
Kerberos Unconstrained delegation and DES are blocked by Credential Guard. [Unconstrained delegation](/defender-for-identity/security-assessment-unconstrained-kerberos#what-risk-does-unsecure-kerberos-delegation-pose-to-an-organization) isn't a recommended practice.
|
||||||
|
|
||||||
Instead [Kerberos](/windows-server/security/kerberos/kerberos-authentication-overview) or [Negotiate SSP](/windows/win32/secauthn/microsoft-negotiate) are recommended for authentication generally, and for delegation, [Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) and [Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview#resource-based-constrained-delegation-across-domains) are recommended. These methods provide greater credential security overall, and are also compatible with Credential Guard.
|
Instead [Kerberos](/windows-server/security/kerberos/kerberos-authentication-overview) or [Negotiate SSP](/windows/win32/secauthn/microsoft-negotiate) are recommended for authentication generally, and for delegation, [Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) and [Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview#resource-based-constrained-delegation-across-domains) are recommended. These methods provide greater credential security overall, and are also compatible with Credential Guard.
|
||||||
|
|
||||||
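Review bot: the paragraph beginning "Instead [Kerberos]..." needs a comma after "Instead", and its "are recommended ... are recommended" repetition could be tightened while the text is being touched; it is left as unchanged context here. "CredSSP-based Delegation" and "Kerberos Unconstrained delegation" also capitalize "delegation" inconsistently within the same hunk. The contraction changes ("doesn't work", "isn't recommended") match the style pass.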
@ -97,7 +97,7 @@ On domain-joined devices, DPAPI can recover user keys using a domain controller
|
|||||||
>[!IMPORTANT]
|
>[!IMPORTANT]
|
||||||
> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
|
> Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
|
||||||
|
|
||||||
Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
|
Auto VPN configuration is protected with user DPAPI. User might not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
|
||||||
If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
|
If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
|
||||||
|
|
||||||
Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
|
Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
|
||||||
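Review bot: "User might not be able to use VPN to connect to domain controllers" is missing its article ("The user might not..."), and the IMPORTANT alert's "the user does not experience strange behavior" is left without the contraction applied everywhere else in this pass. The "may" to "might" change is correct.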
@ -126,48 +126,35 @@ This article describes known issues when Credential Guard is enabled.
|
|||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> Windows Server 2025 is in previeww. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
|
> Windows Server 2025 is in previeww. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
|
||||||
|
|
||||||
Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on live migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
|
Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
|
||||||
|
|
||||||
#### Affected devices
|
|||
|
||||||
Any server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#default-enablement) before upgrade.
|
|-|-|
|
||||||
|
|**Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't Domain Controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
|
||||||
#### Cause of the issue
|
|**Cause of the issue**|Live Migration with Hyper-V, and applications and services that rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials. <br><br>If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration fails. In most cases, Credential Guard's enablement state on the destination machine won't impact Live Migration. Live Migration also fails in cluster scenarios (for example, SCVMM), since any device might act as a source machine.|
|
||||||
Live Migration with Hyper-V, and applications and services which rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials.
|
|**Resolution**|Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.|
|
||||||
|
|
||||||
If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration will fail. In most cases, Credential Guard's enablement state on the destination machine will not impact Live Migration. Live Migration will also fail in cluster scenarios (e.g., SCVMM), since any device may at one point act as a source machine.
|
|
||||||
|
|
||||||
#### How to fix the issue
|
|
||||||
Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.
|
|
||||||
|
|
||||||
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
|
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
|
||||||
|
|
||||||
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
|
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually reauthenticate in every new Windows session when Credential Guard is running.
|
||||||
|
|
||||||
#### Affected devices
|
|||
|
||||||
|
|-|-|
|
||||||
Any device with Credential Guard enabled may encounter the issue. Starting in Windows 11, version 22H2 and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
|
|**Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).<br><br>All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
|
||||||
|
|**Cause of the issue**|Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:<br><br>- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)<br>- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)<br>- MS-CHAP (only SSO is blocked)<br>- WDigest (only SSO is blocked)<br>- NTLM v1 (only SSO is blocked) <br><br>**Note**: Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.|
|
||||||
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
|
|**Resolution**|Microsoft recommends moving away from MSCHAPv2-based connections (for example, PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (for example, PEAP-TLS or EAP-TLS). Credential Guard doesn't block certificate-based authentication.<br><br>For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.|
|
||||||
|
|
||||||
> [!TIP]
|
> [!TIP]
|
||||||
|
> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
|
||||||
|
>
|
||||||
|
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
|
||||||
|
|
||||||
|
> [!NOTE]
|
||||||
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
|
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
|
||||||
> If it's present, the device enables Credential Guard after the update.
|
> If it's present, the device enables Credential Guard after the update.
|
||||||
>
|
>
|
||||||
> Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
|
> Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
|
||||||
|
|
||||||
#### Cause of the issue
|
|
||||||
|
|
||||||
Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:
|
|
||||||
|
|
||||||
- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
|
|
||||||
- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
|
|
||||||
- MS-CHAP (only SSO is blocked)
|
|
||||||
- WDigest (only SSO is blocked)
|
|
||||||
- NTLM v1 (only SSO is blocked)
|
|
||||||
|
|
||||||
> [!NOTE]
|
|
||||||
> Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.
|
|
||||||
|
|
||||||
#### How to confirm the issue
|
#### How to confirm the issue
|
||||||
|
|
||||||
MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs:
|
MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs:
|
||||||
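Review bot: the typo "previeww" in the IMPORTANT alert is an unchanged context line and survives this refresh; fix it while the section is being restructured. In the tip that is re-added after the new table, "the device automatically enable Credential Guard after the update" should read "enables". The two new tables use an empty header row (`|||` followed by `|-|-|`) and pack a five-item protocol list plus a bold **Note** into a single cell with `<br>` breaks; check how a headerless table renders and is read by screen readers, and consider keeping the protocol list and the note outside the table, where the `[!NOTE]` alert that the old text used can still be applied.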
@ -215,22 +202,11 @@ MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, versio
|
|||||||
:::column-end:::
|
:::column-end:::
|
||||||
:::row-end:::
|
:::row-end:::
|
||||||
|
|
||||||
#### How to fix the issue
|
|
||||||
|
|
||||||
We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication.
|
|
||||||
|
|
||||||
For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
|
|
||||||
|
|
||||||
> [!TIP]
|
|
||||||
> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
|
|
||||||
>
|
|
||||||
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
|
|
||||||
|
|
||||||
### Issues with non-Microsoft applications
|
### Issues with non-Microsoft applications
|
||||||
|
|
||||||
The following issue affects MSCHAPv2:
|
The following issue affects MSCHAPv2:
|
||||||
|
|
||||||
- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
|
- [Credential Guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
|
||||||
|
|
||||||
The following issue affects the Java GSS API. See the following Oracle bug database article:
|
The following issue affects the Java GSS API. See the following Oracle bug database article:
|
||||||
|
|
||||||
|
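Review bot: with the "How to fix the issue" block and its tip removed here (they now live in the Resolution table and the tip that follows it), the new file has two consecutive blank lines between `:::row-end:::` and the "### Issues with non-Microsoft applications" heading; drop one. Capitalizing "Credential Guard" in the Cisco link text is correct.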
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
ms.date: 08/31/2023
|
ms.date: 06/20/2024
|
||||||
title: How Credential Guard works
|
title: How Credential Guard works
|
||||||
description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
|
description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
|
||||||
ms.topic: concept-article
|
ms.topic: concept-article
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
---
|
---
|
||||||
|
ms.date: 06/20/2024
|
||||||
title: Credential Guard overview
|
title: Credential Guard overview
|
||||||
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
|
description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
|
||||||
ms.date: 08/31/2023
|
|
||||||
ms.topic: overview
|
ms.topic: overview
|
||||||
---
|
---
|
||||||
|
|
||||||
@ -14,7 +14,7 @@ Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/de
|
|||||||
When enabled, Credential Guard provides the following benefits:
|
When enabled, Credential Guard provides the following benefits:
|
||||||
|
|
||||||
- **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials
|
- **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials
|
||||||
- **Virtualization-based security**: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system
|
- **Virtualization-based security**: NTLM, Kerberos derived credentials, and other secrets run in a protected environment that is isolated from the running operating system
|
||||||
- **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS
|
- **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
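Review bot: the serial comma added to "NTLM, Kerberos derived credentials, and other secrets" helps, but "Kerberos derived" is a compound modifier and should read "Kerberos-derived credentials"; without the hyphen the list can be parsed as three nouns (NTLM, Kerberos, and derived credentials). Since the bullet is already being touched, fix the hyphen in the same change.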
@ -36,11 +36,11 @@ When Credential Guard is enabled, [VBS](#system-requirements) is automatically e
|
|||||||
|
|
||||||
### Default enablement on Windows
|
### Default enablement on Windows
|
||||||
|
|
||||||
Devices running Windows 11, 22H2 or later will have Credential Guard enabled by default if they:
|
Devices running Windows 11, 22H2 or later have Credential Guard enabled by default if they:
|
||||||
|
|
||||||
- Meet the [license requirements](#windows-edition-and-licensing-requirements)
|
- Meet the [license requirements](#windows-edition-and-licensing-requirements)
|
||||||
- Meet the [hardware and sofware requirements](#system-requirements)
|
- Meet the [hardware and software requirements](#system-requirements)
|
||||||
- Have not been [explicitly configured to disable Credential Guard](configure.md#default-enablement)
|
- Aren't [explicitly configured to disable Credential Guard](configure.md#default-enablement)
|
||||||
|
|
||||||
> [!NOTE]
|
> [!NOTE]
|
||||||
> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
|
> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
|
||||||
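Review bot: the NOTE at the end of this hunk is unchanged but still carries two copy issues that fit an Acrolinx pass: "For example if Credential Guard was enabled..." needs a comma after "For example", and "an Enterprise device that later downgraded to Pro" should be "that was later downgraded to Pro" (the device doesn't downgrade itself). Both lines are in the hunk's context, so they can be fixed here.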
@ -49,10 +49,13 @@ Devices running Windows 11, 22H2 or later will have Credential Guard enabled by
|
|||||||
|
|
||||||
### Default enablement on Windows Server
|
### Default enablement on Windows Server
|
||||||
|
|
||||||
Devices running Windows Server 2025 (preview) or later will have Credential Guard enabled by default if they meet the above requirements for Windows and additionally:
|
Devices running Windows Server 2025 (preview) or later have Credential Guard enabled by default if they:
|
||||||
|
|
||||||
|
- Meet the [license requirements](#windows-edition-and-licensing-requirements)
|
||||||
|
- Meet the [hardware and software requirements](#system-requirements)
|
||||||
|
- Aren't [explicitly configured to disable Credential Guard](configure.md#default-enablement)
|
||||||
- Are joined to a domain
|
- Are joined to a domain
|
||||||
- Are not a Domain Controller
|
- Aren't a Domain Controller
|
||||||
|
|
||||||
> [!IMPORTANT]
|
> [!IMPORTANT]
|
||||||
> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#known-issues).
|
> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#known-issues).
|
||||||
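Review bot: replacing "if they meet the above requirements for Windows and additionally:" with a copy of the three Windows bullets (license, hardware and software, not explicitly disabled) makes the two lists independent, so any future change to one must be mirrored in the other; if that duplication is intended, fine, otherwise keep the cross-reference and add only the two Server-specific bullets. Also, "Aren't a Domain Controller" capitalizes the term while the WARNING further down in this commit writes "domain controllers"; use lowercase in both.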
@ -97,7 +100,7 @@ The requirements to run Credential Guard in Hyper-V virtual machines are:
|
|||||||
|
|
||||||
When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*.
|
When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*.
|
||||||
|
|
||||||
Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
|
Applications should be tested before deployment to ensure compatibility with the reduced functionality.
|
||||||
|
|
||||||
> [!WARNING]
|
> [!WARNING]
|
||||||
> Enabling Credential Guard on domain controllers isn't recommended.
|
> Enabling Credential Guard on domain controllers isn't recommended.
|
||||||
@ -110,17 +113,17 @@ Applications break if they require:
|
|||||||
|
|
||||||
- Kerberos DES encryption support
|
- Kerberos DES encryption support
|
||||||
- Kerberos unconstrained delegation
|
- Kerberos unconstrained delegation
|
||||||
- Extracting the Kerberos TGT
|
- Kerberos TGT extraction
|
||||||
- NTLMv1
|
- NTLMv1
|
||||||
|
|
||||||
Applications prompt and expose credentials to risk if they require:
|
Applications ask and expose credentials to risk if they require:
|
||||||
|
|
||||||
- Digest authentication
|
- Digest authentication
|
||||||
- Credential delegation
|
- Credential delegation
|
||||||
- MS-CHAPv2
|
- MS-CHAPv2
|
||||||
- CredSSP
|
- CredSSP
|
||||||
|
|
||||||
Applications may cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`.
|
Applications might cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`.
|
||||||
|
|
||||||
Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.
|
Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.
|
||||||
|
|
||||||
|
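Review bot: changing "Applications prompt and expose credentials to risk" to "Applications ask and expose credentials to risk" loses the meaning: "prompt" here describes the application raising a credential prompt to the user, and "ask" on its own reads as if the application asks for something unspecified. Suggest "Applications prompt for credentials and expose them to risk if they require:", which keeps the sense while still avoiding the flagged wording. The "may" to "might" and "Extracting the Kerberos TGT" to "Kerberos TGT extraction" edits are fine and match the noun-phrase style of the other bullets.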