From 1317d8fbcd0d3e2c5b3f020879f831ec04197ad3 Mon Sep 17 00:00:00 2001 From: mgewida1 Date: Fri, 6 Jun 2025 11:27:02 -0700 Subject: [PATCH] Update how-it-works.md Replaced absolute links with relative links --- .../identity-protection/credential-guard/how-it-works.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md index f4b8e04488..e89553a19e 100644 --- a/windows/security/identity-protection/credential-guard/how-it-works.md +++ b/windows/security/identity-protection/credential-guard/how-it-works.md 
@@ -21,7 +21,8 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b :::row-end::: ## VSM and TPM Protections -Secrets protected by Credential Guard are protected in memory isolated at runtime by the hypervisor using [Virtual Secure Mode](https://learn.microsoft.com/en-us/virtualization/hyper-v-on-windows/tlfs/vsm). On recent supported hardware with TPM2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections (see [System Guard: How a hardware-based root of trust helps protect Windows](https://learn.microsoft.com/en-us/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows)). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. +Secrets protected by Credential Guard are protected in memory isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm). On recent supported hardware with TPM2.0, VSM data that is persisted will be protected by a key called the VSM master key which is protected by device firmware protections (see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows +)). The VSM master key is protected by the TPM, ensuring that they key and the secrets protected by Credential Guard can only be accessed in a trusted environment. Credential Guard does not typically persist authentication data (NTLM hash and TGTs) and that data is lost between reboots and refreshed when the user signs into the system. This means that it is not dependent on the VSM master key or the TPM to protect that data at rest.
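Review bot: The new System Guard link in the added lines has a line break between the end of the relative URL (`...how-hardware-based-root-of-trust-helps-protect-windows`) and the closing `))`, which is why the diffstat reports 2 insertions for what the subject describes as a one-line link replacement. Keep the link destination and its closing parenthesis on the same line, so the link does not depend on how a Markdown renderer or link validator treats a newline inside the parentheses. Since this sentence is being rewritten anyway, the typo "they key", which is carried over unchanged from the removed line, could be corrected to "the key" in the same commit.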