From 174e205eac1b4b49771781d0040745893129049b Mon Sep 17 00:00:00 2001 From: cchavez-msft <136099320+cchavez-msft@users.noreply.github.com> Date: Tue, 25 Jun 2024 13:09:28 -0400 Subject: [PATCH] securityBookMatthewPalko --- .../identity-protection-advanced-credential-protection.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index f5b1e3d1a4..68a93af8fc 100644 --- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md @@ -27,6 +27,8 @@ Windows has several critical processes to verify a user's identity. Verification To help keep these credentials safe, additional LSA protection will be enabled by default on new, enterprise-joined Windows 11 devices. By loading only trusted, signed code, LSA provides significant protection against credential theft. LSA protection also now supports configuration using Group Policy and modern device management. +End users have the ability to manage their LSA protection state in the Windows Security Application under Device Security -> Core Isolation -> Local Security Authority protection. It’s important to note that the enterprise policy for LSA protection will take precedence over enablement on upgrade. This ensures a seamless transition and enhanced security for all users. + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Configuring additional LSA protection](/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection) 
@@ -37,6 +39,8 @@ Enabled by default in Windows 11 Enterprise, Credential Guard uses hardware-back By protecting the LSA process with virtualization-based security, Credential Guard shields systems from credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. +Protections are now expanded to optionally include machine account passwords for Active Directory joined devices. Administrators can enable audit mode of this capability or enforcement using Credential Guard management policy. + :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** - [Protect derived domain credentials with Credential Guard](/windows/security/identity-protection/credential-guard/credential-guard)
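Review bot: In the first hunk (@@ -27,6 +27,8 @@), the added sentence "the enterprise policy for LSA protection will take precedence over enablement on upgrade" relies on a term the page never introduces. The preceding context paragraph only says LSA protection is enabled by default on new, enterprise-joined devices, so a reader cannot tell what "enablement on upgrade" refers to. The paragraph also does not say what the Windows Security toggle does once a policy is set, even though it opens by telling end users they can manage the state there. Suggest first stating when protection is turned on during an upgrade, then stating explicitly that a configured policy overrides both that and the user's setting in the app. The closing sentence "This ensures a seamless transition and enhanced security for all users" gives an administrator nothing to act on and could be dropped. Minor style points: the added text uses a curly apostrophe in "It’s" where the context line uses a straight one in "user's", and the "Device Security -> Core Isolation -> Local Security Authority protection" path would read better in whatever UI-path formatting the rest of the book uses.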
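Review bot: In the second hunk (@@ -37,6 +39,8 @@), the added sentence "Administrators can enable audit mode of this capability or enforcement using Credential Guard management policy" tells administrators a setting exists but neither names it nor links to it, and the Learn more list that follows in the context lines points only to the general Credential Guard article. Suggest naming the policy setting or adding a link to its documentation, and saying in a few words what audit mode records compared with enforcement, so the reader can judge which to deploy first. "Protections are now expanded" is also undated. State the Windows release in which machine account password protection becomes available, since "now" will go stale and the surrounding text is specific about editions ("Enabled by default in Windows 11 Enterprise"). Wording nits: "Active Directory joined devices" should be hyphenated as "Active Directory-joined devices", and "enable audit mode of this capability or enforcement" reads more clearly as "enable this capability in audit mode or in enforcement mode".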