From 408c738d0429c64900130e1a8ae81128e7fcb9dc Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 2 Feb 2017 13:21:14 -0800 Subject: [PATCH 1/3] fixed formatting --- windows/keep-secure/credential-guard.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 37f0fd9b7f..980862a955 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -9,6 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft --- + # Protect derived domain credentials with Credential Guard **Applies to** 
@@ -19,9 +20,9 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u By enabling Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. +- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -,- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. 
While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works @@ -60,7 +61,7 @@ The Virtualization-based security requires: When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] -> Enabling Credential Guard on domain controllers is not supported
+> Enabling Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. >[!NOTE] From 594e403a7f6420a90b540ff54f18f1472209e05f Mon Sep 17 00:00:00 2001 From: Karthika Raman Date: Thu, 2 Feb 2017 13:54:25 -0800 Subject: [PATCH 2/3] making a minor change to reflect the KB requirement change with V5 --- windows/deploy/upgrade-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 1455ee624e..cd76825250 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -127,7 +127,7 @@ The Upgrade Analytics deployment script does the following: 3. Checks whether the computer has a pending restart.   -4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). +4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14913 or later is required). 5. If enabled, turns on verbose mode for troubleshooting. From 09621fff218b73be9552c4ffbff860db5756f997 Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 2 Feb 2017 14:25:52 -0800 Subject: [PATCH 3/3] fixed metadata --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 980862a955..9d3a33d12c 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md 
@@ -1,4 +1,4 @@ -[s,,--- +--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
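Review bot: In PATCH 1/3, hunk `@@ -19,9 +20,9 @@` of credential-guard.md, the sentence beginning "While Credential Guard is a powerful mitigation" appears on a line of its own with no list indentation, so whether it renders inside the "Better protection against advanced persistent threats" bullet depends on the renderer's lazy-continuation handling. If it belongs to that bullet, indent it to align with the bullet text; if it is a closing remark for the whole list, put a blank line before it. The removed and re-added "Hardware security" lines look identical in the diff, so the whitespace-only change is worth stating in the commit message.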
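Review bot: In PATCH 1/3, hunk `@@ -60,7 +61,7 @@`, the unchanged context line just above the warning still reads "ensure compatiblity with the reduced functionality"; since this commit is a formatting pass over the same paragraph, correct it to "compatibility" here as well. The callout markers are also inconsistent: `>[!WARNING]` and `>[!NOTE]` have no space after `>`, while the body lines use `> `; pick one form for the block.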
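Review bot: In PATCH 2/3, step 4 of upgrade-analytics-get-started.md, the new text raises the required version from 10.0.14348 to 10.0.14913 but still opens with "Verifies that the latest version of KB package 10.0.x is installed", which reads as a latest-version check rather than a minimum-version check. Suggest wording it as a minimum, for example "Verifies that KB package version 10.0.14913 or later is installed", and stating what the script does when the check fails, since machines that met the old 10.0.14348 floor no longer satisfy this step. The commit message ties the change to V5, but the step does not say which script version the requirement applies to; naming it would help readers who still have an older copy.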
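Review bot: In PATCH 3/3, the `description:` context line under the corrected `---` says "Introduced in Windows 10 Enterprise", while the body text visible in the PATCH 1/3 hunk header reads "Introduced in Windows 10 Enterprise and Windows Server 2016". Since this commit is a metadata fix, update the description to match the body in the same change.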