clarified domain join

Justin Hall
2018-01-12 09:59:57 -08:00
parent 266e82496b
commit 69045b87dd
2 changed files with 4 additions and 4 deletions


@ -123,9 +123,9 @@ DG_Readiness_Tool_v3.2.ps1 -Ready
> [!NOTE]
For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.
For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.
- If Windows Defender Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Windows Defender Credential Guard should be enabled before the PC is joined to a domain.
- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised.
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
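Review bot: The rewritten NOTE now says LsaIso.exe runs whenever virtualization-based security is enabled for other features, which means the presence of that process is not evidence that Credential Guard is protecting LSA credentials; since this same hunk points readers to WinInit Event ID 13 and the hunk header's context references `DG_Readiness_Tool_v3.2.ps1 -Ready`, the note should say explicitly that those are the checks to use rather than looking for LsaIso.exe. The reordered domain-join bullet reads better, but "the user and device secrets may already be compromised" would be stronger with the reason attached, for example: "Secrets obtained at domain join were stored before Credential Guard was enabled, so enabling it afterwards cannot protect them."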


@ -83,7 +83,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r
The Remote Desktop client device:
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1703 to be able to supply credentials.
- Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the users signed-in credentials. This requires the users account be able to sign in to both the client device and the remote host.
- Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard.
- Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk.
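Review bot: The removed and added lines for the version 1703 requirement read identically here, so this change appears to be whitespace-only; if a wording change was intended it did not land, and if it is a trailing-space fix the commit message "clarified domain join" does not cover it. While this list is being edited, the unchanged context line "to use the users signed-in credentials. This requires the users account" needs apostrophes (user's signed-in credentials, user's account).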
@ -162,7 +162,7 @@ mstsc.exe /remoteGuard
- Windows Defender Remote Credential Guard does not support compound authentication. For example, if youre trying to access a file server from a remote host that requires a device claim, access will be denied.
- Windows Defender Remote Credential Guard cannot be used to connect to a device that is not domain-joined to Active Directory, for example, remote hosts joined to Azure Active Directory.
- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory.
- Remote Desktop Credential Guard only works with the RDP protocol.
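Review bot: The rewritten Azure AD bullet is clearer, but the neighbouring context line "Remote Desktop Credential Guard only works with the RDP protocol" uses a different product name from every other bullet in this list ("Windows Defender Remote Credential Guard"); align it in the same edit. The compound-authentication bullet's "if youre trying to access a file server" is also missing its apostrophe (you're).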