Merge pull request #10798 from MicrosoftDocs/main

[AutoPublish] main to live - 04/22 04:29 PDT | 04/22 16:59 IST
Padma Jayaraman 2025-04-22 17:03:11 +05:30 committed by GitHub
commit 78eed57ca9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
3 changed files with 19 additions and 3 deletions


@ -1,5 +1,5 @@
---
ms.date: 02/25/2025
ms.date: 04/22/2025
title: Considerations and known issues when using Credential Guard
description: Considerations, recommendations, and known issues when using Credential Guard.
ms.topic: troubleshooting
@ -112,6 +112,12 @@ When data protected with user DPAPI is unusable, then the user loses access to a
**Workaround:** Users can resolve the problem by connecting their device to the domain and rebooting or using their Encrypting File System Data Recovery Agent certificate. For more information about Encrypting File System Data Recovery Agent certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/previous-versions/windows/it-pro/windows-10/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate).
### Azure Virtual Machines lose access to the data protected by Credential Guard after deallocation
When an Azure Virtual Machine is deallocated, the underlying hardware is released, causing the keys protected by the TPM to become inaccessible. Consequently, any data protected by those keys also becomes inaccessible.
For more information, see [States and billing status of Azure Virtual Machines](/azure/virtual-machines/states-billing#power-states-and-billing).
## Known issues
Credential Guard blocks certain authentication capabilities. Applications that require such capabilities won't function when Credential Guard is enabled.
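
Review bot: The new "Azure Virtual Machines lose access to the data protected by Credential Guard after deallocation" section says the data becomes inaccessible but gives no workaround or recommendation, while the entry just above it ends with a "**Workaround:**" paragraph. Suggest adding what an administrator should do before deallocating a VM, or stating explicitly that the data cannot be recovered. The heading and body also differ on what is lost: the heading says "data protected by Credential Guard" and the body says "keys protected by the TPM", so it would help to state which data is affected in the same terms in both places.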


@ -17,4 +17,10 @@ The default value is 0.
| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**|
> [!NOTE]
> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN expiration is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment.
> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
>
> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled.
>
> On such devices, PIN expiration is not supported.
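
Review bot: In the rewritten note, "Enhanced Security Settings (ESS)" does not match its link target, `windows-hello-enhanced-sign-in-security`; the expansion should agree with the linked article's name, "Enhanced Sign-in Security (ESS)". Also, "On such devices, PIN expiration is not supported" follows two sentences that describe different device sets (23H2 with ESS, 24H2 with VBS enabled), so it is unclear whether the limitation applies to both. Suggest naming the condition directly, for example "On devices where Windows Hello uses VBS to isolate credentials, PIN expiration is not supported."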


@ -20,4 +20,8 @@ The default value is 0.
| **GPO** | **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity** |
> [!NOTE]
> Starting with Windows 11, version 24H2, Windows Hello is further hardened by default to use Virtualization-based security (VBS) to isolate credentials. This enhancement is automatically applied on devices that support VBS and have it enabled. However, it's important to note that PIN history is not supported on such devices. This change aims to enhance security by ensuring that credentials are protected in a more secure environment.
> Starting with Windows 11, version 23H2, Windows Hello uses Virtualization-based security (VBS) to isolate credentials on devices that support [Enhanced Security Settings (ESS)](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
>
> Starting with Windows 11, version 24H2, Windows Hello uses VBS to isolate credentials on all devices that have VBS enabled.
>
> On such devices, PIN history is not supported.
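
Review bot: This note is the same three-paragraph text as the PIN expiration note in the previous file, differing only in "PIN history", so the ESS expansion mismatch ("Enhanced Security Settings" against a link to `windows-hello-enhanced-sign-in-security`) and the ambiguous "On such devices" are repeated here. Suggest fixing both in the same way in this file, and consider moving the shared two sentences about 23H2 and 24H2 into a single include so the two settings cannot drift apart in later edits.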