diff --git a/windows/security/book/conclusion.md b/windows/security/book/conclusion.md index 8d65331dc4..067f25716d 100644 --- a/windows/security/book/conclusion.md +++ b/windows/security/book/conclusion.md @@ -16,7 +16,6 @@ We will continue to bring you new features to protect against evolving threats, New: - [Config Refresh](operating-system-security-system-security.md#config-refresh) -- [Passkeys](identity-protection-passwordless-sign-in.md#passkeys) - [Trusted signing](application-security-application-and-driver-control.md#trusted-signing) - [VBS Key Protection](identity-protection-advanced-credential-protection.md#vbs-key-protection) - [Virtualization-based security enclave](application-security-application-isolation.md#virtualization-based-security-enclave) @@ -28,8 +27,8 @@ Enhanced: - [BitLocker](operating-system-security-encryption-and-data-protection.md#bitlocker) - [Credential Guard](identity-protection-advanced-credential-protection.md#credential-guard) - [Device Encryption](operating-system-security-encryption-and-data-protection.md#device-encryption) -- [Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen) - [Local Security Authority (LSA) protection](identity-protection-advanced-credential-protection.md#local-security-authority-lsa-protection) +- [Passkeys](identity-protection-passwordless-sign-in.md#passkeys) - [Personal data encryption (PDE)](operating-system-security-encryption-and-data-protection.md#personal-data-encryption-pde) - [Server Message Block file services](operating-system-security-network-security.md#server-message-block-file-services) - [Universal Print](cloud-services-protect-your-work-information.md#universal-print) diff --git a/windows/security/book/identity-protection-advanced-credential-protection.md b/windows/security/book/identity-protection-advanced-credential-protection.md index eee93926d9..29e4f6e9b5 100644 
--- a/windows/security/book/identity-protection-advanced-credential-protection.md +++ b/windows/security/book/identity-protection-advanced-credential-protection.md 
@@ -27,11 +27,18 @@ To ensures a seamless transition and enhanced security for all users, the enterp ## Credential Guard -Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. +:::row::: + :::column::: + Credential Guard uses hardware-backed, Virtualization-based security (VBS) to protect against credential theft. With Credential Guard, the Local Security Authority (LSA) stores and protects Active Directory (AD) secrets in an isolated environment that isn't accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process. By protecting the LSA process with Virtualization-based security, Credential Guard shields systems from user credential theft attack techniques like Pass-the-Hash or Pass-the-Ticket. It also helps prevent malware from accessing system secrets even if the process is running with admin privileges. + :::column-end::: + :::column::: +:::image type="content" source="images/credential-guard-architecture.png" alt-text="Diagram of the Credential Guard's architecture." lightbox="images/credential-guard-architecture.png" border="false"::: + :::column-end::: +:::row-end::: -Protections are now expanded to optionally include machine account passwords for Active Directory joined devices. Administrators can enable audit mode of this capability or enforcement using Credential Guard management policy. +🆕 Starting in Windows 11, version 24H2, protections are expanded to optionally include machine account passwords for Active Directory-joined devices. Administrators can enable audit mode or enforcement of this capability using Credential Guard policy settings. 
:::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** diff --git a/windows/security/book/images/credential-guard-architecture.png b/windows/security/book/images/credential-guard-architecture.png new file mode 100644 index 0000000000..fd55100713 Binary files /dev/null and b/windows/security/book/images/credential-guard-architecture.png differ
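Review bot: In the second conclusion.md hunk (`@@ -28,8 +27,8 @@`), the entry `- [Enhanced phishing protection in Microsoft Defender SmartScreen](identity-protection-passwordless-sign-in.md#enhanced-phishing-protection-in-microsoft-defender-smartscreen)` is deleted from the Enhanced list but not re-added under New or anywhere else in the file, so the feature vanishes from the summary page entirely; if the intent is only to move Passkeys from New to Enhanced (which the first hunk and this hunk together do), keep that line, otherwise state why the SmartScreen entry is being dropped.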
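Review bot: In the identity-protection-advanced-credential-protection.md hunk, the image alt text `alt-text="Diagram of the Credential Guard's architecture."` reads awkwardly; use `alt-text="Diagram of the Credential Guard architecture."` to match the wording of the surrounding prose. Two smaller points in the same hunk: the `:::image` line inside the second `:::column:::` is not indented like the paragraph inside the first column, so the two column bodies are inconsistent; and the unchanged context line `To ensures a seamless transition and enhanced security for all users` carries a pre-existing typo (`To ensure`) that could be fixed while this section is being touched.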