diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index ee1efd2463..f54174f44c 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: brianlic-msft -ms.date: 08/17/2017 +ms.date: 01/12/2018 --- # Manage Windows Defender Credential Guard @@ -123,9 +123,9 @@ DG_Readiness_Tool_v3.2.ps1 -Ready > [!NOTE] -For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features. +For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. -- If Windows Defender Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Windows Defender Credential Guard should be enabled before the PC is joined to a domain. +- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. - You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md index 5bea794664..d3be3e2ba8 100644 --- a/windows/access-protection/credential-guard/credential-guard-requirements.md +++ b/windows/access-protection/credential-guard/credential-guard-requirements.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: brianlic-msft -ms.date: 08/17/2017 +ms.date: 01/12/2018 --- # Windows Defender Credential Guard: Requirements @@ -73,6 +73,8 @@ Applications will prompt and expose credentials to risk if they require: Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. +Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard. + See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index 7bb6243266..e5ef6bfcf2 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 08/28/2017 +ms.date: 01/12/2018 --- # Protect Remote Desktop credentials with Windows Defender Remote Credential Guard @@ -83,7 +83,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r The Remote Desktop client device: -- Must be running at least Windows 10, version 1703 to be able to supply credentials. +- Must be running at least Windows 10, version 1703 to be able to supply credentials. - Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. - Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. @@ -162,7 +162,7 @@ mstsc.exe /remoteGuard - Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied. -- Windows Defender Remote Credential Guard cannot be used to connect to a device that is not domain-joined to Active Directory, for example, remote hosts joined to Azure Active Directory. +- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. - Remote Desktop Credential Guard only works with the RDP protocol.