From 69045b87dd642a7fc98ae4e13adac6c3c5dac272 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 12 Jan 2018 09:59:57 -0800 Subject: [PATCH 1/3] clarified domain join --- .../credential-guard/credential-guard-manage.md | 4 ++-- windows/access-protection/remote-credential-guard.md | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index ee1efd2463..5e972edfb7 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md @@ -123,9 +123,9 @@ DG_Readiness_Tool_v3.2.ps1 -Ready > [!NOTE] -For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features. +For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. -- If Windows Defender Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Windows Defender Credential Guard should be enabled before the PC is joined to a domain. +- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised. - You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. 
diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index 7bb6243266..bf1b0ebf07 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -83,7 +83,7 @@ To use Windows Defender Remote Credential Guard, the Remote Desktop client and r The Remote Desktop client device: -- Must be running at least Windows 10, version 1703 to be able to supply credentials. +- Must be running at least Windows 10, version 1703 to be able to supply credentials. - Must be running at least Windows 10, version 1607 or Windows Server 2016 to use the user’s signed-in credentials. This requires the user’s account be able to sign in to both the client device and the remote host. - Must be running the Remote Desktop Classic Windows application. The Remote Desktop Universal Windows Platform application doesn't support Windows Defender Remote Credential Guard. - Must use Kerberos authentication to connect to the remote host. If the client cannot connect to a domain controller, then RDP attempts to fall back to NTLM. Windows Defender Remote Credential Guard does not allow NTLM fallback because this would expose credentials to risk. 
@@ -162,7 +162,7 @@ mstsc.exe /remoteGuard - Windows Defender Remote Credential Guard does not support compound authentication. For example, if you’re trying to access a file server from a remote host that requires a device claim, access will be denied. -- Windows Defender Remote Credential Guard cannot be used to connect to a device that is not domain-joined to Active Directory, for example, remote hosts joined to Azure Active Directory. +- Windows Defender Remote Credential Guard can be used only when connecting to a device that is joined to a Windows Server Active Directory domain, including AD domain-joined servers that run as Azure virtual machines (VMs). Windows Defender Remote Credential Guard cannot be used when connecting to remote devices joined to Azure Active Directory. - Remote Desktop Credential Guard only works with the RDP protocol. From d24082c9be99ad0628d3277c346e0370012b95c2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 12 Jan 2018 11:26:48 -0800 Subject: [PATCH 2/3] revised per feedback --- .../credential-guard/credential-guard-manage.md | 2 +- .../credential-guard/credential-guard-requirements.md | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index 5e972edfb7..179aa5ff00 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md 
@@ -125,7 +125,7 @@ DG_Readiness_Tool_v3.2.ps1 -Ready For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. -- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised. +- We recommend enabling Windows Defender Credential Guard before a device is joined to a domain. If Windows Defender Credential Guard is enabled after domain join, the user and device secrets may already be compromised. In other words, enabling Credential Guard will not help to secure a device or identity that has already been compromised, which is why we recommend turning on Credential Guard as early as possible. - You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. diff --git a/windows/access-protection/credential-guard/credential-guard-requirements.md b/windows/access-protection/credential-guard/credential-guard-requirements.md index 5bea794664..d3be3e2ba8 100644 --- a/windows/access-protection/credential-guard/credential-guard-requirements.md +++ b/windows/access-protection/credential-guard/credential-guard-requirements.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: brianlic-msft -ms.date: 08/17/2017 +ms.date: 01/12/2018 --- # Windows Defender Credential Guard: Requirements 
@@ -73,6 +73,8 @@ Applications will prompt and expose credentials to risk if they require: Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process. +Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard. + See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474) From b6f02ac6e7d25830d6f7b79922c6679c1fae805a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 12 Jan 2018 11:50:29 -0800 Subject: [PATCH 3/3] updated date --- .../credential-guard/credential-guard-manage.md | 2 +- windows/access-protection/remote-credential-guard.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/access-protection/credential-guard/credential-guard-manage.md b/windows/access-protection/credential-guard/credential-guard-manage.md index 179aa5ff00..f54174f44c 100644 --- a/windows/access-protection/credential-guard/credential-guard-manage.md +++ b/windows/access-protection/credential-guard/credential-guard-manage.md @@ -7,7 +7,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: high author: brianlic-msft -ms.date: 08/17/2017 +ms.date: 01/12/2018 --- # Manage Windows Defender Credential Guard diff --git a/windows/access-protection/remote-credential-guard.md b/windows/access-protection/remote-credential-guard.md index bf1b0ebf07..e5ef6bfcf2 100644 --- a/windows/access-protection/remote-credential-guard.md +++ b/windows/access-protection/remote-credential-guard.md @@ -6,7 +6,7 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 08/28/2017 +ms.date: 01/12/2018 --- # Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
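Review bot: In the credential-guard-manage.md @@ -123 hunk of PATCH 1/3, the rewritten line "+For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features." sits directly under "> [!NOTE]" but carries no ">" prefix, so it renders as plain body text outside the callout (the bullets that follow have the same problem); prefix the lines that belong to the note with "> " or move the "[!NOTE]" marker. While touching that line, "Windows 10 1703" should read "Windows 10, version 1703" to match the form used in remote-credential-guard.md elsewhere in this series.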
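Review bot: The remote-credential-guard.md @@ -83 hunk in PATCH 1/3 is a whitespace-only change: the removed and added "- Must be running at least Windows 10, version 1703 to be able to supply credentials." lines are otherwise identical, and the "clarified domain join" subject does not mention it. Either call out the whitespace cleanup in the commit message or drop the hunk so the diff shows only the intended wording changes.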
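Review bot: In the remote-credential-guard.md @@ -162 hunk of PATCH 1/3, the context line that follows the new bullet still says "Remote Desktop Credential Guard only works with the RDP protocol", while every other bullet in the list, including the new one, uses "Windows Defender Remote Credential Guard"; since the hunk already edits this list, correct the product name there as well. The new bullet itself is an improvement: stating the positive requirement (a Windows Server Active Directory domain, AD-joined Azure VMs included) before the exclusion (Azure AD-joined hosts) is clearer than the old negative-only wording.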
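Review bot: In the credential-guard-manage.md @@ -125 hunk of PATCH 2/3, the appended clause ", which is why we recommend turning on Credential Guard as early as possible" restates the recommendation that already opens the same bullet ("We recommend enabling Windows Defender Credential Guard before a device is joined to a domain"), so the bullet now gives the same advice twice. Drop the clause, or fold the bullet into one statement along the lines of "Enable Windows Defender Credential Guard before a device is joined to a domain: if it is enabled after domain join, the user and device secrets may already be compromised, and Credential Guard cannot protect secrets that are already compromised."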
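Review bot: In the credential-guard-requirements.md @@ -73 hunk of PATCH 2/3, the added sentence "Services or protocols that rely on Kerberos, such as file shares, remote desktop, or BranchCache, continue to work and are not affected by Windows Defender Credential Guard." lands in a section that opens with "Applications will prompt and expose credentials to risk if they require:", so an unqualified "not affected" reads as contradicting the list it follows. Qualify it (for example "continue to work, provided they do not depend on any of the items listed above") and give it a short lead-in so readers do not take it for another item in the caveat list.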
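Review bot: The ms.date hunks in PATCH 3/3 ("updated date") cover credential-guard-manage.md and remote-credential-guard.md, but the matching "-ms.date: 08/17/2017 / +ms.date: 01/12/2018" bump for credential-guard-requirements.md was committed in PATCH 2/3 ("revised per feedback"); moving that hunk into PATCH 3/3 keeps all three date-only changes in the commit whose subject describes them.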