mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Update considerations-known-issues.md
This commit is contained in:
parent
db771835df
commit
84fda171de
@ -11,7 +11,7 @@ It's recommended that in addition to deploying Credential Guard, organizations m
## Wi-fi and VPN considerations
When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
When Credential Guard is enabled, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
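Review bot: the heading "## Wi-fi and VPN considerations" and the body line "If you're using WiFi and VPN endpoints" spell the same term two different ways, and this hunk is already normalizing wording ("When you enable Credential Guard" to "When Credential Guard is enabled"), so normalize this too and use "Wi-Fi" in both places. The same goes for "MS-CHAPv2" in this hunk versus "MSCHAPv2" in the context shown on the next hunk header; pick one spelling for the whole article.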
@ -19,9 +19,13 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
## Kerberos considerations
When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
When Credential Guard is enabled, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
Use constrained or resource-based Kerberos delegation instead.
## CredSSP considerations
When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) can no longer rely on the signed-in credentials. Thus, applications which choose to use CredSSP cannot rely on single sign-on and instead must prompt the user for credentials.
## Non-Microsoft Security Support Providers considerations
Some non-Microsoft Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow non-Microsoft SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
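Review bot: the new "## CredSSP considerations" paragraph doesn't say which scenario the reader will actually hit. Remote Desktop is the main consumer of CredSSP, and the known-issues part of this same change lists RDP among the connections that lose single sign-on, so add a sentence such as "For example, Remote Desktop connections that authenticate with CredSSP prompt for credentials instead of using the signed-in user's credentials." and cross-link the two sections so they stay consistent. Two smaller points: "applications which choose to use CredSSP" reads better as "applications that choose to use CredSSP", and the unchanged context line "Any use of undocumented APIs within custom SSPs and APs aren't supported." has a subject/verb mismatch ("isn't supported") that is worth fixing while this section is open.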
@ -110,21 +114,24 @@ Credential Guard blocks certain authentication capabilities. Applications that r
This article describes known issues when Credential Guard is enabled.
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2
### Live migration breaks on Server after upgrading to Windows Server 2025
TODO
### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025
Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
#### Affected devices
Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 and Windows Server 2025 updates, eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
> [!TIP]
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
> If it's present, the device enables Credential Guard after the update.
>
> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
> Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
#### Cause of the issue
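Review bot: the new heading "### Live migration breaks on Server after upgrading to Windows Server 2025" has only "TODO" under it and will publish that way if merged; either write the section now (symptom, affected devices, cause, workaround, in the same structure the following issue uses) or drop the heading until the content is ready. Two smaller points in the same hunk: "eligible devices that didn't disable Credential Guard, have it [enabled by default]" has a stray comma before "have it", and the TIP's path "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" carries the "Computer\" prefix that Registry Editor shows in its address bar but that is not part of the key path; "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" is what an admin would paste into a script or `reg query` command.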
@ -193,9 +200,9 @@ We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2
For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
> [!TIP]
> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
>
> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
> If Credential Guard is explicitly disabled, the device will not automatically enable Credential Guard after the update.
### Issues with non-Microsoft applications
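Review bot: the rewritten TIP line keeps the grammar error from the line it replaces; "the device automatically enable Credential Guard after the update" should read "the device automatically enables Credential Guard after the update", and since the line is being touched anyway this is the place to fix it. Also "a version which [received default enablement]" reads better as "a version that [received default enablement]", matching the "that" used elsewhere in this article.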