deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-16 10:53:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #10929 from MicrosoftDocs/main
Some checks failed
(Scheduled) Publish to live / auto-publish (push) Has been cancelled
Details
(Scheduled) Mark stale pull requests / stale (push) Has been cancelled
Details

Browse Source 
[AutoPublish] main to live - 06/12 10:33 PDT | 06/12 23:03 IST
This commit is contained in:
m365-skilling-repo-management[bot]
2025-06-12 17:36:54 +00:00
committed by GitHub
parent 7f2668fa9e fedd934eb2
commit 98269b04dc
2 changed files with 13 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
windows/security/identity-protection/credential-guard/configure.md
View File

@ -191,29 +191,6 @@ Open the Event Viewer (`eventvwr.exe`) and go to `Windows Logs\System` and filte
:::column-end:::
:::row-end:::
The following event indicates whether TPM is used for key protection. Path: `Applications and Services logs > Microsoft > Windows > Kernel-Boot`
:::row:::
:::column span="1":::
**Event ID**
:::column-end:::
:::column span="3":::
**Description**
:::column-end:::
:::row-end:::
:::row:::
:::column span="1":::
51 (Information)
:::column-end:::
:::column span="3":::
```logging
VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
```
:::column-end:::
:::row-end:::
The TPM PCR mask is only relevant when SRTM is used. If the cached Copy status is 1, SRTM was not used - typically indicating DRTM is in use - and the PCR mask should be ignored.
## Disable Credential Guard
There are different options to disable Credential Guard. The option you choose depends on how Credential Guard is configured:

14
windows/security/identity-protection/credential-guard/how-it-works.md
View File

@ -1,5 +1,5 @@
---
ms.date: 02/25/2025
ms.date: 06/12/2025
title: How Credential Guard works
description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
ms.topic: concept-article
@ -20,6 +20,18 @@ Kerberos, NTLM, and Credential Manager isolate secrets by using Virtualization-b
:::column-end:::
:::row-end:::
## VSM and TPM Protections
Secrets protected by Credential Guard are protected in memory and isolated at runtime by the hypervisor using [Virtual Secure Mode](/virtualization/hyper-v-on-windows/tlfs/vsm) (VSM). On recent supported hardware with TPM 2.0, VSM data that is persisted will be protected by a key called the *VSM master key*, which is protected by device firmware protections. To learn more, see [System Guard: How a hardware-based root of trust helps protect Windows](/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows). The VSM master key is protected by the TPM, ensuring that the key and secrets protected by Credential Guard can only be accessed in a trusted environment.
Credential Guard doesn't typically persist authentication data (NTLM hash and TGTs), as that data is lost between reboots and refreshed when the user signs into the system. This means that it isn't dependent on the VSM master key or the TPM to protect that data at reset.
> [!NOTE]
> The VBS master key might not be protected by the TPM in any of the following environments:
>
> - If Secure Boot is disabled
> - If a TPM isn't available on the firmware
## Credential Guard protection limits
Some ways to store credentials aren't protected by Credential Guard, including: