From acde5f2d7a95a2d1e1fa606cf942a2e531999bf6 Mon Sep 17 00:00:00 2001 From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com> Date: Sun, 9 Jun 2024 16:47:27 -0700 Subject: [PATCH] Update considerations-known-issues.md Resolving comments from feature team review. --- .../considerations-known-issues.md | 41 ++++++++++--------- 1 file changed, 21 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md index 80dffd3218..add35c7682 100644 --- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md +++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md 
@@ -7,10 +7,18 @@ ms.topic: troubleshooting # Considerations and known issues when using Credential Guard +It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. + +## Upgrade considerations + > [!IMPORTANT] > Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here. -It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards. +As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. + +We recommend testing scenarios required for operations in an organization before upgrading a device that uses Credential Guard. + +Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) if it has not been explicitly disabled. ## Wi-fi and VPN considerations 
@@ -24,7 +32,7 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne When Credential Guard is enabled, certain types of identity delegation will be unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials. -When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft. +When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled and blocks cleartext credential disclosure. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft. Kerberos Unconstrained delegation, as well as DES, are blocked by Credential Guard. [Unconstrained delegation](/defender-for-identity/security-assessment-unconstrained-kerberos#what-risk-does-unsecure-kerberos-delegation-pose-to-an-organization) is not a recommended practice. 
@@ -38,14 +46,6 @@ It's recommended that custom implementations of SSPs/APs are tested with Credent For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package). -## Upgrade considerations - -As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. - -We recommend testing scenarios required for operations in an organization before upgrading a device that uses Credential Guard. - -Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) if it has not been explicitly disabled. - ## Saved Windows credentials considerations *Credential Manager* allows you to store three types of credentials: 
@@ -121,35 +121,36 @@ Credential Guard blocks certain authentication capabilities. Applications that r This article describes known issues when Credential Guard is enabled. -### Live Migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview) +### Live migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview) -Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on Live Migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected. +> [!IMPORTANT] +> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here. + +Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on live migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration. #### Affected devices -Any Server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025, [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#how-to-prevent-default-enablement) before upgrade. +Any server with Credential Guard enabled may encounter this issue. 
Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#how-to-prevent-default-enablement) before upgrade. #### Cause of the issue Live Migration with Hyper-V, and applications and services which rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials. -If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration will fail. In most cases, Credential Guard's enablement state on the destination machine will not impact Live Migration. Live Migration will also fail in cluster scenarios (eg, SCVMM), since any device may at one point act as a source machine. +If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration will fail. In most cases, Credential Guard's enablement state on the destination machine will not impact Live Migration. Live Migration will also fail in cluster scenarios (e.g., SCVMM), since any device may at one point act as a source machine. #### How to fix the issue -Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can configure these types of delegation manually or with the help of automated scripts. 
+Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts. -For a more immediate but less secure fix, [Credential Guard can be disabled](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft. - -### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 +### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview) Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running. #### Affected devices -Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 and Windows Server 2025 updates, eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements). +Any device with Credential Guard enabled may encounter the issue. 
Starting in Windows 11, version 22H2 and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements). All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement. > [!TIP] -> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. +> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`. > If it's present, the device enables Credential Guard after the update. > > Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
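Review bot: in the first hunk (`@@ -7,10 +7,18`), the moved sentence "Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview)..." should read "Windows 11, version 22H2" to match the form used in the "Single sign-on for Network services" heading and its "Affected devices" paragraph later in this same patch. Note also that the [!IMPORTANT] preview note now sits directly under the new "## Upgrade considerations" heading while the same note is added verbatim under the live migration known issue; since the upgrade section mentions Windows Server 2025 (preview) only in its last paragraph, consider whether one copy of the note is enough, and track both so they are removed together once the product is released.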
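Review bot: in the second hunk (`@@ -24,7 +32,7`), the appended clause "once Credential Guard is enabled and blocks cleartext credential disclosure" reads as if Credential Guard blocks cleartext credentials altogether, which contradicts the preceding sentence's "though cleartext credentials can still be supplied". Suggest making the causal link explicit, for example: "... and will not work with SSO once Credential Guard is enabled, because Credential Guard prevents the signed-in user's credentials from being disclosed in cleartext." While here, "CredSSP-based Delegation" should be "CredSSP-based delegation" to match the lowercase form used in the live migration paragraph added further down in this patch.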
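Review bot: in the last hunk (`@@ -121,35 +121,36`), the heading is lowercased to "Live migration" but the body of the same section still uses "Live Migration with Hyper-V", "Live Migration" and "CredSSP-based Delegation" while the newly added sentence uses "live migration" and "CredSSP-based delegation", so both forms now appear within one section; pick one and apply it throughout, and for consistency lowercase "Network services" in the "Single sign-on for Network services" heading as well. The split sentence "eligible devices that didn't disable Credential Guard, have it [enabled by default]" has a stray comma before "have". The link added to the fix paragraph relies on the anchor `#BKMK_Step1`; confirm that anchor exists on the target page, since anchors of that form are easily renamed. Removing the "For a more immediate but less secure fix, Credential Guard can be disabled" paragraph leaves the live migration issue with only the Kerberos constrained delegation fix, which is the safer guidance; the disablement instructions remain reachable via the [!TIP] in the single sign-on section, so no link is lost.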