From db771835dfa1881641afdd131874fd6183ff4500 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 8 Apr 2024 11:04:20 -0700
Subject: [PATCH 01/32] Update configure.md

Updated configure page with initial draft of changes.
---
 .../credential-guard/configure.md             | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 9f8373b96b..4565e8b4fe 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -9,21 +9,16 @@ ms.topic: how-to
 
 This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry.
 
-## Default enablement
+## Default Enablement
 
-Starting in **Windows 11, version 22H2**, Credential Guard is turned on by default on devices that [meet the requirements](index.md#hardware-and-software-requirements). The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
+Starting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is [enabled by default on devices which meet the requirements](index.md/#default-enablement).
 
-If Credential Guard or VBS are disabled *before* a device is updated to Windows 11, version 22H2 or later, default enablement doesn't overwrite the existing settings.
+System administrators can still [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state, typically after reboot.
 
-While the default state of Credential Guard changed, system administrators can [enable](#enable-credential-guard) or [disable](#disable-credential-guard) it using one of the methods described in this article.
+### How to Prevent Default Enablement
 
-> [!IMPORTANT]
-> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
+Devices that have had Credential Guard explicitly disabled *prior* to updating to a version of Windows that comes with default enablement will NOT have Credential Guard enabled upon update. In this case Credential Guard will continue to be disabled even after updating to a version of Windows that enables Credential Guard by default.
 
-> [!NOTE]
-> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
->
-> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-credential-guard).
 
 ## Enable Credential Guard
 
@@ -225,7 +220,7 @@ There are different options to disable Credential Guard. The option you choose d
 
 - Credential Guard running in a virtual machine can be [disabled by the host](#disable-credential-guard-for-a-virtual-machine)
 - If Credential Guard is enabled **with UEFI Lock**, follow the procedure described in [disable Credential Guard with UEFI Lock](#disable-credential-guard-with-uefi-lock)
-- If Credential Guard is enabled **without UEFI Lock**, or as part of the automatic enablement in the Windows 11, version 22H2 update, use one of the following options to disable it:
+- If Credential Guard is enabled **without UEFI Lock**, or as part of the [default enablement update](index.md#default-enablement), use one of the following options to disable it:
   - Microsoft Intune/MDM
   - Group policy
   - Registry
@@ -256,7 +251,7 @@ Once the policy is applied, restart the device.
 
 #### [:::image type="icon" source="../../images/icons/group-policy.svg" border="false"::: **GPO**](#tab/gpo)
 
-### Disable  Credential Guard with group policy
+### Disable Credential Guard with group policy
 
 If Credential Guard is enabled via Group Policy and without UEFI Lock, disabling the same group policy setting disables Credential Guard.
 

From 84fda171dee003c4c94f6bfd0e5e37f9b7c4e781 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 8 Apr 2024 11:06:20 -0700
Subject: [PATCH 02/32] Update considerations-known-issues.md

---
 .../considerations-known-issues.md            | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index ebae34dece..70e69ba53f 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -11,7 +11,7 @@ It's recommended that in addition to deploying Credential Guard, organizations m
 
 ## Wi-fi and VPN considerations
 
-When you enable Credential Guard, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
+When Credential Guard is enabled, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
 
 If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
 
@@ -19,9 +19,13 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
 
 ## Kerberos considerations
 
-When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
+When Credential Guard is enabled, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
 Use constrained or resource-based Kerberos delegation instead.
 
+## CredSSP considerations
+
+When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) can no longer rely on the signed-in credentials. Thus, applications which choose to use CredSSP cannot rely on single sign-on and instead must prompt the user for credentials.
+
 ## Non-Microsoft Security Support Providers considerations
 
 Some non-Microsoft Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow non-Microsoft SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
@@ -110,21 +114,24 @@ Credential Guard blocks certain authentication capabilities. Applications that r
 
 This article describes known issues when Credential Guard is enabled.
 
-### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2
+### Live migration breaks on Server after upgrading to Windows Server 2025
+TODO
+
+### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025
 
 Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
 
 #### Affected devices
 
-Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 update, eligible devices that didn't disable Credential Guard, have it enabled by default. This affected all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they met the [minimum hardware requirements](index.md#hardware-and-software-requirements).
+Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 and Windows Server 2025 updates, eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
 
 All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
 
 > [!TIP]
-> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
 > If it's present, the device enables Credential Guard after the update.
 >
-> You can Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
+> Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
 
 #### Cause of the issue
 
@@ -193,9 +200,9 @@ We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2
 For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
 
 > [!TIP]
-> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to Windows 11, version 22H2. If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
+> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
 >
-> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
+> If Credential Guard is explicitly disabled, the device will not automatically enable Credential Guard after the update.
 
 ### Issues with non-Microsoft applications
 

From 80cfc83e493f1264b404cd10cb656647ca5f3190 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 8 Apr 2024 11:06:56 -0700
Subject: [PATCH 03/32] Update index.md

---
 .../credential-guard/index.md                 | 36 ++++++++++++++++---
 1 file changed, 32 insertions(+), 4 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 0fe80abdd8..d80d642b55 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -7,7 +7,7 @@ ms.topic: overview
 
 # Credential Guard overview
 
-Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.
+Credential Guard, now [enabled by default on most Windows machines](#default-enablement), prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.
 
 Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*.
 
@@ -20,9 +20,37 @@ When enabled, Credential Guard provides the following benefits:
 > [!NOTE]
 > While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures.
 
+## Default Enablement
+
+Starting in **Windows 11, 22H2** and **Windows Server 2025**, VBS and Credential Guard are enabled by default on devices that meet the requirements below. This means that going forward, domain credentials will automatically be protected by Credential Guard on most relevant Windows devices.
+
+The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
+
+> [!NOTE]
+> If Credential Guard or VBS is explicitly [disabled](configure.md/#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
+
+### Default Enablement on Windows client
+
+Devices running Windows 11, 22H2 or later will have Credential Guard enabled by default if they:
+
+- Meet the [license requirements](#windows-edition-and-licensing-requirements)
+- Meet the [hardware and sofware requirements](#system-requirements)
+- Has not been [explicitly configured to disable Credential Guard](configure.md/#default-enablement)
+
+### Default Enablement on Windows Server
+
+Devices running Windows Server 2025 or later will have Credential Guard enabled by default if they meet the above requirements for client and additionally:
+
+- Are joined to a domain
+- Are not a Domain Controller
+
 > [!IMPORTANT]
-> Starting in Windows 11, version 22H2, VBS and Credential Guard are enabled by default on all devices that meet the system requirements.\
-> For information about known issues related to the default enablement of Credential Guard, see [Credential Guard: Known Issues](considerations-known-issues.md).
+> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
+
+> [!NOTE]
+> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
+>
+> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-credential-guard).
 
 ## System requirements
 
@@ -95,4 +123,4 @@ Services or protocols that rely on Kerberos, such as file shares or remote deskt
 - Learn [how Credential Guard works](how-it-works.md)
 - Learn [how to configure Credential Guard](configure.md)
 - Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article
-- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)
\ No newline at end of file
+- Review [considerations and known issues when using Credential Guard](considerations-known-issues.md)

From 8ab35a69ddc918c5d7a4cae37d3d304334b4526f Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 8 Apr 2024 11:07:54 -0700
Subject: [PATCH 04/32] Update how-it-works.md

---
 .../identity-protection/credential-guard/how-it-works.md    | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
index 95c2cc6b76..8acc209f13 100644
--- a/windows/security/identity-protection/credential-guard/how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -19,6 +19,9 @@ Here's a high-level overview on how the LSA is isolated by using Virtualization-
 
 Some ways to store credentials aren't protected by Credential Guard, including:
 
+- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
+    > [!CAUTION]
+    > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases.
 - Software that manages credentials outside of Windows feature protection
 - Local accounts and Microsoft Accounts
 - Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS
@@ -26,9 +29,6 @@ Some ways to store credentials aren't protected by Credential Guard, including:
 - Physical attacks
 - Doesn't prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization
 - Non-Microsoft security packages
-- When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
-    > [!CAUTION]
-    > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases.
 - Supplied credentials for NTLM authentication aren't protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. These same credentials are vulnerable to key loggers as well
 - Kerberos service tickets aren't protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is protected
 - When Credential Guard is enabled, Kerberos doesn't allow *unconstrained Kerberos delegation* or *DES encryption*, not only for signed-in credentials, but also prompted or saved credentials

From f81e3b4736a1db8957fe03d71d53f1b26989b0da Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 6 May 2024 11:21:59 -0700
Subject: [PATCH 05/32] Update configure.md

Fixing syntax errors
---
 .../security/identity-protection/credential-guard/configure.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 4565e8b4fe..b796611b79 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -11,7 +11,7 @@ This article describes how to configure Credential Guard using Microsoft Intune,
 
 ## Default Enablement
 
-Starting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is [enabled by default on devices which meet the requirements](index.md/#default-enablement).
+Starting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
 
 System administrators can still [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state, typically after reboot.
 

From 48d1df9a3cfb3cd0ef1ee72590a60320afadddef Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 6 May 2024 12:02:05 -0700
Subject: [PATCH 06/32] Update index.md

Fixing learn-build warnings
---
 .../identity-protection/credential-guard/index.md         | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index d80d642b55..06ab5439d8 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -27,7 +27,7 @@ Starting in **Windows 11, 22H2** and **Windows Server 2025**, VBS and Credential
 The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
 
 > [!NOTE]
-> If Credential Guard or VBS is explicitly [disabled](configure.md/#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
+> If Credential Guard or VBS is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
 
 ### Default Enablement on Windows client
 
@@ -35,7 +35,7 @@ Devices running Windows 11, 22H2 or later will have Credential Guard enabled by
 
 - Meet the [license requirements](#windows-edition-and-licensing-requirements)
 - Meet the [hardware and sofware requirements](#system-requirements)
-- Has not been [explicitly configured to disable Credential Guard](configure.md/#default-enablement)
+- Has not been [explicitly configured to disable Credential Guard](configure.md#default-enablement)
 
 ### Default Enablement on Windows Server
 
@@ -45,12 +45,12 @@ Devices running Windows Server 2025 or later will have Credential Guard enabled
 - Are not a Domain Controller
 
 > [!IMPORTANT]
-> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#single-sign-on-for-network-services-breaks-after-upgrading-to-windows-11-version-22h2).
+> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#known-issues).
 
 > [!NOTE]
 > Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
 >
-> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](#disable-credential-guard).
+> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](configure.md#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](configure.md#disable-credential-guard).
 
 ## System requirements
 

From 0a89d59120eee72c71586de1d5ca1682a04257e5 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 6 May 2024 12:58:38 -0700
Subject: [PATCH 07/32] Update index.md

v2 of changes, reflecting Preview status of Server 2025, and some edits for clarity.
---
 .../credential-guard/index.md                 | 22 ++++++++++++-------
 1 file changed, 14 insertions(+), 8 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 06ab5439d8..73f23a56b2 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -22,12 +22,14 @@ When enabled, Credential Guard provides the following benefits:
 
 ## Default Enablement
 
-Starting in **Windows 11, 22H2** and **Windows Server 2025**, VBS and Credential Guard are enabled by default on devices that meet the requirements below. This means that going forward, domain credentials will automatically be protected by Credential Guard on most relevant Windows devices.
+Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements below. This means that going forward, domain credentials will automatically be protected by Credential Guard on most relevant Windows devices.
 
-The default enablement is **without UEFI Lock**, which allows administrators to disable Credential Guard remotely, if needed.
+The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed.
+
+If the preconditions for default enablement of Credential Guard listed below are met, and neither Credential Guard nor VBS have been explicitly disabled beforehand, the default enablement of Credential Guard will also automatically enable [VBS](#system-requirements).
 
 > [!NOTE]
-> If Credential Guard or VBS is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
+> If Credential Guard or VBS is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 (preview) or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
 
 ### Default Enablement on Windows client
 
@@ -35,11 +37,11 @@ Devices running Windows 11, 22H2 or later will have Credential Guard enabled by
 
 - Meet the [license requirements](#windows-edition-and-licensing-requirements)
 - Meet the [hardware and sofware requirements](#system-requirements)
-- Has not been [explicitly configured to disable Credential Guard](configure.md#default-enablement)
+- Have not been [explicitly configured to disable Credential Guard](configure.md#default-enablement)
 
 ### Default Enablement on Windows Server
 
-Devices running Windows Server 2025 or later will have Credential Guard enabled by default if they meet the above requirements for client and additionally:
+Devices running Windows Server 2025 (preview) or later will have Credential Guard enabled by default if they meet the above requirements for client and additionally:
 
 - Are joined to a domain
 - Are not a Domain Controller
@@ -54,16 +56,16 @@ Devices running Windows Server 2025 or later will have Credential Guard enabled
 
 ## System requirements
 
-For Credential Guard to provide protection, the devices must meet certain hardware, firmware, and software requirements.
+For Credential Guard to provide protection, the device must meet certain hardware, firmware, and software requirements.
 
-Devices that meet more hardware and firmware qualifications than the minimum requirements, receive additional protections and are more hardened against certain threats.
+Devices that meet more hardware and firmware qualifications than the minimum requirements receive additional protections and are more hardened against certain threats.
 
 ### Hardware and software requirements
 
 Credential Guard requires the features:
 
 - Virtualization-based security (VBS)
-  >[!NOTE]
+  > [!NOTE]
   > VBS has different requirements to enable it on different hardware platforms. For more information, see [Virtualization-based Security requirements](/windows-hardware/design/device-experiences/oem-vbs)
 - [Secure Boot](../../operating-system-security/system-security/secure-the-windows-10-boot-process.md#secure-boot)
 
@@ -113,11 +115,15 @@ Applications prompt and expose credentials to risk if they require:
 - Digest authentication
 - Credential delegation
 - MS-CHAPv2
+- CredSSP
 
 Applications may cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`.
 
 Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.
 
+> [!IMPORTANT]
+> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
 ## Next steps
 
 - Learn [how Credential Guard works](how-it-works.md)

From e2a8f99d5047caf5306fc7016c4b0b9b7ad83fc3 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Mon, 6 May 2024 13:18:09 -0700
Subject: [PATCH 08/32] Update configure.md

Updated to reflect Server 2025 preview status
---
 .../identity-protection/credential-guard/configure.md      | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index b796611b79..58c4a829ce 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -11,9 +11,9 @@ This article describes how to configure Credential Guard using Microsoft Intune,
 
 ## Default Enablement
 
-Starting in Windows 11, 22H2 and Windows Server 2025, Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
+Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
 
-System administrators can still [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state, typically after reboot.
+System administrators can still explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state, typically after reboot.
 
 ### How to Prevent Default Enablement
 
@@ -394,6 +394,9 @@ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,
 bcdedit /set vsmlaunchtype off
 ```
 
+> [!IMPORTANT]
+> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
 ## Next steps
 
 - Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article

From 82ab3c7f0263a3c617759ab1dd51eac42cec23a1 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Tue, 7 May 2024 13:10:09 -0700
Subject: [PATCH 09/32] Update considerations-known-issues.md

Main change to reflect CredSSP delegation issue affecting Live Migration with Hyper-V
---
 .../considerations-known-issues.md            | 39 ++++++++++++++-----
 1 file changed, 30 insertions(+), 9 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 70e69ba53f..431057b2f9 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -5,6 +5,9 @@ description: Considerations, recommendations and known issues when using Credent
 ms.topic: troubleshooting
 ---
 
+> [!IMPORTANT]
+> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
 # Considerations and known issues when using Credential Guard
 
 It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
@@ -17,18 +20,20 @@ If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subj
 
 For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based connections (such as PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (such as PEAP-TLS or EAP-TLS).
 
-## Kerberos considerations
+## Delegation considerations
 
-When Credential Guard is enabled, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process.\
-Use constrained or resource-based Kerberos delegation instead.
+When Credential Guard is enabled, certain types of identity delegation will be unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials.
 
-## CredSSP considerations
+When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft. 
 
-When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) can no longer rely on the signed-in credentials. Thus, applications which choose to use CredSSP cannot rely on single sign-on and instead must prompt the user for credentials.
+Kerberos Unconstrained delegation, as well as DES, are blocked by Credential Guard. [Unconstrained delegation](/defender-for-identity/security-assessment-unconstrained-kerberos#what-risk-does-unsecure-kerberos-delegation-pose-to-an-organization) is not a recommended practice.
+
+Instead [Kerberos](/windows-server/security/kerberos/kerberos-authentication-overview) or [Negotiate SSP](/windows/win32/secauthn/microsoft-negotiate) are recommended for authentication generally, and for delegation, [Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) and [Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview#resource-based-constrained-delegation-across-domains) are recommended. These methods provide greater credential security overall, and are also compatible with Credential Guard.
 
 ## Non-Microsoft Security Support Providers considerations
 
-Some non-Microsoft Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow non-Microsoft SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.\
+Some non-Microsoft Security Support Providers (SSPs and APs) might not be compatible with Credential Guard because it doesn't allow non-Microsoft SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs aren't supported.
+
 It's recommended that custom implementations of SSPs/APs are tested with Credential Guard. SSPs and APs that depend on any undocumented or unsupported behaviors fail. For example, using the KerbQuerySupplementalCredentialsMessage API isn't supported. Replacing the NTLM or Kerberos SSPs with custom SSPs and APs.
 
 For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
@@ -37,7 +42,9 @@ For more information, see [Restrictions around Registering and Installing a Secu
 
 As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
 
-Test scenarios required for operations in an organization before upgrading a device using Credential Guard.
+We recommend testing scenarios required for operations in an organization before upgrading a device that uses Credential Guard.
+
+Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) if it has not been explicitly disabled.
 
 ## Saved Windows credentials considerations
 
@@ -114,8 +121,22 @@ Credential Guard blocks certain authentication capabilities. Applications that r
 
 This article describes known issues when Credential Guard is enabled.
 
-### Live migration breaks on Server after upgrading to Windows Server 2025
-TODO
+### Live Migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview)
+
+Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on Live Migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected.
+
+#### Affected devices
+Any Server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025, [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#how-to-prevent-default-enablement) before upgrade.
+
+#### Cause of the issue
+Live Migration with Hyper-V, and applications and services which rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials.
+
+If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration will fail. In most cases, Credential Guard's enablement state on the destination machine will not impact Live Migration. Live Migration will also fail in cluster scenarios (eg, SCVMM), since any device may at one point act as a source machine.
+
+#### How to fix the issue
+Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can configure these types of delegation manually or with the help of automated scripts.
+
+For a more immediate but less secure fix, [Credential Guard can be disabled](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
 
 ### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025
 

From 02efdb67838fac87e2ebce97455c8a09b7dc9c4c Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Tue, 7 May 2024 13:16:06 -0700
Subject: [PATCH 10/32] Update considerations-known-issues.md

Moved WS'25 preview disclaimer to fix compile warning
---
 .../credential-guard/considerations-known-issues.md           | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 431057b2f9..80dffd3218 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -5,11 +5,11 @@ description: Considerations, recommendations and known issues when using Credent
 ms.topic: troubleshooting
 ---
 
+# Considerations and known issues when using Credential Guard
+
 > [!IMPORTANT]
 > Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
-# Considerations and known issues when using Credential Guard
-
 It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
 
 ## Wi-fi and VPN considerations

From 8b2f448d2a57d4203c3ee8e5988c8578ecc5e841 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Sun, 9 Jun 2024 16:07:46 -0700
Subject: [PATCH 11/32] Update configure.md

Resolving comments from feature team review.
---
 .../credential-guard/configure.md                  | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 58c4a829ce..4db3ec9c52 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -9,16 +9,19 @@ ms.topic: how-to
 
 This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry.
 
-## Default Enablement
+> [!IMPORTANT]
+> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
+## Default enablement
 
 Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
 
-System administrators can still explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state, typically after reboot.
-
-### How to Prevent Default Enablement
+System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state after reboot.
 
 Devices that have had Credential Guard explicitly disabled *prior* to updating to a version of Windows that comes with default enablement will NOT have Credential Guard enabled upon update. In this case Credential Guard will continue to be disabled even after updating to a version of Windows that enables Credential Guard by default.
 
+> [!IMPORTANT]
+> For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md).
 
 ## Enable Credential Guard
 
@@ -394,9 +397,6 @@ bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,
 bcdedit /set vsmlaunchtype off
 ```
 
-> [!IMPORTANT]
-> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
-
 ## Next steps
 
 - Review the advice and sample code for making your environment more secure and robust with Credential Guard in the [Additional mitigations](additional-mitigations.md) article

From 5fe62f7f1a29b08c47a46e120b6e3d2f703a6559 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Sun, 9 Jun 2024 16:08:34 -0700
Subject: [PATCH 12/32] Update configure.md

Moved Windows Server 2025 Preview disclaimer.
---
 .../identity-protection/credential-guard/configure.md         | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 4db3ec9c52..595159b2e9 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -9,11 +9,11 @@ ms.topic: how-to
 
 This article describes how to configure Credential Guard using Microsoft Intune, Group Policy, or the registry.
 
+## Default enablement
+
 > [!IMPORTANT]
 > Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
-## Default enablement
-
 Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
 
 System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state after reboot.

From acde5f2d7a95a2d1e1fa606cf942a2e531999bf6 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Sun, 9 Jun 2024 16:47:27 -0700
Subject: [PATCH 13/32] Update considerations-known-issues.md

Resolving comments from feature team review.
---
 .../considerations-known-issues.md            | 41 ++++++++++---------
 1 file changed, 21 insertions(+), 20 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 80dffd3218..add35c7682 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -7,10 +7,18 @@ ms.topic: troubleshooting
 
 # Considerations and known issues when using Credential Guard
 
+It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
+
+## Upgrade considerations
+
 > [!IMPORTANT]
 > Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
-It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
+As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
+
+We recommend testing scenarios required for operations in an organization before upgrading a device that uses Credential Guard.
+
+Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) if it has not been explicitly disabled.
 
 ## Wi-fi and VPN considerations
 
@@ -24,7 +32,7 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
 
 When Credential Guard is enabled, certain types of identity delegation will be unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials.
 
-When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft. 
+When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled and blocks cleartext credential disclosure. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft. 
 
 Kerberos Unconstrained delegation, as well as DES, are blocked by Credential Guard. [Unconstrained delegation](/defender-for-identity/security-assessment-unconstrained-kerberos#what-risk-does-unsecure-kerberos-delegation-pose-to-an-organization) is not a recommended practice.
 
@@ -38,14 +46,6 @@ It's recommended that custom implementations of SSPs/APs are tested with Credent
 
 For more information, see [Restrictions around Registering and Installing a Security Package](/windows/win32/secauthn/restrictions-around-registering-and-installing-a-security-package).
 
-## Upgrade considerations
-
-As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
-
-We recommend testing scenarios required for operations in an organization before upgrading a device that uses Credential Guard.
-
-Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) if it has not been explicitly disabled.
-
 ## Saved Windows credentials considerations
 
 *Credential Manager* allows you to store three types of credentials:
@@ -121,35 +121,36 @@ Credential Guard blocks certain authentication capabilities. Applications that r
 
 This article describes known issues when Credential Guard is enabled.
 
-### Live Migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview)
+### Live migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview)
 
-Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on Live Migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected.
+> [!IMPORTANT]
+> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+
+Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on live migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
 
 #### Affected devices
-Any Server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025, [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#how-to-prevent-default-enablement) before upgrade.
+Any server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#how-to-prevent-default-enablement) before upgrade.
 
 #### Cause of the issue
 Live Migration with Hyper-V, and applications and services which rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials.
 
-If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration will fail. In most cases, Credential Guard's enablement state on the destination machine will not impact Live Migration. Live Migration will also fail in cluster scenarios (eg, SCVMM), since any device may at one point act as a source machine.
+If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration will fail. In most cases, Credential Guard's enablement state on the destination machine will not impact Live Migration. Live Migration will also fail in cluster scenarios (e.g., SCVMM), since any device may at one point act as a source machine.
 
 #### How to fix the issue
-Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can configure these types of delegation manually or with the help of automated scripts.
+Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.
 
-For a more immediate but less secure fix, [Credential Guard can be disabled](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
-
-### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025
+### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
 
 Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
 
 #### Affected devices
 
-Any device with Credential Guard enabled may encounter the issue. As part of the Windows 11, version 22H2 and Windows Server 2025 updates, eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
+Any device with Credential Guard enabled may encounter the issue. Starting in Windows 11, version 22H2 and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
 
 All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
 
 > [!TIP]
-> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
+> To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
 > If it's present, the device enables Credential Guard after the update.
 >
 > Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).

From abbc5fd7669f82e64c88ef2f1e9f8c383b44b6dd Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Sun, 9 Jun 2024 16:49:54 -0700
Subject: [PATCH 14/32] Update how-it-works.md

Resolving comments from feature team review.
---
 .../identity-protection/credential-guard/how-it-works.md        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
index 8acc209f13..d3af49e5aa 100644
--- a/windows/security/identity-protection/credential-guard/how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -21,7 +21,7 @@ Some ways to store credentials aren't protected by Credential Guard, including:
 
 - When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP can't use the signed-in credentials. Thus, single sign-on doesn't work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which aren't protected by Credential Guard with any of these protocols
     > [!CAUTION]
-    > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols. If these protocols must be used by domain or Microsoft Entra users, secondary credentials should be provisioned for these use cases.
+    > It's recommended that valuable credentials, such as the sign-in credentials, aren't used with NTLMv1, MS-CHAPv2, Digest, or CredSSP protocols.
 - Software that manages credentials outside of Windows feature protection
 - Local accounts and Microsoft Accounts
 - Credential Guard doesn't protect the Active Directory database running on Windows Server domain controllers. It also doesn't protect credential input pipelines, such as Windows Server running Remote Desktop Gateway. If you're using a Windows Server OS as a client PC, it will get the same protection as it would when running a Windows client OS

From 11bd89951b63758f839e4cdb61bbefc65258cf33 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Sun, 9 Jun 2024 17:00:37 -0700
Subject: [PATCH 15/32] Update index.md

Resolving comments from feature team review.
---
 .../credential-guard/index.md                 | 28 +++++++++----------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 73f23a56b2..aa17cc040f 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -20,18 +20,21 @@ When enabled, Credential Guard provides the following benefits:
 > [!NOTE]
 > While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques, and you should also incorporate other security strategies and architectures.
 
-## Default Enablement
+## Default enablement
+
+> [!IMPORTANT]
+> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
 Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements below. This means that going forward, domain credentials will automatically be protected by Credential Guard on most relevant Windows devices.
 
 The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed.
 
-If the preconditions for default enablement of Credential Guard listed below are met, and neither Credential Guard nor VBS have been explicitly disabled beforehand, the default enablement of Credential Guard will also automatically enable [VBS](#system-requirements).
+If the preconditions for default enablement of Credential Guard listed below are met, and Credential Guard has not been [explicitly disabled](configure.md#disable-credential-guard) beforehand, the default enablement of Credential Guard will also automatically enable [VBS](#system-requirements).
 
 > [!NOTE]
-> If Credential Guard or VBS is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 (preview) or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
+> If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 (preview) or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.
 
-### Default Enablement on Windows client
+### Default enablement on Windows
 
 Devices running Windows 11, 22H2 or later will have Credential Guard enabled by default if they:
 
@@ -39,9 +42,14 @@ Devices running Windows 11, 22H2 or later will have Credential Guard enabled by
 - Meet the [hardware and sofware requirements](#system-requirements)
 - Have not been [explicitly configured to disable Credential Guard](configure.md#default-enablement)
 
-### Default Enablement on Windows Server
+> [!NOTE]
+> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
+>
+> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](configure.md#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](configure.md#disable-credential-guard).
 
-Devices running Windows Server 2025 (preview) or later will have Credential Guard enabled by default if they meet the above requirements for client and additionally:
+### Default enablement on Windows Server
+
+Devices running Windows Server 2025 (preview) or later will have Credential Guard enabled by default if they meet the above requirements for Windows and additionally:
 
 - Are joined to a domain
 - Are not a Domain Controller
@@ -49,11 +57,6 @@ Devices running Windows Server 2025 (preview) or later will have Credential Guar
 > [!IMPORTANT]
 > For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#known-issues).
 
-> [!NOTE]
-> Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
->
-> To determine whether the Pro device is in this state, check if the following registry key exists: `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\IsolatedCredentialsRootSecret`. In this scenario, if you wish to disable VBS and Credential Guard, follow the instructions to [disable Virtualization-based Security](configure.md#disable-virtualization-based-security). If you wish to disable Credential Guard only, without disabling VBS, use the procedures to [disable Credential Guard](configure.md#disable-credential-guard).
-
 ## System requirements
 
 For Credential Guard to provide protection, the device must meet certain hardware, firmware, and software requirements.
@@ -121,9 +124,6 @@ Applications may cause performance issues when they attempt to hook the isolated
 
 Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.
 
-> [!IMPORTANT]
-> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
-
 ## Next steps
 
 - Learn [how Credential Guard works](how-it-works.md)

From 8a1c3f19ca1adb6a267e68ce838367ff2ff9283e Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Sun, 9 Jun 2024 17:03:32 -0700
Subject: [PATCH 16/32] Update considerations-known-issues.md

Fixed broken link
---
 .../credential-guard/considerations-known-issues.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index add35c7682..981313f76c 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -129,7 +129,7 @@ This article describes known issues when Credential Guard is enabled.
 Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on live migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
 
 #### Affected devices
-Any server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#how-to-prevent-default-enablement) before upgrade.
+Any server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#default-enablement) before upgrade.
 
 #### Cause of the issue
 Live Migration with Hyper-V, and applications and services which rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials.

From 3f58cdd5fa8c3da50a53551cfc297d0078d496e3 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:33:32 -0700
Subject: [PATCH 17/32] Update considerations-known-issues.md

Changed "NTLM classic (NTLMv1)" clarification.
---
 .../credential-guard/considerations-known-issues.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 981313f76c..437fb823a5 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -22,7 +22,7 @@ Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credent
 
 ## Wi-fi and VPN considerations
 
-When Credential Guard is enabled, you can no longer use NTLM classic authentication for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
+When Credential Guard is enabled, you can no longer use NTLM classic authentication (NTLMv1) for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
 
 If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
 

From 5604bdc96d63bfbc7a574f548c79e21cba54aecf Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:35:08 -0700
Subject: [PATCH 18/32] Update
 windows/security/identity-protection/credential-guard/configure.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 .../security/identity-protection/credential-guard/configure.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index 595159b2e9..b8ee1c896c 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -12,7 +12,7 @@ This article describes how to configure Credential Guard using Microsoft Intune,
 ## Default enablement
 
 > [!IMPORTANT]
-> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+> Windows Server 2025 is in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
 Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
 

From e6eca6a4edb7693819daf504250c6b35a32d3301 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:35:22 -0700
Subject: [PATCH 19/32] Update
 windows/security/identity-protection/credential-guard/configure.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 .../security/identity-protection/credential-guard/configure.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index b8ee1c896c..ec37c443b2 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -16,7 +16,7 @@ This article describes how to configure Credential Guard using Microsoft Intune,
 
 Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard is [enabled by default on devices which meet the requirements](index.md#default-enablement).
 
-System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values will overwrite default enablement state after reboot.
+System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values overwrite the default enablement state after a reboot.
 
 Devices that have had Credential Guard explicitly disabled *prior* to updating to a version of Windows that comes with default enablement will NOT have Credential Guard enabled upon update. In this case Credential Guard will continue to be disabled even after updating to a version of Windows that enables Credential Guard by default.
 

From ec2fd686ead06355c4e8ae2a92caf679988889a8 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:35:56 -0700
Subject: [PATCH 20/32] Update
 windows/security/identity-protection/credential-guard/configure.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 .../security/identity-protection/credential-guard/configure.md  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index ec37c443b2..d0140e1fe3 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -18,7 +18,7 @@ Starting in Windows 11, 22H2 and Windows Server 2025 (preview), Credential Guard
 
 System administrators can explicitly [enable](#enable-credential-guard) or [disable](#disable-credential-guard) Credential Guard using one of the methods described in this article. Explicitly configured values overwrite the default enablement state after a reboot.
 
-Devices that have had Credential Guard explicitly disabled *prior* to updating to a version of Windows that comes with default enablement will NOT have Credential Guard enabled upon update. In this case Credential Guard will continue to be disabled even after updating to a version of Windows that enables Credential Guard by default.
+If a device has Credential Guard explicitly turned off before updating to a newer version of Windows where Credential Guard is enabled by default, it will remain disabled even after the update.
 
 > [!IMPORTANT]
 > For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md).

From e2b4b7c3d0eaa9093ce55c693421a9fc6b27d70d Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:36:10 -0700
Subject: [PATCH 21/32] Update
 windows/security/identity-protection/credential-guard/considerations-known-issues.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 .../credential-guard/considerations-known-issues.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 437fb823a5..c6dcadc9a7 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -12,7 +12,7 @@ It's recommended that in addition to deploying Credential Guard, organizations m
 ## Upgrade considerations
 
 > [!IMPORTANT]
-> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+> Windows Server 2025 is in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
 As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
 

From 3203a7c6ab037485dc63ca2c632da174f807c723 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:36:44 -0700
Subject: [PATCH 22/32] Update
 windows/security/identity-protection/credential-guard/considerations-known-issues.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 .../credential-guard/considerations-known-issues.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index c6dcadc9a7..bd1c01b856 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -30,7 +30,7 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
 
 ## Delegation considerations
 
-When Credential Guard is enabled, certain types of identity delegation will be unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials.
+When Credential Guard is enabled, certain types of identity delegation are unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials.
 
 When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled and blocks cleartext credential disclosure. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft. 
 

From 92657d163adae108a50cee6c8c143a91ef960ac9 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:37:01 -0700
Subject: [PATCH 23/32] Update
 windows/security/identity-protection/credential-guard/considerations-known-issues.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 .../credential-guard/considerations-known-issues.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index bd1c01b856..a93a12a8b7 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -124,7 +124,7 @@ This article describes known issues when Credential Guard is enabled.
 ### Live migration with Hyper-V breaks when upgrading to Windows Server 2025 (preview)
 
 > [!IMPORTANT]
-> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+> Windows Server 2025 is in previeww. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
 Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on live migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
 

From 54193ff1d141f4ab6ac19eed791dc773a8ccf608 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:37:26 -0700
Subject: [PATCH 24/32] Update
 windows/security/identity-protection/credential-guard/index.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 windows/security/identity-protection/credential-guard/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index aa17cc040f..44f11fb93a 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -61,7 +61,7 @@ Devices running Windows Server 2025 (preview) or later will have Credential Guar
 
 For Credential Guard to provide protection, the device must meet certain hardware, firmware, and software requirements.
 
-Devices that meet more hardware and firmware qualifications than the minimum requirements receive additional protections and are more hardened against certain threats.
+Devices that exceed the minimum hardware and firmware qualifications receive additional protections and are more hardened against certain threats.
 
 ### Hardware and software requirements
 

From 7b827a5b913dd788f82689ede045a5ea316c2c93 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:38:46 -0700
Subject: [PATCH 25/32] Update
 windows/security/identity-protection/credential-guard/index.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 windows/security/identity-protection/credential-guard/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 44f11fb93a..13f47d63af 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -29,7 +29,7 @@ Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and
 
 The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed.
 
-If the preconditions for default enablement of Credential Guard listed below are met, and Credential Guard has not been [explicitly disabled](configure.md#disable-credential-guard) beforehand, the default enablement of Credential Guard will also automatically enable [VBS](#system-requirements).
+When Credential Guard is enabled, [VBS](#system-requirements) is automatically enabled too.
 
 > [!NOTE]
 > If Credential Guard is explicitly [disabled](configure.md#disable-credential-guard) *before* a device is updated to Windows 11, version 22H2 / Windows Server 2025 (preview) or later, default enablement does not overwrite the existing settings. That device will continue to have Credential Guard disabled even after updating to a version of Windows that enables Credential Guard by default.

From 8536afd93131cdd0e7074187e2fcbbf8ada8d6bf Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:39:49 -0700
Subject: [PATCH 26/32] Update
 windows/security/identity-protection/credential-guard/index.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 windows/security/identity-protection/credential-guard/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 13f47d63af..169ff3d9f2 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -25,7 +25,7 @@ When enabled, Credential Guard provides the following benefits:
 > [!IMPORTANT]
 > Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
-Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements below. This means that going forward, domain credentials will automatically be protected by Credential Guard on most relevant Windows devices.
+Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
 
 The default enablement is **without UEFI Lock**, thus allowing administrators to disable Credential Guard remotely if needed.
 

From 008aa60796a391d4ba54f76d4d288a6faf6ff343 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:40:03 -0700
Subject: [PATCH 27/32] Update
 windows/security/identity-protection/credential-guard/index.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 windows/security/identity-protection/credential-guard/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 169ff3d9f2..ce4f8a1ba2 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -23,7 +23,7 @@ When enabled, Credential Guard provides the following benefits:
 ## Default enablement
 
 > [!IMPORTANT]
-> Windows Server 2025 is in PREVIEW. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
+> Windows Server 2025 is in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
 Starting in **Windows 11, 22H2** and **Windows Server 2025 (preview)**, VBS and Credential Guard are enabled by default on devices that meet the requirements.
 

From 2d5b4f76135958fffe47b12b0abea497b11d1008 Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:41:06 -0700
Subject: [PATCH 28/32] Update
 windows/security/identity-protection/credential-guard/index.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 windows/security/identity-protection/credential-guard/index.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index ce4f8a1ba2..52d594aa72 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -7,7 +7,7 @@ ms.topic: overview
 
 # Credential Guard overview
 
-Credential Guard, now [enabled by default on most Windows machines](#default-enablement), prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.
+Credential Guard prevents credential theft attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials.
 
 Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/design/device-experiences/oem-vbs) to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks like *pass the hash* and *pass the ticket*.
 

From 07982549f11d6d40f43b7aaf7d9b03b36a13ea4c Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 15:42:54 -0700
Subject: [PATCH 29/32] Update
 windows/security/identity-protection/credential-guard/considerations-known-issues.md

Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
---
 .../credential-guard/considerations-known-issues.md             | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index a93a12a8b7..8248beaeb0 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -224,7 +224,7 @@ For a more immediate, but less secure fix, [disable Credential Guard](configure.
 > [!TIP]
 > To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
 >
-> If Credential Guard is explicitly disabled, the device will not automatically enable Credential Guard after the update.
+> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
 
 ### Issues with non-Microsoft applications
 

From 8beb3636381b54225930ceb0fdf01630b821d55b Mon Sep 17 00:00:00 2001
From: zwhitt-microsoft <101152161+zwhitt-microsoft@users.noreply.github.com>
Date: Wed, 19 Jun 2024 16:02:13 -0700
Subject: [PATCH 30/32] Update considerations-known-issues.md

Updating upgrade considerations per Paolo's recommendations.
---
 .../credential-guard/considerations-known-issues.md         | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 8248beaeb0..4bfa13a25a 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -14,11 +14,11 @@ It's recommended that in addition to deploying Credential Guard, organizations m
 > [!IMPORTANT]
 > Windows Server 2025 is in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
-As the depth and breadth of protections provided by Credential Guard are increased, new releases of Windows with Credential Guard running may affect scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities.
+As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard may impact previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
 
-We recommend testing scenarios required for operations in an organization before upgrading a device that uses Credential Guard.
+It’s advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
 
-Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) if it has not been explicitly disabled.
+Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
 
 ## Wi-fi and VPN considerations
 

From 08836f9de373d105fc8a464d2f3f9fdcf279297e Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 20 Jun 2024 12:05:58 -0400
Subject: [PATCH 31/32] Articles refresh, Acrolinx scores > 90

---
 .../additional-mitigations.md                 | 59 +++++++-------
 .../credential-guard/configure.md             |  6 +-
 .../considerations-known-issues.md            | 80 +++++++------------
 .../credential-guard/how-it-works.md          |  2 +-
 .../credential-guard/index.md                 | 25 +++---
 5 files changed, 76 insertions(+), 96 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index 5a6e9fd2c9..dde02e443a 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 08/31/2023
+ms.date: 06/20/2024
 title: Additional mitigations
 description: Learn how to improve the security of your domain environment with additional mitigations for Credential Guard and sample code.
 ms.topic: reference
@@ -46,8 +46,8 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
 To enable Kerberos armoring for restricting domain users to specific domain-joined devices:
 
 - Users need to be in domains that are running Windows Server 2012 R2 or higher
-- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
-- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
+- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**
+- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** > **Administrative Templates** > **System** > **Kerberos**.
 
 ### Protect domain-joined device secrets
 
@@ -56,7 +56,7 @@ Since domain-joined devices also use shared secrets for authentication, attacker
 Domain-joined device certificate authentication has the following requirements:
 
 - Devices' accounts are in Windows Server 2012 domain functional level or higher.
-- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
+- All domain controllers in those domains have KDC certificates that satisfy strict KDC validation certificate requirements:
   - KDC EKU present
   - DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
 - Windows devices have the CA issuing the domain controller certificates in the enterprise store.
@@ -70,19 +70,19 @@ For example, let's say you wanted to use the High Assurance policy only on these
 
 **Create a new certificate template**
 
-1.  From the Certificate Manager console, right-click **Certificate Templates > Manage**
-1.  Right-click **Workstation Authentication > Duplicate Template**
-1.  Right-click the new template, and then select **Properties**
-1.  On the **Extensions** tab, select **Application Policies > Edit**
-1.  Select **Client Authentication**, and then select **Remove**
-1.  Add the ID-PKInit-KPClientAuth EKU. Select **Add > New**, and then specify the following values:
-    -   Name: Kerberos Client Auth
-    -   Object Identifier: 1.3.6.1.5.2.3.4
-1.  On the **Extensions** tab, select **Issuance Policies > Edit**
-1.  Under **Issuance Policies**, select **High Assurance**
-1.  On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box
+1. From the Certificate Manager console, right-click **Certificate Templates > Manage**
+1. Right-click **Workstation Authentication > Duplicate Template**
+1. Right-click the new template, and then select **Properties**
+1. On the **Extensions** tab, select **Application Policies > Edit**
+1. Select **Client Authentication**, and then select **Remove**
+1. Add the ID-PKInit-KPClientAuth EKU. Select **Add > New**, and then specify the following values:
+   - Name: Kerberos Client Auth
+   - Object Identifier: 1.3.6.1.5.2.3.4
+1. On the **Extensions** tab, select **Issuance Policies > Edit**
+1. Under **Issuance Policies**, select **High Assurance**
+1. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box
 
-Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
+Then on the devices that are running Credential Guard, enroll the devices using the certificate you created.
 
 **Enroll devices in a certificate**
 
@@ -123,12 +123,13 @@ So we now have completed the following:
 
 - Created a special certificate issuance policy to identify devices that meet the deployment criteria required for the user to be able to sign on
 - Mapped that policy to a universal security group or claim
-- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies.
+- Provided a way for domain controllers to get the device authorization data during user sign-on using Kerberos armoring. Now what is left to do is to configure the access check on the domain controllers. This is done using authentication policies
 
 Authentication policies have the following requirements:
-- User accounts are in a Windows Server 2012 domain functional level or higher domain.
 
-**Creating an authentication policy restricting users to the specific universal security group**
+- User accounts are in a Windows Server 2012 domain functional level or higher domain
+
+#### Create an authentication policy restricting users to the specific universal security group
 
 1. Open Active Directory Administrative Center
 1. Select **Authentication > New > Authentication Policy**
@@ -154,7 +155,7 @@ To learn more about authentication policy events, see [Authentication Policies a
 
 ## Appendix: Scripts
 
-Here is a list of scripts mentioned in this topic.
+Here's a list of scripts mentioned in this article.
 
 ### <a href="" id="bkmk-getscript"></a>Get the available issuance policies on the certificate authority
 
@@ -195,7 +196,7 @@ displayName = displayName : {0}
 Name = Name : {0}
 dn = distinguishedName : {0}
         InfoName = Linked Group Name: {0}
-        InfoDN = Linked Group DN: {0}   
+        InfoDN = Linked Group DN: {0}
 NonLinkedIPs = The following Issuance Policies are NOT linked to groups:
 '@
 }
@@ -221,7 +222,7 @@ $getIP_strings.help8
     ""
     $getIP_strings.help10
 ""
-""    
+""
 $getIP_strings.help11
     "     " + '$' + "myIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:All"
     "     " + '$' + "myLinkedIPs = .\get-IssuancePolicy.ps1 -LinkedToGroup:yes"
@@ -272,7 +273,7 @@ write-host $errormsg -ForegroundColor Red
 if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) {
     $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(msDS-OIDToGroupLink=*)(flags=2))"
     $LinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
-    write-host ""    
+    write-host ""
     write-host "*****************************************************"
     write-host $getIP_strings.LinkedIPs
     write-host "*****************************************************"
@@ -317,11 +318,11 @@ write-host "There are no issuance policies that are mapped to a group"
         return $LinkedOIDs
         break
     }
-}    
-if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {  
+}
+if (($LinkedToGroup -eq "no") -or ($LinkedToGroup -eq "all")) {
     $LDAPFilter = "(&(objectClass=msPKI-Enterprise-Oid)(!(msDS-OIDToGroupLink=*))(flags=2))"
     $NonLinkedOIDs = get-adobject -searchBase $configNCDN -LDAPFilter $LDAPFilter -properties *
-    write-host ""    
+    write-host ""
     write-host "*********************************************************"
     write-host $getIP_strings.NonLinkedIPs
     write-host "*********************************************************"
@@ -385,7 +386,7 @@ confirmOUcreation = Warning: The Organizational Unit that you specified does not
 OUCreationSuccess = Organizational Unit "{0}" successfully created.
 OUcreationError = Error: Organizational Unit "{0}" could not be created.
 OUFoundSuccess = Organizational Unit "{0}" was successfully found.
-multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".  
+multipleGroups = Error: More than one group with name "{0}" was found in Organizational Unit "{1}".
 confirmGroupCreation = Warning: The group that you specified does not exist. Do you want to create it?
 groupCreationSuccess = Univeral Security group "{0}" successfully created.
 groupCreationError = Error: Univeral Security group "{0}" could not be created.
@@ -445,12 +446,12 @@ break
 $searchBase = [String]$root.configurationnamingcontext
 $OID = get-adobject -searchBase $searchBase -Filter { ((displayname -eq $IssuancePolicyName) -or (name -eq $IssuancePolicyName)) -and (objectClass -eq "msPKI-Enterprise-Oid")} -properties *
 if ($OID -eq $null) {
-$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase  
+$tmp = $ErrorMsg.NoIP -f $IssuancePolicyName, $searchBase
 write-host $tmp -ForeGroundColor Red
 break;
 }
 elseif ($OID.GetType().IsArray) {
-$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase  
+$tmp = $ErrorMsg.MultipleIPs -f $IssuancePolicyName, $searchBase
 write-host $tmp -ForeGroundColor Red
 break;
 }
diff --git a/windows/security/identity-protection/credential-guard/configure.md b/windows/security/identity-protection/credential-guard/configure.md
index d0140e1fe3..d108d589ab 100644
--- a/windows/security/identity-protection/credential-guard/configure.md
+++ b/windows/security/identity-protection/credential-guard/configure.md
@@ -1,7 +1,7 @@
 ---
-title: Configure Credential Guard 
+ms.date: 06/20/2024
+title: Configure Credential Guard
 description: Learn how to configure Credential Guard using MDM, Group Policy, or the registry.
-ms.date: 08/31/2023
 ms.topic: how-to
 ---
 
@@ -122,7 +122,7 @@ You can use PowerShell to determine whether Credential Guard is running on a dev
 (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning
 ```
 
-The command generates the following output:  
+The command generates the following output:
 
 - **0**: Credential Guard is disabled (not running)
 - **1**: Credential Guard is enabled (running)
diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 4bfa13a25a..249d3db3fb 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -1,28 +1,28 @@
 ---
-ms.date: 08/31/2023
+ms.date: 06/20/2024
 title: Considerations and known issues when using Credential Guard
-description: Considerations, recommendations and known issues when using Credential Guard.
+description: Considerations, recommendations, and known issues when using Credential Guard.
 ms.topic: troubleshooting
 ---
 
 # Considerations and known issues when using Credential Guard
 
-It's recommended that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys or smart cards.
+Microsoft recommends that in addition to deploying Credential Guard, organizations move away from passwords to other authentication methods, such as Windows Hello for Business, FIDO 2 security keys, or smart cards.
 
 ## Upgrade considerations
 
 > [!IMPORTANT]
 > Windows Server 2025 is in preview. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
-As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard may impact previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
+As Credential Guard evolves and enhances its security features, newer versions of Windows running Credential Guard might affect previously functional scenarios. For instance, Credential Guard could restrict the use of certain credentials or components to thwart malware exploiting vulnerabilities.
 
-It’s advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
+It's advisable to thoroughly test operational scenarios within an organization before updating devices that utilize Credential Guard.
 
-Upgrades to Windows 11, 22H2 and Windows Server 2025 (preview) will have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
+Upgrades to Windows 11, version 22H2, and Windows Server 2025 (preview) have Credential Guard [enabled by default](index.md#default-enablement) unless explicitly disabled.
 
 ## Wi-fi and VPN considerations
 
-When Credential Guard is enabled, you can no longer use NTLM classic authentication (NTLMv1) for single sign-on. You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
+When Credential Guard is enabled, you can no longer use NTLM classic authentication (NTLMv1) for single-sign-on (SSO). You'll be forced to enter your credentials to use these protocols and can't save the credentials for future use.
 
 If you're using WiFi and VPN endpoints that are based on MS-CHAPv2, they're subject to similar attacks as for NTLMv1.
 
@@ -32,9 +32,9 @@ For WiFi and VPN connections, it's recommended to move from MSCHAPv2-based conne
 
 When Credential Guard is enabled, certain types of identity delegation are unusable, as their underlying authentication schemes are incompatible with Credential Guard or require supplied credentials.
 
-When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or sign-on (SSO) credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine and will not work with SSO once Credential Guard is enabled and blocks cleartext credential disclosure. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, is not recommended due to the risk of credential theft. 
+When Credential Guard is enabled, [Credential Security Support Provider ("CredSSP")](/windows/win32/secauthn/credential-security-support-provider) is no longer able to use saved or SSO credentials, though cleartext credentials can still be supplied. CredSSP-based Delegation requires cleartext credentials to be supplied on the destination machine, and doesn't work with SSO once Credential Guard is enabled and blocks cleartext credential disclosure. Usage of [CredSSP for delegation](/windows/win32/secauthn/credential-security-support-provider), and in general, isn't recommended due to the risk of credential theft.
 
-Kerberos Unconstrained delegation, as well as DES, are blocked by Credential Guard. [Unconstrained delegation](/defender-for-identity/security-assessment-unconstrained-kerberos#what-risk-does-unsecure-kerberos-delegation-pose-to-an-organization) is not a recommended practice.
+Kerberos Unconstrained delegation and DES are blocked by Credential Guard. [Unconstrained delegation](/defender-for-identity/security-assessment-unconstrained-kerberos#what-risk-does-unsecure-kerberos-delegation-pose-to-an-organization) isn't a recommended practice.
 
 Instead [Kerberos](/windows-server/security/kerberos/kerberos-authentication-overview) or [Negotiate SSP](/windows/win32/secauthn/microsoft-negotiate) are recommended for authentication generally, and for delegation, [Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) and [Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview#resource-based-constrained-delegation-across-domains) are recommended. These methods provide greater credential security overall, and are also compatible with Credential Guard.
 
@@ -97,7 +97,7 @@ On domain-joined devices, DPAPI can recover user keys using a domain controller
 >[!IMPORTANT]
 > Best practice when clearing a TPM on a domain-joined device is to be on a network with connectivity to domain controllers. This ensures DPAPI functions and the user does not experience strange behavior.
 
-Auto VPN configuration is protected with user DPAPI. User may not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
+Auto VPN configuration is protected with user DPAPI. User might not be able to use VPN to connect to domain controllers since the VPN configurations are lost.
 If you must clear the TPM on a domain-joined device without connectivity to domain controllers, then you should consider the following.
 
 Domain user sign-in on a domain-joined device after clearing a TPM for as long as there's no connectivity to a domain controller:
@@ -126,48 +126,35 @@ This article describes known issues when Credential Guard is enabled.
 > [!IMPORTANT]
 > Windows Server 2025 is in previeww. This information relates to a prerelease product that may be substantially modified before it's released. Microsoft makes no warranties, expressed or implied, with respect to the information provided here.
 
-Devices which use CredSSP-based Delegation may no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services which rely on live migration (such as [SCVMM](/system-center/vmm/overview)) may also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
+Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
 
-#### Affected devices
-Any server with Credential Guard enabled may encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that are not Domain Controllers. Default enablement of Credential Guard can be [pre-emptively blocked](configure.md#default-enablement) before upgrade.
-
-#### Cause of the issue
-Live Migration with Hyper-V, and applications and services which rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials.
-
-If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration will fail. In most cases, Credential Guard's enablement state on the destination machine will not impact Live Migration. Live Migration will also fail in cluster scenarios (e.g., SCVMM), since any device may at one point act as a source machine.
-
-#### How to fix the issue
-Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.
+|||
+|-|-|
+|**Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't Domain Controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
+|**Cause of the issue**|Live Migration with Hyper-V, and applications and services that rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials. <br><br>If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration fails. In most cases, Credential Guard's enablement state on the destination machine won't impact Live Migration. Live Migration also fails in cluster scenarios (for example, SCVMM), since any device might act as a source machine.|
+|**Resolution**|Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.|
 
 ### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
 
-Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually re-authenticate in every new Windows session when Credential Guard is running.
+Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually reauthenticate in every new Windows session when Credential Guard is running.
 
-#### Affected devices
-
-Any device with Credential Guard enabled may encounter the issue. Starting in Windows 11, version 22H2 and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, as well as some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).
-
-All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), will receive default enablement.
+|||
+|-|-|
+|**Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).<br><br>All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
+|**Cause of the issue**|Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:<br><br>- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)<br>- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)<br>- MS-CHAP (only SSO is blocked)<br>- WDigest (only SSO is blocked)<br>- NTLM v1 (only SSO is blocked) <br><br>**Note**: Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.|
+|**Resolution**|Microsoft recommends moving away from MSCHAPv2-based connections (for example, PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (for example, PEAP-TLS or EAP-TLS). Credential Guard doesn't block certificate-based authentication.<br><br>For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.|
 
 > [!TIP]
+> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
+>
+> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
+
+> [!NOTE]
 > To determine if a Windows Pro device receives default enablement when upgraded to **Windows 11, version 22H2** or **Windows Server 2025 (preview)**, check if the registry key `IsolatedCredentialsRootSecret` is present in `Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0`.
 > If it's present, the device enables Credential Guard after the update.
 >
 > Credential Guard can be disabled after upgrade by following the [disablement instructions](configure.md#disable-credential-guard).
 
-#### Cause of the issue
-
-Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:
-
-- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)
-- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)
-- MS-CHAP (only SSO is blocked)
-- WDigest (only SSO is blocked)
-- NTLM v1 (only SSO is blocked)
-
-> [!NOTE]
-> Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.
-
 #### How to confirm the issue
 
 MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, version 22H2 update. To confirm if Credential Guard is blocking MS-CHAP or NTLMv1, open the Event Viewer (`eventvwr.exe`) and go to `Application and Services Logs\Microsoft\Windows\NTLM\Operational`. Check the following logs:
@@ -215,22 +202,11 @@ MS-CHAP and NTLMv1 are relevant to the SSO breakage after the Windows 11, versio
   :::column-end:::
 :::row-end:::
 
-#### How to fix the issue
-
-We recommend moving away from MSCHAPv2-based connections, such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication, like PEAP-TLS or EAP-TLS. Credential Guard doesn't block certificate-based authentication.
-
-For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.
-
-> [!TIP]
-> To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.
->
-> If Credential Guard is explicitly disabled, the device won't automatically enable Credential Guard after the update.
-
 ### Issues with non-Microsoft applications
 
 The following issue affects MSCHAPv2:
 
-- [Credential guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
+- [Credential Guard doesn't work with MSCHAPv2 configurations, of which Cisco ISE is a common enterprise implementation](https://quickview.cloudapps.cisco.com/quickview/bug/CSCul55352).
 
 The following issue affects the Java GSS API. See the following Oracle bug database article:
 
diff --git a/windows/security/identity-protection/credential-guard/how-it-works.md b/windows/security/identity-protection/credential-guard/how-it-works.md
index d3af49e5aa..46df6ede24 100644
--- a/windows/security/identity-protection/credential-guard/how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/how-it-works.md
@@ -1,5 +1,5 @@
 ---
-ms.date: 08/31/2023
+ms.date: 06/20/2024
 title: How Credential Guard works
 description: Learn how Credential Guard uses virtualization to protect secrets, so that only privileged system software can access them.
 ms.topic: concept-article
diff --git a/windows/security/identity-protection/credential-guard/index.md b/windows/security/identity-protection/credential-guard/index.md
index 52d594aa72..9024cd7fab 100644
--- a/windows/security/identity-protection/credential-guard/index.md
+++ b/windows/security/identity-protection/credential-guard/index.md
@@ -1,7 +1,7 @@
 ---
+ms.date: 06/20/2024
 title: Credential Guard overview
 description: Learn about Credential Guard and how it isolates secrets so that only privileged system software can access them.
-ms.date: 08/31/2023
 ms.topic: overview
 ---
 
@@ -14,7 +14,7 @@ Credential Guard uses [Virtualization-based security (VBS)](/windows-hardware/de
 When enabled, Credential Guard provides the following benefits:
 
 - **Hardware security**: NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials
-- **Virtualization-based security**: NTLM, Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system
+- **Virtualization-based security**: NTLM, Kerberos derived credentials, and other secrets run in a protected environment that is isolated from the running operating system
 - **Protection against advanced persistent threats**: when credentials are protected using VBS, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges can't extract secrets that are protected by VBS
 
 > [!NOTE]
@@ -36,11 +36,11 @@ When Credential Guard is enabled, [VBS](#system-requirements) is automatically e
 
 ### Default enablement on Windows
 
-Devices running Windows 11, 22H2 or later will have Credential Guard enabled by default if they:
+Devices running Windows 11, 22H2 or later have Credential Guard enabled by default if they:
 
 - Meet the [license requirements](#windows-edition-and-licensing-requirements)
-- Meet the [hardware and sofware requirements](#system-requirements)
-- Have not been [explicitly configured to disable Credential Guard](configure.md#default-enablement)
+- Meet the [hardware and software requirements](#system-requirements)
+- Aren't [explicitly configured to disable Credential Guard](configure.md#default-enablement)
 
 > [!NOTE]
 > Devices running Windows 11 Pro/Pro Edu 22H2 or later may have Virtualization-based Security (VBS) and/or Credential Guard automatically enabled if they meet the other requirements for default enablement, and have previously run Credential Guard. For example if Credential Guard was enabled on an Enterprise device that later downgraded to Pro.
@@ -49,10 +49,13 @@ Devices running Windows 11, 22H2 or later will have Credential Guard enabled by
 
 ### Default enablement on Windows Server
 
-Devices running Windows Server 2025 (preview) or later will have Credential Guard enabled by default if they meet the above requirements for Windows and additionally:
+Devices running Windows Server 2025 (preview) or later have Credential Guard enabled by default if they:
 
+- Meet the [license requirements](#windows-edition-and-licensing-requirements)
+- Meet the [hardware and software requirements](#system-requirements)
+- Aren't [explicitly configured to disable Credential Guard](configure.md#default-enablement)
 - Are joined to a domain
-- Are not a Domain Controller
+- Aren't a Domain Controller
 
 > [!IMPORTANT]
 > For information about known issues related to default enablement, see [Credential Guard: known issues](considerations-known-issues.md#known-issues).
@@ -97,7 +100,7 @@ The requirements to run Credential Guard in Hyper-V virtual machines are:
 
 When Credential Guard is enabled, certain authentication capabilities are blocked. Applications that require such capabilities break. We refer to these requirements as *application requirements*.
 
-Applications should be tested prior to deployment to ensure compatibility with the reduced functionality.
+Applications should be tested before deployment to ensure compatibility with the reduced functionality.
 
 > [!WARNING]
 > Enabling Credential Guard on domain controllers isn't recommended.
@@ -110,17 +113,17 @@ Applications break if they require:
 
 - Kerberos DES encryption support
 - Kerberos unconstrained delegation
-- Extracting the Kerberos TGT
+- Kerberos TGT extraction
 - NTLMv1
 
-Applications prompt and expose credentials to risk if they require:
+Applications ask and expose credentials to risk if they require:
 
 - Digest authentication
 - Credential delegation
 - MS-CHAPv2
 - CredSSP
 
-Applications may cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`.
+Applications might cause performance issues when they attempt to hook the isolated Credential Guard process `LSAIso.exe`.
 
 Services or protocols that rely on Kerberos, such as file shares or remote desktop, continue to work and aren't affected by Credential Guard.
 

From 6da8ff38c49c5eb0a606033783f9abe0dc23ea22 Mon Sep 17 00:00:00 2001
From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com>
Date: Thu, 20 Jun 2024 12:54:46 -0400
Subject: [PATCH 32/32] data matrix tables

---
 .../considerations-known-issues.md               | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/windows/security/identity-protection/credential-guard/considerations-known-issues.md b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
index 249d3db3fb..8faf5d3977 100644
--- a/windows/security/identity-protection/credential-guard/considerations-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/considerations-known-issues.md
@@ -128,21 +128,21 @@ This article describes known issues when Credential Guard is enabled.
 
 Devices that use CredSSP-based Delegation might no longer be able to use [Live Migration with Hyper-V](/windows-server/virtualization/hyper-v/manage/live-migration-overview) after upgrading to Windows Server 2025 (preview). Applications and services that rely on live migration (such as [SCVMM](/system-center/vmm/overview)) might also be affected. CredSSP-based delegation is the default for Windows Server 2022 and earlier for live migration.
 
-|||
+||Description|
 |-|-|
-|**Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't Domain Controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
-|**Cause of the issue**|Live Migration with Hyper-V, and applications and services that rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials. <br><br>If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration fails. In most cases, Credential Guard's enablement state on the destination machine won't impact Live Migration. Live Migration also fails in cluster scenarios (for example, SCVMM), since any device might act as a source machine.|
-|**Resolution**|Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.|
+|    **Affected devices**|Any server with Credential Guard enabled might encounter this issue. Starting in Windows Server 2025 (preview), [Credential Guard is enabled by default](index.md#default-enablement-on-windows-server) on all domain-joined servers that aren't Domain Controllers. Default enablement of Credential Guard can be [preemptively blocked](configure.md#default-enablement) before upgrade.|
+|    **Cause of the issue**|Live Migration with Hyper-V, and applications and services that rely on it, are affected by the issue if one or both ends of a given connection try to use CredSSP with Credential Guard enabled. With Credential Guard enabled, CredSSP can only utilize supplied credentials, not saved or SSO credentials. <br><br>If the source machine of a Live Migration uses CredSSP for delegation with Credential Guard enabled, the Live Migration fails. In most cases, Credential Guard's enablement state on the destination machine won't impact Live Migration. Live Migration also fails in cluster scenarios (for example, SCVMM), since any device might act as a source machine.|
+|    **Resolution**|Instead of CredSSP Delegation, [Kerberos Constrained Delegation and Resource-Based Kerberos Constrained Delegation](/windows-server/security/kerberos/kerberos-constrained-delegation-overview) are recommended. These forms of delegation provide greater credential protections, in addition to being compatible with Credential Guard. Administrators of Hyper-V can [configure these types of delegation](/windows-server/virtualization/hyper-v/deploy/set-up-hosts-for-live-migration-without-failover-clustering#BKMK_Step1) manually or with the help of automated scripts.|
 
 ### Single sign-on for Network services breaks after upgrading to Windows 11, version 22H2 or Windows Server 2025 (preview)
 
 Devices that use 802.1x wireless or wired network, RDP, or VPN connections that rely on insecure protocols with password-based authentication are unable to use SSO to sign in and are forced to manually reauthenticate in every new Windows session when Credential Guard is running.
 
-|||
+||Description|
 |-|-|
-|**Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).<br><br>All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
-|**Cause of the issue**|Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:<br><br>- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)<br>- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)<br>- MS-CHAP (only SSO is blocked)<br>- WDigest (only SSO is blocked)<br>- NTLM v1 (only SSO is blocked) <br><br>**Note**: Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.|
-|**Resolution**|Microsoft recommends moving away from MSCHAPv2-based connections (for example, PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (for example, PEAP-TLS or EAP-TLS). Credential Guard doesn't block certificate-based authentication.<br><br>For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.|
+|    **Affected devices**|Any device with Credential Guard enabled might encounter the issue. Starting in Windows 11, version 22H2, and Windows Server 2025 (preview), eligible devices that didn't disable Credential Guard, have it [enabled by default](index.md#default-enablement). This affects all devices on Enterprise (E3 and E5) and Education licenses, and some Pro licenses, as long as they meet the [minimum hardware requirements](index.md#hardware-and-software-requirements).<br><br>All Windows Pro devices that previously ran Credential Guard on an eligible license and later downgraded to Pro, and which still meet the [minimum hardware requirements](index.md#hardware-and-software-requirements), receive default enablement.|
+|    **Cause of the issue**|Applications and services are affected by the issue when they rely on insecure protocols that use password-based authentication. Such protocols are considered insecure because they can lead to password disclosure on the client or the server, and Credential Guard blocks them. Affected protocols include:<br><br>- Kerberos unconstrained delegation (both SSO and supplied credentials are blocked)<br>- Kerberos when PKINIT uses RSA encryption instead of Diffie-Hellman (both SSO and supplied credentials are blocked)<br>- MS-CHAP (only SSO is blocked)<br>- WDigest (only SSO is blocked)<br>- NTLM v1 (only SSO is blocked) <br><br>**Note**: Since only SSO is blocked for MS-CHAP, WDigest, and NTLM v1, these protocols can still be used by prompting the user to supply credentials.|
+|    **Resolution**|Microsoft recommends moving away from MSCHAPv2-based connections (for example, PEAP-MSCHAPv2 and EAP-MSCHAPv2), to certificate-based authentication (for example, PEAP-TLS or EAP-TLS). Credential Guard doesn't block certificate-based authentication.<br><br>For a more immediate, but less secure fix, [disable Credential Guard](configure.md#disable-credential-guard). Credential Guard doesn't have per-protocol or per-application policies, and it can either be turned on or off. If you disable Credential Guard, you leave stored domain credentials vulnerable to theft.|
 
 > [!TIP]
 > To prevent default enablement, configure your devices [to disable Credential Guard](configure.md#disable-credential-guard) before updating to a version which [received default enablement](index.md#default-enablement). If the setting is not configured (which is the default state) and if the device is eligible, the device automatically enable Credential Guard after the update.