Credential Guard provides complete protection of both NTLMv1 legacy cryptography and many other attack surfaces, and thus Microsoft strongly recommends its deployment and enablement if Credential Guard’s requirements are met.

Credential Guard helps to protect those tokens by putting them in a protected, virtualized, environment where only certain services can access them when necessary.

The feature Machine Accounts in Credential Gurad, which is dependent on password rotation via Kerberos, has also been disabled, until a permanent fix is made available.

This article describes the protection against the publicly disclosed Secure Boot security feature bypass that uses the BlackLotus UEFI bootkit tracked by CVE-2023-24932, how to enable the mitigations, and guidance on bootable media.

This occurs when you turn on the Remote Credential Guard feature and the client is Windows 11, version 22H2 or higher. This update addresses an issue that affects DNS servers.

A Hyper-V user with BitLocker enabled may encounter a restart failure if the Device Guard or Credential Guard feature has not been disabled or has not been uninstalled cleanly.

Credential Manager lets you view and delete your saved credentials for signing in to websites, connected applications, and networks. To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager Control panel.

If you must enable TGT delegation on a trust, it's recommended that you mitigate that risk by enabling Windows Defender Credential Guard on client computers. This prevents all unconstrained delegation from a computer that has Windows Defender Credential Guard enabled and running.

This occurs when you turn on the Remote Credential Guard feature and the client is Windows 11, version 22H2 or higher. This update makes Country and Operator Settings Asset (COSA) profiles up to date for some mobile operators.

Servicing Windows 10 computers that have the October 2017 security updates will remove the existing TPM credential key. Windows will only provision Credential Guard-protected keys to ensure Pass-the-Ticket protection for domain-joined device keys.