Credential Guard provides complete protection of both NTLMv1 legacy cryptography and many other attack surfaces, and thus Microsoft strongly recommends its deployment and enablement if Credential Guard’s requirements are met.

Credential Guard helps to protect those tokens by putting them in a protected, virtualized, environment where only certain services can access them when necessary.

The feature Machine Accounts in Credential Gurad, which is dependent on password rotation via Kerberos, has also been disabled, until a permanent fix is made available.

Servicing Windows 10 computers that have the October 2017 security updates will remove the existing TPM credential key. Windows will only provision Credential Guard-protected keys to ensure Pass-the-Ticket protection for domain-joined device keys.

This includes features such as Credential Guard, Device Guard, and Windows Hello. Verify the 2023 Secure Boot certificates and Boot Manager have been updated on your device.

This occurs when you turn on the Remote Credential Guard feature and the client is Windows 11, version 22H2 or higher. This update addresses an issue that affects DNS servers.

If you must enable TGT delegation on a trust, it's recommended that you mitigate that risk by enabling Windows Defender Credential Guard on client computers. This prevents all unconstrained delegation from a computer that has Windows Defender Credential Guard enabled and running.

This occurs when you turn on the Remote Credential Guard feature and the client is Windows 11, version 22H2 or higher. This update makes Country and Operator Settings Asset (COSA) profiles up to date for some mobile operators.

Credential Manager lets you view and delete your saved credentials for signing in to websites, connected applications, and networks. To open Credential Manager, type credential manager in the search box on the taskbar and select Credential Manager Control panel.

To prevent NTLM Relay Attacks on networks with NTLM enabled, domain administrators must ensure that services that permit NTLM authentication make use of protections such as Extended Protection for Authentication (EPA) or signing features such as SMB signing.