What's new in Credential Protection

Credential Guard for signed-in user

Beginning with Windows 10, version 1507, Kerberos and NTLM use virtualization-based security to protect the Kerberos and NTLM secrets of the signed-in user's logon session.

Beginning with Windows 10, version 1511, Credential Manager uses virtualization-based security to protect saved credentials of the domain credential type. Signed-in credentials and saved domain credentials will not be passed to a remote host over Remote Desktop. Credential Guard can be enabled without UEFI lock.

Beginning with Windows 10, version 1607, Isolated User Mode is included with Hyper-V, so it no longer needs to be installed separately for a Credential Guard deployment.

Learn more about Credential Guard.
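As an added example (not part of the original page), the following PowerShell reports whether Credential Guard is configured and running on a Windows 10 or Windows Server 2016 host and whether it was enabled with or without UEFI lock; it relies on the Win32_DeviceGuard WMI class and the LsaCfgFlags registry value, and assumes an elevated session.

```powershell
# Added example: audit Credential Guard state on the local host (run elevated).

# Win32_DeviceGuard exposes the virtualization-based security (VBS) state.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

# In SecurityServicesConfigured / SecurityServicesRunning, value 1 = Credential Guard
# (2 would be HVCI, which is a separate feature).
$cgConfigured = $dg.SecurityServicesConfigured -contains 1
$cgRunning    = $dg.SecurityServicesRunning    -contains 1

# LsaCfgFlags records how Credential Guard was enabled:
#   1 = enabled with UEFI lock, 2 = enabled without UEFI lock, 0 or absent = disabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name LsaCfgFlags -ErrorAction SilentlyContinue
$lockMode = switch ($lsa.LsaCfgFlags) {
    1       { 'enabled with UEFI lock' }
    2       { 'enabled without UEFI lock' }
    default { 'not configured via LsaCfgFlags' }
}

[pscustomobject]@{
    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    VbsStatus              = $dg.VirtualizationBasedSecurityStatus
    CredentialGuardConfig  = $cgConfigured
    CredentialGuardRunning = $cgRunning
    LsaCfgFlags            = $lockMode
}

# A host that reports CredentialGuardConfig = True but CredentialGuardRunning = False
# usually still needs a reboot, or is missing a VBS prerequisite (UEFI, Secure Boot, Hyper-V).
```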

Remote Credential Guard for signed-in user

Beginning with Windows 10, version 1607, Remote Credential Guard protects the signed-in user's credentials when using Remote Desktop by keeping the Kerberos and NTLM secrets on the client device. For the remote host to access network resources as the user, authentication requests require the client device to use the secrets.

Beginning with Windows 10, version 1703, Remote Credential Guard also protects supplied user credentials when using Remote Desktop.

Learn more about Remote Credential Guard.

Domain protections

Domain protections require an Active Directory domain.

Domain-joined device support for authentication using public key

Beginning with Windows 10, version 1507 and Windows Server 2016, if a domain-joined device is able to register its bound public key with a Windows Server 2016 domain controller (DC), then the device can authenticate with that public key using Kerberos PKINIT authentication to a Windows Server 2016 DC.

Beginning with Windows Server 2016, KDCs support authentication using Kerberos key trust.

Learn more about public key support for domain-joined devices and Kerberos key trust.

PKINIT Freshness extension support

Beginning with Windows 10, version 1507 and Windows Server 2016, Kerberos clients will attempt the PKInit freshness extension for public key based sign-ons.

Beginning with Windows Server 2016, KDCs can support the PKInit freshness extension. By default, KDCs will not offer the PKInit freshness extension.

Learn more about PKINIT freshness extension support.

Rolling public key only user's NTLM secrets

Beginning with the Windows Server 2016 domain functional level (DFL), DCs can support rolling the NTLM secrets of a public key only user. This feature is unavailable in lower DFLs.

Adding a domain controller to a domain that has rolling of NTLM secrets enabled, before that DC has been updated with at least the November 8, 2016 servicing update, runs the risk of the DC crashing.

Configuration: For new domains, this feature is enabled by default. For existing domains, it must be configured in the Active Directory Administrative Center:

  1. From the Active Directory Administrative Center, right-click the domain in the left pane and select Properties.

  2. Select Enable rolling of expiring NTLM secrets during sign on, for users who are required to use Microsoft Passport or smart card for interactive logon.

  3. Click OK.
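As an added example (not part of the original page), the following PowerShell checks the two prerequisites named above before touching the setting: that the domain is at the Windows Server 2016 DFL or higher, and which operating system each DC runs so the November 8, 2016 servicing caveat can be verified per DC. It assumes the ActiveDirectory module and domain admin rights, and that the ADAC checkbox is backed by the domain-object attribute msDS-ExpirePasswordsOnSmartCardOnlyAccounts (an Active Directory schema attribute, not stated on this page).

```powershell
# Added example: verify prerequisites and read/enable the "rolling NTLM secrets" switch.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$dn     = $domain.DistinguishedName

# The feature requires the Windows Server 2016 domain functional level or higher.
$minMode = [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2016Domain
$dflOk   = [int]$domain.DomainMode -ge [int]$minMode
Write-Host "Domain $($domain.DNSRoot) is at DFL $($domain.DomainMode); 2016 DFL met: $dflOk"

# Every DC must carry at least the November 8, 2016 servicing before the feature is
# enabled; list each DC's OS so it can be checked against that update.
Get-ADDomainController -Filter * |
    Select-Object HostName, OperatingSystem, OperatingSystemVersion |
    Format-Table -AutoSize

# Assumption: the ADAC checkbox "Enable rolling of expiring NTLM secrets during sign on"
# sets this attribute on the domain object.
$attr    = 'msDS-ExpirePasswordsOnSmartCardOnlyAccounts'
$obj     = Get-ADObject -Identity $dn -Properties $attr
$enabled = [bool]$obj.$attr
Write-Host "Rolling of expiring NTLM secrets currently enabled: $enabled"

if ($dflOk -and -not $enabled) {
    # Equivalent to ticking the checkbox in ADAC. -WhatIf only previews the change;
    # remove it once every DC has been confirmed to have the required servicing.
    Set-ADObject -Identity $dn -Replace @{ $attr = $true } -WhatIf
}
elseif (-not $dflOk) {
    Write-Warning 'Raise the domain functional level to Windows Server 2016 before enabling this feature.'
}
```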

Allowing network NTLM when user is restricted to specific domain-joined devices

Beginning with the Windows Server 2016 domain functional level (DFL), DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices. This feature is unavailable in lower DFLs.

Configuration: On the authentication policy, click Allow NTLM network authentication when the user is restricted to selected devices.

Learn more about authentication policies.