Forum Discussion
Secure Score "this account is sensitive and cannot be delegated"
starman2heven Could you please check again? We've updated the recommendation title to "Ensure privileged accounts are not delegated". The deployment ended yesterday (except for the United States environment, which will take a couple of days). At the moment we have excluded DCs only; ADFS, Exchange servers and Certificate servers will be excluded by Nov 20.
LiorShapira Yes, I can confirm that the list of exposed entities now has only 2 devices left. One of them has a DHCP role and the other device object is AzureADKerberos (https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune#microsoft-entra-kerberos-and-cloud-kerberos-trust-authentication). What is your recommendation for the AzureADKerberos object? It's basically a Read-Only Domain Controller and I would rather not break our Windows Hello authentication.
- LiorShapira Nov 18, 2024 Microsoft
starman2heven Today we've implemented an exclusion for ADFS servers, Exchange servers, Certificate servers and the AzureADKerberos object. Can you please check the recommendation again? Thanks!
- Sblackery Nov 19, 2024 Copper Contributor
In our environment we don't have ADFS or Exchange, only 2 DCs one of which is also a CA (I know it's not recommended, but it's working fine)
Last week, we went from completed status with the DCs still showing as exposed, to a completed status with nothing showing as exposed, but as of this morning it's back to not completed ('to address') and the DCs are showing as exposed again.
- AndersStegelius Nov 19, 2024 Copper Contributor
We still see Exchange servers, CA servers and AzureADKerberos objects under Exposed entities. The domain controllers disappeared for a while, but now they are back.