Forum Discussion
Secure Score "this account is sensitive and cannot be delegated"
LiorShapira Yes, I can confirm that the list of exposed entities now has only 2 devices left. One of them has a DHCP role and the other device object is AzureADKerberos (https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust?tabs=intune#microsoft-entra-kerberos-and-cloud-kerberos-trust-authentication). What is your recommendation for the AzureADKerberos object? It's basically a Read-Only Domain Controller and I would rather not break our Windows Hello authentication.
starman2heven We implemented an exclusion today for ADFS servers, Exchange servers, Certificate servers and the AzureADKerberos object. Can you please check the recommendation again? Thanks!
- Sblackery, Nov 19, 2024, Copper Contributor
In our environment we don't have ADFS or Exchange, only 2 DCs, one of which is also a CA (I know it's not recommended, but it's working fine).
Last week, we went from completed status with the DCs still showing as exposed, to a completed status with nothing showing as exposed, but as of this morning it's back to not completed ('to address') and the DCs are showing as exposed again.
- AndersStegelius, Nov 19, 2024, Copper Contributor
We still see Exchange servers, CA-servers and AzureADKerberos objects under Exposed entities. The domain controllers disappeared for a while but now they are back.