Default hardening in Windows 11, version 22H2 | Microsoft Technical Takeoff

Event details

Explore the ins and outs of two security features enabled by default in Windows 11, version 22H2: Windows Defender Credential Guard and LSA protection. Explore the criteria for enablement, security b...

Heather_Poulsen

Updated Dec 27, 2024

Technical Takeoff

KarelPelckWortell

Copper Contributor

Oct 24, 2022

Will these security features be activated when doing an in-place upgrade, or only when clean installing this version?

Matthew_Palko
Microsoft
Oct 24, 2022
Hi Karel, Credential Guard will be enabled when doing an in place upgrade to Windows 11, 22H2. LSA Protection will only be activated on a clean install of Windows 11, 22H2.
- Deleted
  Oct 24, 2022
  Hi Matthew you are speaking about an in-place upgrade, so this means every device coming from Windows 11 21H2 to 22H2 with a the more feasible enablement package, won't gain the same protection in terms of Credential Guard? If so, this would make sense to rollout all devices again - what a pain for early adopters, because the new App control feature also does not create a baseline, even not on in-place upgrades.
- Deleted
  Oct 24, 2022
  Hi Matthew you are speaking about an in-place upgrade, so this means every device coming from Windows 11 21H2 to 22H2 with a the more feasible enablement package, won't gain the same protection in terms of Credential Guard? If so, this would make sense to rollout all devices again - what a pain for early adopters, because the new App control feature also does not create a baseline, even not on in-place upgrades.
  - jirenugo
    Microsoft
    Oct 24, 2022
    Default enablement will not override a previously applied policy setting. If Credential Guard or LSA Protection was enabled before it will continue to be enabled after the upgrade. It also applies to whether or not it was enabled with UEFI lock. Thanks for the question!