Red Team Tactics and Techniques

CH19 Secrets & Safeguards: How Windows Protects Credentials

August 6th, 2026

2:00pm - 3:15pm

Level: Intermediate Advanced

Dashmeet Kaur Ajmani

Security Software Engineer

Microsoft

Windows authentication has evolved from “NTLM vs. Kerberos” into a system where credentials and tickets are isolated by Virtualization-Based Security (VBS) and mediated by LSASS and Credential Guard. That shift brings real security gains and real operational surprises.

This talk opens with a brief overview of the Windows authentication architecture - the interplay of protocols like Kerberos (including PKINIT for smart card logon), NTLM, and Netlogon - and how Credential Guard (using Virtualization-Based Security) protects credentials. It then goes deep into where secrets live today (NTLM hashes, Kerberos TGTs, machine passwords), walks the audience through the machine account secrets flow (Netlogon secure channel + Kerberos paths), shows how Credential Guard isolates them, and covers where limitations and modern bypass research sit. The talk also provides runbooks for reading the right event channels, testing rotations safely, and hardening without bricking production.

Most conference talks focus on exploitation; this one bridges internals and operations so defenders and identity engineers can deploy modern safeguards confidently and fix issues fast when reality bites.

You will learn:

  • Secret locations today: What LSASS holds vs. what moves into CredGuard/VBS; which artifacts are still exposed, and which are isolated.
  • Password rotation internals: Exact flows for machine password rotation and user password changes, how Kerberos and Netlogon interplay, and what telemetry proves success/failure.
  • Security benefits vs. breakages: Which attacks Credential Guard thwarts.