On SBS 2011 and 2008 certain preconfigured group policies provided by Microsoft no longer work.
Log into the server, and drill down into the event logs, and specifically the one for Group policy. Look for Event 5313 and it will list the Group policies no longer working.
The three in particular that no longer work are:
Update Services Client Computers Policy
Windows SBS User Policy
Windows SBS CSE Policy
To fix this log into the Group policy console and in the security filtering section add the Domain Computers.
Literally click on add and type in domain computers in the window and click ok.
Do the same for each group policy indicating that it failed to process.
This is a feature that I’m honestly excited about….but.. wish that it wasn’t gated behind Enterprise sku.
Credential guard is one of the cool features of 10 that is limited to Enterprise and Education skus.
The listing of what you need specifically to support this is here:
Windows 10 Enterprise Feature: Credential Guard
- Windows 10 Enterprise
- Active Directory (any forest or domain level)
- Physical device (i.e. virtual machines are not supported)
- UEFI firmware 2.3.1 or higher
- Secure firmware update process and MOR implementation
- Secure Boot
- Intel VT-x or AMD-V
- Intel VT-d or AMD-Vi I/O memory management unit
- Second Level Address Translation
- 64-bit CPU
- TPM 2.0
The main thing credential guard does is to protect domain credentials from pass the hash attacks and other attacks that steal the domain credentials inside the firm once an attacker has gained access to the network.
10 also allows you to inplace upgrade from Pro skus to Enterprise skus without having to reinstall the operating system.