Enabled by default on compatible hardware, Credential Guard isolates secrets (like Kerberos Ticket Granting Tickets) inside a virtualized container. Even if malware gains admin rights on the Windows 11 machine, it cannot extract the credentials needed to move laterally across the Active Directory domain.
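Because the default only applies on compatible hardware, it is worth confirming that Credential Guard is actually running on a given machine. The following is an added example, not part of the original page; it reads the Win32_DeviceGuard CIM class, and the function name `Get-CredentialGuardState` and its output field names are chosen here for illustration.

```powershell
# Added example: report whether Credential Guard is configured and running locally.
# Win32_DeviceGuard encodes Credential Guard as the value 1 in its
# SecurityServicesConfigured and SecurityServicesRunning arrays.
function Get-CredentialGuardState {
    [CmdletBinding()]
    param()

    $vbsText = @{
        0 = 'VBS not enabled'
        1 = 'VBS enabled but not running'
        2 = 'VBS enabled and running'
    }

    try {
        $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                              -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    }
    catch {
        # The class is absent or the query failed: treat the state as unknown,
        # never as protected.
        return [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            VbsStatus    = 'Unknown (query failed)'
            Configured   = $false
            Running      = $false
            Finding      = "Cannot verify: $($_.Exception.Message)"
        }
    }

    $configured = $dg.SecurityServicesConfigured -contains 1
    $running    = $dg.SecurityServicesRunning -contains 1

    $finding = if ($running) { 'Credential Guard is running' }
               elseif ($configured) { 'Configured but NOT running' }
               else { 'Credential Guard is not configured' }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        VbsStatus    = $vbsText[[int]$dg.VirtualizationBasedSecurityStatus]
        Configured   = $configured
        Running      = $running
        Finding      = $finding
    }
}

Get-CredentialGuardState | Format-List
```

A machine that reports `Configured` as true but `Running` as false does not have its credentials isolated, so act on the `Running` field when auditing a fleet.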
Hybrid join can be configured automatically via or Microsoft Intune with co-management.