{ "$schema": "http://json-schema.org/draft-07/schema#", "title": "Credential Protection Configuration", "description": "Configuration for credential hardening including WDigest protection", "version": "2.2.2", "WDigest_Protection": { "description": "Prevent WDigest from storing plaintext passwords in LSASS memory", "enabled": true, "deprecated_in": "Windows 11 24H2", "status": "Deprecated in Win11 24H2+ but kept for backwards compatibility and defense-in-depth", "registry_path": "HKLM:\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "settings": { "UseLogonCredential": { "description": "Controls whether WDigest keeps plaintext logon credentials in LSASS memory. It does not protect NTLM hashes or Kerberos tickets, and an account with administrative rights can change it, so monitor this value for unexpected modification", "value": 0, "type": "DWORD", "values": { "0": "Secure - Do NOT store plaintext credentials in memory", "1": "Insecure - Store plaintext credentials in memory (VULNERABLE!)" }, "attack_prevention": [ "Prevents Mimikatz from dumping WDigest plaintext passwords from LSASS memory", "Prevents Windows Credential Editor (WCE) from recovering plaintext passwords", "Prevents other memory-dumping credential-theft tools from recovering plaintext passwords" ], "impact": "None - Modern systems (Win 8.1+) already default to 0" } }, "default_behavior": { "Windows_7": 1, "Windows_8": 1, "Windows_8.1": 0, "Windows_10": 0, "Windows_11": 0, "Windows_11_24H2_plus": "Setting ignored (deprecated)" }, "rationale": { "why_set_if_deprecated": [ "Protects older Windows versions (Win7/8/Server 2008/2012); the value is honored there only when KB2871997 is installed", "Protects early Win10/11 builds that may not be fully patched", "Defense-in-depth: Explicit is better than implicit", "Ensures compatibility in mixed environments", "No negative impact on Win11 24H2+ (setting is ignored)" ] }, "microsoft_advisory": { "kb_article": "KB2871997", "date": "May 2014", "title": "Update to improve credentials protection and management", "url": "https://support.microsoft.com/en-us/topic/microsoft-security-advisory-update-to-improve-credentials-protection-and-management-may-13-2014-93434251-04ac-b7f3-52aa-9f951c14b649", "baseline_removal": { "version": "Windows 11 25H2 Security Baseline", "reason": 
"Engineering teams deprecated this policy in Windows 11 24H2", "url": "https://techcommunity.microsoft.com/blog/microsoft-security-baselines/windows-11-version-25h2-security-baseline/4456231" } } }, "Profiles": { "Balanced": true, "Enterprise": true, "Maximum": true }, "Compatibility": { "windows_versions": ["All Windows versions"], "notes": [ "Setting is ignored on Windows 11 24H2+ (deprecated)", "No compatibility issues or breakage on any Windows version", "Recommended for all profiles for defense-in-depth" ] } }