Merge remote-tracking branch 'refs/remotes/origin/master' into dh-whfb-sandbox

windows/access-protection/TOC.md

@@ -24,7 +24,7 @@
 ### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
 ### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
 ### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
-
+### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
 
 
 ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)

windows/access-protection/credential-guard/credential-guard-known-issues.md

@@ -0,0 +1,70 @@
+---
+title: Credential Guard Known issues (Windows 10)
+description: Credential Guard - Known issues in Windows 10 Enterprise
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+---
+
+#  Credential Guard: Known issues 
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+ 
+Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/en-us/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). 
+
+The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
+
+-	KB4015217: [Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/en-us/help/4015217/windows-10-update-kb4015217)
+
+    This issue can potentially lead to unexpected account lockouts.
+See also Knowledge Base articles [KB4015219](https://support.microsoft.com/en-us/help/4015219/windows-10-update-kb4015219) and 
+[KB4015221](https://support.microsoft.com/en-us/help/4015221/windows-10-update-kb4015221)
+
+The following issue is under investigation. For available workarounds, see the following Knowledge Base article:
+-	[Installing AppSense Environment Manager on Windows 10 machines causes LsaIso.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) *
+
+    *Registration required to access this article. 
+
+-	[Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692)**
+
+    **Registration required to access this article. 
+
+Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 clients to exhibit high CPU usage. For further information, see the following Knowledge Base articles:
+
+-	KB88869: [Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869)
+
+
+-	 Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled.
+
+     Microsoft is currently working with Citrix to investigate this issue.
+
+
+## Vendor support
+
+-	[Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
+
+Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
+
+-	For Credential Guard on Windows 10 with McAfee Encryption products, see:
+[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
+
+-	For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
+[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+
+-	For Credential Guard on Windows 10 with VMWare Workstation
+[Windows 10 host fails when running VMWare Workstation when Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
+
+-	For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
+[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
+
+-	For Credential Guard on Windows 10 with Symantec Endpoint Protection
+[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+
+ This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard. 
+
+ Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.

windows/access-protection/credential-guard/credential-guard-manage.md

@@ -15,8 +15,7 @@ author: brianlic-msft
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See [Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
-in the Deep Dive into Credential Guard video series.
+Prefer video? See [Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Credential Guard video series.
 
 ## Enable Credential Guard
 Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. 

windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md

@@ -86,21 +86,27 @@ Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow
 
 ### Disable Windows Firewall
 
-Disabling Windows Firewall with Advanced Security can cause the following problems:
+Microsoft recommends that you do not disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). 
+
+Disabling Windows Firewall with Advanced Security can also cause problems, including:
 
 - Start menu can stop working
 - Modern applications can fail to install or update
 - Activation of Windows via phone fails 
 - Application or OS incompatibilities that depend on Windows Firewall
 
-Do not disable Windows Firewall with Advanced Security service by stopping the service. 
-The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
-Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**. 
-For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
-If you turn off the Windows Firewall with Advanced Security service, you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/). 
+Microsoft recommends disabling Windows Firewall with Advanced Security only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed. 
+
+If disabling Windows Firewall with Advanced Security is required, do not disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
+Stopping the Windows Firewall service is not supported by Microsoft.
+
 Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility. 
 You should not disable the firewall yourself for this purpose. 
-Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
+
+The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
+
+Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**. 
+For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
 
 The following example disables Windows Firewall with Advanced Security for all profiles.