Merge pull request #7218 from MicrosoftDocs/main

Publish 10/03/2022 3:30 PM PT

windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md

@@ -231,6 +231,30 @@ After a successful MFA, the provisioning flow asks the user to create and valida
 
 Once a user has set up a PIN with cloud Kerberos trust, it can be used immediately for sign-in. On a Hybrid Azure AD joined device, the first use of the PIN requires line of sight to a DC. Once the user has signed in or unlocked with the DC, cached logon can be used for subsequent unlocks without line of sight or network connectivity.
 
+## Migrate from key trust deployment model to cloud Kerberos trust
+
+If you deployed WHFB using the **key trust** deployment model, and want to migrate to the **cloud Kerberos trust** deployment model, follow these steps:
+
+1. [Set up Azure AD Kerberos in your hybrid environment](#deploy-azure-ad-kerberos)
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
+1. For hybrid Azure AD joined devices, sign out and sign in the device using Windows Hello for Business with line of sight to a domain controller (DC). Without line of sight to DC, even when the policy is set to "UseCloudTrustForOnPremAuth", the system will fall back to key trust if cloud Kerberos trust login fails
+
+## Migrate from certificate trust deployment model to cloud Kerberos trust
+
+> [!IMPORTANT]
+> There is no direct migration path from certificate trust deployment to cloud Kerberos trust deployment.
+
+If you have deployed WHFB using a **certificate trust** deployment model, and want to use **cloud Kerberos trust**, you will need to clean up the existing deployments and redeploy by following these steps:
+
+1. Disable the certificate trust policy
+1. [Enable cloud Kerberos trust via Group Policy or Intune](#configure-windows-hello-for-business-policy)
+1. Remove the certificate trust credential using the command `certutil -deletehellocontainer` from the user context
+1. Reboot or sign out and sign back in
+1. Provision Windows Hello for Business (Enroll PIN/Face/Fingerprint)
+
+> [!NOTE]
+> For hybrid Azure AD joined devices, sign in with new credentials while having line of sight to a DC.
+
 ## Troubleshooting
 
 If you encounter issues or want to share feedback about Windows Hello for Business cloud Kerberos trust, share via the Windows Feedback Hub app by following these steps:

windows/security/threat-protection/windows-defender-application-control/TOC.yml

@@ -85,6 +85,8 @@
       href: merge-windows-defender-application-control-policies.md
     - name: Enforce WDAC policies
       href: enforce-windows-defender-application-control-policies.md
+    - name: Managing WDAC Policies with CI Tool
+      href: citool-commands.md
     - name: Use code signing to simplify application control for classic Windows applications
       href: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
       items:

windows/security/threat-protection/windows-defender-application-control/citool-commands.md

@@ -0,0 +1,105 @@
+---
+title: Managing CI Policies and Tokens with CiTool
+description: Learn how to use Policy Commands, Token Commands, and Miscellaneous Commands in CiTool
+author: valemieux
+ms.author: jogeurte
+ms.service: security
+ms.reviewer: jogeurte
+ms.topic: how-to
+ms.date: 08/07/2022
+ms.custom: template-how-to
+---
+
+# Manage Windows Defender Application Control (WDAC) Policies with CI Tool
+
+CI Tool makes Windows Defender Application Control (WDAC) policy management easier for IT admins.  CI Tool can be used to manage Windows Defender Application Control policies and CI Tokens. This article describes how to use CI Tool to update and manage policies.  CI Tool is currently included in Windows 11, version 22H2.
+
+## Policy Commands
+
+| Command | Description | Alias |
+|--------|---------|---------|
+| --update-policy `</Path/To/Policy/File>` | Add or update a policy on the current system | -up |
+| --remove-policy `<PolicyGUID>` | Remove a policy indicated by PolicyGUID from the system | -rp |
+| --list-policies | Dump information about all policies on the system, whether they are active or not | -lp |
+
+## Token Commands
+
+| Command | Description | Alias |
+|--------|---------|---------|
+| --add-token `<Path/To/Token/File>` <--token-id ID> | Deploy a token onto the current system, with an optional specific ID. | -at |
+| --remove-token `<ID>` | Remove a Token indicated by ID from the system. | -rt |
+| --list-tokens | Dump information about all tokens on the system | -lt |
+
+> [!NOTE]
+> Regarding --add-token, if `<ID>` is specified, a pre-existing token with `<ID>` should not exist.
+
+## Miscellaneous Commands
+
+| Command | Description | Alias |
+|--------|---------|---------|
+| --device-id | Dump the Code Integrity Device ID | -id |
+| --refresh | Attempt to Refresh WDAC Policies | -r |
+| --help | Display the tool's help menu | -h |
+
+## Examples
+
+1. Deploy a WDAC policy onto the system
+
+    ```powershell
+    PS C:\Users\<USER> CITool --update-policy "\Windows\Temp\{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}.cip"
+    Operation Successful
+    Press Enter to Continue
+    ```
+
+2. Refresh the WDAC policies
+
+    ```powershell
+    PS C:\Users\<USER> CITool --refresh
+    Operation Successful
+    ```
+
+3. Remove a specific WDAC policy by its policy ID
+
+    ```powershell
+    PS C:\Users\<USER> CiTool --remove-policy "{BF61FE40-8929-4FDF-9EC2-F7A767717F0B}"
+    Operation Successful
+    Press Enter to Continue
+    ```
+
+4. Display the help menu
+
+    ```powershell
+    PS C:\Users\<USER> CITool -h
+
+    ----------------------------- Policy Commands ---------------------------------
+      --update-policy /Path/To/Policy/File
+          Add or update a policy on the current system
+          aliases: -up
+      --remove-policy PolicyGUID
+          Remove a policy indicated by PolicyGUID from the system
+          aliases: -rp
+      --list-policies
+          Dump information about all policies on the system, whether they be active or not
+          aliases: -lp
+    ----------------------------- Token Commands ---------------------------------
+      --add-token Path/To/Token/File <--token-id ID>
+          Deploy a token onto the current system, with an optional specific ID
+              If <ID> is specified, a pre-existing token with <ID> should not exist.
+          aliases:-at
+      --remove-token ID
+          Remove a Token indicated by ID from the system.
+          aliases: -rt
+      --list-tokens
+          Dump information about all tokens on the system
+          aliases: -lt
+    ----------------------------- Misc Commands ---------------------------------
+      --device-id
+          Dump the Code Integrity Device Id
+          aliases: -id
+      --refresh
+          Attempt to Refresh CI Policies
+          aliases: -r
+      --help
+          Display this message
+          aliases: -h
+    ```

windows/security/threat-protection/windows-defender-application-control/understanding-wdac-policy-settings.md

@@ -2,7 +2,6 @@
 title: Understanding Windows Defender Application Control (WDAC) secure settings
 description: Learn about secure settings in Windows Defender Application Control.
 ms.prod: windows-client
-ms.technology: itpro-security
 ms.localizationpriority: medium
 ms.collection: M365-security-compliance
 author: jgeurten
@@ -10,6 +9,7 @@ ms.reviewer: vinpa
 ms.author: jogeurte
 manager: aaroncz
 ms.date: 10/11/2021
+ms.technology: itpro-security
 ---
 
 # Understanding WDAC Policy Settings