From 9939fe66df6a6fe7d00eae897dc14181ee680c04 Mon Sep 17 00:00:00 2001 From: v-dihans Date: Fri, 9 Jul 2021 12:08:02 -0600 Subject: [PATCH 1/6] DH-repohealth-column-absolute --- .../credential-guard/credential-guard-manage.md | 2 +- .../hello-for-business/hello-deployment-issues.md | 2 +- .../bitlocker/bitlocker-deployment-comparison.md | 3 +-- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 7e9ef6ad60..c737034fd5 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -63,7 +63,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. > [!TIP] -> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-account-protection-profile-settings). +> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](/mem/intune/protect/endpoint-security-account-protection-profile-settings). ### Enable Windows Defender Credential Guard by using the registry diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 453dcb53bb..ff6e77c407 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -76,7 +76,7 @@ Applies to: Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. For more information, read [Guidelines for enabling smart card logon with third-party certification authorities]( -https://docs.microsoft.com/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). +/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). ### Identifying On-premises Resource Access Issues with Third-Party CAs diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md index 0fbc7f9f48..4864bdf4d4 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md +++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md 
@@ -26,9 +26,8 @@ This article depicts the BitLocker deployment comparison chart. ## BitLocker deployment comparison chart -| |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | +| Requirements |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) | |---------|---------|---------|---------| -|**Requirements**|||| |Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later | |Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise | |Minimum Windows 10 version |1909 | None | None | From 6a0d2cfac04ed6dde7d2825bb5cdc02f0c5fef4f Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Fri, 9 Jul 2021 13:31:15 -0700 Subject: [PATCH 2/6] fixing code block --- .../hello-for-business/hello-deployment-issues.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index ff6e77c407..9b6bed29b0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -82,7 +82,8 @@ For more information, read [Guidelines for enabling smart card logon with third- This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information: - Log Name: Microsoft-Windows-Kerberos/Operational + ```console + Log Name: Microsoft-Windows-Kerberos/Operational Source: Microsoft-Windows-Security-Kerberos Event ID: 107 GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} @@ -91,6 +92,7 @@ This issue can be identified using network traces or Kerberos logging from the c Keywords: User: SYSTEM Description: + ``` The Kerberos client received a KDC certificate that does not have a matched domain name. @@ -205,4 +207,4 @@ This issue is fixed in Windows Server, version 1903 and later. For Windows Serve 6. Execute the command `Set-AdfsApplicationPermission -TargetIdentifier -AddScope 'ugs'`. 7. Restart the AD FS service. -8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. \ No newline at end of file +8. On the client: Restart the client. User should be prompted to provision Windows Hello for Business. From 98d4711cd030dd2331af17c23848fe98ae3f76bc Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Fri, 9 Jul 2021 13:37:37 -0700 Subject: [PATCH 3/6] Update hello-deployment-issues.md --- .../hello-for-business/hello-deployment-issues.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 9b6bed29b0..fc8a3f7b2f 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -146,6 +146,7 @@ AD FS running on Windows Server 2019 fails to complete device authentication pro The provisioning experience for Windows Hello for Business will launch if a set of prerequisite checks done by the client are successful. The result of the provisioningAdmin checks is available in event logs under Microsoft-Windows-User Device Registration. If provisioning is blocked because device authentication has not successfully occurred, there will be an event ID 362 in the logs that states that *User has successfully authenticated to the enterprise STS: No*. + ```console Log Name: Microsoft-Windows-User Device Registration/Admin Source: Microsoft-Windows-User Device Registration Date: @@ -169,11 +170,13 @@ The provisioning experience for Windows Hello for Business will launch if a set User has successfully authenticated to the enterprise STS: No Certificate enrollment method: enrollment authority See https://go.microsoft.com/fwlink/?linkid=832647 for more details. + ``` If a device has recently been joined to a domain, then there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration. If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs': + ```console Log Name: AD FS/Admin Source: AD FS Date: 
@@ -190,6 +193,7 @@ If this AD FS scope issue is present, event logs on the AD FS server will indica Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore() + ``` ### Resolving Certificate Trust with AD FS 2019 Enrollment Issue From 7115eb2a9f27d4f376cc8a4bae77d72d27529f76 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Fri, 9 Jul 2021 14:27:12 -0700 Subject: [PATCH 4/6] Update hello-deployment-issues.md --- .../hello-deployment-issues.md | 104 +++++++++--------- 1 file changed, 52 insertions(+), 52 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index fc8a3f7b2f..26dcf5fe7c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -82,17 +82,17 @@ For more information, read [Guidelines for enabling smart card logon with third- This issue can be identified using network traces or Kerberos logging from the client. In the network trace, the client will fail to place a TGS_REQ request when a user attempts to access a resource. On the client, this can be observed in the Kerberos operation event log under **Application and Services/Microsoft/Windows/Security-Kerberos/Operational**. These logs are default disabled. The failure event for this case will include the following information: - ```console - Log Name: Microsoft-Windows-Kerberos/Operational - Source: Microsoft-Windows-Security-Kerberos - Event ID: 107 - GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} - Task Category: None - Level: Error - Keywords: - User: SYSTEM - Description: - ``` +```console +Log Name: Microsoft-Windows-Kerberos/Operational +Source: Microsoft-Windows-Security-Kerberos +Event ID: 107 +GUID: {98e6cfcb-ee0a-41e0-a57b-622d4e1b30b1} +Task Category: None +Level: Error +Keywords: +User: SYSTEM +Description: +``` The Kerberos client received a KDC certificate that does not have a matched domain name. 
@@ -146,54 +146,54 @@ AD FS running on Windows Server 2019 fails to complete device authentication pro The provisioning experience for Windows Hello for Business will launch if a set of prerequisite checks done by the client are successful. The result of the provisioningAdmin checks is available in event logs under Microsoft-Windows-User Device Registration. If provisioning is blocked because device authentication has not successfully occurred, there will be an event ID 362 in the logs that states that *User has successfully authenticated to the enterprise STS: No*. - ```console - Log Name: Microsoft-Windows-User Device Registration/Admin - Source: Microsoft-Windows-User Device Registration - Date: - Event ID: 362 - Task Category: None - Level: Warning - Keywords: - User: - Computer: - Description: - Windows Hello for Business provisioning will not be launched. - Device is AAD joined ( AADJ or DJ++ ): Yes - User has logged on with AAD credentials: Yes - Windows Hello for Business policy is enabled: Yes - Windows Hello for Business post-logon provisioning is enabled: Yes - Local computer meets Windows hello for business hardware requirements: Yes - User is not connected to the machine via Remote Desktop: Yes - User certificate for on premise auth policy is enabled: Yes - Enterprise user logon certificate enrollment endpoint is ready: Not Tested - Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) - User has successfully authenticated to the enterprise STS: No - Certificate enrollment method: enrollment authority - See https://go.microsoft.com/fwlink/?linkid=832647 for more details. - ``` +```console +Log Name: Microsoft-Windows-User Device Registration/Admin +Source: Microsoft-Windows-User Device Registration +Date: +Event ID: 362 +Task Category: None +Level: Warning +Keywords: +User: +Computer: +Description: +Windows Hello for Business provisioning will not be launched. 
+Device is AAD joined ( AADJ or DJ++ ): Yes +User has logged on with AAD credentials: Yes +Windows Hello for Business policy is enabled: Yes +Windows Hello for Business post-logon provisioning is enabled: Yes +Local computer meets Windows hello for business hardware requirements: Yes +User is not connected to the machine via Remote Desktop: Yes +User certificate for on premise auth policy is enabled: Yes +Enterprise user logon certificate enrollment endpoint is ready: Not Tested +Enterprise user logon certificate template is : No ( 1 : StateNoPolicy ) +User has successfully authenticated to the enterprise STS: No +Certificate enrollment method: enrollment authority +See https://go.microsoft.com/fwlink/?linkid=832647 for more details. +``` If a device has recently been joined to a domain, then there may be a delay before the device authentication occurs. If the failing state of this prerequisite check persists, then it can indicate an issue with the AD FS configuration. If this AD FS scope issue is present, event logs on the AD FS server will indicate an authentication failure from the client. This error will be logged in event logs under AD FS/Admin as event ID 1021 and the event will specify that the client is forbidden access to resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs': - ```console - Log Name: AD FS/Admin - Source: AD FS - Date: - Event ID: 1021 - Task Category: None - Level: Error - Keywords: AD FS - User: - Computer: - Description: - Encountered error during OAuth token request. - Additional Data - Exception details: - Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'. 
+```console +Log Name: AD FS/Admin +Source: AD FS +Date: +Event ID: 1021 +Task Category: None +Level: Error +Keywords: AD FS +User: +Computer: +Description: +Encountered error during OAuth token request. +Additional Data +Exception details: +Microsoft.IdentityServer.Web.Protocols.OAuth.Exceptions.OAuthUnauthorizedClientException: MSIS9368: Received invalid OAuth request. The client '38aa3b87-a06d-4817-b275-7a316988d93b' is forbidden to access the resource 'http://schemas.microsoft.com/ws/2009/12/identityserver/selfscope' with scope 'ugs'. at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthProtocolContext.ValidateScopes(String scopeParameter, String clientId, String relyingPartyId) at Microsoft.IdentityServer.Web.Protocols.OAuth.OAuthToken.OAuthJWTBearerRequestContext.ValidateCore() - ``` +``` ### Resolving Certificate Trust with AD FS 2019 Enrollment Issue From 7f7166cb063132b0afce4283019e056c929e1fac Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Fri, 9 Jul 2021 14:31:20 -0700 Subject: [PATCH 5/6] Update hello-deployment-issues.md --- .../hello-for-business/hello-deployment-issues.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 26dcf5fe7c..662a379e97 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -94,10 +94,12 @@ User: SYSTEM Description: ``` - The Kerberos client received a KDC certificate that does not have a matched domain name. +The Kerberos client received a KDC certificate that does not have a matched domain name. - Expected Domain Name: ad.contoso.com - Error Code: 0xC000006D + ```console + Expected Domain Name: ad.contoso.com + Error Code: 0xC000006D + ``` ### Resolving On-premises Resource Access Issue with Third-Party CAs From bb543c0a9594ff306e148746806153a6f1822d98 Mon Sep 17 00:00:00 2001 From: Rebecca Agiewich Date: Fri, 9 Jul 2021 14:43:46 -0700 Subject: [PATCH 6/6] Update hello-deployment-issues.md --- .../hello-for-business/hello-deployment-issues.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 662a379e97..1620881268 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md @@ -92,13 +92,10 @@ Level: Error Keywords: User: SYSTEM Description: -``` The Kerberos client received a KDC certificate that does not have a matched domain name. - - ```console - Expected Domain Name: ad.contoso.com - Error Code: 0xC000006D +Expected Domain Name: ad.contoso.com +Error Code: 0xC000006D ``` ### Resolving On-premises Resource Access Issue with Third-Party CAs
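Review bot: The `credential-guard-manage.md` hunk in PATCH 1/6 is correct for the docs site, with one caveat worth stating in the PR description: a root-relative destination such as `/mem/intune/protect/endpoint-security-account-protection-profile-settings` only resolves when the page is served from the docs host, so the link will 404 in GitHub's Markdown preview and in any mirrored or offline rendering of this file. That is the accepted trade-off for the repo health rule this series implements, but reviewers checking links in the preview should not flag it as broken.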
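Review bot: In the `hello-deployment-issues.md` hunk of PATCH 1/6, the link is still split across two lines, with `[Guidelines for enabling smart card logon with third-party certification authorities](` on one line and the destination `/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities).` on the next. Markdown renderers differ on whether a line break directly after the opening parenthesis is tolerated inside a link, so while the destination is being edited anyway, join the label and destination on a single line to avoid a literal `](` appearing in the rendered page.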
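Review bot: In the `bitlocker-deployment-comparison.md` hunk of PATCH 1/6, the removed row `|**Requirements**||||` was acting as a section divider inside the table body, and the replacement moves the label into the first header cell, where it now reads as the column heading for every row that follows. The hunk shows only the first three data rows, so please confirm that the rest of the table contains no other bold divider rows; if it does, they need the same treatment (or a neutral first-column heading such as the comparison criterion), otherwise the table will have one heading for part of its rows and inline dividers for the rest.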
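Review bot: In the first two hunks of PATCH 2/6, the closing fence is placed immediately after `Description:`, which leaves the body of the event description (`The Kerberos client received a KDC certificate that does not have a matched domain name.` and the lines that follow it) outside the code block, so a single event record is rendered half as code and half as prose. The fence should close after the last line of the event. The opening fence and its content are also indented by four spaces, which in Markdown outside a list context is itself an indented code block and can render the backticks literally; place the fences at column 0. Both points are addressed later in this series (PATCH 4/6 and PATCH 6/6), so consider squashing those fixes into this commit.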
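Review bot: In both hunks of PATCH 3/6, the new ` ```console ` fences around the event ID 362 and event ID 1021 samples are indented by one space together with the event text. Leading whitespace on a fence is tolerated by most renderers up to three spaces, but the indentation is inconsistent with the other fenced blocks in this file and is removed again in PATCH 4/6; keep fences at column 0 from the start so the rendering is unambiguous. The log samples themselves should stay verbatim, including the lowercase `Windows hello for business` in the 362 event, since that is what the event writes.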
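Review bot: PATCH 4/6 is a whitespace-only change (52 lines removed and re-added with the indentation stripped) to lines that PATCH 2/6 and PATCH 3/6 introduced in the same series. That is the right end state, but as a separate commit it doubles the diff for reviewers and leaves a revision in history where the fences were indented; fold it into the commits that added the fences.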
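Review bot: PATCH 5/6 moves `The Kerberos client received a KDC certificate that does not have a matched domain name.` out of the fence and opens a second, indented ` ```console ` block for `Expected Domain Name: ad.contoso.com` and `Error Code: 0xC000006D`. This splits one event record across two code blocks with an unfenced sentence between them, and reintroduces the indented fence that PATCH 4/6 just removed. The description line and the two fields are all part of the event's Description in Event Viewer, so they belong inside the same fence as the header fields; PATCH 6/6 restores exactly that, which means this commit should be dropped rather than kept in the history.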
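Review bot: PATCH 6/6 reaches the correct layout for the Kerberos event 107 sample: the header fields, the description sentence, and the `Expected Domain Name` / `Error Code` lines are now in a single column-0 ` ```console ` block, matching the 362 and 1021 samples earlier in the file. The remaining issue is the series itself: commits 2 through 6 rewrite the same block five times and four of them carry the subject `Update hello-deployment-issues.md`, which says nothing about the change. Squash them into one commit with a subject that describes the result, for example fencing the Kerberos and AD FS event samples as console blocks, so that `git log` and `git blame` on this file remain useful.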