From 34b3e113518de946f6bd68d4e962de8ae1fa0bef Mon Sep 17 00:00:00 2001 From: "v-tea@microsoft.com" <46357187+Teresa-Motiv@users.noreply.github.com> Date: Tue, 14 Jul 2020 15:55:27 -0700 Subject: [PATCH] Update credential-guard-manage.md Edits --- .../credential-guard/credential-guard-manage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index c28c0a5c73..b4bbe78a9d 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -158,13 +158,13 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: - **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials. - **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: \[**0x0** \| **0x1** \| **0x2**\], **0** - - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. 0x0 means that it's not configured to run. - - The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. + - The first variable: **0x1** or **0x2** means that Windows Defender Credential Guard is configured to run. **0x0** means that it's not configured to run. + - The second variable: **0** means that it's configured to run in protect mode. **1** means that it's configured to run in test mode. This variable should always be **0**. - **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard. - **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\] - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. + - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command: ```powershell