From 78c219b8c32a85cf859419534dc9875672a3c2ce Mon Sep 17 00:00:00 2001
From: VLG17 <41186174+VLG17@users.noreply.github.com>
Date: Fri, 30 Jul 2021 10:51:06 +0300
Subject: [PATCH 1/4] update info

https://github.com/MicrosoftDocs/windows-itpro-docs/issues/9521
---
 .../mdm/clientcertificateinstall-csp.md               | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 1e66232f8b..4d4367df3c 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -205,11 +205,8 @@ Supported operations are Add, Get, Delete, and Replace.
 Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus <strong>+</strong>. For example, <em>OID1</em>+<em>OID2</em>+<em>OID3</em>.
 
 Data type is string.
-Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesn’t have those bits set, the configuration will fail.
 
-Data type is int.
-
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Get, Add, Delete, and Replace.
 
 <a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**  
 Required. Specifies the subject name. 
@@ -242,7 +239,9 @@ Supported operations are Add, Get, Delete, and Replace.
 <a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**  
 Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesn’t have those bits set, configuration will fail.
 
- Supported operations are Add, Get, Delete, and Replace. Value type is integer.
+Data type is int.
+
+Supported operations are Add, Get, Delete, and Replace. 
 
 <a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**  
 Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
@@ -700,4 +699,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
 
 ## Related topics
 
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)

From 74eb90a8d76b05500ccf9ce20583614a5575ea2a Mon Sep 17 00:00:00 2001
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com>
Date: Fri, 30 Jul 2021 17:46:30 +0530
Subject: [PATCH 2/4] Added powershell commands

as per user feedback #9824, so i added correct commands after verification from the windows 11 dev channel.

Also, I found that TWO screenshots are really old, so I want to add new screenshots.
---
 ...tion-based-protection-of-code-integrity.md | 26 +++++++++++++++----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 0628013832..e0a2325d8c 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -103,7 +103,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 
-> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
+**To enable VBS with Secure Boot and DMA (value 3)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
+```
 
 **To enable VBS without UEFI lock (value 0)**
 
@@ -111,7 +115,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
 ```
 
-> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+**To enable VBS with UEFI lock (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
+```
 
 **To enable virtualization-based protection of Code Integrity policies**
 
@@ -125,7 +133,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
 ```
 
-> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**.
+**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
+```
 
 #### For Windows 10 version 1511 and earlier
 
@@ -155,7 +167,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
 reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
 ```
 
-> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**.
+**To enable VBS with Secure Boot and DMA (value 3)**
+
+``` command
+reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
+```
 
 **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
 
@@ -296,4 +312,4 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
 -   The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
 -   HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
 -   Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
--   The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
\ No newline at end of file
+-   The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.

From 2cf0c6cf1b87c64594c832e8b63c3be4ded916d8 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 30 Jul 2021 09:04:29 -0700
Subject: [PATCH 3/4] Update
 enable-virtualization-based-protection-of-code-integrity.md

---
 .../enable-virtualization-based-protection-of-code-integrity.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index e0a2325d8c..429cc12f93 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -10,7 +10,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/01/2019
+ms.date: 07/30/2021
 ms.reviewer: 
 ms.technology: mde
 ---

From c3f2ec88662b21ff6daa1d3645b5ad0e56895b1f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT <deniseb@microsoft.com>
Date: Fri, 30 Jul 2021 09:06:06 -0700
Subject: [PATCH 4/4] Update clientcertificateinstall-csp.md

---
 windows/client-management/mdm/clientcertificateinstall-csp.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md
index 4d4367df3c..ffb8f4fa5d 100644
--- a/windows/client-management/mdm/clientcertificateinstall-csp.md
+++ b/windows/client-management/mdm/clientcertificateinstall-csp.md
@@ -9,7 +9,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: manikadhiman
-ms.date: 02/28/2020
+ms.date: 07/30/2021
 ---
 
 # ClientCertificateInstall CSP