Merge pull request #5454 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
Diana Hanson 2021-07-30 10:37:14 -06:00 committed by GitHub
commit 376b23a725
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 28 additions and 13 deletions

@ -9,7 +9,7 @@ ms.topic: article
ms.prod: w10 ms.prod: w10
ms.technology: windows ms.technology: windows
author: manikadhiman author: manikadhiman
ms.date: 02/28/2020 ms.date: 07/30/2021
--- ---
# ClientCertificateInstall CSP # ClientCertificateInstall CSP
@ -205,11 +205,8 @@ Supported operations are Add, Get, Delete, and Replace.
Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus <strong>+</strong>. For example, <em>OID1</em>+<em>OID2</em>+<em>OID3</em>. Required. Specifies extended key usages. Subject to SCEP server configuration. The list of OIDs are separated by a plus <strong>+</strong>. For example, <em>OID1</em>+<em>OID2</em>+<em>OID3</em>.
Data type is string. Data type is string.
Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have the second (0x20), fourth (0x80) or both bits set. If the value doesnt have those bits set, the configuration will fail.
Data type is int. Supported operations are Get, Add, Delete, and Replace.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName** <a href="" id="clientcertificateinstall-scep-uniqueid-install-subjectname"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/SubjectName**
Required. Specifies the subject name. Required. Specifies the subject name.
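Review bot: the operations sentence in this hunk appears in two orders, "Supported operations are Get, Add, Delete, and Replace." and "Supported operations are Add, Get, Delete, and Replace."; the hunk headers and the KeyUsage node use the "Add, Get, Delete, and Replace" order, so keep that one here as well so the node reads the same as its neighbours.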
@ -242,7 +239,9 @@ Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** <a href="" id="clientcertificateinstall-scep-uniqueid-install-keyusage"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage**
Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesnt have those bits set, configuration will fail. Required for enrollment. Specify the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate in decimal format. The value should at least have second (0x20) or forth (0x80) or both bits set. If the value doesnt have those bits set, configuration will fail.
Supported operations are Add, Get, Delete, and Replace. Value type is integer. Data type is int.
Supported operations are Add, Get, Delete, and Replace.
<a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay** <a href="" id="clientcertificateinstall-scep-uniqueid-install-retrydelay"></a>**ClientCertificateInstall/SCEP/*UniqueID*/Install/RetryDelay**
Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes. Optional. When the SCEP server sends a pending status, this value specifies the device retry waiting time in minutes.
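Review bot: the KeyUsage description left as context directly above the changed "Data type is int." line still reads "second (0x20) or forth (0x80)" and "doesnt"; since this node is being touched, correct them to "fourth" and "doesn't" (the copy deleted in the previous hunk already spelled "fourth" correctly). The same sentence asks for the value "in decimal format" while giving only hex examples (0x80, 0x20, 0xA0); adding the decimal equivalents 128, 32 and 160 would remove the ambiguity about what to enter in an int node.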
@ -700,4 +699,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c
## Related topics ## Related topics
[Configuration service provider reference](configuration-service-provider-reference.md) [Configuration service provider reference](configuration-service-provider-reference.md)

@ -10,7 +10,7 @@ manager: dansimp
audience: ITPro audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
ms.topic: conceptual ms.topic: conceptual
ms.date: 04/01/2019 ms.date: 07/30/2021
ms.reviewer: ms.reviewer:
ms.technology: mde ms.technology: mde
--- ---
@ -103,7 +103,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
``` ```
> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable VBS with Secure Boot and DMA (value 3)**
``` command
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable VBS without UEFI lock (value 0)** **To enable VBS without UEFI lock (value 0)**
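Review bot: the new value 3 block holds only the RequirePlatformSecurityFeatures command, but under its own bold heading "To enable VBS with Secure Boot and DMA (value 3)" it now reads as a complete procedure. The note it replaces made clear that this is a variant of the preceding command; state that here too, for example "use this command instead of the preceding RequirePlatformSecurityFeatures command", otherwise a reader who runs only this block never sets the value that the preceding block starts with (truncated to "EnableVirtualiza" in the hunk header).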
@ -111,7 +115,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
``` ```
> To enable **VBS with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. **To enable VBS with UEFI lock (value 1)**
``` command
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable virtualization-based protection of Code Integrity policies** **To enable virtualization-based protection of Code Integrity policies**
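Review bot: the "Locked" /d 0 block and the new "Locked" /d 1 block write the same registry value, and as two consecutive command blocks they are easy to paste in sequence, which leaves Locked at 1, the opposite of what the "without UEFI lock (value 0)" heading promises. Mark the two blocks as mutually exclusive, or keep a short form of the old "change /d 0 to /d 1" wording beside the new block.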
@ -125,7 +133,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
``` ```
> To enable **virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**, in the preceding command, change **/d 0** to **/d 1**. **To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**
``` command
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
```
#### For Windows 10 version 1511 and earlier #### For Windows 10 version 1511 and earlier
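Review bot: the added fence opens with "``` command" (a space, then the info string command), here and in the three other blocks this commit adds. Only the closing fences of the existing blocks are visible in the diff, so check that the existing blocks open the same way and that all the reg add blocks in the file render alike.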
@ -155,7 +167,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
``` ```
> To enable **VBS with Secure Boot and DMA (value 3)**, in the preceding command, change **/d 1** to **/d 3**. **To enable VBS with Secure Boot and DMA (value 3)**
``` command
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
@ -296,4 +312,4 @@ Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.