From fabf1b6d14b37581fe381e8890bdbb45b66b125e Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 29 Jan 2020 09:59:21 +0500 Subject: [PATCH 01/13] Update hello-hybrid-cert-whfb-settings-pki.md --- .../hello-hybrid-cert-whfb-settings-pki.md | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 7c4e019e6d..7631e6620b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -156,6 +156,26 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ > [!NOTE] > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. +> [!IMPORTANT] +> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. New value must contain **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. For example: +> +> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication +> +> Old Value: +> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +> TEMPLATE_SERVER_VER_WINBLUE< TEMPLATE_CLIENT_VER_WINBLUE< New Value: +> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040) +> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +> TEMPLATE_SERVER_VER_WINBLUE< CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152) +> TEMPLATE_CLIENT_VER_WINBLUE< CertUtil: -dsTemplate command completed successfully." + ## Publish Templates ### Publish Certificate Templates to a Certificate Authority From 8985b4a89eff9cd639b3ea486ed3a79c4b06581f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 30 Jan 2020 12:05:15 +0500 Subject: [PATCH 02/13] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 7631e6620b..c627e71a66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -157,7 +157,7 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. > [!IMPORTANT] -> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. New value must contain **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. For example: +> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: > > CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication > @@ -234,4 +234,3 @@ Sign-in to the certificate authority or management workstation with _Enterprise 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. Configure Windows Hello for Business settings: PKI (*You are here*) 6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) - From 2f21dc1a5031a8a47a9ade95acf93af2c9a2f1b8 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 30 Mar 2020 08:24:44 +0500 Subject: [PATCH 03/13] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-hybrid-cert-whfb-settings-pki.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index c627e71a66..503bdf5c4c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -159,22 +159,22 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ > [!IMPORTANT] > If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: > -> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication -> -> Old Value: -> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) -> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) -> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 -> TEMPLATE_SERVER_VER_WINBLUE< TEMPLATE_CLIENT_VER_WINBLUE< New Value: -> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040) -> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) -> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 -> TEMPLATE_SERVER_VER_WINBLUE< CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152) -> TEMPLATE_CLIENT_VER_WINBLUE< CertUtil: -dsTemplate command completed successfully." +> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
+>
+> Old Value:
+> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
+> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+> TEMPLATE_SERVER_VER_WINBLUE< +> TEMPLATE_CLIENT_VER_WINBLUE< +> New Value:
+> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040)
+> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
+> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
+> TEMPLATE_SERVER_VER_WINBLUE< +> CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152)
+> TEMPLATE_CLIENT_VER_WINBLUE< +> CertUtil: -dsTemplate command completed successfully."
## Publish Templates From 69b1cedfd474115a1253ac6c7313aa2acefd98d6 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 28 Jul 2020 09:50:26 +0500 Subject: [PATCH 04/13] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-hybrid-cert-whfb-settings-pki.md | 39 +++++++++---------- 1 file changed, 19 insertions(+), 20 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 503bdf5c4c..4fe092f5bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -153,29 +153,28 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ 1. Open an elevated command prompt. 2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` +If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: + +CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication + +Old Value: +msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) +CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) +CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 +TEMPLATE_SERVER_VER_WINBLUE< [!NOTE] > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -> [!IMPORTANT] -> If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: -> -> CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication
->
-> Old Value:
-> msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888)
-> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
-> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
-> TEMPLATE_SERVER_VER_WINBLUE< -> TEMPLATE_CLIENT_VER_WINBLUE< -> New Value:
-> msPKI-Private-Key-Flag REG_DWORD = 5250080 (86311040)
-> CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)
-> CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0
-> TEMPLATE_SERVER_VER_WINBLUE< -> CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY -- 200000 (2097152)
-> TEMPLATE_CLIENT_VER_WINBLUE< -> CertUtil: -dsTemplate command completed successfully."
- ## Publish Templates ### Publish Certificate Templates to a Certificate Authority From 789b160464e30d70db16a000dfe9fe4b760c3937 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 1 Aug 2020 07:25:51 +0500 Subject: [PATCH 05/13] Update hello-hybrid-cert-whfb-settings-pki.md --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 4fe092f5bc..dc5b78d9b1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -163,6 +163,7 @@ CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) CTPRIVATEKEY_FLAG_ATTEST_NONE -- 0 TEMPLATE_SERVER_VER_WINBLUE< Date: Thu, 13 Aug 2020 06:30:30 -0700 Subject: [PATCH 06/13] Update faq-md-app-guard.md Added a known issue and it's mitigation --- .../faq-md-app-guard.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 1dfee7b591..b5f906e1fe 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -159,3 +159,15 @@ Step 2: 3. Disable IPNAT (Optional): `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`. 4. Restart the device. + +### Why doesn't Application guard work, although it is enabled via GPO? + +Application Guard must meet all these pre-requisites to be enabled in enterprise mode: +https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard +To understand why it is not being enabled in enterprise mode you need to check the status of the evaluation to find out what is missing. + +For CSP (Intune) you can query the status node via a Get as mentioned in this document: +https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp +In this page you will see the “status” node as well as the meaning of each bit. If the status is not 63, you are missing a pre-requisite. + +For Group Policy you need to look at the registry. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP Status. The meaning of each bit is the same as the CSP. From 668820b5ab2b75963f4e8bcf203d95e3de61db64 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 13 Aug 2020 18:15:15 -0700 Subject: [PATCH 07/13] Update faq-md-app-guard.md minor edits --- .../faq-md-app-guard.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index b5f906e1fe..e8e1beac23 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -160,14 +160,12 @@ Step 2: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`. 4. Restart the device. -### Why doesn't Application guard work, although it is enabled via GPO? +### Why doesn't Application guard work, even though it's enabled through Group Policy? -Application Guard must meet all these pre-requisites to be enabled in enterprise mode: -https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard -To understand why it is not being enabled in enterprise mode you need to check the status of the evaluation to find out what is missing. +Application Guard must meet all these prerequisites to be enabled in enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). +To understand why it is not enabled in enterprise mode, check the status of the evaluation to understand what's missing. -For CSP (Intune) you can query the status node via a Get as mentioned in this document: -https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp -In this page you will see the “status” node as well as the meaning of each bit. If the status is not 63, you are missing a pre-requisite. +For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). +In this page you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite. -For Group Policy you need to look at the registry. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP Status. The meaning of each bit is the same as the CSP. +For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP. From 93fee46622ee19373bc21071f1c99760ceb0088b Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 14 Aug 2020 05:49:37 -0700 Subject: [PATCH 08/13] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index e8e1beac23..4665446026 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -160,7 +160,7 @@ Step 2: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`. 4. Restart the device. -### Why doesn't Application guard work, even though it's enabled through Group Policy? +### Why doesn't Application Guard work, even though it's enabled through Group Policy? Application Guard must meet all these prerequisites to be enabled in enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). To understand why it is not enabled in enterprise mode, check the status of the evaluation to understand what's missing. From 029a4fcf5ef0e57ae1890f17614fb173adb95d82 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 14 Aug 2020 05:49:48 -0700 Subject: [PATCH 09/13] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index 4665446026..c659fe350f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -162,7 +162,7 @@ Step 2: ### Why doesn't Application Guard work, even though it's enabled through Group Policy? -Application Guard must meet all these prerequisites to be enabled in enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). +Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). To understand why it is not enabled in enterprise mode, check the status of the evaluation to understand what's missing. For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). From 76fa041f5cc8049f23beb35d26ea6a9c6e9023dc Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 14 Aug 2020 05:49:55 -0700 Subject: [PATCH 10/13] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index c659fe350f..afbcc33510 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -163,7 +163,7 @@ Step 2: ### Why doesn't Application Guard work, even though it's enabled through Group Policy? Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). -To understand why it is not enabled in enterprise mode, check the status of the evaluation to understand what's missing. +To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing. For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). In this page you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite. From 64c9024fe5ac3fed9e06e8d9c8de1ce2d36a5128 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 14 Aug 2020 05:50:11 -0700 Subject: [PATCH 11/13] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index afbcc33510..061966afc5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -166,6 +166,6 @@ Application Guard must meet all these prerequisites to be enabled in Enterprise To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing. For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). -In this page you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite. +On this page, you will see the **status** node as well as the meaning of each bit. If the status is not 63, you are missing a prerequisite. For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP. From fed0fdfb94ecddb41440fce67eef7eae24bea027 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 14 Aug 2020 16:58:12 -0700 Subject: [PATCH 12/13] Applied proper note style, consistent spacing, and indentation --- .../hello-hybrid-cert-whfb-settings-pki.md | 88 ++++++++++++++++--- 1 file changed, 78 insertions(+), 10 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index dc5b78d9b1..051c8a2896 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -46,13 +46,22 @@ By default, the Active Directory Certificate Authority provides and publishes th Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. - **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the lab. + 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. + 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. + 8. Close the console. #### Configure Certificate Superseding for the Domain Controller Authentication (Kerberos) Certificate Template @@ -66,13 +75,21 @@ The auto-enrollment feature in Windows enables you to effortlessly replace these Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. + 4. Click the **Superseded Templates** tab. Click **Add**. + 5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. + 6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. + 7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. + 8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. + 9. Click **OK** and close the **Certificate Templates** console. The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. @@ -95,33 +112,54 @@ Approximately 60 days prior to enrollment agent certificate's expiration, the AD Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority Management** console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. + +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. + + > [!NOTE] + > The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 8. On the **Security** tab, click **Add**. + 9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. + 10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 12. Close the console. -#### Creating an Enrollment Agent certificate for typical Service Acconts +#### Creating an Enrollment Agent certificate for typical Service Accounts Sign-in a certificate authority or management workstations with *Domain Admin* equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. + 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. + 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**. + 9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. + 10. Close the console. ### Creating Windows Hello for Business authentication certificate template @@ -131,32 +169,51 @@ During Windows Hello for Business provisioning, the Windows 10, version 1703 cli Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. 1. Open the **Certificate Authority** management console. + 2. Right-click **Certificate Templates** and click **Manage**. + 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. + 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. - **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. -6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + +5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. + + > [!NOTE] + > If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. + +6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. + 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. + 8. On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box. - * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. + + Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. + 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. + 10. On the **Request Handling** tab, select the **Renew with same key** check box. + 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. + 12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. + 13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. + 14. Click on the **Apply** to save changes and close the console. #### Mark the template as the Windows Hello Sign-in template Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. + 1. Open an elevated command prompt. + 2. Run `certutil -dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication +```console Old Value: msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128) @@ -172,6 +229,7 @@ TEMPLATE_SERVER_VER_WINBLUE< [!NOTE] > If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. @@ -185,11 +243,17 @@ The certificate authority may only issue certificates for certificate templates #### Publish Certificate Templates to the Certificate Authority Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. + 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. + 6. Close the console. @@ -202,9 +266,13 @@ The newly created domain controller authentication certificate template supersed Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. + 2. Expand the parent node from the navigation pane. + 3. Click **Certificate Templates** in the navigation pane. + 4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. + 5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. From 173a268c3ad3e1d59a31de9d4662847d2b0907dd Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Fri, 14 Aug 2020 16:59:59 -0700 Subject: [PATCH 13/13] Expanded code block to include "CN=Certificate Templates..." --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 051c8a2896..8a785dcf5f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -211,9 +211,9 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ If the template was changed successfully, the output of the command will contain old and new values of the template parameters. The new value must contain the **CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY** parameter. Example: +```console CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=[yourdomain]:WHFBAuthentication -```console Old Value: msPKI-Private-Key-Flag REG_DWORD = 5050080 (84213888) CTPRIVATEKEY_FLAG_REQUIRE_SAME_KEY_RENEWAL -- 80 (128)