From 38abc228699dae47501786a1fa49229369905753 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 7 Apr 2021 16:17:25 -0700 Subject: [PATCH 1/3] Moved note about "it" to immediately follow apparent it --- .../credential-guard/credential-guard-manage.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 911041368f..6872bdb85b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -59,12 +59,12 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. 3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. + > [!NOTE] + > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. + > [!TIP] > You can also configure Credential Guard using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-account-protection-profile-settings). -> [!NOTE] -> It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. - ### Enable Windows Defender Credential Guard by using the registry If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. From d5bafe4693e93dbce98a64582c3205741b2df749 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 7 Apr 2021 16:19:45 -0700 Subject: [PATCH 2/3] Changed second-level sequential list to enumerated --- .../credential-guard/credential-guard-manage.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 6872bdb85b..9183d13f28 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -120,17 +120,17 @@ You can do this by using either the Control Panel or the Deployment Image Servic 2. Enable virtualization-based security: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. + 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. + 1. Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. + 1. Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. 3. Enable Windows Defender Credential Guard: - - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. + 1. Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. + 1. Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. 4. Close Registry Editor. From 3118103fbff9878aece9f54b20d6b7f11e83acb5 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 7 Apr 2021 16:35:07 -0700 Subject: [PATCH 3/3] Minor corrections --- .../credential-guard/credential-guard-manage.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 9183d13f28..7e9ef6ad60 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -63,7 +63,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. > It will enable VBS and Secure Boot and you can do it with or without UEFI Lock. If you will need to disable Credential Guard remotely, enable it without UEFI lock. > [!TIP] -> You can also configure Credential Guard using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-account-protection-profile-settings). +> You can also configure Credential Guard by using an account protection profile in endpoint security. See [Account protection policy settings for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-account-protection-profile-settings). ### Enable Windows Defender Credential Guard by using the registry @@ -167,7 +167,8 @@ You can view System Information to check that Windows Defender Credential Guard Here's an example: - ![System Information](images/credguard-msinfo32.png) + > [!div class="mx-imgBorder"] + > ![System Information](images/credguard-msinfo32.png) You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). @@ -261,7 +262,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p > [!NOTE] > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings: > - >``` + >```console >bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS >bcdedit /set vsmlaunchtype off >``` @@ -277,7 +278,7 @@ For more info on virtualization-based security and HVCI, see [Enable virtualizat You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -```console +```powershell DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ```