From 1d5b080bf9a8a4416e54e25151c80422813e8e6f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 17 Aug 2020 15:34:20 -0700 Subject: [PATCH 1/4] Applied correct note style --- windows/client-management/mdm/registry-csp.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/registry-csp.md b/windows/client-management/mdm/registry-csp.md index 676424f6ed..38bd56ba6d 100644 --- a/windows/client-management/mdm/registry-csp.md +++ b/windows/client-management/mdm/registry-csp.md @@ -17,7 +17,8 @@ ms.date: 06/26/2017 The Registry configuration service provider is used to update registry settings. However, if there is configuration service provider that is specific to the settings that need to be updated, use the specific configuration service provider. -> **Note**   The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management. +> [!NOTE] +> The Registry CSP is only supported in Windows 10 Mobile for OEM configuration. Do not use this CSP for enterprise remote management. For Windows 10 Mobile only, this configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_OEM capabilities to be accessed from a network configuration application.   @@ -38,7 +39,6 @@ The default security role maps to each subnode unless specific permission is gra ## Microsoft Custom Elements - The following table shows the Microsoft custom elements that this configuration service provider supports for OMA Client Provisioning. @@ -75,11 +75,10 @@ The following table shows the Microsoft custom elements that this configuration
  - Use these elements to build standard OMA Client Provisioning configuration XML. For information about specific elements, see MSPROV DTD elements. -## Supported Data Types +## Supported Data Types The following table shows the data types this configuration service provider supports. From d2cafe2fac340f36bda44d239d2de88bb515217d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 17 Aug 2020 15:46:33 -0700 Subject: [PATCH 2/4] Standardized vertical spacing and added labels to code blocks --- .../credential-guard-manage.md | 43 ++++++++++++++----- 1 file changed, 33 insertions(+), 10 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 4c6b1e2b9d..0ff8876a89 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -36,9 +36,13 @@ The same set of procedures used to enable Windows Defender Credential Guard on p You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed. 1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard**. + 2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option. + 3. In the **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**. + 4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**. + 5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection) for more details. ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png) @@ -49,8 +53,10 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. ### Enable Windows Defender Credential Guard by using Intune -1. From **Home** click **Microsoft Intune** -2. Click **Device configuration** +1. From **Home**, click **Microsoft Intune**. + +2. Click **Device configuration**. + 3. Click **Profiles** > **Create Profile** > **Endpoint protection** > **Windows Defender Credential Guard**. > [!NOTE] @@ -66,6 +72,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security. You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM). + > [!NOTE] > If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you. @@ -73,22 +80,31 @@ You can do this by using either the Control Panel or the Deployment Image Servic **Add the virtualization-based security features by using Programs and Features** 1. Open the Programs and Features control panel. + 2. Click **Turn Windows feature on or off**. + 3. Go to **Hyper-V** -> **Hyper-V Platform**, and then select the **Hyper-V Hypervisor** check box. + 4. Select the **Isolated User Mode** check box at the top level of the feature selection. + 5. Click **OK**. **Add the virtualization-based security features to an offline image by using DISM** 1. Open an elevated command prompt. + 2. Add the Hyper-V Hypervisor by running the following command: - ``` + + ```console dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` + 3. Add the Isolated User Mode feature by running the following command: - ``` + + ```console dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` + > [!NOTE] > In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. @@ -100,11 +116,13 @@ You can do this by using either the Control Panel or the Deployment Image Servic 1. Open Registry Editor. 2. Enable virtualization-based security: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard. - Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it. - Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**. 3. Enable Windows Defender Credential Guard: + - Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA. - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it. @@ -120,9 +138,10 @@ You can do this by using either the Control Panel or the Deployment Image Servic You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -``` +```console DG_Readiness_Tool.ps1 -Enable -AutoReboot ``` + > [!IMPORTANT] > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. @@ -134,7 +153,9 @@ DG_Readiness_Tool.ps1 -Enable -AutoReboot You can view System Information to check that Windows Defender Credential Guard is running on a PC. 1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. + 2. Click **System Summary**. + 3. Confirm that **Credential Guard** is shown next to **Virtualization-based security Services Configured**. Here's an example: @@ -143,9 +164,10 @@ You can view System Information to check that Windows Defender Credential Guard You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -``` +```console DG_Readiness_Tool_v3.6.ps1 -Ready ``` + > [!IMPORTANT] > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. @@ -165,7 +187,7 @@ DG_Readiness_Tool_v3.6.ps1 -Ready - **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: **0x0**. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: **0x1**. TPM PCR mask: **0x0**. - - You can use Windows Powershell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated Powershell window and run the following command: + - You can use Windows PowerShell to determine whether credential guard is running on a client computer. On the computer in question, open an elevated PowerShell window and run the following command: ```powershell (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning @@ -195,7 +217,7 @@ To disable Windows Defender Credential Guard, you can use the following set of p 4. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: - ``` syntax + ```console mountvol X: /s copy %WINDIR%\System32\SecConfig.efi X:\EFI\Microsoft\Boot\SecConfig.efi /Y bcdedit /create {0cb3b571-2f2e-4343-a879-d86a476d7215} /d "DebugTool" /application osloader @@ -232,9 +254,10 @@ For more info on virtualization-based security and HVCI, see [Enable virtualizat You can also disable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). -``` +```console DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` + > [!IMPORTANT] > When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. @@ -243,7 +266,7 @@ DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot From the host, you can disable Windows Defender Credential Guard for a virtual machine: -``` PowerShell +```powershell Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` From 22e75ac21793379999bc488651b2501e02348cc4 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 17 Aug 2020 15:48:38 -0700 Subject: [PATCH 3/4] Corrected labels on code blocks --- .../command-line-arguments-microsoft-defender-antivirus.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md index 167fb28fc2..4a296ac42c 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md @@ -30,11 +30,12 @@ You can perform various Microsoft Defender Antivirus functions with the dedicate The utility has the following commands: -```DOS +```console MpCmdRun.exe [command] [-options] ``` Here's an example: -``` + +```console MpCmdRun.exe -Scan -ScanType 2 ``` From 89f96a5ca22fd11e273b6591da938de760afaa82 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Mon, 17 Aug 2020 15:50:24 -0700 Subject: [PATCH 4/4] Acrolinx spelling: "aer" --- .../microsoft-defender-application-guard/faq-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index d94f47691e..4dcd95abef 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -43,7 +43,7 @@ Depending on your organization's settings, employees can copy and paste images ( ### Why don't employees see their Favorites in the Application Guard Edge session? -To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session aer not copied to the host device. +To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in an Application Guard Edge session are not copied to the host device. ### Are extensions supported in the Application Guard?