deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #2927 from MicrosoftDocs/repo_sync_working_branch

Browse Source 
Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Tina Burden 2020-05-28 11:10:12 -07:00 committed by GitHub
commit 5d68009924
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 83 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

161
windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -14,11 +14,13 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.reviewer:
---
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
```powershell
# Script to find out if machine is Device Guard compliant
# requires driver verifier on system.
# Script to find out if a machine is Device Guard compliant.
# The script requires a driver verifier present on the system.
param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
$path = "C:\DGLogs\"
@ -36,7 +38,7 @@ $DGVerifySuccess = New-Object System.Text.StringBuilder
$Sys32Path = "$env:windir\system32"
$DriverPath = "$env:windir\system32\drivers"
#generated by certutil -encode
#generated by certutil -encode
$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA
HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC
NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC
@ -114,7 +116,7 @@ function LogAndConsoleSuccess($message)
function LogAndConsoleError($message)
{
Write-Host $message -foregroundcolor "Red"
Write-Host $message -foregroundcolor "Red"
Log $message
}
@ -132,16 +134,16 @@ function IsExempted([System.IO.FileInfo] $item)
Log $cert.ToString()
return 0
}
}
}
function CheckExemption($_ModName)
{
$mod1 = Get-ChildItem $Sys32Path $_ModName
$mod2 = Get-ChildItem $DriverPath $_ModName
if($mod1)
{
{
Log "NonDriver module" + $mod1.FullName
return IsExempted($mod1)
return IsExempted($mod1)
}
elseif($mod2)
{
@ -184,15 +186,15 @@ function CheckFailedDriver($_ModName, $CIStats)
}
if($Result.Contains("PASS"))
{
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
$CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null
}
elseif($FailingStat.Trim().Contains("execute-write"))
{
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
$FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
}
else
{
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
$FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null
}
Log "Result: " $Result
}
@ -204,7 +206,7 @@ function ListCIStats($_ModName, $str1)
{
Log "String := " $str1
Log "Warning! CI Stats are missing for " $_ModName
return
return
}
$temp_str1 = $str1.Substring($i1)
$CIStats = $temp_str1.Substring(0).Trim()
@ -245,7 +247,7 @@ function ListDrivers($str)
}
$DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile
LogAndConsole $DriverScanCompletedMessage
LogAndConsole $DriverScanCompletedMessage
if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 )
{
@ -254,7 +256,7 @@ function ListDrivers($str)
{
LogAndConsoleError $WarningMessage
}
else
else
{
LogAndConsoleWarning $WarningMessage
}
@ -321,7 +323,7 @@ function ListSummary()
}
else
{
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n"
if(!$HVCI -and !$DG)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f '
@ -336,56 +338,56 @@ function ListSummary()
function Instantiate-Kernel32 {
try
try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
public static class Kernel32
{
[DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)]
public static extern IntPtr LoadLibrary(
[MarshalAs(UnmanagedType.LPStr)]string lpFileName);
[DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(
IntPtr hModule,
string procName);
}
"@
}
catch
{
Log $_.Exception.Message
Log $_.Exception.Message
LogAndConsole "Instantiate-Kernel32 failed"
}
}
function Instantiate-HSTI {
try
try
{
Add-Type -TypeDefinition @"
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
using System.Net;
public static class HstiTest3
{
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
public static extern int QueryHSTIdetails(
ref HstiOverallError pHstiOverallError,
public static extern int QueryHSTIdetails(
ref HstiOverallError pHstiOverallError,
[In, Out] HstiProviderErrorDuple[] pHstiProviderErrors,
ref uint pHstiProviderErrorsCount,
byte[] hstiPlatformSecurityBlob,
ref uint pHstiPlatformSecurityBlobBytes);
[DllImport("hstitest.dll", CharSet = CharSet.Unicode)]
public static extern int QueryHSTI(ref bool Pass);
public static extern int QueryHSTI(ref bool Pass);
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct HstiProviderErrorDuple
{
@ -397,7 +399,7 @@ function Instantiate-HSTI {
[MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)]
internal string ErrorString;
}
[FlagsAttribute]
public enum HstiProviderErrors : int
{
@ -425,8 +427,8 @@ function Instantiate-HSTI {
BlobVersionMismatch = 0x00000080,
PlatformSecurityVersionMismatch = 0x00000100,
ProviderError = 0x00000200
}
}
}
"@
@ -434,9 +436,9 @@ function Instantiate-HSTI {
$FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails")
$FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI")
if ([System.IntPtr]::Size -eq 8)
if ([System.IntPtr]::Size -eq 8)
{
#assuming 64 bit
#assuming 64 bit
Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())"
Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())"
}
@ -450,7 +452,7 @@ function Instantiate-HSTI {
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize)
[byte[]]$blob = New-Object byte[] $blobByteSize
[HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
[HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount
$hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize)
$string = $null
$blob | foreach { $string = $string + $_.ToString("X2")+"," }
@ -479,7 +481,7 @@ function Instantiate-HSTI {
LogAndConsoleError $ErrorMessage
$DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null
}
else
else
{
LogAndConsoleWarning $ErrorMessage
$DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null
@ -487,9 +489,9 @@ function Instantiate-HSTI {
}
}
catch
catch
{
LogAndConsoleError $_.Exception.Message
LogAndConsoleError $_.Exception.Message
LogAndConsoleError "Instantiate-HSTI failed"
}
}
@ -613,10 +615,10 @@ function ExecuteCommandAndLog($_cmd)
$CmdOutput = Invoke-Expression $_cmd | Out-String
Log "Output: $CmdOutput"
}
catch
catch
{
Log "Exception while exectuing $_cmd"
Log $_.Exception.Message
Log $_.Exception.Message
}
@ -676,7 +678,7 @@ function CheckDriverCompat
verifier.exe /flags 0x02000000 /all /log.code_integrity
LogAndConsole "Enabling Driver Verifier and Rebooting system"
Log $verifier_state
Log $verifier_state
LogAndConsole "Please re-execute this script after reboot...."
if($AutoReboot)
{
@ -692,7 +694,7 @@ function CheckDriverCompat
else
{
LogAndConsole "Driver verifier already enabled"
Log $verifier_state
Log $verifier_state
ListDrivers($verifier_state.Trim().ToLowerInvariant())
}
}
@ -700,23 +702,23 @@ function IsDomainController
{
$_isDC = 0
$CompConfig = Get-WmiObject Win32_ComputerSystem
foreach ($ObjItem in $CompConfig)
foreach ($ObjItem in $CompConfig)
{
$Role = $ObjItem.DomainRole
Log "Role=$Role"
Switch ($Role)
Switch ($Role)
{
0 { Log "Standalone Workstation" }
1 { Log "Member Workstation" }
2 { Log "Standalone Server" }
3 { Log "Member Server" }
4
4
{
Log "Backup Domain Controller"
$_isDC=1
break
}
5
5
{
Log "Primary Domain Controller"
$_isDC=1
@ -735,7 +737,7 @@ function CheckOSSKU
Log "OSNAME:$osname"
$SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home")
$HLKAllowed = @("microsoft windows 10 pro")
foreach ($SKUent in $SKUarray)
foreach ($SKUent in $SKUarray)
{
if($osname.ToString().Contains($SKUent.ToLower()))
{
@ -762,7 +764,7 @@ function CheckOSSKU
}
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f '
}
else
else
{
LogAndConsoleError "This PC edition is Unsupported for Device Guard"
$DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null
@ -773,14 +775,14 @@ function CheckOSSKU
function CheckOSArchitecture
{
$OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
Log $OSArch
if($OSArch.Contains("64-bit"))
Log $OSArch
if($OSArch -match ("^64\-?\s?bit"))
{
LogAndConsoleSuccess "64 bit archictecture"
LogAndConsoleSuccess "64 bit architecture"
}
elseif($OSArch.Contains("32-bit"))
elseif($OSArch -match ("^32\-?\s?bit"))
{
LogAndConsoleError "32 bit archictecture"
LogAndConsoleError "32 bit architecture"
$DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
}
else
@ -878,7 +880,7 @@ function CheckTPM
function CheckSecureMOR
{
$isSecureMOR = CheckDGFeatures(4)
Log "isSecureMOR= $isSecureMOR "
Log "isSecureMOR= $isSecureMOR "
if($isSecureMOR -eq 1)
{
LogAndConsoleSuccess "Secure MOR is available"
@ -904,7 +906,7 @@ function CheckSecureMOR
function CheckNXProtection
{
$isNXProtected = CheckDGFeatures(5)
Log "isNXProtected= $isNXProtected "
Log "isNXProtected= $isNXProtected "
if($isNXProtected -eq 1)
{
LogAndConsoleSuccess "NX Protector is available"
@ -921,7 +923,7 @@ function CheckNXProtection
function CheckSMMProtection
{
$isSMMMitigated = CheckDGFeatures(6)
Log "isSMMMitigated= $isSMMMitigated "
Log "isSMMMitigated= $isSMMMitigated "
if($isSMMMitigated -eq 1)
{
LogAndConsoleSuccess "SMM Mitigation is available"
@ -938,15 +940,15 @@ function CheckSMMProtection
function CheckHSTI
{
LogAndConsole "Copying HSTITest.dll"
try
try
{
$HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded)
}
catch
catch
{
LogAndConsole $_.Exception.Message
LogAndConsole $_.Exception.Message
LogAndConsole "Copying and loading HSTITest.dll failed"
}
@ -959,7 +961,7 @@ function PrintToolVersion
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
LogAndConsole ""
LogAndConsole "###########################################################################"
LogAndConsole ""
@ -1030,7 +1032,7 @@ if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -a
}
$user = [Security.Principal.WindowsIdentity]::GetCurrent();
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator)
if(!$TestForAdmin)
{
@ -1065,7 +1067,7 @@ if($Ready)
{
Log "_CGState: $_CGState"
PrintCGDetails $_CGState
if($_CGState)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f'
@ -1077,28 +1079,28 @@ if($Ready)
}
elseif($DG)
{
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
PrintConfigCIDetails $_ConfigCIState
if($_ConfigCIState -and $_HVCIState)
{
LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running."
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f'
}
else
{
LogAndConsoleWarning "Not all services are running."
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f'
}
}
else
else
{
Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState"
PrintCGDetails $_CGState
PrintHVCIDetails $_HVCIState
PrintConfigCIDetails $_ConfigCIState
@ -1147,7 +1149,7 @@ if($Enable)
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f'
}
else
else
{
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f'
ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f'
@ -1158,8 +1160,8 @@ if($Enable)
{
if(!$HVCI -and !$CG)
{
if(!$SIPolicyPath)
{
if(!$SIPolicyPath)
{
Log "Writing Decoded SIPolicy.p7b"
$SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded)
[System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded)
@ -1182,7 +1184,7 @@ if($Enable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately
#Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
@ -1251,7 +1253,7 @@ if($Disable)
if(!$_isRedstone)
{
LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
#Enable/Disable IOMMU seperately
#Enable/Disable IOMMU separately
ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
}
$CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
@ -1270,7 +1272,7 @@ if($Disable)
}
#set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
#these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always
#this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS
$FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random
Log "FreeDrive=$FreeDrive"
@ -1314,7 +1316,7 @@ if($Capable)
}
$_StepCount = 1
if(!$CG)
{
{
LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== "
$_StepCount++
CheckDriverCompat
@ -1323,15 +1325,15 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== "
$_StepCount++
CheckSecureBootState
if(!$HVCI -and !$DG -and !$CG)
{
{
#check only if sub-options are absent
LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== "
$_StepCount++
CheckHSTI
}
LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== "
$_StepCount++
CheckOSArchitecture
@ -1345,11 +1347,11 @@ if($Capable)
CheckVirtualization
if(!$HVCI -and !$DG)
{
{
LogAndConsole " ====================== Step $_StepCount TPM version ====================== "
$_StepCount++
CheckTPM
LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== "
$_StepCount++
CheckSecureMOR
@ -1358,11 +1360,11 @@ if($Capable)
LogAndConsole " ====================== Step $_StepCount NX Protector ====================== "
$_StepCount++
CheckNXProtection
LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== "
$_StepCount++
CheckSMMProtection
LogAndConsole " ====================== End Check ====================== "
LogAndConsole " ====================== Summary ====================== "
@ -1371,7 +1373,6 @@ if($Capable)
}
# SIG # Begin signature block
## REPLACE
# SIG # End signature block

4
windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
View File

@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
* The certificate Subject section should contain the directory path of the server object (the distinguished name).
@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
* The certificate template must have an extension that has the BMP data value "DomainController".
* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
* The domain controller certificate must be installed in the local computer's certificate store.