Merge pull request #2927 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

windows/security/identity-protection/credential-guard/dg-readiness-tool.md

@@ -14,11 +14,13 @@ ms.collection: M365-identity-device-management
 ms.topic: article
 ms.reviewer: 
 ---
+
 # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 
 ```powershell
-# Script to find out if machine is Device Guard compliant
-# requires driver verifier on system.
+# Script to find out if a machine is Device Guard compliant.
+# The script requires a driver verifier present on the system.
+
 param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier)
 
 $path = "C:\DGLogs\"
@@ -774,13 +776,13 @@ function CheckOSArchitecture
 {
     $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower()
     Log $OSArch
-    if($OSArch.Contains("64-bit"))
+    if($OSArch -match ("^64\-?\s?bit"))
     {
-        LogAndConsoleSuccess "64 bit archictecture"
+        LogAndConsoleSuccess "64 bit architecture"
     }
-    elseif($OSArch.Contains("32-bit"))
+    elseif($OSArch -match ("^32\-?\s?bit"))
     {
-        LogAndConsoleError "32 bit  archictecture"   
+        LogAndConsoleError "32 bit architecture"
         $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null
     }
     else
@@ -959,7 +961,7 @@ function PrintToolVersion
     LogAndConsole ""
     LogAndConsole "###########################################################################"
     LogAndConsole ""
-    LogAndConsole "Readiness Tool Version 3.7.1 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
+    LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard."
     LogAndConsole ""
     LogAndConsole "###########################################################################"
     LogAndConsole ""
@@ -1182,7 +1184,7 @@ if($Enable)
     if(!$_isRedstone)
     {
         LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately"
-        #Enable/Disable IOMMU seperately
+        #Enable/Disable IOMMU separately
         ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart'
     }
     $CmdOutput =  DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String
@@ -1251,7 +1253,7 @@ if($Disable)
         if(!$_isRedstone)
         {
             LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately"
-            #Enable/Disable IOMMU seperately
+            #Enable/Disable IOMMU separately
             ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart'
         }
         $CmdOutput =  DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String
@@ -1371,7 +1373,6 @@ if($Capable)
 }
 
 
-
 # SIG # Begin signature block
 ## REPLACE
 # SIG # End signature block

windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md

@@ -63,7 +63,7 @@ The Windows Hello for Business deployment depends on an enterprise public key in
 
 Key trust deployments do not need client issued certificates for on-premises authentication.  Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
 
-The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
+The minimum required Enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party Enterprise certification authority. The requirements for the domain controller certificate are shown below. For more details, see [Requirements for domain controller certificates from a third-party CA](https://support.microsoft.com/help/291010/requirements-for-domain-controller-certificates-from-a-third-party-ca).
 
 * The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
 * The certificate Subject section should contain the directory path of the server object (the distinguished name).
@@ -71,7 +71,7 @@ The minimum required enterprise certificate authority that can be used with Wind
 * Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
 * The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1), and KDC Authentication (1.3.6.1.5.2.3.5).
 * The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.  
-* The certificate template must have an extension that has the BMP data value "DomainController".
+* The certificate template must have an extension that has the value "DomainController", encoded as a [BMPstring](https://docs.microsoft.com/windows/win32/seccertenroll/about-bmpstring). If you are using Windows Server Enterprise Certificate Authority, this extension is already included in the domain controller certificate template.
 * The domain controller certificate must be installed in the local computer's certificate store.