deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 13:17:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #70 from MicrosoftDocs/master

Browse Source 
4/29 AM Publish
This commit is contained in:
huypub 2019-04-29 10:42:47 -07:00 committed by GitHub
commit 69b4c12a49
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 51 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
View File

@ -296,7 +296,7 @@ The deep link used for connecting your device to work will always use the follow
| Parameter | Description | Supported Value for Windows 10|
|-----------|--------------------------------------------------------------|----------------------------------------------|
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm”, "awa", "aadj" |
| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| MDM (Mobile Device Management), AWA (Adding Work Account), and AADJ (Azure Active Directory Joined). |
|username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string |
| servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string|
| accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string |

12
windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
View File

@ -26,8 +26,8 @@ To configure your environment for BitLocker, you will need to do the following:
3. Configure the operating system deployment task sequence for BitLocker.
4. Configure the rules (CustomSettings.ini) for BitLocker.
**Note**  
Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
>[!NOTE]
>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.
 
For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof).
@ -35,8 +35,8 @@ For the purposes of this topic, we will use DC01, a domain controller that is a
To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.
**Note**  
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
>[!NOTE]
>Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.
 
In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
@ -79,8 +79,8 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor
Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services
4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy.
**Note**  
If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
>[!NOTE]
>If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.
 
### Set permissions in Active Directory for BitLocker

8
windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
View File

@ -21,15 +21,15 @@ This topic is designed to teach you how to use the MDT database to pre-stage inf
MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment.
**Note**  
Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
>[!NOTE]
>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.
 
## <a href="" id="sec02"></a>Create the deployment database
The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01.
**Note**  
Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
>[!NOTE]
>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.
 
1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**.
2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**:

5
windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
View File

@ -195,6 +195,11 @@ Upgrade Readiness only collects app inventory on devices that are not yet upgrad
Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.)
Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level.
There are two additional configurations to check:
1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction.
2. Make sure IE is not running in InPrivate mode.
Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded).
>[!NOTE]

3
windows/deployment/update/windows-update-troubleshooting.md
View File

@ -20,7 +20,8 @@ If you run into problems when using Windows Update, start with the following ste
1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**.
2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from theMicrosoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU.
3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
- [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history)
- [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history)
- [Windows 10, version 1709](https://support.microsoft.com/help/4043454)
- [Windows 10, version 1703](https://support.microsoft.com/help/4018124)

2
windows/deployment/usmt/usmt-scanstate-syntax.md
View File

@ -89,7 +89,7 @@ To create an encrypted store using the Config.xml file and the default migration
<tbody>
<tr class="odd">
<td align="left"><p><em>StorePath</em></p></td>
<td align="left"><p>Indicates a folder where files and settings will be saved. Note that <em>StorePath</em> cannot be <strong>c:\</strong>. You must specify the <em>StorePath</em> option in the <strong>ScanState</strong> command, except when using the <strong>/genconfig</strong> option. You cannot specify more than one <em>StorePath</em> location.</p></td>
<td align="left"><p>Indicates a folder where files and settings will be saved. Note that <em>StorePath</em> cannot be <strong>C:&#92;</strong>. You must specify the <em>StorePath</em> option in the <strong>ScanState</strong> command, except when using the <strong>/genconfig</strong> option. You cannot specify more than one <em>StorePath</em> location.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>/apps</strong></p></td>

17
windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
View File

@ -22,11 +22,11 @@ ms.date: 08/19/2018
Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.<br>
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.<br>
[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)<br>
[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)<br>
[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)<br>
[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)<br>
[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)<br>
[Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)<br>
[Azure AD join authentication to Active Directory using a Key](#azure-ad-join-authentication-to-active-directory-using-a-key)<br>
[Azure AD join authentication to Active Directory using a Certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)<br>
[Hybrid Azure AD join authentication using a Key](#hybrid-azure-ad-join-authentication-using-a-key)<br>
[Hybrid Azure AD join authentication using a Certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)<br>
## Azure AD join authentication to Azure Active Directory
@ -40,7 +40,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.|
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
[Return to top](#Windows-Hello-for-Business-and-Authentication)
## Azure AD join authentication to Active Directory using a Key
![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png)
@ -52,7 +51,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
[Return to top](#Windows-Hello-for-Business-and-Authentication)
## Azure AD join authentication to Active Directory using a Certificate
![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png)
@ -62,7 +60,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.<br>The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.|
|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.|
[Return to top](#Windows-Hello-for-Business-and-Authentication)
## Hybrid Azure AD join authentication using a Key
![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png)
@ -76,7 +73,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
[Return to top](#Windows-Hello-for-Business-and-Authentication)
## Hybrid Azure AD join authentication using a Certificate
![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png)
@ -90,6 +86,3 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.|
|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.<br>The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.<br>The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
[Return to top](#Windows-Hello-for-Business-and-Authentication)

2
windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
View File

@ -28,7 +28,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)<br>
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-federated-environment)<br>
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)<br>
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)<br>
[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)<br>

10
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -29,12 +29,14 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h
## Managing devices joined to Azure Active Directory
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
This is applicable to Azure Hybrid AD as well.
## Managing workplace-joined PCs and phones
@ -51,7 +53,7 @@ If you are installing a server manually, such as a stand-alone server, then choo
Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles).
For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).
## PowerShell examples
@ -134,4 +136,4 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell)
[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)

18
windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
View File

@ -50,6 +50,24 @@ As a result, if the currently used PCR bank is switched all keys that have been
Before switching PCR banks you should suspend or disable BitLocker or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor.
## How can I identify which PCR bank is being used?
A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active.
- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices<br>
- DWORD: TPMActivePCRBanks<br>
- Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.<br>
Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met.
You can identify which PCR bank is currently used by Windows by looking at the registry.
- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices<br>
- DWORD: TPMDigestAlgID<br>
- Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)<br>
Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted.
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)

4
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
View File

@ -72,11 +72,11 @@ If you've tested the feature with the demo site and with audit mode, and network
When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues.
1. Open an elevated command prompt and change to the Windows Defender directory:
```console
```
cd c:\program files\windows defender
```
2. Run this command to generate the diagnostic logs:
```console
```
mpcmdrun -getfiles
```
3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form.