From 059af48a09da3f016bab69ecac22e7fd0057c423 Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 5 Apr 2017 17:21:15 -0700 Subject: [PATCH 1/4] fixed examples --- .../overview-of-threat-mitigations-in-windows-10.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md index 3b315d321b..ff8d0da12b 100644 --- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md @@ -419,10 +419,10 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath Date: Wed, 5 Apr 2017 17:36:19 -0700 Subject: [PATCH 2/4] Edits to cred_guard manage --- .../keep-secure/credential-guard-manage.md | 67 +++++++++++++------ 1 file changed, 45 insertions(+), 22 deletions(-) diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md index a70d85eb17..d2fcbe101f 100644 --- a/windows/keep-secure/credential-guard-manage.md +++ b/windows/keep-secure/credential-guard-manage.md @@ -1,4 +1,4 @@ ---- +--- title: Manage Credential Guard (Windows 10) description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool. ms.prod: w10 
@@ -19,7 +19,9 @@ Prefer video? See [Protecting privileged users with Credential Guard](https://mv in the Deep Dive into Credential Guard video series. ## Enable Credential Guard -Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). +Credential Guard can be enabled either by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines. + ### Enable Credential Guard by using Group Policy @@ -41,7 +43,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```. If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems. -### Add the virtualization-based security features +#### Add the virtualization-based security features Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped. @@ -74,7 +76,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. -### Enable virtualization-based security and Credential Guard +#### Enable virtualization-based security and Credential Guard 1. Open Registry Editor. 2. Enable virtualization-based security: 
@@ -101,22 +103,16 @@ DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot ### Credential Guard deployment in virtual machines -Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine. +Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host. -Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine: +#### Requirements for running Credential Guard in Hyper-V virtual machines -``` PowerShell -Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true -``` - -Requirements for running Credential Guard in Hyper-V virtual machines - The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10. +### Review Credential Guard performance -### Check that Credential Guard is running - -You can use System Information to ensure that Credential Guard is running on a PC. +You can view System Information to check that Credential Guard is running on a PC. 1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. 2. Click **System Summary**. 
@@ -132,10 +128,31 @@ You can also check that Credential Guard is running by using the [Device Guard a DG_Readiness_Tool_v3.0.ps1 -Ready ``` +- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain. -### Remove Credential Guard +- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: + - **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials. + - **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0 + - The first variable: 0x1 means Credential Guard is configured to run. 0x0 means it’s not configured to run. + - The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0. + - **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard. + - **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\] + - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] + You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. + - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. 
+- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. +- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. +- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. -If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). +- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. 
Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: + - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". + - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. + - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. + - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. + +## Disable Credential Guard + +If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). 1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -> **Administrative Templates** -> **System** -> **Device Guard** -> **Turn on Virtualization Based Security**). 2. Delete the following registry settings: 
@@ -146,11 +163,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of > [!IMPORTANT] > If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery. -3. Delete the Credential Guard EFI variables by using bcdedit. - -**Delete the Credential Guard EFI variables** - -1. From an elevated command prompt, type the following commands: +3. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands: ``` syntax mountvol X: /s @@ -180,7 +193,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md). -#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool +#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). @@ -188,5 +201,15 @@ You can also disable Credential Guard by using the [Device Guard and Credential DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot ``` +#### Disable Credential Guard for a virtual machine + +From the host, you can disable Credential Guard for a virtual machine: + +``` PowerShell +Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true +``` + + + From 3d2e3d62c023c5afa8c7412335e2fe768ab0d393 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 6 Apr 2017 08:34:37 -0700 Subject: [PATCH 3/4] updating chassistype description --- .../basic-level-windows-diagnostic-events-and-fields.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md index f62ad1e526..738d97b024 100644 --- a/windows/configure/basic-level-windows-diagnostic-events-and-fields.md +++ b/windows/configure/basic-level-windows-diagnostic-events-and-fields.md @@ -1491,7 +1491,7 @@ This event sends data about the device, including hardware type, OEM brand, mode The following fields are available: -- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 24. +- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. - **DeviceColor** Indicates a color of the device. - **DeviceName** The device name that is set by the user. From f098ee755835b24f03ca7b217122292bb9dbc5a6 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Thu, 6 Apr 2017 09:31:26 -0700 Subject: [PATCH 4/4] Removed known issues heading --- ...redential-guard-not-protected-scenarios.md | 36 ------------------- 1 file changed, 36 deletions(-) diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md index a62da81098..bce8580dfb 100644 --- a/windows/keep-secure/credential-guard-not-protected-scenarios.md +++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md 
@@ -634,42 +634,6 @@ write-host $tmp -Foreground Red > [!NOTE] > If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter. - - - -## Troubleshooting Credential Guard - - - -### Known Issues - -Microsoft is aware of certain issues with Credential Guard that affect client machines that run Windows 10. -• For devices with Credential Guard enabled, a sign-in attempt that fails because of a bad password counts as two bad password attempts instead of one. Consequently, if your enterprise has an account lockout policy based on a certain number of failed password attempts, that threshold will be reached in half the number of attempts. - -This issue has been resolved for clients that run Windows 10 version 1703. For clients that run Windows 10 version 1607, a hotfix is available for download to resolve the issue. For clients that run Windows 10 versions 1507 or 1511, no hotfix is available. For those operating systems, to resolve the issue, you can upgrade the client to a later version of Windows 10. As a workaround, administrators can either choose to increase the account lockout threshold accordingly, consistent with current security policy, or can disable Credential Guard. For further information, see Credential Guard generates double bad password count - -Credential guard has known issues on Windows 10 when used with certain third-party applications: - -• Applications Appsense and Lumension E S. are known to cause high CPU utilization on Windows 10 client machines with credential guard enabled. -• Citrix Applications are known to cause high CPU utilization on Windows 10 client machines. This issue is currently under investigation. -• Cisco Proxy Agents are known to cause authentication failure on Windows 10 client machines. This issue is currently under investigation. 
-• Client machines with Credential Guard enabled cannot access shares on For further information see: Machines with Credential Guard enabled unable to connect to IBM File Servers - - - - - - -### How-to - - - - - - - - - ## See also **Deep Dive into Credential Guard: Related videos**
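Review bot: In the credential-guard-manage.md hunk at @@ -1,4 +1,4 @@ the removed and added lines are textually identical (`---`), so this change is almost certainly a byte-order mark or line-ending difference rather than content; confirm it is intentional, since an accidental BOM removal can change how the YAML front matter is parsed by the docs build.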
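Review bot: In the credential-guard-manage.md hunk at @@ -19,7 +19,9 @@ the new sentence "Credential Guard can be enabled either by using Group Policy, the registry, or the ... hardware readiness tool" uses "either" with three alternatives; drop "either" (the original wording was correct). The two added sentences about Hyper-V virtual machines also duplicate the "Credential Guard deployment in virtual machines" section, which already opens with "Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine"; suggest replacing them with a single pointer to that section instead of stating the same thing twice.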
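Review bot: In the credential-guard-manage.md hunk at @@ -101,22 +103,16 @@ the heading "### Review Credential Guard performance" does not match the section body, which is about confirming that Credential Guard is running ("You can view System Information to check that Credential Guard is running on a PC", followed by the msinfo32 steps); keep a heading such as "Check that Credential Guard is running" or "Verify that Credential Guard is running". The rewritten VM paragraph also changes the security claim: "protects secrets from non-privileged access inside the VM" becomes "secrets are protected from attacks inside the VM", which drops the qualifier and reads as an unconditional guarantee. If the intent is only to say the protection inside the guest is the same as on a physical machine, state that explicitly, and consider keeping a pointer to where the host-side opt-out (`Set-VMSecurity ... -VirtualizationBasedSecurityOptOut $true`, moved out of this section) is now documented, since that command is the concrete reason the host is outside the protection boundary.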
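Review bot: In the credential-guard-manage.md hunk at @@ -132,10 +128,31 @@ the Event ID 51 sample line contradicts the sentence that introduces it: the text says "If you are running with a TPM, the TPM PCR mask value will be something other than 0", but the sample event ends with "TPM PCR mask: 0x0", which by that rule indicates a TPM is not in use. Either show a sample with a non-zero mask or state that the sample shows the no-TPM case. The new bullet list also starts directly after the `DG_Readiness_Tool_v3.0.ps1 -Ready` code block with no lead-in sentence, and it mixes verification guidance (the WinInit event IDs) with deployment considerations (passwords, third-party SSPs, Credential Manager behaviour); a short introductory sentence or a separate "Considerations" subheading would make the section easier to follow. Minor grammar: "Any use of undocumented APIs within custom SSPs and APs are not supported" should read "is not supported", and "3rd party" should be "third-party" for consistency with the rest of the docs.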
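Review bot: In the credential-guard-manage.md hunk at @@ -180,7 +193,7 @@ the heading is renamed from "Turn off Credential Guard by using the ... hardware readiness tool" to "Disable Credential Guard by using the ... hardware readiness tool", while the Disable section intro still links to `#turn-off-with-hardware-readiness-tool`; verify that this anchor is defined independently of the heading text (for example by an explicit anchor element) so the in-page link still resolves after the rename.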
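Review bot: In the credential-guard-manage.md hunk at @@ -188,5 +201,15 @@ the new "Disable Credential Guard for a virtual machine" section gives the command `Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true` with no value after `-VMName`; as rendered here the parameter has no placeholder, so check that the source has one (and that it is not being stripped as markup). The section should also say what the opt-out does to the guest, namely that it turns off virtualization-based security for that VM from the host, which is the concrete form of the "attacks originating from the host" statement in the deployment section; a one-line cross-reference between the two sections would help. The hunk also adds three trailing blank lines at the end of the file, which should be removed.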
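Review bot: In the basic-level-windows-diagnostic-events-and-fields.md hunk at @@ -1491,7 +1491,7 @@ the **ChassisType** range is changed from "1 - 24" to "1 - 36" without any source for the new upper bound; since the neighbouring **ComputerHardwareID** field is described in terms of SMBIOS, name the SMBIOS System Enclosure/Chassis type enumeration this field is taken from so the range can be verified against the spec version Windows reports. Style: write the range as "1 to 36" or "1-36" rather than "1 - 36".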
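Review bot: In the credential-guard-not-protected-scenarios.md hunk at @@ -634,42 +634,6 @@ the commit message says "Removed known issues heading", but the hunk deletes the entire Troubleshooting / Known Issues section, including the double bad-password-count issue (a sign-in failure counting as two attempts, so an account lockout threshold is reached in half the attempts), its resolution status per Windows 10 version (fixed in 1703, hotfix for 1607, none for 1507/1511), the workaround, and the list of third-party applications with known problems. If that material is being moved to another page, the commit message should say where; if it is simply being dropped, this is a loss of documented, operationally relevant information and should be reconsidered. Note also that the removed text contained two dangling references with no link ("see Credential Guard generates double bad password count" and the truncated "cannot access shares on For further information see: ..."), so if the section is restored those should be fixed rather than deleted. Removing the empty "### How-to" heading is fine.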