From 40d1d6559fd7220d3a2248c655252d22effecefd Mon Sep 17 00:00:00 2001 From: afirodiya <42394035+afirodiya@users.noreply.github.com> Date: Tue, 5 Oct 2021 15:50:09 -0700 Subject: [PATCH 01/37] Update enable-virtualization-based-protection-of-code-integrity.md --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index ea4b252a30..03ca52bd5e 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -311,6 +311,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. -- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time +- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable HyperV role on the VM, first install the HyperV role in a Windows nested virtualization environment. - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. From 4e77f2107da79f8bf2fcbfedd06413d6d51e89d9 Mon Sep 17 00:00:00 2001 From: Alice-at-Microsoft <79878795+Alice-at-Microsoft@users.noreply.github.com> Date: Thu, 7 Oct 2021 17:02:06 -0700 Subject: [PATCH 02/37] Add content on safeguards --- .../deployment/update/deployment-service-overview.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 546749d1dd..28854e1093 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md 
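Review bot: the sentence added to the nested-virtualization bullet in PATCH 01 is circular: "To enable HyperV role on the VM, first install the HyperV role in a Windows nested virtualization environment" tells the reader to install the role in order to enable the role and never names the real prerequisite. State the concrete step instead, for example that the host must expose virtualization extensions to the VM (`Set-VMProcessor -VMName <name> -ExposeVirtualizationExtensions $true`, with the VM off) before the Hyper-V role can be added inside the guest, and write "the Hyper-V role" so the product name matches the rest of the list and the linked nested-virtualization article.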
@@ -29,6 +29,7 @@ The deployment service is designed for IT Pros who are looking for more control - You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021). - You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise. - You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization. +- You can leverage safeguards against likely update issues, as identified by Microsoft machine learning algorithms, and automatically put the deployment on hold for any affected devices. The service is privacy focused and backed by leading industry compliance certifications. @@ -52,7 +53,6 @@ Using the deployment service typically follows a common pattern: 2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service. 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates. - The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager. ## Prerequisites @@ -74,7 +74,6 @@ Additionally, your organization must have one of the following subscriptions: - Windows Virtual Desktop Access E3 or E5 - Microsoft 365 Business Premium - ## Getting started To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application. 
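Review bot: the @@ -52,7 and @@ -74,7 hunks only delete blank lines (before "The deployment service exposes these capabilities…", "## Prerequisites" and "## Getting started"), which has nothing to do with the safeguards content this commit is titled for; keep whitespace churn out of a content change so it can be reviewed and reverted on its own. In the @@ -29,6 hunk the new bullet promises that safeguards "automatically put the deployment on hold for any affected devices" with no qualifier, while the section added later in this same patch limits the likely-issue holds to Windows 11 deployments; either qualify the bullet or make the section match so the page does not contradict itself.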
@@ -87,7 +86,6 @@ Microsoft Endpoint Manager integrates with the deployment service to provide Win The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started). - ### Building your own application Microsoft Graph makes deployment service APIs available through. Get started with these learning paths: 
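Review bot: this hunk removes only the blank line before "### Building your own application" and should be dropped from a content commit; while touching this spot, the context line under it, "Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:", ends mid-sentence ("available through." with no object) and is left broken by this patch and by the two later commits that edit this file.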
@@ -113,14 +111,17 @@ This built-in piloting capability complements your existing ring structure and p You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring. +### Safeguard holds against likely and known issues + +[Safeguard holds](https://docs.microsoft.com/windows/deployment/update/safeguard-holds) are a key technology Microsoft uses to protect devices from encountering known quality or compatibility issues, by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing post-update issues (such as OS rollbacks, app crashes, or graphics issues) and temporarily puts the deployment on hold for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you may opt out if desired. + ### Monitoring deployments to detect rollback issues During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. - ### How to enable deployment protections -Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your organization, devices must share diagnostic data with Microsoft. +Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. #### Device prerequisites 
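Review bot: the new "Safeguard holds" paragraph links with an absolute URL (https://docs.microsoft.com/windows/deployment/update/safeguard-holds) while every other link in this file is site-relative (/graph/overview, /graph/powershell/get-started); use the relative form. The paragraph also says "you may opt out if desired" without naming the control, and since opting out removes a protection that is on by default, say where the opt-out lives (policy, Graph property or Endpoint Manager setting) or link to it. In the "How to enable deployment protections" hunk, "tailored to your population" is ambiguous on its own; the bullet earlier in the file says "your unique device population", so use "device population" here as well.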
@@ -174,7 +175,6 @@ Follow these suggestions for the best results with the service. Avoid using different channels to manage the same resources. If you use Microsoft Endpoint Manager along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. - ## Next steps To learn more about the deployment service, try the following: From f6d6c426d78f33a770ea693b721bf81fea31a3ca Mon Sep 17 00:00:00 2001 From: afirodiya <42394035+afirodiya@users.noreply.github.com> Date: Fri, 8 Oct 2021 10:13:58 -0700 Subject: [PATCH 03/37] Update windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 03ca52bd5e..5d7ffa6cd9 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
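Review bot: the @@ -174,7 hunk removes only the blank line before "## Next steps"; it is whitespace-only and unrelated to the safeguards content, so drop it from this commit.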
@@ -311,6 +311,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. -- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable HyperV role on the VM, first install the HyperV role in a Windows nested virtualization environment. +- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the HyperV role on the virtual machine, you must first install the HyperV role in a Windows nested virtualization environment. - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. From 4988c8cf4f59a11fac5eca1f9e698ff78d5eb486 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 12 Oct 2021 11:30:07 +0530 Subject: [PATCH 04/37] 5488965- EICC Updates-Reimplement Re-implemented EICC CSP updates as per task : 5488965 (Need to go through and re-implement these text changes if they are not already present: CSP changes - https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9138 DDF changes - https://github.com/MicrosoftDocs/windows-itpro-docs/pull/9137) --- windows/client-management/mdm/euiccs-csp.md | 30 +++ .../client-management/mdm/euiccs-ddf-file.md | 206 +++++++++++++++++- 2 files changed, 233 insertions(+), 3 deletions(-) 
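Review bot: the reworded bullet in PATCH 03 is still circular: "To enable the HyperV role on the virtual machine, you must first install the HyperV role in a Windows nested virtualization environment" says install X to enable X. Replace it with the actual prerequisite, i.e. that nested virtualization must be turned on for the VM from the host (`Set-VMProcessor -VMName <name> -ExposeVirtualizationExtensions $true` while the VM is off) before the Hyper-V role can be installed in the guest, and hyphenate "Hyper-V" as the surrounding bullets do; the linked nested-virtualization article is the natural place to point readers to for that step.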
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 97ae6b939f..c9219f4340 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md 
@@ -62,6 +62,36 @@ Required. Indicates whether this eUICC is physically present and active. Updated Supported operation is Get. Value type is boolean. +**_eUICC_/PPR1Allowed** +Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/PPR1AlreadySet** +Required. Indicates whether the eUICC already has a profile with PPR1. + +Supported operation is Get. Value type is boolean. + +**_eUICC_/DownloadServers** +Interior node. Represents default SM-DP+ discovery requests. + +Supported operation is Get. + +**_eUICC_/DownloadServers/_ServerName_** +Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + +Supported operations are Add, Get, and Delete. + +**_eUICC_/DownloadServers/_ServerName_/DiscoveryState** +Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + +Supported operation is Get. Value type is integer. Default value is 1. + +**_eUICC_/DownloadServers/_ServerName_/AutoEnable** +Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + +Supported operations are Add, Get, and Replace. Value type is bool. + **_eUICC_/Profiles** Interior node. Required. Represents all enterprise-owned profiles. diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md index 38bb8e5f6f..f7d0851746 100644 
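Review bot: the PPR1Allowed entry opens with "Profile Policy Rule 1 (PPR1) is required.", which reads as a statement about the policy rule rather than the node; every other node in this file opens with "Required." or "Optional.", so write "Required. Indicates whether the download of a profile with PPR1 is allowed…" and, if the expansion of PPR1 is wanted, put it in its own sentence. AutoEnable says "Value type is bool." where PPR1Allowed and PPR1AlreadySet say "Value type is boolean."; use one form. DiscoveryState defines a Failed (4) state, but nothing under DownloadServers/_ServerName_ reports why discovery failed, whereas the profile subtree gains an ErrorDetail node in the DDF half of this patch; document how the failure cause is surfaced or add a matching node. Since creating a _ServerName_ node with an MDM-supplied FQDN triggers a network discovery request on its own, the entry should also say whether that request is subject to the same SM-DP+ server authentication as a profile download.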
--- a/windows/client-management/mdm/euiccs-ddf-file.md +++ b/windows/client-management/mdm/euiccs-ddf-file.md @@ -49,7 +49,7 @@ The XML below if for Windows 10, version 1803. - com.microsoft/1.1/MDM/eUICCs + com.microsoft/1.2/MDM/eUICCs @@ -58,7 +58,7 @@ The XML below if for Windows 10, version 1803. - Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC. + Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC. @@ -79,7 +79,7 @@ The XML below if for Windows 10, version 1803. - Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID. + The EID. 
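Review bot: the @@ -58 and @@ -79 hunks change the eUICC node name from an implementation-specific value ("e.g., this could be a SHA-256 hash of the EID") to "the EID" itself, which is a behaviour change visible to any MDM server that keys off the node name, not a documentation cleanup; the commit message should call it out. The csp.md half of this patch is pure insertions (diffstat "30 +++", no deletions), so its existing description of the _eUICC_ node is not updated to match; verify the two pages agree. The version string becomes com.microsoft/1.2/MDM/eUICCs while the unchanged context still reads "The XML below if for Windows 10, version 1803" (typo: "is"); say which Windows release ships 1.2 so readers do not apply the 1.2 DDF to 1803 devices.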
@@ -118,6 +118,139 @@ The XML below if for Windows 10, version 1803. + + PPR1Allowed + + + + + Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed. + + + + + + + + + + + text/plain + + + + + PPR1AlreadySet + + + + + Indicates whether the eUICC already has a profile with PPR1. + + + + + + + + + + + text/plain + + + + + DownloadServers + + + + + Represents default SM-DP+ discovery requests. + + + + + + + + + + + + + + + + + + + + + + + Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request. + + + + + + + + + + ServerName + + + + + + DiscoveryState + + + + + 1 + Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA. + + + + + + + + + + + text/plain + + + + + AutoEnable + + + + + + + Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created. + + + + + + + + + + + text/plain + + + + + Profiles @@ -145,6 +278,7 @@ The XML below if for Windows 10, version 1803. + Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC). @@ -167,6 +301,7 @@ The XML below if for Windows 10, version 1803. + Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created. 
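Review bot: the XML element tags in this hunk were stripped by extraction, so only the descriptions and default values can be reviewed here. DiscoveryState carries a default of 1 (Requested), but AutoEnable shows no default even though its description says it "must be set by the MDM when the ServerName subtree is created"; state what the LPA does when a _ServerName_ node is created without AutoEnable (treat as false, or refuse to start discovery) so the behaviour is not left to the implementation. The _ServerName_ description also omits the "Optional." qualifier that the csp.md entry for the same node gives; keep the two descriptions identical.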
@@ -192,6 +327,7 @@ The XML below if for Windows 10, version 1803. + Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created. @@ -256,6 +392,70 @@ The XML below if for Windows 10, version 1803. + + PPR1Set + + + + + This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + PPR2Set + + + + + This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise). + + + + + + + + + + + text/plain + + + + + ErrorDetail + + + + + 0 + Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14). + + + + + + + + + + + text/plain + + + From ad7c23fb423ad6dd25f8a3a9b3c5ebbad27df06c Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Tue, 12 Oct 2021 18:01:36 -0700 Subject: [PATCH 05/37] adding new message around WHFB cloud trust --- .../hello-for-business/hello-deployment-guide.md | 5 ++++- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++++ .../hello-for-business/hello-identity-verification.md | 5 ++++- .../identity-protection/hello-for-business/hello-overview.md | 3 +++ .../hello-for-business/hello-planning-guide.md | 3 +++ 5 files changed, 18 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 80a1ca91b3..4e7d1f7942 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md 
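Review bot: the ErrorDetail enumeration skips values 2, 4 and 9 (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, …, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10); say whether those values are reserved or were dropped by mistake, otherwise an MDM that receives them has no documented meaning. The PPR1Set and PPR2Set descriptions are double negatives ("indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise)"); write "true if the profile cannot be disabled" and "true if the profile cannot be deleted". Finally, PPR1Set, PPR2Set and ErrorDetail are added under _ICCID_ only in this DDF; the euiccs-csp.md hunk earlier in this patch adds nothing under _eUICC_/Profiles/_ICCID_, so the reference page and the DDF will disagree.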
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -50,7 +50,10 @@ Do not begin your deployment until the hosting servers and infrastructure (not r ## Deployment and trust models -Windows Hello for Business has three deployment models: Cloud, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. +Windows Hello for Business has three deployment models: Azure AD cloud only, hybrid, and on-premises. Hybrid and on-premises deployment models have two trust models: *Key trust* and *certificate trust*. + +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. Hybrid deployments are for enterprises that use Azure Active Directory. On-premises deployments are for enterprises who exclusively use on-premises Active Directory. Remember that the environments that use Azure Active Directory must use the hybrid deployment model for all domains in that forest. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 735e563fb8..a11d68959d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
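Review bot: the cloud-trust NOTE block added here is pasted verbatim into five files in this patch (deployment guide, FAQ, identity verification, overview, planning guide), and it carries a date ("early 2022") and a promise that will have to be edited out once the feature is generally available; pull the text from one shared snippet with an `[!INCLUDE [...](...)]` so it can be updated or removed in a single place rather than five.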
@@ -25,6 +25,10 @@ summary: | sections: - name: Ignored questions: + - question: What is Windows Hello for Business cloud trust? + answer: | + Windows Hello for Business cloud trust is a new trust model that is planned to be introduced in early 2022. This trust model will enable Windows Hello for Business deployment using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + - question: What about virtual smart cards? answer: | Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future, but no date is set at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends that new Windows 10 deployments use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 3660d85201..26a25c7342 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -22,7 +22,7 @@ ms.date: 1/22/2021 This article lists the infrastructure requirements for the different deployment models for Windows Hello for Business. -## Cloud Only Deployment +## Azure AD Cloud Only Deployment * Windows 10, version 1511 or later, or Windows 11 * Microsoft Azure Account 
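Review bot: renaming "## Cloud Only Deployment" to "## Azure AD Cloud Only Deployment" in hello-identity-verification.md changes the rendered anchor from #cloud-only-deployment to #azure-ad-cloud-only-deployment and breaks every inbound link to the old anchor; this patch updates none of them (PATCH 06 in this series fixes one in hello-aad-join-cloud-only-deploy.md), so search the repo for the old anchor and fix the rest in the same commit as the rename. The FAQ answer also repeats the NOTE text word for word; if the FAQ must carry it, phrase it as an answer rather than duplicating the note.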
@@ -35,6 +35,9 @@ This article lists the infrastructure requirements for the different deployment The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | | Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index cd38c11105..b191dbc916 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -97,6 +97,9 @@ Windows Hello for Business can use either keys (hardware or software) or certifi Windows Hello for Business with a key does not support supplied credentials for RDP. RDP does not support authentication with a key or a self signed certificate. RDP with Windows Hello for Business is supported with certificate based deployments as a supplied credential. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](../remote-credential-guard.md). +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + ## Learn more [Implementing strong user authentication with Windows Hello for Business](https://www.microsoft.com/en-us/itshowcase/implementing-strong-user-authentication-with-windows-hello-for-business) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 617be85699..d0de57c65c 100644 
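Review bot: in the hello-identity-verification.md @@ -35 hunk the NOTE is inserted between the sentence "The table shows the minimum requirements for each deployment…" and the table it introduces, separating the two; place the note above that sentence or below the table. In the hello-overview.md @@ -97 hunk the note lands after the RDP / Remote Credential Guard paragraph and directly before "## Learn more", where it reads as a continuation of the RDP discussion; move it up under the paragraph that introduces the trust models ("Windows Hello for Business can use either keys (hardware or software) or certificates…"), which is where a reader looks for trust-model information.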
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -95,6 +95,9 @@ It's fundamentally important to understand which deployment model to use for a s A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory. There are two trust types: key trust and certificate trust. +> [!NOTE] +> Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. + The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 or later domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers (but still requires [Windows Server 2016 or later Active Directory schema](./hello-hybrid-cert-trust-prereqs.md#directories)). Users can use their certificate to authenticate to any Windows Server 2008 R2, or later, domain controller. 
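Review bot: the note is inserted immediately after the context line "There are two trust types: key trust and certificate trust." and then announces a third, so the page contradicts itself within two lines; change the sentence to "There are currently two trust types…" or move the note below the two trust-type paragraphs that follow. The new wording should also stay identical to the four other copies of the note in this patch.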
From 983e42ac90688abaa1d375d0122da7796af33557 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Tue, 12 Oct 2021 18:21:44 -0700 Subject: [PATCH 06/37] fixing reference to Azure AD cloud only deployment --- .../hello-for-business/hello-aad-join-cloud-only-deploy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index aa4d0faa2f..8e5fd2f049 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -31,7 +31,7 @@ You may wish to disable the automatic Windows Hello for Business enrollment prom Cloud only deployments will use Azure AD multi-factor authentication (MFA) during Windows Hello for Business (WHfB) enrollment and there's no additional MFA configuration needed. If you aren't already registered in Azure AD MFA, you will be guided though the MFA registration as part of the Windows Hello for Business enrollment process. -The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#cloud-only-deployment). +The necessary Windows Hello for Business prerequisites are located at [Cloud Only Deployment](hello-identity-verification.md#azure-ad-cloud-only-deployment). Also note that it's possible for federated domains to enable the “Supports MFA” flag in your federated domain settings. This flag tells Azure AD that the federated IDP will perform the MFA challenge. From b9601479b32f556843bc249f70b074af20fd3444 Mon Sep 17 00:00:00 2001 
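Review bot: the anchor fix in PATCH 06 repairs a link that PATCH 05 broke by renaming the heading; squash it into PATCH 05 so no intermediate commit leaves the link dead. The link text still reads "Cloud Only Deployment" while the target heading is now "Azure AD Cloud Only Deployment"; update the text to match the heading.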
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 14 Oct 2021 16:30:06 +0500 Subject: [PATCH 07/37] Update enroll-a-windows-10-device-automatically-using-group-policy.md --- ...roll-a-windows-10-device-automatically-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index c9f13235e0..8c53bccf46 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -214,7 +214,7 @@ Requirements: If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain. -6. Wait for the SYSVOL DFSR replication to be completed and then restart the Domain Controller for the policy to be available. +6. Wait for the SYSVOL DFSR replication to be completed for the policy to be available. This procedure will work for any future version as well. From 3a1a328871814a1eba09911934a532369292e7c3 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Thu, 14 Oct 2021 08:51:26 -0700 Subject: [PATCH 08/37] Update deployment-service-overview.md Small updates for style; corrected article cross-link. --- windows/deployment/update/deployment-service-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 28854e1093..6064c7ae15 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md 
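Review bot: the PATCH 07 hunk drops "and then restart the Domain Controller" from step 6 without any rationale in the commit message, and that is a behavioural claim (the ADMX/ADML files copied into PolicyDefinitions become usable as soon as SYSVOL replication completes, with no DC restart); state that reason in the message so the removal is reviewable. The resulting sentence, "Wait for the SYSVOL DFSR replication to be completed for the policy to be available", is awkward; suggest "Wait for SYSVOL DFSR replication to complete; the policy is then available."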
@@ -29,7 +29,7 @@ The deployment service is designed for IT Pros who are looking for more control - You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021). - You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise. - You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization. -- You can leverage safeguards against likely update issues, as identified by Microsoft machine learning algorithms, and automatically put the deployment on hold for any affected devices. +- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices. The service is privacy focused and backed by leading industry compliance certifications. 
@@ -113,7 +113,7 @@ You should continue to use deployment rings as part of the servicing strategy fo ### Safeguard holds against likely and known issues -[Safeguard holds](https://docs.microsoft.com/windows/deployment/update/safeguard-holds) are a key technology Microsoft uses to protect devices from encountering known quality or compatibility issues, by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing post-update issues (such as OS rollbacks, app crashes, or graphics issues) and temporarily puts the deployment on hold for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you may opt out if desired. +Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out. ### Monitoring deployments to detect rollback issues From 63609d921a0b0c0092ea8863049c7e23270b9faa Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Thu, 14 Oct 2021 09:19:34 -0700 Subject: [PATCH 09/37] Revert "Add content on safeguards" --- .../deployment/update/deployment-service-overview.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) 
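Review bot: the rewritten paragraph still says "you can opt out" without naming the setting or page where the opt-out is made; because opting out disables a default protection, point the reader at the control. This style pass sits between the commit that added the content (PATCH 02) and the commit that reverts it (PATCH 09), so every edit here is discarded two commits later; if the safeguards content is not meant to land yet, drop PATCH 02 and PATCH 08 from the series instead of carrying three commits that net to zero.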
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 6064c7ae15..546749d1dd 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -29,7 +29,6 @@ The deployment service is designed for IT Pros who are looking for more control - You can stage deployments over a period of days or weeks by using rich expressions (for example, deploy 20H2 to 500 devices per day, beginning on March 14, 2021). - You can bypass pre-configured Windows Update for Business policies to immediately deploy a security update across your organization when emergencies arise. - You can benefit from deployments with automatic piloting tailored to your unique device population to ensure coverage of hardware and software in your organization. -- You can use safeguards against likely update issues that have been identified by Microsoft machine-learning algorithms and automatically hold the deployment for any affected devices. The service is privacy focused and backed by leading industry compliance certifications. @@ -53,6 +52,7 @@ Using the deployment service typically follows a common pattern: 2. The chosen tool conveys your approval, scheduling, and device selection information to the deployment service. 3. The deployment service processes the content approval and compares it with previously approved content. Final update applicability is determined and conveyed to Windows Update, which then offers approved content to devices on their next check for updates. + The deployment service exposes these capabilities through Microsoft [Graph REST APIs](/graph/overview). You can call the APIs directly, through a Graph SDK, or integrate them with a management tool such as Microsoft Endpoint Manager. ## Prerequisites 
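Review bot: the @@ -29,7 +29,6 hunk is not the inverse of PATCH 02/37. PATCH 02 only reworded the safeguards bullet (the line it replaced read "- You can leverage safeguards against likely update issues, as identified by Microsoft machine learning algorithms, and automatically put the deployment on hold for any affected devices."), but this hunk deletes the bullet outright and adds nothing back. If the intent is a true revert, restore that earlier line; if the intent is to pull the safeguards feature from the capability list until it ships, the commit subject should say so instead of "Revert".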
@@ -74,6 +74,7 @@ Additionally, your organization must have one of the following subscriptions: - Windows Virtual Desktop Access E3 or E5 - Microsoft 365 Business Premium + ## Getting started To use the deployment service, you use a management tool built on the platform, script common actions using PowerShell, or build your own application. @@ -86,6 +87,7 @@ Microsoft Endpoint Manager integrates with the deployment service to provide Win The Microsoft Graph SDK includes a PowerShell extension that you can use to script and automate common update actions. For more information, see [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started). + ### Building your own application Microsoft Graph makes deployment service APIs available through. Get started with these learning paths: 
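Review bot: the unchanged context line in the @@ -86,6 +87,7 hunk, "Microsoft Graph makes deployment service APIs available through. Get started with these learning paths:", is an incomplete sentence (the object of "through" is missing); since the line directly above it is being touched here, finish the sentence in this change or a follow-up rather than leaving the fragment in the published page.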
@@ -111,17 +113,14 @@ This built-in piloting capability complements your existing ring structure and p You should continue to use deployment rings as part of the servicing strategy for your organization, but use gradual rollouts to add scheduling convenience and additional protections within each ring. -### Safeguard holds against likely and known issues - -Microsoft uses [safeguard holds](/windows/deployment/update/safeguard-holds) to protect devices from encountering known quality or compatibility issues by preventing them from installing the update or upgrade. For Windows 11 deployments, the deployment service extends these safeguard holds to also protect devices that Microsoft identifies as being at a higher risk of experiencing problems after an update (such as operating system rollbacks, app crashes, or graphics issues). The service temporarily holds the deployment for these devices while Microsoft investigates the likely issue. Safeguard holds apply to deployments by default, but you can opt out. - ### Monitoring deployments to detect rollback issues During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. + ### How to enable deployment protections -Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your population, devices must share diagnostic data with Microsoft. +Deployment scheduling controls are always available, but to take advantage of the unique deployment protections tailored to your organization, devices must share diagnostic data with Microsoft. #### Device prerequisites 
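Review bot: the @@ -111,17 +113,14 hunk removes the entire "### Safeguard holds against likely and known issues" section, whereas PATCH 02/37 only reworded it (the paragraph it replaced began "[Safeguard holds](https://docs.microsoft.com/windows/deployment/update/safeguard-holds) are a key technology Microsoft uses to protect devices from encountering known quality or compatibility issues..."). A revert should put that paragraph back; dropping the section silently removes the page's only description of a default-on protection and of the fact that admins can opt out of it, which is a behaviour change rather than a revert.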
@@ -175,6 +174,7 @@ Follow these suggestions for the best results with the service. Avoid using different channels to manage the same resources. If you use Microsoft Endpoint Manager along with Microsoft Graph APIs or PowerShell, aspects of resources (such as devices, deployments, updatable asset groups) might be overwritten if you use both channels to manage the same resources. Instead, only manage each resource through the channel that created it. + ## Next steps To learn more about the deployment service, try the following: From 2515c5784a919ec7fdca66ebd90c4687ffd9bdf8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 14 Oct 2021 09:36:36 -0700 Subject: [PATCH 10/37] Update enroll-a-windows-10-device-automatically-using-group-policy.md --- ...ll-a-windows-10-device-automatically-using-group-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 8c53bccf46..58d590e4b2 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -5,8 +5,8 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman -ms.date: 06/02/2021 +author: dansimp +ms.date: 10/14/2021 ms.reviewer: manager: dansimp --- From b1619045ffbec8088992768de3d22a1f2ebb2b4a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 11:48:52 -0700 Subject: [PATCH 11/37] Applied valid slugs for labeling code blocks The complete list is here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master#dev-lang --- .../troubleshoot-tcpip-port-exhaust.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index d3a3ceb2db..10fbfe6f45 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -39,7 +39,7 @@ You can view the dynamic port range on a computer by using the following netsh c The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP. -```cmd +```console netsh int set dynamic start=number num=range ``` @@ -107,7 +107,7 @@ You may also see CLOSE_WAIT state connections in the same output, however CLOSE_ 4. Open a command prompt in admin mode and run the below command - ```cmd + ```console Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl ``` 
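Review bot: in the @@ -39,7 +39,7 hunk the sentence "The above command sets the dynamic port range for TCP." sits above the block it describes, and the placeholder in that block, `netsh int set dynamic start=number num=range`, is an abbreviated form that does not match the full syntax used later in the same file (`netsh int ipv4 set dynamicport tcp start=10000 num=1000` in the @@ -165 hunk). While relabelling the fence, move the sentence below the block and align the placeholder with the full `netsh int ipv4 set dynamicport tcp start=<number> num=<range>` form so a reader copying it gets a working command.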
@@ -121,7 +121,7 @@ The key is to identify which process or application is using all the ports. Belo Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process: -```Powershell +```powershell Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending ``` @@ -165,7 +165,7 @@ Finally, if the above methods did not help you isolate the process, we suggest y As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands: -```cmd +```console netsh int ipv4 set dynamicport tcp start=10000 num=1000 ``` @@ -176,7 +176,7 @@ This will set the dynamic port range to start at port 10000 and to end at port 1 For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend. -``` +```console @ECHO ON set v=%1 :loop From 05d50c14123517ecb7105d86d7fdd53b3ed691a9 Mon Sep 17 00:00:00 2001 
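Review bot: the @@ -176,7 +176,7 hunk labels a batch script (`@ECHO ON`, `set v=%1`, `:loop`) as `console`. The `console` slug is meant for terminal sessions, and the surrounding text tells the reader to run this as a script file, so a batch-file slug from the same taxonomy (if it offers one) would describe the block more accurately and give correct syntax highlighting; `console` is fine for the two single-line `netsh` invocations in the other hunks.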
From: Gary Moore Date: Thu, 14 Oct 2021 11:52:51 -0700 Subject: [PATCH 12/37] Corrected indentation of images & second-level list items These images should have been indented as part of their respective second-level list items. For this to work correctly, though, the second-level list items also needed to be laid out correctly, and that often doesn't happen unless the list items rely on automatic numbering (1, 1, 1) instead of specifying the enumeration (a, b, c). --- .../client-management/troubleshoot-tcpip-port-exhaust.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 10fbfe6f45..a09a0c7ea4 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -82,13 +82,13 @@ If you suspect that the machine is in a state of port exhaustion: 2. Open event viewer and under the system logs, look for the events which clearly indicate the current state: - a. **Event ID 4227** + 1. **Event ID 4227** - ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) + ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) - b. **Event ID 4231** + 1. **Event ID 4231** - ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) + ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. From 2503158cabfdfc6ba9ee37c1d035161ecde678ce Mon Sep 17 00:00:00 2001 
From: Gary Moore Date: Thu, 14 Oct 2021 11:59:13 -0700 Subject: [PATCH 13/37] Added lightbox functionality to some images These images aren't easy to read. Lightbox allows the images to be viewed in an expanded window. --- .../client-management/troubleshoot-tcpip-port-exhaust.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index a09a0c7ea4..b7b25c7d2d 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -58,7 +58,7 @@ Since outbound connections start to fail, you will see a lot of the below behavi - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work. - ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png) + :::image type="content" alt-text="Screenshot of error for NETLOGON in Event Viewer." source="images/tcp-ts-14.png" lightbox="images/tcp-ts-14.png"::: - Group Policy update failures: 
@@ -84,11 +84,11 @@ If you suspect that the machine is in a state of port exhaustion: 1. **Event ID 4227** - ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png) + :::image type="content" alt-text="Screenshot of event ID 4227 in Event Viewer." source="images/tcp-ts-18.png" lightbox="images/tcp-ts-18.png"::: 1. **Event ID 4231** - ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png) + :::image type="content" alt-text="Screenshot of event ID 4231 in Event Viewer." source="images/tcp-ts-19.png" lightbox="images/tcp-ts-19.png"::: 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. @@ -157,7 +157,7 @@ Steps to use Process explorer: File \Device\AFD - ![Screenshot of Process Explorer.](images/tcp-ts-22.png) + :::image type="content" alt-text="Screenshot of Process Explorer." source="images/tcp-ts-22.png" lightbox="images/tcp-ts-22.png"::: 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app. From eacfe32e51fd32f391a9f3f6945be9871c4af381 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 12:02:03 -0700 Subject: [PATCH 14/37] Updated code block label to a valid value The complete list is here: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master#dev-lang --- windows/client-management/mandatory-user-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 8b2e2bc3e9..5a566f1410 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md 
@@ -68,7 +68,7 @@ First, you create a default user profile with the customizations that you want, 1. At a command prompt, type the following command and press **ENTER**. - ```dos + ```console sysprep /oobe /reboot /generalize /unattend:unattend.xml ``` From e89a0f19ffc81e4d9846b4d3c3a80fbbbfaccddf Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 12:04:21 -0700 Subject: [PATCH 15/37] Indented images in second-level list items --- windows/client-management/mandatory-user-profile.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 5a566f1410..25245fa812 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -100,11 +100,11 @@ First, you create a default user profile with the customizations that you want, - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path. - ![Example of Copy profile to.](images/copy-to-path.png) + ![Example of Copy profile to.](images/copy-to-path.png) - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location. - ![Example of Copy To UI with UNC path.](images/copy-to-path.png) + ![Example of Copy To UI with UNC path.](images/copy-to-path.png) 1. Click **OK** to copy the default user profile. From 8ffec9b20f1f0249aa9b83b7f6f4370163cb069d Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 12:19:57 -0700 Subject: [PATCH 16/37] Indented note in a list item --- .../manage-device-installation-with-group-policy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
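Review bot: in the @@ -100,11 +100,11 hunk of PATCH 15/37 both images resolve to the same file, `images/copy-to-path.png`, yet carry different alt text ("Example of Copy profile to." and "Example of Copy To UI with UNC path."). Either the second bullet should reference its own screenshot (the UNC-path case) or the duplicate image should be removed; as committed, readers see identical pictures with contradictory captions, and the indentation fix does not address that.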
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index cadcf9664a..8e177ae184 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md +++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -342,8 +342,8 @@ Getting the right device identifier to prevent it from being installed: > ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\ > This class includes printers. -> [!NOTE] -> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system. + > [!NOTE] + > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system. Creating the policy to prevent all printers from being installed: From 746eb537749f49d492fbbc48a267a8f355fb26fc Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:01:19 -0700 Subject: [PATCH 17/37] Applied ordered list to sequential steps --- .../manage-device-installation-with-group-policy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md index 8e177ae184..4088d331ab 100644 --- a/windows/client-management/manage-device-installation-with-group-policy.md 
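Review bot: the @@ -342,8 +342,8 hunk of PATCH 16/37 indents the `[!NOTE]` block under the list item, but the blockquote lines immediately above it (`> ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\` and `> This class includes printers.`) are left at column 0, so the ClassGuid quote and the note no longer render as part of the same step. Indent those two quoted lines to match, or the step's quoted content will be split between an outer blockquote and an inner one.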
+++ b/windows/client-management/manage-device-installation-with-group-policy.md @@ -376,9 +376,9 @@ Creating the policy to prevent all printers from being installed: 1. If you have not completed step #9 – follow these steps: - - Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. - - For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. - - You should not be able to reinstall the printer. + 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”. + 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app. + 1. You should not be able to reinstall the printer. 2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use. From 3658e39021c2595afe94caf999f887a732128632 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:07:36 -0700 Subject: [PATCH 18/37] Correct slash location in self-closing BR tags --- .../hello-identity-verification.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 26a25c7342..1a9e16072a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md 
@@ -38,37 +38,37 @@ The table shows the minimum requirements for each deployment. For key trust in a > [!NOTE] > Windows Hello for Business is introducing a new trust model called cloud trust in early 2022. This trust model will enable deployment of Windows Hello for Business using the infrastructure introduced for supporting [security key sign-in on Hybrid Azure AD joined devices and on-premises resource access on Azure AD Joined devices](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). More information will be available on Windows Hello for Business cloud trust once it is generally available. -| Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | +| Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | -| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | +| Windows 10, version 1511 or later| **Hybrid Azure AD Joined:**
*Minimum:* Windows 10, version 1703
*Best experience:* Windows 10, version 1709 or later (supports synchronous certificate enrollment).
**Azure AD Joined:**
Windows 10, version 1511 or later| Windows 10, version 1511 or later | Windows 10, version 1511 or later | | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | Windows Server 2016 or later Schema | | Windows Server 2008 R2 Domain/Forest functional level | Windows Server 2008 R2 Domain/Forest functional level| Windows Server 2008 R2 Domain/Forest functional level |Windows Server 2008 R2 Domain/Forest functional level | | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | Windows Server 2016 or later Domain Controllers | Windows Server 2008 R2 or later Domain Controllers | | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | Windows Server 2012 or later Certificate Authority | -| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
and
Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | -| Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | +| N/A | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/help/4088889) (hybrid Azure AD joined clients),
and
Windows Server 2012 or later Network Device Enrollment Service (Azure AD joined) | N/A | Windows Server 2012 or later Network Device Enrollment Service | +| Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | Azure MFA tenant, or
AD FS w/Azure MFA adapter, or
AD FS w/Azure MFA Server adapter, or
AD FS w/3rd Party MFA Adapter | | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | > [!Important] -> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
+> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 > -> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
+> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments The table shows the minimum requirements for each deployment. -| Key trust
Group Policy managed | Certificate trust
Group Policy managed| +| Key trust
Group Policy managed | Certificate trust
Group Policy managed| | --- | --- | | Windows 10, version 1703 or later | Windows 10, version 1703 or later | | Windows Server 2016 Schema | Windows Server 2016 Schema| From f57263c1a54e3e1826d6b43db7f435bd36d4eb63 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:09:31 -0700 Subject: [PATCH 19/37] Add bullets to vertical lists --- .../hello-identity-verification.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 1a9e16072a..065df8dd49 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -54,15 +54,15 @@ The table shows the minimum requirements for each deployment. For key trust in a > [!Important] > 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 > > 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments From 2a14c0b54de61760c79f38009ff9e24409be42d1 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:11:41 -0700 Subject: [PATCH 20/37] Replace numbers with bullets in unordered list --- .../hello-identity-verification.md | 20 ++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 065df8dd49..641d92045a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -53,16 +53,18 @@ The table shows the minimum requirements for each deployment. For key trust in a | Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | > [!Important] -> 1. Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:** -> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> - Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. > -> 2. On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:** -> - Reset from settings - Windows 10, version 1703, Professional -> - Reset above lock screen - Windows 10, version 1709, Professional -> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> +> - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. + +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ## On-premises Deployments From 86f28739efab1a49050d1e284e437c25fae93787 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:14:09 -0700 Subject: [PATCH 21/37] Add lightbox functionality for legibility --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index b191dbc916..72fda09ca8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
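Review bot: in the @@ -53,16 +53,18 hunk of PATCH 20/37 the blank line between "+> - On-premises deployments support destructive PIN reset..." and "+> **Requirements:**" is a bare "+" with no `>` prefix, which terminates the `[!Important]` blockquote; the second **Requirements:** list therefore renders as a separate plain quote outside the alert. Make that line "+>" as was done for the hybrid case above it. The same hunk also leaves "**Requirements:**" and its sub-bullets unindented under their parent bullet, so in CommonMark the parent list ends there and the requirement items (and the following "- On-premises" item) merge into one flat list; indent the requirements lines by two spaces under each bullet so each stays nested under the deployment type it belongs to.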
@@ -70,7 +70,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup >[!NOTE] >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password. -![How authentication works in Windows Hello.](images/authflow.png) +:::image type="content" alt-text="How authentication works in Windows Hello." source="images/authflow.png" lightbox="images/authflow.png"::: Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device. From cae6cc2ccd6124169492945c64cfa242e890eaea Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:15:05 -0700 Subject: [PATCH 22/37] Add blank lines for readability --- .../hello-for-business/hello-overview.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 72fda09ca8..33d820a1a7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -81,12 +81,19 @@ Windows Hello helps protect user identities and user credentials. Because the us ## How Windows Hello for Business works: key points - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device. + - Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step. + - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy. + - Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared. + - The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process. + - PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user. + - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy. + - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture. For details, see [How Windows Hello for Business works](hello-how-it-works.md). From c58fe7af5e8cb4d4d6e79e8517d7a00f4fa76404 Mon Sep 17 00:00:00 2001 
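Review bot: while these bullets are being touched, a few wording fixes in the context lines would help: "based on certificate or asymmetrical key pair" should read "based on a certificate or an asymmetric key pair"; "Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows" reads more cleanly as "Authentication is two-factor: a key or certificate tied to the device, combined with something the person knows (a PIN) or something the person is (biometrics)"; and "Biometrics templates" should be "Biometric templates". The blank lines themselves are fine, since each bullet is a full sentence and benefits from the spacing.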
From: Gary Moore Date: Thu, 14 Oct 2021 14:16:27 -0700 Subject: [PATCH 23/37] Correct slash location in self-closing BR tags --- .../hello-for-business/hello-planning-guide.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index d0de57c65c..611f55ea0d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -74,19 +74,19 @@ The hybrid deployment model is for organizations that: - Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
+> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
+> **Requirements:**
+> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ##### On-premises The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
+> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> **Requirements:**
+> Reset from settings - Windows 10, version 1703, Professional
+> Reset above lock screen - Windows 10, version 1709, Professional
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. From ab5f819050520acff45c400cab109a4e06695328 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:17:54 -0700 Subject: [PATCH 24/37] Add bullets to vertical lists --- .../hello-for-business/hello-planning-guide.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 611f55ea0d..c8d18101d8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -75,19 +75,19 @@ The hybrid deployment model is for organizations that: > [!Important] > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
-> **Requirements:**
-> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 ##### On-premises The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] > On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
-> **Requirements:**
-> Reset from settings - Windows 10, version 1703, Professional
-> Reset above lock screen - Windows 10, version 1709, Professional
-> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 +> **Requirements:** +> - Reset from settings - Windows 10, version 1703, Professional +> - Reset above lock screen - Windows 10, version 1709, Professional +> - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 It's fundamentally important to understand which deployment model to use for a successful deployment. Some aspects of the deployment may have already been decided for you based on your current infrastructure. From 15e39694808a7d8ac40737f67c7129d36419e696 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:19:13 -0700 Subject: [PATCH 25/37] Removed unnecessary BR tags --- .../hello-for-business/hello-planning-guide.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index c8d18101d8..8aada054b6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -74,7 +74,8 @@ The hybrid deployment model is for organizations that: - Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources > [!Important] -> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.
+> Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models. +> > **Requirements:** > - Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903 > - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 @@ -83,7 +84,8 @@ The hybrid deployment model is for organizations that: The on-premises deployment model is for organizations that do not have cloud identities or use applications hosted in Azure Active Directory. > [!Important] -> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models.
+> On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. +> > **Requirements:** > - Reset from settings - Windows 10, version 1703, Professional > - Reset above lock screen - Windows 10, version 1709, Professional From 88129581d474fce062c5e20061069da4b290f681 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 14:26:24 -0700 Subject: [PATCH 26/37] Added missing angle bracket --- .../hello-for-business/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 641d92045a..92c2b72d61 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -60,7 +60,7 @@ The table shows the minimum requirements for each deployment. For key trust in a > - Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 > > - On-premises deployments support destructive PIN reset that works with both the certificate trust and the key trust models. - +> > **Requirements:** > - Reset from settings - Windows 10, version 1703, Professional > - Reset above lock screen - Windows 10, version 1709, Professional From 438a77ac54ba0fe6b72d1a469d1922f092089035 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 18:15:28 -0700 Subject: [PATCH 27/37] Corrected labels on code blocks to valid type Here's the list of valid types: https://review.docs.microsoft.com/en-us/help/contribute/metadata-taxonomies?branch=master#dev-lang --- ...tion-based-protection-of-code-integrity.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) 
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 5d7ffa6cd9..d4507b1ee4 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -78,7 +78,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): -``` commands +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f 
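Review bot: `console` is the right label for these cmd.exe `reg add` lines, but the lead-in "Set the following registry keys to enable HVCI" in this hunk's context does not say the commands must be run from an elevated prompt, which the "How to turn off HVCI" section of the same file does state; add that here, since `reg add` against `HKLM\SYSTEM` fails with an access-denied error from a non-elevated prompt and a reader pasting the block will otherwise end up with no VBS change.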
@@ -94,49 +94,49 @@ If you want to customize the preceding recommended settings, use the following s **To enable VBS** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f ``` **To enable VBS and require Secure boot only (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` **To enable VBS with Secure Boot and DMA (value 3)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f ``` **To enable VBS without UEFI lock (value 0)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f ``` **To enable VBS with UEFI lock (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f ``` **To enable virtualization-based protection of Code Integrity policies** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f ``` **To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f ``` **To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f ``` 
@@ -144,7 +144,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock): -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f @@ -158,31 +158,31 @@ If you want to customize the preceding recommended settings, use the following s **To enable VBS (it is always locked to UEFI)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f ``` **To enable VBS and require Secure boot only (value 1)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` **To enable VBS with Secure Boot and DMA (value 3)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f ``` **To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f ``` **To enable virtualization-based protection of Code Integrity policies without UEFI lock** -``` command +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` From 170846294085a37742491866ef21020c73bffa8b Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 18:21:44 -0700 Subject: [PATCH 28/37] Replace single BR tags with proper paragraph breaks --- ...able-virtualization-based-protection-of-code-integrity.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index d4507b1ee4..3bedae6d12 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -71,7 +71,10 @@ Set the following registry keys to enable HVCI. This provides exactly the same s > [!IMPORTANT] -> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled. +> +> In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled. +> > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers. #### For Windows 10 version 1607 and later From 0a7cdbac239f968c21cc84aa97b33cfd7a30c374 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 18:22:37 -0700 Subject: [PATCH 29/37] Corrected type label on code block --- ...irtualization-based-protection-of-code-integrity.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 3bedae6d12..d75271bcad 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -294,12 +294,14 @@ C. If you experience a critical error during boot or your system is unstable aft ## How to turn off HVCI -1. Run the following command from an elevated prompt to set the HVCI registry key to off -```ini +1. Run the following command from an elevated prompt to set the HVCI registry key to off: + +```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f ``` -2. Restart the device. -3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed. + +1. Restart the device. +1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed. ## HVCI deployment in virtual machines From dc63e23408a55038ee5a223fc6fd5ba9db6d2eb2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 18:24:39 -0700 Subject: [PATCH 30/37] Add blank lines for consistent layout --- ...nable-virtualization-based-protection-of-code-integrity.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index d75271bcad..a19ca85753 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
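Review bot: the new ```` ```console ```` fence is not indented under step 1, so it ends the ordered list; the following `1. Restart the device.` then starts a new list and renders as step 1 rather than step 2 (the `1.`/`1.` auto-numbering only works while the list is unbroken). Indent the fence and the `reg add` line by three spaces so they stay inside the first item. Separately, the Group Policy step in this file says the UEFI lock exists so HVCI "cannot be disabled remotely", so a one-line caveat here that setting `Enabled` to 0 in the registry only turns HVCI off when it was enabled without the UEFI lock would spare readers a confusing reboot on locked systems.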
@@ -54,8 +54,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] ### Enable HVCI using Group Policy 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one. + 2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**. + 3. Double-click **Turn on Virtualization Based Security**. + 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) @@ -301,6 +304,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE ``` 1. Restart the device. + 1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed. ## HVCI deployment in virtual machines From 7577992ae124c1ce3b7bc258382affcb04639a0b Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 18:25:18 -0700 Subject: [PATCH 31/37] Indent a code block in a list item --- ...ble-virtualization-based-protection-of-code-integrity.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index a19ca85753..e331616635 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -299,9 +299,9 @@ C. If you experience a critical error during boot or your system is unstable aft 1. Run the following command from an elevated prompt to set the HVCI registry key to off: -```console -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f -``` + ```console + reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f + ``` 1. Restart the device. From 5416ecd0192eb107b0ea6d06951c74b771daaf5a Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 18:33:44 -0700 Subject: [PATCH 32/37] Add lightbox functionality to image --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index e331616635..a4fc2cfbe2 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -285,7 +285,7 @@ This field lists the computer name. All valid values for computer name. Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section. -![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png) +:::image type="content" alt-text="Windows Defender Device Guard properties in the System Summary." source="../images/dg-fig11-dgproperties.png" lightbox="../images/dg-fig11-dgproperties.png"::: ## Troubleshooting From ef9db012f5d9aa8d6e4699c39d8388f625e1ec35 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 19:29:41 -0700 Subject: [PATCH 33/37] Replaced single backticks with triple to create labeled code block --- ...nable-virtualization-based-protection-of-code-integrity.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index a4fc2cfbe2..a7cdb8f8e9 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -196,7 +196,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: -`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` +```powershell +Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard +``` > [!NOTE] > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. From a8c5f1480a6c6d5cb67bcc4525172b56b03897b3 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 20:23:08 -0700 Subject: [PATCH 34/37] Acrolinx: "Powershell" --- windows/client-management/troubleshoot-tcpip-port-exhaust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index b7b25c7d2d..772f2ec791 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
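Review bot: now that the `Get-CimInstance` line is a copyable `powershell` block, replace the typographic en dashes in `–ClassName` and `–Namespace` with ASCII hyphens (`-ClassName`, `-Namespace`); PowerShell's tokenizer tolerates the en dash, but the copied text should not rely on that, and the dashes survive badly through other editors and linters. The switch from inline code to a labeled fence is otherwise the right call for a command readers are expected to run.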
@@ -119,7 +119,7 @@ The key is to identify which process or application is using all the ports. Belo ### Method 1 -Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process: +Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process: ```powershell Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending @@ -127,7 +127,7 @@ Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Pro Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports. -For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet. +For Windows 7 and Windows Server 2008 R2, you can update your PowerShell version to include the above cmdlet. ### Method 2 From d97fae2a49c0fe1a2453a7011c6c85107f96e991 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 14 Oct 2021 20:31:37 -0700 Subject: [PATCH 35/37] Indent multiple types of content in Step 3 --- .../troubleshoot-tcpip-port-exhaust.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
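Review bot: in the first hunk, the PowerShell one-liner in the context line uses the `Select`, `Sort` and `-PID` aliases; for documentation, spell them out as `Select-Object`, `Sort-Object` and `Get-Process -Id` so the command reads unambiguously and does not depend on alias resolution. The "Powershell" to "PowerShell" casing fix in both hunks is correct.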
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index 772f2ec791..1267dad41f 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md 
@@ -94,16 +94,16 @@ If you suspect that the machine is in a state of port exhaustion: ![Screenshot of netstate command output.](images/tcp-ts-20.png) -After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. - -You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. - ->[!Note] ->Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. -> ->Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. -> ->Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. 
+ After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state. + + You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion. + + >[!Note] + >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion. + > + >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports. + > + >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more. 4. Open a command prompt in admin mode and run the below command From ec0d5181e1a8589794f96e4241ee725923e6ab6d Mon Sep 17 00:00:00 2001 
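Review bot: since every one of these lines is being rewritten for indentation, fix the grammar in the same pass: "the port used the process or application would be released" should read "the port used by the process or application is released"; "Having huge connections in TIME_WAIT state" should be "Having a large number of connections in the TIME_WAIT state"; "Having lot of TIME_WAIT connections" should be "Having a lot of TIME_WAIT connections"; and "Until 10/2016" is clearer as "Until October 2016". The three-space indent correctly keeps the paragraphs and the `[!Note]` callout inside step 3 of the numbered list.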
From: Matthew Palko Date: Fri, 15 Oct 2021 09:52:51 -0700 Subject: [PATCH 36/37] remove reference to whfb feedback --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index a11d68959d..3c1cb2a112 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -212,7 +212,7 @@ sections: - question: Does Windows Hello for Business work with third-party federation servers? answer: | - Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).

+ Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.

| Protocol | Description | | :---: | :--- | From dbf11b4c9e094fb11be7f5363df7682dea3b631d Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Fri, 15 Oct 2021 09:56:19 -0700 Subject: [PATCH 37/37] Update hello-faq.yml --- .../identity-protection/hello-for-business/hello-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 3c1cb2a112..34170a5423 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml @@ -14,7 +14,7 @@ metadata: ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium - ms.date: 01/14/2021 + ms.date: 10/15/2021 ms.reviewer: title: Windows Hello for Business Frequently Asked Questions (FAQ) @@ -224,4 +224,4 @@ sections: - question: Does Windows Hello for Business work with Mac and Linux clients? answer: | Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms. - \ No newline at end of file +
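Review bot: in the `@@ -212,7 +212,7 @@` hunk of the hello-faq.yml change, dropping the `whfbfeedback@microsoft.com` sentence leaves the answer as one sentence followed directly by the protocol table, which reads correctly and removes a contact path the page can no longer honour; the one thing missing from this commit is a matching bump of `ms.date` in the file's metadata so the FAQ reflects when the answer was last revised.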
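Review bot: the `@@ -14,7 +14,7 @@` hunk of the final commit updates `ms.date` from `01/14/2021` to `10/15/2021`, which matches the commit date and is the correct accompaniment to the content change made in the preceding commit; no further change needed in this hunk.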
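Review bot: the `@@ -224,4 +224,4 @@` hunk replaces a final line that held only trailing whitespace and lacked a newline at end of file with an empty line that ends with one; that is the right fix, and because the line sits inside the `answer: |` literal block scalar with default clip chomping, the trailing empty line adds no content beyond the scalar's single final line break.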
