From 3e29250928a845aa19753160a16b7da53d9ab7da Mon Sep 17 00:00:00 2001 From: John Tobin Date: Thu, 6 Apr 2017 14:56:55 -0700 Subject: [PATCH 1/2] Added note for LSAIso to Credential Guard Manage --- windows/keep-secure/credential-guard-manage.md | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/credential-guard-manage.md b/windows/keep-secure/credential-guard-manage.md index d2fcbe101f..e4081028d7 100644 --- a/windows/keep-secure/credential-guard-manage.md +++ b/windows/keep-secure/credential-guard-manage.md @@ -112,6 +112,8 @@ Credential Guard can protect secrets in a Hyper-V virtual machine, just as it wo ### Review Credential Guard performance +**Is Credential Guard running?** + You can view System Information to check that Credential Guard is running on a PC. 1. Click **Start**, type **msinfo32.exe**, and then click **System Information**. @@ -128,6 +130,10 @@ You can also check that Credential Guard is running by using the [Device Guard a DG_Readiness_Tool_v3.0.ps1 -Ready ``` +> [!NOTE] + +For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features. + - If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain. - You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for: 
@@ -140,15 +146,6 @@ DG_Readiness_Tool_v3.0.ps1 -Ready - **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\] You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -> **Windows** -> **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0. - **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0. -- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business. -- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN. -- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. 
For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running. - -- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager: - - Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed". - - Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials. - - You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials. - - Credential Guard uses hardware security so some features, such as Windows To Go, are not supported. ## Disable Credential Guard From bb80e9c58bfd7554e6bd9754efb12777b42be547 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 7 Apr 2017 09:47:06 -0700 Subject: [PATCH 2/2] fixed a bunch of wipfb typos :sunny: --- windows/update/waas-windows-insider-for-business-aad.md | 4 ++-- windows/update/waas-windows-insider-for-business-faq.md | 2 +- windows/update/waas-windows-insider-for-business.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) 
diff --git a/windows/update/waas-windows-insider-for-business-aad.md b/windows/update/waas-windows-insider-for-business-aad.md index 440c4b8bfc..5467e01600 100644 --- a/windows/update/waas-windows-insider-for-business-aad.md +++ b/windows/update/waas-windows-insider-for-business-aad.md @@ -56,11 +56,11 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc ## User consent requirement -With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions, like this: +With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will see a popup asking for their permission, like this: ![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) -Once agreed, everything will work fine and that user won't be asked for permissions again. +Once agreed, everything will work fine and that user won't be prompted for permission again. ### Something went wrong diff --git a/windows/update/waas-windows-insider-for-business-faq.md b/windows/update/waas-windows-insider-for-business-faq.md index 249b9c95ee..aa84530023 100644 --- a/windows/update/waas-windows-insider-for-business-faq.md +++ b/windows/update/waas-windows-insider-for-business-faq.md 
@@ -74,7 +74,7 @@ In just a few steps, you can switch your existing program registration from your Sign in to the Feedback Hub using the same AAD account you are using to flight builds. ### Am I going to lose all the feedback I submitted and badges I earned with my MSA? -No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badge you’ve earned. +No. However, your feedback will not be transferred from your MSA to your AAD account. You can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. ### How is licensing handled for Windows 10 Insider builds? All PCs need to have a valid Windows 10 license. This requirement applies whether the device is joined to the Windows Insider Program using a Microsoft account or an Azure Active Directory account. diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md index 802fb3b122..5308d3e795 100644 --- a/windows/update/waas-windows-insider-for-business.md +++ b/windows/update/waas-windows-insider-for-business.md @@ -65,7 +65,7 @@ The Slow Windows Insider level is for users who enjoy seeing new builds of Windo * Builds are sent to the Slow Ring after feedback has been received from Insiders within the Fast Ring and analyzed by our Engineering teams. * These builds will include updates to fix key issues that would prevent many Windows Insiders from being able to use the build on a daily basis. -* These builds are still may have issues that would be addressed in a future flight. +* These builds still may have issues that would be addressed in a future flight. ### Fast
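Review bot: In PATCH 1/2, hunk `@@ -112,6 +112,8 @@` of windows/keep-secure/credential-guard-manage.md, the added line `**Is Credential Guard running?**` is bold body text used as a sub-heading. The enclosing section is a `###` heading, so a `#### Is Credential Guard running?` heading would be consistent with the file, appear in the rendered TOC and be linkable, whereas bold text is neither; alternatively drop the line, since the sentence that follows already states the purpose of the steps.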
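Review bot: In PATCH 1/2, hunk `@@ -128,6 +130,10 @@` of windows/keep-secure/credential-guard-manage.md, the new `> [!NOTE]` is followed by a blank line and an unquoted paragraph, so the alert renders empty and the sentence renders as ordinary body text. The note text must sit inside the same blockquote, for example `> [!NOTE]` followed directly by `> For client machines that are running Windows 10, version 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features.` Two wording points on the same line: the file already uses `LsaIso.exe` (see the Event ID 17 bullet below the hunk), so `LSAIso` should match it, and the deleted bullets use the form `Windows 10, version 1511`, so `Windows 10 1703` should follow that convention. The note would also be more useful if it stated the consequence for the check it sits under: on version 1703 the presence of the LsaIso.exe process alone does not show that Credential Guard is enabled, because the process starts whenever virtualization-based security is on for any feature, so readers should rely on System Information or the readiness tool output rather than on the process list.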
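Review bot: In PATCH 1/2, hunk `@@ -140,15 +146,6 @@` of windows/keep-secure/credential-guard-manage.md deletes nine lines of considerations (third-party SSP/AP compatibility and the unsupported `KerbQuerySupplementalCredentialsMessage` API, Credential Manager behaviour with saved RDP credentials and backups, Windows To Go), but the commit subject only says "Added note for LSAIso" and nothing in the patch explains the removal. If this content was moved to another topic, the commit message should say so and this section should link to the new location; if it was not, the deletion drops guidance that matters before enablement, in particular that Credential Manager backups must be taken before Credential Guard is turned on because they cannot be restored afterwards. Please either restore the bullets or document where they went.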
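Review bot: In PATCH 2/2, hunk `@@ -56,11 +56,11 @@` of windows/update/waas-windows-insider-for-business-aad.md, the `se` to `see` and `permissions` to `permission` fixes are correct; on the same rewritten line, the parenthetical `(We read their name, organizational tenant ID and user ID)` still opens with a capital inside a running sentence, so `(we read their name, organizational tenant ID, and user ID)` would be consistent with the surrounding prose while the typo pass is touching this line anyway.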
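Review bot: In PATCH 2/2, hunk `@@ -65,7 +65,7 @@` of windows/update/waas-windows-insider-for-business.md, the corrected bullet `* These builds still may have issues that would be addressed in a future flight.` fixes the stray `are`, but `may still have issues that will be addressed in a future flight` is the more natural word order and tense; since the line is being changed, suggest making that adjustment in the same commit.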