From 7f10f5382eca117862e4bc9a05b675c200196d34 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Tue, 2 Aug 2016 10:49:17 -0700 Subject: [PATCH] fixed rendering issues and TOC entries --- windows/keep-secure/TOC.md | 14 ++++++++++---- windows/keep-secure/credential-guard.md | 5 +++++ 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 5cd8b3ab93..58e3985526 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -1,8 +1,5 @@ # [Keep Windows 10 secure](index.md) ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) -## [Device Guard certification and compliance](device-guard-certification-and-compliance.md) -### [Get apps to run on Device Guard-protected devices](getting-apps-to-run-on-device-guard-protected-devices.md) -### [Create a Device Guard code integrity policy based on a reference device](creating-a-device-guard-policy-for-signed-apps.md) ## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md) ### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) ### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md) @@ -14,6 +11,16 @@ ### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) ## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md) ## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md) +## [Device Guard deployment guide](device-guard-deployment-guide.md) +### [Introduction to Device Guard: virtualization-based security and code integrity policies](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) +### [Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) +### [Planning and getting started on the Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md) +### [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md) +#### [Optional: Create a code signing certificate for code integrity policies](optional-create-a-code-signing-certificate-for-code-integrity-policies.md) +#### [Deploy code integrity policies: policy rules and file rules](deploy-code-integrity-policies-policy-rules-and-file-rules.md) +#### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) +#### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) +### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md) ## [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) @@ -832,7 +839,6 @@ ###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md) ## [Enterprise security guides](windows-10-enterprise-security-guides.md) ### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) -### [Device Guard deployment guide](device-guard-deployment-guide.md) ### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index b0c15689da..988deb9e06 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -158,6 +158,7 @@ First, you must add the virtualization-based security features. You can do this ``` syntax dism /image: /Enable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /all ``` + > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. @@ -183,6 +184,7 @@ If you don't use Group Policy, you can enable Credential Guard by using the regi - Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it. 4. Close Registry Editor. + > [!NOTE] > You can also turn on Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. @@ -348,6 +350,7 @@ On devices that are running Credential Guard, enroll the devices using the machi ``` syntax CertReq -EnrollCredGuardCert MachineAuthentication ``` + > [!NOTE] > You must restart the device after enrolling the machine authentication certificate.   @@ -364,6 +367,7 @@ By using an authentication policy, you can ensure that users only sign into devi ``` syntax .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:”” –groupOU:”” –groupName:”” ``` + ### Deploy the authentication policy Before setting up the authentication policy, you should log any failed attempt to apply an authentication policy on the KDC. To do this in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**. @@ -388,6 +392,7 @@ Now you can set up an authentication policy to use Credential Guard. 14. Click **OK** to create the authentication policy. 15. Close Active Directory Administrative Center. + > [!NOTE] > When authentication policies in enforcement mode are deployed with Credential Guard, users will not be able to sign in using devices that do not have the machine authentication certificate provisioned. This applies to both local and remote sign in scenarios.