From 0964d37f99d256ef082d087cfbbc5ef62d341985 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Sat, 18 Mar 2023 07:17:58 -0700 Subject: [PATCH 1/7] Update introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md --- ...-based-security-and-windows-defender-application-control.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md index 09f6cce05f..4f36792ed9 100644 --- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md +++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md 
@@ -23,6 +23,9 @@ ms.topic: article Windows includes a set of hardware and OS technologies that, when configured together, allow enterprises to "lock down" Windows systems so they behave more like mobile devices. In this configuration, [**Windows Defender Application Control (WDAC)**](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control) is used to restrict devices to run only approved apps, while the OS is hardened against kernel memory attacks using [**memory integrity**](enable-virtualization-based-protection-of-code-integrity.md). +> [!NOTE] +> Memory integrity is sometimes referred to as *hypervisor-protected code integrity (HVCI)* or *hypervisor enforced code integrity*, and was originally released as part of *Device Guard*. Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry. + WDAC policies and memory integrity are powerful protections that can be used separately. However, when these two technologies are configured to work together, they present a strong protection capability for Windows devices. Using WDAC to restrict devices to only authorized apps has these advantages over other solutions: From 8b11ac9cc315f8ea13606e1ac2f052bbd42e9e2f Mon Sep 17 00:00:00 2001 From: Peter Smith Date: Sun, 19 Mar 2023 20:30:54 -0700 Subject: [PATCH 2/7] Clarify when certificates are re-validated The original wording implied that the client would trigger when the certificate expired. It doesn't; the client instead triggers whenever and at that point determines if the certificate has expired. --- .../identity-protection/vpn/vpn-conditional-access.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index e9af1d83a5..4e7d339c66 100644 
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md 
@@ -33,7 +33,7 @@ Conditional Access Platform components used for Device Compliance include the fo - Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA. See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy). -- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When that certificate expires, the client will again check with Azure AD for health validation before a new certificate is issued. +- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued. 
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things. @@ -125,4 +125,4 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) - [VPN security features](vpn-security-features.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) From 3e30d1f3037d0153b6682db76cf9e967c2d293e4 Mon Sep 17 00:00:00 2001 From: mudeeb <35724901+mudeeb@users.noreply.github.com> Date: Mon, 20 Mar 2023 12:51:55 +0300 Subject: [PATCH 3/7] Update hello-faq.yml PIN 1231 doesn't have a constant delta (1,1,8), so it's allowed ====>must be change to ====>PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed. 8 to 2 this is the change --- .../identity-protection/hello-for-business/hello-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml index 621663aecd..bb59a07821 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.yml +++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml 
@@ -109,7 +109,7 @@ sections: - The PIN 9630 has a constant delta of (7,7,7), so it isn't allowed - The PIN 1593 has a constant delta of (4,4,4), so it isn't allowed - The PIN 7036 has a constant delta of (3,3,3), so it isn't allowed - - The PIN 1231 doesn't have a constant delta (1,1,8), so it's allowed + - The PIN 1231 doesn't have a constant delta (1,1,2), so it's allowed - The PIN 1872 doesn't have a constant delta (7,9,5), so it's allowed This check prevents repeating numbers, sequential numbers, and simple patterns. It always results in a list of 100 disallowed PINs (independent of the PIN length). This algorithm doesn't apply to alphanumeric PINs. From 34c16a971936e362ccf8916576b72354a3eebff1 Mon Sep 17 00:00:00 2001 From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com> Date: Mon, 20 Mar 2023 15:49:46 +0100 Subject: [PATCH 4/7] Update event-4769.md Add details to some of the error logging details... --- windows/security/threat-protection/auditing/event-4769.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index e82434467c..d15a58aca9 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md 
@@ -194,7 +194,12 @@ The most common values: | 0x18 | RC4-HMAC-EXP | Default suite for operating systems before Windows Server 2008 and Windows Vista. | | 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | -- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. The table below contains the list of the most common error codes for this event: +- **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. +Some errors are only reported when you set KdcExtraLogLevel per [Kerberos and KDC registry entries] (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) hexadecimal flag, OR-connected for multiple flags being set: +0x01: Audit SPN unknown errors. +0x10: Log audit events on encryption type (ETYPE) and bad options errors. + +The table below contains the list of the most common error codes for this event: | Code | Code Name | Description | Possible causes | |------|----------------------------------------|-----------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| From 47a7c7eaafc683ac1e3ebcf834dc6cadba1ea241 Mon Sep 17 00:00:00 2001 
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:07:57 -0400 Subject: [PATCH 5/7] Update windows/security/threat-protection/auditing/event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index d15a58aca9..ad744c30a8 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -195,7 +195,7 @@ The most common values: | 0xFFFFFFFF or 0xffffffff | - | This type shows in Audit Failure events. | - **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. -Some errors are only reported when you set KdcExtraLogLevel per [Kerberos and KDC registry entries] (https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) hexadecimal flag, OR-connected for multiple flags being set: +Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags: 0x01: Audit SPN unknown errors. 0x10: Log audit events on encryption type (ETYPE) and bad options errors. From c1053033ecea65d5d606c7daee8901005a361b80 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:08:04 -0400 Subject: [PATCH 6/7] Update windows/security/threat-protection/auditing/event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index ad744c30a8..f51f9708f8 100644 
--- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -196,7 +196,7 @@ The most common values: - **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags: -0x01: Audit SPN unknown errors. +- 0x01: Audit SPN unknown errors. 0x10: Log audit events on encryption type (ETYPE) and bad options errors. The table below contains the list of the most common error codes for this event: From 0c3889419f44154ef6d7fb813d5bd12861265ba9 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 20 Mar 2023 11:08:10 -0400 Subject: [PATCH 7/7] Update windows/security/threat-protection/auditing/event-4769.md --- windows/security/threat-protection/auditing/event-4769.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md index f51f9708f8..98746150c6 100644 --- a/windows/security/threat-protection/auditing/event-4769.md +++ b/windows/security/threat-protection/auditing/event-4769.md @@ -197,7 +197,7 @@ The most common values: - **Failure Code** \[Type = HexInt32\]**:** hexadecimal result code of TGS issue operation. Some errors are only reported when you set [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry key value with the following flags: - 0x01: Audit SPN unknown errors. -0x10: Log audit events on encryption type (ETYPE) and bad options errors. +- 0x10: Log audit events on encryption type (ETYPE) and bad options errors. The table below contains the list of the most common error codes for this event:
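Review bot: PATCH 1/7, the new note in introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md: the closing sentence, "Device Guard is no longer used except to locate memory integrity and VBS settings in Group Policy or the Windows registry", reads as if a feature had been removed, when the point is only that the name is retired while the settings keep their old location. Suggest: "The Device Guard name is no longer used, but the memory integrity and VBS settings still appear under Device Guard in Group Policy and in the Windows registry." That also makes it clear to someone searching policy for "memory integrity" or "HVCI" why neither string turns up.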
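Review bot: PATCH 2/7, vpn-conditional-access.md hunk at line 33: the reworded sentence pins down the trigger correctly but leaves the security consequence implicit. Because health is re-validated only when the client reconnects and finds the certificate expired, a device that falls out of compliance while it still holds a valid short-lived certificate keeps authenticating to the VPN until that certificate expires, so the certificate lifetime is the upper bound on how long a non-compliant device stays connected. Suggest adding one sentence after "before a new certificate is issued" stating this, so readers choose the lifetime deliberately rather than assuming compliance is enforced continuously.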
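Review bot: PATCH 3/7, hello-faq.yml hunk: the change from (1,1,8) to (1,1,2) is inconsistent with the convention the neighbouring examples use. Those examples take each delta as the next digit minus the previous digit, reduced modulo 10: 9630 gives 6-9 = -3, listed as 7; 1872 gives 7-8 = -1 and 2-7 = -5, listed as 9 and 5. Applying the same rule to 1231 gives 2-1 = 1, 3-2 = 1 and 1-3 = -2, which is 8 modulo 10, so the original "(1,1,8)" was already correct and "(1,1,2)" is not. Suggest reverting this hunk; if the goal is to make the examples easier to follow, add a short clause to the sentence that introduces the list explaining that deltas are computed modulo 10, rather than changing one example so it no longer matches the others.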
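Review bot: PATCH 4/7, event-4769.md hunk at line 194: the added lines have three rendering problems. The link "[Kerberos and KDC registry entries] (https://learn.microsoft.com/en-us/...)" has a space between "]" and "(" and so will not render as a link (a later patch in this series switches it to a site-relative "/troubleshoot/..." link, which also fixes the locale-pinned absolute URL); the new lines start at column 0 directly under the "- **Failure Code**" bullet, so they break out of that list item instead of rendering as its continuation; and "hexadecimal flag, OR-connected for multiple flags being set" is hard to parse. Indenting the added paragraph and the two flag lines by two spaces keeps them inside the Failure Code item, and "The value is a bitmask; combine flags by OR-ing them" says the same thing plainly. Since readers will type these values into a REG_DWORD, please also double-check 0x01 and 0x10 against the linked KdcExtraLogLevel reference: a wrong bit simply produces no events and no error.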
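Review bot: PATCH 5/7, event-4769.md hunk at line 195: fixing the link syntax and making it site-relative is right, but the rewrite drops the one piece of the previous wording that mattered, namely that KdcExtraLogLevel is a flag value that is OR-combined. Without it a reader does not know that enabling both listed flags means writing a single value of 0x11 rather than two entries. Suggest: "Some errors are only reported when the following bits are set in the [KdcExtraLogLevel](/troubleshoot/windows-server/windows-security/kerberos-protocol-registry-kdc-configuration-keys) registry value (the value is a bitmask, so combine flags by OR-ing them, for example 0x11 for both):".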
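Review bot: PATCH 6/7, event-4769.md hunk at line 196: turning "0x01:" into a list item is an improvement, but at column 0 the new "- 0x01" line is a top-level bullet, a sibling of "- **Failure Code**" rather than a sub-item of it, and the "Some errors are only reported..." line above it is likewise outside that bullet. Indent the introductory line and the flag items by two spaces (the same applies to the "- 0x10" item that PATCH 7/7 adds) so the whole explanation renders inside the Failure Code item and the "The table below contains..." paragraph that follows stays attached to it.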