Merge pull request #2349 from MicrosoftDocs/pr-6122-fix

https://github.com/MicrosoftDocs/windows-itpro-docs/pull/6122 fix

windows/security/identity-protection/TOC.md

@@ -24,6 +24,7 @@
 ### [How Credential Guard works](credential-guard/credential-guard-how-it-works.md)
 ### [Credential Guard Requirements](credential-guard/credential-guard-requirements.md)
 ### [Manage Credential Guard](credential-guard/credential-guard-manage.md)
+### [Hardware readiness tool](credential-guard/dg-readiness-tool.md)
 ### [Credential Guard protection limits](credential-guard/credential-guard-protection-limits.md)
 ### [Considerations when using Credential Guard](credential-guard/credential-guard-considerations.md)
 ### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -12,7 +12,6 @@ ms.author: dansimp
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.date: 03/01/2019
 ms.reviewer: 
 ---
 
@@ -86,22 +85,24 @@ You can do this by using either the Control Panel or the Deployment Image Servic
     ```
     dism /image:<WIM file name> /Enable-Feature /FeatureName:IsolatedUserMode
     ```
-> [!NOTE]
-> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
+    NOTE: In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required.
 
-> [!NOTE]
+> [!TIP]
 > You can also add these features to an online image by using either DISM or Configuration Manager.
 
 #### Enable virtualization-based security and Windows Defender Credential Guard
 
 1.  Open Registry Editor.
+
 2.  Enable virtualization-based security:
     -   Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
     -   Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
     -   Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
+
 3.  Enable Windows Defender Credential Guard:
     -   Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
     -   Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
+
 4.  Close Registry Editor.
 
 
@@ -112,7 +113,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic
 
 ### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 
-You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg_readiness_tool.md).
+You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
 ```
 DG_Readiness_Tool.ps1 -Enable -AutoReboot
@@ -135,7 +136,7 @@ You can view System Information to check that Windows Defender Credential Guard
 
     ![System Information](images/credguard-msinfo32.png)
 
-You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
 ```
 DG_Readiness_Tool_v3.6.ps1 -Ready
@@ -152,8 +153,8 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 -   You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
     -   **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
     -   **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
-        -   The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it’s not configured to run.
-        -   The second variable: 0 means it’s configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
+        -   The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means it's not configured to run.
+        -   The second variable: 0 means it's configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
     -   **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
     -   **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
     -   **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
@@ -165,9 +166,11 @@ DG_Readiness_Tool_v3.6.ps1 -Ready
 To disable Windows Defender Credential Guard, you can use the following set of procedures or [the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool). If Credential Guard was enabled with UEFI Lock then you must use the following procedure as the settings are persisted in EFI (firmware) variables and it will require physical presence at the machine to press a function key to accept the change. If Credential Guard was enabled without UEFI Lock then you can turn it off by using Group Policy.
 
 1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
+
 2. Delete the following registry settings:
    - HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
    - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\LsaCfgFlags
+
 3. If you also wish to disable virtualization-based security delete the following registry settings:
    - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
    - HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\RequirePlatformSecurityFeatures
@@ -188,14 +191,18 @@ To disable Windows Defender Credential Guard, you can use the following set of p
    ```
 
 5. Restart the PC.
+
 6. Accept the prompt to disable Windows Defender Credential Guard.
+
 7. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
 
-> [!NOTE]
-> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
-
-    bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
-    bcdedit /set vsmlaunchtype off
+    > [!NOTE]
+    > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit commands after turning off all virtualization-based security Group Policy and registry settings:
+    >
+    >```
+    >bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
+    >bcdedit /set vsmlaunchtype off
+    >```
 
 > [!NOTE]
 > Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
@@ -206,7 +213,7 @@ For more info on virtualization-based security and Windows Defender Device Guard
 
 #### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
 
-You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
+You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
 ```
 DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot

windows/security/identity-protection/credential-guard/dg-readiness-tool.md

@@ -12,7 +12,6 @@ ms.author: stsyfuhs
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
-ms.date: 09/18/2019
 ms.reviewer: 
 ---
 # Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
@@ -152,8 +151,8 @@ function CheckExemption($_ModName)
 
 }
 
-function CheckFailedDriver($_ModName, $CIStats)
-{
+function CheckFailedDriver($_ModName, $CIStats)''
+{''
     Log "Module: " $_ModName.Trim()
     if(CheckExemption($_ModName.Trim()) - eq 1)
     {