From f6a8aa6fb69c1346ba6e6cf1dc9880699d7c2a91 Mon Sep 17 00:00:00 2001 From: Jake Stoker <94176328+JASTOKER@users.noreply.github.com> Date: Mon, 17 Oct 2022 14:44:50 +0100 Subject: [PATCH 01/11] Adding cloud kerberos trust I believe this guide is also for cloud kerberos trust deployments as well? I.e. a customer wants to deploy a cert to enable RDP. This is also linked in the FAQ section of the Cloud Kerberos Trust doc. --- .../hello-for-business/hello-deployment-rdp-certs.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index d0cc1cad93..738635f76d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -15,13 +15,14 @@ appliesto: - ✅ Windows 11 - ✅ Hybrid deployment - ✅ Key trust +- ✅ Cloud kerberos trust --- -# Deploying Certificates to Key Trust Users to Enable RDP +# Deploying Certificates to Key Trust/Cloud Kerberos Trust Users to Enable RDP Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. -This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user. +This document discusses an approach for key trust/cloud kerberos trust deployments where authentication certificates can be deployed to an existing key trust user. Three approaches are documented here: From b974f4f0eee7411dfb3b856621acf545c9aba4ab Mon Sep 17 00:00:00 2001 
From: greg-lindsay Date: Mon, 17 Oct 2022 15:58:05 -0700 Subject: [PATCH 02/11] add error found and fixed example --- windows/deployment/upgrade/quick-fixes.md | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md index efd7119b31..681bdcc658 100644 --- a/windows/deployment/upgrade/quick-fixes.md +++ b/windows/deployment/upgrade/quick-fixes.md @@ -134,7 +134,7 @@ To check and repair system files: 4. If you are prompted by UAC, click **Yes**. -5. Type **sfc /scannow** and press ENTER. See the following example: +5. Type **sfc /scannow** and press ENTER. See the following examples: ```console C:\>sfc /scannow @@ -146,6 +146,20 @@ To check and repair system files: Windows Resource Protection did not find any integrity violations. ``` + + ```console + C:\>sfc /scannow + + Beginning system scan. This process will take some time. + + Beginning verification phase of system scan. + Verification 100% complete. + + Windows Resource Protection found corrupt files and successfully repaired them. + For online repairs, details are included in the CBS log file located at + windir\Logs\CBS\CBS.log. For example C:\Windows\Logs\CBS\CBS.log. For offline + repairs, details are included in the log file provided by the /OFFLOGFILE flag. + ``` 6. If you are running Windows 8.1 or later, type **DISM.exe /Online /Cleanup-image /Restorehealth** and press ENTER (the DISM command options are not available for Windows 7). See the following example: ```console From 0d1dcb9d073b63beda617d80abf8c0cdb60faff5 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Tue, 18 Oct 2022 10:02:38 -0700 Subject: [PATCH 03/11] Update security-compliance-toolkit-10.md Added Windows 10 22H2 support --- .../security-compliance-toolkit-10.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index 3fb82ea906..e2ece168e1 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -28,6 +28,7 @@ The Security Compliance Toolkit consists of: - Windows 11, version 22H2 - Windows 11, version 21H2 - Windows 10 security baselines + - Windows 10, version 22H2 - Windows 10, version 21H2 - Windows 10, version 21H1 - Windows 10, version 20H2 From 4f8f8fe656601a1000d077801f5430cda417ed62 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Tue, 18 Oct 2022 10:07:56 -0700 Subject: [PATCH 04/11] Update get-support-for-security-baselines.md --- .../get-support-for-security-baselines.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index 1e396d55eb..2e32cde2fd 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -55,7 +55,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t | Name | Build | Baseline Release Date | Security Tools | | ---- | ----- | --------------------- | -------------- | | Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
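
Review bot: In PATCH 01/11 (hello-deployment-rdp-certs.md), the rewritten intro sentence still ends with "can be deployed to an existing key trust user", so it names only one of the two deployment types that the new heading and the new appliesto entry cover; reword the ending so it applies to both. The appliesto entry "Cloud kerberos trust" and the body text "cloud kerberos trust" should also capitalize Kerberos, as the new heading in the same hunk already does.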
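
Review bot: In PATCH 02/11 (quick-fixes.md, step 5), the two console blocks are now stacked with nothing between them to say which outcome each one shows; a reader has to read to the last lines of each block to see that the first is the clean result and the second is the "found corrupt files and successfully repaired them" result. Put a short label before each block, for example "No problems found:" and "Problems found and repaired:", so the change from "example" to "examples" is backed by text that distinguishes them.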
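
Review bot: In PATCH 04/11 (get-support-for-security-baselines.md), the first link in the new Windows 10 row is labelled [21H2] but its URL is the windows-10-version-22h2-security-baseline post, so the row now shows two 21H2 entries and no 22H2, against a date column that starts with October 2022. Change the label of the first link to 22H2. The commit message is only the default "Update get-support-for-security-baselines.md"; it should say that the Windows 10 22H2 baseline is being added.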
From 6b591f5a960d8831cb32612f2b9e664b72026127 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 19 Oct 2022 12:12:36 -0400 Subject: [PATCH 05/11] Updated troubleshooting links --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- .../identity-protection/hello-for-business/hello-event-300.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 3a4f97b0d0..e878788c76 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -108,5 +108,5 @@ For errors listed in this table, contact Microsoft Support for assistance. - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) -- [Event ID 300 - Windows Hello successfully created](hello-event-300.md) +- [Event ID 300 - Windows Hello successfully created](/troubleshoot/windows-client/user-profiles-and-logon/event-id-300-windows-hello-successfully-created-in-windows-10) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index 8fa58bce19..b0418e21c0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md 
@@ -41,5 +41,5 @@ This is a normal condition. No further action is required. - [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) - [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) - [Windows Hello and password changes](hello-and-password-changes.md) -- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) +- [Windows Hello errors during PIN creation](/troubleshoot/windows-client/user-profiles-and-logon/windows-hello-errors-during-pin-creation-in-windows-10) - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) From 9c42e429b39e675ef4fa2ca3239e3338914ecaea Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 19 Oct 2022 11:27:14 -0500 Subject: [PATCH 06/11] Update hello-errors-during-pin-creation.md --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index e878788c76..ec6b931e13 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -69,7 +69,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client can not verify the KDC certificate CRL. Use a different login method.| +| 0xC00000BB | Your PIN or this option is temporarily unavailable. | The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Another common cause can be the client cannot verify the KDC certificate CRL. Use a different login method.| ## Errors with unknown mitigation From 1c5372cc1874f36b569b0e1b1fb9767fbb40af29 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 19 Oct 2022 10:35:40 -0700 Subject: [PATCH 07/11] breadcrumb file for redir project --- windows/deployment/breadcrumb/bread.yml | 12 ++++++++++++ 1 file changed, 12 insertions(+) create mode 100644 windows/deployment/breadcrumb/bread.yml diff --git a/windows/deployment/breadcrumb/bread.yml b/windows/deployment/breadcrumb/bread.yml new file mode 100644 index 0000000000..a43252b7e8 --- /dev/null +++ b/windows/deployment/breadcrumb/bread.yml 
@@ -0,0 +1,12 @@ +items: +- name: Learn + tocHref: / + topicHref: / + items: + - name: Windows + tocHref: /troubleshoot/windows-client/ + topicHref: /windows/resources/ + items: + - name: Deployment + tocHref: /troubleshoot/windows-client/deployment/ + topicHref: /windows/deployment/ \ No newline at end of file From bbab23a08c4b34921f85575cfef144059feb2f08 Mon Sep 17 00:00:00 2001 From: Meghan Stewart <33289333+mestew@users.noreply.github.com> Date: Wed, 19 Oct 2022 10:39:54 -0700 Subject: [PATCH 08/11] breadcrumb file for redir project --- windows/deployment/breadcrumb/{bread.yml => toc.yml} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/breadcrumb/{bread.yml => toc.yml} (100%) diff --git a/windows/deployment/breadcrumb/bread.yml b/windows/deployment/breadcrumb/toc.yml similarity index 100% rename from windows/deployment/breadcrumb/bread.yml rename to windows/deployment/breadcrumb/toc.yml From 76808d82559c4336dcad88e6353fdcfc89ff59b4 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Wed, 19 Oct 2022 13:40:38 -0700 Subject: [PATCH 09/11] Update get-support-for-security-baselines.md --- .../get-support-for-security-baselines.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md index 2e32cde2fd..0c2b1f1f9a 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md @@ -8,8 +8,8 @@ author: vinaypamnani-msft manager: aaroncz ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 02/14/2022 -ms.reviewer: +ms.date: 10/19/2022 +ms.reviewer: jmunck ms.technology: windows-sec --- 
@@ -55,7 +55,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t | Name | Build | Baseline Release Date | Security Tools | | ---- | ----- | --------------------- | -------------- | | Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520)
| September 2022
|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | -| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | +| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724)
[21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703)
[21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353)
[20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393)
[1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082)
[1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016)
[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022
December 2021
May 2021
December 2020
October 2018
October 2016
January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) | Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
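
Review bot: In PATCH 05/11, each of the two files now points its link for the other page at the /troubleshoot/ copy, yet both local files are still in the tree and hello-errors-during-pin-creation.md is edited again in 06/11. If the local pages are being retired, this change needs the matching redirect entries alongside it; if they are staying, readers are now sent away from the Hello for Business set to a duplicate page. The subject "Updated troubleshooting links" should state which of the two is intended.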
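
Review bot: In PATCH 07/11, the new bread.yml ends without a trailing newline (the "\ No newline at end of file" marker after the last topicHref line); add one so later edits to the file do not show a spurious change on that line. The file is renamed to toc.yml in 08/11 under the same subject line, so the two commits could be squashed and the file created under its final name.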
From 57af324289c36ee268530d458ecccc6f948e6a85 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 19 Oct 2022 16:57:55 -0400 Subject: [PATCH 10/11] Minor fixes --- .../hello-for-business/hello-deployment-rdp-certs.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 738635f76d..94137f93fb 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -15,14 +15,14 @@ appliesto: - ✅ Windows 11 - ✅ Hybrid deployment - ✅ Key trust -- ✅ Cloud kerberos trust +- ✅ Cloud Kerberos trust --- -# Deploying Certificates to Key Trust/Cloud Kerberos Trust Users to Enable RDP +# Deploy Certificates to Key Trust and Cloud Kerberos Trust Users to Enable RDP Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time. -This document discusses an approach for key trust/cloud kerberos trust deployments where authentication certificates can be deployed to an existing key trust user. +This document discusses an approach for key trust and cloud Kerberos trust deployments where authentication certificates can be deployed to an existing WHFB user. Three approaches are documented here: From 743d141abce8aec81ead1aab42fbd2ec87c0fac7 Mon Sep 17 00:00:00 2001 
From: Angela Fleischmann Date: Wed, 19 Oct 2022 15:08:38 -0600 Subject: [PATCH 11/11] Update hello-deployment-rdp-certs.md Line 81: Delete spaces before period. Line 91: Added inline code markers. --- .../hello-for-business/hello-deployment-rdp-certs.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 94137f93fb..50c96ed712 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -78,7 +78,7 @@ Three approaches are documented here: 1. Tick **Microsoft Software Key Storage Provider** 1. Set the Request hash to **SHA256** -1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them . +1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them. 1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates. @@ -88,7 +88,7 @@ Three approaches are documented here: 1. Execute the following command: - certutil -dstemplate \ \> \.txt + `certutil -dstemplate \ \> \.txt` Replace \ with the Template name you took note of earlier in step 7.
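
Review bot: In PATCH 10/11 (hello-deployment-rdp-certs.md), the new intro sentence ends with "an existing WHFB user", but the surrounding lines only spell the product out as "Windows Hello for Business" and do not introduce the acronym. Write the name out in full, or add "(WHFB)" after its first use in the paragraph above.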
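
Review bot: In PATCH 11/11, the certutil line is now wrapped in backticks but still carries the Markdown escape backslashes from the old line; inside inline code those backslashes render literally, so a reader who copies the command gets stray "\" characters in it. Drop the escapes inside the code span and keep them only in the prose line below that begins "Replace".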