deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-22 22:03:46 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'public' into patch-10

Browse Source
This commit is contained in:
mapalko
2021-03-24 17:27:28 -07:00
committed by GitHub
parent 8f5b09d2bb 05d577fcb9
commit 8f85742fa8
1694 changed files with 2607 additions and 50066 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -1853,7 +1853,7 @@ The Enterprise Key Admins group was introduced in Windows Server 2016.
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None |
@ -2331,7 +2331,7 @@ The Key Admins group applies to versions of the Windows Server operating system
| Default container | CN=Users, DC=<domain>, DC= |
| Default members | None |
| Default member of | None |
| Protected by ADMINSDHOLDER? | No |
| Protected by ADMINSDHOLDER? | Yes |
| Safe to move out of default container? | Yes |
| Safe to delegate management of this group to non-Service admins? | No |
| Default User Rights | None |

9
windows/security/identity-protection/credential-guard/credential-guard-manage.md
View File

@ -263,11 +263,10 @@ To disable Windows Defender Credential Guard, you can use the following set of p
>bcdedit /set vsmlaunchtype off
>```
> [!NOTE]
> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity).
For more info on virtualization-based security and HVCI, see [Enable virtualization-based protection of code integrity](/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
).
> [!NOTE]
> Credential Guard and Device Guard are not supported when using Azure Gen 1 VMs. These options are available with Gen 2 VMs only.
<span id="turn-off-with-hardware-readiness-tool"/>
@ -292,5 +291,3 @@ From the host, you can disable Windows Defender Credential Guard for a virtual m
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```

2
windows/security/identity-protection/credential-guard/dg-readiness-tool.md
View File

@ -678,7 +678,7 @@ function CheckDriverCompat
if($verifier_state.ToString().Contains("No drivers are currently verified."))
{
LogAndConsole "Enabling Driver verifier"
verifier.exe /flags 0x02000000 /all /log.code_integrity
verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity
LogAndConsole "Enabling Driver Verifier and Rebooting system"
Log $verifier_state

10
windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
View File

@ -22,10 +22,8 @@ ms.reviewer:
**Requirements**
- Windows 10
- Certificate trust deployments
- Hybrid and On-premises Windows Hello for Business deployments
- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
- Certificate trust deployments
Windows Hello for Business supports using a certificate deployed to a Windows Hello for Business container as a supplied credential to establish a remote desktop connection to a server or another device. This functionality is not supported for key trust deployments. This feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Windows Hello for Business key trust can be used with [Windows Defender Remote Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/remote-credential-guard).
@ -35,9 +33,8 @@ Microsoft continues to investigate supporting using keys trust for supplied cred
**Requirements**
- Hybrid and On-premises Windows Hello for Business deployments
- Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments
- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
- Certificate trust deployments
- Biometric enrollments
- Windows 10, version 1809
@ -57,7 +54,8 @@ Windows Hello for Business emulates a smart card for application compatibility.
Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
> [!div class="mx-imgBorder"]
> ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
> [!IMPORTANT]
> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.

6
windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
View File

@ -82,7 +82,11 @@ The certificate template is configured to supersede all the certificate template
> [!NOTE]
> A domain controller's certificate must chain to a certificate in the NTAuth store in Active Directory. By default, online "Enterprise" Active Directory Certificate Authority certificates are added to the NTAuth store at installation time. If you are using a third-party CA, this is not done by default. If the domain controller certificate does not chain to a trusted CA in the NTAuth store, user authentication will fail.
> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers.
> You can view an AD forest's NTAuth store (NTAuthCertificates) using PKIVIEW.MSC from an ADCS CA. Open PKIView.msc, then click the Action menu -> Manage AD Containers. The following PowerShell command can be used to check all certificates in the NTAuth store:
>
>```powershell
>Certutil -viewstore -enterprise NTAuth
>```
### Publish Certificate Templates to a Certificate Authority

10
windows/security/identity-protection/vpn/vpn-connection-type.md
View File

@ -42,6 +42,9 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
- [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
> [!NOTE]
> When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
- Automatic
@ -63,11 +66,13 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
![Available connection types](images/vpn-connection-intune.png)
> [!div class="mx-imgBorder"]
> ![Available connection types](images/vpn-connection-intune.png)
In Intune, you can also include custom XML for third-party plug-in profiles:
![Custom XML](images/vpn-custom-xml-intune.png)
> [!div class="mx-imgBorder"]
> ![Custom XML](images/vpn-custom-xml-intune.png)
## Related topics
@ -85,4 +90,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles: