diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 0f8956b7ef..33c5ea3eb0 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -214,7 +214,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v2.0.ps1 -Enable -AutoReboot +DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot ``` #### Credential Guard deployment in virtual machines @@ -283,7 +283,7 @@ For more info on virtualization-based security and Device Guard, see [Device Gua You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v2.0.ps1 -Disable -AutoReboot +DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot ```   ### Check that Credential Guard is running @@ -301,7 +301,7 @@ You can use System Information to ensure that Credential Guard is running on a P You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). ``` -DG_Readiness_Tool_v2.0.ps1 -Ready +DG_Readiness_Tool_v3.0.ps1 -Ready ``` ## Considerations when using Credential Guard diff --git a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md index 9f7be87cbb..b2d83a318c 100644 --- a/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md +++ b/windows/keep-secure/deploy-device-guard-enable-virtualization-based-security.md @@ -33,7 +33,7 @@ In addition to the hardware requirements found in [Hardware, firmware, and softw - With Windows 10, version 1607 or Windows Server 2016:
Hyper-V Hypervisor, which is enabled automatically. No further action is needed. -- With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
+- With an earlier version of Windows 10:
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1). > **Note**  You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box. @@ -91,7 +91,7 @@ There are multiple ways to configure VBS features for Device Guard: - With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
For an initial deployment or test deployment, we recommend **Enabled without lock**.
When your deployment is stable in your environment, we recommend changing to **Enabled with lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person. - - With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. + - With earlier versions of Windows 10:
Select the **Enable Virtualization Based Protection of Code Integrity** check box. ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png) @@ -183,7 +183,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformS reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` If you want to customize the preceding recommended settings, use the following settings. @@ -211,7 +211,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforc **To enable virtualization-based protection of Code Integrity policies without UEFI lock** ``` command -reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f ``` ### Validate enabled Device Guard hardware-based security features