From db805a417dbb5944ad1dc20736407b5eef8b658a Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Mon, 16 Sep 2019 16:06:24 +0200 Subject: [PATCH 01/24] Update build-a-distributed-environment-for-windows-10-deployment.md Updated Notes layout, no other changes. --- ...tributed-environment-for-windows-10-deployment.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 944c8ac8aa..a1db593633 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -33,8 +33,8 @@ Figure 1. The machines used in this topic. Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. -**Note**   -Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. +>[!NOTE] +>Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. ### Linked deployment shares in MDT @@ -103,8 +103,8 @@ When you have multiple deployment servers sharing the same content, you need to UserID=MDT_BA SkipBDDWelcome=YES ``` - **Note** - The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). +>[!NOTE] +>The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). 2. Save the Bootstrap.ini file. 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. @@ -167,8 +167,8 @@ When you have multiple deployment servers sharing the same content, you need to 1. In the **Staging** tab, set the quota to **20480 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**. -**Note**   -It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. +>[!NOTE] +>It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. ### Verify replication 1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder. From 753a01dae23d9a3d201d3ee42f9657c846cb4182 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Tue, 17 Sep 2019 11:22:54 +0200 Subject: [PATCH 02/24] Update set-up-mdt-for-bitlocker.md Separated into new step the GPO setting for System / Trusted Platform Module Services. Changed format of Note; added a space between quote marker and text. --- .../set-up-mdt-for-bitlocker.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 70a3a46434..6ff8d794bd 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -29,8 +29,8 @@ To configure your environment for BitLocker, you will need to do the following: 3. Configure the operating system deployment task sequence for BitLocker. 4. Configure the rules (CustomSettings.ini) for BitLocker. ->[!NOTE] ->Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. +> [!NOTE] +> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). @@ -38,8 +38,8 @@ For the purposes of this topic, we will use DC01, a domain controller that is a To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. ->[!NOTE] ->Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. +> [!NOTE] +> Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. @@ -79,11 +79,11 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services - 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy. + 4. Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services + 1. Enable the **Turn on TPM backup to Active Directory Domain Services** policy. ->[!NOTE] ->If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +> [!NOTE] +> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. ### Set permissions in Active Directory for BitLocker From 89b4eb9d639ec97b9ddb465c0c94370729993160 Mon Sep 17 00:00:00 2001 From: Thom McKiernan Date: Wed, 18 Sep 2019 12:27:35 +0100 Subject: [PATCH 03/24] typo corrected on-premise to on-premesis --- windows/deployment/windows-autopilot/autopilot-faq.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 01cdb3ef63..c97fb6e3bb 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -9,7 +9,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article @@ -109,7 +110,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | --- | --- | | Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. | | Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. | -| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | +| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | | Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. | @@ -118,7 +119,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | Question | Answer | | --- | --- | | Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). | -| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). | +| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premises Active Directory domain controller (in addition to being Azure AD joined). | | Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. | | Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included | | [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. | From 9d69d9351fbbce367f1a417d5c8f9d12c63b8381 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 18 Sep 2019 14:32:27 +0200 Subject: [PATCH 04/24] Update windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index a1db593633..69d3cb029c 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -33,7 +33,7 @@ Figure 1. The machines used in this topic. Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. ->[!NOTE] +> [!NOTE] >Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. ### Linked deployment shares in MDT From 1aba58828d9c88ec40965ab8116bdd6d0bd4328a Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 18 Sep 2019 14:33:00 +0200 Subject: [PATCH 05/24] Update windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 69d3cb029c..02abaf19d7 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -34,7 +34,7 @@ Figure 1. The machines used in this topic. Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. > [!NOTE] ->Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. +> Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry and, by default, it will only copy/remove files from the source that are newer than files on the target. ### Linked deployment shares in MDT From 2a70a33e3cee2cca53b368cd14c0cf43ab1ec059 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 18 Sep 2019 14:33:24 +0200 Subject: [PATCH 06/24] Update windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 02abaf19d7..fc43620eed 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -168,7 +168,7 @@ When you have multiple deployment servers sharing the same content, you need to 2. In the **Advanced** tab, set the quota to **8192 MB**. >[!NOTE] ->It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. +> It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. ### Verify replication 1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder. From 552deded52d36b7e90732956556e45b4b8374f59 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 18 Sep 2019 14:33:42 +0200 Subject: [PATCH 07/24] Update windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index fc43620eed..aeeef8d65e 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -167,7 +167,7 @@ When you have multiple deployment servers sharing the same content, you need to 1. In the **Staging** tab, set the quota to **20480 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**. ->[!NOTE] +> [!NOTE] > It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. ### Verify replication From 47dacf678439f659f8da77f09324d8ce1a280ea5 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 18 Sep 2019 14:34:04 +0200 Subject: [PATCH 08/24] Update windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index aeeef8d65e..7c84befa97 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -104,7 +104,7 @@ When you have multiple deployment servers sharing the same content, you need to SkipBDDWelcome=YES ``` >[!NOTE] ->The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). +> The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). 2. Save the Bootstrap.ini file. 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. From 29492e5f13f731aad9cf6df4787763cecce52c23 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Wed, 18 Sep 2019 14:34:15 +0200 Subject: [PATCH 09/24] Update windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 7c84befa97..634479415f 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -103,7 +103,7 @@ When you have multiple deployment servers sharing the same content, you need to UserID=MDT_BA SkipBDDWelcome=YES ``` ->[!NOTE] +> [!NOTE] > The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). 2. Save the Bootstrap.ini file. From 25992adc0650881b3f3ccfe3db420d3bc89120ad Mon Sep 17 00:00:00 2001 From: Dulce Montemayor Date: Wed, 18 Sep 2019 11:14:47 -0700 Subject: [PATCH 10/24] Updated with KB download --- .../microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index fb697ba2a7..83b6790986 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md @@ -25,6 +25,11 @@ ms.topic: article Ensure that your machines: - Are onboarded to Microsoft Defender Advanced Threat Protection - Run with Windows 10 1709 (Fall Creators Update) or later +- Download the following set of optional security updates and deploy them in your network to boost your vulnerability detection rates: +-- KB 4512941 +-- KB 4516077 +-- KB 4516045 +-- KB 4516071 >[!NOTE] >Threat & Vulnerability Management can also scan machines that run on Windows 7 and Windows Server 2019 operating systems and detects vulnerabilities addressed in patch Tuesday. From 5443614e9c99fed605853133cdb1657057b70411 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Wed, 18 Sep 2019 11:28:24 -0700 Subject: [PATCH 11/24] Update faq-wd-app-guard.md --- .../windows-defender-application-guard/faq-wd-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 1d5756d650..650fe854db 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -99,8 +99,8 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |--------|-----------------------------------------------------------------------------------------------| -| **Q:** | How do I trust a subdomain in my site list? | -| **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com. | +| **Q:** | How do I trust a subdomain in my site list? | +| **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com will ensure mail.contoso.com or news.contoso.com are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (contoso.com). This prevents sites such as fakesitecontoso.com from being trusted.|
From ced9abd7d9893f25ada3e7dd5593a801f59f3e0c Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 18 Sep 2019 12:18:37 -0700 Subject: [PATCH 12/24] Revert "Update build-a-distributed-environment-for-windows-10-deployment.md" --- ...uted-environment-for-windows-10-deployment.md | 12 ++++++------ .../set-up-mdt-for-bitlocker.md | 16 ++++++++-------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 634479415f..944c8ac8aa 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -33,8 +33,8 @@ Figure 1. The machines used in this topic. Replicating the content between MDT01 (New York) and MDT02 (Stockholm) can be done in a number of different ways. The most common content replication solutions with Microsoft Deployment Toolkit (MDT) use either the Linked Deployment Shares (LDS) feature or Distributed File System Replication (DFS-R). Some organizations have used a simple robocopy script for replication of the content. -> [!NOTE] -> Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry and, by default, it will only copy/remove files from the source that are newer than files on the target. +**Note**   +Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. ### Linked deployment shares in MDT @@ -103,8 +103,8 @@ When you have multiple deployment servers sharing the same content, you need to UserID=MDT_BA SkipBDDWelcome=YES ``` -> [!NOTE] -> The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). + **Note** + The DeployRoot value needs to go into the Bootstrap.ini file, but you can use the same logic in the CustomSettings.ini file. For example, you can redirect the logs to the local deployment server (SLSHARE), or have the User State Migration Tool (USMT) migration store (UDDIR) local. To learn more about USMT, see [Refresh a Windows 7 computer with Windows 10](refresh-a-windows-7-computer-with-windows-10.md) and [Replace a Windows 7 computer with a Windows 10 computer](replace-a-windows-7-computer-with-a-windows-10-computer.md). 2. Save the Bootstrap.ini file. 3. Using the Deployment Workbench, right-click the **MDT Production** deployment share and select **Update Deployment Share**. @@ -167,8 +167,8 @@ When you have multiple deployment servers sharing the same content, you need to 1. In the **Staging** tab, set the quota to **20480 MB**. 2. In the **Advanced** tab, set the quota to **8192 MB**. -> [!NOTE] -> It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. +**Note**   +It will take some time for the replication configuration to be picked up by the replication members (MDT01 and MDT02). The time for the initial sync will depend on the WAN link speed between the sites. After that, delta changes are replicated quickly. ### Verify replication 1. On MDT02, wait until you start to see content appear in the **E:\\MDTProduction** folder. diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 6ff8d794bd..70a3a46434 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -29,8 +29,8 @@ To configure your environment for BitLocker, you will need to do the following: 3. Configure the operating system deployment task sequence for BitLocker. 4. Configure the rules (CustomSettings.ini) for BitLocker. -> [!NOTE] -> Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. +>[!NOTE] +>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). @@ -38,8 +38,8 @@ For the purposes of this topic, we will use DC01, a domain controller that is a To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. -> [!NOTE] -> Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. +>[!NOTE] +>Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. @@ -79,11 +79,11 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor 3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives 2. Enable the **Configure TPM platform validation profile for BIOS-based firmware configurations** policy. 3. Enable the **Configure TPM platform validation profile for native UEFI firmware configurations** policy. - 4. Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services - 1. Enable the **Turn on TPM backup to Active Directory Domain Services** policy. + Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services + 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy. -> [!NOTE] -> If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +>[!NOTE] +>If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. ### Set permissions in Active Directory for BitLocker From d44a531e11bc18859984da0489252d0191e69de4 Mon Sep 17 00:00:00 2001 From: Andres Mariano Gorzelany <36666927+get-itips@users.noreply.github.com> Date: Wed, 18 Sep 2019 18:23:16 -0300 Subject: [PATCH 13/24] Adding DG_Readiness_Tool Script to repo --- .../credential-guard/dg_readiness_tool.md | 1380 +++++++++++++++++ 1 file changed, 1380 insertions(+) create mode 100644 windows/security/identity-protection/credential-guard/dg_readiness_tool.md diff --git a/windows/security/identity-protection/credential-guard/dg_readiness_tool.md b/windows/security/identity-protection/credential-guard/dg_readiness_tool.md new file mode 100644 index 0000000000..4fd4294e84 --- /dev/null +++ b/windows/security/identity-protection/credential-guard/dg_readiness_tool.md @@ -0,0 +1,1380 @@ +--- +title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool +description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +ms.localizationpriority: medium +audience: ITPro +author: SteveSyfuhs +ms.author: steve.syfuhs +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.date: 09/18/2019 +ms.reviewer: +--- +# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool + +```powershell +# Script to find out if machine is Device Guard compliant +# requires driver verifier on system. +param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) + +$path = "C:\DGLogs\" +$LogFile = $path + "DeviceGuardCheckLog.txt" + +$CompatibleModules = New-Object System.Text.StringBuilder +$FailingModules = New-Object System.Text.StringBuilder +$FailingExecuteWriteCheck = New-Object System.Text.StringBuilder + +$DGVerifyCrit = New-Object System.Text.StringBuilder +$DGVerifyWarn = New-Object System.Text.StringBuilder +$DGVerifySuccess = New-Object System.Text.StringBuilder + + +$Sys32Path = "$env:windir\system32" +$DriverPath = "$env:windir\system32\drivers" + +#generated by certutil -encode +$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA +HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC +NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC +NwoDFQwAAAABCisGAQQBgjdMAwEMAAAAAQorBgEEAYI3TAUBDAAAAAEKKwYBBAGC +N0wLAQEAAAAGAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AQAAAAYAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA +BgAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAA +AQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAUAAAABAAAA +AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABAAAAAEAAAABAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAYAAAABAAAAAgAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABgAAAAEAAAADAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAQAAAAUAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAABAAAADgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAEAAAAOAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AQAAAA4AAAABAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA +DgAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAA +AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAA4AAAABAAAA +AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADgAAAAEAAAADAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAAAQAAAAEAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQAAAABAAAAAQAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAPye3j3MoJGGstO/m3OKIFDLGlVN +otyttV8/cu4XchN4AQAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AQAAAAYAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA +DgAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAHAAAA +AQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAoAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAKAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAQAAAAYAAAABAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAABAAAABwAAAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAABAAAAFAAAAIMAAAAAAAAADIAAAAsAAAAAAAAAAAAAAAEAAAAAAAAA +AgAAAAAAAAADAAAAAAAAAAQAAAAAAAAABQAAAAAAAAALAAAAAAAAAAwAAAAAAAAA +DQAAAAAAAAAOAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAMAAAAAAAAAAyAAAASAAAABgAAAAAAAAAHAAAAAAAAAAgAAAAAAAAA +CQAAAAAAAAAKAAAAAAAAABMAAAAAAAAADwAAAAAAAAAQAAAAAAAAABEAAAAAAAAA +EgAAAAAAAAAUAAAAAAAAABUAAAAAAAAAGgAAAAAAAAAbAAAAAAAAABwAAAAAAAAA +FgAAAAAAAAAXAAAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAgAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA +SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAQAAABJAGQAAAAAAAMAAAAMAAAA +MAAzADEAMAAxADcAAAAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA +SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAgAAABOAGEAbQBlAAAAAAADAAAA +JgAAAEQAZQBmAGEAdQBsAHQAVwBpAG4AZABvAHcAcwBBAHUAZABpAHQAAAAAAAAA +AwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAA +BQAAAAYAAAA=" + +$HSTITest_Encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADxXZfstTz5v7U8+b+1PPm/2GH4vrc8+b+8RGq/ojz5v9hh+r63PPm/2GH9vr48+b+1PPi/qjz5v9hh+b60PPm/2GHwvrc8+b/YYfu+tDz5v1JpY2i1PPm/AAAAAAAAAABQRQAAZIYFAGt3EVgAAAAAAAAAAPAAIiALAg4AABIAAAAaAAAAAAAAkBsAAAAQAAAAAACAAQAAAAAQAAAAAgAACgAAAAoAAAAKAAAAAAAAAABwAAAABAAAxcwAAAMAYEEAAAQAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAEDkAAGQAAAB0OQAABAEAAAAAAAAAAAAAAFAAACABAAAAAAAAAAAAAABgAAAYAAAAwDUAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAA0AAAAAAAAAAAAAAA4DAAAEgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAMURAAAAEAAAABIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAB4DwAAADAAAAAQAAAAFgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAwAUAAABAAAAAAgAAACYAAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAACABAAAAUAAAAAIAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAYAAAAAGAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIiVwkCFVWV0FWQVdIi+xIg+wwM/9IjUU4TIv5iX1ISI1NSIl9QEUzyYl9OEyNRUBIiUQkIDPS6AwJAACL2D1XAAeAD4WrAAAAi0VASGnYDCIAAP8V/yAAAI13CEyLw0iLyIvW/xX2IAAATIvwSIXAdQe7DgAHgOtxi104/xXWIAAARIvDi9ZIi8j/FdAgAABIi/BIhcB1B7sOAAeA6x5IjUU4TIvOTI1FQEiJRCQgSYvWSI1NSOiNCAAAi9j/FZUgAABNi8Yz0kiLyP8VlyAAAEiF9nQU/xV8IAAATIvGM9JIi8j/FX4gAAA5fUhAD5THQYk/i8NIi1wkYEiDxDBBX0FeX15dw8zMzMzMzMzMzOkzCAAAzMzMzMzMzEiJXCQYSIl0JCBXSIHscAEAAEiLBbsuAABIM8RIiYQkYAEAAA8QBRkhAACL8kiL+TPSSI1MJGBBuPQAAADzD39EJFDo6g4AAEiDZCQwAEiNTCRQg2QkQABFM8nHRCQogAAAALoAAABAx0QkIAMAAABFjUEB/xWSHwAASIvYSIP4/3RGQbkCAAAARTPAM9JIi8j/FX0fAACD+P90HkiDZCQgAEyNTCRARIvGSIvXSIvL/xVmHwAAhcB1Bv8VPB8AAEiLy/8VYx8AAEiLjCRgAQAASDPM6AsLAABMjZwkcAEAAEmLWyBJi3MoSYvjX8PMzMzMzMxIg+woM9JMi8lIhcl0Hrr///9/M8BEi8I4AXQJSP/BSYPoAXXzTYXAdSEz0rhXAAeAM8mFwEgPScp4C41RAUmLyejG/v//SIPEKMNJK9Dr4czMzMzMzMzMSIlcJAhIiXQkEFdIg+wgQYvZSYv4SIvy6Iv///+L00iLz+iN/v//SIvOSItcJDBIi3QkOEiDxCBf6Wr////MzMzMzMyJVCQQSIPsKAkRSI0Nsx8AAOhO////ugQAAABIjUwkOOhL/v//SI0NqB8AAOgz////SIPEKMPMzMzMzMxAVVNWV0FUQVVBVkFXSI1sJOFIgeyYAAAASIsF6CwAAEgzxEiJRQ9FM/ZIiVXnM9JIiU3vRIl1p0GL3kiJXbdJi8BIiUXXTYvpRIl1r0GL/kSJdfdFi+ZIiVX7RYv+SIlVA0yJdc9IhckPhBEFAABIhcAPhAgFAABNhckPhP8EAABBgzkBdBHHRaeAAAAAvwJAAIDp7QQAAEiNDQkfAADohP7//0WLfQREiX2/SWnfDCIAAP8Vtx0AAEyLw7oIAAAASIvI/xWuHQAATIvgSIXAdShIjQ3vHgAA6Er+////FUwdAAAPt/iBzwAAB4CFwA9O+EmL3umLBAAASI0N9x4AAOgi/v//RIl1s0WF/w+EiwIAAEmNXQhIiV3HSY20JAwCAABIjQ32HgAA6Pn9//+LQwiJhvT9//+FwHktPbsAAMB1EUiNDe4eAADo2f3//+kaAgAASI0N/R4AAOjI/f//g02nQOkFAgAAixtJA92DOwN0Gw+6bacIugEAAABIjY78/f//6Dv+///p4AEAAEyNhgD+//+6BAAAAEmLwEiNSwgPEAFIjYmAAAAADxEASI2AgAAAAA8QSZAPEUiQDxBBoA8RQKAPEEmwDxFIsA8QQcAPEUDADxBJ0A8RSNAPEEHgDxFA4A8QSfAPEUjwSIPqAXWuQbkAAgAASI0VgB4AAEiNDYEeAADodP3//4uLCAIAALoAEAAAQYv+TI0ES0iBwQwCAABMA8FIi85MK8ZIjYL+7/9/SIXAdBdBD7cECGaFwHQNZokBSIPBAkiD6gF13UiF0nUJSIPpAr96AAeAZkSJMUiNFSYeAABIjQ0nHgAAQbkAIAAATIvG6AH9//9MjXMEQYsOjUH/g/gDD4fDAAAA/0SN90iNFQMeAACJjvj9//9BuQQAAABIjQ34HQAATYvG6Mj8//9BiwaDfIX3AXZESI2O/P3//7oEAAAA6PH8//9Biw6D6QF0JYPpAXQag+kBdA+D+QEPhaIAAACDTacI63eDTacE63GDTacC62uDTacB62WD+AF1YIuDCAIAAEyNRa9BuQQAAACJRa9IjRWTHQAASI0NrB0AAOhP/P//RTP2RDl1r3UOD7ptpwlBjVYI6TX+//9IjYMMAgAASIlFz+sZD7ptpwlIjY78/f//ugIAAADoWfz//0Uz9otFs0iBxgwiAABIg0XHDP/AiUWzQTvHcxdIi13H6ZP9//+/BUAAgEiLXbfp5wEAAEQ5dad0DkiNDU0dAADoePv//+vji12v/xW1GgAARIvDuggAAABIi8j/FawaAABIiUW3SIvYSIXAdRZIjQ1JHQAA6ET7//+/FwAA0OmXAQAASI0NYx0AAOgu+///i0WvRI2wBgEAAEaNNHBEiXWzRYX/D4TFAAAASY1cJAhJjXUISI0N+xsAAOj++v//gXv4uwAAwHUOSI0N/hsAAOjp+v//63xEOXYEcxS6EAAAAA+6bacJSIvL6Gv7///rYosOSQPNi4EIAgAAO0WvdAe6CAAAAOvaRTPATI0MQUyNFAhEOUWvdjpMi3W3Qw+2jBAMAgAA99FDhIwIDAIAAHQID7ptpwmDCyBDioQIDAIAAEMIBDBB/8BEO0Wvcs5Ei3WzSIPGDEiBwwwiAABJg+8BD4VM////RIt9v0iLXbdFM/ZEOXWndBFIjQ0OHAAA6Dn6///pkQAAAEGL9kQ5da8PhoQAAABMi3W3TIttz0iNDYgcAADoE/r//4vGTI1Fq0G5AQAAAEiNFZgcAABCigwwSo0cKCILiE2rSI0NlBwAAOg/+v//QbkBAAAASI0VkhwAAEyLw0iNDZgcAADoI/r//4oDOEWrdBBIjQ2dHAAA6Lj5//+DTacg/8Y7da9yjuly+///v1cAB4BIjQ2sHAAA6Jf5//9BuQQAAABMjUWnSI0VphwAAEiNDa8cAADo0vn//02F5HRdTIt150iLdddNhfZ0NEQ5PnIvSI0NnBwAAOhX+f//QYvHSYvUTGnADCIAAEmLzuh0BwAASI0NmxwAAOg2+f//6wW/VwAHgESJPv8VbhgAAE2LxDPSSIvI/xVwGAAASIXbdBT/FVUYAABMi8Mz0kiLyP8VVxgAAEiLRe9IhcB0BYtNp4kIi8dIi00PSDPM6NMDAABIgcSYAAAAQV9BXkFdQVxfXltdw8zMzMzMzMxIi8RIiVgISIloEEiJcBhXQVZBV0iD7DCDYNgATYvxSYv4TI1I2EiL8kyL+UUzwDPSuaYAAAD/FWwYAACL2D0EAADAdAkPuusc6dkAAACDfCQgFHMKuwVAAIDpyAAAAItcJCD/FacXAABEi8O6CAAAAEiLyP8VnhcAAEiL6EiFwHUKuw4AB4DpmwAAAESLRCQgRTPJSIvQuaYAAAD/FQYYAACL2IXAeQYPuusc6zdIjQ2TGwAA6A74//+LVCQgSIvN6A73//9IjQ2LGwAA6Pb3//9Mi81Mi8dIi9ZJi8/ovfj//4vYSIt8JHCLdCQgSIX/dBk5N3IVTYX2dBBEi8ZIi9VJi87o8AUAAOsFu1cAB4CJN/8V9xYAAEyLxTPSSIvI/xX5FgAASItsJFiLw0iLXCRQSIt0JGBIg8QwQV9BXl/DzMzMzMzMSIlcJAhXSIPsIIP6AXU8SI0VmhcAAEiNDYsXAADoaAMAAIXAdAczwOmjAAAASI0VbBcAAEiNDV0XAADoVgMAAP8FKiUAAOmAAAAAhdJ1fDkVUyUAAHRtSIsNGiUAAOgxAgAASIsNFiUAAEiL+OgiAgAASI1Y+OsXSIsL6BQCAABIhcB0Bv8VBRcAAEiD6whIO99z5IM9DSUAAAR2FP8VJRYAAEyLxzPSSIvI/xUnFgAA6O4BAABIiQXDJAAASIkFtCQAAIMlpSQAAAC4AQAAAEiLXCQwSIPEIF/DzMzMzMzMzMzMzMzMzMzMzMzMzMzMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1BeijAQAATIvHi9NIi85Ii1wkMEiLdCQ4SIPEIF/pBwAAAMzMzMzMzMxMiUQkGIlUJBBIiUwkCFNWV0iB7JAAAACL+kiL8cdEJCABAAAAhdJ1EzkVDSQAAHULM9uJXCQg6d8AAACNQv+D+AF3MkyLhCTAAAAA6Hv+//+L2IlEJCDrFTPbiVwkIIu8JLgAAABIi7QksAAAAIXbD4SlAAAATIuEJMAAAACL10iLzujoAQAAi9iJRCQg6xUz24lcJCCLvCS4AAAASIu0JLAAAACD/wF1SIXbdURFM8Az0kiLzui1AQAA6xOLvCS4AAAASIu0JLAAAACLXCQgRTPAM9JIi87o7/3//+sTi7wkuAAAAEiLtCSwAAAAi1wkIIX/dAWD/wN1IEyLhCTAAAAAi9dIi87ov/3//4vYiUQkIOsGM9uJXCQgi8NIgcSQAAAAX15bw8zMzMzMzMzMzMxmZg8fhAAAAAAASDsN6SIAAHUQSMHBEGb3wf//dQHDSMHJEOmSAQAAzMzMzMzMSP8ltRQAAMzMzMzMzMzMzDPJSP8lmxQAAMzMzMzMzMxIiVwkIFVIi+xIg+wgSINlGABIuzKi3y2ZKwAASIsFiSIAAEg7ww+FjwAAAEiNTRj/FU4UAABIi0UYSIlFEP8VABQAAIvASDFFEP8V/BMAAIvASDFFEP8VIBQAAIvASMHgGEgxRRD/FRAUAACLwEiNTRBIM0UQSDPBSI1NIEiJRRD/FeUTAACLRSBIuf///////wAASMHgIEgzRSBIM0UQSCPBSLkzot8tmSsAAEg7w0gPRMFIiQXxIQAASItcJEhI99BIiQXqIQAASIPEIF3DzMzMzMzM/yXYEgAAzMzMzMzM/yXEEgAAzMzMzMzMzMxIg+wog/oBdQb/FTUTAAC4AQAAAEiDxCjDzMzMzMzMzMzMzMzMzMzMzMzMzMIAAMzMzMzMzMzMzEBTSIPsIEiL2TPJ/xWTEgAASIvL/xWCEgAA/xUUEwAASIvIugkEAMBIg8QgW0j/JfgSAADMzMzMzMzMzMzMzMzMzMzMSIlMJAhIgeyIAAAASI0NHSIAAP8VLxMAAEiLBQgjAABIiUQkSEUzwEiNVCRQSItMJEj/FSATAABIiUQkQEiDfCRAAHRCSMdEJDgAAAAASI1EJFhIiUQkMEiNRCRgSIlEJChIjQXHIQAASIlEJCBMi0wkQEyLRCRISItUJFAzyf8VyxIAAOsjSIsFOiIAAEiLAEiJBZAiAABIiwUpIgAASIPACEiJBR4iAABIiwV3IgAASIkF6CAAAEiLhCSQAAAASIkF6SEAAMcFvyAAAAkEAMDHBbkgAAABAAAAxwXDIAAAAwAAALgIAAAASGvAAEiNDbsgAABIxwQBAgAAALgIAAAASGvAAUiNDaMgAABIixUsIAAASIkUAbgIAAAASGvAAkiNDYggAABIixUZIAAASIkUAbgIAAAASGvAAEiLDf0fAABIiUwEaLgIAAAASGvAAUiLDfAfAABIiUwEaEiNDdwPAADoU/7//0iBxIgAAADDzMzMzMzMzMzMzMzMzMzMzMzMzMzM/yWUEAAAzMzMzMzM/yWQEAAAzMzMzMzM/yWMEAAAzMzMzMzMzMxIg+woTYtBOEiLykmL0egRAAAAuAEAAABIg8Qow8zMzMzMzMxAU0WLGEiL2kGD4/hMi8lB9gAETIvRdBNBi0AITWNQBPfYTAPRSGPITCPRSWPDSosUEEiLQxCLSAhIA0sI9kEDD3QMD7ZBA4Pg8EiYTAPITDPKSYvJW+kl/P//zMzMzMzMzMzMzMxmZg8fhAAAAAAA/+DMzMzMzMxAVUiD7CBIi+pIiU04SIsBixCJVSRIiU1AM8BIg8QgXcPMQFVIg+wgSIvqSIlNSEiLAYsQiVUoSIlNUDPASIPEIF3DzEBVSIPsIEiL6kiJTVhIiwGLEIlVLEiJTWAzwEiDxCBdw8xAVUiD7CBIi+pIiU1oSIsBixCJVTBIiU1wM8BIg8QgXcPMQFVIg+wgSIvqSIlNeEiLAYsQiVU0SImNgAAAADPASIPEIF3DzEBVSIPsIEiL6kiDxCBdw8wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBAAIABAAAA8EAAgAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgAEAAAAAAAAAAAAAAAAAAAAAAAAAKDIAgAEAAAAwMgCAAQAAAFgyAIABAAAABQAAAAAAAAAANQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeD4AAAAAAABkPwAAAAAAAG4/AAAAAAAAAAAAAAAAAADOOwAAAAAAAMA7AAAAAAAAAAAAAAAAAAAQPQAAAAAAACw9AAAAAAAA6j4AAAAAAAAAAAAAAAAAAPo+AAAAAAAA2D4AAAAAAADMPgAAAAAAAAAAAAAAAAAACD8AAAAAAAAAAAAAAAAAAFI8AAAAAAAAFj8AAAAAAABGPAAAAAAAAAAAAAAAAAAA9DwAAAAAAAAAAAAAAAAAAJ48AAAAAAAAtDwAAAAAAABePQAAAAAAAEo9AAAAAAAAAAAAAAAAAACEPAAAAAAAAAAAAAAAAAAA5DwAAAAAAADKPAAAAAAAAAAAAAAAAAAAZDwAAAAAAAB0PAAAAAAAAAAAAAAAAAAAsD4AAAAAAAD6OwAAAAAAACg8AAAAAAAADjwAAAAAAAAAAAAAAAAAAHAeAIABAAAAACEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAgEQAAkBsAAHAeAADAHgAAAAAAAC5caHN0aXRyYWNlLmxvZwAgUHJvdmlkZXJFcnJvcjoAOlByb3ZpZGVyRXJyb3IgAERldGVybWluaW5nIENvdW50LiAAAAAAAAAAAAAAAAAAICEhISBFcnJvciBidWZmZXIgZmFpbGVkIGFsbG9jYXRpb24gISEhIAAAAAAAAAAARGV0ZXJtaW5lIFNlY3VyaXR5RmVhdHVyZXNTaXplLiAAAAAAAAAAAExvb3AuLi4gAAAAAAAAAAAAAAAAAAAAACBVbnN1cHBvcnRlZCBBSVAgaWdub3JlZCAAAAAAAAAAICEhISBVRUZJIFByb3RvY29sIEVycm9yIERldGVjdGVkICEhISAAADpJRCAAAAAAIElEOgAAAAA6RVJST1IgACBFUlJPUjoAOlJPTEUgAAAgUk9MRToAAAAAAAAAAAAAOnNlY3VyaXR5RmVhdHVyZXNTaXplIAAAAAAAAAAAAAAgc2VjdXJpdHlGZWF0dXJlc1NpemU6AAAAAAAAAAAAACAhISEgRXJyb3IgZGV0ZWN0ZWQsIGJhaWxpbmcgb3V0ICEhISAAAAAAAAAAAAAAAFZlcmlmaWVkIGJ1ZmZlciBhbGxvY2F0aW9uIGZhaWxlZC4AAAAAAAAAAAAAAAAAAExvb3Bpbmcgb24gcHJvdmlkZXJzIHRvIGFjY3VtdWxhdGUgaW1wbGVtZW50ZWQgYW5kIHZlcmlmaWVkLgAAAABDb21wYXJpbmcgcmVxdWlyZWQgYnl0ZSB0byB2ZXJpZmllZC4uLgAAOlZFUklGSUVEIAAAAAAAACBWRVJJRklFRDoAAAAAAAA6UkVRVUlSRUQgAAAAAAAAIFJFUVVJUkVEOgAAAAAAAAAAAAAAAAAAISEhIHZlcmlmaWVkIGJ5dGUgZG9lcyBub3QgbWF0Y2ggcmVxdWlyZWQgISEhAAAAQ0xFQU5VUCAAAAAAAAAAADpPVkVSQUxMAAAAAAAAAABPVkVSQUxMOgAAAAAAAAAAUHJvdmlkZXIgRXJyb3JzIGNvcHkgc3RhcnQAAAAAAABQcm92aWRlciBFcnJvcnMgY29weSBlbmQAAAAAAAAAAEJMT0IgU3RhcnQ6AAAAAAA6QkxPQiBFbmQgIAAAAAAAAAAAAGt3EVgAAAAAAgAAACUAAAD4NQAA+BsAAAAAAABrdxFYAAAAAA0AAACgAQAAIDYAACAcAABSU0RT1J4Ttoijw0G4zY0uYG3g7wEAAABIc3RpVGVzdC5wZGIAAAAAR0NUTAAQAADwEAAALnRleHQkbW4AAAAA8CAAABIAAAAudGV4dCRtbiQwMAACIQAAwwAAAC50ZXh0JHgAADAAAOAAAAAucmRhdGEkYnJjAADgMAAASAEAAC5pZGF0YSQ1AAAAACgyAAAQAAAALjAwY2ZnAAA4MgAACAAAAC5DUlQkWENBAAAAAEAyAAAIAAAALkNSVCRYQ1oAAAAASDIAAAgAAAAuQ1JUJFhJQQAAAABQMgAACAAAAC5DUlQkWElaAAAAAFgyAAAYAAAALmNmZ3VhcmQAAAAAcDIAAIgDAAAucmRhdGEAAPg1AADIAQAALnJkYXRhJHp6emRiZwAAAMA3AABQAQAALnhkYXRhAAAQOQAAZAAAAC5lZGF0YQAAdDkAAPAAAAAuaWRhdGEkMgAAAABkOgAAFAAAAC5pZGF0YSQzAAAAAHg6AABIAQAALmlkYXRhJDQAAAAAwDsAALgDAAAuaWRhdGEkNgAAAAAAQAAAEAAAAC5kYXRhAAAAEEAAALAFAAAuYnNzAAAAAABQAAAgAQAALnBkYXRhAAABEwgAEzQMABNSDPAK4AhwB2AGUBkkBwASZDMAEjQyABIBLgALcAAAbCAAAGABAAABBAEABEIAAAEPBgAPZAcADzQGAA8yC3ABCAEACEIAABknCgAZARMADfAL4AnQB8AFcARgAzACUGwgAACIAAAAARgKABhkDAAYVAsAGDQKABhSFPAS4BBwGRgFABgBEgARcBBgDzAAAEYgAAAGAAAAGBwAAC0cAAAIIQAALRwAAEocAABkHAAAKiEAAGQcAACCHAAAkRwAAEwhAACRHAAApBwAALMcAABuIQAAsxwAAM8cAADpHAAAkCEAAOkcAAD5GwAA7xwAALUhAAAAAAAAAQYCAAYyAlABCgQACjQGAAoyBnAAAAAAAQAAAAENBAANNAkADTIGUAEGAgAGMgIwAQwCAAwBEQABAAAAAQIBAAIwAAAAAAAAAAAAAAAAAAAAAAAAd24RWAAAAABMOQAAAQAAAAIAAAACAAAAODkAAEA5AABIOQAAEBAAACARAABZOQAAYzkAAAAAAQBIU1RJVEVTVC5kbGwAUXVlcnlIU1RJAFF1ZXJ5SFNUSWRldGFpbHMAmDoAAAAAAAAAAAAA2jsAAAAxAACYOwAAAAAAAAAAAAA8PAAAADIAAAA7AAAAAAAAAAAAAHI9AABoMQAAgDsAAAAAAAAAAAAAkj0AAOgxAABYOwAAAAAAAAAAAACyPQAAwDEAADA7AAAAAAAAAAAAANY9AACYMQAAaDsAAAAAAAAAAAAAAD4AANAxAAAgOwAAAAAAAAAAAAAkPgAAiDEAALA6AAAAAAAAAAAAAE4+AAAYMQAAeDoAAAAAAAAAAAAAkD4AAOAwAADQOgAAAAAAAAAAAAAiPwAAODEAAPA6AAAAAAAAAAAAAEI/AABYMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4PgAAAAAAAGQ/AAAAAAAAbj8AAAAAAAAAAAAAAAAAAM47AAAAAAAAwDsAAAAAAAAAAAAAAAAAABA9AAAAAAAALD0AAAAAAADqPgAAAAAAAAAAAAAAAAAA+j4AAAAAAADYPgAAAAAAAMw+AAAAAAAAAAAAAAAAAAAIPwAAAAAAAAAAAAAAAAAAUjwAAAAAAAAWPwAAAAAAAEY8AAAAAAAAAAAAAAAAAAD0PAAAAAAAAAAAAAAAAAAAnjwAAAAAAAC0PAAAAAAAAF49AAAAAAAASj0AAAAAAAAAAAAAAAAAAIQ8AAAAAAAAAAAAAAAAAADkPAAAAAAAAMo8AAAAAAAAAAAAAAAAAABkPAAAAAAAAHQ8AAAAAAAAAAAAAAAAAACwPgAAAAAAAPo7AAAAAAAAKDwAAAAAAAAOPAAAAAAAAAAAAAAAAAAABwBfaW5pdHRlcm1fZQAGAF9pbml0dGVybQBhcGktbXMtd2luLWNvcmUtY3J0LWwyLTEtMC5kbGwAANACUnRsQ2FwdHVyZUNvbnRleHQAjQRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAC3BVJ0bFZpcnR1YWxVbndpbmQAAG50ZGxsLmRsbAAGAEhlYXBGcmVlAAAAAEdldFByb2Nlc3NIZWFwAAAEAEVuY29kZVBvaW50ZXIAAQBEZWNvZGVQb2ludGVyAAAAUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIADQBHZXRDdXJyZW50UHJvY2Vzc0lkABEAR2V0Q3VycmVudFRocmVhZElkAAAUAEdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgAR2V0VGlja0NvdW50AAABAERpc2FibGVUaHJlYWRMaWJyYXJ5Q2FsbHMAEQBVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAA8AU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAwAR2V0Q3VycmVudFByb2Nlc3MATQBUZXJtaW5hdGVQcm9jZXNzAABhcGktbXMtd2luLWNvcmUtaGVhcC1sMS0yLTAuZGxsAGFwaS1tcy13aW4tY29yZS11dGlsLWwxLTEtMC5kbGwAYXBpLW1zLXdpbi1jb3JlLXByb2ZpbGUtbDEtMS0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLXByb2Nlc3N0aHJlYWRzLWwxLTEtMi5kbGwAYXBpLW1zLXdpbi1jb3JlLXN5c2luZm8tbDEtMi0xLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWxpYnJhcnlsb2FkZXItbDEtMi0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWVycm9yaGFuZGxpbmctbDEtMS0xLmRsbAAAAABfX0Nfc3BlY2lmaWNfaGFuZGxlcgAAYXBpLW1zLXdpbi1jb3JlLWNydC1sMS0xLTAuZGxsAADbAU50UXVlcnlTeXN0ZW1JbmZvcm1hdGlvbgAAWQBXcml0ZUZpbGUAUwBTZXRGaWxlUG9pbnRlcgAABQBHZXRMYXN0RXJyb3IAAAUAQ3JlYXRlRmlsZUEAAABDbG9zZUhhbmRsZQACAEhlYXBBbGxvYwBhcGktbXMtd2luLWNvcmUtZmlsZS1sMS0yLTEuZGxsAGFwaS1tcy13aW4tY29yZS1oYW5kbGUtbDEtMS0wLmRsbAAzAG1lbWNweQAANwBtZW1zZXQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAXEQAAwDcAACwRAAAaEgAA1DcAACASAABwEgAA8DcAAHgSAAC2EgAA+DcAALwSAADyEgAACDgAAPgSAABRGQAAEDgAAFgZAACaGgAAMDgAAKAaAAB7GwAAyDgAAJAbAADNGwAA+DcAANQbAAD8HAAASDgAABAdAAAuHQAA2DgAAFQdAAAkHgAA3DgAAEQeAABdHgAA8DcAAHweAACwHgAA6DgAAMAeAAAxIAAA8DgAAGwgAACJIAAA8DcAAJAgAADrIAAA/DgAAAAhAAACIQAA+DgAAAghAAAqIQAAwDgAACohAABMIQAAwDgAAEwhAABuIQAAwDgAAG4hAACQIQAAwDgAAJAhAAC1IQAAwDgAALUhAADFIQAAwDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAABgAAAAAoAigaKCAoIigkKAoojCiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" + +function Log($message) +{ + $message | Out-File $LogFile -Append -Force +} + +function LogAndConsole($message) +{ + Write-Host $message + Log $message +} + +function LogAndConsoleWarning($message) +{ + Write-Host $message -foregroundcolor "Yellow" + Log $message +} + +function LogAndConsoleSuccess($message) +{ + Write-Host $message -foregroundcolor "Green" + Log $message +} + +function LogAndConsoleError($message) +{ + Write-Host $message -foregroundcolor "Red" + Log $message +} + +function IsExempted([System.IO.FileInfo] $item) +{ + $cert = (Get-AuthenticodeSignature $item.FullName).SignerCertificate + if($cert.ToString().Contains("CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")) + { + Log $item.FullName + "MS Exempted" + return 1 + } + else + { + Log $item.FullName + "Not-exempted" + Log $cert.ToString() + return 0 + } +} + +function CheckExemption($_ModName) +{ + $mod1 = Get-ChildItem $Sys32Path $_ModName + $mod2 = Get-ChildItem $DriverPath $_ModName + if($mod1) + { + Log "NonDriver module" + $mod1.FullName + return IsExempted($mod1) + } + elseif($mod2) + { + Log "Driver Module" + $mod2.FullName + return IsExempted($mod2) + } + +} + +function CheckFailedDriver($_ModName, $CIStats) +{ + Log "Module: " $_ModName.Trim() + if(CheckExemption($_ModName.Trim()) - eq 1) + { + $CompatibleModules.AppendLine("Windows Signed: " + $_ModName.Trim()) | Out-Null + return + } + $index = $CIStats.IndexOf("execute pool type count:".ToLower()) + if($index -eq -1) + { + return + } + $_tempStr = $CIStats.Substring($index) + $Result = "PASS" + $separator = "`r`n","" + $option = [System.StringSplitOptions]::RemoveEmptyEntries + $stats = $_tempStr.Split($separator,$option) + Log $stats.Count + + $FailingStat = "" + foreach( $stat in $stats) + { + $_t =$stat.Split(":") + if($_t.Count -eq 2 -and $_t[1].trim() -ne "0") + { + $Result = "FAIL" + $FailingStat = $stat + break + } + } + if($Result.Contains("PASS")) + { + $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null + } + elseif($FailingStat.Trim().Contains("execute-write")) + { + $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null + } + else + { + $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null + } + Log "Result: " $Result +} + +function ListCIStats($_ModName, $str1) +{ + $i1 = $str1.IndexOf("Code Integrity Statistics:".ToLower()) + if($i1 -eq -1 ) + { + Log "String := " $str1 + Log "Warning! CI Stats are missing for " $_ModName + return + } + $temp_str1 = $str1.Substring($i1) + $CIStats = $temp_str1.Substring(0).Trim() + + CheckFailedDriver $_ModName $CIStats +} + +function ListDrivers($str) +{ + $_tempStr= $str + + $separator = "module:","" + $option = [System.StringSplitOptions]::RemoveEmptyEntries + $index1 = $_tempStr.IndexOf("MODULE:".ToLower()) + if($index1 -lt 0) + { + return + } + $_tempStr = $_tempStr.Substring($Index1) + $_SplitStr = $_tempStr.Split($separator,$option) + + + Log $_SplitStr.Count + LogAndConsole "Verifying each module please wait ... " + foreach($ModuleDetail in $_Splitstr) + { + #LogAndConsole $Module + $Index2 = $ModuleDetail.IndexOf("(") + if($Index2 -eq -1) + { + "Skipping .." + continue + } + $ModName = $ModuleDetail.Substring(0,$Index2-1) + Log "Driver: " $ModName + Log "Processing module: " $ModName + ListCIStats $ModName $ModuleDetail + } + + $DriverScanCompletedMessage = "Completed scan. List of Compatible Modules can be found at " + $LogFile + LogAndConsole $DriverScanCompletedMessage + + if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 ) + { + $WarningMessage = "Incompatible HVCI Kernel Driver Modules found" + if($HLK) + { + LogAndConsoleError $WarningMessage + } + else + { + LogAndConsoleWarning $WarningMessage + } + + LogAndConsoleError $FailingExecuteWriteCheck.ToString() + if($HLK) + { + LogAndConsoleError $FailingModules.ToString() + } + else + { + LogAndConsoleWarning $FailingModules.ToString() + } + if($FailingModules.Length -ne 0 -or $FailingExecuteWriteCheck.Length -ne 0 ) + { + if($HLK) + { + $DGVerifyCrit.AppendLine($WarningMessage) | Out-Null + } + else + { + $DGVerifyWarn.AppendLine($WarningMessage) | Out-Null + } + } + } + else + { + LogAndConsoleSuccess "No Incompatible Drivers found" + } +} + +function ListSummary() +{ + if($DGVerifyCrit.Length -ne 0 ) + { + LogAndConsoleError "Machine is not Device Guard / Credential Guard compatible because of the following:" + LogAndConsoleError $DGVerifyCrit.ToString() + LogAndConsoleWarning $DGVerifyWarn.ToString() + if(!$HVCI -and !$DG) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 0 /f ' + } + if(!$CG) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 0 /f ' + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 0 /f ' + } + + } + elseif ($DGVerifyWarn.Length -ne 0 ) + { + LogAndConsoleSuccess "Device Guard / Credential Guard can be enabled on this machine.`n" + LogAndConsoleWarning "The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:" + LogAndConsoleWarning $DGVerifyWarn.ToString() + if(!$HVCI -and !$DG) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 1 /f ' + } + if(!$CG) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 1 /f ' + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 1 /f ' + } + } + else + { + LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n" + if(!$HVCI -and !$DG) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f ' + } + if(!$CG) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 2 /f ' + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 2 /f ' + } + } +} + + +function Instantiate-Kernel32 { + try + { + Add-Type -TypeDefinition @" + using System; + using System.Diagnostics; + using System.Runtime.InteropServices; + + public static class Kernel32 + { + [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)] + public static extern IntPtr LoadLibrary( + [MarshalAs(UnmanagedType.LPStr)]string lpFileName); + + [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] + public static extern IntPtr GetProcAddress( + IntPtr hModule, + string procName); + } + +"@ + } + catch + { + Log $_.Exception.Message + LogAndConsole "Instantiate-Kernel32 failed" + } +} + +function Instantiate-HSTI { + try + { + Add-Type -TypeDefinition @" + using System; + using System.Diagnostics; + using System.Runtime.InteropServices; + using System.Net; + + public static class HstiTest3 + { + [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] + public static extern int QueryHSTIdetails( + ref HstiOverallError pHstiOverallError, + [In, Out] HstiProviderErrorDuple[] pHstiProviderErrors, + ref uint pHstiProviderErrorsCount, + byte[] hstiPlatformSecurityBlob, + ref uint pHstiPlatformSecurityBlobBytes); + + [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] + public static extern int QueryHSTI(ref bool Pass); + + [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] + public struct HstiProviderErrorDuple + { + internal uint protocolError; + internal uint role; + internal HstiProviderErrors providerError; + [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] + internal string ID; + [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)] + internal string ErrorString; + } + + [FlagsAttribute] + public enum HstiProviderErrors : int + { + None = 0x00000000, + VersionMismatch = 0x00000001, + RoleUnknown = 0x00000002, + RoleDuplicated = 0x00000004, + SecurityFeatureSizeMismatch = 0x00000008, + SizeTooSmall = 0x00000010, + VerifiedMoreThanImplemented = 0x00000020, + VerifiedNotMatchImplemented = 0x00000040 + } + + [FlagsAttribute] + public enum HstiOverallError : int + { + None = 0x00000000, + RoleTooManyPlatformReference = 0x00000001, + RoleTooManyIbv = 0x00000002, + RoleTooManyOem = 0x00000004, + RoleTooManyOdm = 0x00000008, + RoleMissingPlatformReference = 0x00000010, + VerifiedIncomplete = 0x00000020, + ProtocolErrors = 0x00000040, + BlobVersionMismatch = 0x00000080, + PlatformSecurityVersionMismatch = 0x00000100, + ProviderError = 0x00000200 + } + + } +"@ + + $LibHandle = [Kernel32]::LoadLibrary("C:\Windows\System32\hstitest.dll") + $FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails") + $FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI") + + if ([System.IntPtr]::Size -eq 8) + { + #assuming 64 bit + Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())" + Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())" + } + else + { + return + } + $overallError = New-Object HstiTest3+HstiOverallError + $providerErrorDupleCount = New-Object int + $blobByteSize = New-Object int + $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize) + + [byte[]]$blob = New-Object byte[] $blobByteSize + [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount + $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize) + $string = $null + $blob | foreach { $string = $string + $_.ToString("X2")+"," } + + $hstiStatus = New-Object bool + $hr = [HstiTest3]::QueryHSTI([ref] $hstiStatus) + + LogAndConsole "HSTI Duple Count: $providerErrorDupleCount" + LogAndConsole "HSTI Blob size: $blobByteSize" + LogAndConsole "String: $string" + LogAndConsole "HSTIStatus: $hstiStatus" + if(($blobByteSize -gt 512) -and ($providerErrorDupleCount -gt 0) -and $hstiStatus) + { + LogAndConsoleSuccess "HSTI validation successful" + } + elseif(($providerErrorDupleCount -eq 0) -or ($blobByteSize -le 512)) + { + LogAndConsoleWarning "HSTI is absent" + $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null + } + else + { + $ErrorMessage = "HSTI validation failed" + if($HLK) + { + LogAndConsoleError $ErrorMessage + $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null + } + else + { + LogAndConsoleWarning $ErrorMessage + $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null + } + } + + } + catch + { + LogAndConsoleError $_.Exception.Message + LogAndConsoleError "Instantiate-HSTI failed" + } +} + + +function CheckDGRunning($_val) +{ + $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard + for($i=0; $i -lt $DGObj.SecurityServicesRunning.length; $i++) + { + if($DGObj.SecurityServicesRunning[$i] -eq $_val) + { + return 1 + } + + } + return 0 +} + +function CheckDGFeatures($_val) +{ + $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard + Log "DG_obj $DG_obj" + Log "DG_obj.AvailableSecurityProperties.length $DG_obj.AvailableSecurityProperties.length" + for($i=0; $i -lt $DGObj.AvailableSecurityProperties.length; $i++) + { + if($DGObj.AvailableSecurityProperties[$i] -eq $_val) + { + return 1 + } + + } + return 0 +} + +function PrintConfigCIDetails($_ConfigCIState) +{ + $_ConfigCIRunning = "Config-CI is enabled and running." + $_ConfigCIDisabled = "Config-CI is not running." + $_ConfigCIMode = "Not Enabled" + switch ($_ConfigCIState) + { + 0 { $_ConfigCIMode = "Not Enabled" } + 1 { $_ConfigCIMode = "Audit mode" } + 2 { $_ConfigCIMode = "Enforced mode" } + default { $_ConfigCIMode = "Not Enabled" } + } + + if($_ConfigCIState -ge 1) + { + LogAndConsoleSuccess "$_ConfigCIRunning ($_ConfigCIMode)" + } + else + { + LogAndConsoleWarning "$_ConfigCIDisabled ($_ConfigCIMode)" + } +} + +function PrintHVCIDetails($_HVCIState) +{ + $_HvciRunning = "HVCI is enabled and running." + $_HvciDisabled = "HVCI is not running." + + if($_HVCIState) + { + LogAndConsoleSuccess $_HvciRunning + } + else + { + LogAndConsoleWarning $_HvciDisabled + } +} + +function PrintCGDetails ($_CGState) +{ + $_CGRunning = "Credential-Guard is enabled and running." + $_CGDisabled = "Credential-Guard is not running." + + if($_CGState) + { + LogAndConsoleSuccess $_CGRunning + } + else + { + LogAndConsoleWarning $_CGDisabled + } +} + +if(![IO.Directory]::Exists($path)) +{ + New-Item -ItemType directory -Path $path +} +else +{ + #Do Nothing!! +} + +function IsRedstone +{ + $_osVersion = [environment]::OSVersion.Version + Log $_osVersion + #Check if build Major is Windows 10 + if($_osVersion.Major -lt 10) + { + return 0 + } + #Check if the build is post Threshold2 (1511 release) => Redstone + if($_osVersion.Build -gt 10586) + { + return 1 + } + #default return False + return 0 +} + +function ExecuteCommandAndLog($_cmd) +{ + try + { + Log "Executing: $_cmd" + $CmdOutput = Invoke-Expression $_cmd | Out-String + Log "Output: $CmdOutput" + } + catch + { + Log "Exception while exectuing $_cmd" + Log $_.Exception.Message + } + + +} + +function PrintRebootWarning +{ + LogAndConsoleWarning "Please reboot the machine, for settings to be applied." +} + +function AutoRebootHelper +{ + if($AutoReboot) + { + LogAndConsole "PC will restart in 30 seconds" + ExecuteCommandAndLog 'shutdown /r /t 30' + } + else + { + PrintRebootWarning + } + +} + +function VerifierReset +{ + $verifier_state = verifier /query | Out-String + if(!$verifier_state.ToString().Contains("No drivers are currently verified.")) + { + ExecuteCommandAndLog 'verifier.exe /reset' + } + AutoRebootHelper +} + +function PrintHardwareReq +{ + LogAndConsole "###########################################################################" + LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard" + LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education, Enterprise IoT, Pro, and Home" + LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT" + LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr" + LogAndConsole "########################################################################### `n" +} + +function CheckDriverCompat +{ + $_HVCIState = CheckDGRunning(2) + if($_HVCIState) + { + LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be complete." + LogAndConsoleWarning "Please disable HVCI and run the script again..." + } + $verifier_state = verifier /query | Out-String + if($verifier_state.ToString().Contains("No drivers are currently verified.")) + { + LogAndConsole "Enabling Driver verifier" + verifier.exe /flags 0x02000000 /all /log.code_integrity + + LogAndConsole "Enabling Driver Verifier and Rebooting system" + Log $verifier_state + LogAndConsole "Please re-execute this script after reboot...." + if($AutoReboot) + { + LogAndConsole "PC will restart in 30 seconds" + ExecuteCommandAndLog 'shutdown /r /t 30' + } + else + { + LogAndConsole "Please reboot manually and run the script again...." + } + exit + } + else + { + LogAndConsole "Driver verifier already enabled" + Log $verifier_state + ListDrivers($verifier_state.Trim().ToLowerInvariant()) + } +} +function IsDomainController +{ + $_isDC = 0 + $CompConfig = Get-WmiObject Win32_ComputerSystem + foreach ($ObjItem in $CompConfig) + { + $Role = $ObjItem.DomainRole + Log "Role=$Role" + Switch ($Role) + { + 0 { Log "Standalone Workstation" } + 1 { Log "Member Workstation" } + 2 { Log "Standalone Server" } + 3 { Log "Member Server" } + 4 + { + Log "Backup Domain Controller" + $_isDC=1 + break + } + 5 + { + Log "Primary Domain Controller" + $_isDC=1 + break + } + default { Log "Unknown Domain Role" } + } + } + return $_isDC +} + +function CheckOSSKU +{ + $osname = $((gwmi win32_operatingsystem).Name).ToLower() + $_SKUSupported = 0 + Log "OSNAME:$osname" + $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server", "Pro", "Home") + $HLKAllowed = @("microsoft windows 10 pro") + foreach ($SKUent in $SKUarray) + { + if($osname.ToString().Contains($SKUent.ToLower())) + { + $_SKUSupported = 1 + break + } + } + + # For running HLK tests only, professional SKU's are marked as supported. + if($HLK) + { + if($osname.ToString().Contains($HLKAllowed.ToLower())) + { + $_SKUSupported = 1 + } + } + $_isDomainController = IsDomainController + if($_SKUSupported) + { + LogAndConsoleSuccess "This PC edition is Supported for DeviceGuard"; + if(($_isDomainController -eq 1) -and !$HVCI -and !$DG) + { + LogAndConsoleError "This PC is configured as a Domain Controller, Credential Guard is not supported on DC." + } + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' + } + else + { + LogAndConsoleError "This PC edition is Unsupported for Device Guard" + $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 0 /f ' + } +} + +function CheckOSArchitecture +{ + $OSArch = $(gwmi win32_operatingsystem).OSArchitecture.ToLower() + Log $OSArch + if($OSArch.Contains("64-bit")) + { + LogAndConsoleSuccess "64 bit archictecture" + } + elseif($OSArch.Contains("32-bit")) + { + LogAndConsoleError "32 bit archictecture" + $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null + } + else + { + LogAndConsoleError "Unknown architecture" + $DGVerifyCrit.AppendLine("Unknown OS, OS Architecture failure.") | Out-Null + } +} + +function CheckSecureBootState +{ + $_secureBoot = Confirm-SecureBootUEFI + Log $_secureBoot + if($_secureBoot) + { + LogAndConsoleSuccess "Secure Boot is present" + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 2 /f ' + } + else + { + LogAndConsoleError "Secure Boot is absent / not enabled." + LogAndConsoleError "If Secure Boot is supported on the system, enable Secure Boot in the BIOS and run the script again." + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 0 /f ' + $DGVerifyCrit.AppendLine("Secure boot validation failed.") | Out-Null + } +} + +function CheckVirtualization +{ + $_vmmExtension = $(gwmi -Class Win32_processor).VMMonitorModeExtensions + $_vmFirmwareExtension = $(gwmi -Class Win32_processor).VirtualizationFirmwareEnabled + $_vmHyperVPresent = (gcim -Class Win32_ComputerSystem).HypervisorPresent + Log "VMMonitorModeExtensions $_vmmExtension" + Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension" + Log "HyperVisorPresent $_vmHyperVPresent" + + #success if either processor supports and enabled or if hyper-v is present + if(($_vmmExtension -and $_vmFirmwareExtension) -or $_vmHyperVPresent ) + { + LogAndConsoleSuccess "Virtualization firmware check passed" + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 2 /f ' + } + else + { + LogAndConsoleError "Virtualization firmware check failed." + LogAndConsoleError "If Virtualization extensions are supported on the system, enable hardware virtualization (Intel Virtualization Technology, Intel VT-x, Virtualization Extensions, or similar) in the BIOS and run the script again." + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 0 /f ' + $DGVerifyCrit.AppendLine("Virtualization firmware check failed.") | Out-Null + } +} + +function CheckTPM +{ + $TPMLockout = $(get-tpm).LockoutCount + + if($TPMLockout) + { + + if($TPMLockout.ToString().Contains("Not Supported for TPM 1.2")) + { + if($HLK) + { + LogAndConsoleSuccess "TPM 1.2 is present." + } + else + { + $WarningMsg = "TPM 1.2 is Present. TPM 2.0 is Preferred." + LogAndConsoleWarning $WarningMsg + $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null + } + } + else + { + LogAndConsoleSuccess "TPM 2.0 is present." + } + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 2 /f ' + } + else + { + $WarningMsg = "TPM is absent or not ready for use" + if($HLK) + { + LogAndConsoleError $WarningMsg + $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null + } + else + { + LogAndConsoleWarning $WarningMsg + $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null + } + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 0 /f ' + } +} + +function CheckSecureMOR +{ + $isSecureMOR = CheckDGFeatures(4) + Log "isSecureMOR= $isSecureMOR " + if($isSecureMOR -eq 1) + { + LogAndConsoleSuccess "Secure MOR is available" + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 2 /f ' + } + else + { + $WarningMsg = "Secure MOR is absent" + if($HLK) + { + LogAndConsoleError $WarningMsg + $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null + } + else + { + LogAndConsoleWarning $WarningMsg + $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null + } + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 0 /f ' + } +} + +function CheckNXProtection +{ + $isNXProtected = CheckDGFeatures(5) + Log "isNXProtected= $isNXProtected " + if($isNXProtected -eq 1) + { + LogAndConsoleSuccess "NX Protector is available" + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 2 /f ' + } + else + { + LogAndConsoleWarning "NX Protector is absent" + $DGVerifyWarn.AppendLine("NX Protector is absent") | Out-Null + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 0 /f ' + } +} + +function CheckSMMProtection +{ + $isSMMMitigated = CheckDGFeatures(6) + Log "isSMMMitigated= $isSMMMitigated " + if($isSMMMitigated -eq 1) + { + LogAndConsoleSuccess "SMM Mitigation is available" + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 2 /f ' + } + else + { + LogAndConsoleWarning "SMM Mitigation is absent" + $DGVerifyWarn.AppendLine("SMM Mitigation is absent") | Out-Null + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 0 /f ' + } +} + +function CheckHSTI +{ + LogAndConsole "Copying HSTITest.dll" + try + { + $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) + [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) + + } + catch + { + LogAndConsole $_.Exception.Message + LogAndConsole "Copying and loading HSTITest.dll failed" + } + + Instantiate-Kernel32 + Instantiate-HSTI +} + +function PrintToolVersion +{ + LogAndConsole "" + LogAndConsole "###########################################################################" + LogAndConsole "" + LogAndConsole "Readiness Tool Version 3.7 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." + LogAndConsole "" + LogAndConsole "###########################################################################" + LogAndConsole "" + +} + +PrintToolVersion + +if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -and !($ResetVerifier)) +{ + #Print Usage if none of the options are specified + LogAndConsoleWarning "How to read the output:" + LogAndConsoleWarning "" + LogAndConsoleWarning " 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG" + LogAndConsoleWarning " 2. Yellow Warnings: This device can be used to enable and use DG/CG, but `n additional security benefits will be absent. To learn more please go through: https://aka.ms/dgwhcr" + LogAndConsoleWarning " 3. Green Messages: This device is fully compliant with DG/CG requirements`n" + + LogAndConsoleWarning "###########################################################################" + LogAndConsoleWarning "" + LogAndConsoleWarning "Hardware requirements for enabling Device Guard and Credential Guard" + LogAndConsoleWarning " 1. Hardware: Recent hardware that supports virtualization extension with SLAT" + LogAndConsoleWarning "" + LogAndConsoleWarning "########################################################################### `n" + + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path" + LogAndConsoleWarning "Log file with details is found here: C:\DGLogs `n" + + LogAndConsoleWarning "To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path `n" + + LogAndConsoleWarning "To Enable only HVCI" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -HVCI `n" + + LogAndConsoleWarning "To Enable only CG" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -CG `n" + + LogAndConsoleWarning "To Verify if DG/CG is enabled" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" + + LogAndConsoleWarning "To Disable DG/CG." + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Disable `n" + + LogAndConsoleWarning "To Verify if DG/CG is disabled" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" + + LogAndConsoleWarning "To Verify if this device is DG/CG Capable" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable`n" + + LogAndConsoleWarning "To Verify if this device is HVCI Capable" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable -HVCI`n" + + LogAndConsoleWarning "To Auto reboot with each option" + LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot`n" + LogAndConsoleWarning "###########################################################################" + LogAndConsoleWarning "" + LogAndConsoleWarning "When the Readiness Tool with '-capable' is run the following RegKey values are set:" + LogAndConsoleWarning "" + LogAndConsoleWarning "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" + LogAndConsoleWarning "CG_Capable" + LogAndConsoleWarning "DG_Capable" + LogAndConsoleWarning "HVCI_Capable" + LogAndConsoleWarning "" + LogAndConsoleWarning "Value 0 = not possible to enable DG/CG/HVCI on this device" + LogAndConsoleWarning "Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI" + LogAndConsoleWarning "Value 2 = fully compatible for DG/CG/HVCI" + LogAndConsoleWarning "" + LogAndConsoleWarning "########################################################################### `n" +} + +$user = [Security.Principal.WindowsIdentity]::GetCurrent(); +$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) + +if(!$TestForAdmin) +{ + LogAndConsoleError "This script requires local administrator privileges. Please execute this script as a local administrator." + exit +} + +$isRunningOnVM = (get-wmiobject win32_computersystem).model +if($isRunningOnVM.Contains("Virtual")) +{ + LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization." +} + + +<# Check the DG status if enabled or disabled, meaning if the device is ready or not #> +if($Ready) +{ + PrintHardwareReq + + $DGRunning = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning + $_ConfigCIState = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).CodeIntegrityPolicyEnforcementStatus + Log "Current DGRunning = $DGRunning, ConfigCI= $_ConfigCIState" + $_HVCIState = CheckDGRunning(2) + $_CGState = CheckDGRunning(1) + + if($HVCI) + { + Log "_HVCIState: $_HVCIState" + PrintHVCIDetails $_HVCIState + } + elseif($CG) + { + Log "_CGState: $_CGState" + PrintCGDetails $_CGState + + if($_CGState) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' + } + else + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 0 /f' + } + } + elseif($DG) + { + Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" + + PrintHVCIDetails $_HVCIState + PrintConfigCIDetails $_ConfigCIState + + if($_ConfigCIState -and $_HVCIState) + { + LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." + + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' + } + else + { + LogAndConsoleWarning "Not all services are running." + + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' + } + } + else + { + Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" + + PrintCGDetails $_CGState + PrintHVCIDetails $_HVCIState + PrintConfigCIDetails $_ConfigCIState + + if(($DGRunning.Length -ge 2) -and ($_CGState) -and ($_HVCIState) -and ($_ConfigCIState -ge 1)) + { + LogAndConsoleSuccess "HVCI, Credential Guard, and Config CI are enabled and running." + } + else + { + LogAndConsoleWarning "Not all services are running." + } + } +} + +<# Enable and Disable #> +if($Enable) +{ + PrintHardwareReq + + LogAndConsole "Enabling Device Guard and Credential Guard" + LogAndConsole "Setting RegKeys to enable DG/CG" + + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f' + #Only SecureBoot is required as part of RequirePlatformSecurityFeatures + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f' + + $_isRedstone = IsRedstone + if(!$_isRedstone) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f' + } + else + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f' + } + + if(!$HVCI -and !$DG) + { + # value is 2 for both Th2 and RS1 + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f' + } + if(!$CG) + { + if(!$_isRedstone) + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' + } + else + { + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f' + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' + } + } + + try + { + if(!$HVCI -and !$CG) + { + if(!$SIPolicyPath) + { + Log "Writing Decoded SIPolicy.p7b" + $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) + [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) + } + else + { + LogAndConsole "Copying user provided SIpolicy.p7b" + $CmdOutput = Copy-Item $SIPolicyPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" | Out-String + Log $CmdOutput + } + } + } + catch + { + LogAndConsole "Writing SIPolicy.p7b file failed" + } + + LogAndConsole "Enabling Hyper-V and IOMMU" + $_isRedstone = IsRedstone + if(!$_isRedstone) + { + LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" + #Enable/Disable IOMMU seperately + ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' + } + $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String + if(!$CmdOutput.Contains("The operation completed successfully.")) + { + $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Online /All /NoRestart | Out-String + } + + Log $CmdOutput + if($CmdOutput.Contains("The operation completed successfully.")) + { + LogAndConsoleSuccess "Enabling Hyper-V and IOMMU successful" + #Reg key for HLK validation of DISM.EXE step + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 1 /f' + } + else + { + LogAndConsoleWarning "Enabling Hyper-V failed please check the log file" + #Reg key for HLK validation of DISM.EXE step + ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 0 /f' + } + AutoRebootHelper +} + +if($Disable) +{ + LogAndConsole "Disabling Device Guard and Credential Guard" + LogAndConsole "Deleting RegKeys to disable DG/CG" + + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f' + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f' + + $_isRedstone = IsRedstone + if(!$_isRedstone) + { + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f' + } + else + { + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f' + } + + if(!$CG) + { + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f' + if($_isRedstone) + { + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f' + } + } + + if(!$HVCI -and !$DG) + { + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f' + } + + if(!$HVCI -and !$CG) + { + ExecuteCommandAndLog 'del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"' + } + + if(!$HVCI -and !$DG -and !$CG) + { + LogAndConsole "Disabling Hyper-V and IOMMU" + $_isRedstone = IsRedstone + if(!$_isRedstone) + { + LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" + #Enable/Disable IOMMU seperately + ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' + } + $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String + if(!$CmdOutput.Contains("The operation completed successfully.")) + { + $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Online /NoRestart | Out-String + } + Log $CmdOutput + if($CmdOutput.Contains("The operation completed successfully.")) + { + LogAndConsoleSuccess "Disabling Hyper-V and IOMMU successful" + } + else + { + LogAndConsoleWarning "Disabling Hyper-V failed please check the log file" + } + + #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS + #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always + #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS + $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random + Log "FreeDrive=$FreeDrive" + ExecuteCommandAndLog 'mountvol $FreeDrive /s' + $CmdOutput = Copy-Item "$env:windir\System32\SecConfig.efi" $FreeDrive\EFI\Microsoft\Boot\SecConfig.efi -Force | Out-String + LogAndConsole $CmdOutput + ExecuteCommandAndLog 'bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut /application osloader' + ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path \EFI\Microsoft\Boot\SecConfig.efi' + ExecuteCommandAndLog 'bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}"' + ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-ISO,DISABLE-VBS' + ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=$FreeDrive' + ExecuteCommandAndLog 'mountvol $FreeDrive /d' + #steps complete + + } + AutoRebootHelper +} + +if($Clear) +{ + ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /f' + VerifierReset +} + +if($ResetVerifier) +{ + VerifierReset +} + +<# Is machine Device Guard / Cred Guard Capable and Verify #> +if($Capable) +{ + PrintHardwareReq + + LogAndConsole "Checking if the device is DG/CG Capable" + + $_isRedstone = IsRedstone + if(!$_isRedstone) + { + LogAndConsoleWarning "Capable is currently fully supported in Redstone only.." + } + $_StepCount = 1 + if(!$CG) + { + LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " + $_StepCount++ + CheckDriverCompat + } + + LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " + $_StepCount++ + CheckSecureBootState + + if(!$HVCI -and !$DG -and !$CG) + { + #check only if sub-options are absent + LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " + $_StepCount++ + CheckHSTI + } + + LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " + $_StepCount++ + CheckOSArchitecture + + LogAndConsole " ====================== Step $_StepCount Supported OS SKU ====================== " + $_StepCount++ + CheckOSSKU + + LogAndConsole " ====================== Step $_StepCount Virtualization Firmware ====================== " + $_StepCount++ + CheckVirtualization + + if(!$HVCI -and !$DG) + { + LogAndConsole " ====================== Step $_StepCount TPM version ====================== " + $_StepCount++ + CheckTPM + + LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " + $_StepCount++ + CheckSecureMOR + } + + LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " + $_StepCount++ + CheckNXProtection + + LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " + $_StepCount++ + CheckSMMProtection + + LogAndConsole " ====================== End Check ====================== " + + LogAndConsole " ====================== Summary ====================== " + ListSummary + LogAndConsole "To learn more about required hardware and software please visit: https://aka.ms/dgwhcr" +} + + + +# SIG # Begin signature block +## REPLACE +# SIG # End signature block + +``` From 39f473fff49e7f913b0df719de6b24476800a07d Mon Sep 17 00:00:00 2001 From: Andres Mariano Gorzelany <36666927+get-itips@users.noreply.github.com> Date: Wed, 18 Sep 2019 18:27:24 -0300 Subject: [PATCH 14/24] Changed link of readiness tool --- .../credential-guard/credential-guard-manage.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index b8b2673d47..717eb2741b 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -110,10 +110,10 @@ You can do this by using either the Control Panel or the Deployment Image Servic ### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). +You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](dg_readiness_tool.md). ``` -DG_Readiness_Tool_v3.6.ps1 -Enable -AutoReboot +DG_Readiness_Tool.ps1 -Enable -AutoReboot ``` > [!IMPORTANT] > When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. From c708351fcc994e28f2de2b955068cb8453a9746f Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 17:13:42 +0500 Subject: [PATCH 15/24] Note addition As per user recommendation, I have updated the note portion with additional required information. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4668 --- .../configure-wd-app-guard.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index d79135d66a..990977f063 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -28,6 +28,8 @@ These settings, located at **Computer Configuration\Administrative Templates\Net >[!NOTE] >You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. +>Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy. + |Policy name|Supported versions|Description| From f30d3e62770f28ae7eb13be607431e9b0c606a74 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Fri, 20 Sep 2019 14:19:01 +0200 Subject: [PATCH 16/24] Update interactive-logon-message-text-for-users-attempting-to-log-on.md Changed formatting to what i believe makes for easier reading. Also corrected some minor formatting to better adhere to markdown standards. --- ...age-text-for-users-attempting-to-log-on.md | 43 ++++++++++--------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index dafe367748..8c438440b9 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -19,15 +19,19 @@ ms.date: 04/19/2017 # Interactive logon: Message text for users attempting to log on -**Applies to** -- Windows 10 +## Applies to + +- Windows 10 Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. ## Reference -The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. Interactive logon: Message title for users attempting to log on specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn -users about the ramifications of misusing company information, or to warn them that their actions might be audited. +The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. + +**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. + +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons — for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. @@ -37,8 +41,8 @@ When these policy settings are configured, users will see a dialog box before th The possible values for this setting are: -- User-defined text -- Not defined +- User-defined text +- Not defined ### Best practices @@ -46,8 +50,9 @@ The possible values for this setting are: 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. - >**Important:** Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. - + > [!IMPORTANT] + > Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options @@ -58,13 +63,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes different requirements to help you manage this policy. @@ -79,8 +84,8 @@ This section describes how an attacker might exploit a feature or its configurat There are two policy settings that relate to logon displays: -- **Interactive logon: Message text for users attempting to log on** -- [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) +- **Interactive logon: Message text for users attempting to log on** +- [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. @@ -92,12 +97,10 @@ Users often do not understand the importance of security practices. However, the Configure the **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) settings to an appropriate value for your organization. ->**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives. - ### Potential impact Users see a message in a dialog box before they can log on to the server console. ## Related topics -- [Security Options](security-options.md)  +- [Security Options](security-options.md) From 4ad287e1ac5b9acbf3a17b24efb43cf80c3327fb Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 18:20:23 +0500 Subject: [PATCH 17/24] Updated the content Updated the content as the Auto-Pilot reset is now available for Intune for education. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4695 --- education/windows/autopilot-reset.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 2c11c122c4..5e9add10d7 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md @@ -36,8 +36,7 @@ You can set the policy using one of these methods: - MDM provider - - Autopilot Reset in Intune for Education is coming soon. In a future update of Intune for Education, new tenants will automatically have the Autopilot Reset setting enabled by default on the **All devices** group as part of initial tenant configuration. You will also be able to manage this setting to target different groups in the admin console. - - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. + -Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. For example, in Intune, create a new configuration policy and add an OMA-URI. - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials @@ -93,6 +92,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo Once provisioning is complete, the device is again ready for use. + ## Troubleshoot Autopilot Reset Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. From 95f36b381fb79334f37582d88cfefd14a715eda6 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 18:55:18 +0500 Subject: [PATCH 18/24] Added OMA-URI Path OMA-URI path was not available in the document. As per the suggestion in the conversation, it has been updated. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4712 --- .../microsoft-defender-atp/configure-endpoints-mdm.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 9710f0d825..5a967ffd5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md @@ -69,7 +69,13 @@ For security reasons, the package used to Offboard machines will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). +3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. + + OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding + Date type: String + Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file] + +For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). > [!NOTE] From e86e92d2567b8c3c28da38485b2ab71c464eb5bc Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 19:01:08 +0500 Subject: [PATCH 19/24] Syntax was incorrect Syntax has been updated. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4777 --- windows/deployment/usmt/usmt-loadstate-syntax.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index ea390e9871..3bbf83959b 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md @@ -8,7 +8,8 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.date: 04/19/2017 ms.topic: article --- @@ -247,7 +248,7 @@ USMT provides several command-line options that you can use to analyze problems

/progress:[Path</em>]FileName

Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

For example:

-

loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

+

loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:loadlog.log

/c

From 5d48bdbb1f9f16cd3f84ae7ce377afd23bede8ed Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 20 Sep 2019 08:27:02 -0700 Subject: [PATCH 20/24] Update interactive-logon-message-text-for-users-attempting-to-log-on.md backing out applies to change. Accepting the other --- ...ractive-logon-message-text-for-users-attempting-to-log-on.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 8c438440b9..456a194ed3 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -19,7 +19,7 @@ ms.date: 04/19/2017 # Interactive logon: Message text for users attempting to log on -## Applies to +**Applies to:** - Windows 10 From 47f2fc4f687627cd9ef4b3b3bcb8e3b346472e07 Mon Sep 17 00:00:00 2001 From: Albert Cabello Serrano Date: Fri, 20 Sep 2019 10:26:24 -0700 Subject: [PATCH 21/24] Update windows-analytics-get-started.md remove reference to server support for Device health --- windows/deployment/update/windows-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 0a0a06c7eb..91642db1c4 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -151,7 +151,7 @@ Certain Windows Analytics features have additional settings you can use. - For devices running Windows 10, version 1607 or earlier, Windows diagnostic data must also be set to Enhanced (see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level)) in order to be compatible with Windows Defender Antivirus. See the [Windows Defender Antivirus in Windows 10 and Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for more information about enabling, configuring, and validating Windows Defender AV. -- **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops) and Windows Server 2016. The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). +- **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops). The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). - **IE site discovery** is an optional feature of Upgrade Readiness that provides an inventory of websites that are accessed by client devices using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. To enable IE site discovery, make sure the required updates are installed (per previous section) and enable IE site discovery in the deployment script batch file. From 09d74491348964b0f23270620cf64078f80cf244 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Fri, 20 Sep 2019 16:11:01 -0700 Subject: [PATCH 22/24] Update faq-wd-app-guard.md Added policy names. --- .../windows-defender-application-guard/faq-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 650fe854db..ae7c4a20a4 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -68,7 +68,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? | -| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. | +| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. |
From 3cd9c531b7d111799df32dff9db7f63e7f26141c Mon Sep 17 00:00:00 2001 From: ShrCaJesmo <54860945+ShrCaJesmo@users.noreply.github.com> Date: Mon, 23 Sep 2019 12:07:52 -0400 Subject: [PATCH 23/24] Schedule task hidden from standard users Adds note that the scheduled task that triggers GPO enrollment isn't visible to standard users so to confirm the task was created, admin creds should be used --- ...ll-a-windows-10-device-automatically-using-group-policy.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 6360bcb775..6be9d2621c 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -198,6 +198,10 @@ To collect Event Viewer logs: The auto-enrollment process is triggered by a task (Microsoft > Windows > EnterpriseMgmt) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is successfully deployed to the target machine as shown in the following screenshot: ![Task scheduler](images/auto-enrollment-task-scheduler.png) + + > [!Note] + > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task. + This task runs every 5 minutes for the duration of 1 day. To confirm if the task succeeded, check the task scheduler event logs: Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational. Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107. From 04b493adde339b51d4d2f4ae03c19d56c92ad050 Mon Sep 17 00:00:00 2001 From: ShrCaJesmo <54860945+ShrCaJesmo@users.noreply.github.com> Date: Tue, 24 Sep 2019 16:19:11 -0400 Subject: [PATCH 24/24] Update windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- ...nroll-a-windows-10-device-automatically-using-group-policy.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 6be9d2621c..cada8db687 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -198,7 +198,6 @@ To collect Event Viewer logs: The auto-enrollment process is triggered by a task (Microsoft > Windows > EnterpriseMgmt) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is successfully deployed to the target machine as shown in the following screenshot: ![Task scheduler](images/auto-enrollment-task-scheduler.png) - > [!Note] > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.