diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 645db60d9e..2d21a68dd9 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -20519,6 +20519,11 @@ "source_path": "windows/client-management/mdm/policy-ddf-file.md", "redirect_url": "/windows/client-management/mdm/configuration-service-provider-ddf", "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/credential-guard/dg-readiness-tool.md", + "redirect_url": "/windows/security/identity-protection/credential-guard/credential-guard", + "redirect_document_id": true } ] } diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md index d5697e455b..095188a9ba 100644 --- a/windows/client-management/administrative-tools-in-windows-10.md +++ b/windows/client-management/administrative-tools-in-windows-10.md @@ -8,7 +8,9 @@ manager: aaroncz ms.localizationpriority: medium ms.date: 03/28/2022 ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- diff --git a/windows/client-management/azure-active-directory-integration-with-mdm.md b/windows/client-management/azure-active-directory-integration-with-mdm.md index f2c906993c..5cd9b9cbb6 100644 --- a/windows/client-management/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/azure-active-directory-integration-with-mdm.md @@ -1,14 +1,16 @@ --- title: Azure Active Directory integration with MDM description: Azure Active Directory is the world's largest enterprise cloud identity management service. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- 
@@ -46,7 +48,7 @@ Azure AD Join also enables company owned devices to be automatically enrolled in > [!IMPORTANT] > Every user enabled for automatic MDM enrollment with Azure AD Join must be assigned a valid [Azure Active Directory Premium](/previous-versions/azure/dn499825(v=azure.100)) license. - + ### BYOD scenario Windows 10 also introduces a simpler way to configure personal devices to access work apps and resources. Users can add their Microsoft work account to Windows and enjoy simpler and safer access to the apps and resources of the organization. During this process, Azure AD detects if the organization has configured an MDM. If that’s the case, Windows attempts to enroll the device in MDM as part of the “add account” flow. In the BYOD case, users can reject the MDM Terms of Use. The device isn't enrolled in MDM and access to organization resources is typically restricted. @@ -70,7 +72,7 @@ Once a user has an Azure AD account added to Windows and enrolled in MDM, the en > [!NOTE] > Users can't remove the device enrollment through the **Work access** user interface because management is tied to the Azure AD or work account. - + ### MDM endpoints involved in Azure AD–integrated enrollment Azure AD MDM enrollment is a two-step process: @@ -187,7 +189,7 @@ The following image show how MDM applications show up in the Azure app gallery. ### Add cloud-based MDM to the app gallery > [!NOTE] -> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application The following table shows the required information to create an entry in the Azure AD app gallery. 
@@ -200,7 +202,7 @@ The following table shows the required information to create an entry in the Azu |**Icons**|A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215| - + ### Add on-premises MDM to the app gallery There are no special requirements for adding on-premises MDM to the app gallery. There's a generic entry for administrators to add an app to their tenant. @@ -232,7 +234,7 @@ An MDM page must adhere to a predefined theme depending on the scenario that is |--- |--- |--- |--- |--- | |FRX|OOBE|Dark theme + blue background color|Filename: Ui-dark.css|Filename: oobe-dekstop.css| |MOSET|Settings/Post OOBE|Light theme|Filename: Ui-light.css|Filename: settings-desktop.css| - + ## Terms of Use protocol semantics The Terms of Use endpoint is hosted by the MDM server. During the Azure AD Join protocol flow, Windows does a full-page redirect to this endpoint. This redirect enables the MDM to display the terms and conditions that apply. It allows the user to accept or reject the terms associated with enrollment. After the user accepts the terms, the MDM redirects back to Windows for the enrollment process to continue. @@ -332,7 +334,7 @@ The following table shows the error codes. |Azure AD token validation failed|302|unauthorized_client|unauthorized_client| |internal service error|302|server_error|internal service error| - + ## Enrollment protocol with Azure AD With Azure integrated MDM enrollment, there's no discovery phase and the discovery URL is directly passed down to the system from Azure. The following table shows the comparison between the traditional and Azure enrollments. diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 18fb8a5311..88a544e7d9 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md 
@@ -6,10 +6,12 @@ author: vinaypamnani-msft ms.localizationpriority: medium ms.author: vinpa ms.date: 01/18/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- 
@@ -29,23 +31,23 @@ From its release, Windows 10 has supported remote connections to PCs joined to A ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 aren't supported. -- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. -- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. +- Your local PC (where you're connecting from) must be either Azure AD-joined or Hybrid Azure AD-joined if using Windows 10, version 1607 and above, or [Azure AD registered](/azure/active-directory/devices/concept-azure-ad-register) if using Windows 10, version 2004 and above. Remote connections to an Azure AD-joined PC from an unjoined device or a non-Windows 10 device aren't supported. +- The local PC and remote PC must be in the same Azure AD tenant. Azure AD B2B guests aren't supported for Remote desktop. Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you're using to connect to the remote PC. - On the PC you want to connect to: 1. Open system properties for the remote PC. - + 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. ![Allow remote connections to this computer.](images/allow-rdp.png) 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no other configuration is needed. 
To allow more users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies: - + - Adding users manually - + You can specify individual Azure AD accounts for remote connections by running the following PowerShell cmdlet: ```powershell net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" @@ -62,7 +64,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu > Starting in Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there's a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. - Adding users using policy - + Starting in Windows 10, version 2004, you can add users to the Remote Desktop Users using MDM policies as described in [How to manage the local administrators group on Azure AD-joined devices](/azure/active-directory/devices/assign-local-admin#manage-administrator-privileges-using-azure-ad-groups-preview). > [!TIP] diff --git a/windows/client-management/device-update-management.md b/windows/client-management/device-update-management.md index 4964a3969d..4c730c626d 100644 --- a/windows/client-management/device-update-management.md +++ b/windows/client-management/device-update-management.md @@ -1,7 +1,7 @@ --- title: Mobile device management MDM for device updates description: Windows 10 provides several APIs to help mobile device management (MDM) solutions manage updates. Learn how to use these APIs to implement update management. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article 
@@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 11/15/2017 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile device management (MDM) for device updates diff --git a/windows/client-management/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/diagnose-mdm-failures-in-windows-10.md index 67b61ceb3c..1f8a9dd881 100644 --- a/windows/client-management/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/diagnose-mdm-failures-in-windows-10.md @@ -1,7 +1,7 @@ --- title: Diagnose MDM failures in Windows 10 description: Learn how to collect MDM logs. Examining these logs can help diagnose enrollment or device management issues in Windows 10 devices managed by an MDM server. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/25/2018 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Diagnose MDM failures in Windows 10 diff --git a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md index 80e253c59f..8bffb182d7 100644 --- a/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy.md @@ -7,9 +7,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 04/30/2022 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Enroll a Windows 10 device automatically using Group Policy 
@@ -188,19 +190,19 @@ Requirements: - 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495) - 1909 --> [Administrative Templates (.admx) for Windows 10 November 2019 Update (1909)](https://www.microsoft.com/download/confirmation.aspx?id=100591) - + - 2004 --> [Administrative Templates (.admx) for Windows 10 May 2020 Update (2004)](https://www.microsoft.com/download/confirmation.aspx?id=101445) - + - 20H2 --> [Administrative Templates (.admx) for Windows 10 October 2020 Update (20H2)](https://www.microsoft.com/download/details.aspx?id=102157) - 21H1 --> [Administrative Templates (.admx) for Windows 10 May 2021 Update (21H1)](https://www.microsoft.com/download/details.aspx?id=103124) - 21H2 --> [Administrative Templates (.admx) for Windows 10 November 2021 Update (21H2)-v2.0](https://www.microsoft.com/download/details.aspx?id=104042) - + - 22H2 --> [Administrative Templates (.admx) for Windows 10 October 2022 Update (22H2)](https://www.microsoft.com/download/104677) - 22H2 --> [Administrative Templates (.admx) for Windows 11 2022 September Update (22H2)](https://www.microsoft.com/download/details.aspx?id=104593) - + 2. Install the package on the Domain Controller. 3. Navigate, depending on the version to the folder: 
@@ -214,13 +216,13 @@ Requirements: - 1909 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)** - 2004 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2020 Update (2004)** - + - 20H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2020 Update (20H2)** - 21H1 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2021 Update (21H1)** - 21H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2021 Update V2 (21H2)** - + - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2022 Update (22H2)** - 22H2 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 11 September 2022 Update (22H2)** diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index ff469792d0..d782edc5b3 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -11,6 +11,7 @@ metadata: ms.technology: itpro-manage ms.collection: - highpri + - tier1 author: aczechowski ms.author: aaroncz manager: dougeby diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 7cf55e0587..0771fcc433 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -5,10 +5,12 @@ ms.prod: windows-client author: vinaypamnani-msft ms.author: vinpa ms.date: 09/14/2021 -ms.reviewer: +ms.reviewer: manager: aaroncz ms.topic: article -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.technology: itpro-manage --- 
@@ -51,7 +53,7 @@ First, you create a default user profile with the customizations that you want, 1. Sign in to a computer running Windows 10 as a member of the local Administrator group. Do not use a domain account. > [!NOTE] - > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. + > Use a lab or extra computer running a clean installation of Windows 10 to create a default user profile. Do not use a computer that is required for business (that is, a production computer). This process removes all domain accounts from the computer, including user profile folders. 1. Configure the computer settings that you want to include in the user profile. For example, you can configure settings for the desktop background, uninstall default apps, install line-of-business apps, and so on. diff --git a/windows/client-management/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm-enrollment-of-windows-devices.md index f5d5c1dc39..7023a7b517 100644 --- a/windows/client-management/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm-enrollment-of-windows-devices.md @@ -1,17 +1,19 @@ --- title: MDM enrollment of Windows 10-based devices description: Learn about mobile device management (MDM) enrollment of Windows 10-based devices to simplify access to your organization’s resources. -MS-HAID: +MS-HAID: - 'p\_phdevicemgmt.enrollment\_ui' - 'p\_phDeviceMgmt.mdm\_enrollment\_of\_windows\_devices' -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft -ms.collection: highpri +ms.collection: + - highpri + - tier2 ms.date: 12/31/2017 --- 
@@ -35,7 +37,7 @@ Devices running Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Educatio > [!NOTE] > Mobile devices can't be connected to an Active Directory domain. -### Out-of-box-experience +### Out-of-box-experience Joining your device to an Active Directory domain during the out-of-box-experience (OOBE) isn't supported. To join a domain: @@ -90,7 +92,7 @@ There are a few instances where your device can't be connected to an Active Dire | You're logged in as a standard user. | Your device can only be connected to an Azure AD domain if you're logged in as an administrative user. You’ll need to switch to an administrator account to continue. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Active Directory domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - + ### Connect your device to an Azure AD domain (join Azure AD) @@ -167,9 +169,9 @@ There are a few instances where your device can't be connected to an Azure AD do | Your device is already managed by MDM. | The connect to Azure AD flow will attempt to enroll your device into MDM if your Azure AD tenant has a preconfigured MDM endpoint. Your device must be unenrolled from MDM to be able to connect to Azure AD in this case. | | Your device is running Windows 10 Home. | This feature isn't available on Windows 10 Home, so you'll be unable to connect to an Azure AD domain. You'll need to upgrade to Windows 10 Pro, Windows 10 Enterprise, or Windows 10 Education to continue. | - -## Connect personally owned devices + +## Connect personally owned devices Personally owned devices, also known as bring your own device (BYOD), can be connected to a work or school account, or to MDM. Windows 10 doesn't require a personal Microsoft account on devices to connect to work or school. 
@@ -247,7 +249,7 @@ To create a local account and connect the device: ![screen to set up your device](images/unifiedenrollment-rs1-33-b.png) After you complete the flow, your device will be connected to your organization’s MDM. - + ### Help with connecting personally owned devices There are a few instances where your device may not be able to connect to work. @@ -260,7 +262,7 @@ There are a few instances where your device may not be able to connect to work. | You don’t have the right privileges to perform this operation. Talk to your admin. | You can't enroll your device into MDM as a standard user. You must be on an administrator account. | | We couldn’t auto-discover a management endpoint matching the username entered. Check your username and try again. If you know the URL to your management endpoint, enter it. | You need to provide the server URL for your MDM or check the spelling of the username you entered. | - + ## Connect your Windows 10-based device to work using a deep link 
@@ -283,13 +285,13 @@ The deep link used for connecting your device to work will always use the follow | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this parameter's value can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3. Where "1" means ownership is unknown, "2" means the device is personally owned, and "3" means the device is corporate-owned | > [!NOTE] -> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. +> AWA and Azure Active Directory-joined values for mode are only supported on Windows 10, version 1709 and later. ### Connect to MDM using a deep link > [!NOTE] > Deep links only work with Internet Explorer or Microsoft Edge browsers. Examples of URI's that may be used to connect to MDM using a deep link: -> +> > - **ms-device-enrollment:?mode=mdm** > - **ms-device-enrollment:?mode=mdm&username=`someone@example.com`&servername=`https://example.server.com`** @@ -342,7 +344,7 @@ Starting in Windows 10, version 1709, selecting the **Info** button will show a ![work or school info.](images/unifiedenrollment-rs1-35-b.png) > [!NOTE] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. +> Starting in Windows 10, version 1709, the **Manage** button is no longer available. ### Disconnect @@ -363,7 +365,7 @@ Starting in Windows 10, version 1709, you can get the advanced diagnostic report ![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png) - + diff --git a/windows/client-management/mdm-overview.md b/windows/client-management/mdm-overview.md index 8c630a325a..fd9f4c2321 100644 --- a/windows/client-management/mdm-overview.md +++ b/windows/client-management/mdm-overview.md 
@@ -9,7 +9,9 @@ ms.localizationpriority: medium author: vinaypamnani-msft ms.author: vinpa manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile Device Management overview diff --git a/windows/client-management/mdm/configuration-service-provider-ddf.md b/windows/client-management/mdm/configuration-service-provider-ddf.md index b55b3ce963..c8fad72461 100644 --- a/windows/client-management/mdm/configuration-service-provider-ddf.md +++ b/windows/client-management/mdm/configuration-service-provider-ddf.md @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 09/18/2020 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Configuration service provider DDF files diff --git a/windows/client-management/mdm/configuration-service-provider-support.md b/windows/client-management/mdm/configuration-service-provider-support.md index 4afed5993c..80f903585c 100644 --- a/windows/client-management/mdm/configuration-service-provider-support.md +++ b/windows/client-management/mdm/configuration-service-provider-support.md @@ -1,7 +1,7 @@ --- title: Configuration service provider support description: Learn more about configuration service provider (CSP) supported scenarios. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 09/18/2020 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Configuration service provider support diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 241e6803a9..9bb47acd36 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md 
@@ -7,9 +7,11 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 06/26/2017 -ms.reviewer: +ms.reviewer: manager: aaroncz -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # DynamicManagement CSP diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml index db2be7efaf..094b2b87da 100644 --- a/windows/client-management/mdm/index.yml +++ b/windows/client-management/mdm/index.yml @@ -11,6 +11,7 @@ metadata: ms.prod: windows-client ms.collection: - highpri + - tier1 ms.custom: intro-hub-or-landing author: vinaypamnani-msft ms.author: vinpa diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 77a826c617..1da17f0f74 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -150,7 +150,7 @@ Descriptions of the properties: **Policy timeline**: -The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. +The behavior of this policy setting differs in different Windows 10 versions. For Windows 10, version 1809 through version 1909, you can use name in `` and SID in ``. For Windows 10, version 2004, you can use name or SID for both the elements, as described in the example. The following table describes how this policy setting behaves in different Windows 10 versions: diff --git a/windows/client-management/mobile-device-enrollment.md b/windows/client-management/mobile-device-enrollment.md index 93b93d3872..361556d8dd 100644 --- a/windows/client-management/mobile-device-enrollment.md +++ b/windows/client-management/mobile-device-enrollment.md 
@@ -1,7 +1,7 @@ --- title: Mobile device enrollment description: Learn how mobile device enrollment verifies that only authenticated and authorized devices can be managed by their enterprise. -ms.reviewer: +ms.reviewer: manager: aaroncz ms.author: vinpa ms.topic: article @@ -9,7 +9,9 @@ ms.prod: windows-client ms.technology: itpro-manage author: vinaypamnani-msft ms.date: 08/11/2017 -ms.collection: highpri +ms.collection: + - highpri + - tier2 --- # Mobile device enrollment diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md index 4fa3d16b29..8dab751eb2 100644 --- a/windows/client-management/quick-assist.md +++ b/windows/client-management/quick-assist.md @@ -9,7 +9,9 @@ author: vinaypamnani-msft ms.author: vinpa manager: aaroncz ms.reviewer: pmadrigal -ms.collection: highpri +ms.collection: + - highpri + - tier1 ms.date: 08/26/2022 --- diff --git a/windows/deployment/update/wufb-reports-overview.md b/windows/deployment/update/wufb-reports-overview.md index aa140f9778..13c5e19777 100644 --- a/windows/deployment/update/wufb-reports-overview.md +++ b/windows/deployment/update/wufb-reports-overview.md @@ -16,7 +16,7 @@ ms.technology: itpro-updates Windows Update for Business reports is a cloud-based solution that provides information about your Azure Active Directory-joined devices' compliance with Windows updates. Windows Update for Business reports is offered through the [Azure portal](https://portal.azure.com), and it's included as part of the Windows 10 or Windows 11 prerequisite licenses. Windows Update for Business reports helps you: -- Monitor security, quality, and feature updates for Windows 11 and Windows 10 devices +- Monitor security, quality, driver, and feature updates for Windows 11 and Windows 10 devices - Report on devices with update compliance issues - Analyze and display your data in multiple ways diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index dc04109fd8..9f840b293a 100644 
--- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -328,8 +328,6 @@ href: identity-protection/credential-guard/credential-guard-requirements.md - name: Manage Credential Guard href: identity-protection/credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: identity-protection/credential-guard/dg-readiness-tool.md - name: Credential Guard protection limits href: identity-protection/credential-guard/credential-guard-protection-limits.md - name: Considerations when using Credential Guard diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 0792c6b6b0..8bb5477bed 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -1,6 +1,6 @@ --- title: Manage Windows Defender Credential Guard (Windows) -description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools. +description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy or the registry. ms.date: 11/23/2022 ms.collection: - highpri 
@@ -38,7 +38,7 @@ Windows Defender Credential Guard will be enabled by default when a PC meets the ## Enable Windows Defender Credential Guard -Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy), the [registry](#enable-windows-defender-credential-guard-by-using-the-registry), or the [Hypervisor-Protected Code Integrity (HVCI) and Windows Defender Credential Guard hardware readiness tool](#enable-windows-defender-credential-guard-by-using-the-hvci-and-windows-defender-credential-guard-hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. +Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-windows-defender-credential-guard-by-using-group-policy) or the [registry](#enable-windows-defender-credential-guard-by-using-the-registry). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines. > [!NOTE] 
@@ -151,19 +151,6 @@ To enable, use the Control Panel or the Deployment Image Servicing and Managemen > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-firstlogoncommands) unattend setting. -### Enable Windows Defender Credential Guard by using the HVCI and Windows Defender Credential Guard hardware readiness tool - -You can also enable Windows Defender Credential Guard by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool.ps1 -Enable -AutoReboot -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - ### Review Windows Defender Credential Guard performance #### Is Windows Defender Credential Guard running? 
@@ -178,17 +165,6 @@ You can view System Information to check that Windows Defender Credential Guard :::image type="content" source="images/credguard-msinfo32.png" alt-text="The 'Virtualization-based security Services Running' entry lists Credential Guard in System Information (msinfo32.exe)."::: -You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md). - -```cmd -DG_Readiness_Tool_v3.6.ps1 -Ready -``` - -> [!IMPORTANT] -> When running the HVCI and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. -> -> This is a known issue. - > [!NOTE] > For client machines that are running Windows 10 1703, LsaIso.exe is running whenever virtualization-based security is enabled for other features. diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md deleted file mode 100644 index d834db9710..0000000000 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ /dev/null 
@@ -1,1381 +0,0 @@ ---- -title: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool -description: Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool script -ms.date: 11/22/2022 -ms.topic: reference -appliesto: -- ✅ Windows 10 and later -- ✅ Windows Server 2016 and later ---- - -# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool - -```powershell -# Script to find out if a machine is Device Guard compliant. -# The script requires a driver verifier present on the system. - -param([switch]$Capable, [switch]$Ready, [switch]$Enable, [switch]$Disable, $SIPolicyPath, [switch]$AutoReboot, [switch]$DG, [switch]$CG, [switch]$HVCI, [switch]$HLK, [switch]$Clear, [switch]$ResetVerifier) - -Set-StrictMode -Version Latest - -$path = "C:\DGLogs\" -$LogFile = $path + "DeviceGuardCheckLog.txt" - -$CompatibleModules = New-Object System.Text.StringBuilder -$FailingModules = New-Object System.Text.StringBuilder -$FailingExecuteWriteCheck = New-Object System.Text.StringBuilder - -$DGVerifyCrit = New-Object System.Text.StringBuilder -$DGVerifyWarn = New-Object System.Text.StringBuilder -$DGVerifySuccess = New-Object System.Text.StringBuilder - - -$Sys32Path = "$env:windir\system32" -$DriverPath = "$env:windir\system32\drivers" - -#generated by certutil -encode -$SIPolicy_Encoded = "BQAAAA43RKLJRAZMtVH2AW5WMHbk9wcuTBkgTbfJb0SmxaI0BACNkAgAAAAAAAAA -HQAAAAIAAAAAAAAAAAAKAEAAAAAMAAAAAQorBgEEAYI3CgMGDAAAAAEKKwYBBAGC -NwoDBQwAAAABCisGAQQBgjc9BAEMAAAAAQorBgEEAYI3PQUBDAAAAAEKKwYBBAGC -NwoDFQwAAAABCisGAQQBgjdMAwEMAAAAAQorBgEEAYI3TAUBDAAAAAEKKwYBBAGC -N0wLAQEAAAAGAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAAYAAAABAAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -BgAAAAEAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAA -AQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAUAAAABAAAA -AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABAAAAAEAAAABAAAA 
-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAYAAAABAAAAAgAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABgAAAAEAAAADAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAEAAAAGAAAAAQAAAAEAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAUAAAABAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAADgAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAEAAAAOAAAAAQAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAA4AAAABAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAA -AQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAA4AAAABAAAA -AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADgAAAAEAAAADAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAOAAAAAQAAAAEAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAQAAAABAAAAAQAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAAAPye3j3MoJGGstO/m3OKIFDLGlVN -otyttV8/cu4XchN4AQAAAAUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AQAAAAYAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA -DgAAAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAHAAAA -AQAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAoAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAKAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAABAAAADAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAQAAAAYAAAABAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAABwAAAAEAAAAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAABAAAAFAAAAIMAAAAAAAAADIAAAAsAAAAAAAAAAAAAAAEAAAAAAAAA -AgAAAAAAAAADAAAAAAAAAAQAAAAAAAAABQAAAAAAAAALAAAAAAAAAAwAAAAAAAAA -DQAAAAAAAAAOAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAMAAAAAAAAAAyAAAASAAAABgAAAAAAAAAHAAAAAAAAAAgAAAAAAAAA -CQAAAAAAAAAKAAAAAAAAABMAAAAAAAAADwAAAAAAAAAQAAAAAAAAABEAAAAAAAAA -EgAAAAAAAAAUAAAAAAAAABUAAAAAAAAAGgAAAAAAAAAbAAAAAAAAABwAAAAAAAAA -FgAAAAAAAAAXAAAAAAAAABkAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAgAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA 
-SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAQAAABJAGQAAAAAAAMAAAAMAAAA -MAAzADEAMAAxADcAAAAAABQAAABQAG8AbABpAGMAeQBJAG4AZgBvAAAAAAAWAAAA -SQBuAGYAbwByAG0AYQB0AGkAbwBuAAAAAAAAAAgAAABOAGEAbQBlAAAAAAADAAAA -JgAAAEQAZQBmAGEAdQBsAHQAVwBpAG4AZABvAHcAcwBBAHUAZABpAHQAAAAAAAAA -AwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAA -BQAAAAYAAAA=" - -$HSTITest_Encoded = "TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA4AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAADxXZfstTz5v7U8+b+1PPm/2GH4vrc8+b+8RGq/ojz5v9hh+r63PPm/2GH9vr48+b+1PPi/qjz5v9hh+b60PPm/2GHwvrc8+b/YYfu+tDz5v1JpY2i1PPm/AAAAAAAAAABQRQAAZIYFAGt3EVgAAAAAAAAAAPAAIiALAg4AABIAAAAaAAAAAAAAkBsAAAAQAAAAAACAAQAAAAAQAAAAAgAACgAAAAoAAAAKAAAAAAAAAABwAAAABAAAxcwAAAMAYEEAAAQAAAAAAAAQAAAAAAAAAAAQAAAAAAAAEAAAAAAAAAAAAAAQAAAAEDkAAGQAAAB0OQAABAEAAAAAAAAAAAAAAFAAACABAAAAAAAAAAAAAABgAAAYAAAAwDUAADgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQMAAA0AAAAAAAAAAAAAAA4DAAAEgBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAudGV4dAAAAMURAAAAEAAAABIAAAAEAAAAAAAAAAAAAAAAAAAgAABgLnJkYXRhAAB4DwAAADAAAAAQAAAAFgAAAAAAAAAAAAAAAAAAQAAAQC5kYXRhAAAAwAUAAABAAAAAAgAAACYAAAAAAAAAAAAAAAAAAEAAAMAucGRhdGEAACABAAAAUAAAAAIAAAAoAAAAAAAAAAAAAAAAAABAAABALnJlbG9jAAAYAAAAAGAAAAACAAAAKgAAAAAAAAAAAAAAAAAAQAAAQgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAABIiVwkCFVWV0FWQVdIi+xIg+wwM/9IjUU4TIv5iX1ISI1NSIl9QEUzyYl9OEyNRUBIiUQkIDPS6AwJAACL2D1XAAeAD4WrAAAAi0VASGnYDCIAAP8V/yAAAI13CEyLw0iLyIvW/xX2IAAATIvwSIXAdQe7DgAHgOtxi104/xXWIAAARIvDi9ZIi8j/FdAgAABIi/BIhcB1B7sOAAeA6x5IjUU4TIvOTI1FQEiJRCQgSYvWSI1NSOiNCAAAi9j/FZUgAABNi8Yz0kiLyP8VlyAAAEiF9nQU/xV8IAAATIvGM9JIi8j/FX4gAAA5fUhAD5THQYk/i8NIi1wkYEiDxDBBX0FeX15dw8zMzMzMzMzMzOkzCAAAzMzMzMzMzEiJXCQYSIl0JCBXSIHscAEAAEiLBbsuAABIM8RIiYQkYAEAAA8QBRkhAACL8kiL+TPSSI1MJGBBuPQAAADzD39EJFDo6g4AAEiDZCQwAEiNTCRQg2QkQABFM8nHRCQogAAAALoAAABAx0QkIAMAAABFjUEB/xWSHwAASIvYSIP4/3RGQbkCAAAARTPAM9JIi8j/FX0fAACD+P90HkiDZCQgAEyNTCRARIvGSIvXSIvL/xVmHwAAhcB1Bv8VPB8AAEiLy/8VYx8AAEiLjCRgAQAASDPM6AsLAABMjZwkcAEAAEmLWyBJi3MoSYvjX8PMzMzMzMxIg+woM9JMi8lIhcl0Hrr///9/M8BEi8I4AXQJSP/BSYPoAXXzTYXAdSEz0rhXAAeAM8mFwEgPScp4C41RAUmLyejG/v//SIPEKMNJK9Dr4czMzMzMzMzMSIlcJAhIiXQkEFdIg+wgQYvZSYv4SIvy6Iv///+L00iLz+iN/v//SIvOSItcJDBIi3QkOEiDxCBf6Wr////MzMzMzMyJVCQQSIPsKAkRSI0Nsx8AAOhO////ugQAAABIjUwkOOhL/v//SI0NqB8AAOgz////SIPEKMPMzMzMzMxAVVNWV0FUQVVBVkFXSI1sJOFIgeyYAAAASIsF6CwAAEgzxEiJRQ9FM/ZIiVXnM9JIiU3vRIl1p0GL3kiJXbdJi8BIiUXXTYvpRIl1r0GL/kSJdfdFi+ZIiVX7RYv+SIlVA0yJdc9IhckPhBEFAABIhcAPhAgFAABNhckPhP8EAABBgzkBdBHHRaeAAAAAvwJAAIDp7QQAAEiNDQkfAADohP7//0WLfQREiX2/SWnfDCIAAP8Vtx0AAEyLw7oIAAAASIvI/xWuHQAATIvgSIXAdShIjQ3vHgAA6Er+////FUwdAAAPt/iBzwAAB4CFwA9O+EmL3umLBAAASI0N9x4AAOgi/v//RIl1s0WF/w+EiwIAAEmNXQhIiV3HSY20JAwCAABIjQ32HgAA6Pn9//+LQwiJhvT9//+FwHktPbsAAMB1EUiNDe4eAADo2f3//+kaAgAASI0N/R4AAOjI/f//g02nQOkFAgAAixtJA92DOwN0Gw+6bacIugEAAABIjY78/f//6Dv+///p4AEAAEyNhgD+//+6BAAAAEmLwEiNSwgPEAFIjYmAAAAADxEASI2AgAAAAA8QSZAPEUiQDxBBoA8RQKAPEEmwDxFIsA8QQcAPEUDADxBJ0A8RSNAPEEHgDxFA4A8QSfAPEUjwSIPqAXWuQbkAAgAASI0VgB4AAEiNDYEeAADodP3//4uLCAIAALoAEAAAQYv+TI0ES0iBwQwCAABMA8FIi85MK8ZIjYL+7/9/SIXAdBdBD7cECGaFwHQNZokBSIPBAkiD6gF13UiF0nUJSIPpAr96AAeAZkSJMUiNFSYeAABIjQ0nHgAAQbkAIAAATIvG6AH9//9MjXMEQYsOjUH/g/gDD4fDAAAA/0SN90iNFQMeAACJjvj9//9BuQQAAABIjQ34HQAATYvG6Mj8//9BiwaDfIX3AXZESI2O/P3//7oEAAAA6PH8//9Biw6D6QF0JYPpAXQag+kBdA+
D+QEPhaIAAACDTacI63eDTacE63GDTacC62uDTacB62WD+AF1YIuDCAIAAEyNRa9BuQQAAACJRa9IjRWTHQAASI0NrB0AAOhP/P//RTP2RDl1r3UOD7ptpwlBjVYI6TX+//9IjYMMAgAASIlFz+sZD7ptpwlIjY78/f//ugIAAADoWfz//0Uz9otFs0iBxgwiAABIg0XHDP/AiUWzQTvHcxdIi13H6ZP9//+/BUAAgEiLXbfp5wEAAEQ5dad0DkiNDU0dAADoePv//+vji12v/xW1GgAARIvDuggAAABIi8j/FawaAABIiUW3SIvYSIXAdRZIjQ1JHQAA6ET7//+/FwAA0OmXAQAASI0NYx0AAOgu+///i0WvRI2wBgEAAEaNNHBEiXWzRYX/D4TFAAAASY1cJAhJjXUISI0N+xsAAOj++v//gXv4uwAAwHUOSI0N/hsAAOjp+v//63xEOXYEcxS6EAAAAA+6bacJSIvL6Gv7///rYosOSQPNi4EIAgAAO0WvdAe6CAAAAOvaRTPATI0MQUyNFAhEOUWvdjpMi3W3Qw+2jBAMAgAA99FDhIwIDAIAAHQID7ptpwmDCyBDioQIDAIAAEMIBDBB/8BEO0Wvcs5Ei3WzSIPGDEiBwwwiAABJg+8BD4VM////RIt9v0iLXbdFM/ZEOXWndBFIjQ0OHAAA6Dn6///pkQAAAEGL9kQ5da8PhoQAAABMi3W3TIttz0iNDYgcAADoE/r//4vGTI1Fq0G5AQAAAEiNFZgcAABCigwwSo0cKCILiE2rSI0NlBwAAOg/+v//QbkBAAAASI0VkhwAAEyLw0iNDZgcAADoI/r//4oDOEWrdBBIjQ2dHAAA6Lj5//+DTacg/8Y7da9yjuly+///v1cAB4BIjQ2sHAAA6Jf5//9BuQQAAABMjUWnSI0VphwAAEiNDa8cAADo0vn//02F5HRdTIt150iLdddNhfZ0NEQ5PnIvSI0NnBwAAOhX+f//QYvHSYvUTGnADCIAAEmLzuh0BwAASI0NmxwAAOg2+f//6wW/VwAHgESJPv8VbhgAAE2LxDPSSIvI/xVwGAAASIXbdBT/FVUYAABMi8Mz0kiLyP8VVxgAAEiLRe9IhcB0BYtNp4kIi8dIi00PSDPM6NMDAABIgcSYAAAAQV9BXkFdQVxfXltdw8zMzMzMzMxIi8RIiVgISIloEEiJcBhXQVZBV0iD7DCDYNgATYvxSYv4TI1I2EiL8kyL+UUzwDPSuaYAAAD/FWwYAACL2D0EAADAdAkPuusc6dkAAACDfCQgFHMKuwVAAIDpyAAAAItcJCD/FacXAABEi8O6CAAAAEiLyP8VnhcAAEiL6EiFwHUKuw4AB4DpmwAAAESLRCQgRTPJSIvQuaYAAAD/FQYYAACL2IXAeQYPuusc6zdIjQ2TGwAA6A74//+LVCQgSIvN6A73//9IjQ2LGwAA6Pb3//9Mi81Mi8dIi9ZJi8/ovfj//4vYSIt8JHCLdCQgSIX/dBk5N3IVTYX2dBBEi8ZIi9VJi87o8AUAAOsFu1cAB4CJN/8V9xYAAEyLxTPSSIvI/xX5FgAASItsJFiLw0iLXCRQSIt0JGBIg8QwQV9BXl/DzMzMzMzMSIlcJAhXSIPsIIP6AXU8SI0VmhcAAEiNDYsXAADoaAMAAIXAdAczwOmjAAAASI0VbBcAAEiNDV0XAADoVgMAAP8FKiUAAOmAAAAAhdJ1fDkVUyUAAHRtSIsNGiUAAOgxAgAASIsNFiUAAEiL+OgiAgAASI1Y+OsXSIsL6BQCAABIhcB0Bv8VBRcAAEiD6whIO99z5IM9DSUAAAR2FP8VJRYAAEyLxzPSSIvI/xUnFgAA6O4BAABIiQXDJAAASIkFtCQAAIMlpSQAAAC4AQAAAEiLXCQwSIPEIF/DzMzMzMzMzMzMzMzMzMzMzMzMzMzMSIlcJAhIiXQkEFdIg+wgSYv4i9pIi/GD+gF1BeijAQAATIvHi9NIi85
Ii1wkMEiLdCQ4SIPEIF/pBwAAAMzMzMzMzMxMiUQkGIlUJBBIiUwkCFNWV0iB7JAAAACL+kiL8cdEJCABAAAAhdJ1EzkVDSQAAHULM9uJXCQg6d8AAACNQv+D+AF3MkyLhCTAAAAA6Hv+//+L2IlEJCDrFTPbiVwkIIu8JLgAAABIi7QksAAAAIXbD4SlAAAATIuEJMAAAACL10iLzujoAQAAi9iJRCQg6xUz24lcJCCLvCS4AAAASIu0JLAAAACD/wF1SIXbdURFM8Az0kiLzui1AQAA6xOLvCS4AAAASIu0JLAAAACLXCQgRTPAM9JIi87o7/3//+sTi7wkuAAAAEiLtCSwAAAAi1wkIIX/dAWD/wN1IEyLhCTAAAAAi9dIi87ov/3//4vYiUQkIOsGM9uJXCQgi8NIgcSQAAAAX15bw8zMzMzMzMzMzMxmZg8fhAAAAAAASDsN6SIAAHUQSMHBEGb3wf//dQHDSMHJEOmSAQAAzMzMzMzMSP8ltRQAAMzMzMzMzMzMzDPJSP8lmxQAAMzMzMzMzMxIiVwkIFVIi+xIg+wgSINlGABIuzKi3y2ZKwAASIsFiSIAAEg7ww+FjwAAAEiNTRj/FU4UAABIi0UYSIlFEP8VABQAAIvASDFFEP8V/BMAAIvASDFFEP8VIBQAAIvASMHgGEgxRRD/FRAUAACLwEiNTRBIM0UQSDPBSI1NIEiJRRD/FeUTAACLRSBIuf///////wAASMHgIEgzRSBIM0UQSCPBSLkzot8tmSsAAEg7w0gPRMFIiQXxIQAASItcJEhI99BIiQXqIQAASIPEIF3DzMzMzMzM/yXYEgAAzMzMzMzM/yXEEgAAzMzMzMzMzMxIg+wog/oBdQb/FTUTAAC4AQAAAEiDxCjDzMzMzMzMzMzMzMzMzMzMzMzMzMIAAMzMzMzMzMzMzEBTSIPsIEiL2TPJ/xWTEgAASIvL/xWCEgAA/xUUEwAASIvIugkEAMBIg8QgW0j/JfgSAADMzMzMzMzMzMzMzMzMzMzMSIlMJAhIgeyIAAAASI0NHSIAAP8VLxMAAEiLBQgjAABIiUQkSEUzwEiNVCRQSItMJEj/FSATAABIiUQkQEiDfCRAAHRCSMdEJDgAAAAASI1EJFhIiUQkMEiNRCRgSIlEJChIjQXHIQAASIlEJCBMi0wkQEyLRCRISItUJFAzyf8VyxIAAOsjSIsFOiIAAEiLAEiJBZAiAABIiwUpIgAASIPACEiJBR4iAABIiwV3IgAASIkF6CAAAEiLhCSQAAAASIkF6SEAAMcFvyAAAAkEAMDHBbkgAAABAAAAxwXDIAAAAwAAALgIAAAASGvAAEiNDbsgAABIxwQBAgAAALgIAAAASGvAAUiNDaMgAABIixUsIAAASIkUAbgIAAAASGvAAkiNDYggAABIixUZIAAASIkUAbgIAAAASGvAAEiLDf0fAABIiUwEaLgIAAAASGvAAUiLDfAfAABIiUwEaEiNDdwPAADoU/7//0iBxIgAAADDzMzMzMzMzMzMzMzMzMzMzMzMzMzM/yWUEAAAzMzMzMzM/yWQEAAAzMzMzMzM/yWMEAAAzMzMzMzMzMxIg+woTYtBOEiLykmL0egRAAAAuAEAAABIg8Qow8zMzMzMzMxAU0WLGEiL2kGD4/hMi8lB9gAETIvRdBNBi0AITWNQBPfYTAPRSGPITCPRSWPDSosUEEiLQxCLSAhIA0sI9kEDD3QMD7ZBA4Pg8EiYTAPITDPKSYvJW+kl/P//zMzMzMzMzMzMzMxmZg8fhAAAAAAA/+DMzMzMzMxAVUiD7CBIi+pIiU04SIsBixCJVSRIiU1AM8BIg8QgXcPMQFVIg+wgSIvqSIlNSEiLAYsQiVUoSIlNUDPASIPEIF3DzEBVSIPsIEiL6kiJTVhIiwGLEIlVLEiJTWAzwEiDxCBdw8xAVUiD7CBIi+pIiU1oSIsBixCJVTBIiU1wM8BIg8QgXcPMQFVIg+w
gSIvqSIlNeEiLAYsQiVU0SImNgAAAADPASIPEIF3DzEBVSIPsIEiL6kiDxCBdw8wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFBAAIABAAAA8EAAgAEAAADQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAgAEAAAAAAAAAAAAAAAAAAAAAAAAAKDIAgAEAAAAwMgCAAQAAAFgyAIABAAAABQAAAAAAAAAANQEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeD4AAAAAAABkPwAAAAAAAG4/AAAAAAAAAAAAAAAAAADOOwAAAAAAAMA7AAAAAAAAAAAAAAAAAAAQPQAAAAAAACw9AAAAAAAA6j4AAAAAAAAAAAAAAAAAAPo+AAAAAAAA2D4AAAAAAADMPgAAAAAAAAAAAAAAAAAACD8AAAAAAAAAAAAAAAAAAFI8AAAAAAAAFj8AAAAAAABGPAAAAAAAAAAAAAAAAAAA9DwAAAAAAAAAAAAAAAAAAJ48AAAAAAAAtDwAAAAAAABePQAAAAAAAEo9AAAAAAAAAAAAAAAAAACEPAAAAAAAAAAAAAAAAAAA5DwAAAAAAADKPAAAAAAAAAAAAAAAAAAAZDwAAAAAAAB0PAAAAAAAAAAAAAAAAAAAsD4AAAAAAAD6OwAAAAAAACg8AAAAAAAADjwAAAAAAAAAAAAAAAAAAHAeAIABAAAAACEAgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAgEQAAkBsAAHAeAADAHgAAAAAAAC5caHN0aXRyYWNlLmxvZwAgUHJvdmlkZXJFcnJvcjoAOlByb3ZpZGVyRXJyb3IgAERldGVybWluaW5nIENvdW50LiAAAAAAAAAAAAAAAAAAICEhISBFcnJvciBidWZmZXIgZmFpbGVkIGFsbG9jYXRpb24gISEhIAAAAAAAAAAARGV0ZXJtaW5lIFNlY3VyaXR5RmVhdHVyZXNTaXplLiAAAAAAAAAAAExvb3AuLi4gAAAAAAAAAAAAAAAAAAAAACBVbnN1cHBvcnRlZCBBSVAgaWdub3JlZCAAAAAAAAAAICEhISBVRUZJIFByb3RvY29sIEVycm9yIERldGVjdGVkICEhISAAADpJRCAAAAAAIElEOgAAAAA6RVJST1IgACBFUlJPUjoAOlJPTEUgAAAgUk9MRToAAAAAAAAAAAAAOnNlY3VyaXR5RmVhdHVyZXNTaXplIAAAAAAAAAAAAAAgc2VjdXJpdHlGZWF0dXJlc1NpemU6AAAAAAAAAAAAACAhISEgRXJyb3IgZGV0ZWN0ZWQsIGJhaWxpbmcgb3V0ICEhISAAAAAAAAAAAAAAAFZlcmlmaWVkIGJ1ZmZlciBhbGxvY2F0aW9uIGZhaWxlZC4AAAAAAAAAAAAAAAAAAExvb3Bpbmcgb24gcHJvdmlkZXJzIHRvIGFjY3VtdWxhdGUgaW1wbGVtZW50ZWQgYW5kIHZlcmlmaWVkLgAAAABDb21wYXJpbmcgcmVxdWlyZWQgYnl0ZSB0byB2ZXJpZmllZC4uLgAAOlZFUklGSUVEIAAAAAAAACBWRVJJRklFRDoAAAAAAAA6UkVRVUlSRUQgAAAAAAAAIFJFUVVJUkVEOgAAAAAAAAAAAAAAAAAAISEhIHZlcmlmaWVkIGJ5dGUgZG9lcyBub3QgbWF0Y2ggcmVxdWlyZWQgISEhAAAAQ0xFQU5VUCAAAAAAAAAAADpPVkVSQUxMAAAAAAAAAABPVkVSQUxMOgAAAAAAAAAAUHJvdmlkZXIgRXJyb3JzIGN
vcHkgc3RhcnQAAAAAAABQcm92aWRlciBFcnJvcnMgY29weSBlbmQAAAAAAAAAAEJMT0IgU3RhcnQ6AAAAAAA6QkxPQiBFbmQgIAAAAAAAAAAAAGt3EVgAAAAAAgAAACUAAAD4NQAA+BsAAAAAAABrdxFYAAAAAA0AAACgAQAAIDYAACAcAABSU0RT1J4Ttoijw0G4zY0uYG3g7wEAAABIc3RpVGVzdC5wZGIAAAAAR0NUTAAQAADwEAAALnRleHQkbW4AAAAA8CAAABIAAAAudGV4dCRtbiQwMAACIQAAwwAAAC50ZXh0JHgAADAAAOAAAAAucmRhdGEkYnJjAADgMAAASAEAAC5pZGF0YSQ1AAAAACgyAAAQAAAALjAwY2ZnAAA4MgAACAAAAC5DUlQkWENBAAAAAEAyAAAIAAAALkNSVCRYQ1oAAAAASDIAAAgAAAAuQ1JUJFhJQQAAAABQMgAACAAAAC5DUlQkWElaAAAAAFgyAAAYAAAALmNmZ3VhcmQAAAAAcDIAAIgDAAAucmRhdGEAAPg1AADIAQAALnJkYXRhJHp6emRiZwAAAMA3AABQAQAALnhkYXRhAAAQOQAAZAAAAC5lZGF0YQAAdDkAAPAAAAAuaWRhdGEkMgAAAABkOgAAFAAAAC5pZGF0YSQzAAAAAHg6AABIAQAALmlkYXRhJDQAAAAAwDsAALgDAAAuaWRhdGEkNgAAAAAAQAAAEAAAAC5kYXRhAAAAEEAAALAFAAAuYnNzAAAAAABQAAAgAQAALnBkYXRhAAABEwgAEzQMABNSDPAK4AhwB2AGUBkkBwASZDMAEjQyABIBLgALcAAAbCAAAGABAAABBAEABEIAAAEPBgAPZAcADzQGAA8yC3ABCAEACEIAABknCgAZARMADfAL4AnQB8AFcARgAzACUGwgAACIAAAAARgKABhkDAAYVAsAGDQKABhSFPAS4BBwGRgFABgBEgARcBBgDzAAAEYgAAAGAAAAGBwAAC0cAAAIIQAALRwAAEocAABkHAAAKiEAAGQcAACCHAAAkRwAAEwhAACRHAAApBwAALMcAABuIQAAsxwAAM8cAADpHAAAkCEAAOkcAAD5GwAA7xwAALUhAAAAAAAAAQYCAAYyAlABCgQACjQGAAoyBnAAAAAAAQAAAAENBAANNAkADTIGUAEGAgAGMgIwAQwCAAwBEQABAAAAAQIBAAIwAAAAAAAAAAAAAAAAAAAAAAAAd24RWAAAAABMOQAAAQAAAAIAAAACAAAAODkAAEA5AABIOQAAEBAAACARAABZOQAAYzkAAAAAAQBIU1RJVEVTVC5kbGwAUXVlcnlIU1RJAFF1ZXJ5SFNUSWRldGFpbHMAmDoAAAAAAAAAAAAA2jsAAAAxAACYOwAAAAAAAAAAAAA8PAAAADIAAAA7AAAAAAAAAAAAAHI9AABoMQAAgDsAAAAAAAAAAAAAkj0AAOgxAABYOwAAAAAAAAAAAACyPQAAwDEAADA7AAAAAAAAAAAAANY9AACYMQAAaDsAAAAAAAAAAAAAAD4AANAxAAAgOwAAAAAAAAAAAAAkPgAAiDEAALA6AAAAAAAAAAAAAE4+AAAYMQAAeDoAAAAAAAAAAAAAkD4AAOAwAADQOgAAAAAAAAAAAAAiPwAAODEAAPA6AAAAAAAAAAAAAEI/AABYMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4PgAAAAAAAGQ/AAAAAAAAbj8AAAAAAAAAAAAAAAAAAM47AAAAAAAAwDsAAAAAAAAAAAAAAAAAABA9AAAAAAAALD0AAAAAAADqPgAAAAAAAAAAAAAAAAAA+j4AAAAAAADYPgAAAAAAAMw+AAAAAAAAAAAAAAAAAAAIPwAAAAAAAAAAAAAAAAAAUjwAAAAAAAAWPwAAAAAAAEY8AAAAAAAAAAAAAAAAAAD0PAAAAAAAAAAAAAAAAAAAnjwAAAAAAAC0PAAAAAAAAF49AAAAAAAASj0AAAA
AAAAAAAAAAAAAAIQ8AAAAAAAAAAAAAAAAAADkPAAAAAAAAMo8AAAAAAAAAAAAAAAAAABkPAAAAAAAAHQ8AAAAAAAAAAAAAAAAAACwPgAAAAAAAPo7AAAAAAAAKDwAAAAAAAAOPAAAAAAAAAAAAAAAAAAABwBfaW5pdHRlcm1fZQAGAF9pbml0dGVybQBhcGktbXMtd2luLWNvcmUtY3J0LWwyLTEtMC5kbGwAANACUnRsQ2FwdHVyZUNvbnRleHQAjQRSdGxMb29rdXBGdW5jdGlvbkVudHJ5AAC3BVJ0bFZpcnR1YWxVbndpbmQAAG50ZGxsLmRsbAAGAEhlYXBGcmVlAAAAAEdldFByb2Nlc3NIZWFwAAAEAEVuY29kZVBvaW50ZXIAAQBEZWNvZGVQb2ludGVyAAAAUXVlcnlQZXJmb3JtYW5jZUNvdW50ZXIADQBHZXRDdXJyZW50UHJvY2Vzc0lkABEAR2V0Q3VycmVudFRocmVhZElkAAAUAEdldFN5c3RlbVRpbWVBc0ZpbGVUaW1lABgAR2V0VGlja0NvdW50AAABAERpc2FibGVUaHJlYWRMaWJyYXJ5Q2FsbHMAEQBVbmhhbmRsZWRFeGNlcHRpb25GaWx0ZXIAAA8AU2V0VW5oYW5kbGVkRXhjZXB0aW9uRmlsdGVyAAwAR2V0Q3VycmVudFByb2Nlc3MATQBUZXJtaW5hdGVQcm9jZXNzAABhcGktbXMtd2luLWNvcmUtaGVhcC1sMS0yLTAuZGxsAGFwaS1tcy13aW4tY29yZS11dGlsLWwxLTEtMC5kbGwAYXBpLW1zLXdpbi1jb3JlLXByb2ZpbGUtbDEtMS0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLXByb2Nlc3N0aHJlYWRzLWwxLTEtMi5kbGwAYXBpLW1zLXdpbi1jb3JlLXN5c2luZm8tbDEtMi0xLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWxpYnJhcnlsb2FkZXItbDEtMi0wLmRsbAAAYXBpLW1zLXdpbi1jb3JlLWVycm9yaGFuZGxpbmctbDEtMS0xLmRsbAAAAABfX0Nfc3BlY2lmaWNfaGFuZGxlcgAAYXBpLW1zLXdpbi1jb3JlLWNydC1sMS0xLTAuZGxsAADbAU50UXVlcnlTeXN0ZW1JbmZvcm1hdGlvbgAAWQBXcml0ZUZpbGUAUwBTZXRGaWxlUG9pbnRlcgAABQBHZXRMYXN0RXJyb3IAAAUAQ3JlYXRlRmlsZUEAAABDbG9zZUhhbmRsZQACAEhlYXBBbGxvYwBhcGktbXMtd2luLWNvcmUtZmlsZS1sMS0yLTEuZGxsAGFwaS1tcy13aW4tY29yZS1oYW5kbGUtbDEtMS0wLmRsbAAzAG1lbWNweQAANwBtZW1zZXQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyot8tmSsAAM1dINJm1P//AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAQAAAXEQAAwDcAACwRAAAaEgAA1DcAACASAABwEgAA8DcAAHgSAAC2EgAA+DcAALwSAADyEgAACDgAAPgSAABRGQAAEDgAAFgZAACaGgAAMDgAAKAaAAB7GwAAyDgAAJAbAADNGwAA+DcAANQbAAD8HAAASDgAABAdAAAuHQAA2DgAAFQdAAAkHgAA3DgAAEQeAABdHgAA8DcAAHweAACwHgAA6DgAAMAeAAAxIAAA8DgAAGwgAACJIAAA8DcAAJAgAADrIAAA/DgAAAAhAAACIQAA+DgAAAghAAAqIQAAwDgAACohAABMIQAAwDgAAEwhAABuIQAAwDgAAG4hAACQIQAAwDgAAJAhAAC1IQAAwDgAALUhAADFIQAAwDgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADAAABgAAAAAoAigaKCAoIigkKAoojCiAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=" - -function Log($message) -{ - $message | Out-File $LogFile -Append -Force -} - -function LogAndConsole($message) -{ - Write-Host $message - Log $message -} - -function LogAndConsoleWarning($message) -{ - Write-Host $message -foregroundcolor "Yellow" - Log $message -} - -function LogAndConsoleSuccess($message) -{ - Write-Host $message 
-foregroundcolor "Green" - Log $message -} - -function LogAndConsoleError($message) -{ - Write-Host $message -foregroundcolor "Red" - Log $message -} - -function IsExempted([System.IO.FileInfo] $item) -{ - $cert = (Get-AuthenticodeSignature $item.FullName).SignerCertificate - if($cert.ToString().Contains("CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US")) - { - Log $item.FullName + "MS Exempted" - return 1 - } - else - { - Log $item.FullName + "Not-exempted" - Log $cert.ToString() - return 0 - } -} - -function CheckExemption($_ModName) -{ - $mod1 = Get-ChildItem $Sys32Path $_ModName - $mod2 = Get-ChildItem $DriverPath $_ModName - if($mod1) - { - Log "NonDriver module" + $mod1.FullName - return IsExempted($mod1) - } - elseif($mod2) - { - Log "Driver Module" + $mod2.FullName - return IsExempted($mod2) - } - -} - -function CheckFailedDriver($_ModName, $CIStats) -{ - Log "Module: " $_ModName.Trim() - if(CheckExemption($_ModName.Trim()) - eq 1) - { - $CompatibleModules.AppendLine("Windows Signed: " + $_ModName.Trim()) | Out-Null - return - } - $index = $CIStats.IndexOf("execute pool type count:".ToLower()) - if($index -eq -1) - { - return - } - $_tempStr = $CIStats.Substring($index) - $Result = "PASS" - $separator = "`r`n","" - $option = [System.StringSplitOptions]::RemoveEmptyEntries - $stats = $_tempStr.Split($separator,$option) - Log $stats.Count - - $FailingStat = "" - foreach( $stat in $stats) - { - $_t =$stat.Split(":") - if($_t.Count -eq 2 -and $_t[1].trim() -ne "0") - { - $Result = "FAIL" - $FailingStat = $stat - break - } - } - if($Result.Contains("PASS")) - { - $CompatibleModules.AppendLine($_ModName.Trim()) | Out-Null - } - elseif($FailingStat.Trim().Contains("execute-write")) - { - $FailingExecuteWriteCheck.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - else - { - $FailingModules.AppendLine("Module: "+ $_ModName.Trim() + "`r`n`tReason: " + $FailingStat.Trim() ) | Out-Null - } - 
Log "Result: " $Result -} - -function ListCIStats($_ModName, $str1) -{ - $i1 = $str1.IndexOf("Code Integrity Statistics:".ToLower()) - if($i1 -eq -1 ) - { - Log "String := " $str1 - Log "Warning! CI Stats are missing for " $_ModName - return - } - $temp_str1 = $str1.Substring($i1) - $CIStats = $temp_str1.Substring(0).Trim() - - CheckFailedDriver $_ModName $CIStats -} - -function ListDrivers($str) -{ - $_tempStr= $str - - $separator = "module:","" - $option = [System.StringSplitOptions]::RemoveEmptyEntries - $index1 = $_tempStr.IndexOf("MODULE:".ToLower()) - if($index1 -lt 0) - { - return - } - $_tempStr = $_tempStr.Substring($Index1) - $_SplitStr = $_tempStr.Split($separator,$option) - - - Log $_SplitStr.Count - LogAndConsole "Verifying each module please wait ... " - foreach($ModuleDetail in $_Splitstr) - { - #LogAndConsole $Module - $Index2 = $ModuleDetail.IndexOf("(") - if($Index2 -eq -1) - { - "Skipping .." - continue - } - $ModName = $ModuleDetail.Substring(0,$Index2-1) - Log "Driver: " $ModName - Log "Processing module: " $ModName - ListCIStats $ModName $ModuleDetail - } - - $DriverScanCompletedMessage = "Completed scan. 
List of Compatible Modules can be found at " + $LogFile - LogAndConsole $DriverScanCompletedMessage - - if($FailingModules.Length -gt 0 -or $FailingExecuteWriteCheck.Length -gt 0 ) - { - $WarningMessage = "Incompatible HVCI Kernel Driver Modules found" - if($HLK) - { - LogAndConsoleError $WarningMessage - } - else - { - LogAndConsoleWarning $WarningMessage - } - - LogAndConsoleError $FailingExecuteWriteCheck.ToString() - if($HLK) - { - LogAndConsoleError $FailingModules.ToString() - } - else - { - LogAndConsoleWarning $FailingModules.ToString() - } - if($FailingModules.Length -ne 0 -or $FailingExecuteWriteCheck.Length -ne 0 ) - { - if($HLK) - { - $DGVerifyCrit.AppendLine($WarningMessage) | Out-Null - } - else - { - $DGVerifyWarn.AppendLine($WarningMessage) | Out-Null - } - } - } - else - { - LogAndConsoleSuccess "No Incompatible Drivers found" - } -} - -function ListSummary() -{ - if($DGVerifyCrit.Length -ne 0 ) - { - LogAndConsoleError "Machine is not Device Guard / Credential Guard compatible because of the following:" - LogAndConsoleError $DGVerifyCrit.ToString() - LogAndConsoleWarning $DGVerifyWarn.ToString() - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 0 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 0 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 0 /f ' - } - - } - elseif ($DGVerifyWarn.Length -ne 0 ) - { - LogAndConsoleSuccess "Device Guard / Credential Guard can be enabled on this machine.`n" - LogAndConsoleWarning "The following additional qualifications, if present, can enhance the security of Device Guard / Credential Guard on this system:" - LogAndConsoleWarning $DGVerifyWarn.ToString() - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD 
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 1 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 1 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 1 /f ' - } - } - else - { - LogAndConsoleSuccess "Machine is Device Guard / Credential Guard Ready.`n" - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Capable" /t REG_DWORD /d 2 /f ' - } - if(!$CG) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Capable" /t REG_DWORD /d 2 /f ' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HVCI_Capable" /t REG_DWORD /d 2 /f ' - } - } -} - - -function Instantiate-Kernel32 { - try - { - Add-Type -TypeDefinition @" - using System; - using System.Diagnostics; - using System.Runtime.InteropServices; - - public static class Kernel32 - { - [DllImport("kernel32", SetLastError=true, CharSet = CharSet.Ansi)] - public static extern IntPtr LoadLibrary( - [MarshalAs(UnmanagedType.LPStr)]string lpFileName); - - [DllImport("kernel32", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)] - public static extern IntPtr GetProcAddress( - IntPtr hModule, - string procName); - } - -"@ - } - catch - { - Log $_.Exception.Message - LogAndConsole "Instantiate-Kernel32 failed" - } -} - -function Instantiate-HSTI { - try - { - Add-Type -TypeDefinition @" - using System; - using System.Diagnostics; - using System.Runtime.InteropServices; - using System.Net; - - public static class HstiTest3 - { - [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] - public static extern int QueryHSTIdetails( - ref HstiOverallError pHstiOverallError, - [In, Out] 
HstiProviderErrorDuple[] pHstiProviderErrors, - ref uint pHstiProviderErrorsCount, - byte[] hstiPlatformSecurityBlob, - ref uint pHstiPlatformSecurityBlobBytes); - - [DllImport("hstitest.dll", CharSet = CharSet.Unicode)] - public static extern int QueryHSTI(ref bool Pass); - - [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)] - public struct HstiProviderErrorDuple - { - internal uint protocolError; - internal uint role; - internal HstiProviderErrors providerError; - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 256)] - internal string ID; - [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 4096)] - internal string ErrorString; - } - - [FlagsAttribute] - public enum HstiProviderErrors : int - { - None = 0x00000000, - VersionMismatch = 0x00000001, - RoleUnknown = 0x00000002, - RoleDuplicated = 0x00000004, - SecurityFeatureSizeMismatch = 0x00000008, - SizeTooSmall = 0x00000010, - VerifiedMoreThanImplemented = 0x00000020, - VerifiedNotMatchImplemented = 0x00000040 - } - - [FlagsAttribute] - public enum HstiOverallError : int - { - None = 0x00000000, - RoleTooManyPlatformReference = 0x00000001, - RoleTooManyIbv = 0x00000002, - RoleTooManyOem = 0x00000004, - RoleTooManyOdm = 0x00000008, - RoleMissingPlatformReference = 0x00000010, - VerifiedIncomplete = 0x00000020, - ProtocolErrors = 0x00000040, - BlobVersionMismatch = 0x00000080, - PlatformSecurityVersionMismatch = 0x00000100, - ProviderError = 0x00000200 - } - - } -"@ - - $LibHandle = [Kernel32]::LoadLibrary("C:\Windows\System32\hstitest.dll") - $FuncHandle = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTIdetails") - $FuncHandle2 = [Kernel32]::GetProcAddress($LibHandle, "QueryHSTI") - - if ([System.IntPtr]::Size -eq 8) - { - #assuming 64 bit - Log "`nKernel32::LoadLibrary 64bit --> 0x$("{0:X16}" -f $LibHandle.ToInt64())" - Log "HstiTest2::QueryHSTIdetails 64bit --> 0x$("{0:X16}" -f $FuncHandle.ToInt64())" - } - else - { - return - } - $overallError = New-Object HstiTest3+HstiOverallError - 
$providerErrorDupleCount = New-Object int - $blobByteSize = New-Object int - $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $null, [ref] $providerErrorDupleCount, $null, [ref] $blobByteSize) - - [byte[]]$blob = New-Object byte[] $blobByteSize - [HstiTest3+HstiProviderErrorDuple[]]$providerErrors = New-Object HstiTest3+HstiProviderErrorDuple[] $providerErrorDupleCount - $hr = [HstiTest3]::QueryHSTIdetails([ref] $overallError, $providerErrors, [ref] $providerErrorDupleCount, $blob, [ref] $blobByteSize) - $string = $null - $blob | foreach { $string = $string + $_.ToString("X2")+"," } - - $hstiStatus = New-Object bool - $hr = [HstiTest3]::QueryHSTI([ref] $hstiStatus) - - LogAndConsole "HSTI Duple Count: $providerErrorDupleCount" - LogAndConsole "HSTI Blob size: $blobByteSize" - LogAndConsole "String: $string" - LogAndConsole "HSTIStatus: $hstiStatus" - if(($blobByteSize -gt 512) -and ($providerErrorDupleCount -gt 0) -and $hstiStatus) - { - LogAndConsoleSuccess "HSTI validation successful" - } - elseif(($providerErrorDupleCount -eq 0) -or ($blobByteSize -le 512)) - { - LogAndConsoleWarning "HSTI is absent" - $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null - } - else - { - $ErrorMessage = "HSTI validation failed" - if($HLK) - { - LogAndConsoleError $ErrorMessage - $DGVerifyCrit.AppendLine($ErrorMessage) | Out-Null - } - else - { - LogAndConsoleWarning $ErrorMessage - $DGVerifyWarn.AppendLine("HSTI is absent") | Out-Null - } - } - - } - catch - { - LogAndConsoleError $_.Exception.Message - LogAndConsoleError "Instantiate-HSTI failed" - } -} - - -function CheckDGRunning($_val) -{ - $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard - for($i=0; $i -lt $DGObj.SecurityServicesRunning.length; $i++) - { - if($DGObj.SecurityServicesRunning[$i] -eq $_val) - { - return 1 - } - - } - return 0 -} - -function CheckDGFeatures($_val) -{ - $DGObj = Get-CimInstance -classname Win32_DeviceGuard -namespace 
root\Microsoft\Windows\DeviceGuard - Log "DG_obj $DG_obj" - Log "DG_obj.AvailableSecurityProperties.length $DG_obj.AvailableSecurityProperties.length" - for($i=0; $i -lt $DGObj.AvailableSecurityProperties.length; $i++) - { - if($DGObj.AvailableSecurityProperties[$i] -eq $_val) - { - return 1 - } - - } - return 0 -} - -function PrintConfigCIDetails($_ConfigCIState) -{ - $_ConfigCIRunning = "Config-CI is enabled and running." - $_ConfigCIDisabled = "Config-CI is not running." - $_ConfigCIMode = "Not Enabled" - switch ($_ConfigCIState) - { - 0 { $_ConfigCIMode = "Not Enabled" } - 1 { $_ConfigCIMode = "Audit mode" } - 2 { $_ConfigCIMode = "Enforced mode" } - default { $_ConfigCIMode = "Not Enabled" } - } - - if($_ConfigCIState -ge 1) - { - LogAndConsoleSuccess "$_ConfigCIRunning ($_ConfigCIMode)" - } - else - { - LogAndConsoleWarning "$_ConfigCIDisabled ($_ConfigCIMode)" - } -} - -function PrintHVCIDetails($_HVCIState) -{ - $_HvciRunning = "HVCI is enabled and running." - $_HvciDisabled = "HVCI is not running." - - if($_HVCIState) - { - LogAndConsoleSuccess $_HvciRunning - } - else - { - LogAndConsoleWarning $_HvciDisabled - } -} - -function PrintCGDetails ($_CGState) -{ - $_CGRunning = "Credential-Guard is enabled and running." - $_CGDisabled = "Credential-Guard is not running." - - if($_CGState) - { - LogAndConsoleSuccess $_CGRunning - } - else - { - LogAndConsoleWarning $_CGDisabled - } -} - -if(![IO.Directory]::Exists($path)) -{ - New-Item -ItemType directory -Path $path -} -else -{ - #Do Nothing!! 
-} - -function IsRedstone -{ - $_osVersion = [environment]::OSVersion.Version - Log $_osVersion - #Check if build Major is Windows 10 - if($_osVersion.Major -lt 10) - { - return 0 - } - #Check if the build is post Threshold2 (1511 release) => Redstone - if($_osVersion.Build -gt 10586) - { - return 1 - } - #default return False - return 0 -} - -function ExecuteCommandAndLog($_cmd) -{ - try - { - Log "Executing: $_cmd" - $CmdOutput = Invoke-Expression $_cmd | Out-String - Log "Output: $CmdOutput" - } - catch - { - Log "Exception while exectuing $_cmd" - Log $_.Exception.Message - } - - -} - -function PrintRebootWarning -{ - LogAndConsoleWarning "Please reboot the machine, for settings to be applied." -} - -function AutoRebootHelper -{ - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - PrintRebootWarning - } - -} - -function VerifierReset -{ - $verifier_state = verifier /query | Out-String - if(!$verifier_state.ToString().Contains("No drivers are currently verified.")) - { - ExecuteCommandAndLog 'verifier.exe /reset' - } - AutoRebootHelper -} - -function PrintHardwareReq -{ - LogAndConsole "###########################################################################" - LogAndConsole "OS and Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsole " 1. OS SKUs: Available only on these OS Skus - Enterprise, Server, Education and Enterprise IoT" - LogAndConsole " 2. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsole "To learn more please visit: https://aka.ms/dgwhcr" - LogAndConsole "########################################################################### `n" -} - -function CheckDriverCompat -{ - $_HVCIState = CheckDGRunning(2) - if($_HVCIState) - { - LogAndConsoleWarning "HVCI is already enabled on this machine, driver compat list might not be complete." 
- LogAndConsoleWarning "Please disable HVCI and run the script again..." - } - $verifier_state = verifier /query | Out-String - if($verifier_state.ToString().Contains("No drivers are currently verified.")) - { - LogAndConsole "Enabling Driver verifier" - verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity - - LogAndConsole "Enabling Driver Verifier and Rebooting system" - Log $verifier_state - LogAndConsole "Please re-execute this script after reboot...." - if($AutoReboot) - { - LogAndConsole "PC will restart in 30 seconds" - ExecuteCommandAndLog 'shutdown /r /t 30' - } - else - { - LogAndConsole "Please reboot manually and run the script again...." - } - exit - } - else - { - LogAndConsole "Driver verifier already enabled" - Log $verifier_state - ListDrivers($verifier_state.Trim().ToLowerInvariant()) - } -} -function IsDomainController -{ - $_isDC = 0 - $CompConfig = Get-WmiObject Win32_ComputerSystem - foreach ($ObjItem in $CompConfig) - { - $Role = $ObjItem.DomainRole - Log "Role=$Role" - Switch ($Role) - { - 0 { Log "Standalone Workstation" } - 1 { Log "Member Workstation" } - 2 { Log "Standalone Server" } - 3 { Log "Member Server" } - 4 - { - Log "Backup Domain Controller" - $_isDC=1 - break - } - 5 - { - Log "Primary Domain Controller" - $_isDC=1 - break - } - default { Log "Unknown Domain Role" } - } - } - return $_isDC -} - -function CheckOSSKU -{ - $osname = $((Get-ComputerInfo).WindowsProductName).ToLower() - $_SKUSupported = 0 - Log "OSNAME:$osname" - $SKUarray = @("Enterprise", "Education", "IoT", "Windows Server") - $HLKAllowed = @("windows 10 pro") - foreach ($SKUent in $SKUarray) - { - if($osname.ToString().Contains($SKUent.ToLower())) - { - $_SKUSupported = 1 - break - } - } - - # For running HLK tests only, professional SKU's are marked as supported. 
- if($HLK) - { - if($osname.ToString().Contains($HLKAllowed.ToLower())) - { - $_SKUSupported = 1 - } - } - $_isDomainController = IsDomainController - if($_SKUSupported) - { - LogAndConsoleSuccess "This PC edition is Supported for DeviceGuard"; - if(($_isDomainController -eq 1) -and !$HVCI -and !$DG) - { - LogAndConsoleError "This PC is configured as a Domain Controller, Credential Guard is not supported on DC." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "This PC edition is Unsupported for Device Guard" - $DGVerifyCrit.AppendLine("OS SKU unsupported") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "OSSKU" /t REG_DWORD /d 0 /f ' - } -} - -function CheckOSArchitecture -{ - $OSArch = $(Get-WmiObject win32_operatingsystem).OSArchitecture.ToLower() - Log $OSArch - if($OSArch -match ("^64\-?\s?bit")) - { - LogAndConsoleSuccess "64 bit architecture" - } - elseif($OSArch -match ("^32\-?\s?bit")) - { - LogAndConsoleError "32 bit architecture" - $DGVerifyCrit.AppendLine("32 Bit OS, OS Architecture failure.") | Out-Null - } - else - { - LogAndConsoleError "Unknown architecture" - $DGVerifyCrit.AppendLine("Unknown OS, OS Architecture failure.") | Out-Null - } -} - -function CheckSecureBootState -{ - try { - $_secureBoot = Confirm-SecureBootUEFI - } - catch - { - $_secureBoot = $false - } - Log $_secureBoot - if($_secureBoot) - { - LogAndConsoleSuccess "Secure Boot is present" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Secure Boot is absent / not enabled." - LogAndConsoleError "If Secure Boot is supported on the system, enable Secure Boot in the BIOS and run the script again." 
- ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureBoot" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Secure boot validation failed.") | Out-Null - } -} - -function CheckVirtualization -{ - $_vmmExtension = $(Get-WMIObject -Class Win32_processor).VMMonitorModeExtensions - $_vmFirmwareExtension = $(Get-WMIObject -Class Win32_processor).VirtualizationFirmwareEnabled - $_vmHyperVPresent = (Get-CimInstance -Class Win32_ComputerSystem).HypervisorPresent - Log "VMMonitorModeExtensions $_vmmExtension" - Log "VirtualizationFirmwareEnabled $_vmFirmwareExtension" - Log "HyperVisorPresent $_vmHyperVPresent" - - #success if either processor supports and enabled or if hyper-v is present - if(($_vmmExtension -and $_vmFirmwareExtension) -or $_vmHyperVPresent ) - { - LogAndConsoleSuccess "Virtualization firmware check passed" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleError "Virtualization firmware check failed." - LogAndConsoleError "If Virtualization extensions are supported on the system, enable hardware virtualization (Intel Virtualization Technology, Intel VT-x, Virtualization Extensions, or similar) in the BIOS and run the script again." - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "Virtualization" /t REG_DWORD /d 0 /f ' - $DGVerifyCrit.AppendLine("Virtualization firmware check failed.") | Out-Null - } -} - -function CheckTPM -{ - $TPMLockout = $(get-tpm).LockoutCount - - if($TPMLockout) - { - - if($TPMLockout.ToString().Contains("Not Supported for TPM 1.2")) - { - if($HLK) - { - LogAndConsoleSuccess "TPM 1.2 is present." - } - else - { - $WarningMsg = "TPM 1.2 is Present. TPM 2.0 is Preferred." 
- LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - } - else - { - LogAndConsoleSuccess "TPM 2.0 is present." - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "TPM is absent or not ready for use" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "TPM" /t REG_DWORD /d 0 /f ' - } -} - -function CheckSecureMOR -{ - $isSecureMOR = CheckDGFeatures(4) - Log "isSecureMOR= $isSecureMOR " - if($isSecureMOR -eq 1) - { - LogAndConsoleSuccess "Secure MOR is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 2 /f ' - } - else - { - $WarningMsg = "Secure MOR is absent" - if($HLK) - { - LogAndConsoleError $WarningMsg - $DGVerifyCrit.AppendLine($WarningMsg) | Out-Null - } - else - { - LogAndConsoleWarning $WarningMsg - $DGVerifyWarn.AppendLine($WarningMsg) | Out-Null - } - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SecureMOR" /t REG_DWORD /d 0 /f ' - } -} - -function CheckNXProtection -{ - $isNXProtected = CheckDGFeatures(5) - Log "isNXProtected= $isNXProtected " - if($isNXProtected -eq 1) - { - LogAndConsoleSuccess "NX Protector is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "NX Protector is absent" - $DGVerifyWarn.AppendLine("NX Protector is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "UEFINX" /t REG_DWORD /d 0 /f ' - } 
-} - -function CheckSMMProtection -{ - $isSMMMitigated = CheckDGFeatures(6) - Log "isSMMMitigated= $isSMMMitigated " - if($isSMMMitigated -eq 1) - { - LogAndConsoleSuccess "SMM Mitigation is available" - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 2 /f ' - } - else - { - LogAndConsoleWarning "SMM Mitigation is absent" - $DGVerifyWarn.AppendLine("SMM Mitigation is absent") | Out-Null - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "SMMProtections" /t REG_DWORD /d 0 /f ' - } -} - -function CheckHSTI -{ - LogAndConsole "Copying HSTITest.dll" - try - { - $HSTITest_Decoded = [System.Convert]::FromBase64String($HSTITest_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\hstitest.dll",$HSTITest_Decoded) - - } - catch - { - LogAndConsole $_.Exception.Message - LogAndConsole "Copying and loading HSTITest.dll failed" - } - - Instantiate-Kernel32 - Instantiate-HSTI -} - -function PrintToolVersion -{ - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - LogAndConsole "Readiness Tool Version 3.7.2 Release. `nTool to check if your device is capable to run Device Guard and Credential Guard." - LogAndConsole "" - LogAndConsole "###########################################################################" - LogAndConsole "" - -} - -PrintToolVersion - -if(!($Ready) -and !($Capable) -and !($Enable) -and !($Disable) -and !($Clear) -and !($ResetVerifier)) -{ - #Print Usage if none of the options are specified - LogAndConsoleWarning "How to read the output:" - LogAndConsoleWarning "" - LogAndConsoleWarning " 1. Red Errors: Basic things are missing that will prevent enabling and using DG/CG" - LogAndConsoleWarning " 2. Yellow Warnings: This device can be used to enable and use DG/CG, but `n additional security benefits will be absent. 
To learn more please go through: https://aka.ms/dgwhcr" - LogAndConsoleWarning " 3. Green Messages: This device is fully compliant with DG/CG requirements`n" - - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "Hardware requirements for enabling Device Guard and Credential Guard" - LogAndConsoleWarning " 1. Hardware: Recent hardware that supports virtualization extension with SLAT" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" - - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Ready/Enable/Disable/Clear] -[DG/CG/HVCI] -[AutoReboot] -Path" - LogAndConsoleWarning "Log file with details is found here: C:\DGLogs `n" - - LogAndConsoleWarning "To Enable DG/CG. If you have a custom SIPolicy.p7b then use the -Path parameter else the hardcoded default policy is used" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable OR DG_Readiness.ps1 -Enable -Path `n" - - LogAndConsoleWarning "To Enable only HVCI" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -HVCI `n" - - LogAndConsoleWarning "To Enable only CG" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Enable -CG `n" - - LogAndConsoleWarning "To Verify if DG/CG is enabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Disable DG/CG." 
- LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Disable `n" - - LogAndConsoleWarning "To Verify if DG/CG is disabled" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Ready `n" - - LogAndConsoleWarning "To Verify if this device is DG/CG Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable`n" - - LogAndConsoleWarning "To Verify if this device is HVCI Capable" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -Capable -HVCI`n" - - LogAndConsoleWarning "To Auto reboot with each option" - LogAndConsoleWarning "Usage: DG_Readiness.ps1 -[Capable/Enable/Disable] -AutoReboot`n" - LogAndConsoleWarning "###########################################################################" - LogAndConsoleWarning "" - LogAndConsoleWarning "When the Readiness Tool with '-capable' is run the following RegKey values are set:" - LogAndConsoleWarning "" - LogAndConsoleWarning "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" - LogAndConsoleWarning "CG_Capable" - LogAndConsoleWarning "DG_Capable" - LogAndConsoleWarning "HVCI_Capable" - LogAndConsoleWarning "" - LogAndConsoleWarning "Value 0 = not possible to enable DG/CG/HVCI on this device" - LogAndConsoleWarning "Value 1 = not fully compatible but has sufficient firmware/hardware/software features to enable DG/CG/HVCI" - LogAndConsoleWarning "Value 2 = fully compatible for DG/CG/HVCI" - LogAndConsoleWarning "" - LogAndConsoleWarning "########################################################################### `n" -} - -$user = [Security.Principal.WindowsIdentity]::GetCurrent(); -$TestForAdmin = (New-Object Security.Principal.WindowsPrincipal $user).IsInRole([Security.Principal.WindowsBuiltinRole]::Administrator) - -if(!$TestForAdmin) -{ - LogAndConsoleError "This script requires local administrator privileges. Please execute this script as a local administrator." 
- exit -} - -$isRunningOnVM = (Get-WmiObject win32_computersystem).model -if($isRunningOnVM.Contains("Virtual")) -{ - LogAndConsoleWarning "Running on a Virtual Machine. DG/CG is supported only if both guest VM and host machine are running with Windows 10, version 1703 or later with English localization." -} - - -<# Check the DG status if enabled or disabled, meaning if the device is ready or not #> -if($Ready) -{ - PrintHardwareReq - - $DGRunning = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).SecurityServicesRunning - $_ConfigCIState = $(Get-CimInstance -classname Win32_DeviceGuard -namespace root\Microsoft\Windows\DeviceGuard).CodeIntegrityPolicyEnforcementStatus - Log "Current DGRunning = $DGRunning, ConfigCI= $_ConfigCIState" - $_HVCIState = CheckDGRunning(2) - $_CGState = CheckDGRunning(1) - - if($HVCI) - { - Log "_HVCIState: $_HVCIState" - PrintHVCIDetails $_HVCIState - } - elseif($CG) - { - Log "_CGState: $_CGState" - PrintCGDetails $_CGState - - if($_CGState) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "CG_Running" /t REG_DWORD /d 0 /f' - } - } - elseif($DG) - { - Log "_HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if($_ConfigCIState -and $_HVCIState) - { - LogAndConsoleSuccess "HVCI, and Config-CI are enabled and running." - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Not all services are running." 
- - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "DG_Running" /t REG_DWORD /d 0 /f' - } - } - else - { - Log "_CGState: $_CGState, _HVCIState: $_HVCIState, _ConfigCIState: $_ConfigCIState" - - PrintCGDetails $_CGState - PrintHVCIDetails $_HVCIState - PrintConfigCIDetails $_ConfigCIState - - if(($DGRunning.Length -ge 2) -and ($_CGState) -and ($_HVCIState) -and ($_ConfigCIState -ge 1)) - { - LogAndConsoleSuccess "HVCI, Credential Guard, and Config CI are enabled and running." - } - else - { - LogAndConsoleWarning "Not all services are running." - } - } -} - -<# Enable and Disable #> -if($Enable) -{ - PrintHardwareReq - - LogAndConsole "Enabling Device Guard and Credential Guard" - LogAndConsole "Setting RegKeys to enable DG/CG" - - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f' - #Only SecureBoot is required as part of RequirePlatformSecurityFeatures - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f' - } - - if(!$HVCI -and !$DG) - { - # value is 2 for both Th2 and RS1 - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /t REG_DWORD /d 2 /f' - } - if(!$CG) - { - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f' - } - else - { - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD 
/d 1 /f' - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f' - } - } - - try - { - if(!$HVCI -and !$CG) - { - if(!$SIPolicyPath) - { - Log "Writing Decoded SIPolicy.p7b" - $SIPolicy_Decoded = [System.Convert]::FromBase64String($SIPolicy_Encoded) - [System.IO.File]::WriteAllBytes("$env:windir\System32\CodeIntegrity\SIPolicy.p7b",$SIPolicy_Decoded) - } - else - { - LogAndConsole "Copying user provided SIpolicy.p7b" - $CmdOutput = Copy-Item $SIPolicyPath "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" | Out-String - Log $CmdOutput - } - } - } - catch - { - LogAndConsole "Writing SIPolicy.p7b file failed" - } - - LogAndConsole "Enabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, enabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /Enable-Feature:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Hypervisor /All /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /Enable-Feature:Microsoft-Hyper-V-Online /All /NoRestart | Out-String - } - - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Enabling Hyper-V and IOMMU successful" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 1 /f' - } - else - { - LogAndConsoleWarning "Enabling Hyper-V failed please check the log file" - #Reg key for HLK validation of DISM.EXE step - ExecuteCommandAndLog 'REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities\" /v "HyperVEnabled" /t REG_DWORD /d 0 /f' - } - AutoRebootHelper -} - -if($Disable) -{ - LogAndConsole "Disabling Device 
Guard and Credential Guard" - LogAndConsole "Deleting RegKeys to disable DG/CG" - - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /f' - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /f' - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "NoLock" /f' - } - else - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /f' - } - - if(!$CG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /f' - if($_isRedstone) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /f' - } - } - - if(!$HVCI -and !$DG) - { - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v "LsaCfgFlags" /f' - } - - if(!$HVCI -and !$CG) - { - ExecuteCommandAndLog 'del "$env:windir\System32\CodeIntegrity\SIPolicy.p7b"' - } - - if(!$HVCI -and !$DG -and !$CG) - { - LogAndConsole "Disabling Hyper-V and IOMMU" - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsole "OS Not Redstone, disabling IsolatedUserMode separately" - #Enable/Disable IOMMU separately - ExecuteCommandAndLog 'DISM.EXE /Online /disable-Feature /FeatureName:IsolatedUserMode /NoRestart' - } - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Hypervisor /NoRestart | Out-String - if(!$CmdOutput.Contains("The operation completed successfully.")) - { - $CmdOutput = DISM.EXE /Online /disable-Feature /FeatureName:Microsoft-Hyper-V-Online /NoRestart | Out-String - } - Log $CmdOutput - if($CmdOutput.Contains("The operation completed successfully.")) - { - LogAndConsoleSuccess "Disabling Hyper-V and IOMMU successful" - } - else - { - 
LogAndConsoleWarning "Disabling Hyper-V failed please check the log file" - } - - #set of commands to run SecConfig.efi to delete UEFI variables if were set in pre OS - #these steps can be performed even if the UEFI variables were not set - if not set it will lead to No-Op but this can be run in general always - #this requires a reboot and accepting the prompt in the Pre-OS which is self explanatory in the message that is displayed in pre-OS - $FreeDrive = ls function:[s-z]: -n | ?{ !(test-path $_) } | random - Log "FreeDrive=$FreeDrive" - ExecuteCommandAndLog 'mountvol $FreeDrive /s' - $CmdOutput = Copy-Item "$env:windir\System32\SecConfig.efi" $FreeDrive\EFI\Microsoft\Boot\SecConfig.efi -Force | Out-String - LogAndConsole $CmdOutput - ExecuteCommandAndLog 'bcdedit /create "{0cb3b571-2f2e-4343-a879-d86a476d7215}" /d DGOptOut /application osloader' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" path \EFI\Microsoft\Boot\SecConfig.efi' - ExecuteCommandAndLog 'bcdedit /set "{bootmgr}" bootsequence "{0cb3b571-2f2e-4343-a879-d86a476d7215}"' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" loadoptions DISABLE-LSA-ISO,DISABLE-VBS' - ExecuteCommandAndLog 'bcdedit /set "{0cb3b571-2f2e-4343-a879-d86a476d7215}" device partition=$FreeDrive' - ExecuteCommandAndLog 'mountvol $FreeDrive /d' - #steps complete - - } - AutoRebootHelper -} - -if($Clear) -{ - ExecuteCommandAndLog 'REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Capabilities" /f' - VerifierReset -} - -if($ResetVerifier) -{ - VerifierReset -} - -<# Is machine Device Guard / Cred Guard Capable and Verify #> -if($Capable) -{ - PrintHardwareReq - - LogAndConsole "Checking if the device is DG/CG Capable" - - $_isRedstone = IsRedstone - if(!$_isRedstone) - { - LogAndConsoleWarning "Capable is currently fully supported in Redstone only.." 
- } - $_StepCount = 1 - if(!$CG) - { - LogAndConsole " ====================== Step $_StepCount Driver Compat ====================== " - $_StepCount++ - CheckDriverCompat - } - - LogAndConsole " ====================== Step $_StepCount Secure boot present ====================== " - $_StepCount++ - CheckSecureBootState - - if(!$HVCI -and !$DG -and !$CG) - { - #check only if sub-options are absent - LogAndConsole " ====================== Step $_StepCount MS UEFI HSTI tests ====================== " - $_StepCount++ - CheckHSTI - } - - LogAndConsole " ====================== Step $_StepCount OS Architecture ====================== " - $_StepCount++ - CheckOSArchitecture - - LogAndConsole " ====================== Step $_StepCount Supported OS SKU ====================== " - $_StepCount++ - CheckOSSKU - - LogAndConsole " ====================== Step $_StepCount Virtualization Firmware ====================== " - $_StepCount++ - CheckVirtualization - - if(!$HVCI -and !$DG) - { - LogAndConsole " ====================== Step $_StepCount TPM version ====================== " - $_StepCount++ - CheckTPM - - LogAndConsole " ====================== Step $_StepCount Secure MOR ====================== " - $_StepCount++ - CheckSecureMOR - } - - LogAndConsole " ====================== Step $_StepCount NX Protector ====================== " - $_StepCount++ - CheckNXProtection - - LogAndConsole " ====================== Step $_StepCount SMM Mitigation ====================== " - $_StepCount++ - CheckSMMProtection - - LogAndConsole " ====================== End Check ====================== " - - LogAndConsole " ====================== Summary ====================== " - ListSummary - LogAndConsole "To learn more about required hardware and software please visit: https://aka.ms/dgwhcr" -} - - -# SIG # Begin signature block -## REPLACE -# SIG # End signature block - -``` 
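Review bot: Removing the DG_Readiness.ps1 listing is the right call, but the page that replaces it should say plainly that the tool is retired, because the removed script still circulates and its behaviour is stale or risky to keep running: `CheckHSTI` base64-decodes an embedded `hstitest.dll` straight into `$env:windir\System32`, `-Enable` writes an embedded `SIPolicy.p7b` into `System32\CodeIntegrity` (a code-integrity policy the reader never gets to inspect), `-Disable` stages `SecConfig.efi` via `bcdedit` with `loadoptions DISABLE-LSA-ISO,DISABLE-VBS`, `IsRedstone` treats every build above 10586 as "Redstone", and `CheckOSSKU` decides support by substring-matching `WindowsProductName`. Anyone tempted to revive it should also note the naming slip at the top of this region: the log line references `$DG_obj` while the loop iterates `$DGObj.AvailableSecurityProperties`, so one of the two names is a typo and the logged object is not the one being checked.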
diff --git a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md index c7b9c6ad9d..d6f73cfb32 100644 --- a/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements.md @@ -112,4 +112,4 @@ The use of ALT key character combinations may greatly enhance the complexity of ## Related articles -- [Password Policy](password-policy.md) +- [Password Policy](/microsoft-365/admin/misc/password-policy-recommendations) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 4a63cc1f7c..3c6653f5b0 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -1,16 +1,15 @@ --- title: Windows 11 requirements -description: Hardware requirements to deploy Windows 11 +description: Hardware requirements to deploy Windows 11. manager: aaroncz author: mestew ms.author: mstewart ms.prod: windows-client ms.localizationpriority: medium ms.topic: article -ms.custom: seo-marvel-apr2020 ms.collection: highpri ms.technology: itpro-fundamentals -ms.date: 12/31/2017 +ms.date: 02/13/2023 --- # Windows 11 requirements 
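Review bot: In the password-must-meet-complexity-requirements.md hunk the Related articles entry now points at /microsoft-365/admin/misc/password-policy-recommendations, a Microsoft 365 admin page, while the link text still reads "Password Policy" as though it were the sibling Windows security-policy article; rename the link text to match the target (for example "Password policy recommendations") and, if the local password-policy.md is being retired, give it a redirect entry so existing inbound links to it don't break.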
@@ -19,51 +18,60 @@ ms.date: 12/31/2017 - Windows 11 -This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). +This article lists the system requirements for Windows 11. Windows 11 is also [supported on a virtual machine (VM)](#virtual-machine-support). ## Hardware requirements To install or upgrade to Windows 11, devices must meet the following minimum hardware requirements: - -- Processor: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](https://aka.ms/CPUlist) or system on a chip (SoC). -- RAM: 4 gigabytes (GB) or greater. -- Storage: 64 GB\* or greater available storage is required to install Windows 11. - - Extra storage space might be required to download updates and enable specific features. -- Graphics card: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. -- System firmware: UEFI, Secure Boot capable. -- TPM: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. -- Display: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. -- Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be more requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). +- **Processor**: 1 gigahertz (GHz) or faster with two or more cores on a [compatible 64-bit processor](/windows-hardware/design/minimum/windows-processor-requirements) or system on a chip (SoC). 
-Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). +- **Memory**: 4 gigabytes (GB) or greater. -For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). +- **Storage**: 64 GB or greater available disk space. -## Operating system requirements + > [!NOTE] + > There might be more storage requirements over time for updates, and to enable specific features within the OS. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). + +- **Graphics card**: Compatible with DirectX 12 or later, with a WDDM 2.0 driver. + +- **System firmware**: UEFI, Secure Boot capable. + +- **TPM**: [Trusted Platform Module](/windows/security/information-protection/tpm/trusted-platform-module-overview) (TPM) version 2.0. + +- **Display**: High definition (720p) display, 9" or greater monitor, 8 bits per color channel. + +- **Internet connection**: Internet connectivity is necessary to perform updates, and to download and use some features. + + - Windows 11 Home edition requires an internet connection and a Microsoft Account to complete device setup on first use. + +For more information, see the following Windows Insider blog post: [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). + +For more information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). + +## OS requirements Eligible Windows 10 devices must be on version 2004 or later, and have installed the September 14, 2021 security update or later, to upgrade directly to Windows 11. > [!NOTE] -> S mode is only supported on the Home edition of Windows 11. 
-> If you are running a different edition of Windows in S mode, you will need to first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode) prior to upgrading.
 
-> Switching a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you cannot switch back to S mode later. +> +> - S mode is only supported on the Home edition of Windows 11. +> - If you're running a different edition of Windows in S mode, before upgrading to Windows 11, first [switch out of S mode](/windows/deployment/windows-10-pro-in-s-mode). +> - To switch a device out of Windows 10 in S mode also requires internet connectivity. If you switch out of S mode, you can't switch back to S mode later. ## Feature-specific requirements -Some features in Windows 11 have requirements beyond those requirements listed above. See the following list of features and associated requirements. +Some features in Windows 11 have requirements beyond the minimum [hardware requirements](#hardware-requirements). - **5G support**: requires 5G capable modem. - **Auto HDR**: requires an HDR monitor. -- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. -- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and above. +- **BitLocker to Go**: requires a USB flash drive. This feature is available in Windows Pro and above editions. +- **Client Hyper-V**: requires a processor with second-level address translation (SLAT) capabilities. This feature is available in Windows Pro editions and greater. - **Cortana**: requires a microphone and speaker and is currently available on Windows 11 for Australia, Brazil, Canada, China, France, Germany, India, Italy, Japan, Mexico, Spain, United Kingdom, and United States. - **DirectStorage**: requires an NVMe SSD to store and run games that use the Standard NVM Express Controller driver and a DirectX12 GPU with Shader Model 6.0 support. - **DirectX 12 Ultimate**: available with supported games and graphics chips. 
- **Presence**: requires sensor that can detect human distance from device or intent to interact with device. -- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output) +- **Intelligent Video Conferencing**: requires video camera, microphone, and speaker (audio output). - **Multiple Voice Assistant**: requires a microphone and speaker. - **Snap**: three-column layouts require a screen that is 1920 effective pixels or greater in width. - **Mute** and **unmute**: from Taskbar requires video camera, microphone, and speaker (audio output). App must be compatible with feature to enable global mute/unmute. 
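Review bot: The rewritten S mode note in this hunk reads "To switch a device out of Windows 10 in S mode also requires internet connectivity", which is ungrammatical; the removed line had it right, so use "Switching a device out of Windows 10 in S mode also requires internet connectivity." Two smaller consistency points in the same hunk: "Microsoft Account" should be "Microsoft account" (the same sentence was lower-cased to "internet connection" in this edit), and the edition wording now alternates between "Windows Pro and above editions" (BitLocker to Go) and "Windows Pro editions and greater" (Client Hyper-V); pick one form.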
@@ -76,35 +84,43 @@ Some features in Windows 11 have requirements beyond those requirements listed a - **Wi-Fi 6E**: requires new WLAN IHV hardware and driver and a Wi-Fi 6E capable AP/router. - **Windows Hello**: requires a camera configured for near infrared (IR) imaging or fingerprint reader for biometric authentication. Devices without biometric sensors can use Windows Hello with a PIN or portable Microsoft compatible security key. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). - **Windows Projection**: requires a display adapter that supports Windows Display Driver Model (WDDM) 2.0 and a Wi-Fi adapter that supports Wi-Fi Direct. -- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live Countries and Regions page for the most up-to-date information on availability. Some features in the Xbox app will require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. +- **Xbox app**: requires an Xbox Live account, which isn't available in all regions. Go to the Xbox Live *Countries and Regions* page for the most up-to-date information on availability. Some features in the Xbox app require an active [Xbox Game Pass](https://www.xbox.com/xbox-game-pass) subscription. ## Virtual machine support -The following configuration requirements apply to VMs running Windows 11. +The following configuration requirements apply to VMs running Windows 11. 
-- Generation: 2 \* -- Storage: 64 GB or greater -- Security: - - Azure: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled - - Hyper-V: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager) - - General settings: Secure boot capable, virtual TPM enabled -- Memory: 4 GB or greater -- Processor: Two or more virtual processors +- **Generation**: 2 -The VM host CPU must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). + > [!NOTE] + > In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. -\* In-place upgrade of existing generation 1 VMs to Windows 11 isn't possible. +- **Storage**: 64 GB or greater disk space. -> [!NOTE] -> Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. +- **Security**: + + - **Azure**: [Trusted launch](/azure/virtual-machines/trusted-launch) with vTPM enabled. + - **Hyper-V**: [Secure boot and TPM enabled](/windows-server/virtualization/hyper-v/learn-more/Generation-2-virtual-machine-security-settings-for-Hyper-V#secure-boot-setting-in-hyper-v-manager). + + - General settings: Secure boot capable, virtual TPM enabled. + +- **Memory**: 4 GB or greater. + +- **Processor**: Two or more virtual processors. + + - The VM host processor must also meet Windows 11 [processor requirements](/windows-hardware/design/minimum/windows-processor-requirements). + + > [!NOTE] + > There may be some instances where this requirement for the VM host doesn't apply. For more information, see [Options for using Windows 11 with Mac computers](https://support.microsoft.com/topic/cd15fd62-9b34-4b78-b0bc-121baa3c568c). 
+ + - Procedures to configure required VM settings depend on the VM host type. For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS. Virtual TPM 2.0 is emulated in the guest VM independent of the Hyper-V host TPM presence or version. ## Next steps -[Plan for Windows 11](windows-11-plan.md)
-[Prepare for Windows 11](windows-11-prepare.md) +- [Plan for Windows 11](windows-11-plan.md) +- [Prepare for Windows 11](windows-11-prepare.md) ## See also -[Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview)
-[What's new in Windows 11 overview](/windows/whats-new/windows-11-overview) - +- [Windows minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) +- [What's new in Windows 11 overview](/windows/whats-new/windows-11-overview)
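Review bot: The rewritten S mode bullet "To switch a device out of Windows 10 in S mode also requires internet connectivity." is ungrammatical (an infinitive phrase is used as the subject of "requires"); the wording being removed, "Switching a device out of Windows 10 in S mode also requires internet connectivity.", was correct, so keep that sentence and only convert it to a bullet. Two smaller points in the same hunk: the Client Hyper-V bullet now says "Windows Pro editions and greater" while the BitLocker to Go bullet directly above it keeps "Windows Pro and above editions", so use one phrasing for both; and the new intro sentence links to `#hardware-requirements`, which only resolves if the page has a heading that renders with exactly that anchor, and that heading isn't visible in this hunk, so please confirm the anchor before merging.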
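Review bot: The bullet "Procedures to configure required VM settings depend on the VM host type. ..." is nested under **Processor** in the new layout, but it covers enabling virtualization and the virtual TPM for the whole VM, not the processor count, so move it to the top level of the list or keep it as the standalone note it was; its second sentence also still reads "For example, VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS." and should be "For example, on VM hosts running Hyper-V, virtualization (VT-x, VT-d) must be enabled in the BIOS." Under **Security**, the third sub-item "General settings: Secure boot capable, virtual TPM enabled." is separated from the Azure and Hyper-V items by a blank line and isn't bolded like them, so it renders inconsistently; make it "- **General settings**: Secure boot capable, virtual TPM enabled." with no blank line before it. The Hyper-V link text promises "Secure boot and TPM enabled", but the anchor `#secure-boot-setting-in-hyper-v-manager` lands on the Secure Boot setting only; since the vTPM is the part of this requirement that matters for Windows 11 (the last bullet correctly notes that Hyper-V emulates TPM 2.0 in the guest regardless of the host TPM), link to where that page covers the TPM setting as well, or drop the anchor. Finally, the line "The following configuration requirements apply to VMs running Windows 11." appears to change only in trailing whitespace; if so, drop it from the diff.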