From f4eee9c7d20f50d01313137312e9e69c31bb15a5 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Mon, 26 Oct 2020 19:32:05 -0700 Subject: [PATCH 1/6] Update device-guard-signing-portal.md Updating to reflect service is live and to include NuGet link. --- store-for-business/device-guard-signing-portal.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index a3e5be63f9..a891ecd541 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md 
@@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. > > Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). > - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). 
Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. > @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** From dcad2d15c70d56210fb995eb484a2a6113c60fd0 Mon Sep 17 00:00:00 2001 From: Linda Diefendorf Date: Mon, 26 Oct 2020 19:37:10 -0700 Subject: [PATCH 2/6] Update sign-code-integrity-policy-with-device-guard-signing.md Updating to reflect service is now live and adding in NuGet package link. --- .../sign-code-integrity-policy-with-device-guard-signing.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md index e0acead8f1..6512584c76 100644 --- a/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md +++ b/store-for-business/sign-code-integrity-policy-with-device-guard-signing.md 
@@ -18,10 +18,10 @@ ms.date: 10/17/2017 # Sign code integrity policy with Device Guard signing > [!IMPORTANT] -> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) will be available for consumption starting mid-September 2020, and you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service between September and December 2020. +> We are introducing a new version of the Device Guard Signing Service (DGSS) to be more automation friendly. The new version of the service (DGSS v2) is now available. As announced earlier, you will have until the end of December 2020 to transition to DGSS v2. At the end of December 2020, the existing web-based mechanisms for the current version of the DGSS service will be retired and will no longer be available for use. Please make plans to migrate to the new version of the service by the end of December 2020. > > Following are the major changes we are making to the service: -> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets will be available as a NuGet download. +> - The method for consuming the service will change to a more automation-friendly method based on PowerShell cmdlets. These cmdlets are available as a NuGet download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/. > - In order to achieve desired isolation, you will be required to get a new CI policy from DGSS v2 (and optionally sign it). > - DGSS v2 will not have support for downloading leaf certificates used to sign your files (however, the root certificate will still be available to download). 
Note that the certificate used to sign a file can be easily extracted from the signed file itself. As a result, after DGSS v1 is retired at the end of December 2020, you will no longer be able to download the leaf certificates used to sign your files. > @@ -32,7 +32,7 @@ ms.date: 10/17/2017 > - Download root cert > - Download history of your signing operations > -> We will share detailed instructions and NuGet location before mid-September 2020. For any questions, please contact us at DGSSMigration@microsoft.com for more information on migration. +> For any questions, please contact us at DGSSMigration@microsoft.com. **Applies to** From ad0f0ee4f4d2f86bdcb7b94002d6536e113c1ecb Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 27 Oct 2020 08:27:00 -0700 Subject: [PATCH 3/6] Update preview.md removing MCAS as this is now GA --- .../threat-protection/microsoft-defender-atp/preview.md | 5 ----- 1 file changed, 5 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md index eca1e04388..5ed93079a0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/preview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md @@ -68,11 +68,6 @@ Information protection is an integral part of Microsoft 365 Enterprise suite, pr >[!NOTE] >Partially available from Windows 10, version 1809. -- [Integration with Microsoft Cloud App Security](microsoft-cloud-app-security-integration.md)
Microsoft Cloud App Security leverages Microsoft Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Microsoft Defender ATP monitored devices. - - >[!NOTE] - >Available from Windows 10, version 1809 or later. - - [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints#windows-server-version-1803-and-windows-server-2019)
Microsoft Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client devices. From b8102c87a7e0b593e62b5884c09a2884874ef9a0 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 27 Oct 2020 08:49:16 -0700 Subject: [PATCH 4/6] Update kernel-dma-protection-for-thunderbolt.md update per MSFT eng team --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 836d7916f5..8c5a881e03 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -95,7 +95,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if - Reboot system into Windows 10. >[!NOTE] - > **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES and the **Hyper-V** Windows feature is enabled. Enabling both is needed to enable **Kernel DMA Protection** even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection). + > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. From bd1eb85397abfc8b85c98d522a8553dda5a8a370 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 27 Oct 2020 09:26:31 -0700 Subject: [PATCH 5/6] Update kernel-dma-protection-for-thunderbolt.md --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 8c5a881e03..1e6bc6760a 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -95,7 +95,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if - Reboot system into Windows 10. >[!NOTE] - > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-kernel-dma-protection). + > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. 
From 13af873e943631b4eaca30cc1ca3b905203f7c4a Mon Sep 17 00:00:00 2001 From: Jeff Borsecnik Date: Tue, 27 Oct 2020 09:56:26 -0700 Subject: [PATCH 6/6] fixed note formatting --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 1e6bc6760a..74e8c2d67c 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
@@ -95,7 +95,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if - Reboot system into Windows 10. >[!NOTE] - > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection). + > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
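
Review bot: in the first hunk of PATCH 1/6 (device-guard-signing-portal.md, @@ -18,10), the rewritten paragraph says DGSS v2 "is now available", but it still opens with "We are introducing a new version" and the context bullets keep the future tense ("will change", "you will be required", "will not have support"), so the notice contradicts itself about whether v2 is live. Suggest moving those to the present tense in the same change. The NuGet location is also added as a bare URL followed directly by a full stop ("download, https://www.nuget.org/packages/Microsoft.Acs.Dgss.Client/."); a Markdown link with descriptive text would remove any ambiguity about where the URL ends. The ms.date shown in the hunk header is still 10/17/2017 and this patch does not touch it.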
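
Review bot: the second hunk of PATCH 1/6 (@@ -32,7) drops the sentence "We will share detailed instructions and NuGet location before mid-September 2020", but nothing in the patch adds a pointer to those instructions; only the NuGet location is supplied, in the first hunk. If migration instructions have been published, link them here, since readers are asked to finish the move by the end of December 2020 and the only remaining pointer is an e-mail address.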
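
Review bot: both hunks of PATCH 2/6 (sign-code-integrity-policy-with-device-guard-signing.md) are word for word the same edits as PATCH 1/6, which means the retirement notice is maintained as two copies. Suggest moving it into a shared include so the December 2020 date and the NuGet link cannot drift between the two pages. The comments on PATCH 1/6 about the leftover future tense and the bare URL apply here as well.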
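
Review bot: the entry removed in PATCH 3/6 (preview.md, @@ -68,11) carries a version requirement in its note, "Available from Windows 10, version 1809 or later", and the patch deletes it without showing where that statement is kept. Before merging, confirm that microsoft-cloud-app-security-integration.md, the page the removed item linked to, states the requirement. The commit message "removing MCAS as this is now GA" would also be more useful with a reference to where the feature is now listed as generally available.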
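
Review bot: the replacement note in PATCH 4/6 (kernel-dma-protection-for-thunderbolt.md, @@ -95,7) changes the stated requirement, not only the wording. The removed line said "Enabling both is needed", meaning the firmware virtualization setting and the **Hyper-V** Windows feature, while the added line says only "Enabling Hyper-V virtualization in Firmware (IOMMU) is required". The commit message "update per MSFT eng team" does not say whether dropping the Hyper-V feature as a prerequisite is intended; please confirm and state it in the message. The link target on the added line also gains a hard-coded /en-us/ segment, which pins readers to one locale; keep the locale-neutral URL from the removed line.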
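
Review bot: PATCH 5/6 has no message body and its single hunk only removes the /en-us/ segment that PATCH 4/6 introduced on the same line. Suggest squashing it into 4/6 so the series never contains the locale-pinned link, or at least adding one line to the message saying the locale was removed from the URL.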
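
Review bot: in PATCH 6/6 the removed and added lines of the @@ -95,7 hunk read identically as shown, so the change is presumably whitespace-only, and the message "fixed note formatting" does not say what was wrong. Please state in the message which indentation the note body needs under `>[!NOTE]` so the fix is reviewable, and consider folding it into 4/6, since this is the third consecutive patch rewriting the same line.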