diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index c63d72e644..3d8a02bb7d 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -39,7 +39,7 @@ Credential Guard also does not allow older variants of NTLM and Kerberos authent Here's a high-level overview on how the LSA is isolated by using virtualization-based security: -![](images/credguard.png) +![Credential Guard oveview](images/credguard.png) ## New and changed functionality @@ -89,7 +89,19 @@ The PC must meet the following hardware and software requirements to use Credent

Trusted Platform Module (TPM) version 1.2 or 2.0

-

TPM 1.2 and 2.0 provides protection for encryption keys that are stored in the firmware. TPM 1.2 is not supported on Windows 10 (Build 10240); however, it is supported in Windows 10, Version 1511 (Build 10586) and later.

+

TPM 1.2 and 2.0 provides protection for encryption keys that are stored in the firmware and are used by Credential Guard. See the following table to determine which TPM versions are supported on your OS.

+ + + + + + + + + + + +
OS versionRequired TPM
Windows 10 version 1507TPM 2.0
Windows 10 version 1511TPM 2.0 or TPM 1.2
Note  If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM.
@@ -490,7 +502,7 @@ help2 = Usage: help3 = The following parameter is mandatory: help4 = -LinkedToGroup: help5 = "yes" will return only Issuance Policies that are linked to groups. Checks that the linked Issuance Policies are linked to valid groups. -help6 = "no" will return only Issuance Policies that are not currently linked to any group. +help6 = "no" will return only Issuance Policies that are not currently linked to any group. help7 = "all" will return all Issuance Policies defined in the forest. Checks that the linked Issuance policies are linked to valid groups. help8 = The following parameter is optional: help9 = -Identity:. If you specify an identity, the option specified in the "-LinkedToGroup" parameter is ignored. @@ -504,7 +516,7 @@ LinkedIPs = The following Issuance Policies are linked to groups: displayName = displayName : {0} Name = Name : {0} dn = distinguishedName : {0} - InfoName = Linked Group Name: {0} + InfoName = Linked Group Name: {0} InfoDN = Linked Group DN: {0} NonLinkedIPs = The following Issuance Policies are NOT linked to groups: '@ @@ -564,15 +576,15 @@ if ($Identity) { $errormsg = $getIP_strings.ErrorIPNotFound -f $Identity write-host $errormsg -ForegroundColor Red } - + foreach ($OID in $OIDs) { - + if ($OID."msDS-OIDToGroupLink") { # In case the Issuance Policy is linked to a group, it is good to check whether there is any problem with the mapping. $groupDN = $OID."msDS-OIDToGroupLink" $group = get-adgroup -Identity $groupDN $groupName = $group.Name - + # Analyze the group if ($group.groupCategory -ne "Security") { $errormsg = $getIP_strings.ErrorNotSecurity -f $Identity, $groupName @@ -591,7 +603,7 @@ write-host $errormsg -ForegroundColor Red } } } - + } return $OIDs break @@ -608,20 +620,20 @@ if (($LinkedToGroup -eq "yes") -or ($LinkedToGroup -eq "all")) { write-host "" if ($LinkedOIDs -ne $null){ foreach ($OID in $LinkedOIDs) { - + # Display basic information about the Issuance Policies "" $getIP_strings.displayName -f $OID.displayName $getIP_strings.Name -f $OID.Name $getIP_strings.dn -f $OID.distinguishedName - - + + # Get the linked group. $groupDN = $OID."msDS-OIDToGroupLink" $group = get-adgroup -Identity $groupDN $getIP_strings.InfoName -f $group.Name $getIP_strings.InfoDN -f $groupDN - + # Analyze the group $OIDName = $OID.displayName $groupName = $group.Name @@ -775,8 +787,8 @@ write-host $ErrorMsg.help10 -# Assumption: The group to which the Issuance Policy is going -# to be linked is (or is going to be created) in +# Assumption: The group to which the Issuance Policy is going +# to be linked is (or is going to be created) in # the domain the user running this script is a member of. import-module ActiveDirectory $root = get-adrootdse @@ -820,7 +832,7 @@ write-host $tmp -ForeGroundColor Green if ($groupOU -eq $null) { # default to the Users container $groupContainer = $domain.UsersContainer -} +} else { $searchBase = [string]$domain.DistinguishedName $groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} @@ -841,7 +853,7 @@ write-host $tmp -ForegroundColor Green } else{ $tmp = $ErrorMsg.OUCreationError -f $groupOU -write-host $tmp -ForeGroundColor Red +write-host $tmp -ForeGroundColor Red break; } $groupContainer = get-adobject -searchBase $searchBase -Filter { (Name -eq $groupOU) -and (objectClass -eq "organizationalUnit")} @@ -880,7 +892,7 @@ $tmp = $ErrorMsg.GroupCreationSuccess -f $groupName write-host $tmp -ForegroundColor Green }else{ $tmp = $ErrorMsg.groupCreationError -f $groupName -write-host $tmp -ForeGroundColor Red +write-host $tmp -ForeGroundColor Red break } $group = get-adgroup -Filter { (Name -eq $groupName) -and (objectClass -eq "group") } -searchBase $searchBase @@ -893,7 +905,7 @@ else { $tmp = $ErrorMsg.GroupFound -f $group.Name write-host $tmp -ForegroundColor Green } -} +} else { ##### ## If the group is not specified, we should remove the link if any exists @@ -911,11 +923,11 @@ write-host $tmp -ForeGroundColor Green $tmp = $ErrorMsg.UnlinkError write-host $tmp -ForeGroundColor Red } -} -else { +} +else { $tmp = $ErrorMsg.UnlinkExit write-host $tmp -break +break } } else { @@ -928,7 +940,7 @@ break; ####################################### ## Verify that the group is ## -## Universal, Security, and ## +## Universal, Security, and ## ## has no members ## ####################################### @@ -953,7 +965,7 @@ break; ####################################### ## We have verified everything. We ## -## can create the link from the ## +## can create the link from the ## ## Issuance Policy to the group. ## ####################################### @@ -971,10 +983,10 @@ write-host $tmp -Foreground Green $tmp = $ErrorMsg.LinkError write-host $tmp -Foreground Red } -} else { +} else { $tmp = $Errormsg.ExitNoLinkReplacement write-host $tmp -break +break } } else { @@ -1017,8 +1029,3 @@ If you're having trouble running this script, try replacing the single quote aft     - - - - - diff --git a/windows/whats-new/applocker.md b/windows/whats-new/applocker.md index 5f46e6349b..1921961c20 100644 --- a/windows/whats-new/applocker.md +++ b/windows/whats-new/applocker.md @@ -5,7 +5,7 @@ ms.assetid: 6F836FF6-7794-4E7B-89AA-1EABA1BF183F ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: TrudyHa +author: brianlic-msft --- # What's new in AppLocker? diff --git a/windows/whats-new/bitlocker.md b/windows/whats-new/bitlocker.md index 9e9c10c5ac..2d2adc6cff 100644 --- a/windows/whats-new/bitlocker.md +++ b/windows/whats-new/bitlocker.md @@ -5,7 +5,7 @@ ms.assetid: 3F2DE365-68A1-4CDB-AB5F-C65574684C7B ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: TrudyHa +author: brianlic-msft --- # What's new in BitLocker? diff --git a/windows/whats-new/credential-guard.md b/windows/whats-new/credential-guard.md index 84c8c04062..27c035b5ad 100644 --- a/windows/whats-new/credential-guard.md +++ b/windows/whats-new/credential-guard.md @@ -5,7 +5,7 @@ ms.assetid: 59C206F7-2832-4555-97B4-3070D93CC3C5 ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: TrudyHa +author: brianlic-msft --- # What's new in Credential Guard? diff --git a/windows/whats-new/device-guard-overview.md b/windows/whats-new/device-guard-overview.md index a6cb5dae84..e9bb342203 100644 --- a/windows/whats-new/device-guard-overview.md +++ b/windows/whats-new/device-guard-overview.md @@ -6,7 +6,7 @@ keywords: ["Device Guard"] ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: TrudyHa +author: brianlic-msft --- # Device Guard overview diff --git a/windows/whats-new/security-auditing.md b/windows/whats-new/security-auditing.md index 6aa814dc2c..9d88b459f9 100644 --- a/windows/whats-new/security-auditing.md +++ b/windows/whats-new/security-auditing.md @@ -5,7 +5,7 @@ ms.assetid: CB35A02E-5C66-449D-8C90-7B73C636F67B ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: TrudyHa +author: brianlic-msft --- # What's new in security auditing? diff --git a/windows/whats-new/trusted-platform-module.md b/windows/whats-new/trusted-platform-module.md index f0ce348b69..e1ba634071 100644 --- a/windows/whats-new/trusted-platform-module.md +++ b/windows/whats-new/trusted-platform-module.md @@ -5,7 +5,7 @@ ms.assetid: CE8BBC2A-EE2D-4DFA-958E-2A178F2E6C44 ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: TrudyHa +author: brianlic-msft --- # What's new in Trusted Platform Module? diff --git a/windows/whats-new/user-account-control.md b/windows/whats-new/user-account-control.md index bd50bdd00a..464a0a7af3 100644 --- a/windows/whats-new/user-account-control.md +++ b/windows/whats-new/user-account-control.md @@ -5,7 +5,7 @@ ms.assetid: 9281870C-0819-4694-B4F1-260255BB8D07 ms.prod: W10 ms.mktglfcycl: explore ms.sitesec: library -author: TrudyHa +author: brianlic-msft --- # What's new in User Account Control?