diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index cadcf9664a..4088d331ab 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -342,8 +342,8 @@ Getting the right device identifier to prevent it from being installed:
> ClassGuid = {4d36e979-e325-11ce-bfc1-08002be10318}\
> This class includes printers.
-> [!NOTE]
-> As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
+ > [!NOTE]
+ > As mentioned before, preventing an entire Class could block you from using your system completely. Please make sure you understand which devices are going to be blocked when specifying a Class. For our scenario, there are other classes that relate to printers but before you apply them, make sure they are not blocking any other existing device that is crucial to your system.
Creating the policy to prevent all printers from being installed:
@@ -376,9 +376,9 @@ Creating the policy to prevent all printers from being installed:
1. If you have not completed step #9 – follow these steps:
- - Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
- - For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
- - You should not be able to reinstall the printer.
+ 1. Uninstall your printer: Device Manager > Printers > right click the Canon Printer > click “Uninstall device”.
+ 1. For USB printer – unplug and plug back the cable; for network device – make a search for the printer in the Windows Settings app.
+ 1. You should not be able to reinstall the printer.
2. If you completed step #9 above and restarted the machine, simply look for your printer under Device Manager or the Windows Settings app and see that it is no-longer available for you to use.
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 8b2e2bc3e9..25245fa812 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -68,7 +68,7 @@ First, you create a default user profile with the customizations that you want,
1. At a command prompt, type the following command and press **ENTER**.
- ```dos
+ ```console
sysprep /oobe /reboot /generalize /unattend:unattend.xml
```
@@ -100,11 +100,11 @@ First, you create a default user profile with the customizations that you want,
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- 
+ 
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
1. Click **OK** to copy the default user profile.
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md
index 97ae6b939f..c9219f4340 100644
--- a/windows/client-management/mdm/euiccs-csp.md
+++ b/windows/client-management/mdm/euiccs-csp.md
@@ -62,6 +62,36 @@ Required. Indicates whether this eUICC is physically present and active. Updated
Supported operation is Get. Value type is boolean.
+**_eUICC_/PPR1Allowed**
+Profile Policy Rule 1 (PPR1) is required. Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed.
+
+Supported operation is Get. Value type is boolean.
+
+**_eUICC_/PPR1AlreadySet**
+Required. Indicates whether the eUICC already has a profile with PPR1.
+
+Supported operation is Get. Value type is boolean.
+
+**_eUICC_/DownloadServers**
+Interior node. Represents default SM-DP+ discovery requests.
+
+Supported operation is Get.
+
+**_eUICC_/DownloadServers/_ServerName_**
+Interior node. Optional. Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.
+
+Supported operations are Add, Get, and Delete.
+
+**_eUICC_/DownloadServers/_ServerName_/DiscoveryState**
+Required. Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
+
+Supported operation is Get. Value type is integer. Default value is 1.
+
+**_eUICC_/DownloadServers/_ServerName_/AutoEnable**
+Required. Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created.
+
+Supported operations are Add, Get, and Replace. Value type is bool.
+
**_eUICC_/Profiles**
Interior node. Required. Represents all enterprise-owned profiles.
diff --git a/windows/client-management/mdm/euiccs-ddf-file.md b/windows/client-management/mdm/euiccs-ddf-file.md
index 38bb8e5f6f..f7d0851746 100644
--- a/windows/client-management/mdm/euiccs-ddf-file.md
+++ b/windows/client-management/mdm/euiccs-ddf-file.md
@@ -49,7 +49,7 @@ The XML below if for Windows 10, version 1803.
- com.microsoft/1.1/MDM/eUICCs
+ com.microsoft/1.2/MDM/eUICCs
@@ -58,7 +58,7 @@ The XML below if for Windows 10, version 1803.
- Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is meaningful only to the LPA (which associates it with an eUICC ID (EID) in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID). The node name "Default" represents the currently active eUICC.
+ Represents information associated with an eUICC. There is one subtree for each known eUICC, created by the Local Profile Assistant (LPA) when the eUICC is first seen. The node name is the eUICC ID (EID). The node name "Default" represents the currently active eUICC.
@@ -79,7 +79,7 @@ The XML below if for Windows 10, version 1803.
- Identifies an eUICC in an implementation-specific manner, e.g., this could be a SHA-256 hash of the EID.
+ The EID.
@@ -118,6 +118,139 @@ The XML below if for Windows 10, version 1803.
+
+ PPR1Allowed
+
+
+
+
+ Indicates whether the download of a profile with PPR1 is allowed. If the eUICC already has a profile (regardless of its origin and policy rules associated with it), the download of a profile with PPR1 is not allowed.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PPR1AlreadySet
+
+
+
+
+ Indicates whether the eUICC already has a profile with PPR1.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ DownloadServers
+
+
+
+
+ Represents default SM-DP+ discovery requests.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ Node specifying the server name for a discovery operation. The node name is the fully qualified domain name of the SM-DP+ server that will be used for profile discovery. Creation of this subtree triggers a discovery request.
+
+
+
+
+
+
+
+
+
+ ServerName
+
+
+
+
+
+ DiscoveryState
+
+
+
+
+ 1
+ Current state of the discovery operation for the parent ServerName (Requested = 1, Executing = 2, Completed = 3, Failed = 4). Queried by the CSP and only updated by the LPA.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ AutoEnable
+
+
+
+
+
+
+ Indicates whether the discovered profile must be enabled automatically after install. This must be set by the MDM when the ServerName subtree is created.
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+
Profiles
@@ -145,6 +278,7 @@ The XML below if for Windows 10, version 1803.
+
Node representing an enterprise-owned eUICC profile. The node name is the ICCID of the profile (which is a unique identifier). Creation of this subtree triggers an AddProfile request by the LPA (which installs the profile on the eUICC). Removal of this subtree triggers the LPA to delete the profile (if resident on the eUICC).
@@ -167,6 +301,7 @@ The XML below if for Windows 10, version 1803.
+
Fully qualified domain name of the SM-DP+ that can download this profile. Must be set by the MDM when the ICCID subtree is created.
@@ -192,6 +327,7 @@ The XML below if for Windows 10, version 1803.
+
Matching ID (activation code token) for profile download. Must be set by the MDM when the ICCID subtree is created.
@@ -256,6 +392,70 @@ The XML below if for Windows 10, version 1803.
+
+ PPR1Set
+
+
+
+
+ This profile policy rule indicates whether disabling of this profile is not allowed (true if not allowed, false otherwise).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ PPR2Set
+
+
+
+
+ This profile policy rule indicates whether deletion of this profile is not allowed (true if not allowed, false otherwise).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
+
+ ErrorDetail
+
+
+
+
+ 0
+ Detailed error if the profile download and install procedure failed (None = 0, CardGeneralFailure = 1, ConfirmationCodeMissing = 3, ForbiddenByPolicy = 5, InvalidMatchingId = 6, NoEligibleProfileForThisDevice = 7, NotEnoughSpaceOnCard = 8, ProfileEidMismatch = 10, ProfileNotAvailableForNewBinding = 11, ProfileNotReleasedByOperator = 12, RemoteServerGeneralFailure = 13, RemoteServerUnreachable = 14).
+
+
+
+
+
+
+
+
+
+
+ text/plain
+
+
+
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index d3a3ceb2db..1267dad41f 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -39,7 +39,7 @@ You can view the dynamic port range on a computer by using the following netsh c
The range is set separately for each transport (TCP or UDP). The port range is now a range that has a starting point and an ending point. Microsoft customers who deploy servers that are running Windows Server may have problems that affect RPC communication between servers if firewalls are used on the internal network. In these situations, we recommend that you reconfigure the firewalls to allow traffic between servers in the dynamic port range of **49152** through **65535**. This range is in addition to well-known ports that are used by services and applications. Or, the port range that is used by the servers can be modified on each server. You adjust this range by using the netsh command, as follows. The above command sets the dynamic port range for TCP.
-```cmd
+```console
netsh int set dynamic start=number num=range
```
@@ -58,7 +58,7 @@ Since outbound connections start to fail, you will see a lot of the below behavi
- Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
- 
+ :::image type="content" alt-text="Screenshot of error for NETLOGON in Event Viewer." source="images/tcp-ts-14.png" lightbox="images/tcp-ts-14.png":::
- Group Policy update failures:
@@ -82,32 +82,32 @@ If you suspect that the machine is in a state of port exhaustion:
2. Open event viewer and under the system logs, look for the events which clearly indicate the current state:
- a. **Event ID 4227**
+ 1. **Event ID 4227**
- 
+ :::image type="content" alt-text="Screenshot of event ID 4227 in Event Viewer." source="images/tcp-ts-18.png" lightbox="images/tcp-ts-18.png":::
- b. **Event ID 4231**
+ 1. **Event ID 4231**
- 
+ :::image type="content" alt-text="Screenshot of event ID 4231 in Event Viewer." source="images/tcp-ts-19.png" lightbox="images/tcp-ts-19.png":::
3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
-After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
-
-You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
-
->[!Note]
->Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
->
->Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
->
->Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
+ After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
+
+ You may also see CLOSE_WAIT state connections in the same output, however CLOSE_WAIT state is a state when one side of the TCP peer has no more data to send (FIN sent) but is able to receive data from the other end. This state does not necessarily indicate port exhaustion.
+
+ >[!Note]
+ >Having huge connections in TIME_WAIT state does not always indicate that the server is currently out of ports unless the first two points are verified. Having lot of TIME_WAIT connections does indicate that the process is creating lot of TCP connections and may eventually lead to port exhaustion.
+ >
+ >Netstat has been updated in Windows 10 with the addition of the **-Q** switch to show ports that have transitioned out of time wait as in the BOUND state. An update for Windows 8.1 and Windows Server 2012 R2 has been released that contains this functionality. The PowerShell cmdlet `Get-NetTCPConnection` in Windows 10 also shows these BOUND ports.
+ >
+ >Until 10/2016, netstat was inaccurate. Fixes for netstat, back-ported to 2012 R2, allowed Netstat.exe and Get-NetTcpConnection to correctly report TCP or UDP port usage in Windows Server 2012 R2. See [Windows Server 2012 R2: Ephemeral ports hotfixes](https://support.microsoft.com/help/3123245/update-improves-port-exhaustion-identification-in-windows-server-2012) to learn more.
4. Open a command prompt in admin mode and run the below command
- ```cmd
+ ```console
Netsh trace start scenario=netconnection capture=yes tracefile=c:\Server.etl
```
@@ -119,15 +119,15 @@ The key is to identify which process or application is using all the ports. Belo
### Method 1
-Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below Powershell command to identify the process:
+Start by looking at the netstat output. If you are using Windows 10 or Windows Server 2016, then you can run the command `netstat -anobq` and check for the process ID which has maximum entries as BOUND. Alternately, you can also run the below PowerShell command to identify the process:
-```Powershell
+```powershell
Get-NetTCPConnection | Group-Object -Property State, OwningProcess | Select -Property Count, Name, @{Name="ProcessName";Expression={(Get-Process -PID ($_.Name.Split(',')[-1].Trim(' '))).Name}}, Group | Sort Count -Descending
```
Most port leaks are caused by user-mode processes not correctly closing the ports when an error was encountered. At the user-mode level ports (actually sockets) are handles. Both **TaskManager** and **ProcessExplorer** are able to display handle counts which allows you to identify which process is consuming all of the ports.
-For Windows 7 and Windows Server 2008 R2, you can update your Powershell version to include the above cmdlet.
+For Windows 7 and Windows Server 2008 R2, you can update your PowerShell version to include the above cmdlet.
### Method 2
@@ -157,7 +157,7 @@ Steps to use Process explorer:
File \Device\AFD
- 
+ :::image type="content" alt-text="Screenshot of Process Explorer." source="images/tcp-ts-22.png" lightbox="images/tcp-ts-22.png":::
10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
@@ -165,7 +165,7 @@ Finally, if the above methods did not help you isolate the process, we suggest y
As a workaround, rebooting the computer will get the it back in normal state and would help you resolve the issue for the time being. However, when a reboot is impractical, you can also consider increasing the number of ports on the machine using the below commands:
-```cmd
+```console
netsh int ipv4 set dynamicport tcp start=10000 num=1000
```
@@ -176,7 +176,7 @@ This will set the dynamic port range to start at port 10000 and to end at port 1
For Windows 7 and Windows Server 2008 R2, you can use the below script to collect the netstat output at defined frequency. From the outputs, you can see the port usage trend.
-```
+```console
@ECHO ON
set v=%1
:loop
diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.yml b/windows/security/identity-protection/hello-for-business/hello-faq.yml
index a11d68959d..34170a5423 100644
--- a/windows/security/identity-protection/hello-for-business/hello-faq.yml
+++ b/windows/security/identity-protection/hello-for-business/hello-faq.yml
@@ -14,7 +14,7 @@ metadata:
ms.collection: M365-identity-device-management
ms.topic: article
localizationpriority: medium
- ms.date: 01/14/2021
+ ms.date: 10/15/2021
ms.reviewer:
title: Windows Hello for Business Frequently Asked Questions (FAQ)
@@ -212,7 +212,7 @@ sections:
- question: Does Windows Hello for Business work with third-party federation servers?
answer: |
- Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).
+ Windows Hello for Business works with any third-party federation servers that support the protocols used during the provisioning experience.
| Protocol | Description |
| :---: | :--- |
@@ -224,4 +224,4 @@ sections:
- question: Does Windows Hello for Business work with Mac and Linux clients?
answer: |
Windows Hello for Business is a feature of the Windows platform. At this time, Microsoft is not developing clients for other platforms.
-
\ No newline at end of file
+
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index ea4b252a30..a7cdb8f8e9 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -54,8 +54,11 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
### Enable HVCI using Group Policy
1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
+
2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
+
3. Double-click **Turn on Virtualization Based Security**.
+
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
@@ -71,14 +74,17 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
> [!IMPORTANT]
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.
+>
+> In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.
+>
> - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
#### For Windows 10 version 1607 and later
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
-``` commands
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
@@ -94,49 +100,49 @@ If you want to customize the preceding recommended settings, use the following s
**To enable VBS**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
```
**To enable VBS and require Secure boot only (value 1)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
**To enable VBS with Secure Boot and DMA (value 3)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable VBS without UEFI lock (value 0)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f
```
**To enable VBS with UEFI lock (value 1)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 1 /f
```
**To enable virtualization-based protection of Code Integrity policies**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f
```
**To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f
```
**To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f
```
@@ -144,7 +150,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE
Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
@@ -158,31 +164,31 @@ If you want to customize the preceding recommended settings, use the following s
**To enable VBS (it is always locked to UEFI)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f
```
**To enable VBS and require Secure boot only (value 1)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f
```
**To enable VBS with Secure Boot and DMA (value 3)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f
```
**To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f
```
**To enable virtualization-based protection of Code Integrity policies without UEFI lock**
-``` command
+```console
reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG_DWORD /d 1 /f
```
@@ -190,7 +196,9 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG
Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command:
-`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard`
+```powershell
+Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard
+```
> [!NOTE]
> The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10.
@@ -279,7 +287,7 @@ This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
-
+:::image type="content" alt-text="Windows Defender Device Guard properties in the System Summary." source="../images/dg-fig11-dgproperties.png" lightbox="../images/dg-fig11-dgproperties.png":::
## Troubleshooting
@@ -291,12 +299,15 @@ C. If you experience a critical error during boot or your system is unstable aft
## How to turn off HVCI
-1. Run the following command from an elevated prompt to set the HVCI registry key to off
-```ini
-reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
-```
-2. Restart the device.
-3. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
+1. Run the following command from an elevated prompt to set the HVCI registry key to off:
+
+ ```console
+ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 0 /f
+ ```
+
+1. Restart the device.
+
+1. To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
## HVCI deployment in virtual machines
@@ -311,6 +322,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true
### Requirements for running HVCI in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
-- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time
+- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the HyperV role on the virtual machine, you must first install the HyperV role in a Windows nested virtualization environment.
- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.