From 828d5a348b08dc5bed5fe7787308e3bc68014242 Mon Sep 17 00:00:00 2001 From: Bill McIlhargey Date: Mon, 17 Jul 2017 18:28:55 -0400 Subject: [PATCH 1/2] Update tpm-recommendations.md Modified Device Guard line to match https://docs.microsoft.com/en-us/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard --- windows/device-security/tpm/tpm-recommendations.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index d0283a1020..a328d7e773 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md 
@@ -105,10 +105,10 @@ The following table defines which Windows features require TPM support. | Passport: Domain AADJ Join | Required | Required | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support. | | Passport: MSA or Local Account | Required | Required | TPM 2.0 is required with HMAC and EK certificate for key attestation support. | | Device Encryption | Not Applicable | Required | TPM 2.0 is required for all InstantGo devices. | -| Device Guard / Configurable Code Integrity | See next column | Recommended | | +| Device Guard / Configurable Code Integrity | Not Applicable | Required | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. | | Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. | | Device Health Attestation | Required | Required | | -| Windows Hello | Not Required | Recommended | | +| Windows Hello | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) | | UEFI Secure Boot | Not Required | Recommended | | | Platform Key Storage provider | Required | Required | | | Virtual Smart Card | Required | Required | | From 9f8a106fe2fbec2d849f8842f216cf8dcc892054 Mon Sep 17 00:00:00 2001 
From: Bill McIlhargey Date: Mon, 17 Jul 2017 18:33:15 -0400 Subject: [PATCH 2/2] Update tpm-recommendations.md added windows hello for business to clearly state both items --- windows/device-security/tpm/tpm-recommendations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/tpm/tpm-recommendations.md b/windows/device-security/tpm/tpm-recommendations.md index a328d7e773..69f5838087 100644 --- a/windows/device-security/tpm/tpm-recommendations.md +++ b/windows/device-security/tpm/tpm-recommendations.md 
@@ -108,7 +108,7 @@ The following table defines which Windows features require TPM support. | Device Guard / Configurable Code Integrity | Not Applicable | Required | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. | | Credential Guard | Required | Required | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM. | | Device Health Attestation | Required | Required | | -| Windows Hello | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) | +| Windows Hello / Windows Hello for Business | Not Required | Recommended | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected) | | UEFI Secure Boot | Not Required | Recommended | | | Platform Key Storage provider | Required | Required | | | Virtual Smart Card | Required | Required | |
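Review bot: In PATCH 1/2, the Device Guard / Configurable Code Integrity row moves from "Recommended" to "Required", but the comment added to justify it ("Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.") describes what ships on new computers, not what Device Guard itself depends on. From this row alone, a reader with existing hardware cannot tell whether Device Guard stops working without TPM 2.0 or whether this is only a hardware baseline. Suggest stating the feature's own dependency in the comment cell and linking the Device Guard requirements page named in the commit message, the same way the Windows Hello row in this hunk links "How keys are protected". Two smaller points: "Trusted Platform Module (TPM 2.0)" can be shortened to "TPM 2.0" to match the neighbouring rows, and the commit message mentions only the Device Guard line although the hunk also rewrites the Windows Hello comment.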
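Review bot: In PATCH 2/2, the renamed row "Windows Hello / Windows Hello for Business" applies "Not Required | Recommended" to both products, but the commit message gives no source for that status, unlike 1/2, which cites the page it was aligned with. Please confirm that the same TPM status holds for Windows Hello for Business, and check the row against the two "Passport:" rows visible in the context of the first hunk, which mark TPM as Required and mention key attestation, so the table does not read as contradicting itself. Also, this commit only rewrites a line that 1/2 introduced, and both commits carry the subject "Update tpm-recommendations.md"; squashing them into one commit with a descriptive subject would make the history easier to follow.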