Some more changes

windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md

@@ -53,7 +53,7 @@ Use the **Virtualization Based Technology** > **Hypervisor Enforced Code Integri
 1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
 1. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.
 1. Double-click **Turn on Virtualization Based Security**.
-1. Select **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
+1. Select **Enabled**. Under **Virtualization Based Protection of Code Integrity**, select **Enabled without UEFI lock**. Only select **Enabled with UEFI lock** if you want to prevent memory integrity from being disabled remotely or by policy update. Once enabled with UEFI lock, you must have access to the UEFI BIOS menu to turn off Secure Boot if you want to turn off memory integrity.
 
    ![Enable memory integrity using Group Policy.](images/enable-hvci-gp.png)
 
@@ -146,7 +146,7 @@ If you want to customize the preceding recommended settings, use the following r
     > [!IMPORTANT]
     > Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
 
-- To gray out the memory integrity UI and display the message "This setting is managed by your administrator":
+- To gray out the memory integrity UI and display the message `This setting is managed by your administrator`:
 
     ```cmd
     reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f
@@ -188,9 +188,11 @@ Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\D
 
 The output of this command provides details of the available hardware-based security features and those features that are currently enabled.
 
-##### AvailableSecurityProperties
+- **InstanceIdentifier**: A string that is unique to a particular device and set by WMI.
 
-This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
+- **Version**: This field lists the version of this WMI class. The only valid value now is **1.0**.
+
+- **AvailableSecurityProperties**: This field helps to enumerate and report state on the relevant security properties for VBS and memory integrity.
 
     | Value | Description                                             |
     |-------|---------------------------------------------------------|
@@ -204,13 +206,15 @@ This field helps to enumerate and report state on the relevant security properti
     | **7** | If present, MBEC/GMET is available.                     |
     | **8** | If present, APIC virtualization is available.           |
 
-##### InstanceIdentifier
+- **CodeIntegrityPolicyEnforcementStatus**: This field indicates the code integrity policy enforcement status.
 
-A string that is unique to a particular device and set by WMI.
+    | Value | Description |
+    |-------|-------------|
+    | **0** | Off         |
+    | **1** | Audit.      |
+    | **2** | Enforced.   |
 
-##### RequiredSecurityProperties
-
-This field describes the required security properties to enable VBS.
+- **RequiredSecurityProperties**: This field describes the required security properties to enable VBS.
 
     | Value | Description                                    |
     |-------|------------------------------------------------|
@@ -223,9 +227,7 @@ This field describes the required security properties to enable VBS.
     | **6** | If present, SMM mitigations are needed.        |
     | **7** | If present, MBEC/GMET is needed.               |
 
-##### SecurityServicesConfigured
-
-This field indicates whether Credential Guard or memory integrity is configured.
+- **SecurityServicesConfigured**: This field indicates whether Credential Guard or memory integrity is configured.
 
     | Value | Description                                           |
     |-------|-------------------------------------------------------|
@@ -234,10 +236,11 @@ This field indicates whether Credential Guard or memory integrity is configured.
     | **2** | If present, memory integrity is configured.           |
     | **3** | If present, System Guard Secure Launch is configured. |
     | **4** | If present, SMM Firmware Measurement is configured.   |
+    | **5** | If present, Kernel-mode Hardware-enforced Stack Protection is configured. |
+    | **6** | If present, Kernel-mode Hardware-enforced Stack Protection is configured in Audit mode. |
+    | **7** | If present, Hypervisor-Enforced Paging Translation is configured. |
 
-##### SecurityServicesRunning
-
-This field indicates whether Credential Guard or memory integrity is running.
+- **SecurityServicesRunning**: This field indicates whether Credential Guard or memory integrity is running.
 
     | Value | Description                                        |
     |-------|----------------------------------------------------|
@@ -246,14 +249,21 @@ This field indicates whether Credential Guard or memory integrity is running.
     | **2** | If present, memory integrity is running.           |
     | **3** | If present, System Guard Secure Launch is running. |
     | **4** | If present, SMM Firmware Measurement is running.   |
+    | **5** | If present, Kernel-mode Hardware-enforced Stack Protection is running. |
+    | **6** | If present, Kernel-mode Hardware-enforced Stack Protection is running in Audit mode. |
+    | **7** | If present, Hypervisor-Enforced Paging Translation is running. |
 
-##### Version
+- **SmmIsolationLevel**: This field indicates the SMM isolation level.
 
-This field lists the version of this WMI class. The only valid value now is **1.0**.
+- **UsermodeCodeIntegrityPolicyEnforcementStatus**: This field indicates the user mode code integrity policy enforcement status.
 
-##### VirtualizationBasedSecurityStatus
+    | Value | Description |
+    |-------|-------------|
+    | **0** | Off         |
+    | **1** | Audit.      |
+    | **2** | Enforced.   |
 
-This field indicates whether VBS is enabled and running.
+- **VirtualizationBasedSecurityStatus**: This field indicates whether VBS is enabled and running.
 
     | Value | Description                     |
     |-------|---------------------------------|
@@ -261,9 +271,15 @@ This field indicates whether VBS is enabled and running.
     | **1** | VBS is enabled but not running. |
     | **2** | VBS is enabled and running.     |
 
-##### PSComputerName
+- **VirtualMachineIsolation**: This field indicates whether virtual machine isolation is enabled.
 
-This field lists the computer name. All valid values for computer name.
+- **VirtualMachineIsolationProperties**: This field indicates the set of virtual machine isolation properties that are available.
+
+    | Value | Description                   |
+    |-------|-------------------------------|
+    | **1** | AMD SEV-SNP                   |
+    | **2** | Virtualization-based Security |
+    | **3** | Intel TDX                     |
 
 #### Use msinfo32.exe