From 4b305aed198892b27a12d2bba52a5e678980d150 Mon Sep 17 00:00:00 2001 From: Andrea Allievi Date: Tue, 17 Sep 2024 08:58:12 -0700 Subject: [PATCH 1/4] Add a brief explanation of the VBS Mandatory mode Update the public documentation to include VBS Mandatory mode --- ...rtualization-based-protection-of-code-integrity.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index a5cd24d3c96..a475864ad78 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md @@ -61,7 +61,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup ### Use registry keys to enable memory integrity -Set the following registry keys to enable memory integrity. These keys provide exactly the same set of configuration options provided by Group Policy. +Set the following registry keys to enable memory integrity. These keys provide similar set of configuration options provided by Group Policy > [!IMPORTANT] > @@ -95,7 +95,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualiza reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f ``` -**To enable VBS with Secure Boot and DMA (value 3)** +**To enable VBS with Secure Boot and DMA protection (value 3)** ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 3 /f 
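Review bot: in the `@@ -61` hunk the rewritten sentence drops the article and the trailing period, and it weakens "exactly the same set of configuration options" to "similar set" without saying what now differs; suggest `Set the following registry keys to enable memory integrity. These keys provide a similar set of configuration options to those provided by Group Policy.` and, since the wording change implies the two mechanisms no longer map one to one, a short sentence naming the option that is only reachable through the registry (the `Mandatory` value this same patch introduces) so a reader knows why "similar" replaced "exactly the same". The `@@ -95` change to "DMA protection" is fine.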
@@ -131,6 +131,13 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 1 /f ``` +**To enable VBS (and memory integrity) in mandatory mode** + +```console +reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f +``` +The "mandatory" setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. Special careful should be used before enabling this mode, since, as explained, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD). + **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** ```console reg delete HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity /v "WasEnabledBy" /f From 3ff03435844d867cb61088bd1dbd97b0458c6580 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 17 Sep 2024 11:23:33 -0600 Subject: [PATCH 2/4] Update windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md --- ...ble-virtualization-based-protection-of-code-integrity.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index a475864ad78..b9a587d0b82 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md 
@@ -136,7 +136,11 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE ```console reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f ``` -The "mandatory" setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. Special careful should be used before enabling this mode, since, as explained, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD). + +The **Mandatory** setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. + +> [!IMPORTANT] +> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD). **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** ```console From 5731ebc30f48c9d479d229676941511abb1a20ff Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 19 Sep 2024 13:44:40 -0600 Subject: [PATCH 3/4] Update enable-virtualization-based-protection-of-code-integrity.md --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index b9a587d0b82..d8f4c55cfc6 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md 
@@ -140,7 +140,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t RE The **Mandatory** setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. > [!IMPORTANT] -> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot and will display a Blue Screen of Dead (BSOD). +> Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot. **To gray out the memory integrity UI and display the message "This setting is managed by your administrator"** ```console From 60c822f01b3accf63afe730e23c71ec9624f2e5b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 19 Sep 2024 14:23:44 -0600 Subject: [PATCH 4/4] Update enable-virtualization-based-protection-of-code-integrity.md --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md index d8f4c55cfc6..b686fb205c3 100644 --- a/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity.md 
@@ -137,7 +137,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorE reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Mandatory" /t REG_DWORD /d 1 /f ``` -The **Mandatory** setting prevents the OS loader to continue to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. +The **Mandatory** setting prevents the OS loader from continuing to boot in case the Hypervisor, Secure Kernel or one of their dependent modules fails to load. > [!IMPORTANT] > Special care should be used before enabling this mode, since, in case of any failure of the virtualization modules, the system will refuse to boot.
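Review bot: the heading "To enable VBS (and memory integrity) in mandatory mode" that survives through the `@@ -131`, `@@ -136`, `@@ -140` and `@@ -137` hunks overstates what the value does. By the paragraph's own description, `Mandatory` only makes a failure of the Hypervisor, Secure Kernel or a dependent module fatal at boot; it does not turn VBS or memory integrity on, so `EnableVirtualizationBasedSecurity` and the `HypervisorEnforcedCodeIntegrity` scenario key from the preceding sections still have to be set. Suggest a heading such as "To make VBS (and memory integrity) mandatory at boot" and a sentence stating that this value is set in addition to the enable keys above, not instead of them. The `[!IMPORTANT]` callout in the final hunk warns that the system will refuse to boot but gives no recovery path; a line telling the reader to confirm VBS already boots cleanly on the target before setting the value, and how to back it out if it does not (e.g. remove or zero `Mandatory` in the offline SYSTEM hive from recovery media), would keep the section from reading as a one-way switch. Minor wording in the same callout: "Special care should be used" reads better as "Special care should be taken", and "in case of any failure of the virtualization modules" as "if any of the virtualization modules fails to load".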