Commit a99eafb

Merge pull request #274229 from mehasharma/faq-updates
Faq updates
2 parents a012b7b + 2abf441 commit a99eafb

6 files changed

+33
-15
lines changed


articles/trusted-signing/faq.yml

Lines changed: 16 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -35,10 +35,14 @@ sections:
3535
Register the Microsoft.CodeSigning app in the subscription resource provider page using the below screenshot as a guide: :::image type="content" source="media/trusted-signing-resource-provider.png" alt-text="Screenshot of registering Microsoft.CodeSigning resource provider." lightbox="media/trusted-signing-resource-provider.png":::
3636
- question: What if I fail identity validation?
3737
answer: |
38-
If more documentation is required for identity validation, you're asked to provide those documents on the Azure portal. Otherwise, we recommend checking for an email sent to the listed address for email validation. However, if your organization fails identity validation we can't onboard you to Trusted Signing. We recommend you delete your Trusted Signing account so you don't get billed for unused resources.
38+
To identify why the Identity Validation failed:
39+
- We recommend you check if you failed to verify the link within seven days of receiving the link. This link is sent to the primary email address provided at the time of Identity Validation request creation.
40+
OR
41+
- If the validation team is unable to make a determination based on the information provided (even after extra documentation is provided), we can't onboard you to Trusted Signing.
42+
We recommend you delete your Trusted Signing account so you don't get billed for unused resources.
3943
- question: What is the cost of using Trusted Signing?
4044
answer: |
41-
For Public Preview Trusted Signing is free for now. You'll still be prompted to select a Basic or Premium SKU when you create your account.
45+
For Public Preview Trusted Signing is free for now. You are prompted to select a Basic or Premium SKU when you create your account.
4246
- question: What are my support options when onboarding to Trusted Signing?
4347
answer: |
4448
You can create a support ticket with the service on the Azure portal and be assisted by Azure customer support. Otherwise, we recommend you go to Microsoft Q&A or StackOverflow under the tag Trusted-Signing to ask questions.
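Review bot: the bare `OR` line between the two bullets in the rewritten "What if I fail identity validation?" answer breaks the list; in the rendered block it appears as a stray paragraph separating two one-item lists. Fold the alternative into the bullets themselves (for example, end the first bullet with "... at the time of Identity Validation request creation; or" and drop the standalone line). The seven-day window is also stated in the quickstart table changed in this PR as "7 days"; pick one form so both descriptions of the same rule read alike.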
@@ -49,23 +53,24 @@ sections:
4953
Follow the persistent identity guidance in the [MSIX Persistent Identity](https://learn.microsoft.com/windows/msix/package/persistent-identity) article.
5054
- question: Does deleting the certificate profile revoke the certificates?
5155
answer: |
52-
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile will remain valid - they won't be revoked.
56+
No. If you delete a certificate profile, any certificates that were previously issued or used under that profile remain valid - they aren't revoked.
5357
- question: Does Trusted Signing allow me to use a custom CN?
5458
answer: |
55-
Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (e.g. Microsoft Corporation) so there isn't much flexibility in CN values. However, a `O` value allows for verified legal names, trade names, and DBAs (doing business as). For individuals, there are already requirements for verification of individuals in the baseline requirements that we meet.
59+
- For CN: Per the CA/B Forum baseline requirements for publicly trusted code signing certs, CN values must be the legal entity's validated name (for example, Microsoft Corporation) so there is no flexibility in CN values.
60+
- For O: At, this time Trusted Signing does not support customization.
5661
- question: What do I do if the new identity validation button on the Azure portal is greyed out?
5762
answer: |
58-
This means you do not have the Identity Verifier role assigned to your account. Follow the [Assigning roles in Trusted Signing](https://learn.microsoft.com/azure/trusted-signing/tutorial-assign-roles) documentation to assign yourself the appropriate role.
63+
This means you don't have the Trusted Signing Identity Verifier role assigned to your account. Follow the [Assigning roles in Trusted Signing](https://learn.microsoft.com/azure/trusted-signing/tutorial-assign-roles) documentation and assign yourself the appropriate role.
5964
- name: Signing
6065
questions:
6166
- question: What is Trusted Signing’s HSM compliance level?
6267
answer: |
6368
FIPS 140-2 level 3 (mHSMs)
6469
- question: How to include the appropriate EKU for our certificates into the ELAM driver resources?
6570
answer: |
66-
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity will begin with the prefix *1.3.6.1.4.1.311.97.*."
71+
- For information regarding ELAM driver config for Protected Anti-Malware Services, refer to the following guidance: "Beginning in 2022, all user mode anti-malware service binaries must be signed by Microsoft's Trusted Signing signing service. The Trusted Signing issued Authenticode certificate for signing anti-malware binaries is updated every 30 days for security. To prevent the need to update the ELAM driver every time the certificate is updated, we recommend that anti-malware vendors include the Trusted Signing PCA certificate TBS hash in the CertHash portion of the ELAM driver resource file info. Additionally, the anti-malware vendor must include their unique Trusted Signing EKU identity in the EKU field of the resource file info. The EKU identity begins with the prefix *1.3.6.1.4.1.311.97.*."
6772
- See the [PKI Repository](https://www.microsoft.com/pkiops/docs/repository.htm) page for the Microsoft ID Verified Code Signing PCA 2021 cert.
68-
- question: What happens if we run binaries signed with Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
73+
- question: What happens if we execute binaries signed with Trusted Signing on a machine that doesn't have the Trusted Signing update (especially binaries that are INTEGRITYCHECK-ed)?
6974
answer: |
7075
- If an INTEGRITYCHECK flag is set, the user's signature isn't validated at runtime and isn't run with INTEGRITYCHECK.
7176
- To check if Trusted Signing update is installed or not, we recommend that you check against one of your packaged /IntegrityCheck-linked DLLs. A dummy one works, too. That way you can complete your check independently of the platform and the availability of our IntegrityCheck-linked binaries.
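Review bot: the new "For O:" bullet has a misplaced comma ("At, this time Trusted Signing does not support customization."); it should read "At this time, Trusted Signing doesn't support customization." to match the contraction style applied in the rest of this PR. With the original lead sentence removed, the "custom CN" answer now never answers the question directly; consider opening with a one-line "No." before the two bullets, as the certificate-profile answer above does. Also confirm that the renamed role, "Trusted Signing Identity Verifier", matches the role name used in the linked tutorial-assign-roles article.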
@@ -74,7 +79,7 @@ sections:
7479
We're not extending any cross-signed certificates. , you must sign with the Trusted Signing service.
7580
- question: How is Trusted Signing different than the signing customers do with Partner Center?
7681
answer: |
77-
Signing with the Partner Center is Kernel mode signing (no change here with the introduction of Trusted Signing). You'll need to sign your user mode binaries with Trusted Signing. For your apps that interact with the Windows Security Center (WSC) service, you must include the Code Integrity bit (/INTEGRITYCHECK). Without the Trusted Signing signature, you aren't able to register with the WSC, and Windows Defender will run in parallel.
82+
Signing with the Partner Center is Kernel mode signing (no change here with the introduction of Trusted Signing). You need to sign your user mode binaries with Trusted Signing. For your apps that interact with the Windows Security Center (WSC) service, you must include the Code Integrity bit (/INTEGRITYCHECK). Without the Trusted Signing signature, you aren't able to register with the WSC, and Windows Defender will run in parallel.
7883
- question: How do we get the Authenticode certificate?
7984
answer: |
8085
The Authenticode certificate used for signing with the profile is never given to you. All certificates are securely stored within the service and are only accessible at the time of signing. The public certificate is always included in any signed binary by the service.
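Review bot: the unchanged context line at the top of this hunk is a broken sentence ("We're not extending any cross-signed certificates. , you must sign with the Trusted Signing service."); a word before the comma is missing, and since this hunk already touches the same FAQ section it is worth fixing here rather than leaving it. In the rewritten Partner Center answer, "Windows Defender will run in parallel" keeps the future tense that this PR removes elsewhere ("You'll need" to "You need"); "Windows Defender runs in parallel" is consistent.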
@@ -123,6 +128,8 @@ sections:
123128
- question: What if I change the Subscription ID or Tenant ID?
124129
answer: |
125130
At the moment, Trusted Signing resources can't be migrated across Subscriptions or Tenants. Hence, any change to Tenant ID or Subscription ID will need fro you to create all the Trusted Signing resources again.
126-
131+
- question: Does Trusted Signing issue EV certificates?
132+
answer: |
133+
No, Trusted Signing does not issue EV certificates and there are no plans to issue these in the future.
127134
##additionalContent: |
128135
## Next steps
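Review bot: the context line directly above the new EV question contains the typo "will need fro you to create" ("fro" should be "for"), and is worth correcting while this block is being edited. In the added answer, "does not issue EV certificates and there are no plans to issue these" should use the same contraction style as the rest of the PR ("doesn't issue") and "issue them" rather than "issue these".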
articles/trusted-signing/overview.md

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,7 @@ Trusted Signing (formerly Azure Code Signing) is a Microsoft fully managed end-t
1717
## Features
1818

1919
* Simplifies the signing process with an intuitive experience in Azure
20-
* Zero-touch certificate lifecycle management that is FIPS 140-2 Level 3 compliant.
20+
* Zero-touch certificate lifecycle management that is FIPS 140-2 Level 3 certified HSMs.
2121
* Integrations into leading developer toolsets.
2222
* Supports Public Trust, Test, Private Trust, and CI policy signing scenarios.
2323
* Timestamping service.
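Review bot: the rewritten bullet is ungrammatical: "Zero-touch certificate lifecycle management that is FIPS 140-2 Level 3 certified HSMs." reads as though the lifecycle management is the HSMs. Suggest "Zero-touch certificate lifecycle management backed by FIPS 140-2 Level 3 certified HSMs." The FAQ in this same PR states the compliance level as "FIPS 140-2 level 3 (mHSMs)"; align the casing of "Level" across the two files and spell out "mHSMs" once.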
@@ -28,11 +28,11 @@ Here’s a high-level overview of the service’s resource structure:
2828

2929
![Diagram of Azure Code Signing resource group and cert profiles.](./media/trusted-signing-resource-structure-overview.png)
3030

31-
* You create a resource group within a subscription. You then create a Trusted Signing account within the resource group.
32-
* Two resources within an account:
33-
* Identity validation
31+
* You create a resource group within a subscription. You then create a Trusted Signing account within that resource group.
32+
* There are two resources within a Trusted Signing account:
33+
* Identity validation
3434
* Certificate profile
35-
* Two types of accounts (depending on the SKU you choose):
35+
* There are two types of Trusted Signing accounts (depending on the SKU(Pricing tier) you choose):
3636
* Basic
3737
* Premium
3838

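Review bot: "SKU(Pricing tier)" in the rewritten accounts bullet is missing a space and capitalizes a common noun; suggest "SKU (pricing tier)". The rest of the rewording ("There are two resources within a Trusted Signing account:", "within that resource group") reads well.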
articles/trusted-signing/quickstart.md

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -231,7 +231,7 @@ Here are the steps to create an Identity Validation request:
231231
| Onboarding | Trusted Signing at this time can only onboard Legal Business Entities that have verifiable tax history of three or more years. For a quicker onboarding process ensure public records for the Legal Entity being validated are upto date. |
232232
| Accuracy | Ensure you provide the correct information for Public Identity Validation. Any changes or typos require you to complete a new Identity Validation request and affect the associated certificates used for signing.|
233233
| Additional documentation | You are notified though email, if we need extra documentation to process the identity validation request. The documents can be uploaded in Azure portal. The email contains information about the file size requirements. Ensure the documents provided are latest.|
234-
| Failed email verification | You are required to initiate a new Identity Validation request if email verification fails.|
234+
| Failure to perform email verification | You are required to initiate a new Identity Validation request if you missed to verify your emaail address within 7 days of receiving the verification link.|
235235
| Identity Validation status | You are notified through email when there is an update to the Identity Validation status. You can also check the status in the Azure portal at any time. |
236236
| Processing time | Expect anywhere between 1-7 business days (or sometimes longer if we need extra documentation from you) to process your Identity Validation request.|
237237

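Review bot: the rewritten "Failure to perform email verification" row has a typo ("emaail") and a non-idiomatic phrase ("if you missed to verify"); suggest "if you didn't verify your email address within 7 days of receiving the verification link." The FAQ change in this PR writes the same window as "seven days"; use one form in both places.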
@@ -270,6 +270,17 @@ A certificate profile resource is the logical container of the certificates that
270270

271271
# [Azure CLI](#tab/certificateprofile-cli)
272272

273+
**Prerequisites**
274+
You need the Identity Validation ID for the entity that the certificate profile is being created for. The below steps will guide you to obtain your Identity Validation ID from Azure Portal.
275+
276+
1. Navigate to your Trusted Signing account in the Azure portal.
277+
2. From either the Trusted Signing account overview page or from Objects, select **Identity Validation**.
278+
3. Select the hyperlink for the relevant entity, from the panel on the right you can copy the **Identity validation Id**.
279+
280+
:::image type="content" source="media/trusted-signing-identity-validation-id.png" alt-text="Screenshot of trusted-signing-identity-validation-id." lightbox="media/trusted-signing-identity-validation-id.png":::
281+
282+
283+
273284
To create a certificate profile with Azure CLI, follow these steps:
274285

275286
1. Create a certificate profile using the following command:
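Review bot: the alt text on the new image is the file name rather than a description ("Screenshot of trusted-signing-identity-validation-id."); suggest "Screenshot of the Identity validation panel showing the Identity validation ID." in the same style as the existing alt text in faq.yml. Also "The below steps will guide you to obtain your Identity Validation ID from Azure Portal." uses the future tense this PR removes elsewhere; "The following steps show how to get your Identity Validation ID from the Azure portal." is consistent. "Identity validation Id" in step 3 should be "Identity Validation ID" to match the prerequisite sentence, and the three blank lines after the image can be reduced to one.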
