From 8eada20e80793466ea01abaa32532a72217808e2 Mon Sep 17 00:00:00 2001 From: Jennifer Rowe Date: Tue, 22 Jan 2019 21:59:38 +0000 Subject: [PATCH 01/13] Updated policy-csp-system.md to include link to Configure Windows diagnostics for your organization --- windows/client-management/mdm/policy-csp-system.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 25a2c66a62..e1751117bd 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -552,7 +552,9 @@ The following list shows the supported values: -Allow the device to send diagnostic and usage telemetry data, such as Watson. +Allow the device to send diagnostic and usage telemetry data, such as Watson. + +For more information about diagnostic data, including what is and what is not collected by Windows, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/en-us/windows/privacy/configure-windows-diagnostic-data-in-your-organization). The following tables describe the supported values: From 0b26d7b204dd8f6e2f76c0401e70552c4d5f9237 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Wed, 23 Jan 2019 14:53:32 +0000 Subject: [PATCH 02/13] Merged PR 13926: Added workaround for MFA Added a note in the requirements section to work around an MFA issue. --- .../windows-10-enterprise-subscription-activation.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-enterprise-subscription-activation.md b/windows/deployment/windows-10-enterprise-subscription-activation.md index 7942cf6e89..d10034c4f5 100644 --- a/windows/deployment/windows-10-enterprise-subscription-activation.md +++ b/windows/deployment/windows-10-enterprise-subscription-activation.md 
@@ -7,7 +7,6 @@ ms.mktglfcycl: deploy ms.localizationpriority: medium ms.sitesec: library ms.pagetype: mdt -ms.date: 05/23/2018 author: greg-lindsay --- @@ -64,6 +63,9 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & - Azure Active Directory (Azure AD) available for identity management. - Devices must be Azure AD-joined or Active Directory joined with Azure AD Connect. Workgroup-joined devices are not supported. + >[!NOTE] + >In issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](https://docs.microsoft.com/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue, the user must either sign in with an Azure Active Directory account, or you must disable MFA for this user during the 30-day polling period and renewal. + For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3 or E5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) From 93cd0dacd6f12b1f0d10e03390f8ed906e23a972 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Wed, 23 Jan 2019 09:47:34 -0800 Subject: [PATCH 03/13] remove extra server --- ...r-endpoints-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index 54976ad8b9..848c29f7aa 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -69,7 +69,7 @@ The following steps are required to enable this integration: 1. In the navigation pane, select **Settings** > **Machine management** > **Onboarding**. -2. Select Windows server 2012, 2012R2 and 2016 as the operating system. +2. Select Windows Server 2012R2 and 2016 as the operating system. 3. Click **Turn on server monitoring** and confirm that you'd like to proceed with the environment set up. When the set up completes, the **Workspace ID** and **Workspace key** fields are populated with unique values. You'll need to use these values to configure the MMA agent. @@ -197,7 +197,7 @@ To offboard the server, you can use either of the following methods: 1. Get your Workspace ID: a. In the navigation pane, select **Settings** > **Onboarding**. - b. Select **Windows server 2012, 2012R2 and 2016** as the operating system and get your Workspace ID: + b. Select **Windows Server 2012R2 and 2016** as the operating system and get your Workspace ID: ![Image of server onboarding](images/atp-server-offboarding-workspaceid.png) From 31bd7482c86e7ad6f389c3afbf5a09b8620b094c Mon Sep 17 00:00:00 2001 
From: Kurt Sarens Date: Wed, 23 Jan 2019 18:19:40 +0000 Subject: [PATCH 04/13] Updated command-line-arguments-windows-defender-antivirus.md --- .../command-line-arguments-windows-defender-antivirus.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md index eb9084b991..542f1a4c1e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus.md @@ -44,6 +44,7 @@ Command | Description \-GetFilesDiagTrack | Same as Getfiles but outputs to​ temporary DiagTrack folder​ \-RemoveDefinitions [-All] | Restores the installed​ signature definitions​ to a previous backup copy or to​ the original default set of​ signatures​ \-RemoveDefinitions [-DynamicSignatures] | Removes only the dynamically​ downloaded signatures​ +\-RemoveDefinitions [-Engine] | Restores the previous installed engine \-SignatureUpdate [-UNC \| -MMPC] | Checks for new definition updates​ \-Restore [-ListAll \| [[-Name ] [-All] \| [-FilePath ]] [-Path ]] | Restores or list​s quarantined item(s)​ \-AddDynamicSignature [-Path] | Loads a dynamic signature​ From d56f2e6b255f30896340e4bd13161205319bfbdf Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 23 Jan 2019 10:51:42 -0800 Subject: [PATCH 05/13] update azure steps --- ...dows-defender-advanced-threat-protection.md | 18 +----------------- 1 file changed, 1 insertion(+), 17 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index f5f0d320e5..8ae2466e2d 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/09/2018 --- # Use basic permissions to access the portal @@ -66,23 +65,8 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@C For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). ## Assign user access using the Azure portal +For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). -1. Go to the [Azure portal](https://portal.azure.com). - -2. Select **Azure Active Directory**. - -3. Select **Manage** > **Users and groups**. - -4. Select **Manage** > **All users**. - -5. Search or select the user you want to assign the role to. - -6. Select **Manage** > **Directory role**. - -7. Select **Add role** and choose the role you'd like to assign, then click **Select**. - - - ![Image of Microsoft Azure portal](images/atp-azure-assign-role.png) ## Related topic - [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md) From 7bd6b933d95542e5c9caa7d311c35e3c4f63ba6d Mon Sep 17 00:00:00 2001 
From: jaimeo Date: Wed, 23 Jan 2019 13:40:26 -0800 Subject: [PATCH 06/13] corrected strangely worded sentence about MDM in 1709 --- windows/deployment/update/waas-manage-updates-wufb.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md index 4df6cd83e0..d1fbc267eb 100644 --- a/windows/deployment/update/waas-manage-updates-wufb.md +++ b/windows/deployment/update/waas-manage-updates-wufb.md @@ -7,7 +7,6 @@ ms.sitesec: library author: jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 11/16/2018 --- # Deploy updates using Windows Update for Business @@ -76,7 +75,7 @@ The group policy path for Windows Update for Business has changed to correctly r ## Managing Windows Update for Business with MDM -Starting with Windows 10, version 1709, Windows Update for Business was changed to correctly reflect its association to Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709. +Starting with Windows 10, version 1709, the Windows Update for Business settings in MDM were changed to correctly reflect the associations with Windows Update for Business and provide the ability to easily manage Windows Insider Preview builds in 1709. | Action | Windows 10 versions prior to 1709 | Windows 10 versions after 1709 | | --- | --- | --- | From c2465e3e43191639ccf8576dd090b08bc27404b9 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Thu, 24 Jan 2019 19:31:39 +0000 Subject: [PATCH 07/13] Merged PR 13957: typos/broken links typos/broken links --- .../cortana-at-work/cortana-at-work-overview.md | 7 ++----- windows/deployment/update/windows-as-a-service.md | 4 ++-- 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 78e5022926..48db68727b 100644 
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -4,10 +4,9 @@ description: The world’s first personal digital assistant helps users get thin ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: eross-msft +author: lizap ms.localizationpriority: medium -ms.author: lizross -ms.date: 10/05/2017 +ms.author: elizapo --- # Cortana integration in your business or enterprise @@ -57,8 +56,6 @@ Cortana is covered under the [Microsoft Privacy Statement](https://privacy.micro ## See also - [What is Cortana?](https://go.microsoft.com/fwlink/p/?LinkId=746818) -- [Cortana and Windows](https://go.microsoft.com/fwlink/?LinkId=717384) - - [Known issues for Windows Desktop Search and Cortana in Windows 10](https://support.microsoft.com/help/3206883/known-issues-for-windows-desktop-search-and-cortana-in-windows-10) - [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 9412c8eaa1..a1192986c2 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -6,7 +6,7 @@ ms.topic: landing-page ms.manager: elizapo author: lizap ms.author: elizapo -ms.date: 01/17/2019 +ms.date: 01/24/2019 ms.localizationpriority: high --- # Windows as a service 
@@ -17,7 +17,7 @@ Find the tools and resources you need to help deploy and support Windows as a se Find the latest and greatest news on Windows 10 deployment and servicing. -**Working to WIndows updates clear and transparent** +**Working to make Windows updates clear and transparent** > [!VIDEO https://www.youtube-nocookie.com/embed/u5P20y39DrA] Everyone wins when transparency is a top priority. We want you to know when updates are available, as well as alert you to any potential issues you may encounter during or after you install an update. The Windows update history page is for anyone looking to gain an immediate, precise understanding of particular Windows update issues. From e899e480f63f2a8658bc971d7822590b76c0bcd2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 24 Jan 2019 12:06:53 -0800 Subject: [PATCH 08/13] removed braces --- windows/client-management/mdm/policy-csp-defender.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md index 23c0950c12..3264fb41ea 100644 --- a/windows/client-management/mdm/policy-csp-defender.md +++ b/windows/client-management/mdm/policy-csp-defender.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 11/14/2018 +ms.date: 01/25/2019 --- # Policy CSP - Defender @@ -2457,7 +2457,7 @@ Possible values are: - MMPC - FileShares -For example: { InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC } +For example: InternalDefinitionUpdateServer | MicrosoftUpdateServer | MMPC If you enable this setting, definition update sources will be contacted in the order specified. Once definition updates have been successfully downloaded from one specified source, the remaining sources in the list will not be contacted. From 343f1ac15b71cc836fbbdcb0e9e62d8a19e94394 Mon Sep 17 00:00:00 2001 
From: Joey Caparas Date: Thu, 24 Jan 2019 13:48:15 -0800 Subject: [PATCH 09/13] remove en-us --- ...c-permissions-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md index 8ae2466e2d..9468f020d0 100644 --- a/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/basic-permissions-windows-defender-advanced-threat-protection.md @@ -65,7 +65,7 @@ Add-MsolRoleMember -RoleName "Security Reader" -RoleMemberEmailAddress "reader@C For more information see, [Manage Azure AD group and role membership](https://technet.microsoft.com/library/321d532e-407d-4e29-a00a-8afbe23008dd#BKMK_ManageGroups). ## Assign user access using the Azure portal -For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). +For more information, see [Assign administrator and non-administrator roles to uses with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-users-assign-role-azure-portal). ## Related topic From b8d3fc3291f8a5d88d250185671f5e6a293ff19b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 24 Jan 2019 13:54:17 -0800 Subject: [PATCH 10/13] add link to add tags using API --- ...hine-tags-windows-defender-advanced-threat-protection.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md index b6fc180e59..0e986b8fda 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md @@ -11,7 +11,6 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/13/2018 --- # Create and manage machine tags @@ -79,4 +78,9 @@ You can manage tags from the Actions button or by selecting a machine from the M ![Image of adding tags on a machine](images/atp-tag-management.png) +## Add machine tags using APIs +For more information, see [Add or remove machine tags API](add-or-remove-machine-tags-windows-defender-advanced-threat-protection-new.md). + + + From e070e6f73cc513391e20ee1c10bf9381399e80a5 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 24 Jan 2019 14:04:20 -0800 Subject: [PATCH 11/13] add preview --- ...d-downlevel-windows-defender-advanced-threat-protection.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md index 4fdcb667bb..a08224049b 100644 --- a/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection.md 
@@ -11,7 +11,6 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/19/2018 --- # Onboard previous versions of Windows @@ -30,6 +29,9 @@ ms.date: 11/19/2018 Windows Defender ATP extends support to include down-level operating systems, providing advanced attack detection and investigation capabilities on supported Windows versions. +>[!IMPORTANT] +>This capability is currently in preview. You'll need to turn on the preview features to take advantage of this feature. For more information, see [Preview features](preview-windows-defender-advanced-threat-protection). + To onboard down-level Windows client endpoints to Windows Defender ATP, you'll need to: - Configure and update System Center Endpoint Protection clients. - Install and configure Microsoft Monitoring Agent (MMA) to report sensor data to Windows Defender ATP as instructed below. From ece4d6e323b439cf659f42aa4e99229ef42b09c7 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Fri, 25 Jan 2019 01:40:38 +0000 Subject: [PATCH 12/13] Merged PR 13951: Updates to Windows Hello for Business documentation Updating the documentation for Windows Hello for Business. --- .../hello-how-it-works-device-registration.md | 4 ++-- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 6 +++--- .../hello-for-business/hello-identity-verification.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md index a6b919a090..7f24f72843 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md 
@@ -77,8 +77,8 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning | Phase | Description | | :----: | :----------- | | A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.| -|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines directs device registration to Azure Device Registration Service (ADRS).| -|C | For the federated environments, the computer authenticates ADFS/STS using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. +|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.| +|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. 
The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. |D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| |E | To provide SSO for on-premises federated application, the task requests an enterprise PRT from the on-premises STS. Windows Server 2016 running the Active Directory Federation Services role validate the request and return it the running task.| |F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index cd06ba9e92..b6cbd28438 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastructure](#public-key-infrastructure) +* [Public Key Infrastucture](#public-key-infastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authentication](#multifactor-authentication) @@ -114,9 +114,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
### Next Steps ### -Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. +Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. -For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. +For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**. For federated and non-federated environments, start with **Configure Windows Hello for Business settings**. diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 4d03a84747..9c0f5c3a35 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -39,7 +39,7 @@ Windows Hello addresses the following problems with passwords: * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory ### Hybrid Deployments -The table shows the minimum requirements for each deployment. +The table shows the minimum requirements for each deployment. For key trust in a multi-domain/multi-forest deployment, the following requirements are applicable for each domain/forest that hosts Windows Hello for business components or is involved in the Kerberos referral process. | Key trust
Group Policy managed | Certificate trust
Mixed managed | Key trust
Modern managed | Certificate trust
Modern managed | | --- | --- | --- | --- | From 5223aa50e6ac0ecc45be3ec4057189352406a069 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Fri, 25 Jan 2019 16:58:16 +0000 Subject: [PATCH 13/13] Merged PR 13979: add link --- ...ndows-10-device-automatically-using-group-policy.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 65b730f7d4..24e4a9039a 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -11,13 +11,13 @@ ms.date: 10/04/2017 # Enroll a Windows 10 device automatically using Group Policy -Starting in Windows 10, version 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices. +Starting in Windows 10, version 1709, you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. Requirements: -- AD-joined PC running Windows 10, version 1709 -- Enterprise has MDM service already configured -- Enterprise AD must be registered with Azure AD -- Device should not already be enrolled in Intune using the classic agents (devices manged using agents will fail enrollment with error 0x80180026) +- AD-joined PC running Windows 10, version 1709 or later +- The enterprise has configured a mobile device management (MDM) service +- The enterprise AD must be [registered with Azure Active Directory (Azure AD)](azure-active-directory-integration-with-mdm.md) +- The device should not already be enrolled in Intune using the classic agents (devices managed using agents will fail enrollment with `error 0x80180026`) > [!Tip] > [How to configure automatic registration of Windows domain-joined devices with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-automatic-device-registration-setup)
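Review bot: In PATCH 01/13 (policy-csp-system.md, hunk at line 552), the added link hardcodes the `/en-us/` locale segment in its docs.microsoft.com URL. PATCH 09/13 in this same series strips that segment from another link, so drop it here too so readers are routed to their own locale. The "Allow the device to send diagnostic and usage telemetry data, such as Watson." line is removed and re-added with no visible text change; confirm the whitespace-only edit is intended.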
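Review bot: In PATCH 02/13 (windows-10-enterprise-subscription-activation.md, hunk at line 64), the added note opens with "In issue has been identified", which should read "An issue has been identified". The second workaround, disabling MFA for the user "during the 30-day polling period and renewal", switches off an authentication control for an extended window. Suggest presenting the Azure Active Directory sign-in as the preferred fix and saying that MFA should be turned back on once the upgrade has succeeded.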
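Review bot: In PATCH 03/13 (configure-server-endpoints-windows-defender-advanced-threat-protection.md, hunk at line 69), step 2 leaves the option name as plain text, while the second hunk of this patch bolds the same label as **Windows Server 2012R2 and 2016**. Bold it in step 2 as well, and check the wording against the portal string, since the patch changes both the capitalization of "server" and the list of versions.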
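Review bot: In PATCH 04/13 (command-line-arguments-windows-defender-antivirus.md), the new `-RemoveDefinitions [-Engine]` row reads "Restores the previous installed engine", which should be "previously installed". The neighbouring `-RemoveDefinitions [-All]` row says what the signatures are restored to; the new row would benefit from the same precision, since an engine rollback is not something a reader would expect from a switch named RemoveDefinitions.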
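Review bot: In PATCH 05/13 (basic-permissions-windows-defender-advanced-threat-protection.md, hunk at line 66), the replacement link text says "roles to uses with Azure Active Directory", which should be "users". The added line also sits directly under the `## Assign user access using the Azure portal` heading with no blank line between them, and the hunk deletes the only visible reference to `images/atp-azure-assign-role.png`, so remove that image if nothing else uses it.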
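Review bot: In PATCH 06/13 (waas-manage-updates-wufb.md, hunk at line 76), the rewritten sentence opens with "Starting with Windows 10, version 1709" and still ends with "in 1709", so the version is stated twice; drop the trailing "in 1709". The table header in the context lines says "Windows 10 versions after 1709" while the sentence says the change starts with 1709, so align the two to make clear which column 1709 itself belongs to.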
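Review bot: In PATCH 07/13 (cortana-at-work-overview.md, metadata hunk), `ms.date` is deleted outright while the same commit bumps `ms.date` to 01/24/2019 in windows-as-a-service.md. Pick one convention for the series: patches 02, 05, 06, 10 and 11 also drop the field, while 08 updates it.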
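Review bot: In PATCH 08/13 (policy-csp-defender.md, hunk at line 2457), the example value is now bare text containing `|` characters, which Markdown renderers can treat as table cell separators. Wrap the value in an inline code span so it renders literally and so readers can see exactly where the string to configure starts and ends.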
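Review bot: In PATCH 09/13 (basic-permissions-windows-defender-advanced-threat-protection.md), the changed line still carries the link text "roles to uses with Azure Active Directory". Since this line is being touched anyway, fix "uses" to "users" in the same change.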
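Review bot: In PATCH 10/13 (machine-tags-windows-defender-advanced-threat-protection.md, hunk at line 79), the new `## Add machine tags using APIs` heading has no blank line before its paragraph, and the hunk appends several empty lines at the end of the file (5 insertions for two lines of content). Add the blank line after the heading and trim the trailing ones. The link target carries a `-new` suffix in its file name; confirm that is the published name.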
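Review bot: In PATCH 11/13 (onboard-downlevel-windows-defender-advanced-threat-protection.md, hunk at line 30), the link target `preview-windows-defender-advanced-threat-protection` has no `.md` extension, unlike the other relative links in this series (for example `rbac-windows-defender-advanced-threat-protection.md`). Add the extension so the link resolves consistently.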
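Review bot: In PATCH 12/13 (hello-how-it-works-device-registration.md), the rewritten row C still ends at "to the running task." without the closing `|` that rows A, B, D, E and F have; add it so the table row is terminated. In the same row, "the computer authenticates the enterprise device registration endpoint" reads as if the computer validates the endpoint; "authenticates to" fits the Windows integrated authentication flow the row describes.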
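Review bot: In PATCH 12/13 (hello-hybrid-key-trust-prereqs.md, hunk at line 23), the `+` line replaces a correctly spelled entry with `[Public Key Infrastucture](#public-key-infastructure)`, misspelling the link text and the anchor in two different ways. Unless the target heading carries the same misspelling, the in-page link breaks; keep the spelling of the removed line, or correct the heading instead of the link.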
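Review bot: In PATCH 12/13 (hello-hybrid-key-trust-prereqs.md, Next Steps hunk at line 114), both changed lines replace correct spellings with typos: "New Installation Basline" and "Configure Azure Directory Syncrhonization". If these bold labels are meant to match section titles in the deployment guide, fix the titles there rather than copying the misspellings here.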
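Review bot: In PATCH 12/13 (hello-identity-verification.md, hunk at line 39), the added sentence writes "Windows Hello for business components" with a lowercase "business"; the product name is "Windows Hello for Business" everywhere else in this patch. The sentence is also long enough that splitting it after "applicable" would make the multi-domain/multi-forest condition easier to read.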
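Review bot: In PATCH 13/13 (enroll-a-windows-10-device-automatically-using-group-policy.md), the code span in the last requirement wraps the word "error" together with the value (`error 0x80180026`); put only `0x80180026` in the code span so it can be searched and copied cleanly. The hunk header shows `ms.date: 10/04/2017` still in the front matter even though the requirements change ("version 1709 or later"), so update or remove it in line with the rest of the series.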