deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-23 14:23:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #1641 from MicrosoftDocs/repo_sync_working_branch

Browse Source 
Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Thomas Raya
2019-12-06 09:12:00 -08:00
committed by GitHub
parent 44bf6d1ec3 924d07341a
commit 024c05a90d
18 changed files with 73 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
windows/deployment/update/waas-servicing-differences.md
View File

@ -39,7 +39,7 @@ Windows 10 provided an opportunity to end the era of infinite fragmentation. Wit
This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU.
Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security, and Internet Explorer 11 (IE11) fixes. A reboot of the device might be required to complete installation of the update.
![High level cumulative update model](images/servicing-cadence.png)

2
windows/deployment/usmt/usmt-general-conventions.md
View File

@ -50,7 +50,7 @@ Before you modify the .xml files, become familiar with the following guidelines:
- The required child elements apply only to the first definition of the element. If these elements are defined and then referred to using their name, the required child elements do not apply. For example, if you define `<detects name="Example">` in **&lt;namedElements&gt;**, and you specify `<detects name="Example"/>` in **&lt;component&gt;** to refer to this element, the definition inside **&lt;namedElements&gt;** must have the required child elements, but the **&lt;component&gt;** element does not need to have the required child elements.
- **File names with brackets**
If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.
- **Using quotation marks**

4
windows/deployment/usmt/usmt-hard-link-migration-store.md
View File

@ -113,6 +113,9 @@ For example, a company has decided to deploy Windows 10 on all of their compute
3. An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer.
> [!NOTE]
> During the update of a domain-joined computer, the profiles of users whose SID cannot be resolved will not be migrated. When using a hard-link migration store, it could cause a data loss.
## <a href="" id="bkmk-hardlinkstoredetails"></a>Hard-Link Migration Store Details
@ -233,4 +236,3 @@ The following XML sample specifies that files locked by an application under the

7
windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
View File

@ -22,9 +22,6 @@ ms.reviewer:
- Windows 10
- Windows Server 2016
Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Windows Defender Credential Guard video series.
Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
@ -46,4 +43,6 @@ do not qualify as credentials because they cannot be presented to another comput
**Deep Dive into Windows Defender Credential Guard: Related videos**
[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322)
> [!NOTE]
> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video

4
windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
View File

@ -69,7 +69,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprises needs.
**Note**If you use different template names, youll need to remember and substitute these names in different portions of the lab.
6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
8. Close the console.
@ -104,7 +104,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprises needs.
**Note:** If you use different template names, youll need to remember and substitute these names in different portions of the lab.
6. On the **Request Handling** tab, select **Allow private key to be exported**.
7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
7. On the **Subject Name** tab, select the **Supply in the request** button if it is not already selected.
8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
10. Close the console.

5
windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
View File

@ -36,7 +36,9 @@ You can create a Group Policy or mobile device management (MDM) policy that will
The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Windows Hello for Business**.
> [!NOTE]
> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** &gt; **Administrative Templates** &gt; **System** &gt; **PIN Complexity**.
<table>
<tr>
<th colspan="2">Policy</th>
@ -320,4 +322,3 @@ If you want to use Windows Hello for Business with certificates, youll need a
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)

BIN
windows/security/identity-protection/images/remote-credential-guard-gp.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 32 KiB

After

Width:  |  Height:  |  Size: 181 KiB

77
windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
View File

@ -23,22 +23,22 @@ The ideal for BitLocker management is to eliminate the need for IT admins to set
Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
>[!IMPORTANT]
> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [SCCM in on-prem scenarios](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology) in the future.
> [!IMPORTANT]
> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [ConfigMgr in on-prem scenarios](https://docs.microsoft.com/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker/) in the future.
## Managing domain-joined computers and moving to cloud
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings/).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201/) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
## Managing devices joined to Azure Active Directory
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD.
This is applicable to Azure Hybrid AD as well.
@ -52,9 +52,9 @@ For Windows PCs and Windows Phones that enroll using **Connect to work or school
Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC.
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).
If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md).
@ -65,64 +65,60 @@ If you are installing a server manually, such as a stand-alone server, then choo
For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.
*Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
```powershell
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
$BLV = Get-BitLockerVolume -MountPoint "C:"
BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS).
*Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
```
PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
```powershell
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
$BLV = Get-BitLockerVolume -MountPoint "C:"
PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
```
Subsequently, you can use PowerShell to enable BitLocker.
*Example: Use PowerShell to enable BitLocker with a TPM protector*
```
PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
```
PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
```powershell
Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector
```
PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
```powershell
$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
```
## Related Articles
[BitLocker: FAQs](bitlocker-frequently-asked-questions.md)
[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
[Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/)
[Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
[BitLocker Group Policy Reference](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings)
[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx)
[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune)
[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
*(Overview)*
[Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
*(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
<br />
[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/)
**Windows Server setup tools**
[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
[Windows Server Installation Options](https://docs.microsoft.com/windows-server/get-started-19/install-upgrade-migrate-19/)
[How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
@ -134,10 +130,9 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
[Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/)
<br />
**Powershell**
**PowerShell**
[BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell)
[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)

7
windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md
View File

@ -38,8 +38,9 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
>[!Note]
> When obtaining a token using user credentials:
>- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
>- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
## HTTP request
```
@ -57,7 +58,7 @@ Empty
## Response
If successful and machines were found - 200 OK with list of the machines in the response body.
If no machine found - 404 Not Found.
If no machine found - 404 Not Found.
If the timestamp is not in the past 30 days - 400 Bad Request.
## Example

6
windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 03/28/2019
ms.date: 12/04/2019
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -51,7 +51,7 @@ Currently, the Application Guard Edge session doesn't support Extensions. Howeve
### How do I configure Windows Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
### Which Input Method Editors (IME) in 19H1 are not supported?
@ -91,4 +91,4 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca
### Why does my encryption driver break Windows Defender Application Guard?
Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work.
Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT").

3
windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
View File

@ -54,6 +54,9 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
![Secure Launch Registry](images/secure-launch-registry.png)
> [!IMPORTANT]
> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
## How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.

4
windows/whats-new/whats-new-windows-10-version-1909.md
View File

@ -116,7 +116,7 @@ This release adds the ability for Narrator and other assistive technologies to r
This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications.
When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance then the other cores on the die.
When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance than the other cores on the die.
With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology "delivers more than 15% better single-threaded performance".
@ -139,4 +139,4 @@ General battery life and power efficiency improvements for PCs with certain proc
[Windows 10 features were no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
[How to get the Windows 10 November 2019 Update](https://aka.ms/how-to-get-1909): John Cable blog.<br>
[How to get Windows 10, Version 1909: Enablement Mechanics](https://aka.ms/1909mechanics): Mechanics blog.<br>
[Whats new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.<br>
[Whats new for IT pros in Windows 10, version 1909](https://aka.ms/whats-new-in-1909): Windows IT Pro blog.<br>