Merge remote-tracking branch 'refs/remotes/origin/master' into dh-servicing-sandbox

2025-05-14 14:27:22 +00:00 · 2017-01-26 20:52:44 -08:00 · 2017-01-26 20:52:44 -08:00 · 04dc51911b
commit 04dc51911b
parent 055ddd3ec0 4e5329c77c
15 changed files with 42 additions and 33 deletions
--- a/windows/deploy/index.md
+++ b/windows/deploy/index.md
@ -5,6 +5,7 @@ ms.assetid: E9E2DED5-DBA7-4300-B411-BA0FD39BE18C
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 localizationpriority: high
 author: greg-lindsay
 ---
--- a/windows/deploy/windows-10-poc.md
+++ b/windows/deploy/windows-10-poc.md
@ -844,17 +844,16 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
    ![ISE](images/ISE.png)
 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
-20. In the (lower) terminal input window, type the following command to copy the script to PC1 using integration services:
+20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
    <pre style="overflow-y: visible">
    Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
    Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1"  –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
    </pre>
-    >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. You can also try running the following command from an elevated Windows PowerShell prompt on the Hyper-V host:
+    >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
-    <pre style="overflow-y: visible">Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"</pre>
+    If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
    If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
 21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
@ -865,7 +864,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
    >The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
 22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
-    >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all use accounts, or only other specific accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
+    >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
 23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services. 
 24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
--- a/windows/index.md
+++ b/windows/index.md
@ -3,6 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10)
 description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
 ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
 ms.prod: w10
 localizationpriority: high
 author: brianlic-msft
 ---
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@ -197,7 +197,7 @@
 ###### [Monitor claim types](monitor-claim-types.md)
 ##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 ###### [Audit Credential Validation](audit-credential-validation.md)
-####### [Event 4774 S: An account was mapped for logon.](event-4774.md)
+####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md)
 ####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
 ####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
 ####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)
--- a/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-arcsight-windows-defender-advanced-threat-protection.md
@ -79,8 +79,8 @@ The following steps assume that you have completed all the required steps in [Be
    <td>Type in the name of the client property file. It must match the client property file.</td>
    </tr>
    <td>Events URL</td>
-    <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
+    <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME
- </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
+ </br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts/?sinceTimeUtc=$START_AT_TIME</td>
    <tr>
    <td>Authentication Type</td>
    <td>OAuth 2</td>
--- a/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-splunk-windows-defender-advanced-threat-protection.md
@ -56,7 +56,7 @@ You'll need to configure Splunk so that it can consume Windows Defender ATP aler
  </tr>
  <tr>
  <td>Endpoint URL</td>
-  <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.securitycenter.windows.com/api/alerts </br>**For US:** https://<i></i>wdatp-alertexporter-us.securitycenter.windows.com/api/alerts
+  <td>Depending on the location of your datacenter, select either the EU or the US URL: </br></br> **For EU**:  https://<i></i>wdatp-alertexporter-eu.windows.com/api/alerts  </br>**For US:** https://<i></i>wdatp-alertexporter-us.windows.com/api/alerts
  </tr>
  <tr>
--- a/windows/keep-secure/event-4774.md
+++ b/windows/keep-secure/event-4774.md
@ -1,6 +1,6 @@
 ---
 title: 4774(S) An account was mapped for logon. (Windows 10)
-description: Describes security event 4774(S) An account was mapped for logon.
+description: Describes security event 4774(S, F) An account was mapped for logon.
 ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -8,14 +8,13 @@ ms.sitesec: library
 author: Mir0sh
 ---
-# 4774(S): An account was mapped for logon.
+# 4774(S, F): An account was mapped for logon.
 **Applies to**
 -   Windows 10
 -   Windows Server 2016
-
+Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx). 
 It appears that this event never occurs.
 ***Subcategory:***&nbsp;[Audit Credential Validation](audit-credential-validation.md)
@ -23,7 +22,7 @@ It appears that this event never occurs.
 *An account was mapped for logon.*
-*Authentication Package:%1*
+*Authentication Package:Schannel*
 *Account UPN:%2*
--- a/windows/keep-secure/how-to-configure-security-policy-settings.md
+++ b/windows/keep-secure/how-to-configure-security-policy-settings.md
@ -31,9 +31,9 @@ When a local setting is inaccessible, it indicates that a GPO currently controls
 3.  When you find the policy setting in the details pane, double-click the security policy that you want to modify.
 4.  Modify the security policy setting, and then click **OK**.
-    **Note**  
+    > [!NOTE]
-    -   Some security policy settings require that the device be restarted before the setting takes effect.
+    > -   Some security policy settings require that the device be restarted before the setting takes effect.
-    -   Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
+    > -   Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on.
 ## <a href="" id="bkmk-domain"></a>To configure a security policy setting using the Local Group Policy Editor console
@ -48,11 +48,13 @@ You must have the appropriate permissions to install and use the Microsoft Manag
 4.  In the details pane, double-click the security policy setting that you want to modify.
-    >**Note:**  If this security policy has not yet been defined, select the **Define these policy settings** check box.
+    > [!NOTE]
    > If this security policy has not yet been defined, select the **Define these policy settings** check box.
 5.  Modify the security policy setting, and then click **OK**.
->**Note:**  If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
+> [!NOTE]
 > If you want to configure security settings for many devices on your network, you can use the Group Policy Management Console.
 ## <a href="" id="bkmk-dc"></a>To configure a setting for a domain controller
@ -65,13 +67,15 @@ The following procedure describes how to configure a security policy setting for
    -   Click **Local Policies** to edit the **Audit Policy**, a **User Rights Assignment**, or **Security Options**.
 3.  In the details pane, double-click the security policy that you want to modify.
-    >**Note**  If this security policy has not yet been defined, select the **Define these policy settings** check box.
+
    > [!NOTE]
    > If this security policy has not yet been defined, select the **Define these policy settings** check box.
 4.  Modify the security policy setting, and then click **OK**.
-**Important**  
+> [!IMPORTANT]  
-   Always test a newly created policy in a test organizational unit before you apply it to your network.
+> -   Always test a newly created policy in a test organizational unit before you apply it to your network.
-   When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
+> -   When you change a security setting through a GPO and click **OK**, that setting will take effect the next time you refresh the settings.
 ## Related topics
--- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@ -22,8 +22,8 @@ Credential Manager is a place where credentials in the OS are can be stored for
 For VPN, the VPN stack saves its credential as the session default. 
 For WiFi, EAP does it. 
-The credentials are put in Credential Manager as a "`*Session`" credential. 
+The credentials are put in Credential Manager as a "\*Session" credential. 
-A "`*Session`" credential implies that it is valid for the current user session. 
+A "\*Session" credential implies that it is valid for the current user session. 
 The credentials are also cleaned up when the WiFi or VPN connection is disconnected. 
 When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
--- a/windows/keep-secure/index.md
+++ b/windows/keep-secure/index.md
@ -6,6 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
 author: brianlic-msft
 ---
 # Keep Windows 10 secure
--- a/windows/keep-secure/using-owa-with-wip.md
+++ b/windows/keep-secure/using-owa-with-wip.md
@ -23,7 +23,6 @@ Because Outlook Web Access (OWA) can be used both personally and as part of your
 |-------|-------------|
 |Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. |
 |Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. |
 |Do all of the following:<ul><li>Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.</li><li>Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.</li><li>Add the following URLs to the Neutral Resources network element in your WIP policy:<ul><li>outlook.office365.com</li><li>outlook.office.com</li><li>outlook-sdf.office.com</li><li>attachment.outlook.office.net</li></ul></li></ul> |Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal. |
 |Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. |
 >[!NOTE]
--- a/windows/manage/index.md
+++ b/windows/manage/index.md
@ -7,6 +7,7 @@ ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
 author: jdeckerMS
 ---
--- a/windows/manage/stop-employees-from-using-the-windows-store.md
+++ b/windows/manage/stop-employees-from-using-the-windows-store.md
@ -29,8 +29,8 @@ You can use these tools to configure access to Windows Store: AppLocker or Group
 ## <a href="" id="block-store-applocker"></a>Block Windows Store using AppLocker
 Applies to: Windows 10 Enterprise, Windows 10 Education, Windows 10 Mobile
 Applies to: Windows 10 Enterprise, Windows 10 Mobile
 AppLocker provides policy-based access control management for applications. You can block access to Windows Store app with AppLocker by creating a rule for packaged apps. You'll give the name of the Windows Store app as the packaged app that you want to block from client computers.
@ -59,7 +59,10 @@ For more information on AppLocker, see [What is AppLocker?](../keep-secure/what-
 ## <a href="" id="block-store-group-policy"></a>Block Windows Store using Group Policy
-Applies to: Windows 10 Enterprise, version 1511
+Applies to: Windows 10 Enterprise, version 1511, Windows 10 Education 
 > [!Note]
 > Not supported on Windows 10 Pro.
 You can also use Group Policy to manage access to Windows Store.
@ -89,7 +92,7 @@ When your MDM tool supports Windows Store for Business, the MDM can use these CS
 For more information, see [Configure an MDM provider](configure-mdm-provider-windows-store-for-business.md).
 ## Show private store only using Group Policy 
-Applies to Windows 10 Enterprise, version 1607.
+Applies to Windows 10 Enterprise, version 1607, Windows 10 Education
 If you're using Windows Store for Business and you want employees to only see apps you're managing in your private store, you can use Group Policy to show only the private store. Windows Store app will still be available, but employees can't view or purchase apps. Employees can view and install apps that the admin has added to your organization's private store. 
--- a/windows/plan/index.md
+++ b/windows/plan/index.md
@ -6,6 +6,7 @@ keywords: deploy, upgrade, update, configure
 ms.prod: w10
 ms.mktglfcycl: plan
 ms.sitesec: library
 localizationpriority: high
 author: TrudyHa
 ---