deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-06 01:27:21 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'public' into repo_sync_working_branch

Browse Source
This commit is contained in:
Tina Burden 2020-03-04 11:46:28 -08:00 committed by GitHub
commit 0c20f6a924
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 105 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
devices/surface-hub/surface-hub-2s-whats-new.md
View File

@ -22,7 +22,7 @@ Surface Hub 2S is an all-in-one collaboration canvas thats built for teamwork
|**Mobile Device Management and UEFI manageability**| Manage settings and policies using a mobile device management (MDM) provider. <br> <br> Full integration with Surface Enterprise Management Mode (SEMM) lets you manage hardware components and firmware. | [Managing Surface Hub 2S with Microsoft Intune](surface-hub-2s-manage-intune.md) <br> <br> [Surface Enterprise Management Mode](https://docs.microsoft.com/surface/surface-enterprise-management-mode) |
|**Cloud and on-premises coexistence**| Supports on-premises, hybrid, or online. | [Prepare your environment for Microsoft Surface Hub 2S](surface-hub-2s-prepare-environment.md) |
|**Reset and recovery**| Restore from the cloud or USB drive. | [Recover and reset Surface Hub 2S](surface-hub-2s-recover-reset.md) |
|**Microsoft Whiteboard**| Ofice 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) |
|**Microsoft Whiteboard**| Office 365 integration, intelligent ink, and Bing search bring powerful new capabilities, enabling a persistent digital canvas shareable across most browsers, Windows and iOS devices. | [Announcing a new whiteboard for your Surface Hub](https://techcommunity.microsoft.com/t5/Office-365-Blog/Announcing-a-new-Whiteboard-for-your-Surface-Hub/ba-p/637050) |
|**Microsoft Teams Meeting Room License**| Extends Office 365 licensing options across Skype for Business, Microsoft Teams, and Intune. | [Teams Meeting Room Licensing Update](https://docs.microsoft.com/MicrosoftTeams/room-systems/skype-room-systems-v2-0) |
|**On-screen display**| Adjust volume, brightness, and input control directly on the display. | |
|**Sensor-activated Connected Standby**| Doppler sensor activates Connected Standby after 1 minute of inactivity.<br> <br> Manage this setting remotely using Intune or directly on the device from the Settings app. | [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) |

12
devices/surface-hub/surface-hub-update-history.md
View File

@ -24,6 +24,18 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703
<details>
<summary>February 11, 2020—update for Team edition based on KB4537765* (OS Build 15063.2284)</summary>
This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
* Resolves an issue where the Hub 2S cannot be heard well by other participants during Skype for Business calls.
* Improves reliability for some Arabic, Hebrew, and other RTL language usage scenarios on Surface Hub.
Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
*[KB4537765](https://support.microsoft.com/help/4537765)
</details>
<details>
<summary>January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254)</summary>

1
windows/deployment/windows-autopilot/known-issues.md
View File

@ -71,6 +71,7 @@ This happens because Windows 10, version 1903 deletes the AutopilotConfiguration
<tr><td>Error importing Windows Autopilot devices from a .csv file<td>Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
<tr><td>Windows Autopilot for existing devices does not follow the Autopilot OOBE experience.<td>Ensure that the JSON profile file is saved in <b>ANSI/ASCII</b> format, not Unicode or UTF-8.
<tr><td><b>Something went wrong</b> is displayed page during OOBE.<td>The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see <a href="windows-autopilot-requirements.md#networking-requirements">Networking requirements</a>.
<tr><td>Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information.<td>Using PPKGs in combination with Windows Autopilot is not recommended.
</table>
## Related topics

10
windows/deployment/windows-autopilot/troubleshooting.md
View File

@ -67,10 +67,10 @@ So, as an example (this is not a device hash, but it's misaligned unpadded Base6
Now for the padding rules. The padding character is "=". The padding character can only be at the end of the hash, and there can only be a maximum of 2 padding characters. Here's the basic logic.
- Does decoding the hash fail?
- Yes: Are the last two characters "="?
- Yes: Replace both "=" with a single "A" character, then try again
- No: Add another "=" character at the end, then try again
- No: That hash is valid
- Yes: Are the last two characters "="?
- Yes: Replace both "=" with a single "A" character, then try again
- No: Add another "=" character at the end, then try again
- No: That hash is valid
Looping the logic above on the previous example hash, we get the following permutations:
- Q29udG9zbwAAA
@ -128,6 +128,8 @@ On devices running a [supported version](https://docs.microsoft.com/windows/rele
The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
An Azure AD device is created upon import - it's important that this object not be deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.
Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.
## Troubleshooting Intune enrollment issues

4
windows/security/identity-protection/hello-for-business/hello-faq.md
View File

@ -50,6 +50,9 @@ It is currently possible to set a convenience PIN on Azure Active Directory Join
## Can I use an external camera when my laptop is closed or docked?
No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
## Why does authentication fail immediately after provisioning Hybrid Key Trust?
In a hybrid deployment, a user's public key must sync from Azure AD to AD before it can be used to authenticate against a domain controller. This sync is handled by Azure AD Connect and will occur during a normal sync cycle.
## What is the password-less strategy?
Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**.
@ -166,4 +169,3 @@ Windows Hello for Business can work with any third-party federation servers that
## Does Windows Hello for Business work with Mac and Linux clients?
Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration).

2
windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
View File

@ -151,7 +151,7 @@ Domain controllers automatically request a certificate from the domain controlle
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
8. In the details pane, right-click **Certificate Services Client Auto-Enrollment** and select **Properties**.
9. Select **Enabled** from the **Configuration Model** list.
10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
11. Select the **Update certificates that use certificate templates** check box.
12. Click **OK**. Close the **Group Policy Management Editor**.

43
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux manually
ms.reviewer:
ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
@ -53,13 +53,13 @@ In order to preview new features and provide early feedback, it is recommended t
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
```bash
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
```
- Install the Microsoft GPG public key:
@ -67,12 +67,18 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
```bash
sudo rpm --import microsoft.asc
```
- Download and make usable all the metadata for the currently enabled yum repositories:
- Install `yum-utils` if it is not already installed:
```bash
sudo yum install yum-utils
```
- Download and make usable all the metadata for the currently enabled yum repositories:
```bash
yum makecache
@ -85,10 +91,10 @@ In order to preview new features and provide early feedback, it is recommended t
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
```bash
sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
@ -99,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
```bash
rpm --import microsoft.asc
```
@ -112,6 +118,12 @@ In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install curl
```
- Install `libplist-utils` if it is not already installed:
```bash
sudo apt-get install libplist-utils
```
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
@ -123,7 +135,7 @@ In order to preview new features and provide early feedback, it is recommended t
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
```
- Install the repository configuration:
@ -141,12 +153,7 @@ In order to preview new features and provide early feedback, it is recommended t
- Install the Microsoft GPG public key:
```bash
curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
```
```bash
sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
```
- Install the https driver if it's not already present:
@ -193,7 +200,7 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file.
Extract the contents of the archive:
```bash
ls -l
total 8

11
windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
View File

@ -13,7 +13,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.collection: M365-security-compliance
ms.topic: conceptual
---
@ -59,7 +59,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
@ -72,6 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
- ```sudo rm -rf '/Library/Application Support/Microsoft/Defender/'```
## Configuring from the command line
@ -98,6 +99,10 @@ Important tasks, such as controlling product settings and triggering on-demand s
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |
## Client Microsoft Defender ATP quarantine directory
`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
## Microsoft Defender ATP portal information
[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.
[This blog](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/edr-capabilities-for-macos-have-now-arrived/ba-p/1047801) provides detailed guidance on what to expect in Microsoft Defender ATP Security Center.

33
windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
View File

@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
ms.date: 09/03/2018
ms.date: 03/04/2020
ms.reviewer:
manager: dansimp
---
@ -24,8 +24,8 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
1. Protection updates
1. Protection updates
2. Product updates
You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
@ -36,15 +36,40 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
Engine updates are included with the Security intelligence updates and are released on a monthly cadense.
## Product updates
Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
## Released platform and engine versions
Only the main version is listed in the following table as reference information:
Month | Platform/Client | Engine
---|---|---
Feb-2020 | - | 1.1.16800.x
Jan-2020 | 4.18.2001.x | 1.1.16700.x
Dec-2019 | - | - |
Nov-2019 | 4.18.1911.x | 1.1.16600.x
Oct-2019 | 4.18.1910.x | 1.1.16500.x
Sep-2019 | 4.18.1909.x | 1.1.16400.x
Aug-2019 | 4.18.1908.x | 1.1.16300.x
Jul-2019 | 4.18.1907.x | 1.1.16200.x
Jun-2019 | 4.18.1906.x | 1.1.16100.x
May-2019 | 4.18.1905.x | 1.1.16000.x
Apr-2019 | 4.18.1904.x | 1.1.15900.x
Mar-2019 | 4.18.1903.x | 1.1.15800.x
Feb-2019 | 4.18.1902.x | 1.1.15700.x
Jan-2019 | 4.18.1901.x | 1.1.15600.x
Dec-18 | 4.18.1812.X | 1.1.15500.x
## In this section
Topic | Description
Article | Description
---|---
[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.

18
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
ms.date: 02/24/2020
ms.date: 03/04/2020
---
# Understand WDAC policy rules and file rules
@ -126,3 +126,19 @@ Wildcards can be used at the beginning or end of a path rule; only one wildcard
> [!NOTE]
> Due to an existing bug, you can not combine Path-based ALLOW rules with any DENY rules in a single policy. Instead, either separate DENY rules into a separate Base policy or move the Path-based ALLOW rules into a supplemental policy as described in [Deploy multiple WDAC policies.](deploy-multiple-windows-defender-application-control-policies.md)
## Windows Defender Application Control filename rules
File name rule levels provide administrators to specify the file attributes off which to base a file name rule. File name rules do not provide the same security guarantees that explicit signer rules do, as they are based on mutable access permissions. Specification of the file name level occurs when creating new policy rules. In addition, to combine file name levels found in multiple policies, you can merge multiple policies.
Use Table 3 to select the appropriate file name level for your available administrative resources and Windows Defender Application Control deployment scenario.
**Table 3. Windows Defender Application Control policy - filename levels**
| Rule level | Description |
|----------- | ----------- |
| **File Description** | Specifies the file description provided by the developer of the binary. |
| **Internal Name** | Specifies the internal name of the binary. |
| **Original File Name** | Specifies the original file name, or the name with which the file was first created, of the binary. |
| **Package Family Name** | Specifies the package family name of the binary. The package family name consists of two parts: the name of the file and the publisher ID. |
| **Product Name** | Specifies the name of the product with which the binary ships. |

4
windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
View File

@ -63,8 +63,8 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic
![Windows Security Center](images/secure-launch-msinfo.png)
>[!NOTE]
>To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
> [!NOTE]
> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-vbs).
## System requirements for System Guard