From 88020c99371814b2dde7f4135f89634b939c4137 Mon Sep 17 00:00:00 2001 From: Michael Niehaus Date: Wed, 2 Jan 2019 09:18:56 -0800 Subject: [PATCH 1/4] Update windows-autopilot.md Fixed out of date content, removed duplicated content (added links to the new pages), pointed to latest video --- .../windows-autopilot/windows-autopilot.md | 112 ++---------------- 1 file changed, 11 insertions(+), 101 deletions(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index df329861e8..ad0a658e74 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -34,7 +34,8 @@ Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intu The following video shows the process of setting up Windows Autopilot:
- + + ## Benefits of Windows Autopilot @@ -46,109 +47,18 @@ From the IT pros' perspective, the only interaction required from the end user, ## Windows Autopilot Scenarios -### Cloud-Driven +Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required on the users' side. -The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. +Windows Autopilot enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)). +* Restrict the Administrator account creation. +* Create and auto-assign devices to configuration groups based on a device's profile. +* Customize OOBE content specific to the organization. -#### The Windows Autopilot Deployment Program experience +See [Windows Autopilot requirements](windows-autopilot-requirements.md) for additional information on the requirements and pre-requisites for Windows Autopilot. -The Windows Autopilot Deployment Program enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) -* Restrict the Administrator account creation -* Create and auto-assign devices to configuration groups based on a device's profile -* Customize OOBE content specific to the organization - -##### Prerequisites - ->[!NOTE] ->Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. - -* [Devices must be registered to the organization](#device-registration-and-oobe-customization) -* [Company branding needs to be configured](#configure-company-branding-for-oobe) -* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) -* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later -* Devices must have access to the internet -* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) -* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) -* Microsoft Intune or other MDM services to manage your devices - -The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: -* Select a language and keyboard layout -* Connect to the network -* Provide email address (the email address of the user's Azure AD account) and password - -Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). - -MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date. +See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for an overview of the scenarios supported by Windows Autopilot.
- -#### Device registration and OOBE customization - -To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. - -If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. - -Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: -* Skipping Work or Home usage selection (*Automatic*) -* Skipping OEM registration, OneDrive and Cortana (*Automatic*) -* Skipping privacy settings -* Skipping EULA (*starting with Windows 10, version 1709*) -* Preventing the account used to set-up the device from getting local administrator permissions - -For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: -* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) -* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) -* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) - -##### Configure company branding for OOBE - -In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. - -See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. - -##### Configure MDM auto-enrollment in Microsoft Intune - -In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. - ->[!NOTE] ->MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. - -#### Network connectivity requirements - -The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. - -To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: - -* https://go.microsoft.com -* https://login.microsoftonline.com -* https://login.live.com -* https://account.live.com -* https://signup.live.com -* https://licensing.mp.microsoft.com -* https://licensing.md.mp.microsoft.com -* ctldl.windowsupdate.com -* download.windowsupdate.com - ->[!NOTE] ->Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. - ->[!TIP] ->If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). - -### IT-Driven - -If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). - - -### Self-Deploying - -Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying). - - -### Teacher-Driven - -If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. - From 3528c8fde4a989e489f2cc08c70c4713d743ebda Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 3 Jan 2019 12:19:04 -0800 Subject: [PATCH 2/4] Revert "Update windows-autopilot.md" --- .../windows-autopilot/windows-autopilot.md | 112 ++++++++++++++++-- 1 file changed, 101 insertions(+), 11 deletions(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index ad0a658e74..df329861e8 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -34,8 +34,7 @@ Once deployed, Windows 10 devices can be managed by tools such as Microsoft Intu The following video shows the process of setting up Windows Autopilot:
- - + ## Benefits of Windows Autopilot @@ -47,18 +46,109 @@ From the IT pros' perspective, the only interaction required from the end user, ## Windows Autopilot Scenarios -Windows Autopilot enables you to pre-register devices to your organization so that they will be fully configured with no additional intervention required on the users' side. +### Cloud-Driven -Windows Autopilot enables you to: -* Automatically join devices to Azure Active Directory (Azure AD) or Active Directory (via Hybrid Azure AD Join). See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. -* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)). -* Restrict the Administrator account creation. -* Create and auto-assign devices to configuration groups based on a device's profile. -* Customize OOBE content specific to the organization. +The Cloud-Driven scenario enables you to pre-register devices through the Windows Autopilot Deployment Program. Your devices will be fully configured with no additional intervention required on the users' side. -See [Windows Autopilot requirements](windows-autopilot-requirements.md) for additional information on the requirements and pre-requisites for Windows Autopilot. +#### The Windows Autopilot Deployment Program experience -See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-autopilot-scenarios) for an overview of the scenarios supported by Windows Autopilot. +The Windows Autopilot Deployment Program enables you to: +* Automatically join devices to Azure Active Directory (Azure AD) +* Auto-enroll devices into MDM services, such as Microsoft Intune ([*Requires an Azure AD Premium subscription*](#prerequisites)) +* Restrict the Administrator account creation +* Create and auto-assign devices to configuration groups based on a device's profile +* Customize OOBE content specific to the organization + +##### Prerequisites + +>[!NOTE] +>Today, Windows Autopilot user-driven mode supports joining devices to Azure Active Directory. Support for Hybrid Azure Active Directory Join (with devices joined to an on-premises Active Directory domain) will be available in a future Windows 10 release. See [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction) for more information about the differences between these two join options. + +* [Devices must be registered to the organization](#device-registration-and-oobe-customization) +* [Company branding needs to be configured](#configure-company-branding-for-oobe) +* [Network connectivity to cloud services used by Windows Autopilot](#network-connectivity-requirements) +* Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later +* Devices must have access to the internet +* [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features) +* [Users must be allowed to join devices into Azure AD](https://docs.microsoft.com/azure/active-directory/device-management-azure-portal) +* Microsoft Intune or other MDM services to manage your devices + +The end-user unboxes and turns on a new device. What follows are a few simple configuration steps: +* Select a language and keyboard layout +* Connect to the network +* Provide email address (the email address of the user's Azure AD account) and password + +Multiple additional settings are skipped here, since the device automatically recognizes that [it belongs to an organization](#registering-devices-to-your-organization). Following this process the device is joined to Azure AD, enrolled in Microsoft Intune (or any other MDM service). + +MDM enrollment ensures policies are applied, apps are installed and setting are configured on the device. Windows Update for Business applies the latest updates to ensure the device is up to date.
+ +#### Device registration and OOBE customization + +To register devices, you will need to acquire their hardware ID and register it. We are actively working with various hardware vendors to enable them to provide the required information to you, or upload it on your behalf. + +If you would like to capture that information by yourself, you can use the [Get-WindowsAutopilotInfo PowerShell script](https://www.powershellgallery.com/packages/Get-WindowsAutopilotInfo), which will generate a .csv file with the device's hardware ID. + +Once devices are registered, these are the OOBE customization options available for Windows 10, starting with version 1703: +* Skipping Work or Home usage selection (*Automatic*) +* Skipping OEM registration, OneDrive and Cortana (*Automatic*) +* Skipping privacy settings +* Skipping EULA (*starting with Windows 10, version 1709*) +* Preventing the account used to set-up the device from getting local administrator permissions + +For guidance on how to register devices, configure and apply deployment profiles, follow one of the available administration options: +* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles) +* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot) +* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) + +##### Configure company branding for OOBE + +In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first. + +See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. + +##### Configure MDM auto-enrollment in Microsoft Intune + +In order for your devices to be auto-enrolled into MDM management, MDM auto-enrollment needs to be configured in Azure AD. To do that with Microsoft Intune, please see [Enroll Windows devices for Microsoft Intune](https://docs.microsoft.com/intune/windows-enroll). For other MDM vendors, please consult your vendor for further details. + +>[!NOTE] +>MDM auto-enrollment requires an Azure AD Premium P1 or P2 subscription. + +#### Network connectivity requirements + +The Windows Autopilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices. + +To manage devices behind firewalls and proxy servers, the following URLs need to be accessible: + +* https://go.microsoft.com +* https://login.microsoftonline.com +* https://login.live.com +* https://account.live.com +* https://signup.live.com +* https://licensing.mp.microsoft.com +* https://licensing.md.mp.microsoft.com +* ctldl.windowsupdate.com +* download.windowsupdate.com + +>[!NOTE] +>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible. + +>[!TIP] +>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidelines for [Microsoft Intune](https://docs.microsoft.com/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2). + +### IT-Driven + +If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package). + + +### Self-Deploying + +Windows Autopilot self-deploying mode offers truly zero touch provisioning. With this mode, all you need to do is power on a device, plug it into Ethernet, and watch Windows Autopilot fully configure the device. No additional user interaction is required. see [Windows Autopilot Self-Deploying mode (Preview)] (/windows/deployment/windows-autopilot/self-deploying). + + +### Teacher-Driven + +If you're an IT pro or a technical staff member at a school, your scenario might be simpler. The [Set Up School PCs](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) app can be used to quickly set up PCs for students and will get you to a productive state faster and simpler. Please see [Use the Set up School PCs app](https://docs.microsoft.com/education/windows/use-set-up-school-pcs-app) for all the details. + From 879064ffb0cb1a2a8480771848f37d6e0954dbbd Mon Sep 17 00:00:00 2001 From: Jason Gerend Date: Fri, 4 Jan 2019 10:26:46 -0800 Subject: [PATCH 3/4] Updated SMB1 perf note --- .../security-policy-settings/includes/smb1-perf-note.md | 8 ++++++++ ...network-client-digitally-sign-communications-always.md | 4 ++-- ...ient-digitally-sign-communications-if-server-agrees.md | 4 ++-- ...network-server-digitally-sign-communications-always.md | 4 ++-- ...rver-digitally-sign-communications-if-client-agrees.md | 4 ++-- 5 files changed, 16 insertions(+), 8 deletions(-) create mode 100644 windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md diff --git a/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md new file mode 100644 index 0000000000..f8676a335b --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/includes/smb1-perf-note.md @@ -0,0 +1,8 @@ +--- +author: jasongerend +ms.author: jgerend +ms.date: 1/4/2019 +ms.topic: include +ms.prod: w10 +--- +Using SMB packet signing can degrade performance on file service transactions, depending on the version of SMB and available CPU cycles. \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md index 988d211159..78a93d1dc7 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (always) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: - [Microsoft network server: Digitally sign communications (always)](smbv1-microsoft-network-server-digitally-sign-communications-always.md) diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md index 16cffebd8d..74f1f7f04d 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network client: Digitally sign communications (if server agrees) @@ -29,7 +29,7 @@ If server-side SMB signing is required, a client computer will not be able to es If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md index 8e2cdd2740..9661827e2a 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/201 +ms.date: 01/04/2019 --- # SMB v1 Microsoft network server: Digitally sign communications (always) @@ -33,7 +33,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client devices that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: diff --git a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md index 654a737d1a..7443f0f9de 100644 --- a/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md +++ b/windows/security/threat-protection/security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 06/19/2018 +ms.date: 01/04/2019 --- # SMBv1 Microsoft network server: Digitally sign communications (if client agrees) @@ -31,7 +31,7 @@ If server-side SMB signing is required, a client device will not be able to esta If server-side SMB signing is enabled, SMB packet signing will be negotiated with client computers that have SMB signing enabled. -Using SMB packet signing can impose up to a 15 percent performance degradation on file service transactions. +[!INCLUDE [smb1-perf-note](includes/smb1-perf-note.md)] There are three other policy settings that relate to packet-signing requirements for Server Message Block (SMB) communications: From 071499b1a8d49ada37e10e18426af899d7f7b221 Mon Sep 17 00:00:00 2001 From: Ed Gallagher Date: Sun, 6 Jan 2019 14:52:48 -0600 Subject: [PATCH 4/4] Fixed links and capitalization Updated link for TPM PowerShell. Fixed capitalization of Windows Server in note. Update planning and policies link to docs page instead of TechNet page. --- .../tpm/trusted-platform-module-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md index 1b2b769c35..3d34861247 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md @@ -70,7 +70,7 @@ Some things that you can check on the device are: - Is SecureBoot supported and enabled? > [!NOTE] -> Windows 10, Windows Server 2016 and Windows server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. +> Windows 10, Windows Server 2016 and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected. ## Supported versions for device health attestation @@ -83,5 +83,5 @@ Some things that you can check on the device are: ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) -- [TPM Cmdlets in Windows PowerShell](https://technet.microsoft.com/library/jj603116.aspx) -- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://technet.microsoft.com/itpro/windows/keep-secure/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations) +- [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule) +- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](https://docs.microsoft.com/windows/security/information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies#bkmk-tpmconfigurations)