diff --git a/devices/hololens/hololens-calibration.md b/devices/hololens/hololens-calibration.md index a2696bfe68..cfc55d1070 100644 --- a/devices/hololens/hololens-calibration.md +++ b/devices/hololens/hololens-calibration.md @@ -99,7 +99,7 @@ You can also disable the calibration prompt by following these steps: 1. Turn off **When a new person uses this HoloLens, automatically ask to run eye calibration**. > [!IMPORTANT] -> Please understand that this setting may adversely affect hologram rendering quality and comfort. +> This setting may adversely affect hologram rendering quality and comfort. When you turn off this setting, features that depend on eye tracking (such as text scrolling) no longer work in immersive applications. ### HoloLens 2 eye-tracking technology diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 0729485e7d..d7ca664169 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md @@ -56,7 +56,7 @@ To use these commands, gaze at a 3D object, hologram, or app window. | "Face me" | Turn it to face you | | "Move this" | Move it (follow your gaze) | | "Close" | Close it | -| "Follow" / "Stop following" | Make it follow you as you move around | +| "Follow me" / "Stop following" | Make it follow you as you move around | ### See it, say it @@ -64,7 +64,7 @@ Many buttons and other elements on HoloLens also respond to your voice—for exa ### Dictation mode -Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone icon or say "Start dictating." To stop dictating, select **Done** or say "Stop dictating." To delete what you just dictated, say "Delete that." +Tired of typing? Switch to dictation mode any time that the holographic keyboard is active. To get started, select the microphone button or say "Start dictating." To stop dictating, select the button again or say "Stop dictating." To delete what you just dictated, say "Delete that." > [!NOTE] > To use dictation mode, you have to have an internet connection. diff --git a/devices/hololens/hololens2-fit-comfort-faq.md b/devices/hololens/hololens2-fit-comfort-faq.md index 397d61bb67..e97e03f502 100644 --- a/devices/hololens/hololens2-fit-comfort-faq.md +++ b/devices/hololens/hololens2-fit-comfort-faq.md @@ -43,6 +43,15 @@ Try adjusting the position of your device visor so the holographic frame matches - **If you need to look up to see holograms**. First, shift the back of the headband a bit higher on your head. Then use one hand to hold the headband in place and the other to gently rotate the visor so you have a good view of the holographic frame. - **If you need to look down to see holograms**. First, shift the back of the headband a bit lower on your head. Then place your thumbs under the device arms and your index fingers on top of the headband, and gently squeeze with your thumbs to rotate the visor so you have a good view of the holographic frame. +## Hologram image color or brightness does not look right + +For HoloLens 2, take the following steps to ensure the highest visual quality of holograms presented in displays: + +- **Increase brightness of the display.** Holograms look best when the display is at its brightest level. +- **Bring visor closer to your eyes.** Swing the visor down to the closest position to your eyes. +- **Shift visor down.** Try moving the brow pad on your forehead down, which will result in the visor moving down closer to your nose. +- **Run eye calibration.** The display uses your IPD and eye gaze to optimize images on the display. If you don't run eye calibration, the image quality may be made worse. + ## The device slides down when I'm using it, or I need to make the headband too tight to keep it secure The overhead strap can help keep your HoloLens secure on your head, particularly if you're moving around a lot. The strap may also let you loosen the headband a bit. [Learn how to use it](hololens2-setup.md#adjust-fit). diff --git a/devices/hololens/hololens2-language-support.md b/devices/hololens/hololens2-language-support.md index 31e4077fbc..29553845a4 100644 --- a/devices/hololens/hololens2-language-support.md +++ b/devices/hololens/hololens2-language-support.md @@ -17,7 +17,7 @@ appliesto: # Supported languages for HoloLens 2 -HoloLens 2 supports the following languages. This support includes voice commands and dictation features. +HoloLens 2 supports the following languages, including voice commands and dictation features, keyboard layouts, and OCR recognition within apps. - Chinese Simplified (China) - English (Australia) @@ -37,9 +37,37 @@ HoloLens 2 is also available in the following languages. However, this support d - Dutch (Netherlands) - Korean (Korea) -## Changing language or keyboard +# Changing language or keyboard + +The setup process configures your HoloLens for a region and language. You can change this configuration by using the **Time & language** section of **Settings**. > [!NOTE] > Your speech and dictation language depends on the Windows display language. -> -To change the Windows display language, region, or keyboard settings, use the start gesture to open the **Start** menu, and then select **Settings** > **Time and Language** > **Language**. + +## To change the Windows display language + +1. Go to the **Start** menu, and then select **Settings** > **Time and language** > **Language**. +2. Select **Windows display language**, and then select a language. + +If the supported language you’re looking for is not in the menu, follow these steps: + +1. Under **Preferred languages** select **Add a language**. +2. Search for and add the language. +3. Select the **Windows display language** menu again and choose the language you added. + +The Windows display language affects the following settings for Windows and for apps that support localization: + +- The user interface text language. +- The speech language. +- The default layout of the on-screen keyboard. + +## To change the keyboard layout + +To add or remove a keyboard layout, open the **Start** menu and then select **Settings** > **Time & language** > **Keyboard**. + +If your HoloLens has more than one keyboard layout, use the **Layout** key to switch between them. The **Layout** key is in the lower right corner of the on-screen keyboard. + +> [!NOTE] +> The on-screen keyboard can use Input Method Editor (IME) to enter characters in languages such as Chinese. However, HoloLens does not support external Bluetooth keyboards that use IME. +> +> While you use IME with the on-screen keyboard, you can continue to use a Bluetooth keyboard to type in English. To switch between keyboards, press ~. diff --git a/devices/hololens/index.md b/devices/hololens/index.md index 6725da5e81..98835e4ce5 100644 --- a/devices/hololens/index.md +++ b/devices/hololens/index.md @@ -55,4 +55,4 @@ appliesto: ## Related resources * [Documentation for Holographic app development](https://developer.microsoft.com/windows/mixed-reality/development) -* [HoloLens release notes](https://developer.microsoft.com/windows/mixed-reality/release_notes) +* [HoloLens release notes](https://docs.microsoft.com/hololens/hololens-release-notes) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index c0de52de12..59d2d76a0d 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -7,6 +7,7 @@ ### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md) ### [Adjust Surface Hub 2S brightness, volume, and input](surface-hub-2s-onscreen-display.md) +### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d) ## Plan ### [Surface Hub 2S Site Readiness Guide](surface-hub-2s-site-readiness-guide.md) @@ -58,6 +59,7 @@ ### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md) ### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) ### [Technical information for 84” Microsoft Surface Hub](surface-hub-technical-84.md) +### [Use Microsoft Whiteboard on a Surface Hub](https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d) ## Plan ### [Prepare your environment for Microsoft Surface Hub](prepare-your-environment-for-surface-hub.md) diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index e4fa9986f3..f60588a000 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -30,7 +30,6 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor

Behind the design: Surface Hub 2S

What's new in Surface Hub 2S

Operating system essentials

-

Enable Microsoft Whiteboard on Surface Hub

diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index d3fdb628ab..7f3793ed3f 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -49,6 +49,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 ```PowerShell New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` +[!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. diff --git a/devices/surface-hub/surface-hub-2s-manage-intune.md b/devices/surface-hub/surface-hub-2s-manage-intune.md index 1e0a03d797..be1df464ef 100644 --- a/devices/surface-hub/surface-hub-2s-manage-intune.md +++ b/devices/surface-hub/surface-hub-2s-manage-intune.md @@ -28,7 +28,7 @@ Surface Hub 2S allows IT administrators to manage settings and policies using a ### Auto registration — Azure Active Directory Affiliated -When affiliating Surface Hub 2S with a tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). +During the initial setup process, when affiliating a Surface Hub with an Azure AD tenant that has Intune auto enrollment enabled, the device will automatically enroll with Intune. For more information, refer to [Intune enrollment methods for Windows devices](https://docs.microsoft.com/intune/enrollment/windows-enrollment-methods). Azure AD affiliation and Intune auto enrollment is required for the Surface Hub to be a "compliant device" in Intune. ## Windows 10 Team Edition settings diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 8c512f48c2..47c2ffed10 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -21,11 +21,10 @@ When deploying Surface devices in point of sale or other “always-on” kiosk scenarios, you can optimize power management using the new Surface Brightness Control app. -Available for download with [Surface Tools for -IT](https://www.microsoft.com/download/details.aspx?id=46703), Surface Brightness Control is -designed to help reduce thermal load and lower the overall carbon -footprint for deployed Surface devices. The tool automatically dims the screen when not in use and -includes the following configuration options: +Available for download with [Surface Tools for IT](https://www.microsoft.com/download/details.aspx?id=46703). +Surface Brightness Control is designed to help reduce thermal load and lower the overall carbon footprint for deployed Surface devices. +If you plan to get only this tool from the download page, select the file **Surface_Brightness_Control_v1.16.137.0.msi** in the available list. +The tool automatically dims the screen when not in use and includes the following configuration options: - Period of inactivity before dimming the display. diff --git a/mdop/agpm/troubleshooting-agpm40-upgrades.md b/mdop/agpm/troubleshooting-agpm40-upgrades.md index c19488dbb0..0275e8dc91 100644 --- a/mdop/agpm/troubleshooting-agpm40-upgrades.md +++ b/mdop/agpm/troubleshooting-agpm40-upgrades.md @@ -39,3 +39,18 @@ This section lists common issues that you may encounter when you upgrade your Ad - Install the required hotfix. - Connect to AGPM using an AGPM client to test that your difference reports are now functioning. + +## Install Hotfix Package 1 for Microsoft Advanced Group Policy Management 4.0 SP3 + +**Issue fixed in this hotfix**: AGPM can't generate difference reports when it controls or manages new Group Policy Objects (GPOs). + +**How to get this update**: Install the latest version of Microsoft Desktop Optimization Pack ([March 2017 Servicing Release](https://www.microsoft.com/download/details.aspx?id=54967)). See [KB 4014009](https://support.microsoft.com/help/4014009/) for more information. + +More specifically, you can choose to download only the first file, `AGPM4.0SP1_Server_X64_KB4014009.exe`, from the list presented after pressing the download button. + +The download link to the Microsoft Desktop Optimization Pack (March 2017 Servicing Release) can be found [here](https://www.microsoft.com/download/details.aspx?id=54967). + + +## Reference link +https://support.microsoft.com/help/3127165/hotfix-package-1-for-microsoft-advanced-group-policy-management-4-0-sp + diff --git a/mdop/mbam-v25/deploy-mbam.md b/mdop/mbam-v25/deploy-mbam.md index eefee88047..a921105176 100644 --- a/mdop/mbam-v25/deploy-mbam.md +++ b/mdop/mbam-v25/deploy-mbam.md @@ -1,13 +1,14 @@ --- title: Deploying MBAM 2.5 in a stand-alone configuration description: Introducing how to deploy MBAM 2.5 in a stand-alone configuration. -author: delhan +author: Deland-Han ms.reviewer: dcscontentpm manager: dansimp ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 +manager: dcscontentpm --- # Deploying MBAM 2.5 in a standalone configuration diff --git a/mdop/mbam-v25/troubleshooting-mbam-installation.md b/mdop/mbam-v25/troubleshooting-mbam-installation.md index d58974a50e..b38d7b7818 100644 --- a/mdop/mbam-v25/troubleshooting-mbam-installation.md +++ b/mdop/mbam-v25/troubleshooting-mbam-installation.md @@ -1,13 +1,14 @@ --- title: Troubleshooting MBAM 2.5 installation problems description: Introducing how to troubleshoot MBAM 2.5 installation problems. -author: delhan +author: Deland-Han ms.reviewer: dcscontentpm manager: dansimp ms.author: delhan ms.sitesec: library ms.prod: w10 ms.date: 09/16/2019 +manager: dcscontentpm --- # Troubleshooting MBAM 2.5 installation problems diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md index 662ae5f90e..cee81bcd72 100644 --- a/windows/client-management/introduction-page-file.md +++ b/windows/client-management/introduction-page-file.md @@ -8,7 +8,7 @@ author: Deland-Han ms.localizationpriority: medium ms.author: delhan ms.reviewer: greglin -manager: willchen +manager: dcscontentpm --- # Introduction to page files diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md index d17799b5a8..c5b559cf50 100644 --- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md +++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md @@ -36,8 +36,7 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro > - Bulk-join is not supported in Azure Active Directory Join. > - Bulk enrollment does not work in Intune standalone environment. > - Bulk enrollment works in System Center Configuration Manager (SCCM) + Intune hybrid environment where the ppkg is generated from the SCCM console. - - +> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**. ## What you need @@ -169,4 +168,3 @@ Here are links to step-by-step provisioning topics in Technet. - diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 13a78b2032..414a9c8515 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -635,7 +635,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego > This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education, and Windows 10 Mobile Enterprise > [!Important] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Enterprise. +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Enterprise.

Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. diff --git a/windows/client-management/mdm/policy-csp-appruntime.md b/windows/client-management/mdm/policy-csp-appruntime.md index fce0c40f17..7c7efc8c73 100644 --- a/windows/client-management/mdm/policy-csp-appruntime.md +++ b/windows/client-management/mdm/policy-csp-appruntime.md @@ -99,14 +99,5 @@ ADMX Info:

-Footnotes: - -- 1 - Added in Windows 10, version 1607. -- 2 - Added in Windows 10, version 1703. -- 3 - Added in Windows 10, version 1709. -- 4 - Added in Windows 10, version 1803. -- 5 - Added in Windows 10, version 1809. -- 6 - Added in Windows 10, version 1903. - diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index d096ead06d..9d98a92f10 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -4248,7 +4248,7 @@ ADMX Info: > [!IMPORTANT] -> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enteprise and IoT Mobile. +> Starting in Windows 10, version 1703 this policy is not supported in Windows 10 Mobile Enterprise and IoT Mobile. Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet. diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index c5727c4674..92f6496c2d 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md @@ -1,6 +1,6 @@ --- title: WiredNetwork CSP -description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. +description: The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP. Learn how it works. ms.author: dansimp ms.topic: article ms.prod: w10 diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index e902d0cfe2..7741d3ba98 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -58,7 +58,7 @@ This procedure explains how to configure digital signage using Kiosk Browser on - Enter a user name and password, and toggle **Auto sign-in** to **Yes**. - Under **Configure the kiosk mode app**, enter the user name for the account that you're creating. - For **App type**, select **Universal Windows App**. - - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe`. + - In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`. 11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**. 12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu. - In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`. diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 3f8f818281..8741709766 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -1,6 +1,6 @@ --- title: Configure MDT deployment share rules (Windows 10) -description: In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. +description: Learn how to configure the MDT rules engine to reach out to other resources for additional information instead of storing settings directly in the rules engine. ms.assetid: b5ce2360-33cc-4b14-b291-16f75797391b ms.reviewer: manager: laurawi @@ -27,7 +27,7 @@ When using MDT, you can assign setting in three distinct ways: - You can prompt the user or technician for information. - You can have MDT generate the settings automatically. -In order illustrate these three options, let's look at some sample configurations. +In order to illustrate these three options, let's look at some sample configurations. ## Sample configurations diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md index 4f7de42969..2d1cffeadc 100644 --- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md +++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md @@ -1,6 +1,6 @@ --- title: Use web services in MDT (Windows 10) -description: In this topic, you will learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. +description: Learn how to create a simple web service that generates computer names and then configure MDT to use that service during your Windows 10 deployment. ms.assetid: 8f47535e-0551-4ccb-8f02-bb97539c6522 ms.reviewer: manager: laurawi diff --git a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index d7435593a7..2951abbc45 100644 --- a/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -1,6 +1,6 @@ --- title: Prepare for Zero Touch Installation of Windows 10 with Configuration Manager (Windows 10) -description: This topic will walk you through the process of integrating Microsoft System Center 2012 R2 Configuration Manager SP1 with Microsoft Deployment Toolkit (MDT) 2013 Update 2, as well as the other preparations needed to deploying Windows 10 via Zero Touch Installation. Additional preparations include the installation of hotfixes as well as activities that speed up the Pre-Boot Execution Environment (PXE). +description: Learn how to prepare a Zero Touch Installation of Windows 10 with Configuration Manager, by integrating Configuration Manager with Microsoft Deployment Toolkit. ms.assetid: 06e3a221-31ef-47a5-b4da-3b927cb50d08 ms.reviewer: manager: laurawi diff --git a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 78e75ded51..f807d3f0e8 100644 --- a/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-sccm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,147 +1,148 @@ ---- -title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) -description: This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. -ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: upgrade, install, installation, computer refresh -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager - - -**Applies to** - -- Windows 10 versions 1507, 1511 - ->[!IMPORTANT] ->For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). ->Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). - -This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). - -A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps: - -1. Data and settings are backed up locally in a backup folder. - -2. The partition is wiped, except for the backup folder. - -3. The new operating system image is applied. - -4. Other applications are installed. - -5. Data and settings are restored. - -For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). - -In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed. - -## Create a device collection and add the PC0003 computer - - -1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - - * General - - * Name: Install Windows 10 Enterprise x64 - - * Limited Collection: All Systems - - * Membership rules: - - * Direct rule - - * Resource Class: System Resource - - * Attribute Name: Name - - * Value: PC0003 - - * Select **Resources** - - * Select **PC0003** - -2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. - - >[!NOTE] - >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. - - - -## Create a new deployment - - -Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings: - -- General - - - Collection: Install Windows 10 Enterprise x64 - -- Deployment Settings - - - Purpose: Available - - - Make available to the following: Configuration Manager clients, media and PXE - - >[!NOTE] - >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - - - -- Scheduling - - - <default> - -- User Experience - - - <default> - -- Alerts - - - <default> - -- Distribution Points - - - <default> - -## Initiate a computer refresh - - -Now you can start the computer refresh on PC0003. - -1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**. - - >[!NOTE] - >The Client Notification feature is new in Configuration Manager. - -2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**. - -3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**. - -## Related topics - - -[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) - -[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) +--- +title: Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager (Windows 10) +description: Learn how to use Configuration Manager and Microsoft Deployment Toolkit (MDT) to refresh a Windows 7 SP1 client with Windows 10. +ms.assetid: 57c81667-1019-4711-b3de-15ae9c5387c7 +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: upgrade, install, installation, computer refresh +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager + + +**Applies to** + +- Windows 10 versions 1507, 1511 + +>[!IMPORTANT] +>For instructions to deploy the most recent version of Windows 10 with Configuration Manager, see [Scenarios to deploy enterprise operating systems with System Center Configuration Manager](https://docs.microsoft.com/sccm/osd/deploy-use/scenarios-to-deploy-enterprise-operating-systems). +>Configuration Manager 2012 and 2012 R2 provide support for Windows 10 versions 1507 and 1511 only. Later versions of Windows 10 require an updated Configuration Manager release. For a list of Configuration Manager versions and the corresponding Windows 10 client versions that are supported, see [Support for Windows 10 for System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/configs/support-for-windows-10). + +This topic will show you how to use a previously created task sequence to refresh a Windows 7 SP1 client with Windows 10 using Microsoft System Center 2012 R2 Configuration Manager and Microsoft Deployment Toolkit (MDT) 2013 Update 2. When refreshing a machine to a later version, it appears as an upgrade to the end user, but technically it is not an in-place upgrade. A computer refresh also involves taking care of user data and settings from the old installation and making sure to restore those at the end of the installation. For more information, see [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). + +A computer refresh with System Center 2012 R2 Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager involves the following steps: + +1. Data and settings are backed up locally in a backup folder. + +2. The partition is wiped, except for the backup folder. + +3. The new operating system image is applied. + +4. Other applications are installed. + +5. Data and settings are restored. + +For the purposes of this topic, we will use three machines: DC01, CM01, and PC0003. DC01 is a domain controller and CM01 is a machine running Windows Server 2012 R2 Standard. PC0003 is a machine with Windows 7 SP1, on which Windows 10 will be deployed. DC01, CM01, and PC003 are all members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](../deploy-windows-mdt/deploy-windows-10-with-the-microsoft-deployment-toolkit.md). + +In this topic, we assume that you have a Windows 7 SP1 client named PC0003 with the Configuration Manager client installed. + +## Create a device collection and add the PC0003 computer + + +1. On CM01, using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: + + * General + + * Name: Install Windows 10 Enterprise x64 + + * Limited Collection: All Systems + + * Membership rules: + + * Direct rule + + * Resource Class: System Resource + + * Attribute Name: Name + + * Value: PC0003 + + * Select **Resources** + + * Select **PC0003** + +2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. + + >[!NOTE] + >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. + + + +## Create a new deployment + + +Using the Configuration Manager console, in the Software Library workspace, select **Task Sequences**, right-click **Windows 10 Enterprise x64 RTM**, and then select **Deploy**. Use the following settings: + +- General + + - Collection: Install Windows 10 Enterprise x64 + +- Deployment Settings + + - Purpose: Available + + - Make available to the following: Configuration Manager clients, media and PXE + + >[!NOTE] + >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + + + +- Scheduling + + - <default> + +- User Experience + + - <default> + +- Alerts + + - <default> + +- Distribution Points + + - <default> + +## Initiate a computer refresh + + +Now you can start the computer refresh on PC0003. + +1. Using the Configuration Manager console, in the Asset and Compliance workspace, in the Install Windows 10 Enterprise x64 collection, right-click **PC0003** and select **Client Notification / Download Computer Policy**. Click **OK**. + + >[!NOTE] + >The Client Notification feature is new in Configuration Manager. + +2. On PC0003, using the Software Center (begin using the Start screen, or click the **New software is available** balloon in the system tray), select the **Windows 10 Enterprise x64 RTM** deployment and click **INSTALL**. + +3. In the **Software Center** warning dialog box, click **INSTALL OPERATING SYSTEM**. + +## Related topics + + +[Integrate Configuration Manager with MDT](../deploy-windows-mdt/integrate-configuration-manager-with-mdt.md) + +[Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) + +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) + +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) + +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) + +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) + +[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md) + +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) + +[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/planning/index.md b/windows/deployment/planning/index.md index 454580a0c1..6f28178063 100644 --- a/windows/deployment/planning/index.md +++ b/windows/deployment/planning/index.md @@ -1,6 +1,6 @@ --- title: Plan for Windows 10 deployment (Windows 10) -description: Windows 10 provides new deployment capabilities, scenarios, and tools by building on technologies introduced in Windows 7, and Windows 8.1, while at the same time introducing new Windows as a service concepts to keep the operating system up to date. +description: Find resources for your Windows 10 deployment. Windows 10 provides new deployment capabilities and tools, and introduces new ways to keep the OS up to date. ms.assetid: 002F9B79-B50F-40C5-A7A5-0B4770E6EC15 keywords: deploy, upgrade, update, configure ms.prod: w10 diff --git a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md index 47e9283fef..3aac6db8f1 100644 --- a/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md +++ b/windows/deployment/planning/managing-application-compatibility-fixes-and-custom-fix-databases.md @@ -1,66 +1,67 @@ ---- -title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) -description: This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. -ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 -ms.reviewer: -manager: laurawi -ms.author: greglin -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: appcompat -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.date: 04/19/2017 -ms.topic: article ---- - -# Managing Application-Compatibility Fixes and Custom Fix Databases - - -**Applies to** - -- Windows 10 -- Windows 8.1 -- Windows 8 -- Windows 7 -- Windows Server 2012 -- Windows Server 2008 R2 - -This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. - -## In this section - - - ---- - - - - - - - - - - - - - - - - - - - - -
TopicDescription

Understanding and Using Compatibility Fixes

As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.

Compatibility Fix Database Management Strategies and Deployment

After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:

Testing Your Application Mitigation Packages

This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.

- - - -## Related topics -[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) - -[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) +--- +title: Managing Application-Compatibility Fixes and Custom Fix Databases (Windows 10) +description: Learn why you should use compatibility fixes, and how to deploy and manage custom-compatibility fix databases. +ms.assetid: 9c2e9396-908e-4a36-ad67-2e40452ce017 +ms.reviewer: +manager: laurawi +ms.author: greglin +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: appcompat +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.date: 04/19/2017 +ms.topic: article +--- + +# Managing Application-Compatibility Fixes and Custom Fix Databases + + +**Applies to** + +- Windows 10 +- Windows 8.1 +- Windows 8 +- Windows 7 +- Windows Server 2012 +- Windows Server 2008 R2 + +This section provides information about managing your application-compatibility fixes and custom-compatibility fix databases. This section explains the reasons for using compatibility fixes and how to deploy custom-compatibility fix databases. + +## In this section + + + ++++ + + + + + + + + + + + + + + + + + + + + +
TopicDescription

Understanding and Using Compatibility Fixes

As the Windows operating system evolves to support new technology and functionality, the implementations of some functions may change. This can cause problems for applications that relied upon the original implementation. You can avoid compatibility issues by using the Microsoft Windows Application Compatibility (Compatibility Fix) infrastructure to create a specific application fix for a particular version of an application.

Compatibility Fix Database Management Strategies and Deployment

After you determine that you will use compatibility fixes in your application-compatibility mitigation strategy, you must define a strategy to manage your custom compatibility-fix database. Typically, you can use one of two approaches:

Testing Your Application Mitigation Packages

This topic provides details about testing your application-mitigation packages, including recommendations about how to report your information and how to resolve any outstanding issues.

+ + + +## Related topics +[Compatibility Administrator User's Guide](compatibility-administrator-users-guide.md) + +[Using the Compatibility Administrator Tool](using-the-compatibility-administrator-tool.md) diff --git a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md index 7eeaf18a3f..905e495858 100644 --- a/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md +++ b/windows/deployment/planning/security-and-data-protection-considerations-for-windows-to-go.md @@ -1,86 +1,87 @@ ---- -title: Security and data protection considerations for Windows To Go (Windows 10) -description: One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. -ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe -ms.reviewer: -manager: laurawi -ms.author: greglin -keywords: mobile, device, USB, secure, BitLocker -ms.prod: w10 -ms.mktglfcycl: plan -ms.pagetype: mobility, security -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.topic: article ---- - -# Security and data protection considerations for Windows To Go - - -**Applies to** - -- Windows 10 - ->[!IMPORTANT] ->Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. - -One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. - -## Backup and restore - - -As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](https://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement. - -If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). - -## BitLocker - - -We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. - -You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. - -**Tip**   -If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail) - - - -If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. - -## Disk discovery and data leakage - - -We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. - -To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and therefor user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. - -For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](https://go.microsoft.com/fwlink/p/?LinkId=619103). - -## Security certifications for Windows To Go - - -Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics. - -- [Windows Platform Common Criteria Certification](https://go.microsoft.com/fwlink/p/?LinkId=619104) - -- [FIPS 140 Evaluation](https://go.microsoft.com/fwlink/p/?LinkId=619107) - -## Related topics - - -[Windows To Go: feature overview](windows-to-go-overview.md) - -[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) - -[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) - -[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) - - - - - - - - - +--- +title: Security and data protection considerations for Windows To Go (Windows 10) +description: Ensure that the data, content, and resources you work with in the Windows To Go workspace are protected and secure. +ms.assetid: 5f27339f-6761-44f4-8c29-9a25cf8e75fe +ms.reviewer: +manager: laurawi +ms.author: greglin +keywords: mobile, device, USB, secure, BitLocker +ms.prod: w10 +ms.mktglfcycl: plan +ms.pagetype: mobility, security +ms.sitesec: library +audience: itpro +author: greg-lindsay +ms.topic: article +--- + +# Security and data protection considerations for Windows To Go + + +**Applies to** + +- Windows 10 + +>[!IMPORTANT] +>Windows To Go is no longer being developed. The feature does not support feature updates and therefore does not enable you to stay current. It also requires a specific type of USB that is no longer supported by many OEMs. + +One of the most important requirements to consider when you plan your Windows To Go deployment is to ensure that the data, content, and resources you work with in the Windows To Go workspace is protected and secure. + +## Backup and restore + + +As long as you are not saving data on the Windows To Go drive, there is no need for a backup and restore solution for Windows To Go. If you are saving data on the drive and are not using folder redirection and offline files, you should back up all of your data to a network location, such as cloud storage or a network share after each work session. Review the new and improved features described in [Supporting Information Workers with Reliable File Services and Storage](https://go.microsoft.com/fwlink/p/?LinkId=619102) for different solutions you could implement. + +If the USB drive fails for any reason, the standard process to restore the drive to working condition is to reformat and re-provision the drive with Windows To Go, so all data and customization on the drive will be lost. This is another reason why using roaming user profiles, folder redirection and offline files with Windows To Go is strongly recommended. For more information, see [Folder Redirection, Offline Files, and Roaming User Profiles overview](https://go.microsoft.com/fwlink/p/?LinkId=618924). + +## BitLocker + + +We recommend that you use BitLocker with your Windows To Go drives to protect the drive from being compromised if the drive is lost or stolen. When BitLocker is enabled, the user must provide a password to unlock the drive and boot the Windows To Go workspace, this helps prevent unauthorized users from booting the drive and using it to gain access to your network resources and confidential data. Because Windows To Go drives are meant to be roamed between computers, the Trusted Platform Module (TPM) cannot be used by BitLocker to protect the drive. Instead, you will be specifying a password that BitLocker will use for disk encryption and decryption. By default, this password must be eight characters in length and can enforce more strict requirements depending on the password complexity requirements defined by your organizations domain controller. + +You can enable BitLocker while using the Windows To Go Creator wizard as part of the drive provisioning process before first use; or it can be enabled afterward by the user from within the Windows To Go workspace. + +**Tip**   +If the Windows To Go Creator wizard is not able to enable BitLocker, see [Why can't I enable BitLocker from Windows To Go Creator?](windows-to-go-frequently-asked-questions.md#wtg-faq-blfail) + + + +If you are using a host computer running Windows 7 that has BitLocker enabled, you should suspend BitLocker before changing the BIOS settings to boot from USB and then resume BitLocker protection. If BitLocker is not suspended first, the next time the computer is started it will boot into recovery mode. + +## Disk discovery and data leakage + + +We recommend that you use the **NoDefaultDriveLetter** attribute when provisioning the USB drive to help prevent accidental data leakage. **NoDefaultDriveLetter** will prevent the host operating system from assigning a drive letter if a user inserts it into a running computer. This means the drive will not appear in Windows Explorer and an AutoPlay prompt will not be displayed to the user. This reduces the likelihood that an end-user will access the offline Windows To Go disk directly from another computer. If you use the Windows To Go Creator to provision a workspace, this attribute will automatically be set for you. + +To prevent accidental data leakage between Windows To Go and the host system Windows 8 has a new SAN policy—OFFLINE\_INTERNAL - “4” to prevent the operating system from automatically bringing online any internally connected disk. The default configuration for Windows To Go has this policy enabled. It is strongly recommended you do not change this policy to allow mounting of internal hard drives when booted into the Windows To Go workspace. If the internal drive contains a hibernated Windows 8 operating system, mounting the drive will lead to loss of hibernation state and, therefore, user state or any unsaved user data when the host operating system is booted. If the internal drive contains a hibernated Windows 7 or earlier operating system, mounting the drive will lead to corruption when the host operating system is booted. + +For more information, see [How to Configure Storage Area Network (SAN) Policy in Windows PE](https://go.microsoft.com/fwlink/p/?LinkId=619103). + +## Security certifications for Windows To Go + + +Windows to Go is a core capability of Windows when it is deployed on the drive and is configured following the guidance for the applicable security certification. Solutions built using Windows To Go can be submitted for additional certifications by the solution provider that cover the solution provider’s specific hardware environment. For more details about Windows security certifications, see the following topics. + +- [Windows Platform Common Criteria Certification](https://go.microsoft.com/fwlink/p/?LinkId=619104) + +- [FIPS 140 Evaluation](https://go.microsoft.com/fwlink/p/?LinkId=619107) + +## Related topics + + +[Windows To Go: feature overview](windows-to-go-overview.md) + +[Prepare your organization for Windows To Go](prepare-your-organization-for-windows-to-go.md) + +[Deployment considerations for Windows To Go](deployment-considerations-for-windows-to-go.md) + +[Windows To Go: frequently asked questions](windows-to-go-frequently-asked-questions.md) + + + + + + + + + diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md index af934eec08..58e8a9e6c2 100644 --- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md +++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md @@ -33,7 +33,7 @@ In order to use the direct connection scenario, set the parameter **ClientProxy= ### Connection through the WinHTTP proxy -This is the first and most simple proxy scenario. The WinHTTP stack was designed for use in services and does not support proxy autodetection, PAC scripts or authentication. +This is the first and most simple proxy scenario. In order to set the WinHTTP proxy system-wide on your computers, you need to - Use the command netsh winhttp set proxy \:\ diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index cd9f31b0f5..e2ac992f75 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md @@ -39,6 +39,7 @@ A [glossary](#glossary) of abbreviations used in this article is provided at the | Must I become a CSP to participate in Windows Autopilot? | Top volume OEMs do not, as they can use the OEM Direct API. All others who choose to use MPC to register devices must become CSPs in order to access MPC. | | Do the different CSP levels have all the same capabilities when it comes to Windows Autopilot? | For purposes of Windows Autopilot, there are three different types of CSPs, each with different levels of authority and access:

1. Direct CSP: Gets direct authorization from the customer to register devices.

2. Indirect CSP Provider: Gets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center.

3. Indirect CSP Reseller: Gets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which means that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. | + ## Manufacturing | Question | Answer | diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md index 76456c8e39..a91c17be27 100644 --- a/windows/deployment/windows-autopilot/registration-auth.md +++ b/windows/deployment/windows-autopilot/registration-auth.md @@ -51,7 +51,8 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus ![Global admin](images/csp3.png) - NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + > [!NOTE] + > A user without global admin privileges who clicks the link will see a message similar to the following: ![Not global admin](images/csp4.png) @@ -69,14 +70,17 @@ Each OEM has a unique link to provide to their respective customers, which the O ![Global admin](images/csp6.png) - NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + > [!NOTE] + > A user without global admin privileges who clicks the link will see a message similar to the following: ![Not global admin](images/csp7.png) 3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. 4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff [https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx](https://devicepartner.microsoft.com/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. + > [!NOTE] + > During the OEM authorization registration process, no delegated admin permissions are granted to the OEM. + ## Summary At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. - diff --git a/windows/privacy/windows-personal-data-services-configuration.md b/windows/privacy/windows-personal-data-services-configuration.md index 1366bdd1e6..273f2bac8d 100644 --- a/windows/privacy/windows-personal-data-services-configuration.md +++ b/windows/privacy/windows-personal-data-services-configuration.md @@ -1,6 +1,6 @@ --- title: Windows 10 personal data services configuration -description: An overview of Windows 10 services configuration settings that are used for personal data privacy protection relevant for regulations, such as the General Data Protection Regulation (GDPR) +description: Learn more about Windows 10 configuration settings that are useful for complying with regulations such as the GDPR and protecting users' personal data. keywords: privacy, GDPR, windows, IT ms.prod: w10 ms.mktglfcycl: manage diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 3da855c332..4ddcb35964 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md @@ -31,7 +31,7 @@ ms.reviewer: Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. +Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. Which organizations can take advantage of Multi-factor unlock? Those who: * Have expressed that PINs alone do not meet their security needs. @@ -101,7 +101,7 @@ Each rule element has a **signal** element. All signal elements have a **type** | type| "wifi" (Windows 10, version 1803) #### Bluetooth -You define the bluetooth signal with additional attribute in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". +You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". |Attribute|Value|Required| |---------|-----|--------| @@ -117,7 +117,7 @@ Example: ``` -The **classofDevice** attribute defaults Phones and uses the values from the following table +The **classofDevice** attribute defaults to Phone and uses the values from the following table: |Description|Value| |:-------------|:-------:| @@ -138,7 +138,7 @@ The **rssiMin** attribute value signal indicates the strength needed for the dev RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. >[!IMPORTANT] ->Microsoft recommends using the default values for this policy settings. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values. +>Microsoft recommends using the default values for this policy setting. Measurements are relative, based on the varying conditions of each environment. Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting. Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values. #### IP Configuration You define IP configuration signals using one or more ipConfiguration elements. Each element has a string value. IpConfiguration elements do not have attributes or nested elements. @@ -198,7 +198,7 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### dnsSuffix -The fully qualified domain name of your organizations internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
+The fully qualified domain name of your organization's internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
**Example** ``` corp.contoso.com diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md index a408a47cf2..17564fc13b 100644 --- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md +++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md @@ -185,7 +185,7 @@ Certificate requirements are listed by versions of the Windows operating system. The smart card certificate has specific format requirements when it is used with Windows XP and earlier operating systems. You can enable any certificate to be visible for the smart card credential provider. -| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, and Windows Vista** | **Requirements for Windows XP** | +| **Component** | **Requirements for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows 10** | **Requirements for Windows XP** | |--------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | CRL distribution point location | Not required | The location must be specified, online, and available, for example:
\[1\]CRL Distribution Point
Distribution Point Name:
Full Name:
URL= | | Key usage | Digital signature | Digital signature | diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md index 8d19264cfa..aa61d00b97 100644 --- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md +++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-overview.md @@ -1,6 +1,6 @@ --- title: Virtual Smart Card Overview (Windows 10) -description: This topic for IT professional provides an overview of the virtual smart card technology that was developed by Microsoft, and links to additional topics about virtual smart cards. +description: Learn more about the virtual smart card technology that was developed by Microsoft. Find links to additional topics about virtual smart cards. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 8c73819a8e..6c672171ac 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -1,6 +1,6 @@ --- title: Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune (Windows 10) -description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to associate and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy. +description: After you've created and deployed your Windows Information Protection (WIP) policy, use Microsoft Intune to link it to your Virtual Private Network (VPN) policy keywords: WIP, Enterprise Data Protection ms.prod: w10 ms.mktglfcycl: explore diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 8f850eed95..b3f555bb13 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -1,6 +1,6 @@ --- title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10) -description: The Azure portal for Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, supporting mobile device management (MDM), to let you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -30,7 +30,7 @@ You can create an app protection policy in Intune either with device enrollment - MAM has additional **Access** settings for Windows Hello for Business. - MAM can [selectively wipe company data](https://docs.microsoft.com/intune/apps-selective-wipe) from a user's personal device. -- MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). +- MAM requires an [Azure Active Directory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). - An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. - MAM supports only one user per device. - MAM can only manage [enlightened apps](enlightened-microsoft-apps-and-wip.md). @@ -40,7 +40,7 @@ You can create an app protection policy in Intune either with device enrollment ## Prerequisites -Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Direcory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. +Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an [Azure Active Directory (Azure AD) Premium license](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis#what-are-the-azure-ad-licenses). An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM. ## Configure the MDM or MAM provider diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 61ce1a5f3b..2e4f0f0749 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -1,6 +1,6 @@ --- title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) -description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.reviewer: keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 6b736fd281..27d3f1d9c9 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -1,6 +1,6 @@ --- title: Mandatory tasks and settings required to turn on Windows Information Protection (WIP) (Windows 10) -description: This list provides all of the tasks that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP) in your enterprise. +description: Review all of the tasks required for Windows to turn on Windows Information Protection (WIP), formerly enterprise data protection (EDP), in your enterprise. keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection, protected apps, protected app list, App Rules, Protected apps list ms.prod: w10 ms.mktglfcycl: explore diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index b11eab1f7d..c3e7e88640 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -35,7 +35,7 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc |-----------------------------|---------------------------------------------------------------------| |Office 365 for Business |
  • contoso.sharepoint.com
  • contoso-my.sharepoint.com
  • contoso-files.sharepoint.com
  • tasks.office.com
  • protection.office.com
  • meet.lync.com
  • teams.microsoft.com
| |Yammer |
  • www.yammer.com
  • yammer.com
  • persona.yammer.com
| -|Outlook Web Access (OWA) |attachments.office.net | +|Outlook Web Access (OWA) |
  • outlook.office.com
  • outlook.office365.com
  • attachments.office.net
| |Microsoft Dynamics |contoso.crm.dynamics.com | |Visual Studio Online |contoso.visualstudio.com | |Power BI |contoso.powerbi.com | diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md index 4110cd1ec6..1a962ee86f 100644 --- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md +++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md @@ -1,6 +1,6 @@ --- title: Audit Directory Service Changes (Windows 10) -description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS). +description: The policy setting Audit Directory Service Changes determines if audit events are generated when objects in Active Directory Domain Services (AD DS) are changed ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md index b953cf56c0..bdaff33b06 100644 --- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md +++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md @@ -1,6 +1,6 @@ --- title: Audit Filtering Platform Packet Drop (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. +description: The policy setting, Audit Filtering Platform Packet Drop, determines if audit events are generated when packets are dropped by the Windows Filtering Platform. ms.assetid: 95457601-68d1-4385-af20-87916ddab906 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md index edbcb2555d..959a951636 100644 --- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md +++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md @@ -1,6 +1,6 @@ --- title: Audit Other Account Logon Events (Windows 10) -description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets. +description: The policy setting, Audit Other Account Logon Events, allows you to audit events generated by responses to credential requests for certain kinds of user logons. ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md index 8532644095..2eb2aa20f8 100644 --- a/windows/security/threat-protection/auditing/audit-process-creation.md +++ b/windows/security/threat-protection/auditing/audit-process-creation.md @@ -1,6 +1,6 @@ --- title: Audit Process Creation (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts). +description: The Advanced Security Audit policy setting, Audit Process Creation, determines if audit events are generated when a process is created (starts). ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md index 96314fa0bd..82d5170b7c 100644 --- a/windows/security/threat-protection/auditing/audit-removable-storage.md +++ b/windows/security/threat-protection/auditing/audit-removable-storage.md @@ -1,6 +1,6 @@ --- title: Audit Removable Storage (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive. +description: The Advanced Security Audit policy setting, Audit Removable Storage, determines when there is a read or a write to a removable drive. ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26 ms.reviewer: manager: dansimp diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md index f11c4a64fd..88585f3a9a 100644 --- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md +++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md @@ -1,6 +1,6 @@ --- title: Registry (Global Object Access Auditing) (Windows 10) -description: This topic for the IT professional describes the Advanced Security Audit policy setting, Registry (Global Object Access Auditing), which enables you to configure a global system access control list (SACL) on the registry of a computer. +description: The Advanced Security Audit policy setting, Registry (Global Object Access Auditing), enables you to configure a global system access control list (SACL). ms.assetid: 953bb1c1-3f76-43be-ba17-4aed2304f578 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 32bbf69dc2..c91f55f5cf 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -57,7 +57,7 @@ The cadence for starting module validation aligns with the feature updates of Wi ### What is the difference between “FIPS 140 validated” and “FIPS 140 compliant”? -“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. +“FIPS 140 validated” means that the cryptographic module, or a product that embeds the module, has been validated (“certified”) by the CMVP as meeting the FIPS 140-2 requirements. “FIPS 140 compliant” is an industry term for IT products that rely on FIPS 140 validated products for cryptographic functionality. ### I need to know if a Windows service or application is FIPS 140-2 validated. @@ -7191,4 +7191,4 @@ Version 6.3.9600

\[[SP 800-57](http://csrc.nist.gov/publications/pubssps.html#800-57-part1)\] - Recommendation for Key Management – Part 1: General (Revised) -\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths \ No newline at end of file +\[[SP 800-131A](http://csrc.nist.gov/publications/nistpubs/800-131a/sp800-131a.pdf)\] - Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths diff --git a/windows/security/threat-protection/intelligence/prevent-malware-infection.md b/windows/security/threat-protection/intelligence/prevent-malware-infection.md index 3659eaeffb..7bce69882c 100644 --- a/windows/security/threat-protection/intelligence/prevent-malware-infection.md +++ b/windows/security/threat-protection/intelligence/prevent-malware-infection.md @@ -85,6 +85,8 @@ To further ensure that data is protected from malware as well as other threats: * Do not use untrusted devices to log on to email, social media, and corporate accounts. +* Avoid downloading or running older apps. Some of these apps might have vulnerabilities. Also, older file formats for Office 2003 (.doc, .pps, and .xls) allow macros or run. This could be a security risk. + ## Software solutions Microsoft provides comprehensive security capabilities that help protect against threats. We recommend: diff --git a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md index 28d3920de1..a4990b44f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md +++ b/windows/security/threat-protection/microsoft-defender-atp/automated-investigations.md @@ -68,7 +68,7 @@ You can configure the following levels of automation: |Automation level | Description| |---|---| -|Not protected | Machines do not get any automated investigations run on them. | +|No automated response | Machines do not get any automated investigations run on them. | |Semi - require approval for any remediation | This is the default automation level.

An approval is needed for any remediation action. | |Semi - require approval for non-temp folders remediation | An approval is required on files or executables that are not in temporary folders.

Files or executables in temporary folders, such as the user's download folder or the user's temp folder, will automatically be remediated if needed.| |Semi - require approval for core folders remediation | An approval is required on files or executables that are in the operating system directories such as Windows folder and Program files folder.

Files or executables in all other folders will automatically be remediated if needed.| diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md index a5cb971e01..367c0685a8 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-gp.md @@ -80,6 +80,13 @@ You can use Group Policy (GP) to configure settings, such as settings for the sa b. Copy _AtpConfiguration.adml_ into _C:\\Windows\\PolicyDefinitions\\en-US_ + If you are using a [Central Store for Group Policy Administrative Templates](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra), copy the following files from the + configuration package: + + a. Copy _AtpConfiguration.admx_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions_ + + b. Copy _AtpConfiguration.adml_ into _\\\\\\\SysVol\\\\\Policies\\PolicyDefinitions\\en-US_ + 2. Open the [Group Policy Management Console](https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11), right-click the GPO you want to configure and click **Edit**. 3. In the **Group Policy Management Editor**, go to **Computer configuration**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md index 151cc9a4d1..3003c707b4 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md +++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md @@ -55,6 +55,9 @@ You'll need to enable the live response capability in the [Advanced features set - **Ensure that you have the appropriate permissions**
Only users who have been provisioned with the appropriate permissions can initiate a session. For more information on role assignments see, [Create and manage roles](user-roles.md). + > [!IMPORTANT] + > The option to upload a file to the library is only available to those with the appropriate RBAC permissions. The button is greyed out for users with only delegated permissions. + Depending on the role that's been granted to you, you can run basic or advanced live response commands. Users permission are controlled by RBAC custom role. ## Live response dashboard overview @@ -250,4 +253,3 @@ Each command is tracked with full details such as: - diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md index 996ac58a26..5779992a72 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-cloud-app-security-config.md @@ -31,6 +31,10 @@ To benefit from Microsoft Defender Advanced Threat Protection (ATP) cloud app di >[!NOTE] >This feature will be available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10, version 1709 (OS Build 16299.1085 with [KB4493441](https://support.microsoft.com/help/4493441)), Windows 10, version 1803 (OS Build 17134.704 with [KB4493464](https://support.microsoft.com/help/4493464)), Windows 10, version 1809 (OS Build 17763.379 with [KB4489899](https://support.microsoft.com/help/4489899)) or later Windows 10 versions. +> See [Microsoft Defender Advanced Threat Protection integration with Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration) for detailed integration of Microsoft Defender ATP with Microsoft Cloud App Security. + +## Enable Microsoft Cloud App Security in Microsoft Defender ATP + 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. @@ -39,21 +43,7 @@ Once activated, Microsoft Defender ATP will immediately start forwarding discove ## View the data collected -1. Browse to the [Cloud App Security portal](https://portal.cloudappsecurity.com). - -2. Navigate to the Cloud Discovery dashboard. - - ![Image of menu to cloud discovery dashboard](images/atp-cloud-discovery-dashboard-menu.png) - -3. Select **Win10 Endpoint Users report**, which contains the data coming from Microsoft Defender ATP. - - ![Win10 endpoint users](./images/win10-endpoint-users.png) - -This report is similar to the existing discovery report with one major difference: you can now benefit from visibility to the machine context. - -Notice the new **Machines** tab that allows you to view the data split to the device dimensions. This is available in the main report page or any subpage (for example, when drilling down to a specific cloud app). - -![Cloud discovery](./images/cloud-discovery.png) +To view and access Microsoft Defender ATP data in Microsoft Cloud Apps Security, see [Investigate machines in Cloud App Security](https://docs.microsoft.com/cloud-app-security/wdatp-integration#investigate-machines-in-cloud-app-security). For more information about cloud discovery, see [Working with discovered apps](https://docs.microsoft.com/cloud-app-security/discovered-apps). diff --git a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md index b498d66535..56b73435ad 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md @@ -1,6 +1,6 @@ --- title: Microsoft Defender Advanced Threat Protection -description: Microsoft Defender Advanced Threat Protection is an enterprise security platform that helps secops to prevent, detect, investigate, and respond to possible cybersecurity threats related to advanced persistent threats. +description: Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) is an enterprise security platform that helps defend against advanced persistent threats. keywords: introduction to Microsoft Defender Advanced Threat Protection, introduction to Microsoft Defender ATP, cybersecurity, advanced persistent threat, enterprise security, machine behavioral sensor, cloud security, analytics, threat intelligence, attack surface reduction, next generation protection, automated investigation and remediation, microsoft threat experts, secure score, advanced hunting, microsoft threat protection, cyber threat hunting search.product: eADQiWindows 10XVcnh search.appverid: met150 diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 4725c3e9ba..d1dd82ef56 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -52,7 +52,8 @@ The following table lists the actual and effective default policy values. Defaul | Server type or GPO | Default value | | - | - | | Default Domain Policy | Not Defined | -| Default Domain Controller Policy | Administrators | +| Default Domain Controller Policy | Not Defined | +| Domain Controller Local Security Policy | Administrators | | Stand-Alone Server Default Settings | Administrators
Remote Desktop Users | | Domain Controller Effective Default Settings | Administrators | | Member Server Effective Default Settings | Administrators
Remote Desktop Users | diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index 621bf61523..5ba0488e44 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -1,6 +1,6 @@ --- title: Deny log on through Remote Desktop Services (Windows 10) -description: Describes the best practices, location, values, policy management, and security considerations for the Deny log on through Remote Desktop Services security policy setting. +description: Best practices, location, values, policy management, and security considerations for the security policy setting, Deny log on through Remote Desktop Services. ms.assetid: 84bbb807-287c-4acc-a094-cf0ffdcbca67 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index f4021623d1..9660f69829 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -1,6 +1,6 @@ --- title: Domain member Require strong (Windows 2000 or later) session key (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Domain member Require strong (Windows 2000 or later) session key security policy setting. +description: Best practices, location, values, and security considerations for the security policy setting, Domain member Require strong (Windows 2000 or later) session key. ms.assetid: 5ab8993c-5086-4f09-bc88-1b27454526bd ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index dc5baed9b0..98bcd11836 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -1,6 +1,6 @@ --- title: Interactive logon Display user information when the session is locked (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Interactive logon Display user information when the session is locked security policy setting. +description: Best practices, security considerations, and more for the security policy setting, Interactive logon Display user information when the session is locked. ms.assetid: 9146aa3d-9b2f-47ba-ac03-ff43efb10530 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index 1622780408..384e9959b1 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -1,6 +1,6 @@ --- title: Interactive logon Machine account lockout threshold (Windows 10) -description: Describes the best practices, location, values, management, and security considerations for the Interactive logon Machine account lockout threshold security policy setting. +description: Best practices, location, values, management, and security considerations for the security policy setting, Interactive logon Machine account lockout threshold. ms.assetid: ebbd8e22-2611-4ebe-9db9-d49344e631e4 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index c5496a79f8..1ada850d3b 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md @@ -1,6 +1,6 @@ --- title: Network security Configure encryption types allowed for Kerberos -description: Describes the best practices, location, values and security considerations for the Network security Configure encryption types allowed for Kerberos Win7 only security policy setting. +description: Best practices, location, values and security considerations for the policy setting, Network security Configure encryption types allowed for Kerberos Win7 only. ms.assetid: 303d32cc-415b-44ba-96c0-133934046ece ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md index 8677916153..c39e1de1d2 100644 --- a/windows/security/threat-protection/security-policy-settings/profile-system-performance.md +++ b/windows/security/threat-protection/security-policy-settings/profile-system-performance.md @@ -1,6 +1,6 @@ --- title: Profile system performance (Windows 10) -description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management, and security considerations for the Profile system performance security policy setting. +description: Best practices, location, values, policy management, and security considerations for the security policy setting, Profile system performance. ms.assetid: ffabc3c5-9206-4105-94ea-84f597a54b2e ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md index 3b79ce3312..4ffbf4911b 100644 --- a/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md +++ b/windows/security/threat-protection/security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md @@ -1,6 +1,6 @@ --- title: System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing (Windows 10) -description: This security policy reference topic for the IT professional describes the best practices, location, values, policy management and security considerations for this policy setting. +description: Best practices, security considerations, and more for the policy setting, System cryptography Use FIPS compliant algorithms for encryption, hashing, and signing ms.assetid: 83988865-dc0f-45eb-90d1-ee33495eb045 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md index 623538938f..c55c11df6a 100644 --- a/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md @@ -1,6 +1,6 @@ --- title: User Account Control Admin Approval Mode for the Built-in Administrator account (Windows 10) -description: Describes the best practices, location, values, policy management and security considerations for the User Account Control Admin Approval Mode for the Built-in Administrator account security policy setting. +description: Best practices, security considerations, and more for the policy setting, User Account Control Admin Approval Mode for the Built-in Administrator account. ms.assetid: d465fc27-1cd2-498b-9cf6-7ad2276e5998 ms.reviewer: ms.author: dansimp diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 13450b73a4..176f9a041b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -27,7 +27,8 @@ ms.date: 05/17/2018 - Windows 10 - Windows Server 2016 -You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps defined by the Intelligent Security Graph. + +You can use Microsoft Intune to configure Windows Defender Application Control (WDAC). You can either configure an Endpoint Protection profile for WDAC, or create a custom profile with an OMA-URI setting. By using an Endpoint Protection profile, you can configure Windows 10 client computers to only run Windows components and Microsoft Store apps, or let them also run reputable apps as defined by the Intelligent Security Graph. 1. Open the Microsoft Intune portal and click **Device configuration** > **Profiles** > **Create profile**. @@ -41,3 +42,5 @@ You can use Microsoft Intune to configure Windows Defender Application Control ( - **Trust apps with good reputation**: Select **Enable** to allow reputable apps as defined by the Intelligent Security Graph to run in addition to Windows components and Store apps. ![Configure WDAC](images/wdac-intune-wdac-settings.png) + +To add a custom profile with an OMA-URI see, [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/en-us/intune/configuration/custom-settings-windows-10). diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 9d10a82e3a..bdbd3df95e 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md +++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -1,6 +1,6 @@ --- title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10) -description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Security to set Windows Defender SmartScreen for individual devices. +description: Learn how employees can use Windows Security to set up Windows Defender SmartScreen. Windows Defender SmartScreen protects users from running malicious apps. keywords: SmartScreen Filter, Windows SmartScreen, Windows Defender SmartScreen ms.prod: w10 ms.mktglfcycl: explore diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 5b92c4240f..05dc390aef 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -66,8 +66,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic >[!NOTE] >To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](https://docs.microsoft.com/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control), [Credential Guard](https://docs.microsoft.com/windows/security/identity-protection/credential-guard/credential-guard-requirements), and [Virtualization Based Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity). -## Requirements Met by System Guard Enabled Machines -Any machine with System Guard enabled will automatically meet the following low-level hardware requirements: +## System requirements for System Guard |For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| |--------|-----------| diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index d5b5e148ca..e5ab713e82 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -162,7 +162,7 @@ Onboard supported versions of Windows machines so that they can send sensor data ## Cloud Clipboard -Cloud clipboard helps users copy content between devices. It also manages the clipboard histroy so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard: +Cloud clipboard helps users copy content between devices. It also manages the clipboard history so that you can paste your old copied data. You can access it by using **Windows+V**. Set up Cloud clipboard: 1. Go to **Windows Settings** and select **Systems**. 2. On the left menu, click on **Clipboard**.