From 4fbd692792866a13847ed86a583b94c2aa9f46d8 Mon Sep 17 00:00:00 2001
From: brianlic-msft
Date: Tue, 9 May 2017 23:15:27 +0000
Subject: [PATCH 01/34] Initialize open publishing repository: https://github.com/Microsoft/win-cpub-itpro-docs of branch live
---
 .openpublishing.publish.config.json | 31 ++++++++++++++++++++----
 bcs/docfx.json | 37 +++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 5 deletions(-)
 create mode 100644 bcs/docfx.json
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 006a4bbd17..2d2913c2b1 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -374,6 +374,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "bcs",
+ "build_source_folder": "bcs",
+ "build_output_subfolder": "bcs",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
@@ -386,7 +402,6 @@
 "git_repository_branch_open_to_public_contributors": "master",
 "skip_source_output_uploading": false,
 "need_preview_pull_request": true,
- "enable_incremental_build": true,
 "dependent_repositories": [
 {
 "path_to_root": "_themes.pdf",
@@ -402,10 +417,16 @@
 }
 ],
 "branch_target_mapping": {
- "live": ["Publish","Pdf"],
- "master": ["Publish", "Pdf"]
- },
- "need_generate_pdf_url_template": true,
+ "live": [
+ "Publish",
+ "Pdf"
+ ],
+ "master": [
+ "Publish",
+ "Pdf"
+ ]
+ },
+ "need_generate_pdf_url_template": false,
 "Targets": {
 "Pdf": {
 "template_folder": "_themes.pdf"
diff --git a/bcs/docfx.json b/bcs/docfx.json
new file mode 100644
index 0000000000..9901c08bd0
--- /dev/null
+++ b/bcs/docfx.json
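Review bot: The second and third hunks of patch 01 silently change build behavior that the subject ("Initialize open publishing repository") does not mention: `"enable_incremental_build": true` is removed and `"need_generate_pdf_url_template"` flips from `true` to `false`. If these are side effects of the initialization tooling, say so in the commit message so the next reader does not treat them as accidental; if they are deliberate they belong in their own commit with a rationale. The new `bcs` docset entry in the first hunk matches the shape of its neighbours, including `"open_to_public_contributors": false`, and raises nothing on its own.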
@@ -0,0 +1,37 @@
+{
+ "build": {
+ "content": [
+ {
+ "files": [
+ "**/*.md"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**",
+ "README.md",
+ "LICENSE",
+ "LICENSE-CODE",
+ "ThirdPartyNotices"
+ ]
+ }
+ ],
+ "resource": [
+ {
+ "files": [
+ "**/*.png",
+ "**/*.jpg"
+ ],
+ "exclude": [
+ "**/obj/**",
+ "**/includes/**"
+ ]
+ }
+ ],
+ "overwrite": [],
+ "externalReference": [],
+ "globalMetadata": {},
+ "fileMetadata": {},
+ "template": [],
+ "dest": "bcs"
+ }
+}
\ No newline at end of file
From 0f989e5bb86efba6d18147826a07df5dfb55f38c Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 23 May 2017 16:16:14 -0700
Subject: [PATCH 02/34] updating repo URL (public)
---
 .openpublishing.publish.config.json | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index d9d23b1445..340a768d75 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -398,7 +398,8 @@
 "branches_to_filter": [
 ""
 ],
- "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/win-cpub-itpro-docs",
+ "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs",
+ "git_repository_branch_open_to_public_contributors": "master",
 "skip_source_output_uploading": false,
 "need_preview_pull_request": true,
 "dependent_repositories": [
From 69fba6f6794a11f5352ba3e1f965b9e2013e8d0e Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:23:02 +0000
Subject: [PATCH 03/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 19 +++++++++++++++++--
 1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 34d0f0817f..8dc6a8e913 100644
--- a/.openpublishing.publish.config.json
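Review bot: The `exclude` list in the new `bcs/docfx.json` names `README.md`, `LICENSE`, `LICENSE-CODE` and `ThirdPartyNotices`, but docfx presumably resolves these globs relative to the directory holding `docfx.json` (here `bcs/`), so unless copies of those files exist under `bcs/` the entries are inert and look copied from a root-level template; keep them only if such files are actually there. The file is also committed without a trailing newline (`\ No newline at end of file`), so every later edit will show a spurious change to the closing `}`. The patch 02 hunk on this same line, which re-points `git_repository_url_open_to_public_contributors` to the public GitHub repository and adds the branch key, raises nothing on its own.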
+++ b/.openpublishing.publish.config.json
@@ -390,6 +390,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "mdop-VSTS",
+ "build_source_folder": "mdop",
+ "build_output_subfolder": "mdop-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
@@ -429,9 +445,8 @@
 "Publish",
 "Pdf"
 ]
- },
- "need_generate_pdf_url_template": true,
+ "need_generate_pdf_url_template": false,
 "Targets": {
 "Pdf": {
 "template_folder": "_themes.pdf"
From bc701df45776f83b07a41e11b51c67dcd92524fa Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:26:34 +0000
Subject: [PATCH 04/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 8dc6a8e913..bceb621e3c 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -406,6 +406,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "windows-manage-VSTS",
+ "build_source_folder": "windows/manage",
+ "build_output_subfolder": "windows-manage-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 94c872d40df322d9ee60ddfcd87b137cbeb256d3 Mon Sep 17 00:00:00 2001
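Review bot: The second hunk of patch 03 (`@@ -429,9 +445,8 @@`) removes the `},` that closes `branch_target_mapping` and adds back only `"need_generate_pdf_url_template": false,`, which as rendered leaves that object unclosed and the file rejected by any strict JSON parser. The hunk header counts (9 old, 8 new) are one higher than the lines visible here on each side, so a line may have been lost in this rendering rather than in the commit; confirm that the committed file still parses before relying on it. The patch 04 hunk on this same line is a plain docset addition and raises nothing.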
From: Brian Lich
Date: Tue, 20 Jun 2017 16:30:34 +0000
Subject: [PATCH 05/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index bceb621e3c..df3502d649 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -422,6 +422,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "smb-VSTS",
+ "build_source_folder": "smb",
+ "build_output_subfolder": "smb-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 2cb220c9d9e4b1720612f1d8f86f9b9f029d0898 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:34:29 +0000
Subject: [PATCH 06/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index df3502d649..c4a642ac72 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -438,6 +438,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "surface-hub-VSTS",
+ "build_source_folder": "devices/surface-hub",
+ "build_output_subfolder": "surface-hub-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 6be04319c9090960ed3f607ddac71385f0f56829 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:45:24 +0000
Subject: [PATCH 07/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c4a642ac72..0f1dcf072b 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -454,6 +454,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "microsoft-edge-VSTS",
+ "build_source_folder": "browsers/edge",
+ "build_output_subfolder": "microsoft-edge-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 4758b63a6818b80bc753ed13ef9a7d815d8f5353 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:52:01 +0000
Subject: [PATCH 08/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 0f1dcf072b..c6aa648abd 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -470,6 +470,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-development-VSTS",
+ "build_source_folder": "windows/deployment",
+ "build_output_subfolder": "win-development-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 365321711aec8e5ad9cc0765d05046ff8a0d9d77 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:53:45 +0000
Subject: [PATCH 09/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c6aa648abd..1c91a57802 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
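Review bot: The docset added in patch 08 is named `win-development-VSTS` but builds `"build_source_folder": "windows/deployment"` and writes to `"build_output_subfolder": "win-development-VSTS"`, while every sibling in this series derives its name from its folder (`win-client-management-VSTS` from `windows/client-management`, `win-threat-protection-VSTS` from `windows/threat-protection`); "development" reads like a typo for "deployment". If the name is a publishing-system identifier that must match something external, a line in the commit message saying so would settle it; otherwise rename both fields, e.g. `"docset_name": "win-deployment-VSTS",` and `"build_output_subfolder": "win-deployment-VSTS",`. The patch 09 file header that starts on this line continues on the next and its hunk raises nothing.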
@@ -486,6 +486,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "windows-plan-VSTS",
+ "build_source_folder": "windows/plan",
+ "build_output_subfolder": "windows-plan-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From a8d53f860ae90461a7c416cfb8c6ee765f39f6bc Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:56:05 +0000
Subject: [PATCH 10/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 1c91a57802..f373001d3c 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -502,6 +502,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-client-management-VSTS",
+ "build_source_folder": "windows/client-management",
+ "build_output_subfolder": "win-client-management-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From f8bcc7fae48113fddaa3281baffb60e2c5099ff1 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 16:58:01 +0000
Subject: [PATCH 11/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index f373001d3c..0046ba0592 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -518,6 +518,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-threat-protection-VSTS",
+ "build_source_folder": "windows/threat-protection",
+ "build_output_subfolder": "win-threat-protection-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From b79928c021a8baad27c64f33211a3dee5fa5d86b Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:02:10 +0000
Subject: [PATCH 12/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 0046ba0592..63c2dc107e 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -534,6 +534,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-app-management-VSTS",
+ "build_source_folder": "windows/application-management",
+ "build_output_subfolder": "win-app-management-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 3140f903d654d8bc9f13c8b76ebe451875e387d4 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:03:39 +0000
Subject: [PATCH 13/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 63c2dc107e..61d8772953 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -550,6 +550,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "windows-deploy-VSTS",
+ "build_source_folder": "windows/deploy",
+ "build_output_subfolder": "windows-deploy-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From d258d3e1a408ec901f140df24d16eec518ba0bdf Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:08:14 +0000
Subject: [PATCH 14/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 61d8772953..c734191672 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -566,6 +566,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "keep-secure-VSTS",
+ "build_source_folder": "windows/keep-secure",
+ "build_output_subfolder": "keep-secure-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 229aeb3c509d8b91ace06191122e17ed9d105a15 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:10:14 +0000
Subject: [PATCH 15/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c734191672..1730de3190 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -582,6 +582,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "surface-VSTS",
+ "build_source_folder": "devices/surface",
+ "build_output_subfolder": "surface-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 8633fc278e7b45e0d20ac03f94c908fa9c6683ac Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:13:27 +0000
Subject: [PATCH 16/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 1730de3190..d09f9b5c08 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -598,6 +598,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "windows-hub-VSTS",
+ "build_source_folder": "windows/hub",
+ "build_output_subfolder": "windows-hub-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 0495df66c30225c949368b9fdaa4b037e04b0f6b Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:15:32 +0000
Subject: [PATCH 17/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index d09f9b5c08..94753509eb 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -614,6 +614,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "internet-explorer-VSTS",
+ "build_source_folder": "browsers/internet-explorer",
+ "build_output_subfolder": "internet-explorer-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 69e5f295f366e49cddebe4302327abe7032480f2 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:16:53 +0000
Subject: [PATCH 18/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 94753509eb..9b18a86c09 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -630,6 +630,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "bcs-VSTS",
+ "build_source_folder": "bcs",
+ "build_output_subfolder": "bcs-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 6ed260a9a9d88c009f7991d1937fa61eb6a22568 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:18:27 +0000
Subject: [PATCH 19/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 9b18a86c09..2cebd7ddbf 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -646,6 +646,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-access-protection-VSTS",
+ "build_source_folder": "windows/access-protection",
+ "build_output_subfolder": "win-access-protection-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From d39bb9fcbd2ec1aeab56b41cf74c47d44147f5d7 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:19:49 +0000
Subject: [PATCH 20/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 2cebd7ddbf..b529e24bb5 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -662,6 +662,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-device-security-VSTS",
+ "build_source_folder": "windows/device-security",
+ "build_output_subfolder": "win-device-security-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 1523fc299dabadfe4625052bf8fa1eef3af4a09b Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:21:49 +0000
Subject: [PATCH 21/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index b529e24bb5..0ae20944bd 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -678,6 +678,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "education-VSTS",
+ "build_source_folder": "education",
+ "build_output_subfolder": "education-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From e43b3e88ef3c65be77cd585997cfe8317b307c8e Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:23:53 +0000
Subject: [PATCH 22/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 0ae20944bd..0c3c8297c3 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -694,6 +694,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "store-for-business-VSTS",
+ "build_source_folder": "store-for-business",
+ "build_output_subfolder": "store-for-business-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From bce864f41080044ed0df29d54548e3bc1e2d7000 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:25:22 +0000
Subject: [PATCH 23/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 0c3c8297c3..0b17bcb46f 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -710,6 +710,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-configuration-VSTS",
+ "build_source_folder": "windows/configuration",
+ "build_output_subfolder": "win-configuration-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 647aa64766888283dcc56a88dad2a499390205f7 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:26:48 +0000
Subject: [PATCH 24/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 0b17bcb46f..ff6652a74a 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -726,6 +726,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "windows-update-VSTS",
+ "build_source_folder": "windows/update",
+ "build_output_subfolder": "windows-update-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 81c9cab1991a1baec6619391feed89affaa11d38 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:28:11 +0000
Subject: [PATCH 25/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index ff6652a74a..4accd8fb44 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -742,6 +742,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "win-whats-new-VSTS",
+ "build_source_folder": "windows/whats-new",
+ "build_output_subfolder": "win-whats-new-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 5edadae66bbf106190355ac7b2375a6046be8515 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:29:24 +0000
Subject: [PATCH 26/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index 4accd8fb44..c370569428 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -758,6 +758,22 @@
 "build_entry_point": "docs",
 "template_folder": "_themes",
 "version": 0
+ },
+ {
+ "docset_name": "itpro-hololens-VSTS",
+ "build_source_folder": "devices/hololens",
+ "build_output_subfolder": "itpro-hololens-VSTS",
+ "locale": "en-us",
+ "monikers": [],
+ "open_to_public_contributors": false,
+ "type_mapping": {
+ "Conceptual": "Content",
+ "ManagedReference": "Content",
+ "RestApi": "Content"
+ },
+ "build_entry_point": "docs",
+ "template_folder": "_themes",
+ "version": 0
 }
 ],
 "notification_subscribers": [
From 684a6a23efc9f2c95a4f4cf9cba9643528e56b28 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Tue, 20 Jun 2017 17:31:59 +0000
Subject: [PATCH 27/34] Initialize open publishing repository: https://cpubwin.visualstudio.com/DefaultCollection/it-client/_git/it-client of branch live
---
 .openpublishing.publish.config.json | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index c370569428..52314fced8 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -774,6 +774,22 @@ "build_entry_point": "docs", "template_folder": "_themes", "version": 0 + }, + { + "docset_name": "windows-configure-VSTS", + "build_source_folder": "windows/configure", + "build_output_subfolder": "windows-configure-VSTS", + "locale": "en-us", + "monikers": [], + "open_to_public_contributors": false, + "type_mapping": { + "Conceptual": "Content", + "ManagedReference": "Content", + "RestApi": "Content" + }, + "build_entry_point": "docs", + "template_folder": "_themes", + "version": 0 } ], "notification_subscribers": [ From a94d51dbfe5930b8394540568276572677792779 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 22 Jun 2017 22:11:12 +0000 Subject: [PATCH 28/34] Updated .openpublishing.publish.config.json --- .openpublishing.publish.config.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index 77d849c6e5..e76d9612c0 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -410,7 +410,8 @@ "branches_to_filter": [ "" ], - "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client", + "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs", + "git_repository_branch_open_to_public_contributors": "master", "skip_source_output_uploading": false, "need_preview_pull_request": true, "dependent_repositories": [ From 40ca2afabe515e8df46ccee8689f104472043ddf Mon Sep 17 00:00:00 2001 
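Review bot: The new docset builds from `"build_source_folder": "windows/configure"`, yet the only configuration content touched anywhere in this series lives under `windows/configuration/` (the TOC.md, change-history and provisioning-packages hunks in the later merge commit), and that same commit shows an existing `win-configuration-VSTS` docset at `@@ -329`. If `windows/configure` does not exist the `windows-configure-VSTS` output is presumably empty; if it does, two docsets with near-identical names publishing configuration content will confuse whoever maintains this file. Please confirm the folder and, if both docsets are intended, record in the commit what distinguishes `windows-configure-VSTS` from `win-configuration-VSTS`. The enclosing docsets array starts and ends outside the hunk.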
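Review bot: `git_repository_url_open_to_public_contributors` is repointed from the VSTS repo to the GitHub repo and `git_repository_branch_open_to_public_contributors` is pinned to `"master"`, but every docset visible in this series still carries `"open_to_public_contributors": false` at this point (the four added by PATCH 24–27, and the 24 entries the next commit flips show `false` on their removed lines), so the new URL is presumably inert until a docset is opened. The subject "Updated .openpublishing.publish.config.json" does not say that this is the switch to the public repository; a one-line body such as `Point public-contribution URL and branch at the public GitHub repo ahead of opening docsets` would make the intent and the ordering relative to the later flip reviewable. The enclosing object starts and ends outside the hunk.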
From: Elizabeth Ross Date: Fri, 23 Jun 2017 21:21:14 +0000 Subject: [PATCH 29/34] Merged PR 1906: Merge master to live --- .openpublishing.publish.config.json | 50 +++---- .../surface-hub/whiteboard-collaboration.md | 3 + windows/client-management/mdm/defender-csp.md | 2 +- .../new-policies-for-windows-10.md | 1 + windows/configuration/TOC.md | 2 +- ...change-history-for-configure-windows-10.md | 7 + .../provisioning-command-line.md | 4 +- ...osk-for-windows-10-for-desktop-editions.md | 3 + windows/deployment/deploy-whats-new.md | 6 +- windows/deployment/mbr-to-gpt.md | 7 +- .../resolve-windows-10-upgrade-errors.md | 37 ++++- .../upgrade/upgrade-readiness-get-started.md | 3 + .../windows-10-poc-sc-config-mgr.md | 8 +- windows/deployment/windows-10-poc.md | 3 - windows/threat-protection/TOC.md | 10 +- .../change-history-for-threat-protection.md | 1 + .../dn168167.boot_process(en-us,MSDN.10).png | Bin 0 -> 38711 bytes .../dn168167.measure_boot(en-us,MSDN.10).png | Bin 0 -> 13801 bytes .../secure-the-windows-10-boot-process.md | 129 ++++++++++++++++++ ...-connections-windows-defender-antivirus.md | 8 +- ...ure-windows-defender-antivirus-features.md | 2 +- 21 files changed, 233 insertions(+), 53 deletions(-) create mode 100644 windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png create mode 100644 windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png create mode 100644 windows/threat-protection/secure-the-windows-10-boot-process.md diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json index e76d9612c0..31d0b676f7 100644 --- a/.openpublishing.publish.config.json +++ b/.openpublishing.publish.config.json @@ -9,7 +9,7 @@ "build_output_subfolder": "mdop-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", 
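Review bot: The flip of `"open_to_public_contributors"` from `false` to `true` reaches 24 docsets but skips one: the hunk headers advance 16 lines per docset from `@@ -9` through `@@ -233`, then jump to `@@ -265` in the following hunks, so the docset entry near line 249 keeps whatever value it had. If every docset is meant to be public that entry needs the same one-line change; if it is deliberately kept closed, the commit should name it and say why. Either way, opening 24 docsets to public contribution is a policy change that the description "Merge master to live" does not mention, and a sentence recording the decision would help anyone later auditing who may submit changes to this content. The same pattern continues through the hunks up to `@@ -393`, and `"need_generate_pdf_url_template"` also flips to `true` at `@@ -442` without comment; each hunk sits inside a docset object whose start and end lie outside it.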
@@ -25,7 +25,7 @@ "build_output_subfolder": "windows-manage-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -41,7 +41,7 @@ "build_output_subfolder": "smb-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -57,7 +57,7 @@ "build_output_subfolder": "surface-hub-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -73,7 +73,7 @@ "build_output_subfolder": "microsoft-edge-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -89,7 +89,7 @@ "build_output_subfolder": "win-development-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -105,7 +105,7 @@ "build_output_subfolder": "windows-plan-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -121,7 +121,7 @@ "build_output_subfolder": "win-client-management-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", 
@@ -137,7 +137,7 @@ "build_output_subfolder": "win-threat-protection-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -153,7 +153,7 @@ "build_output_subfolder": "win-app-management-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -169,7 +169,7 @@ "build_output_subfolder": "windows-deploy-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -185,7 +185,7 @@ "build_output_subfolder": "keep-secure-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -201,7 +201,7 @@ "build_output_subfolder": "surface-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -217,7 +217,7 @@ "build_output_subfolder": "windows-hub-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -233,7 +233,7 @@ "build_output_subfolder": "internet-explorer-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", 
@@ -265,7 +265,7 @@ "build_output_subfolder": "win-access-protection-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -281,7 +281,7 @@ "build_output_subfolder": "win-device-security-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -297,7 +297,7 @@ "build_output_subfolder": "education-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -313,7 +313,7 @@ "build_output_subfolder": "store-for-business-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -329,7 +329,7 @@ "build_output_subfolder": "win-configuration-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -345,7 +345,7 @@ "build_output_subfolder": "windows-update-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -361,7 +361,7 @@ "build_output_subfolder": "win-whats-new-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", 
@@ -377,7 +377,7 @@ "build_output_subfolder": "itpro-hololens-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -393,7 +393,7 @@ "build_output_subfolder": "windows-configure-VSTS", "locale": "en-us", "monikers": [], - "open_to_public_contributors": false, + "open_to_public_contributors": true, "type_mapping": { "Conceptual": "Content", "ManagedReference": "Content", @@ -442,7 +442,7 @@ "Pdf" ] }, - "need_generate_pdf_url_template": false, + "need_generate_pdf_url_template": true, "Targets": { "Pdf": { "template_folder": "_themes.pdf" diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 5873701961..7633008a2d 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -50,6 +50,9 @@ When the other Surface Hub receives the link, the recipient can tap on the link, After you’re done, you can export a copy of the Whiteboard collaboration for yourself through the Share charm and leave the board for others to continue working. +>[!TIP] +>When you start a collaboration session, Whiteboard creates a folder named **Whiteboard App Data** in your OneDrive for Business to store your shared whiteboards. After some collaboration sessions, this folder may continue to sync or process changes indefinitely. You can fix this by choosing to not sync the **Whiteboard App Data** folder to your device. Disabling sync for this folder won't limit your ability to use Whiteboard for collaboration sessions. + ## How to control and manage Whiteboard to Whiteboard collaboration Whiteboard has settings that can be managed via MDM. These allow you to disable or enable collaboration functionality in case your organization can’t meet the prerequisites or you’d rather not have your organization use this feature. 
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 71e91e480e..7ef981d08d 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -14,7 +14,7 @@ author: nickbrower The Windows Defender configuration service provider is used to configure various Windows Defender actions across the enterprise. -The following image shows the Windows Defender configuration service provider in tree format +The following image shows the Windows Defender configuration service provider in tree format. ![defender csp diagram](images/provisioning-csp-defender.png) diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md index 29b5b23d90..06c0919533 100644 --- a/windows/client-management/new-policies-for-windows-10.md +++ b/windows/client-management/new-policies-for-windows-10.md @@ -103,6 +103,7 @@ The following Group Policy settings were added in Windows 10, version 1703: - Windows Components\Internet Explorer\Accelerators\Restrict Accelerators to those deployed through Group Policy - Windows Components\Internet Explorer\Compatibility View\Turn on Internet Explorer 7 Standards Mode - Windows Components\Location and Sensors\Windows Location Provider\Turn off Windows Location Provider +- Windows Components\Microsoft Account\Block all consumer Microsoft account user authentication - Windows Components\Microsoft Edge\Configure Autofill - Windows Components\Microsoft Edge\Allow Developer Tools - Windows Components\Microsoft Edge\Allow Developer Tools diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index e91e9f7bda..f4a06d5d6a 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md 
@@ -59,7 +59,7 @@ ### [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md) ### [Use a script to install a desktop app in provisioning packages](provisioning-packages/provisioning-script-to-install-app.md) ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md) -### [Windows ICD command-line interface (reference)](provisioning-packages/provisioning-command-line.md) +### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) ### [Create a provisioning package with multivariant settings](provisioning-packages/provisioning-multivariant.md) ## [Lockdown features from Windows Embedded 8.1 Industry](lockdown-features-windows-10.md) ## [User Experience Virtualization (UE-V) for Windows](ue-v/uev-for-windows.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 10733f5cf7..7fa036486d 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -14,6 +14,13 @@ author: jdeckerms This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## June 2017 + +| New or changed topic | Description | +| --- | --- | +| [Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Added warning about using Shell Launcher to set a custom shell with an application that launches a different process and then exits | +| [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md) | Removed references to imaging | + ## May 2017 | New or changed topic | Description | 
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md index 79a293c1b6..1204c7c83d 100644 --- a/windows/configuration/provisioning-packages/provisioning-command-line.md +++ b/windows/configuration/provisioning-packages/provisioning-command-line.md @@ -16,11 +16,11 @@ localizationpriority: high - Windows 10 - Windows 10 Mobile -You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages and Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) and Windows 10 Mobile or Windows 10 IoT Core (IoT Core) images. +You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages. - IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges. -- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create an image and/or provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). +- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md). 
diff --git a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index c302cdc63f..41b090e5e9 100644 --- a/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/configuration/set-up-a-kiosk-for-windows-10-for-desktop-editions.md @@ -220,6 +220,9 @@ Using Shell Launcher, you can configure a kiosk device that runs a Classic Windo >[!NOTE] >You can also configure a kiosk device that runs a Classic Windows application by using the [Provision kiosk devices wizard](#wizard). +>[!WARNING] +>Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. + ### Requirements - A domain or local user account. diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index a4e547e904..e872024dd2 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md 
@@ -106,9 +106,9 @@ For more information, see the following guides: The following topics provide a change history for Windows 10 ITPro TechNet library content related to deploying and using Windows 10. [Change history for Deploy Windows 10](change-history-for-deploy-windows-10.md) -[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) -[Change history for Device Security](/windows/device-security/change-history-for-device-security) -[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) +
[Change history for Access Protection](/windows/access-protection/change-history-for-access-protection) +
[Change history for Device Security](/windows/device-security/change-history-for-device-security) +
[Change history for Threat Protection](/windows/threat-protection/change-history-for-threat-protection) ## Related topics diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 87134c472f..1cc9702d45 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -19,10 +19,12 @@ localizationpriority: high **MBR2GPT.EXE** converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). +MBR2GPT.EXE is located in the **Windows\\System32** directory on a Windows 10 computer running Windows 10 version 1703 or later. + You can use MBR2GPT to perform the following: -- \[Within the Windows PE environment\]: Convert any attached MBR-formatted disk to GPT, including the system disk. -- \[From within the currently running OS\]: Convert any attached MBR-formatted disk to GPT, including the system disk. +- \[Within the Windows PE environment\]: Convert any attached MBR-formatted system disk to the GPT partition format. +- \[From within the currently running OS\]: Convert any attached MBR-formatted system disk to the GPT partition format. >MBR2GPT is available in Windows 10 version 1703, also known as Windows 10 Creator's Update, and later versions. >The tool is available in both the full OS environment and Windows PE. 
@@ -224,6 +226,7 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry - 16KB + 1 sector at the end of the disk - There are at most 3 primary partitions in the MBR partition table - One of the partitions is set as active and is the system partition +- The disk does not have any extended/logical partition - The BCD store on the system partition contains a default OS entry pointing to an OS partition - The volume IDs can be retrieved for each volume which has a drive letter assigned - All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md index 73f648a7ef..7df51a183e 100644 --- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md +++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md @@ -74,7 +74,7 @@ The following steps can resolve many Windows upgrade problems.
  • sfc /scannow
  • -
  • Update Windows so that all available recommended updates are installed.
  • +
  • Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update.
  • Uninstall non-Microsoft antivirus software.
    • Use Windows Defender for protection during the upgrade. @@ -573,7 +573,7 @@ For more information, see [How to perform a clean boot in Windows](https://suppo Code -8000405 - 0x20007 +800040005 - 0x20007 @@ -667,6 +667,39 @@ The installation failed during the second boot phase while attempting the MIGRAT Code +8007001F - 0x3000D + + + +

      +
      Cause +
      + +The installation failed in the FIRST_BOOT phase with an error during MIGRATE_DATA operation. + +
      + + + + + +
      Mitigation +
      + +[Analyze log files](#analyze-log-files) in order to determine the files that are blocking data migration. + +Note: This error can occur if Active Directory integrated user accounts exist on the computer, but these accounts are no longer present in Active Directory. To repair this error, delete the invalid accounts from the **Users** directory on the local computer and restart the upgrade process. + +
      + + + + + + +
      Code +
      + 8007001F - 0x4000D
      diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index bb6ce8f949..937be3b7e3 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -40,6 +40,9 @@ To enable system, application, and driver data to be shared with Microsoft, you Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +>[!IMPORTANT] +>Upgrade Readiness is a free solution. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. + If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. If you are not using OMS: diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md index 4e36256cae..7cd077d90a 100644 --- a/windows/deployment/windows-10-poc-sc-config-mgr.md +++ b/windows/deployment/windows-10-poc-sc-config-mgr.md 
@@ -1,10 +1,11 @@ --- -title: Deploy Windows 10 using System Center Configuration Manager -description: Deploy Windows 10 in a test lab using System Center Configuration Manager +title: Step by step - Deploy Windows 10 using System Center Configuration Manager +description: Deploy Windows 10 in a test lab using System Center Configuration Manager ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.pagetype: deploykeywords: deployment, automate, tools, configure, sccm, configuration manager +ms.pagetype: deploy +keywords: deployment, automate, tools, configure, sccm localizationpriority: high author: greg-lindsay --- @@ -14,6 +15,7 @@ author: greg-lindsay **Applies to** - Windows 10 + **Important**: This guide leverages the proof of concept (PoC) environment, and some settings that are configured in the following guides: - [Step by step guide: Deploy Windows 10 in a test lab](windows-10-poc.md) - [Deploy Windows 10 in a test lab using Microsoft Deployment Toolkit](windows-10-poc-mdt.md) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index 32af71bf09..ebdbe4e613 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md 
@@ -54,11 +54,8 @@ Topics and procedures in this guide are summarized in the following table. An es [Convert PC to VM](#convert-pc-to-vm)Convert a physical computer on your network to a VM hosted in Hyper-V.30 minutes [Resize VHD](#resize-vhd)Increase the storage capacity for one of the Windows Server VMs.5 minutes [Configure Hyper-V](#configure-hyper-v)Create virtual switches, determine available RAM for virtual machines, and add virtual machines.15 minutes -<<<<<<< HEAD:windows/deployment/windows-10-poc.md [Configure service and user accounts](#configure-service-and-user-accounts)Start virtual machines and configure all services and settings.60 minutes -======= [Configure VMs](#configure-vms)Start virtual machines and configure all services and settings.60 minutes ->>>>>>> bb842731e73d0f219d021f0869d9b36c8aba222c:windows/deploy/windows-10-poc.md [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration)Verify and troubleshoot network connectivity and services in the PoC environment.30 minutes [Appendix B: Terminology in this guide](#appendix-b-terminology-used-in-this-guide)Terms used in this guide.Informational diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index 2a1c0426c4..266a77fc24 100644 --- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md 
@@ -127,11 +127,9 @@ #### [Use PowerShell cmdlets to configure and manage Windows Defender AV](windows-defender-antivirus\use-powershell-cmdlets-windows-defender-antivirus.md) #### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](windows-defender-antivirus\use-wmi-windows-defender-antivirus.md) #### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](windows-defender-antivirus\command-line-arguments-windows-defender-antivirus.md) - ## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md) ### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md) ### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md) - ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md) #### [Create a Windows Information Protection (WIP) using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) 
@@ -152,13 +150,9 @@ #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](windows-information-protection\app-behavior-with-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](windows-information-protection\recommended-network-definitions-for-wip.md) #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md) - ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) - ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) - +## [Secure the windows 10 boot process](secure-the-windows-10-boot-process.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) - ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) - -## [Change history for Threat Protection](change-history-for-threat-protection.md) +## [Change history for Threat Protection](change-history-for-threat-protection.md) \ No newline at end of file diff --git a/windows/threat-protection/change-history-for-threat-protection.md b/windows/threat-protection/change-history-for-threat-protection.md index ed82259478..c664fa8066 100644 --- a/windows/threat-protection/change-history-for-threat-protection.md +++ b/windows/threat-protection/change-history-for-threat-protection.md 
@@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Threat protection](index.md) doc [Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune](windows-information-protection\deploy-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| [Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune](windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md)|New topic for MDM using the Azure portal.| |[List of enlightened Microsoft apps for use with Windows Information Protection (WIP)](windows-information-protection\enlightened-microsoft-apps-and-wip.md)|Updated to include newly enlightened and supported apps.| +[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Updated from existing applicable and relevant Windows 8.1 content | ## March 2017 
diff --git a/windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png b/windows/threat-protection/images/dn168167.boot_process(en-us,MSDN.10).png new file mode 100644 index 0000000000000000000000000000000000000000..97fabb4625b7d5ce627af892cd097ddc6ee934f7 GIT binary patch literal 38711 zcma&OWk6JI7dAQuA|Rlo3W$JoNq37d(w)-X-JJp=0wUer(j6k*(p?fmch|WGpXYtw zbG{$v`@sk^v-iGZ-D_Rfwbn97T2cfR`6V(00zrj}zLSMO?th0s9^89;AG|Z=r;7pp zL9!B6v4ucTFyTMU((BxO0Ji(3*?uOF28X^*RYXov~;vsIPKueI|leZS|9DVlclE1Mcl zD@fMw6!1M zLLR(JjezD^wxG9v_KnK-9o#0u)*~GqB^|ZGO1`J@fX0kw5fMC#M@T@}Mdyajg>d8f zW6S5XL#oiPuC02z!sxlS*Yc7(UHIW4v@>neVy*D)-A+3V6mwElr)oePK=-a=2M_Mz>JMTHNxCvRfzXq) zXAJlnE;dV7E4q9+a<#S+KU;7fw1jYab+$Q7aWV1ys_(ZD&q%>X^Y(i%D1l#d(}q7^ zHES056B`2i)ruWSYerLy-|a^YmflY8vE*)g0(mp|NNUgL>r5oa-h(&zUOW8i?hh_d z`3)C&4PH0Q_t5*^eH+o~2E3P7eaqh!MSOM-zFjHNL^dUb`7$l&|K~#g-CLN1R;b-z zd`_Nh{r;FEl=56&<95BiAb)9_YoP3-YtzRiwyA61ion}C`cT%bV+1FLZbstopBOZ)PH7pW3lT-pb*d?ivy@kcN6g|4?I4%DWE?R8j_^a%T2 z%6jvfc8srC&gVYgTC6r{`!?;EaYQ*&l{t_p)gki$0u15lSN@1^jH!hMd6|sabr09s zpftlaS>5I>abSSF8{2G$K7<(+8N(ipJM>K#ghR#{TMCxjhtHS4y07z0WuU*@T3lFM z6h$CglXvpmUepb|;n&~bpd<~uRD?hVg%{p)!X&<4$bND=a$?1%*jw36la6UUuBrK% zF;C;-A!lN|4^!y(D=7SDclC_sVkezFxi`YMJ z&~)#JXNCUh5~OE^gpNd;+r&xekEwB`olM0JyF=TmcIDS}CL85=JR~p^U4Pp{@bGcV z*0B^)O#X92fy&(p^ki2Lt}b%Cp!S{M;gF-4`*vXhXwSlL)B0jU$yvgWzHQ~}Ol6$L ze19-ToE1j)(a@#1CcJ1TBN(@|!;JF<>w4KwUwlfK;cvdnf^E%Y5|ob*2Sbp{q3v9b zR1?ki_#_bis^7)Axkwri9!Z@!I+x_FhQ~#aZEnJ$CE0ZzCy&Q72)D11{}1Q)*Vp{t zc%uK)`FT|`Y_1Mahb2AAJ|#9AceCK-9JFd2xFpYBN;x9NLF{;9|HO|F!jJVo4)*`b z{nl4$v2vzh=EFU2gDk4+pJ)pj+DeZ_$Lj*&14~x6F4OXpld{SZ4{hg2^(^*MLPU5V zO0yD**elgJXS-F@&*n1w%tEmAYhE~BFXN-Ucitid7$`rMh1JNl-RHUOxyyt!b4)`e zoJ17EzNp=~UI+NIzFIvHR&a`(D_o^rrjf9D!E`@ee`w)cR@m5O9a?CUaww0OdKf!x zEq_veh-b2!tl=h}N8|VdMhN3fPhl+kL6x5A{q=4$%tpKk$pTjpxVkdME1fM z7p?F&qkij9iZ_#LbS{5P#g2zy;_+HPmU(vSu$kjCqmqZd^h8S~56koQK@Mp*06t5ea|H}Gaa=!t^ zu>V&oi)wwMU~Q3YkJ~fuC-A}0E{dG0^r;zfF!*$1izTNz28Na#X*jZ`I?P+(tHM`n 
zFUe2PL{93scei~==Z4#|r^8U0UVYAm2Co6Q>e?cfir&_)C<$&;iuy?x7Wfu{=XYJ0 zSCIukog&p0j~C-nt46{a%)eg;AKv)BAZN>98>;VZ(8jjYHlKlfbpf2EX`0p0_}D;`X{E<|o!(WS&0xl3d{+v|k1~NY z-wcz}YU6&-S+cZtxTLzgw3Z7McV-oE-sg^@Z4a$VU>O+cQgGf+xQh2Ii|aMgp-meo zoNb!E@Sl%$LHl!&t8q!DveA#9PA}vi;1h4pM^N_hu*U7wpa;rSZnE@no9SU~9o&mN0d(GT%`}qY?FV@LxxR$UFo4+ zW44(s!NQWJG@lkAK6TlVl%rY~?2f-~#}{uaKkR1rbXtr@?zYhMzAs7^?JP1vVs5T* z)c6;T`CfC4dV7k7GpEE4tTz1Y^{5b-J4O+EZL&t;HUY{{HMTd{(M4D0h}SHf{Dl>D zY-JXd{RXOPb(YbyanFaef}7TRm~>|+ANB-2!}?UU6R2Y+dqLGY*$`TDFMsx+9^;_O zQ87@^_P4aFXKvcJk1yC&>xK;k^vTpwAx>`^3_|UO`d^v#3s~FonTE$&rc60XT5NUI zt|kc_CfLi7k7vE?r*Izp@Ud!_$<0$+idpT&iI8Yjd^+ z^1LFWH5;V&&xu`oi~I@7j)!ddV{MRNGthtJT33qVi*!z6zl3GF;Pt2-)nJ`-=fldp zC)hD1EO{+>BfdtX^G{B_9UE#=erA;9RP%DQ9jtd6IP=Elbl2-Jn149Dj+m%!$FO&J zx~V`tCFiX&!uD2GQQ8fU{;_9P)zv^kZDZksLM*D|BSbblOBd8~LIpL=wymY^&AOra zRmXmtc*&RCgnUxqFi|aHHIQd5>NP;&nq8Nauwg_V5-weA&uUVpQ~E8L8SEHgh3;iH?)dYt^Oddrapn8%Abl>>94YMp}QSd8XuZ zzKD~TiPLbAr5?$melVpb9orR<0z3q2#VL8Zyvm%br{>= zsRb1ogClGHjbAXyC3J17hIm>ihbw+iS(PS%C7Kk=Fx>7kJ~FG4^N~j?Pwmsel>~7 zvUE*yxleyhL%d$KJ{8GO*pa?TxUxNHI*bNB{DdAb|k?5zy+BVCy|e{ zp)7_`$9S;$MPZM8ii9HBbyjJ^U}E=?q`v=$%Ehb0OQx|3k@_YHwFU-bnc~JaR1iNL zY0WNJgxm*e24jB=4Bga4vt)RVOK52}GVk2LC)?3bhN4F+JT@`3aT)5Al$6&-&UT-SDv*8!mcQbyJDeliwNeM*;C!!=qWBl2Aifu^@ ztA9L!#cOuubt`Y!YrCHU4*@_Ye8d)&FPBo3BeeV+!92oBx6HSqu9}f8o5pxGXXUz( zr<_VJ1hY7bEYt=KH*PvBI?1a89y&!n(NQyZ>4P{Vo-otv{$M)U=9}uMVK&=$C=L1h zABvp%E0MBQbf;}Fjnc3jIwlJ_YgS20R!LB<*ZaA<$ObIp{fb+ zKl&)gbDeW66oHHu3tFJQUYCjK}JIV^Ze>^);&-X!~3<>B_~b zKlOPSltnAo+sqF{DnU4YQ~xoBv!?W`s_B!L=G|jW1G2H!-uA%rACnwbVuZ`MPYJWA z1i~T1n|iLC0ShjDa%csJp0@EUYJ9Fvn*DuN(BmyJfgKXT z^AI`((a%gzP+wqm-B{(Ov9F)-I{to}z-PzE{&*Hl7z_t@L2E_vwS-jfyuP2OtFD|c zlrOS9>phhw-G^!e541I3{)QNfrwQ;m*wLaop98RAaHD&)u22%Ac6q%i`9_eK!#+5&~HMyabC4)yTC~=SEcYsI1)? 
zWF}1rOM_n5|Mlr(KVSpz7E>;z_0<=Rol!k;+g1)@Bq}s_yrS>c^a)zXdLL5<1x~Tl z2jj8hUg}c5;#?Qw*aN+^mErI`AePx7REMJ-ad}^L#8k7F`A?WsnORo5SKVw$&D5G1 z+<1@`(ZRn4C|SVcXtes=%F3O(>nnSOaO3i8EYXr$D)`pb;ts8Qu#Ty|FMXUG=Htf~ zQSu<(@E5Lph9(AiGZCDx!W7TY>w)1F&Y$_t_S4tE@VOr%rmB6te4@ykScQUi4^mDD zEGCg?ao`?P;<50u(S@ zcf^8lG#7;V2AuJM3{5#*xrLe6O`VX6oM?ISU3T(*8f1;92Ua0zrDM*1VoPfsAK%w5 zWN`w4sqw*>C}O~X)Gg<1irHSs5qc7#j<#-YL2jK5#i6V^l}cKraMkd^c1YcqLLNrP zKb8wp@W+uNcf4G0UZ51G+`Flen&`pINpPhicfPE-(U6qUd>^82Hf@<(T&N^ZwIB{B z;9fiFl39CC4skRoiM18SD6$Kax_C}3n)KUUrEaQMUnd~J$@5?+Gty4RER}fwX*|JG zZoYRZ&Yg)k(Ruj@cU1leauqnEg2=@EtKP1nIq**Bn(YHZ8bX}Nl(DOKR3&+L>F2l~&}0RLYestg-72vppl?uLhB}0u+iA4y=QG4hk|m!aC^9Vq{6}9wD06bB(5XHPC%jbF@BVxD9l& zJSm>tvx}>3E^J>Oe5Jw|42Ie06N`E0q{au>EkX^v%7^m3S#qk$oySPE_iT6*k+v3w z$hcmVf2kPL;Iy)HGmbndaxo<&(4>;{e-VCr)mN{@>7$ojDG$Up{=_nLokG~)Fj8}3 zGNGH3^1v{(2QF&8;z(RIbNVuiBo!j2k6y#2^>gwu65@N*>(4e#Nk=_x%L(0!+8TN@ zb$osOV;}O7u1|i4F)C!40I6_s2j*P%`F%fD3uw+)l!{PZ9;P8qCO6@sk{(TNuS^L_h3e>dNR4|sYu%(cUIx3 z`SQ5eBV5x%#+^riuhs5_KynK&tj780(eMC*b_(JP?#^(!g&Zp&5=IfqhoX%Ek#8`S zySsHlQCXqzH3>rZ_Bj?hdWR%$;uPb_rw8awu6wPu=|52fDSjvxyJ^VI-b3jZ0!BV1 zZ6##=q>a;jPDZ{%HtsC`el+6s)o=8CppezL9yFC#U{~H0u+2?nKQrF#ra~ZpWS5$9 z!%4-)M$l>SC2`Ad?d`E%D+@12_m>6OCh$&9jxUoX|Ks7nZbEO2kxfskesS(MsoiapzL^y6IBMTSm+&9a<8U{!9O z+uE|QjJm!9_1vIL?nfL$_@Icma>j{P{ios?wP`40yPgYLtMu?;m!B8yxExU>ZZD3>|YD}BJ3$h%%$>FV|I%Z z@*)w|h|;VeQ^>xn2=k3{0)qX-3x0o;))U_)&JG%&vu|$|*lk35?B@=!l4@cakIJqc zq4c!VwV81W6AIuWKN}V)GYWIqo{fJ0^6kX0XNWl++K9xPHpXjMeWLVN#6>BR(BoS(0EwJk?W565~rBK?gCGXRxsnbqP1E+%9P!}6v^{) zeAMUgsSG>BoWIEwOM7@=6LHvmT`8vfC@q}W#*;tc~t~6^vIjh%3S1TUl!p28xs*JV|6n9XQWJ zL7kg)cA-~klXvz(W-3YkBkdgmOR2LyCCrhElQHndBU%Iyq83k9$9?ECBgzbLFDc_B zxs3w57L~s^f8ct(N_|Vp=X~kxf&3dy*+y!mITCnr7dB*tzNF8mfNqwL84v9y8t3CY zbbCyH&)4T0yOTiY9wiAvJyu$+>cV???0MG)&4ae7ZL)3qczUHW82&1|$atZD=eGHi zW%n71A}6!NRnV>)A&U}dxd)S@@=!@=?v|Hk8T&=v{5DAQWj+{p z2Bj}Z(1<+Wc>a8u_fP5B^C*tVRpjyzs%Ej~l!aHuJsj&|J#Vtjct|5|R@``fwhnIg=~ zUTU$>feZfBJbzbjnN-7n4XqqEYrf)G0f<0}PY2^e9!-TEI3Oe0C4DF6eRz65-RGNf 
zGIM&bjRU4UJ_Z{9rPluGcrLXF+GD9_w<%IE@q6ypeW6ex%{}{M?h%Hk7-*kE%d6!p z;r8-PjicfkN0c4pN@t~W@_sd>y(zs)2>yoVh_TASR%6waaq$RRJ%}%L?Dd!@0#T7r#k~7drqE?r+Z6-kIepJ zL5^7LdH3B;nKvO=02nnWK;}Yc)*!29?ygXICY~uMxbiworI7GzpsVmYM>as1-n_=| zV-a}a-+kt1p!g@?oym(3s^Y}P8m>lC{%78+lKBt$apnK^;yZvZM zH|a!oG7D&Ma@Mb;PQ4}Xw*1b;5kw3i(wIrc73M@kqe%US#3QV}4~xra&SGCQP{0Uh zbgY0P?eOtNH|KI#?mdmZK-03|tH?Q!e}UciiQJ=@XKCDtJTDY=hmK6ndQ_g&0Y%I6 zFj+zO+N!pH9vr7OJ&qL2j8?ec{7yKI?+15MFmZu%(!yp{BPyLKXt92ndFrQxZ($oi zdZq2uRm}FhCu=&id+6*6Of>9yWrDnO#-Fp)>yDu!)U{;XIAzM0(~mWZIb&NuSB!0=-g4<4-;IWQkRXwgjg`{&=>Q398sI0-?)ez4|iLd zY^n&oTgSa_X>nGX?82sZD+$L(wlnkz&1h*f|;0FdE z6HYn2DY2R(BcHbswr7O|u?y53D9 z?>=-sN>&)UX_sS9bzI@!kcl@cUxob`#wB+~Cq3YRiPUF4>RtWE$vDx^bm_I7jAue# z)^T)pcgFR~0hggg$I>?l=d+W8hu*K?C+P09rBbM?6a}e}ABKW+6p@tJSQ7u{tDb#^ z9DBTOmaxk{!*vrsP&?dRTK87QKir7mqUv?kL^B)jxq+O5&eHxIil0Fm&VCgcf{8b? zZN1h{OkNa%o!W<}ak-5+;RXTD{n&d+J7G3xhT07cgS0KCT@yd0Wb`zZV;QtEYm|JIsLxg=CXOjv8A6}Eh8SdiWvhm~lKqoC1~%RW$iJER*AyUs_Up5V4W zL0#_|#7#17ilY-*DjSc`SLwt(68VTjXsGn2AfK?5FSGyrTAI8snk17v`73=!oFR%M zNh*~QANd%;F`Pkay4QAp$Qxdg1woHfxx$*OGwK#hq!m zX6!4z!xE1nvRl}SrG3ST0m(qn$92m(6;~?xQ8$*+m(-F`12bRJQxZ(u2vaLrjw{C6 zSuYm@sx8G;{UYzdf|LH;r4*6Z9$b<}WD%VQu^wfe70M2W0v80y`x21rS*$ zfyZhbQDQ^@GsA%dyTw?N+cjAPN@G0t6)Ek$WMf6s@q!iP^9#pY@BbpB>~%K(h4oDG zj9`pP9~S|AgA#7^a5hMxw$KnKzM*NIzX4gg%0@XM5SkW7}>jRqb zfDhLUyeuAaN|E*{=9tK}26E1Hf!GaVR*26H(O|}84lf|{0D#x^t&;N$`6;{%!{YTfEu>yHOd@@4wjP;khukz=^&2 zft9I@_~<#2%yb%p%YP88YdBR;1%}0a2ge@qV!)kK59zI4+>(0n%f3*I!U?PY7Q(g=R22aEZ`eLcYFQJdtpNB`MA zkTCIXG5W8cf#2px9NZ*E9w=5onVAJ3ZPeCY;S3Ix5}PEqO`(mLhYpGTN`}1dEvAd0 z)QY{e`R#9}f1wZrGK)%C0uTM9&WKq7Lcmg2eq>|{GRYvG+#e*#Xv?gWBGQaEDd1p-qk&>MW+Mra}Y{7AdsYrJr8|=!)pXfy9hnGklT}tZtTk zWmNfBtl>|Vww{!TFp=FKyO5|`Ak;GAKK^ZXkKW%14s4;q)4F%)^oSChkadBfGS@_2 zu*v&p3s~IDr`ulo9ZYI}H8hbn{can@MjFYll++8DS}|bC$4?HI6eZ!f=x(W9cz}#; zK}?8aWn0>ZZG@}f740SPUqpK30-S5xADyXsbIFU@)wgUA7o5LTsAp0lXzvYNZ_8a8 zwAA_mM8S?byk$e3T{(XrDG-1oHU<0()F&^H(`)W_>o47TYl2KQbUC5PJi3-iGTsCm 
zFAhhJ*l1+MpY0n%#3gn2HQw#Tf`$KcfZv)pWEF1Yd#ajU)Vc45sp8}NvY1?mV->;K z*?(X=*-eyklc*=1KP*Zp)~rF{AJ7QlcTE2exc)DT>j^VOYk|`=u%q2z8h~2pla2ze zQ>%Jc708dCa>xD9|Jqf25H%Ufkti^oe=OGVS79Uo_S;?vk==K7Hns7D^E@y%F0X&R z*j-?Yb-GJEW($HCwtiio41v(z86f;FUi~Ax(XXakyB9TN@cQ|RrAJ$6A>{#o0scP` zCzOADU4629hHlVVHTdl5%zb`Sv?f>Se_cl+)VjxRR#q6v?LL2e^(Ff9KWO*PGVERg z$C!jwu*^!m`DPCZV%{=lux|A)&w#zZD~_=RK2uxa`&g0mX*T^Fr=C7tg#3I8vW&MU zm%DCNw(o7pRpE?~wGoE3oEFDJFr==1jHVe-mYM`3^&7eA3kO z;y?V#<=nwxZ4mxf==4Ifx}Y8W%wdSJW3YX$)A@+nw$5@`@lYYQE?ly-VXK5T*yY8r zr2$dq8c5;1Wj))>D22O&JBr5HU;34vU4iU9r~jIKhE+U<^CCdX?WjR|`z|@IZ<-h( z?N9zW$iQx#FaVcw)sE=x{+oQq$szO>;a$&v)%IP(O+CLcss?r)DW{@h`a?~CG=drO zXJxMr5!ef+W^%8hB(^5yhv~?_dhVb%2nDd&-&5CiH#=bS$^whuhy|a0m6yR_)hil< zupx%rL~P*AtOA6A^(D;4J)t|>a>s(_B^u<<&sonDxNEt?L@9Vt$VkG|Z<>#YkqoJl zGiV`P()3O)lk5JO143ha+?9W>+K#AZ~YDhg*oxtZ-ZzElODcDyHgX&AAFyY&#$WHXpuC8Y zdGz^(?9u`Pk=Z}=7#@B2U1gYWh-(FQhW!nQ$$G`x9wcT1NVXEjF@Qtl{#fC?}*8B4p_*STG~(4mKM+{S=a5cu``tX`h1tp{rZ+9@AOJ1se{ z__6Tl&5Ih|T!oa)&#X#?_fl+Q%NAAstJ7S|REq%)C+op2_J(tafw|i;v|KU5#u0AU z)E%B;_c)t)5oQE!r~hK284#?W^fVNa-HMXC8z$WFurYw(!vXA>!r1i;-R|&KTC<%Qi_^+P| z^SVE#lI}UM?CjajDd`A(ye?eAB3yJL2q1{T*H5Jr(Q3L;M@h@csvw?j1DeO}Vty!^ zy=N^%3>^wT74;!;$EObGCb6LW$`zHt9fO)-6F7(jilJZ|H@agnvjzr}_BY?L|5 zN<{P`2$-s@9Z3>q+%c%+FovOw9JZr_ZJB;U9)xeYi)kkE>zIdh~HnSDL zS87YO=^~PN6t5a;hd*HK37DFTQchfS*onfi7a@+SW=TnXAUiq+HKNh-t9jp$|Z+4|0&JDYQF5#f}M zN3V;qw_|7e3z^+^3AHpamH?Uju(0{_U$_y3^Q-C zkeB(=%25jP&VAFApp1oYeB-h}N`>W-yKUw9s6Y0WQORvwn1t6Z>#IpE!D*|;L*wvm`cI){cA2-q%vUxGZ(MJK zFR}T3dp}YKc52Vw$8X$NQN$Pw4~b?>ax)k#D{1)`<`$RSXB!HQv(hhIv{a3U*ggAy z0XZ);3i%4z8b2tD@Ur-n{~d;WmV6WaS8?i9$dXo0&C||rd@F!zm-Hb%3fUe*mNkB} zV+)l4)R4Pyxnu!uZkgtI7kcd$>~1V9v%gMVPz{+$HbtVG%Kgxg4!`+zJRrjPMJY!w z${s_E>6s^iy|=+D)&`0jk3ahjeI?a{*mMZ*JH4akg8*JqxusF#U^$hS{8zg5vcT#& z1hUG+tfger#s!h{7>X;vu^2}q%QD0_-#R2mbM3)3) z(hC0*KJ0!Cv%YTHk~O_n%%(JrrLUJIO7)62sZ`v@+9x`e+w1Xc{jlCFdK)I#0N^GZ zP>!twUY}ygH1e}aIxaVJzLjFls?Z*4yF<#uquNlLx8RXxEo*II37i}Zl!1u`pclyV 
zNd`~h^p)4>;(+P}FNZ)h2M-~{&zVMQVolI&6sn;LsxbVgJKI8PkFVp%E^K3}?9&Qfs@bkBY%WoTd;(O%4pcDEAZFpUka(FoYLXGS6X! z6%qz8fyOzP^fJx!BENd{w7&J-bSfhUCd zImNs{VtJJL;E&(`M{RvQN!Q!&BI?iCS7?tW+#}H#e2B{gA}=DBl4knNa8V z2X5p$>}#AcGt1|&Cudf!3RWy380+kz7wa=a9BayVYUHoXv;T@8#-dRx0RQcpZ1)K| zus`%d{7DvN&;Bpt;KcOL!&yRYCi(q=C=VpCf2Gz9wRYEynE36ew-r5XG%_M~QLVS=E)Ve4Fs5iHEV!Zy=V@d`F*G(MwBlU@QbXpU+HxpNCfI-^ zCa64QbKnGp8W70BGb{F0M5y30x2WQ=G+a2Q) zbO)yDrg<`^=FXCJ$H@0+aag~P1Rvo=c7x22?pm>&)JaJb1%u`I`qiww(|>v2;uy5B znszidwJ?M>mtBk-8P54Z+K3IbT4?9w+M|qqy6F4fJ0siJ=2^|;SthB0+r<2x^wqU> zpTHfY+zrTlhZz@imm^wi?GTyd%st4%Id^E_Nh~)pQK3Ta>F7N<4SC`Prx`~GZ${a| z)Ngh6t7FDEB`z8cm-19dH1I(0kH|gW;1+N(WnIMCNf@8&iALkC{49p5lX6GAM^}gLG?-5#E?B|yD-9ZWM2S&!<)IpsLw&Ii9_D` z4SNsit+-?X*9IHcYbTFR{|T%{p5h<9K-B3-<`G+2TMeUDsb~5V=coCzdyL8^o^!mq zAmgRQU6$8tr@e2iLt^KM!jv%f0;!htJM$2-YsImV*`B73syg;boai3RFM24< zo3&p(>OjR9^+fH2Y<_w5$OG!r7I@Oeg-4L-_mVY3LU5I|W4KiOuNeqTWx{vw0d-TP z*oxa_Yfw7uI&}2Xt;2(T?VR2eD{np0?Ht=A)5e6fpT^}NeG5W3gR> z(0^Q0B5>Gs_Yuzlv_BYAJ{I3Ux3gngAZKZd4Orsiu^6-`N) z4^Mtnm6X&+SVuRF_qTmf4foKMRnhzeKVe6lV12;UBW5rPKY~IoOV4U?|9Y+{XGgkA zbVm>8$>N#@MYJ(9Srr@{Wq;r>TySND4+RN{Lv9SnaI8e>{l%V}u(f(yCSS`Bj>K_F z6>BDWa+NNtBsAD;@G$arh2rODNA{ zsX1#jxB>uoWz~ME=TNp^nn}&`QI6RMz{aX2ZWsIa7mID;Ls3J4=n%amdrf@32u}p3 zRQaqeHADk0)-^qFd}?!mJg)J4V*1w&dQbL#y4B5G#AcfTS=QfjB!)CpP!I$wT&Qu{ zB{i4YXdNea4RA5mry?;cpdmIm=gmp|^*RvRluR?2LG2In*ghU(tT=zjKpks$$Qq$+ z-@*QiqoR7JBB+M%uO|@5#a$v6`kbm}iZ~jU$3~nnG!@8=f;*)m13yYF%WiRi*69Hy+tN+mkqwbQ+or*5F+)6iOL#gQ0y znw&2#(ecJ$lOh2bSJt8wL8Bgc(DGze)IA#?upLv2PNP$7+hcAP43s{Fe?EG$%#L(L zeIB$N3^X97h#qI_zM|{F-0Y*`&(J9U?H0( z@4=&FHB=@w!l#zqzy|^;M-B)zt8LE~VTQ8m_3|wFhci&lm+_U5a>*)rDgHPdQ``6X|DJDlFhFfP^Cgz-Yp`PMG%K%BRt8Q6Iyxupr_Xcd+v-Rb##ZzWr5 z;`ruyn$a7Pg6pZ5b!df~)a{<^AiTdH{nk#p^JyawDdp`i`@n-8`O-dG&D*2mnDZ;= z#V8$PP;sQY7AUSs;0@BSdzx)4XT+(Iwn_$1J(h<{O!s4Ml4vt%_BDNY%;DZwYLtSj-Y~oA|gN(1JHZ zMR#3bE?PKwb~yGmXS)94yK|=>XkN1^>!E26Wjn^tYWyzFGj6p>hE~t;79{3|EWKC1 zpUrrUS~zQfq+jiH*uuE=_-E;OSk2dvAGuj?r{g>WuS(C@srLfYspV}F8^uB1_vjhO 
zTa_~6La{e8-x?j7E$#rWT8ez6u&$a~squcr=Rgc-C3*b6`J%x7T4q00%&PouK#Pi@|w(aT3Js2@?xfO9L3;53d`g5;N2tBiSLrDzI4fJOFtH*TCEAMGY-oe(c z>G0g%&NraHWv5}_a<)lIqijVkxDeX3J=PlIa=~3si`0~BD?U1yMe<%aw7!FZhQh-70u{{w-KUZqmWBL zep|)oQQsS+Q~P8;AbY%|(>7B1$sdU=@(aqwf`dbEAYbA0#5C2D*8vtXr z#R`Kez6eJx6DM-r>d5Z$qxjb^aQYKW%eD$dHXLoylX&G-W|td1Oo^SI*^4FqnK*Th z*u{q_|I(T41A6pPPuMrP&dtTT@BVH-cgmS^@E0pGuH7TXWFJe8Kka!ny=1Vhq8ueG z!?NyJa|Ox>pi@^2t`FP?^R>Col+fKof3K?{)UwX&X0O^^3n*cOT;vE75QbzyTk9Xq zpiHMJ(|We~o8B2~R>87UzVqLXTY(|bx7qJg;|@K4ULgaHlB+OMY4qI!|GB^4;c;E+ zo&jjTGN=MgZj$MJxr{8@`Wt?=KEZhC;$-&b!ZxBZ)!)O*zaPnRbywld-B=LNToCro zTJc(<+aKo(*p4VYuR1|tmTH{T7;-}HfQC)_ZnHK`DB&t*;Ig3~X!)*_p?l`$9H?dr z`uswz#X?R8nt~Z9{uS?4&3SKBJ>I0VDusG_Lb!wfYI%RWD%lOdk8|vV01i276uce~ zr~xk2{lqpTk)Y0TUBneHU3SdmZLn|a@wSk9i>#jWo8}2Q=#CR_qn=k8Q&ub(#$~d0 z&{x8~Vo{%jI29JbFj7mzTk`g!SBjK(c9y2P^Au*}rvDqyl*9lwE> z6C^YaF^-KX1yL8HjG(uO>;)z=c{IB6=h5ujC%+plf_l6JPJs<6w4%Z8a&PdSE}YKYFg5%R0Z%xt~WTR(e(c;($ufNpIu z_O&&hjs|1bgOs`KXUU_F-2l7c7_B;(N>Hg?{!H!Ns@uOc?>9XNTq!ZeJ)BIp4yYOQ zQO(?jMn%d03T-D^>@QNiD5Sf!>$S@n5c+QG{5UxMvijaeAMV4K*xBeq(3adNt1)$j zMTx`T-W8V)<2&daM15H&lsvD+}MZE1tYgD*amCSM4?>rT@-F*EBGKC)fc4V?jIL&cr zH%^swJ|baEC)Gc=4tqSz;Ia?xaS~zapIF*Gz4>S>IdV1(j?q!Ow%<51U(R7EU+i;6 zzcNR)7?u6@J`$kvwg{;Xmy8@#ZQA1kowYwbg4gHsnp|R$3IRfDiM3tliuCAlv@{^u z#b<3F%T7us%NTnzEx+Jnb6kC)Z>i96AV{xm-m@^EML*;m{7%==BQu6sI!MW#Mvn)<*-H6f>C*M;Sxk9Rg{{HPv}5l*^B?G z%Jh@WXSs}(jFu`#)DR~)V)SB`NVKwoEcG|rVwN|yqCU2PA&*gU%BUYhCDdLyc}Oww z!C(y_=fh1+y;UJ*G)%T)yHQ;e8?f`L-LB;ig_R@SE$tY*%s5Eo`=&hk@ehj=((4-WePYo1AWA7$sFG6@DD0k<4A|6(Sok%$9R2uFpy06-XA1 z-{>;KoqirjnZOa2_rgi`@FFsM!~H?bQUo`(6j>f)vDN*8PobtXGJ!$j8DPRHXBZlX ziyiU;g`1wqzg39Nd>u$Z1!S1}jOhzr6m)D2*01%W#fmc_^UwrYQO(=2) z;kgCWFa%>s@dWkb-lqR2`e3V;~qmCi*qXqUeKYk{a z&GQBOIY}Zc<))(vvhS6CcqC&ll}s&z>;IIE%Pxqyge5=GO8Dvl{+kW1tDT=ic(kv0 z8*e&{<$g7U^sLO^SjDzjTcTe|@wpZWKTnaCr5@T{Ku~UIW>2%yNZ^dtAnUhy6N*~P zU2YLNS}&Zn@zZFdh~lA=9r)R_P$@CHzN|FmH9YOz>?c$1kISa2H(uKM;6ih2V5_TQ zEwm`HSWp9wczhTd^WjnM$dRGOAsoHK-JN 
z({{oKDNP6vchNa(x=ra-Q2%ypf2>+}Q^Roq81``sEg~ZIO|98y*Yndyh-j}c*QH9% z;OXm(5>a;H-Wj*I9F$n!bC2)$edqT(>-@o5Fl%_? zes)~@y7s=GK+Slas7+rT0*42Yv%Xi`3Sw*w?pez(7)kHhSE~?4Ibruq%p6CAreCeh z8G}*4pWGen8obBAG&jA>8s~m5#nZ-XeA!m-xOvwM$bC7e;QBI0EUk`06hr@e966|v zc5Y~aa$IRnCzAh_5dvCp+2l0J>t0%{BrOs zAJJO;9b-caPw}S%CNJ&#E{PCiTt6GC zS8gNUT=cADVf3%dpUpetrKmcW-}Do&|G4=sa8j}tmj7LU^M)$55pJ|34A7iK`sTUe zFcav6l2*aKX!Jb=8)j&ad)(Km1fWz3rowL4c>X$7D4*BywN}TDaC}bK%d2z)&&OP< z$v7W&u~Bd~1E0}S7Q(__sz!xOj|#$>6{RfnM4p&m^fUx@>+Db#7|FTm124AoSwD!Xm(vt5rV4QD^`cr(f7Y# zzjiw-0`1Z%PVgga$1vKTL!GyJ(^ecF^^3)kh*Fj1eNc4`RO49h+Ny5tBkl0J?0ENC zM!mPkkf8#8v!t{GzdWxOBy0?`gXKP_Tz_24jI!Ja%5aj?cp;9%7Y`~Rz^2A5Fg4D! zc5v-FwIZ8TibJnQH`$v%3xaHQPP8>c2`H$2XqEOtPkA{U)4G+)lgULXM@Ae>Ow9_5zGUv*gI`^vWHTA1+$2#AN4u z!Aq{8Y)=gWJ9XRzy{BNB;W3!gSen**KNt)Z+!3Ch80lCM)@dLl+i_g*sv(R%Wd6>- zmy)jiP046j-enPG@Kol2EC>OBJk@MC(+5tgCwyZR@-AUu&RS}-VyG@!&s7_gkcSl? zJxB0VgmsrQ$GGhspR7Uze0j-J^f$9+(d7QkuEoyRe0`^F4={2x+wf{)vPnQD@d~># z;c^vlr$BlodVE#3cbPeUCdoTdn`M#ZwyA3sl8w)GkYv4-uvs(8w-y3qYw{@K8a4M& ziifNb%l2h8*vQhIunXD2&S$ugKhNw+4DY?^+14<)7IHekZg79Fe$%$$xjEKT7jDPS ze!0`t1xIyx>A+Y5xjEajUg<~Mu=l*RQCJ?WQ&qPedMcE2ifMi-~DNXRpHR%n%g4oJOFzgT$O&OBgoRrA1z8yU#=*iVd{6cm5dqHUe_`O+oOS) z*&LvSzf5*^s%T2(&I}dWtK_}M6=&;Vwwjwviks9&U*HgS;W!5Ur3#N>?_l@@M1uVUh#u{m%d zd)gTli0Eb(EPYN65urvi)T@VQQJqHbDHnG&23~K?Xgn}xXX8v)1{0|3G!QEezI)b@ zV-7)ZdtE+USG+;7U@*^)W+c{rc#E=R6qtz_oy-9BqLWKUyS^-E`S;<%W+aUo3XteC z?GL8+yNO)}tHJm?U9AHz2}ES==lsYAd zL=_SKmp=b11@Hm>k%qjheyVBuUEIiU#}W(SjFI=3!Xh_DRw5u1z5j#W^$;&W`Y}^n z=lKbcQ#i3U>{HsqN8@|@yGXgp(WLu}$@IF9%1 zy||Z0;ITELs-XUq!cj7v$>$wm8{afcDmOyz!u=4DOeaq$fH>)+9mupOr7y{t4+d$x zwS$bmk&s7ghY!*OORAanP{$&v9d+K-tnciYFmjBUtpPFMNJCj6*`ItJ47!t-Xjfz; zswiPW99XmFwj!M7`>^Jra(}i`;TQUCoE;zt0dzKK1TOq8?)`-ponF%kPP(t|r%=P_gH{@GOM;0_QExKE8m&%1j&;eP)1eIt7eas{G zMb;ES_Ym?{F3#!1rm@y`KN%+eGPXy58#TK@tFI<$Un|C%f@*U=&^oTN5`m&A-!u^! 
zuOa2P_arQ<%Q?l1&!p#0#Fal#ZNQ$1hLoKY{K9WDB$;v1(_N6i{|#J8dtRvU)XjbT z&KVBuaHU3daJCU73~^lji$}Di*Ibzr4+7DFQF-CIy>j7*7dC4+F;+yE3=gU z?)><49+;-|L-9TpL(TQduti~#T`e$eS^Gjr+>e2x{baW3){!f?FDp@>$$}qk*z$=z~U6hU566Ntg z&rL#~z}|sAEAA;>%bggdxrYhCHj0#w2|**}7AazMMcuSe76&v$m)w~*b$=OKc=*$X zD-8;I_0;c)aAqm|T)&T6D$%kAtS^<-7&;TdZ5G~%cE zbg%`;&gGlw904N&wLh@|nIA^Vm2Gq8%I{xe_=~G+ZhVSy&;P?YtC8y;NpYNj1CXs+ ztu5GT!yjwic?K__T13}J5}Y1=q~C?Ni3k8&d8|s@5xQAOA_RFy$^S zaPvC-(!|-!P*-2=+h-1jWV{qV%m%=$7)P~lL@A7)aT1Ui>mGTyNXNuADG7|NXQ545Ns ze_rnyaR!Cx<6Bi7N?SqK`NUQqCls}QX#er#l+=QilwnHqlaoA_%e}{h!1aO9q)&s2 z;q2TrE=uiUdR4_yR!*c4K6B;sK?|wC#W9>uahvz{+uL`=VvV`!>jM&jB-hB3G_r9kFfh+Y;X%xIn3-Xw7Us`_#b*Fb? zk0Ox@=)Vk`B7ADi+9^L?Ok)?!7rxMBMlY+MtBXk!)R|-CcfMwwV*uFpZ7fx8RDeuH z5uyu)%i;$=-sy% zPO0lRJ2!o^$v798Vr4hhip7v62^2`vgwm@^ zBx7#A5rr|628a0pgKTura<%u@mCsUtI=@7Fv%R4CQd;}|S~#vaS(fBio&E0evBzF@ z*e+_;zE98tdLcAd=Fzk=*8lY_kLG|}o%p%ne)axfrPHpcvAlNExP_yAzNfD8W)Fsa72U z&Vd1u%?^n|&{GVBRUyo1v)BpP6N)h&;r`IF)t)XiUCbieJ&_f9_=tL>T0Hrrar#yH z(?__f^!@yKK5}_l%8s>-)d!a~qPkeU!F9zE_TnA-KX>YnPMxJ_&AGp-DZOFGpZCVP zaH8^bPF>xqZtlaaFKv1e<1c2ODf5``|u9fF8+T1ng&leijnp)=v>_m)RJol}nX zIF;}F={QeRgdz(foixzq$E`-osk$?4jH)zny)sYD#Bh4v0a-suCUQL1R2SxCyZpg1{vOeZ{#?su<$HYP=Tb_@|j3EiW3qRAbSe;I5Ez#j* zVS7a7^MW^W3HKi|7F&ErpYreh$_$UccnW{CsPDymkHyw1atC2&c|t91cHiGOwBeZ( zYsl@j+=nA!*=F*8PdM7eDyxWD_D;a7dY8LO995cjAQ3m7MdCsH=y4U}Zt}%_#{&oF z{o3E5p1ifV@9@nPzs&9*@I*<9^%STbzQt#e^u<&T+BjlQf!_}xYL64?3u@MiKh;N%8c+zG=U)9zB zy#ar588+c&LtXU;56zl)jdDmibN^bKIbpJpf>)zD_BoN-#l^#>FH;%R+mjt#piyWVkmRo}$Zvmal73NC-MjK6g1tXeLh zUlhB5AEeGYJ9Y|-IU0@dzH0SWQF2`^i9r=NC}IaYUBBKIc`?Pm8u%#H0`cvO^#zFE^#j} z$|sd5x}LTHSWW)dyLSq72M#FMR-Kz|Z$0P_k z(E#7jI7hgnht|8gA|@$klHwQ@y06)B0`~oS`2(NTn7gDAImWB$_}!=?(xD}W>!#rW zm1!oHLNCFimfAyOgSh5u%eeup0LJZ;m;c)OA+Ytj%X>1Au+^cqrjCnHc)F1?R~bIL zWv6>?M&$|Njb*0MeeVBw{Jb3n;0XNUZzaejrw zy2hOghijEtiBiEv%fy|XR0NCieVw4a11+=xRc<2}Hxo1)JBDs3JzkeD?q!r;Bt|Ca zD}2MhylPzNnP}DUa+(?c<1`a!^KDI#wHH`O_FtFUl$21u0q#AS^7GjdY7E4ftidG~ 
zr@+1NlYtF4wuz8&<-LdwWaQjNTCGDqom8Txk1z7dg)`}gGN;-c{OM*lZw>RWx#=m# z@|btKI#eTjB?_^#O=P~ZT4!yk*ze!rZ=!=uk{KMQ$HZAhtKKC-StMAR|0G=?bi+;O zFgV^mFn0DP^!jN?R@LMgq(Y8-t}&Uw&8g<+c(GuKr01qTpt;c5b%jhZ)<;qE#+=5#`G*q@mL8RzIP%zFgLs>se>uT+pe^bbFN5=P(j?_TW8Ad}UqAK) zPfs4={PGCT1Z0u#ZRPN$Q?tkQVuF@J%`l@b{h4!i4$ALtR*~?($t2iJ1Vmjkqu!FI z>H3?{VJ=rXF7_AIQN40uUVTOs^9A$M_*ZoRCgL3NQ26v z@cF*kGgl|u1SazsMZMIx&)cVA7*yi516-j+oqscxTu5fZ-t7e1851aZ4k_%v5P&=v z{QfuBLXs>;-Y~yjY|g3Y*GgUzs^1Y=>3kq<4(NMZA&H$isQyVV@!=Z#g2l zAsX+v)%mlN>*yHl4gI4Tu3SsWct^U)5+d&2f$&TvL&FXMSYi38>6yWF{ZseRn~WEQ z=yVV9F8ljH)cADop%WY=$?SMquAK30gTu32b)|n(`{cInBw+?R$h_r&R3~i^z$B`c zG-rDGFIFChZP`lUPrU*wH&MwGB1{CZfaaI1;S1M}RkJ=xUT`s7a&Zh1M-_k5wlBdv zYck|8pOU!rJ?x;12po z2uJciIyVa47T9%u@8a||4rk~qB7yjZ#ejRk#7tHUUQ?A?lC4&Nt_n|3##|422~1G|(ounJQ(?c1b=vT7-bN*}_WGsQz17wM z1*IE>IvUR&0!h&b|CPSV+RSJ_^1l{Tov=~LT%$A~RS)v8G73SE~Q@PyayUU@;OeABD>0*wv zRkW^(e5_5<O+T&~0;27TYVm#W97~pQNwvL@bJE?82 zj3HA^Sk6i`1#4*+HuFK(@~TaXyziH%ZMy@GJLCY<-#c1uospg_!8;|gj%=2pysX=` zo}cJEl+pwD+)Cao;lUWF`lOe~h;K#kG)VPro;txJx-J zswkQG67o2x@PVM2&kwW#+tK1>O?f^)Pope$iG&%_8U2>~kd=N~Ei{;IAD7r)E-DL- zQofRW_G0Qea~-!&7y;GJI{rci^Bd1 znAM|YRvG*0cZ5AOMqW#{V2tDZ^CW`yFUnp_OY8)fZ*?g>x!ed{XA5ZaQ)@V&%G579 zIb{`69j-Qpil&s>WNrn7B(Wp1om#)x{FvB)4i^aQHDh945A)>GH3|Rruv1TsGodqP z5>j%g_A83x;?-f6qdV8M`7#Qg5ZaFyLwOUYhjZ@*alE^blAd(weO;+}>9|yeJ$NV+ z+DW+88`oBIxNOT3x$u^!{}m&vJPYG2Pt!8pWP68_m%MO)zzAtUo*Ksst(dIjUq0rz zC9ITc|1Au*8exO2)*gzfv{uDn!`CLe56ULrMi}9vHjZv$Hw`LFan^9d%q$T0%8Lkh zDLqWzZEx5UEjdd^+(g5E2Hp6YeyuMRRqglTYkNtQ(a3dllWSRoOdLHtj;>7 zyk63UU)PQ8+-XT7gfEw}Ax;>QFMs(NT&lW)ht7VssA-nXeBEKWWbg+}J!!o0ptI=S z_ZfkXF^Oq5tR^=phY7^qvAW4THar^O`Y%y%Aouyhp$%T4w9m>rt^Zu?DN zGpS|#-vUN|PKK$kZWt3ch@*Ts-(>wr+Cq9U2`QM{L@{UzZx;Ue=&87&o4WK08qYiJvuLLAz~nHSzauY)qnAcNfOcZ7M0D4-q=7fjd`IwZm3# ze}%v6@Hxun$77(jsW3&*J+nk7nsK()ibrD-*OSv-xZ=HRRHiC#wm6%zwus;UlE}Zm z->p`*ML{9c!=@eLl7RpLiajjt;k>tW7SH+2tMi6dp2#@c{&N58(aKiS$hF=un+oy) za|`M>(V{e(IK3O#K3=BEeW+gmX>7wIRb{-DE$6>gT=4%gXaP|srI0swSI#^vHZmll 
z_&t0XK_J_Z>wPzXzeBiUt_7ZXovx4QOFpPQ(_wU(wI;#u@5v2mVz!=7_kY@wA<>>E z`yC{P!$rlZkPq`usaZG&k@op_HhTq^*euMY~0pe3YP@S;og^2&hFYO zIEgFwrxdjYS({?Um=B3BHfI_6@$Nbiz2HZQ_FN${ z7<_XP0U}#uaa+xR5srO-gF?t*-MJPqDw=BYcYf?BM;ZLwVd6GRt07*_IbmE%tx8Lw z6{2|V>?~-eU0+3U_;;$zqBLFBAlP}Yg=k$iMGmC1ezJVXP_M}50y|hC?GR^G53UOG zN4dpuZ&eoIUC2nUIzsVa4+zs4+o;q8B&uFTfMKn7=xL1A3Uy2$jKtg*9`dX6 zR)n{|dxu+?IZc*3H*J+gmIcByOmL}owwkRcxBAGId@NusH2L={ zSbcRO0ok2?mm*38_H4qm9bbXiDtf1SauGm^wsgt`0NM`J09xRRcj5458^rjLUOw<% zrdP!Lt8*OZbkcS|se}?#m_}&B&Uo68+<@PZe2f1wmao!cpk^N9^qgvhLVL^^)$=b~9HQ3X4~M?;thGWT7wy zz+tN;H>5bucJ@18LI&rDXW`tgx7BavN_>+RjVK~U5RXlap1`&Xt_J)Gs}^%N6*Vu4 zH&^L&*joR_U;|G6+F-Hs?U9!WLA9Pgvb4>XB%EZH?6YwU*-+drMJt*u-o>|(izjyM zzcd7UA3VYxkDfa{cGtqD-nqnKoF$`ZxPud4bXzR$A2axkh+EXU zwDU^N%DCrm2WiDC045Kkg1D%(D)wJFbz3jTu3Bjba(675oMaP?lHE}s*txILK7yl# zv)ta1_-uah)1UL)~qlzI*o%B8}77p;CHcVrRp5)hf!k_gRd2LI*9GjKDd<}As#*Uqx;xEZ3p0)bW;5_pZL}VW% z-VI>boN{$A?HQwQ*bv!G`+|#lc54yTfvT{w`85qQQpRqIa@E&b@J7DIqO^mLfJvfP zV{JGA1^Q`R_F(-^9!M7#VU1O!+#38=zmK|O+7z1`+TtBss<;eleR?|+O+f(#uLZmCSNN(|hB5+TUKnH>}_%F33sH*Klx5$h4|X-)8?`4e>@ z+m(%`Y_K--yCrV8`&{q6y5O;a-&PW}=EObF^|Yr$EXj+d?Q4%GZU^AT!^Qqn;k^(X zwQN1*Pn$R5a@?2?V)#vvLayJMGI3Mjl9t_wMMF_2)@0ts5mg$a-lo z%9*pd#Qg|2t>We3567tCdQ~UgE`-H7k;M!KpK6xYIqW+>6opE@K+~PJlcQ23nkP{g za+J@L?V^6V;uiCVH#+1lRk?>KNcd(tp4-e>?`)pBsRpDt>DUjfKP$CUAK%V%k1g25 zn6mxKr558DrP|e2_3=gy$07$m`cL2u!E|+X6vd zv6^yMg@qNmHl5UrB{s~ZylIbvSdjN z0)b0Gr#;c2ex*B!rn2-@E#r9;|9lM_e!xl--Sa`4U>FGt_Z#Ks$cpDp8a8|3((Xlg zg?na?{}=+&EV3s)kW_gX6e=MkkkO=yvB^pn*-R2#9@zf6<|UPMAG9w6HluE``!cWv z6lw`Wcsrb2y^kg`cl4E`yuR5#5V@FRnYFcmFDbE`C!MmillFbf%m4LkVcP~j3oJYz zDm|4dK`}jqd)~?V`JbArBqXm! z%ITZIe;n@F`02hm0tLti0{_{AX-j&=F9|w}<#$!MV@Qp)OZI95RyrD!rDx>DeOp@2 z%W-TXh{Vfxi6-U;w}#JiLjvTM*8#s>fpx3F=i>I9x|&XoxHYV6OeasCJ1yW$?AK#| zDN%Rnx!z1nPd;hUSp^$DB%njpeNG->8RH^j-lSdeB@g}LdxTB? 
z(lRZ9U1(lyvGt+ZtC-_HhAzeS9vV4cOqCp*M0Gp*QwPryM09hnKJ%MN33s(ugvfYW zsP)c%IFmK+MT$VDqNguj&B~6hRxZE>Zpcax*>l{$)t_VUl`tF4tk+4Lknr(pAjT-T zR=&NwTO#Bh@wQ_4N@vCXO=eCKf~B)#e0!+vG<3XXqSe$4v%G$+xDdo_=T}sVVM}(B z%D^Rs1#j$f2eYS)?ff;ezt|pFlWeMLyp_=#UCPQ>8ROaX{wcft=X_$r{=l$9(OP)- zO~;*)5X;s(!AlYu>P+k^MtL*PKv%~lk%j@DjP1?`$4WDQiVAf~uR`N6HJ3`AKZyo^=y zWZ^u%DePsPWpam@1(D?QDpX1z*WBoAn4l)Fua^6a+o6uXdXA_>-1Gw?@l?Qf{2+hF9civf-7H!lXX6_ObSwB)Ty&JA&05LXtgZw4sqm{K!f$H-K_`obCac^~tb+Z5u3 z&O%LsJ)+>`WqFa4s2lve#1176P|M@F!4J&xwI$zNA%Kq6ln0{Tc@!Nw`d*ykwMdIMf;P-Eb=cvl7Ja~?zh6Vsz~0$qGlsl`lTrIPPekveg?4v(!kUr@V+wHl9=< zxE4^eEc})AD`hF3h%@xMbZ~Aiy>lbwR>c(UIm_ky!TC`g%QUETpGKqJ82n9E5FyjYmn6N zfs))U)4*7w=|hJpbcVy6cbR`@FM+wELC9UckCmH4TNi|=OTQVWsrtilDOee^HSC?p z>3F}qXP47@oKpKBZ1*bQ4PmaA!>H48<7#$|RWSUh1=Y6~_bh+0nmLaSGAav1( z3auKp3G;LtD9E#$0|@TWzapulCcKj}DcEVT79kN9x<0aXw0EE_Y3L}H9-VzzG_%N1 zhjoAj07>}WI4alO5>G(;#C@JbMm0UWcNUxcD(UW>B#GK#ZJfh6qTeZa5V+udB|ya08iaUsrP}`%|@91K+usRo)JG$1d<=B;~D={mm-c=EY|_ zLJAkzm05hTtoM?Z@1UBNb9dwZQtq_>7VQOILh)$v)1D}a zx4^2iv}@7;ri{07tD1B1*HfUo6azG$drspGNS9^hW{%8ZeAHS}RYe+^Ch7tpfRGhLoO z@H#W0^b?#ZNVm*sK;JPS2^^UK1`ELx79Uk{s2gr*wMdF z*UOi?Um)fe`icL}|M!VQeoR=PdAKF3j&z{RK)e+t@ijPlOcn=VhNS<|H-3pljcn_- zWiD*uo}}`9NPJx$PiE-=``ae~ffz^8j^;cZ5tpqfHyUYSMhj1%eE~`JKb;bs!YwSg z%+>*x{~u9A^8b+Y{6<>O ziujM(@~4wl6i5EHd!bCED!REK7Bm;o1=M5!TnW*X-2X|#+4N-_elV13alV*yv&CHQ zhSum~zWqFX?c0LsciTaZ|KzDN48utt)C09mCuF1Lh1OFUm^URRFGku3!i#u`N4hPrJK15v?4;>2;JHJHQ{t2(q`Atcg3 z;qDQRDP7ZnGs%s6{XsZWz?t)*>1JQ5sG*i*Q~y*#6W8lfCT>m%EiSBVnq7krO1S`u z^DYQ&ZImLs8o%$n?}$eh)k>vQ*3|aEggKpVL9b8i?ys`CXj#;Xf7V&J8eO%d?iD$h=N zUp!_GWPh2jsKO2;1h^^d$YBwh%8VI0UWICXnu8uyiljcwkB(FCll%wrmgi3!V-e6t z8JaKvgFBVwa$JLbtc1P94GDh9N8TUF*jVh6$s|4B?7V7900AurW7*WbV!@V$PoNc( z@^B3U8n>NYs_PTT@Gjx-w|`E*Ch*IRv;*@KPeR|{S@ z?)G8(DW^y+Y66Ofe_G~Pz<0GvP&yfprhgxt?obN6{Okmw@WosQZ*K(HoWk8M@=3YPYA?P50!hE(aF)z=qs2gC8%HyLW_b@jAWy zHu@ve>qg6Ei5P2{wL)ys+rokNFkIY&%os@d3oE8K$TE}pC5?7Xs9(^*q~vM6mb(0u zOMF;d&(=Vhw1VD>W5n$dEEW74Hg`EU(T{1xZjRSTo&FREVC7{uw2@cJ4I5_|5g~Ds 
zk0)XH>ex}axc#eDG@O&jat8FdqyIc=P7|-sKWwK7LcWDzuJ0KPrfTmEzFoJJhCt6|nTZ^Y?%Vh8`@R=9 zc4{O>7J9Akx8ujMOu0R&dT(iC6NifsTJB033{pRC+ej$e&?-%yEVg-B_r1JcT-)-> zmU+}DpPP#L`BX)5c+)@LckfJh^uyD^Pj0449qmk< z^KZYc7UvsPhcl0fkpoT!^xhAm2dGSoO{hX_2rGdN#@*zA?29?J^w6vL0rW{{P> zUT0o5UEFbB3?4~59phF!$?Bl`tP0aau&CB$pQaGv zJaG2iUVrkBc}S0|gWu72a*0N#8&&;G@uvCR)xzG-(oI+XzT9WT-Bni&?x#je$OB(n z&oSEFvCc7HtU)1g^?xLWWz<6G=!_6oJH%8jb4T;rn4X{^b@W}B$Msbo2r_jY&RFD= zl)qUtPIgZAHXoSgA339AbIUgh-mxqD%#!<$DV9#>57f*^*9(yF8sBoK+={^JaU0i> z40%n+58mn|oD`#d@_d<5q(;qx-s>Y$ud!+%P_C}Val^Y(jy^|2?M)QW3BXwOV81s^ zc!uB2>dfly`?Yu7 zG@3b^ifwO^wz!>OE5;y|vv(&|szDg-i(;>Hz8`T>(?>6fI`bWu&(zOWaKDUb5!3Nf z%n+POyzU9AP@8GSWC-2%YWYo73eA|ki?$#*FwB{^*C_y>=|mR(+Y`lyLm?4~KJL*EoruJL=aES&=or*?>U!Z)*{gr?Ya zC;24<TL-$r_FUTJf4dzd)bgwKJn=%@%@Ek@nVD)3D)qp-)I zvRog_@L+0x8-3EYb5xbE3_Gb{50AonYEC}kTt)Fq!!b6_e>%bH@ydm8soBlcwiEa} zIrgu39>Y=uD$Q3jQ_!Kz)dS|7S+k`|A!xVYA0aqgy~gjfjBr~wX1La`Bv&K6hD zgeR}+Xfj)?UHrs^3fVIN4|;@KjRd*P!tO{hfBL&s@6kRAcup+!y>+qs3{VeCg(zmV zt5JtL$E^|}T)3r9YwrfK@5(_2cOAFbt^G6hfx;)3BC!Jjiw}LTm%NL0(L2N_H9>(@aG+r>tg#tkt(I|Zk{w(mnMZK1h=Jvxb;cJsRK2gYzMYbPI(}BF01x#he z5AN6HWcp@17}E{H4}a$YYwN$#xQ%z|leG>qVM~B`mG$oFio2;nddTCCL}?_rs_%P_ zvLmQAh~_d@geEGAKk%PEfE0c0n&@ZxHqFuivV0lU*$;zwp@C%6=V;WXeze*gM#WoV zP_r*y(1p{AjsB1+5}&=|09g!A4~_S_TAvL%kT$N%{-Cb?<_(6;v!weH$d@-G&{+>C z3rO#dJ!;!ZRsWo4hItT@ki!eoz8=n@(VJL|@^F!AqM?E-$o6m(3dqiv{~|GvlfWxT zdH(%DBQ0PT|Ni_R&P$552TRv{{m_| z8zmFmW`+Qzfg@J^a3tjdqq#)u6hqF1}#rNq-c^#ntR<1XY-i|)p`A6rD) z)xKktdv1c>uN}^-;N?UODf;h)cH7YAzJ(XK6M_3lYfZ}MbD#5}=8PW#2({x@IX)U+ ziNQu>vZ_0+T?0=r046L-Suk84*~lmSZ4Duw&v}(br>IFDEsnj~i;CmI5P?$IX!+a` zfB$$&C8lD06#F3Zg$OeSxL%c`&fvvz!m%i+{~Ty18jX3u37QB2q*e{WP@b1PF(7oA zg&tqu;V-(_sZ%QxcbP4A@_cUt!E6HF{6z1v>Fu-Xh~?dxu54HDMSxw=2=!m=i(c{n ztvY(e|F`P@UGe__S_ni_lso}Kl_Te1TV_aaXfW$o*(r4Bqx6)a z!pA9eSv=mc&Ho=r41vhCEL-exbj{9C!IMR?jhQyfyME&>#X8={vsj%{7PK7O*^nW> zX7OuSpZj(6z?^z*>gs?74H$=@Ixh7|<`d}C&2)R5-7XYx-GIQpx%EZTLm71{EjB^$ zRBO1}w9Xy)15wBR&*M!~TO`m!O=%?`7|NQ86$&H^HF`PrOjIyVD98d-OeL385EP6v 
z_7|N|`P4b6mT*ZUAK)HHKYsKKtAfgFu5!_OyHF5@jFC7duGssz)r?tV2w;3y=ZKz} zv;isVRw>Sb+PcoNr=n_pp#;TWMEc=UvqG1#E_C1T7U&UTdiM{jhh-!oBDIllYUA5g z;GN!gBD0*mE)Tq{FSsu-k2ic#h5AJ|^1kGg`G&)83zu5R6sr2%52daqO*Y3z3Oigc zt`0u;(WPh7@JZJk4GeK!Ho`P$Oeq~L!cs$z1?KEYo)?)_edi$`dj?b z1XZCp7ieQwrvOXA5J>%yF-#&X$>rndT~CyGvE2U6buDk;#`rZfe<`+k+BhmfZT^=e z=CbY5@6F?ws=3jsjOlR_Y9WqEgY!2MK}#j>RpHg&KEj3oLK5I?^ODVX_(|8a+yKC4 z|L&Wwl$R=udCX_NTR57wEs*~EcM6`84pkqh>Skvj_X(l$z3PxX1>6C&ry$KAQR?)$ znmJVMi8y{&f29C$Ej>=DgJmh==l-M8ln%u^zpX^WQna!ZoUoSi9Wtk?PNQhGOFinY zSq=gt`}bSwF7IfvSg#LH+!zZ7M_R=~@c>(Z!i@di_R%4c`xZ zP%fvVOD*#)HgLrsV_7Q%1Z_*Dnj$$9=@^HX zQ`s9&NBZ9-q4ug(NkLdSu;N|P&l;g#B;JmK8jh>}(Ha;GsbHvss7uUDzQ30W0R8|5T+G=WJWh&n+QhuFNlUPTR zO(4UsPn*Z+d%kg)tnO$Q``69m8Ig1%&ZIHbDOLec3%@QpGF%l(q!k_{ihVfZACX_g zFYI+~tfJZSY5LWC#yaG3Vd3D3DN_>5I z>CEPjJm<`owJxzoOpkR0YZPYBCaJIU9oJeXqb=?olb+&nsu9gG_AmSw@Y>dNh#U`N z7#FU()kwbHhV?-#dsMGy8$bx{#|3y60@=gt^=lc*<1dX)s6D*MRVje76ql5z+`a=s z?e{SD7)NzAe#5%GisO}GWLIxbLEPu~u~G~)6z(j~mpTHOe&frCxMAHlCpZ|qebaMN@LhOGI zT9~*yBK-e!cIDA*<$IhuHMHY-V``}yIuuV^6-G-Hol#l@HI`VD@FKRfqH1YEglea@ zR-b)PZIRl7+R~tuGCZ|!RZ9dVEfpc65kcNB?dyAI{&@4wnfu>8_uTut_j`Ze&-Od_ zT+%lpu8G|jV>3C7)Cz1%t?hx7-H-)TEw<<;zLt>T;$N3^1=H2KZx@ zDUyGYSes+Xfk&+ZC^IAxqM)Cb$6X(Qv25>t7|4d zJ1%wYuR#Ho&|qHkDof}~T&Hig?sDf$0g;K`u{zTpU1t#^~sSTs`&Z*+=o8UFW>?Cz&$GnxbHC zc>Qn?95;|;46_x}Hs06RIGOvEKl5g^8(7|wJ|aW-ko^H*oy;6+HMyKjP8-O`LHAI^ zBbJWt=bhE3SUOt|_Z%VJPtTqx2Hsr5MiJt>GJiNtybl-18B)_^Z}gz+oB5vn{&OCq z?6LZ@X~l|a#IZ6CNG719Lx@PitL~cRlq^=NiTIv^P;+Re(h~&PwBCKWXLdY>?T{OQ zncitr%X#Qt&AH>Oj8oJOiZOGjHi=Wacn!du1{9V)ZawZM14jZ*$_M@QJq?rKw-h`; zC6+93Zw0Wx-x$SM-zllA_dY+MC7sBE;pgk{Q2NX`55WBGxU(ei`AqgL!sQbp{%+Gw z;)d;QD`qI7(c@L2>hM_SjUx;I%Y$B)|Q<`idsqgt~4m)Y{6x@k#1!SqVIx zpRl&vmE)wCAB*I_Ryw2`vasoJzxnRg9E}ul>h^Nu#$}V{GDkn+M8dBoCy&_655P54?2=v>4gQV5eo~XeVW4j)RECVTmdvzu@~S$ge()0(`--zmt+q(&mfI z--ZRsjM<)Q0HBo0-OkZ`_?!^=%CXat!3q*Qc^U%BSyLwUfkAfTLAwJ=)5FT{wTwas zz`qzCt69L?#keawG{VRo=p|2wJpQC;N?Sv4s} zkEH$W`R7d>eEnDfu7}ewo~})gCkwsEETPiEZ+eIipiqZ<}k3Nz_yT%9xQhmV{bbL 
zu;6vUHTWc$7K>CG`#SFWoWHDf4+eo)k$7KIq%L@a z%8GNc^&pOP+pg@)dhpQD4Gq7=dXsSit8|Edbq@0ZjjFr1nasblYNfOFcHS1eCiLQ@ zJrm>?44)0qf_Tmf`^|;Ikb8&LwS~r8a`c~QO0V_sv2qtG2KiVqlmLL?k_ykVTv~6- zd9`BfmtcC`96d0UvtNe{V%QF#T`p(?K+J-uUOb?MWW0CDeTdw%npbvX=7)+QjlezT z-=`D#Bl1i~^j5S{X9l5Ki?rWDH zn0HK{B7ja#TpObinbHD%KfVjOuMusd6wxGF@z<={HnH94y&HEf=8!#^s@YgZ?-Ah? ztYS>7E)w_$>b9>=C8J6zJh)pQ(~E6p3dEr<=rGkEqjQv$H%VD(yx~|_{LsX#UGL!s zOoNnUy^YW?3mmg3a^|(!&)ciDtQT!Njx^vEgjmerz65SqY+n>t#i#|;1z%=2P#)s% z`pBH$mM2qcrSMG}8-4Fewo!C6q{*HLLquX<4py?Aq#BIskT=HT`a%i9$kiY~ z>c#>}^fCa-z7*9XGCKhRtv_X>zDR;r3(v6ic?)-7a`FFDAqeg7?&uvuBynOB;5-TW8%L-aua literal 0 HcmV?d00001 
diff --git a/windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png b/windows/threat-protection/images/dn168167.measure_boot(en-us,MSDN.10).png new file mode 100644 index 0000000000000000000000000000000000000000..321f23ea7e22e7fab8a279162327a7a17abb54ff GIT binary patch literal 13801 zcmb_@cT|(nmM;jRpn#%?fb=FEq<0VyLazxOrS~3s6Ho+2AT;SnCqR%AdQ*B0y*KH- zw@}~5oqOlanlg=J@?I)-k{mRMVIS;7e@vmuzx+?b3h8z!$(WzQcuJtEL=JVFz$iRG_ zFAoo?=`?PdcqGKWw{Q{Q2{vCs``V!WiSy__CyO71^RE3@{o0oODF^p3nuD(cl`$}= z3;%7H5o2Kda|9OM!?+t!+8F;n%7C@_=a2+rV%&{R7L0!%y7w_K{yF~NCmdk)GA?+) zzay-nt7hbr5kHmb5>y zR>{jK8;M3_+^bdV4hkD>Th0ACT7aRu0#?_)>gs2XR5Go@GVBphBY| zm+-ZQmMK!K6G+hoss2#?MIi|`T|QL+ED3#avB z`$BxYI+TWoXZ1lYiT*1&ZfNv6%nk}^UnKqdLPakP>4l!I8B&Tb@(vihs!LETuSj$* z6FoXPDWkVE3{#pep|uZJRDMJLGQVg3_(yGz|6hH_8#ezUbqgM2{Sr#O;@8ip%t#tf zPFLa5(7zv~NWbPmDBuZlgK5R02ya+*5cmoufHGe_zr;UhJiG1MPQU%NfvjrODp!>_ z7=){O6j<~G1fa61-WB*f>jxb47W6 z7v0I^FE}oMPY8$W2jT6v7Qr4zx#`v+WEit!ovR@Vueu)NK2CH9aI7OLmYtH9K=cTr zNvSMjpT{m*5B||gjJq*!LvATR%t^X8;mx(TYcbiSyi0ydiQlBJnyya+m3$kJZ*xU# z7@7G3RNfAE4Np?pA=`VY({oqBxR2w^I7UWOD=N>`OBEG+3 zIf;3$>M?KcCvtuGmsvyBen#u!jIc3UNh9%WuPKE^mCY7CUY``0XE~ago~J+t;&Z*l z3ec2VG@mvmNjOh=F3d!xM-Snc3M+cOQ+#>cKPpy+V2k$OPVV{>%gjkga2zMRVP}X8Wa>>PBS$l%wqCIG-P99Qn)C$UHB=PH+~7@!iH{~XWb(;WQM~k<)TOz&3;IxtNdhT$R5#N9vAM2lZq%WQ1Ci&Z zQbg~#fIOCU`(-;1sKMkhWyRThLybS3->2loL7VxeibQ%E76pGgtp*Bl-q3ukLT_QY z#Nd=>p_&LC6TMPrR@CGtW9k~`^tgS(j|%1ZD=Tv6og3&UFZcB4RXA@QijUn}@YP*n z9>8>U&o^1ecx19kOBmmyo}sXcgta(tPrE~eIpQGi#qRw)on_Y(WHvo`TvBd{qZj#p z&C#39^uP`DR96;>{rO?j2uyA_y{NnF^E37#*D<(bj#~^4hspuQMP8w|%deh4 zar(=aL#YOjUhXzhWh?h|jg4F~mez2voRuW|;TZX~h;`ZF9gF#ry!^*0eRon{@H_Hj zVxSTrYW_g_^`MtOKr^}YxHd(uIbsD+#MeT-1WvRo3II=MeOk`{f zIk`Zbdrr2i#Ke!4=i3!dH?ADU{Q7%QQ4^rn0OGO!wb}C4-uKmxP-n<>aJSq0j1sax z?^1bEAWo90Dck1cWzB65MKTcg2F90*Shb(ASdSdHF3X=>3lW>zj>qLoS!!jo2Z%uM zCti&G<`S?uk(E##ZR{)X)(l?KqJR%;bolp@g+4$MG98R1OK5t46rO6C5eNFqEJ_8f z8Cb=2+CA_B!_XSFBdTz_!!o}k4aUWeTC%;|pQYx%%1g33v+}>#{2Dc*h}dEzP6Jzi 
zEV?%k08&v>`VM;y!)y2drIx5|YE>W;o!qJcguJc&5{7(O40_6YM-P9eVDzh^l1*f$ zT0?;_v%N*ih>{KU0J@4vs3?b0OIB}2hc5UNOdI1pg_ieDtwtCtGFYVt7b();Q<~?p5!p%{;VMQEF427Pr=#^9Nl2Tf>vR-Y7X)K*KOd@pTfFnreZ}<_xJ2I5SGgC zaN4bX0mn6k$z|_evVx;+Lhqlp&Xm-FbFKbzGc~>}kjuq*_Efr+Xm}_+MC(eP@ou}x z0+rubkM#;dbJKZanujyZ$9hZO6pv{)Sl3~j8|n@==9dMig}u8hQ|;z7%GzyysaS3D z(zL*qyPfEQ>lE|ezi^-Ae0vQshUljnXJcz+2ia@)L_~i1&4?G_8*G^^C=FdO5p8h$ z78IwF2mptWz?@>{z4xd5nko%BwX=qOEEScB;xXxT!R@MF4X7n1tpNOaoKluF6RBVn ztK^bbx(o&zel{DeuVxt0xyI`##4spzQP8ky`#xVws&yK6k{4wBJke$1^N2RaK!a2q zlCNc^;#LFVcvHR1kSNcaTgqKfh|#-h_p~w@cwDb%LVmN`!kW64M z?9ygBsj=Aqs>5|7n_9IetB;sCh<$Ejrvt#<+Om9?Jl)m>=l0)Ov)0zuw*4YM`aUxh zVr1Ap7rG?Uet_#%w&E6?Ji7`p*VH?)PkHb#V{O^E2xG|WvK>b`e8AY_`b*85%Pr6z ziFR>8{(Maxq8VzDsUn>mHNr zEMM0aM?oolMYqk7*#~oJ=S!7J3YtOycvsu4P^A1yu)A`8JF$HcW05HCWcO9i>XoQo z(B^rUv`q~cc6+CCd{bgTfZvvLs0#gkc6()E$AC&6U?URxXR1*fhuky*iK^Sz^RTrY zl6D-1`PAdO@xvE_TJM_@4^a~fBlm`x`Y+~DY9Gyr2TmGAT&GSFOjT0EcbD1%x_52F zXBWDR`CTq%9{WFyA6EYSo7+3xcDs5B5&d8nEz5~Q{9|E20u=f4C$fJfe8ycHozLs-<-~`#J~I+FiRJm$Y_;Ql zD4(CaSdZ)wr+oTy{w9BPJdSl`HL+=Rq|+x)mVJTUyGziLqM11B=rn>yWzwj;vH3W% zbzcZU-hsoAthyaHrC7$!U`MGRS&O$`a5k@v#o-e8Vc|(7>=Fn4_;eYIf3^LZU_OXU z;#f{r+qS-lDYYv02Y&>Wu(V5I)~M#Yna0v9!^9|l&8$7>gyn0*0Y3f+{z<-ZO=H{k z>RFd0_;;{`egoDEM)O)LwQ5Vno-QzdY;q<}$9$AqdWU!ev53DuIL1fn>f2S9h(49} z@O0sLAKCSLIbDXX>@yy#%j-&t3pd}+zGOJZ#M0SP>FxM%=EYa6y?oy`a}z4+KuVK+ zs+A`aXySlz8@f1YoTi6)TLfdI5*+@ZBbvBlpB8Q{E~9tn4v`2t^Y+X;$9#})O)3#k_$Cu{VBbh`jwv(8D_x&*}c1nzF`)Y zVB?SvYOzW(*zM`Rer)PT_868pG>Y(B!Hfh(hQ{ja_{aaY;^FAf-ldGvt7wFI9POuA zu;PXvBJq{8V~TV5UZ5m$xslu`A-zMDvb*Hm=i^4q_x}2*%!!J0Xc%j>}V)qf_R~oWPA0;A?)&mlgZ8VZ=rRxZ(lsH0=4}W`S;EFYId5STJzp+ zZIw9*13yEk9^56(x`MFdZC$%qvi6S;*0z<#4%W8L-lc@&k8iRpBK^M_K9N-A z!InXN^{Ib!aX^LKzfh`V0#atyq<3J%c=p`#QgcGY)@;BNmxV*;uA-cQAx#Q5JvkIM zNn~Dof9QkYRDV5*16kjd@W?L%#fhKNv!jpOD2F;(>_X~uK0uB$9AEbYmJnZt}@07+hUaM8U5UAMWLkY}%)9Pa;v zn*TTS{9n}kzoF;3Kmw+e2HcWeP67^19&?^GlCjL4@@Rp+OhC8s}J%xQn0XC2TyyFiaUeEFi8iUtGK z&2swz^XB@dyr35~v@s1Zqek%g0$d-}L68IB!sSBZtX=oY4Yj!=Q*jL;>U 
zWM(<#9vMwrifQci7U!I6N0xv+`}uT>WHpFaE%s91T6e+l+6_vWTnpz`{d1tY9c_kV zl!PTZ%l({Z{AM2+c`r&k&B|zI=^r<0P#gm#;;GWX5;1^*jp1uws7g zYx}YU-+Y4o^~np@!RQq6Q$^Va^8+K^GxKX?4gLFVA3ZK690k~Iq~`nJsdC@OPtH)e z6B*dzKZ^DqOuue7Bks4*Ry=7x^tfCu85_|XXKG3vvMleu`0ZwBHI(}7ygcOf@zkGp z7z+g7A^%(F0b=t%YdqJ)<0bbl>b$>B&Q#C4{go|@z#Ift!#nlk4pv!r4M5=pcy%f! zwf8ua0?u6cC?v*ypf$YvYlnKr$M0Y{m)hAnY`Z=P>&>;4``@y)@qB)3o~7)MW5Kw%Mg(rD;l32dlj3uHlIcx0kAE9|A^&8JQi!ZN9O#dpi0pY zr5@>g2V54XARB}DKL~o+wMNjd1aHW zQ%1?MjB^-hNO0!1HA!) zS?a~%cvgqk?gX%$%leOorgl|YfcSKKeE<5t4J>k@hxT3*UMa(0{vNKxz+2>*38 z3P(oIMp{i3@Q2S^dfl=S3|sM|%Vng%?aODr_Ae@J1vg?(E&dHDJ|3i9{(hW&r5p)r zo}eml>EuBYsulZ-w~(~L0?2EL>1kTfd=5b9f?KfoLw#kbtTebZlNtSCUle^g z?5d4&SBwfin(>z`1SUaWh+3Xu!m~6FHFE)kUv0PX3Tl)7&RZq%(B*ue8k%rraN~~P z6?e;5NhQr!IjXz;*aYH9jQdm{v(Uw6ugvN$3LUf%cAPg`GVp*GM%KPQ`=Y^ySx#o6I7CGgdOnDpFKHY8l7cmqpIb3wP zt(~-77!{a_*{&d(vbfmJ6q8q*B|6)ZSedmH*Yz4~*ZAVLWB!4Gr3{b9lfoxDtw;vV z!8OnUYFkiI3!6pOFf#=#0)Jh>x5Ma$d~SRovlr;|;|tRI52DXZ*)aVK=6-K~tsK0= zybQN)Gp^(3pV(jCn#jDrl7*C3@R0x*z5b2_-mk1tian6F{6;Fw-7l!DPsC>yG^3{? z03fa%@%XAbL`F+mF3<|G2h~ym|m7%ogc9vgS#t{hu&*zm84g6 zRg_m|Cv%V;61Xet&Be}Q_h*yKm8O*acbyqlc^##|v4b4`J#UEoj9~2=YmhBT;>)Yb+N_*If@Z7jetWqxGaNrxo|wWFs;{~w+eZ7i z36JO4jU5ZX(=xfk%c3`vpqNLcX<)-Phbf@SHKauZ3ia9M@$#xV5 zusNA L4OH?hDpperJk(fF|`APi?5SGM6r$ zLuIhA=Mn29qFI@nM(lq7C7j;l8TsC7V4-#rF+9e)S!G*yxt)i+C9fY5=q0e|L0!Dy zf&9uw+TJi+p7Uf0z)T)G|9%pu4$$3>XJ!rhJ4ww;i17SXjmXr zV(9cxC`#vItLm%fpVbWIm)SCHRg@A==)E4QuD+=LCSap=1dU{Yyu8 zZ`~&V!&Y5N5ZYdUMx^JG{2V&IipA>EoglKq&v1oj@T9eeKZLr3S@(VhVG@uCK=hn4 zecJM0(08tvcSuDwMF9n^0NFq5q52t8?>KM&?UuBxI32oUA7%rtX(8|Uo z2;wX$!PW~M^MQ09ER-k04iq8hS*rD zf!zV*@v2~v?6g5e)u<(H?;h6mC+u%z`_ov#cuo<1fs(i3tj3PFfTB?!f*EmK8wK!> zp7EbfvT6{_>z*G!3nFtHOAN)kl{M-1uC))1AF=>%tkZ02eFgIWkif!`XQev7bY#Wh zne_0nFxE6apc17q9`N`aOS|w0?6Q{3I|$91IZQcP+roTdb;pf3S+}q8n1Rg_4Z1! 
z)MbF}rVLE^ZXVql^n7H+2u!}?T-g;#M}LZq8*kcfZ!Uc_Oz+DP98kSz?irBaqp){d z8+Aljv)xw0`d0csAL0&|11=*}*Wh|xpxmY>Qu~G0wr*20;HUB!k#E*YHUA2v6CorH zFjy8sp|ysY6=R?!f&BpslD8izkz!c*PwNYS%NYvtmsg=ooR|h-iIl7Yk=_b`0s6dn zhW44MWjn*H(8uwI>zMzPm;L_C;nx|?XzTlbQ^tSM&1iDb=_YKzD0WN9v6WTExSP7*irS4uU*%%}qx_j*cq5MC%Qz(^OKGIFMk4H|L} zn{r;ras#gn?9fN0v}?=tU`A;N%C+86rN{lnfpWIOQxoeTl4xKlxOPulDX8>1eDM?? zCltNeIm}QjyZ`vn`#|L=ZAsPX@(*WoCv{>wM;`l5*Va87m1BE&5YGXxK-d>WS1C&9@%}@(xX3X0ji?=KEvT=wgp}s8lVCzAGJ2E1{tKZHEdv?0Ml-DzT6$2Y;|eamJNBR;*TBcCw`}S8!>A7~tmIH>ZCo&sEtvd+XtJ36gKuZ{ z@J(Hx@+Inq)q8Xl;P2vdjrC#(!G@BL5t87a^Ca3ijG*WC#s)_IH6pq>J6O*FHVF`p z*iw3tBjm}Q`S*yfPcMJ=wt2pPRA)uSwxk&&m3?9p^$rp&3on$^Z(~f;6O1qYZU2b?O8 zerPqXxL3G6N@-z&qb{zFewksXa2Cq`n}Q%SflR1+7QG_-mn#hA_C?P>N|`r9O4 z!RumIlF*`T>PO@V)x^U?ppRglMtf@UQLSEu6Kq+R&<=kQ&kuFiG4g@6*|cEmflG0l z;siLplF@a^f5)i7@rzLh&9h_hD?kQdEIL1 z^cSe4K9=Lzl+`l+ID?M$I~*ubV#53 z=E(k?3XrDX!jIj_lHv0YJX+UJ83V(W!iP+?Ow$l+B!+mY?tw08>9> zWRz3*kd62~IPhL*aA2rll;m2J&(hGE@NwWs9j(pY=h-;)N->juD*yh$QJ8$#w?s0`+Gq^QeRq<1m#Y_E4OHRt(u3mgk=p|iUieNX zur2II02ehLLn2RC80c@PMO-rXv+t()Y%}ob&E*_3 zQes8*#k+Zuao>uzW7OfEej{r?vvZ#1#_3eeI22w1%jjn5U69?7O-mefH3rca2Hq5w zW&CN(Ka3m=a76DW;nL)eu1vk{%DZSdQTEw-KtT2~i7bs*0`wwH99Y*%c)Tf-VJvva ztM_=qJyNI9_C&>=-+Yk1-R7R|{bu4}#3L0Af$Yy<{|bpi#NcQnL{TR7`rAJFll_Ky z{HFRjuJ#OM%EdmfErXT?$7Owm%hAWmn7mZ?Iq^bT7#%}Pg{IKW$?~SYQFUB3Fk{A2 z(Ug~X;T0{GN~)C@bb0w86&c)df1LQ0^7Y9vx29a3j^R)b+55^Fmg#Dyvr&8ssDtC7 ziLDPYM8p3nprK$?4{5pjA0Pi7$1j*R7wgzNuNqbN=uiO58b~ZIbx0J=`W;`beVPxX zYOlu1P68U{b>9siy_aM;sk%3^48JQarc9_fwg#& z9lFGn3nIOoT&vs2xUI&bF*Ko_ppJ1hoXbSREpgUsXGc~koaM$X;lka?X`Aa(xYtkI zUwnzG#vP?@ga=>*>E`L8$_~EfBz$dWV!_xb!g6}BvOyjQDmMrAIx3B%6Z@)6{-qVK~FA>a> zS&8t7Qk~4Jd#6e@tWJ2b|K2*I??pf@>xG=@w1@v-hRdyx@mn=r9zJS4@G@~8Ajn+i zJFW_|Jtnn%Ma1WJUj26p7X6G?cvC8AvT6iPSizgBarrps=yZqmQ8#%ZIsSnqr)L1} z64>Can&E0V5JCo%MP!ryABG3paXk#21`16SbH1v)g0TUu2!?JPn5(=kK+|BLt9UR@ zyHX^y+H>><huhV6r*=^VcCwmu#vtRmoyzG+WgZIC1M*W~EZs`L(R2@3-DHMN2I zArO!2QMbPW&-FWMUhdEex=)O>4QtC-n}HonbH5`b4ASeaSVP~(5aj4rvft5DT|J;6 
za+8Qq+3;^)JUz*MW@E*W_qLsEr@Z?Km4Z4@sU^pg(K1s>Oc0<9+6RoEo{4ZbFYwU? z=de~X-OYfq9B3BeoS9NLsG-st0tJZYyj>G}%^=#4>F*;udm1gZB)5qojH>R7jd?Gc zzIgJYykaoEv*9Fu6M&KUH(65xV2W5fKATk41o0%atMOPALERj%V#{WsjAhCwWYf{MAw2LM0z zyhP>~VjOo@C)IoE$sBfGtt1;7_;mw;9T+Pcb3PXPQsg+)OMCKYF6vA^;qp9|Y2nW1$~4 zQop`k%hk^*1bF_ul5T1M*R)>Ze(ax0~?uNSOaf zqj;RJ9_|Ss@s`U;yiOcf6ySssV=$TIc61jb(XrO!(Nl+0xmghrqhkuJ)bz~(I+9Li zzYeC<8h5syFd0?;#XD)Fc~k0+qMFs++Bo52ACdh)`{krS^2;;?`2wfMM*a1( zx5L7l2HFYa-G~uTC#P5v0Jv4@xci^H^I*`K#W5IvAv`ZPpzv&-$iVnYSNi?M0yX z6L1h&@4m?1Xiq%*k}^&t!|h0qDw-rsd2p>tyCKIrnRzXIBA9V@!HMT|;&7$wPQSd~M7o=$wJkh<9-$1hYSeV;#qTBI-wfK%SNS(O*2HTM zNrDq_Ldg`mZTJ->fX9Y_g{+mt$_~}!N{VPI^-%>pLCFcFvp_^aD%UD`*1c-tx5eFE`Jnn(bn13iahjE_K*Pd3OjpTw6 zQ~*Q>U|RtFBvkrYRdhfUP8Mlgc6-mB84Xgdfic#TkA++QWGnGeV(SC0C6Zeau7EzX}tG$tk!`PZGygti~$B?r{5 z;Y&B?%Pg@aBFcXp5n9x_Dtwr47nj6XzgKPtDmUrS+~k!2I8!2L_q@94yKj%lIEQoi zi~(bKMp(!AtI)xW73i5IU{63}c3YVC)p3@XVOXM0pdodEDsv*7-09{I- zEh_Zhjv57uRE|Z`3$K!HcqX0D>AZOSTdv#;QD`gAD8QaqEpF`pa$pGQ*CBD#sSft(UXnvZaRv1Bkkz3Nbxa?EyXX- z3$*I=o1o($-qm0UOE&s%6gmx0^FMuWgyOp!84eayJiFC)fm)(x(e8;8iyIUlb_0BRQQ zsMwM}U=k6jt=h0M-ONlbqtctaL2y@n9}b6yv&UUZ%oooxP`sm;b3dyp8Tp(3m4B=2 z2tx`uJYN8a-pP3{+Fo0eD(!_hbD51R`aabwe=OK4Q^7|3yPn)$)U?NRv92~arp~0p zan{avyxMXSAJACWi?i+EZ29Z!bEJxvkY%dZ)75M3J}}i+@VdWqVK(T$6k~=#jhMoG zbu_Mq(_O;^TMAV}UT1!CIwg;ygSt{{yB8$7{pBCt37DOLw$ucGEc;WrCXj6a^F?=% z3yIjblqWw02yRvzf&h?9Nbm?|jT|oV?EAh!%A=jkPGz^TZWZrFDdAxtaP9s%a2+^T z`U+H!9SXs@sC5V@Q+n)V1aUTy$ZcfU1*%)=)Wz$f1oUI{d5 zLYw2YK}RvCen#Fq^)g5`yrN%Qa@e1--7DhV<_d=3jgyN;o4j=a;QIj3pag#Kz#aO* z(!*DWzN%-t(*11kqUGe`uXjNveMP+;Q^7c7wBO4cp;WDNV5}(OCBGrziU0RiM`2*& z()#W$Swx*+UaMZtWDq=OungU&41h#_LEyA^)9XFv4#gw1308YNfM3n{<{VDtcFtK) zGcoJu2B6@aIRTJzz)7AmdxuJGc|1+yGviWWXzmI%Ck?=XQFT*mn*jW&UF{lWL8$1f zq&o=hn7B3G;rqTchLm1&i4fp{R^{`>!B4sBtU&B&3UBY)P5@`qKoiiT zp z9bOh*^t$i}F!|p~5C?2k{~^|&AV3f!W=y^io=~~hSRTvL%iSC|?QM+QNLsTM?%T7t z6&CiV2(^F%Lm`iC(+nt{5Iq4{x_(PRchF(OmIulQdb45~cWp6W_rXKfUslevRFU_) z5-GD(8*>14VPJWBvWCD2WxlzlAcItz+gb?6W0nUyXTM!?seo9;;AsAD)YN}!>UTQ& 
zzXp)+|Jg>k6XyRl?xy?K_&=K&|HXuXa~rphxG-kTz3-Jiqx%c|ObY`ft0IGV`#$J@ E0VsdMn*aa+ literal 0 HcmV?d00001 diff --git a/windows/threat-protection/secure-the-windows-10-boot-process.md b/windows/threat-protection/secure-the-windows-10-boot-process.md new file mode 100644 index 0000000000..069d8b1578 --- /dev/null +++ b/windows/threat-protection/secure-the-windows-10-boot-process.md 
@@ -0,0 +1,129 @@
+---
+title: Secure the Windows 10 boot process
+description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications
+keywords: trusted boot, windows 10 boot proces
+ms.prod: w10
+ms.mktglfcycl: Explore
+ms.pagetype: security
+ms.sitesec: library
+localizationpriority: medium
+author: brianlic-msft
+---
+
+# Secure the Windows 10 boot process
+
+**Applies to:**
+- Windows 10
+- Windows 8.1
+
+The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Windows Store apps must meet a series of requirements to be certified and included in the Windows Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Windows Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Windows Store apps are sandboxed and lack the privileges necessary to access user data or change system settings.
+
+Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. The SmartScreen Filter warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control.
+
+Those are just some of the ways that Windows 10 protects you from malware. However, those security features protect you only after Windows 10 starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden.
+
+When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows 10 provides even better startup security than previous versions of Windows.
+
+First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows 10 can protect you.
+
+
+## The threat: rootkits
+
+*Rootkits* are a sophisticated and dangerous type of malware that run in kernel mode, using the same privileges as the operating system. Because rootkits have the same rights as the operating system and start before it, they can completely hide themselves and other applications. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
+
+Different types of rootkits load during different phases of the startup process:
+
+- **Firmware rootkits.** These kits overwrite the firmware of the PC’s basic input/output system or other hardware so the rootkit can start before Windows.
+- **Bootkits.** These kits replace the operating system’s bootloader (the small piece of software that starts the operating system) so that the PC loads the bootkit before the operating system.
+- **Kernel rootkits.** These kits replace a portion of the operating system kernel so the rootkit can start automatically when the operating system loads.
+- **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware.
+
+## The countermeasures
+Windows 10 supports four features to help prevent rootkits and bootkits from loading during the startup process:
+- **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders.
+- **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it.
+- **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading.
+- **Measured Boot.** The PC’s firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC’s health.
+
+Figure 1 shows the Windows 10 startup process.
+
+
+![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png)
+
+**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
+
+Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well.
+
+The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.
+
+## Secure Boot
+When a PC starts, it first finds the operating system bootloader. PCs without Secure Boot simply run whatever bootloader is on the PC’s hard drive. There’s no way for the PC to tell whether it’s a trusted operating system or a rootkit.
+
+When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified.
If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:
+
+- **The bootloader was signed using a trusted certificate.** In the case of PCs certified for Windows 10, the Microsoft® certificate is trusted.
+- **The user has manually approved the bootloader’s digital signature.** This allows the user to load non-Microsoft operating systems.
+
+All x86-based Certified For Windows 10 PCs must meet several requirements related to Secure Boot:
+
+- They must have Secure Boot enabled by default.
+- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed).
+- They must allow the user to configure Secure Boot to trust other bootloaders.
+- They must allow the user to completely disable Secure Boot.
+
+These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems:
+
+- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to .
+- **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems.
+- **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however.
+
+To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. For more information about Secure Boot, read the blog, [Protecting the pre-OS environment with UEFI](http://blogs.msdn.com/b/b8/archive/2011/09/22/protecting-the-pre-os-environment-with-uefi.aspx).
+
+Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems.
+
+## Trusted Boot
+Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 10 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.
+
+## Early Launch Anti-Malware
+Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don’t start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work.
+
+Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot.
Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it.
+
+An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](https://www.microsoft.com/en-us/server-cloud/system-center/endpoint-protection-2012.aspx) and several non-Microsoft anti-malware apps.
+
+## Measured Boot
+If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy.
+
+As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. Infected PCs continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and potentially allowing the rootkit to spread across the internal network.
+
+Working with the TPM and non-Microsoft software, Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:
+
+1. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
+2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
+3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
+4. The client sends the log to the server, possibly with other security information.
+
+Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network.
+
+Figure 2 illustrates the Measured Boot and remote attestation process.
+
+
+![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png)
+
+
+**Figure 2. Measured Boot proves the PC’s health to a remote server**
+
+
+Windows 10 includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For an example of such a tool, download the [TPM Platform Crypto-Provider Toolkit](http://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/) from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s [Measured Boot Tool](http://mbt.codeplex.com/).
+
+Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to confidently assess the trustworthiness of a client PC across the network.
+
+## Summary
+Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system.
+
+For more information:
+
+- Watch a [video demonstration of Secure Boot](https://technet.microsoft.com/en-us/windows/jj737995.aspx)
+
+## Additional resources
+- [Windows 10 Enterprise Evaluation](https://technet.microsoft.com/evalcenter/hh699156.aspx?ocid=wc-tn-wctc)
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 194b3e9cfb..e31e53a2bb 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -17,7 +17,7 @@ author: iaanw
 **Applies to:**
-- Windows 10, version 1703
+- Windows 10 (some instructions are only applicable for Windows 10, version 1703)
 **Audience**
@@ -130,6 +130,7 @@ Used by Windows to send client telemetry, Windows Defender Antivirus uses this f
 This update uses SSL (TCP Port 443) to download manifests and upload telemetry to Microsoft that uses the following DNS endpoints:

      • vortex-win.data.microsoft.com
      • settings-win.data.microsoft.com
+
@@ -147,7 +148,7 @@ Use the following argument with the Windows Defender AV command line utility (*m
 MpCmdRun - ValidateMapsConnection
 ```
 > [!NOTE]
-> You may need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt.
+> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703.
 See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender Antivirus](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility.
@@ -185,6 +186,9 @@ You will also see a detection under **Quarantined threats** in the **Scan histor
 ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png)
+>[!NOTE]
+>Versions of Windows 10 before version 1703 have a different user interface. See the [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) topic for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
+
 The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
 >[!IMPORTANT]
diff --git a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
index d1da91abab..5ba96c2e65 100644
--- a/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
+++ b/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features.md
@@ -48,7 +48,7 @@ Topic | Description
 :---|:---
 [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) | Cloud-delivered protection provides an advanced level of fast, robust antivirus detection
 [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)|Enable behavior-based, heuristic, and real-time protection in Windows Defender AV
-[Configure end-user interaction with WDAM](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings
+[Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md)|Configure how end-users interact with Windows Defender AV, what notifications they see, and if they can override settings
From 7cb4e903314179fdaa66e06a7cb05754768604a8 Mon Sep 17 00:00:00 2001
From: Elizabeth Ross
Date: Mon, 26 Jun 2017 20:22:05 +0000
Subject: [PATCH 32/34] Merged PR 1937: Merge master to live
---
 .../change-history-ms-edu-get-started.md | 1 +
 .../get-started-with-microsoft-education.md | 1 +
 education/index.md | 2 +
 education/windows/change-history-edu.md | 1 +
 .../configure-windows-for-education.md | 1 +
 .../windows/edu-deployment-recommendations.md | 1 +
 .../windows/use-set-up-school-pcs-app.md | 1 +
 ...a-structures-windows-store-for-business.md | 431 ++++++++----------
 ...ew-in-windows-mdm-enrollment-management.md | 1 +
 .../policy-configuration-service-provider.md | 8 +-
 10 files changed, 213 insertions(+), 235 deletions(-)
diff --git a/education/get-started/change-history-ms-edu-get-started.md b/education/get-started/change-history-ms-edu-get-started.md
index b478b4ccb1..484ed4a299 100644
--- a/education/get-started/change-history-ms-edu-get-started.md
+++ b/education/get-started/change-history-ms-edu-get-started.md
@@ -8,6 +8,7 @@ ms.sitesec: library
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
+ms.date: 06/26/2017
 ---
 # Change history for Microsoft Education Get started
diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md
index f1ca238f88..78b9e46ccf 100644
--- a/education/get-started/get-started-with-microsoft-education.md
+++ b/education/get-started/get-started-with-microsoft-education.md
@@ -10,6 +10,7 @@ localizationpriority: high
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
+ms.date: 06/26/2017
 ---
 # Get started: Deploy and manage a full cloud IT solution with Microsoft Education
diff --git a/education/index.md b/education/index.md
index 1ab087f682..4033cef903 100644
--- a/education/index.md
+++ b/education/index.md
@@ -4,6 +4,8 @@ hide_bc: true
 title: Microsoft Education documentation and resources | Microsoft Docs
 description: Learn about product documentation and resources available for school IT administrators, teachers, students, and education app developers.
 author: CelesteDG
+ms.author: celested
+ms.date: ms.date: 06/12/2017
 ---
diff --git a/education/windows/change-history-edu.md b/education/windows/change-history-edu.md
index 1a84521c52..8cce637c8d 100644
--- a/education/windows/change-history-edu.md
+++ b/education/windows/change-history-edu.md
@@ -8,6 +8,7 @@ ms.sitesec: library
 ms.pagetype: edu
 author: CelesteDG
 ms.author: celested
+ms.date: 06/19/2017
 ---
 # Change history for Windows 10 for Education
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index d9f1da2caf..4cbabcfdff 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 localizationpriority: high
 author: CelesteDG
 ms.author: celested
+ms.date: 06/19/2017
 ---
 # Windows 10 configuration recommendations for education customers
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index d5450ff204..7d76300a59 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -7,6 +7,7 @@ ms.sitesec: library
 localizationpriority: high
 author: CelesteDG
 ms.author: celested
+ms.date: 06/19/2017
 ms.prod: W10
 ---
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 849a932793..bfc4179cfa 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -9,6 +9,7 @@ ms.pagetype: edu
 localizationpriority: high
 author: CelesteDG
 ms.author: celested
+ms.date: 06/26/2017
 ---
 # Use the Set up School PCs app
diff --git a/windows/client-management/mdm/data-structures-windows-store-for-business.md b/windows/client-management/mdm/data-structures-windows-store-for-business.md
index 18b093df38..38f80513d0 100644
--- a/windows/client-management/mdm/data-structures-windows-store-for-business.md
+++ b/windows/client-management/mdm/data-structures-windows-store-for-business.md @@ -28,6 +28,7 @@ Here's the list of data structures used in the Windows Store for Business REST A - [LicenseType](#licensetype) - [LocalizedProductDetail](#localizedproductdetail) - [OfflineLicense](#offlinelicense) +- [PackageContentInfo](#packagecontentinfo) - [PackageLocation](#packagelocation) - [ProductArchitectures](#productarchitectures) - [ProductDetails](#productdetails) @@ -85,26 +86,22 @@ Specifies the properties of the alternate identifier. --+ - - - + - - +
      Name TypeDescription

      seatDetails

      Collection of [SeatDetails](#seatdetails)

      collection of [SeatDetails](#seatdetails)

      failedSeatOperations

      Collection of [FailedSeatRequest](#failedseatrequest)

      collection of [FailedSeatRequest](#failedseatrequest)

      @@ -117,31 +114,26 @@ Specifies the properties of the alternate identifier. --+ - - - -
      Name TypeDescription

      failureReason

      string

      productKey

      [ProductKey](#productkey)

      userName

      string

      @@ -173,7 +165,7 @@ Specifies the properties of the alternate identifier.

      contentId

      string

      -

      Identifies a specific application

      +

      Identifies a specific application.

      location

      @@ -207,12 +199,12 @@ Specifies the properties of the alternate identifier.

      fileSize

      -

      integer -64

      -

      +

      integer-64

      +

      Size of the file.

      packageRank

      -

      integer-3232

      +

      integer-32

      Optional

      @@ -225,26 +217,22 @@ Specifies the properties of the alternate identifier. --+ - - - @@ -277,7 +265,7 @@ Specifies the properties of the alternate identifier. - + @@ -296,12 +284,12 @@ Specifies the properties of the alternate identifier. - + - + @@ -329,11 +317,11 @@ Specifies the properties of the alternate identifier. - + - + @@ -346,27 +334,23 @@ Specifies the properties of the alternate identifier.
      NameType Description

      open

      Open distribution policy - licenses/seats can be assigned/consumed without limit

      restricted

      Restricted distribution policy - licenses/seats must be assigned/consumed according to the available count

      seatCapacity

      integer-64

      Total number of seats that have been purchased for an application

      Total number of seats that have been purchased for an application.

      availableSeats

      distributionPolicy

      InventoryDistributionPolicy

      [InventoryDistributionPolicy](#inventorydistributionpolicy)

      status

      InventoryStatus

      [InventoryStatus](#inventorystatus)

      continuationToken

      string

      continuationToken is only available if there is a next page

      Only available if there is a next page.

      inventoryEntries

      collection of

      collection of [InventoryEntryDetails](#inventoryentrydetails)

      --+ - - - + - - +
      NameType Description

      active

      Entry is available in the organization’s inventory

      Entry is available in the organization’s inventory.

      removed

      Entry has been removed from the organization’s inventory

      Entry has been removed from the organization’s inventory.

      @@ -378,8 +362,8 @@ Specifies the properties of the alternate identifier. --++ @@ -497,43 +481,13 @@ Specifies the properties of the localized product.   -## ProductArchitectures - - -
      --- - - - - - - - - - - - - - - - - - - - -
      Name

      neutral

      arm

      x86

      x64

      - -  - ## PackageContentInfo --++ @@ -582,6 +536,36 @@ Specifies the properties of the localized product.   +## ProductArchitectures + + +
      +++ + + + + + + + + + + + + + + + + + + + +
      Name

      neutral

      arm

      x86

      x64

      + +  + ## ProductDetails @@ -611,7 +595,7 @@ Specifies the properties of the localized product.

      supportedLanguages

      -

      collection of strings

      +

      collection of string

      The set of localized languages for an application.

      @@ -644,10 +628,74 @@ Specifies the properties of the localized product.   +## ProductImage + + +Specifies the properties of the product image. + + +++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      NameTypeDescription

      location

      URI

      Location of the download image.

      purpose

      string

      Tag for the purpose of the image, e.g. "screenshot" or "logo".

      height

      string

      Height of the image in pixels.

      width

      string

      Width of the image in pixels.

      caption

      string

      Unlimited length.

      backgroundColor

      string

      Format "#RRGGBB"

      foregroundColor

      string

      Format "#RRGGBB"

      fileSize

      integer-64

      Size of the file.

      + +  + ## ProductKey
      -Specifies the proerties of the product key.
      +Specifies the properties of the product key.
      @@ -678,104 +726,6 @@ Specifies the proerties of the product key.   -## ProductImage - - -Specifies the proerties of the product image. - -
      ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      NameTypeDescription

      location

      URI

      Location of the download images.

      purpose

      string

      App screenshots and icons

      height

      string

      Height of the image in pixels.

      width

      string

      Width of the image in pixels.

      caption

      string

      Unlimited

      backgroundColor

      string

      Format #RRGGBB

      foregroundColor

      string

      Format #RRGGBB

      fileSize

      long

      Size of the file.

      - -  - -## PublisherDetails - - -Specifies the proerties of the publisher details. - - ----- - - - - - - - - - - - - - - - - - - - -
      NameTypeDescription

      publisherName

      string

      Name of the publisher.

      publisherWebsite

      string

      Website of the publisher.

      - -  - ## ProductPackageDetails
      @@ -799,15 +749,15 @@ Specifies the proerties of the publisher details.

      -

      contentId

      -

      string

      -

      Identifies a specific application.

      - -

      packageId

      string

      + +

      contentId

      +

      string

      +

      Identifies a specific application.

      +

      location

      [PackageLocation](#packagelocation)

      @@ -831,7 +781,7 @@ Specifies the proerties of the publisher details.

      packageFormat

      [ProductPackageFormat](#productpackageformat)

      -

      appx, appxbundle, xap

      +

      Extension of the package file.

      platforms

      @@ -839,19 +789,41 @@ Specifies the proerties of the publisher details.

      -

      packageId

      -

      string

      -

      - -

      fileSize

      integer-64

      -

      +

      Size of the file.

      - +

      packageRank

      integer-32

      -

      optional

      +

      Optional

      + + + + +  + +## ProductPackageFormat + + + +++ + + + + + + + + + + + + + +
      Name

      appx

      appxBundle

      xap

      @@ -890,40 +862,13 @@ Specifies the proerties of the publisher details.   -## ProductPackageFormat - - - --- - - - - - - - - - - - - - - - - -
      Name

      appx

      appxBundle

      xap

      - -  - ## ProductPlatform --++
      @@ -949,6 +894,40 @@ Specifies the proerties of the publisher details.   +## PublisherDetails + + +Specifies the properties of the publisher details. + +
      +++++ + + + + + + + + + + + + + + + + + + + +
      NameTypeDescription

      publisherName

      string

      Name of the publisher.

      publisherWebsite

      string

      Website of the publisher.

      + +  + ## SeatAction
      @@ -1020,8 +999,8 @@ Specifies the proerties of the publisher details. --++
      @@ -1032,7 +1011,7 @@ Specifies the proerties of the publisher details. - +
      @@ -1096,7 +1075,7 @@ Specifies the proerties of the publisher details. - +

      seats

      Collection of [SeatDetails](#seatdetails)

      collection of [SeatDetails](#seatdetails)

      continuationToken

      architectures

      collection of ProductArchitectures

      collection of [ProductArchitecture](#productarchitecture)

      @@ -1108,8 +1087,8 @@ Specifies the proerties of the publisher details. --++
      @@ -1120,29 +1099,19 @@ Specifies the proerties of the publisher details. - + - + - + - +

      major

      integer-23

      integer-32

      minor

      integer-23

      integer-32

      build

      integer-23

      integer-32

      revision

      integer-23

      integer-32

      - -  - -  - - - - - -
      diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
      index db651bb315..f539aee173 100644
      --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
      +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
      @@ -1246,6 +1246,7 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).
    • DeviceGuard/RequirePlatformSecurityFeatures
    • DeviceGuard/LsaCfgFlags
    +

    EnterpriseCloudPrint/DiscoveryMaxPrinterLimit is only supported in Windows 10 Mobile and Mobile Enterprise.

    [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
    index fab8135598..0290c198bb 100644
    --- a/windows/client-management/mdm/policy-configuration-service-provider.md
    +++ b/windows/client-management/mdm/policy-configuration-service-provider.md
    @@ -6897,10 +6897,10 @@ ADMX Info: cross mark - check mark2 - check mark2 - check mark2 - check mark2 + cross mark + cross mark + cross mark + cross mark check mark2 check mark2
    From 8707890d3029e3e362299c8b5e47b6b8f475d54d Mon Sep 17 00:00:00 2001
    From: Brian Lich
    Date: Thu, 13 Jul 2017 23:12:16 +0000
    Subject: [PATCH 33/34] Revert "Merged PR 2233: Merge master to live"
    ---
    microsoft-365/index.md | 1 -
    .../hello-deployment-key-trust.md | 39 --
    .../hello-key-trust-adfs.md | 512 -----------------
    .../hello-key-trust-deploy-mfa.md | 542 ------------------
    .../hello-key-trust-policy-settings.md | 154 -----
    .../hello-key-trust-validate-ad-prereq.md | 77 ---
    .../hello-key-trust-validate-deploy-mfa.md | 48 --
    .../hello-key-trust-validate-pki.md | 196 -------
    .../hello-for-business/toc.md | 2 +-
    ...change-history-for-configure-windows-10.md | 5 +-
    ...system-components-to-microsoft-services.md | 11 +-
    .../block-untrusted-fonts-in-enterprise.md | 1 -
    ...defender-smartscreen-available-settings.md | 1 -
    .../windows-defender-smartscreen-overview.md | 1 -
    ...ender-smartscreen-set-individual-device.md | 1 -
    .../app-behavior-with-wip.md | 1 -
    .../collect-wip-audit-event-logs.md | 1 -
    ...reate-and-verify-an-efs-dra-certificate.md | 1 -
    ...e-vpn-and-wip-policy-using-intune-azure.md | 1 -
    .../create-vpn-and-wip-policy-using-intune.md | 1 -
    .../create-wip-policy-using-intune-azure.md | 1 -
    .../create-wip-policy-using-intune.md | 1 -
    .../create-wip-policy-using-sccm.md | 1 -
    .../deploy-wip-policy-using-intune-azure.md | 1 -
    .../deploy-wip-policy-using-intune.md | 1 -
    .../enlightened-microsoft-apps-and-wip.md | 1 -
    .../guidance-and-best-practices-wip.md | 1 -
    .../limitations-with-wip.md | 1 -
    .../mandatory-settings-for-wip.md | 1 -
    .../overview-create-wip-policy.md | 1 -
    .../protect-enterprise-data-using-wip.md | 1 -
    ...recommended-network-definitions-for-wip.md | 1 -
    .../testing-scenarios-for-wip.md | 1 -
    .../using-owa-with-wip.md | 1 -
    .../wip-app-enterprise-context.md | 1 -
    35 files changed, 8 insertions(+), 1603 deletions(-)
    delete mode 100644 microsoft-365/index.md
    delete mode 100644 windows/access-protection/hello-for-business/hello-deployment-key-trust.md
    delete mode 100644 
    windows/access-protection/hello-for-business/hello-key-trust-adfs.md
    delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md
    delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md
    delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
    delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
    delete mode 100644 windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md
    diff --git a/microsoft-365/index.md b/microsoft-365/index.md
    deleted file mode 100644
    index 867e2c8492..0000000000
    --- a/microsoft-365/index.md
    +++ /dev/null
    @@ -1 +0,0 @@
    -# Placeholder
    \ No newline at end of file
    diff --git a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md b/windows/access-protection/hello-for-business/hello-deployment-key-trust.md
    deleted file mode 100644
    index e900f105a0..0000000000
    --- a/windows/access-protection/hello-for-business/hello-deployment-key-trust.md
    +++ /dev/null
    @@ -1,39 +0,0 @@
    ----
    -title: Windows Hello for Business Deployment Guide - On Premises Key Trust Deployment
    -description: A guide to an On Premises, Key trust Windows Hello for Business deployment
    -keywords: identity, PIN, biometric, Hello, passport
    -ms.prod: w10
    -ms.mktglfcycl: deploy
    -ms.sitesec: library
    -ms.pagetype: security, mobile
    -author: DaniHalfin
    -localizationpriority: high
    ----
    -# On Premises Key Trust Deployment
    -
    -**Applies to**
    -- Windows 10
    -- Windows 10 Mobile
    -
    -> This guide only applies to Windows 10, version 1703 or higher.
    -
    -Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment.
    -
    -Below, you can find all the infromation you will need to deploy Windows Hello for Business in a Certificate Trust Model in your on-premises environment:
    -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md)
    -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md)
    -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md)
    -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md)
    -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md)
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    -
    diff --git a/windows/access-protection/hello-for-business/hello-key-trust-adfs.md b/windows/access-protection/hello-for-business/hello-key-trust-adfs.md
    deleted file mode 100644
    index b419b20f58..0000000000
    --- a/windows/access-protection/hello-for-business/hello-key-trust-adfs.md
    +++ /dev/null
@@ -1,512 +0,0 @@
----
-title: Prepare and Deploy Windows Server 2016 Active Directory Federation Services (Windows Hello for Business)
-description: How toPrepare and Deploy Windows Server 2016 Active Directory Federation Services for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: DaniHalfin
-localizationpriority: high
----
-# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-> This guide only applies to Windows 10, version 1703 or higher.
-
-Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority.
-
-The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
-
-If your environment exceeds either of these factors or needs to provide SAML artifact resolution, token replay detection, or needs Active Directory Federation Services to operate in a federated provider role, then your deployment needs to use a SQL for your configuration database. To deploy the Active Directory Federation Services using SQL as its configuration database, please review the [Deploying a Federation Server Farm](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) checklist.
-
-If your environment has an existing instance of Active Directory Federation Services, then you’ll need to upgrade all nodes in the farm to Windows Server 2016 along with the Windows Server 2016 update. If your environment uses Windows Internal Database (WID) for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 using a WID database](https://docs.microsoft.com/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) to upgrade your environment. If your environment uses SQL for the configuration database, please read [Upgrading to AD FS in Windows Server 2016 with SQL Server](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016-sql) to upgrade your environment.
-
-Ensure you apply the Windows Server 2016 Update to all nodes in the farm after you have successfully completed the upgrade.
-
-A new Active Directory Federation Services farm should have a minimum of two federation servers for proper load balancing, which can be accomplished with an external networking peripherals, or with using the Network Load Balancing Role included in Windows Server.
-
-Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing.
-
-## Update Windows Server 2016
-
-Sign-in the federation server with _local admin_ equivalent credentials.
-1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed.
-2. 
Ensure the latest server updates to the federation server includes those referenced in following article https://aka.ms/whfbadfs1703.
-
->[!IMPORTANT]
->The above referenced updates are mandatory for Windows Hello for Business all on-premises deployment and hybrid certificate trust deployments for domain joined computers.
-
-## Enroll for a TLS Server Authentication Certificate
-
-Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity.
-
-The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm:
-* Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS)
-* Subject Alternate Name: Your federation service name, such as *fs.corp.contoso.com* (or an appropriate wildcard entry such as *.corp.contoso.com)
-
-You configure your federation service name when you configure the AD FS role. You can choose any name, but that name must be different than the name of the server or host. For example, you can name the host server **adfs** and the federation service **fs**. The FQDN of the host is adfs.corp.contoso.com and the FQDN of the federation service is fs.corp.contoso.com.
-
-You can; however, issue one certificate for all hosts in the farm. If you chose this option, then leave the subject name blank, and include all the names in the subject alternate name when creating the certificate request.
All names should include the FQDN of each host in the farm and the federation service name.
-
-It’s recommended that you mark the private key as exportable so that the same certificate can be deployed across each federation server and web application proxy within your AD FS farm. Note that the certificate must be trusted (chain to a trusted root CA). Once you have successfully requested and enrolled the server authentication certificate on one node, you can export the certificate and private key to a PFX file using the Certificate Manager console. You can then import the certificate on the remaining nodes in the AD FS farm.
-
-Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate.
-
-### Internal Server Authentication Certificate Enrollment
-
-Sign-in the federation server with domain admin equivalent credentials.
-1. Start the Local Computer **Certificate Manager** (certlm.msc).
-2. Expand the **Personal** node in the navigation pane.
-3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
-4. Click **Next** on the **Before You Begin** page.
-5. Click **Next** on the **Select Certificate Enrollment Policy** page.
-6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
-7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png)
-8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com).
The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
-9. Click **Enroll**.
-
-A server authentication certificate should appear in the computer’s Personal certificate store.
-
-## Deploy the Active Directory Federation Service Role
-
-The Active Directory Federation Service (AD FS) role provides the following services to support Windows Hello for Business on-premises deployments.
-* Device registration
-* Key registration
-* Certificate registration authority (certificate trust deployments)
-
->[!IMPORTANT]
-> Finish the entire AD FS configuration on the first server in the farm before adding the second server to the AD FS farm. Once complete, the second server receives the configuration through the shared configuration database when it is added the AD FS farm.
-
-Windows Hello for Business depends on proper device registration. For on-premises deployments, Windows Server 2016 AD FS handles device registration.
-
-Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
-1. Start **Server Manager**. Click **Local Server** in the navigation pane.
-2. Click **Manage** and then click **Add Roles and Features**.
-3. Click **Next** on the **Before you begin** page.
-4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
-5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
-6. On the **Select server roles** page, select **Active Directory Federation Services**. Click **Next**.
-7. Click **Next** on the **Select features** page.
-8. Click **Next** on the **Active Directory Federation Service** page.
-9. Click **Install** to start the role installation.
-
-## Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the AD FS farm uses the correct database configuration.
-* Confirm the AD FS farm has an adequate number of nodes and is properly load balanced for the anticipated load.
-* Confirm **all** AD FS servers in the farm have the latest updates.
-* Confirm all AD FS servers have a valid server authentication certificate
- * The subject of the certificate is the common name (FQDN) of the host or a wildcard name.
- * The alternate name of the certificate contains a wildcard or the FQDN of the federation service
-
-## Device Registration Service Account Prerequisite
-
-The service account used for the device registration server depends on the domain controllers in the environment.
-
->[!NOTE]
->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
-
-### Windows Server 2012 or later Domain Controllers
-
-Windows Server 2012 or later domain controllers support Group Managed Service Accounts—the preferred way to deploy service accounts for services that support them. Group Managed Service Accounts, or GMSA have security advantages over normal user accounts because Windows handles password management. This means the password is long, complex, and changes periodically. The best part of GMSA is all this happens automatically. AD FS supports GMSA and should be configured using them for additional defense in depth security.
-
-GSMA uses the Microsoft Key Distribution Service that is located on Windows Server 2012 or later domain controllers. Windows uses the Microsoft Key Distribution Service to protect secrets stored and used by the GSMA. Before you can create a GSMA, you must first create a root key for the service. You can skip this if your environment already uses GSMA.
-
-#### Create KDS Root Key
-
-Sign-in a domain controller with _Enterprise Admin_ equivalent credentials.
-1. Start an elevated Windows PowerShell console.
-2. Type `Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)`
-
-### Windows Server 2008 or 2008 R2 Domain Controllers
-
-Windows Server 2008 and 2008 R2 domain controllers do not host the Microsoft Key Distribution Service, nor do they support Group Managed Service Accounts. Therefore, you must use create a normal user account as a service account where you are responsible for changing the password on a regular basis.
-
-#### Create an AD FS Service Account
-
-Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
-1. Open **Active Directory Users and Computers**.
-2. Right-click the **Users** container, Click **New**. Click **User**.
-3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
-4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox.
-5. Click **Next** and then click **Finish**.
-
-## Configure the Active Directory Federation Service Role
-
->[!IMPORTANT]
->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
-
-### Windows Server 2012 or later Domain Controllers
-
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section.
-
-Sign-in the federation server with _Domain Admin_ equivalent credentials.
These procedures assume you are configuring the first federation server in a federation server farm.
-1. Start **Server Manager**.
-2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
- ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
-
-3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
-4. Click **Next** on the **Connect to Active Directory Domain Services** page.
-5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
-6. Select the federation service name from the **Federation Service Name** list.
-7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
-8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**.
-9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
-10. On the **Review Options** page, click **Next**.
-11. On the **Pre-requisite Checks** page, click **Configure**.
-12. When the process completes, click **Close**.
-
-### Windows Server 2008 or 2008 R2 Domain Controllers
-
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section.
-
-Sign-in the federation server with _Domain Admin_ equivalent credentials.
These instructions assume you are configuring the first federation server in a federation server farm.
-1. Start **Server Manager**.
-2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
- ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
-
-3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
-4. Click **Next** on the **Connect to Active Directory Domain Services** page.
-5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
-6. Select the federation service name from the **Federation Service Name** list.
-7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**.
-8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**.
- * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**.
-9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**.
-10. On the **Review Options** page, click **Next**.
-11. On the **Pre-requisite Checks** page, click **Configure**.
-12. When the process completes, click **Close**.
-13. Do not restart the AD FS server. You will do this later.
-
-
-### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group
-
-The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration.
The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user.
-
-Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials.
-1. Open **Active Directory Users and Computers**.
-2. Click the **Users** container in the navigation pane.
-3. Right-click **KeyCredential Admins** in the details pane and click **Properties**.
-4. Click the **Members** tab and click **Add…**
-5. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
-6. Click **OK** to return to **Active Directory Users and Computers**.
-7. Right-click **Windows Hello for Business Users** group
-8. Click the **Members** tab and click **Add…**
-9. In the **Enter the object names to select** text box, type **adfssvc**. Click **OK**.
-10. Click **OK** to return to **Active Directory Users and Computers**.
-11. Change to server hosting the AD FS role and restart it.
-
-### Configure Permissions for Key Registration
-
-Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory.
-
-The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually.
-
-Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-1. Open **Active Directory Users and Computers**.
-2. Right-click your domain name from the navigation pane and click **Properties**.
-3. Click **Security** (if the Security tab is missing, turn on Advanced Features from the View menu).
-4. Click **Advanced**. Click **Add**. Click **Select a principal**.
-5. 
The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**.
-6. In the **Applies to** list box, select **Descendant User objects**.
-7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**.
-8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**.
-9. Click **OK** three times to complete the task.
-
-## Configure the Device Registration Service
-
-Sign-in the federation server with _Enterprise Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
-1. Open the **AD FS management** console.
-2. In the navigation pane, expand **Service**. Click **Device Registration**.
-3. In the details pane, click **Configure Device Registration**.
-4. In the **Configure Device Registration** dialog, click **OK**.
-
-## Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you followed the correct procedures based on the domain controllers used in your deployment
- * Windows Server 2012 or Windows Server 2012 R2
- * Windows Server 2008 or Windows Server 2008 R2
-* Confirm you have the correct service account based on your domain controller version.
-* Confirm you properly installed the AD FS role on your Windows Server 2016 based on the proper sizing of your federation, the number of relying parties, and database needs.
-* Confirm you used a certificate with the correct names as the server authentication certificate
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the:
- * Certificate serial number
- * Certificate thumbprint
- * Common name of the certificate
- * Subject alternate name of the certificate
- * Name of the physical host server
- * The issued date
- * The expiration date
- * Issuing CA Vendor (if a third-party certificate)
-* Confirm you granted the AD FS service allow read and write permissions to the ms-DSKeyCredentialLink Active Directory attribute.
-* Confirm you enabled the Device Registration service.
-
-## Prepare and Deploy AD FS Registration Authority
-
-A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority.
-
-### Configure Registration Authority template
-
-The certificate registration authority enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority. The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate. The certificate authority only issues a certificate for that template if the registration authority signs the certificate request.
-
-The registration authority template you configure depends on the AD FS service configuration, which depends on the domain controllers the environment uses for authentication.
-
->[!IMPORTANT]
->Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business.
-
-#### Windows 2012 or later domain controllers
-
-Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
-1. Open the **Certificate Authority Management** console.
-2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
-6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
- **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate.
-
-7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list.
Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
-8. On the **Security** tab, click **Add**.
-9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**.
-10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**.
-11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
-12. Close the console.
-
-#### Windows 2008 or 2008R2 domain controllers
-
-Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
-2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
-6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected.
Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
-7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
-8. On the **Security** tab, click **Add**. Type **adfssvc** in the **Enter the object names to select text box** and click **OK**.
-9. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check boxes for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
-10. Close the console.
-
-### Configure the Windows Hello for Business Authentication Certificate template
-
-During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring.
-
-Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
-1. Open the **Certificate Authority** management console.
-2. Right-click **Certificate Templates** and click **Manage**.
-3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list.
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
- **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the deployment.
-6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
-7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
-8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box.
- * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option.
-9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**.
-10. On the **Request Handling** tab, select the **Renew with same key** check box.
-11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**.
-12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission.
Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
-13. If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template.
-14. Click on the **Apply** to save changes and close the console.
-
-#### Mark the template as the Windows Hello Sign-in template
-
-Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials.
-1. Open an elevated command prompt.
-2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY`
-
->[!NOTE]
->If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority.
-
-### Publish Enrollment Agent and Windows Hello For Business Authentication templates to the Certificate Authority
-
-Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
-1. Open the **Certificate Authority** management console.
-2. Expand the parent node from the navigation pane.
-3. 
Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template to issue**. -5. In the **Enable Certificates Templates** window, select the **WHFB Enrollment Agent** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. Publish the **WHFB Authentication** certificate template using step 5. -7. Close the console. - -### Configure the Registration Authority - -Sign-in the AD FS server with Domain Admin equivalent credentials. - -1. Open a **Windows PowerShell** prompt. -2. Type the following command - - ```PowerShell - Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication - ``` - - -The `Set-AdfsCertificateAuthority` cmdlet should show the following warning: ->WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured. These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured. - -This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates. Windows 10, version 1703 clients check this configuration during prerequisite checks. If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in. 
- ->[!NOTE] -> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates. It’s important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority. - -### Enrollment Agent Certificate Enrollment - -Active Directory Federation Server used for Windows Hello for Business certificate enrollment perform their own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. - -Approximately 60 days prior to enrollment agent certificate’s expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. - -## Additional Federation Servers - -Organizations should deploy more than one federation server in their federation farm for high-availability. You should have a minimum of two federation services in your AD FS farm, however most organizations are likely to have more. This largely depends on the number of devices and users using the services provided by the AD FS farm. - -### Server Authentication Certificate - -Each server you add to the AD FS farm must have a proper server authentication certificate. 
Refer to the [Enroll for a TLS Server Authentication Certificate](#enroll-for-a-tls-server-authentication-certificate) section of this document to determine the requirements for your server authentication certificate. As previously stated, AD FS servers used exclusively for on-premises deployments of Windows Hello for Business can use enterprise server authentication certificates rather than server authentication certificates issued by public certificate authorities. - -### Install Additional Servers - -Adding federation servers to the existing AD FS farm begins with ensuring the server are fully patched, to include Windows Server 2016 Update needed to support Windows Hello for Business deployments (https://aka.ms/whfbadfs1703). Next, install the Active Directory Federation Service role on the additional servers and then configure the server as an additional server in an existing farm. - -## Load Balance AD FS Federation Servers - -Many environments load balance using hardware devices. Environments without hardware load-balancing capabilities can take advantage the network load-balancing feature included in Windows Server to load balance the AD FS servers in the federation farm. Install the Windows Network Load Balancing feature on all nodes participating in the AD FS farm that should be load balanced. - -### Install Network Load Balancing Feature on AD FS Servers - -Sign-in the federation server with _Enterprise Admin_ equivalent credentials. -1. Start **Server Manager**. Click **Local Server** in the navigation pane. -2. Click **Manage** and then click **Add Roles and Features**. -3. Click **Next** On the **Before you begin** page. -4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**. -5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**. -6. 
On the **Select server roles** page, click **Next**. -7. Select **Network Load Balancing** on the **Select features** page. -8. Click **Install** to start the feature installation - ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png) - -### Configure Network Load Balancing for AD FS - -Before you can load balance all the nodes in the AD FS farm, you must first create a new load balance cluster. Once you have created the cluster, then you can add new nodes to that cluster. - -Sign-in a node of the federation farm with _Admin_ equivalent credentials. -1. Open **Network Load Balancing Manager** from **Administrative Tools**. - ![NLB Manager user interface](images/hello-nlb-manager.png) -2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**. -3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**. - ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png) -4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.) -5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**. -6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**. - ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png) -7. 
In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster. - ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png) -8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**. -9. In Port Rules, click Edit to modify the default port rules to use port 443. - ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png) - -### Additional AD FS Servers - -1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**. -2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same. - ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png) - -## Configure DNS for Device Registration - -Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. 
In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Close the DNS Management console - -## Configure the Intranet Zone to include the federation service - -The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. - -### Create an Intranet Zone Group Policy - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type **Intranet Zone Settings** in the name box and click **OK**. -5. In the content pane, right-click the **Intranet Zone Settings** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Administrative Templates > Windows Component > Internet Explorer > Internet Control Panel**, and select **Security Page**. -8. In the content pane, double-click **Site to Zone Assignment List**. Click **Enable**. -9. Click **Show**. In the **Value Name** column, type the url of the federation service beginning with https. In the **Value** column, type the number **1**. Click OK twice, then close the Group Policy Management Editor. - -### Deploy the Intranet Zone Group Policy object - -1. 
Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…** -3. In the **Select GPO** dialog box, select **Intranet Zone Settings** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**. - -## Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you configured the correct enrollment agent certificate template based on the type of AD FS service account. -* Confirm only the AD FS service account has the allow enroll permission for the enrollment agent certificate template. -* Consider using an HSM to protect the enrollment agent certificate; however, understand the frequency and quantity of signature operations the enrollment agent server makes and understand the impact it has on overall performance. -* Confirm you properly configured the Windows Hello for Business authentication certificate template—to include: - * Issuance requirements of an authorized signature from a certificate request agent. - * The certificate template was properly marked as a Windows Hello for Business certificate template using certutil.exe - * The Windows Hello for Business Users group, or equivalent has the allow enroll and allow auto enroll permissions -* Confirm all certificate templates were properly published to the appropriate issuing certificate authorities. -* Confirm the AD FS service account has the allow enroll permission for the Windows Hello Business authentication certificate template. -* Confirm the AD FS certificate registration authority is properly configured using the `Get-AdfsCertificateAuthority` Windows PowerShell cmdlet. -* Confirm you restarted the AD FS service. -* Confirm you properly configured load-balancing (hardware or software). 
-* Confirm you created a DNS A Record for the federation service and the IP address used is the load-balanced IP address -* Confirm you created and deployed the Intranet Zone settings to prevent double authentication to the federation server. - -## Validating your work - -You need to verify the AD FS service has properly enrolled for an enrollment agent certificate template. You can verify this is a variety ways, depending on if your service account is a normal user account or if the service account is a group managed service account. - -### Event Logs - -Use the event logs on the AD FS service to confirm the service account enrolled for an enrollment agent certificate. First, look for the AD FS event ID 443 that confirms certificate enrollment cycle has finished. Once confirmed the AD FS certificate enrollment cycle completed review the CertificateLifecycle-User event log. In this event log, look for event ID 1006, which indicates a new certificate was installed. Details of the event log should show - -* The account name under which the certificate was enrolled. -* The action, which should read enroll. -* The thumbprint of the certificate -* The certificate template used to issue the certificate. - -### Normal Service Account - -When using a normal service account, use the Microsoft Management Console (mmc.exe) and load the Certificate Manager snap-in for the service account and verify. - -### Group Managed Service Account - -You cannot use the Certificate Manager to view enrolled certificates for group managed service accounts. Use the event log information to confirm the AD FS service account enrolled a certificate. Use certutil.exe to view the details of the certificate now shown in the event log. - -Group managed service accounts use user profiles to store user information, which included enrolled certificates. On the AD FS server, use a command prompt and navigate to `%systemdrive%\users\\appdata\roaming\Microsoft\systemcertificates\my\certificates` . 
- -Each file in this folder represents a certificate in the service account’s Personal store (You may need to use DIR /A to view the files in the folder). Match the thumbprint of the certificate from the event log to one of the files in this folder. That file is the certificate. Use the `Certutil -q ` to view the basic information about the certificate. - -For detailed information about the certificate, use `Certutil -q -v ` . - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) - - - - - - - - - diff --git a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md deleted file mode 100644 index 8ec43f5e54..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ /dev/null 
@@ -1,542 +0,0 @@ ---- -title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) -description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Configure or Deploy Multifactor Authentication Services - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. - ->[!TIP] ->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. - -## Prerequisites - -The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. - -### Primary MFA Server - -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. - -For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. - -The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. 
- -#### Enroll for Server Authentication - -The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. - -Sign-in the primary MFA server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. - -To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. - -The following services are required: -* Common Parameters > Default Document. 
-* Common Parameters > Directory Browsing. -* Common Parameters > HTTP Errors. -* Common Parameters > Static Content. -* Health and Diagnostics > HTTP Logging. -* Performance > Static Content Compression. -* Security > Request Filtering. -* Security > Basic Authentication. -* Management Tools > IIS Management Console. -* Management Tools > IIS 6 Management Compatibility. -* Application Development > ASP.NET 4.5. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. - -Sign in the primary MFA server with _administrator_ equivalent credentials. -1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console -2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. -3. In the **Actions** pane, click **Bindings**. -4. In the **Site Bindings** dialog, Click **Add**. -5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. -6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. - -#### Configure the Web Service’s Security - -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. 
Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. - -Sign in the domain controller with _domain administrator_ equivalent credentials. - -##### Create Phonefactor Admin group - -1. Open **Active Directory Users and Computers** -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. -3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. -4. Click **OK**. - -##### Add accounts to the Phonefactor Admins group - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactors Admin** security group and select **Properties**. -3. Click the **Members** tab. -4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. 
- * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). -* Confirm the host has all the available updates from Windows Update. -* Confirm you bound the server authentication certificate to the IIS web site. -* Confirm you created the Phonefactor Admins group. -* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. - -### User Portal Server - -The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. - -The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. 
While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. - -#### Enroll for Server Authentication - -Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. - -For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. - -Sign-in the User Portal server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). -10. Click **Add**. Click **OK** when finished. -11. Click **Enroll**. 
- -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section. - -#### Create WebServices SDK user account - -The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. -3. In the **New Object – User** dialog box, type **PFWSDK_** in the **First name** and **User logon name** boxes, where ** is the name of the primary MFA server running the Web Services SDK. Click **Next**. -4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. 
- -#### Add the MFA SDK user account to the Phonefactor Admins group - -Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. -3. Click the Members tab. -4. Click **Add**. Click **Object Types..** Type the PFWSDK_ user name in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * The Webservices SDK user account - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. -* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Server Role was properly configured on all servers. -* Confirm all the hosts have the latest updates from Windows Update. -* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. 
- -## Installing Primary Azure MFA Server - -When you install Azure Multi-Factor Authentication Server, you have the following options: -1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS -2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) - -See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. - -Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. - ->[!IMPORTANT] ->Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. - -### Configuring Company Settings - -You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Start the **Multi-Factor Server** application -2. Click **Company Settings**. -3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. -4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. 
Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. -5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. -6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. -7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. -8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. -10. Configure the minimum length for the PIN. -11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. -12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. -13. 
Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. - -![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) - -### Configuring Email Settings and Content - -If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. - -Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. - -With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. - -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. 
- -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. - -#### Settings - -By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. - -#### Content - -On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. - -##### Edit the Content Settings - -The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. Click **Email** from the list of icons and click the **Email Content** tab. -3. Select an email template from the list of templates. Click **Edit**. -4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. - ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) - -5. 
Optionally, customize other options in the email template. -6. When finished editing the template, Click **Apply**. -7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. -8. Click **Close** when you are done editing the email templates. - -### Configuring Directory Integration Settings and Synchronization - -Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. - -It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). - -#### MultiFactorAuthAdSync Service - -The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. - -The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. 
This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. - -#### Settings - -Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Click the **Synchronization** tab. -4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. - -#### Synchronization - -The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. - -You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. 
This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. - -See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. - -##### To add a synchronization item - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Select the **Synchronization** tab. -4. On the **Synchronization** tab, click **Add**. - ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) - -5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. -6. Select the group you are using for replication from the list of groups -7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. -8. Select **Add new users and Update existing users**. -9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. -10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. -11. Select **Enabled** and select **Only New Users with Phone Number** from the list. -12. Select **Send email** and select **New and Updated Users**. - -##### Configure synchronization item defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. -2. Select the default second factor authentication method. 
For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). - -##### Configure synchronization language defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. -2. Select the appropriate default language for these groups of users synchronized by these synchronization item. -3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). - -### Installing the MFA Web Services SDK - -The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. - -Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. 
- -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. - -## Install Secondary MFA Servers - -Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. - -Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. - -Sign in the secondary MFA server with _domain administrator_ equivalent credentials. -1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. - **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. -2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. -3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. -4. 
On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group.
-5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you downloaded the latest Azure MFA Server from the Azure Portal.
-* Confirm the server has Internet connectivity.
-* Confirm you installed and activated the Azure MFA Server.
-* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc).
-* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server.
- * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups.
-
-* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account.
-* Confirm you installed the Web Service SDK on the primary MFA server.
-* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server.
-
-
-## Installing the User Portal Server
-
-You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users.
-
-### Copying the User Portal Installation file
-
-Sign in the primary MFA server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer.
-2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder.
-3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server.
-
-### Configure Virtual Directory name
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step.
-2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**.
-3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time.
-4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**.
-5. Click **Close**.
-
-### Edit MFA User Portal config file
-
-Sign in the User Portal server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file.
-2. 
Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
-
-### Create a DNS entry for the User Portal web site
-
-Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials.
-1. Open the **DNS Management** console.
-2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
-3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
-4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**.
-5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. 
Click **Add Host**.
-6. Close the **DNS Management** console.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-
-### Validating your work
-
-Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase.
-
-Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal.
-
-### Configuring the User Portal
-
-The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. 
A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. -User Portal Administrators may be set up and granted permission to add new users and update existing users. - -#### Settings - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. - ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) - -3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. -The Multi-Factor Authentication Server uses this information when sending emails to users. -4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. -6. Select Allow users to select language. -7. Select Use security questions for fallback and select 4 from the Questions to answer list. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). - -#### Administrators - -The User Portal Settings tab allows the administrator to install and configure the User Portal. -1. 
Open the Multi-Factor Authentication Server console.
-2. From the Multi-Factor Authentication Server window, click the User Portal icon.
-3. On the Administrators tab, Click Add
-4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions.
-5. Click Add.
-
->[!TIP]
->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**.
-
-#### Security Questions
-
-[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions.
-
-#### Trusted IPs
-
-The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry.
-
-## Configure the AD FS Server to use the MFA for multifactor authentication
-
-You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server.
-
-### Install the MFA AD FS Adapter
-
-Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server.
-
-### Edit the MFA AD FS Adapter config file on all ADFS Servers
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file.
-2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
-3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
-4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
-
-### Edit the AD FS Adapter Windows PowerShell cmdlet
-
-Sign in the primary AD FS server with _local administrator_ equivalent credentials.
-
-Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file.
-
-### Run the AD FS Adapter PowerShell cmdlet
-
-Sign in the primary AD FS server with local administrator equivalent credentials.
-
-Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**.
-
->[!NOTE]
->You must restart the AD FS service for the registration to take effect.
-
-### Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm the user portal application is properly installed on all user portal hosts
-* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true.
-* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME
-* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account.
-* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server.
-* Confirm you saved the changes to the web.config file.
-* Confirm you restarted the AD FS Service after completing the configuration.
-
-## Test AD FS with the Multifactor Authentication connector
-
-Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. 
The AD FS and Azure Multi-Factor Authentication server configurations are complete.
-
-1. In the **Multi-Factor Authentication** server, on the left, click **Users**.
-2. In the list of users, select a user that is enabled and has a valid phone number to which you have access.
-3. Click **Test**.
-4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory.
-
-The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md
deleted file mode 100644
index 0e85b5a485..0000000000
--- a/windows/access-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ /dev/null
@@ -1,154 +0,0 @@
----
-title: Configure Windows Hello for Business Policy settings (Windows Hello for Business)
-description: Configure Windows Hello for Business Policy settings for Windows Hello for Business
-keywords: identity, PIN, biometric, Hello, passport
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security, mobile
-author: DaniHalfin
-localizationpriority: high
----
-# Configure Windows Hello for Business Policy settings
-
-**Applies to**
-- Windows 10
-- Windows 10 Mobile
-
-> This guide only applies to Windows 10, version 1703 or higher.
-
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
-
-Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
-
-On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
-* Enable Windows Hello for Business
-* Use certificate for on-premises authentication
-* Enable automatic enrollment of certificates
-
-## Enable Windows Hello for Business Group Policy
-
-The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled.
-
-You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-## Use certificate for on-premises authentication
-
-The Use certificate for on-premises authentication Group Policy setting determines if the on-premises deployment uses the key-trust or certificate trust on-premises authentication model. You must configure this Group Policy setting to configure Windows to enroll for a Windows Hello for Business authentication certificate. If you do not configure this policy setting, Windows considers the deployment to use key-trust on-premises authentication, which requires a sufficient number of Windows Server 2016 domain controllers to handle the Windows Hello for Business key-trust authentication requests.
-
-You can configure this Group Policy setting for computer or users. 
Deploying this policy setting to computers results in ALL users requesting a Windows Hello for Business authentication certificate. Deploying this policy setting to a user results in only that user requesting a Windows Hello for Business authentication certificate. Additionally, you can deploy the policy setting to a group of users so only those users request a Windows Hello for Business authentication certificate. If both user and computer policy settings are deployed, the user policy setting has precedence.
-
-## Enable automatic enrollment of certificates
-
-Windows Hello for Business provisioning performs the initial enrollment of the Windows Hello for Business authentication certificate. This certificate expires based on the duration configured in the Windows Hello for Business authentication certificate template. The Windows 10, version 1703 certificate auto enrollment was updated to renew these certificates before they expire, which significantly reduces user authentication failures from expired user certificates.
-
-The process requires no user interaction provided the user signs-in using Windows Hello for Business. The certificate is renewed in the background before it expires.
-
-## Create the Windows Hello for Business Group Policy object
-
-The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click **Group Policy object** and select **New**.
-4. Type *Enable Windows Hello for Business* in the name box and click **OK**.
-5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-6. In the navigation pane, expand **Policies** under **User Configuration**.
-7. 
Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
-8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**.
-9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**.
-
-## Configure Automatic Certificate Enrollment
-
-1. Start the **Group Policy Management Console** (gpmc.msc).
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**.
-4. In the navigation pane, expand **Policies** under **User Configuration**.
-5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**.
-6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
-7. Select **Enabled** from the **Configuration Model** list.
-8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box.
-9. Select the **Update certificates that use certificate templates** check box.
-10. Click **OK**. Close the **Group Policy Management Editor**.
-
-## Configure Security in the Windows Hello for Business Group Policy object
-
-The best way to deploy the Windows Hello for Business Group Policy object is to use security group filtering. The enables you to easily manage the users that should receive Windows Hello for Business by simply adding them to a group. This enables you to deploy Windows Hello for Business in phases.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
-3. Double-click the **Enable Windows Hello for Business** Group Policy object.
-4. In the **Security Filtering** section of the content pane, click **Add**. 
Type *Windows Hello for Business Users* or the name of the security group you previously created and click **OK**.
-5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
-6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
-
-## Deploy the Windows Hello for Business Group Policy object
-
-The application of the Windows Hello for Business Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all users. However, the security group filtering ensures only the users included in the *Windows Hello for Business Users* global group receive and apply the Group Policy object, which results in the provisioning of Windows Hello for Business.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO…**
-3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
-
-Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
-
-## Other Related Group Policy settings
-
-### Windows Hello for Business
-
-There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. 
These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
-
-### Use a hardware security device
-
-The default configuration for Windows Hello for Business is to prefer hardware protected credentials; however, not all computers are able to create hardware protected credentials. When Windows Hello for Business enrollment encounters a computer that cannot create a hardware protected credential, it will create a software-based credential.
-
-You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
-
-### Use biometrics
-
-Windows Hello for Business provides a great user experience when combined with the use of biometrics. Rather than providing a PIN to sign-in, a user can use a fingerprint or facial recognition to sign-in to Windows, without sacrificing security.
-
-The default Windows Hello for Business enables users to enroll and use biometrics. 
However, some organization may want more time before using biometrics and want to disable their use until they are ready. To not allow users to use biometrics, configure the **Use biometrics** Group Policy setting to disabled and apply it to your computers. The policy setting disabled all biometrics. Currently, Windows does not provide granular policy setting that enable you to disable specific modalities of biometrics such as allow facial recognition, but disallow fingerprint.
-
-### PIN Complexity
-
-PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-
-Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
-* Require digits
-* Require lowercase letters
-* Maximum PIN length
-* Minimum PIN length
-* Expiration
-* History
-* Require special characters
-* Require uppercase letters
-
-In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. 
The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor.
-
-## Review
-
-Before you continue with the deployment, validate your deployment progress by reviewing the following items:
-* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
-* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
-* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting.
-* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
-* Confirm you configured the proper security settings for the Group Policy object
- * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
- * Add the Windows Hello for Business Users group to the Group Policy object and gave the group the allow permission for Apply Group Policy
-
-* Linked the Group Policy object to the correct locations within Active Directory
-* Deploy any additional Windows Hello for Business Group Policy setting is a policy separate from the one that enables it for users
-
-
-## Add users to the Windows Hello for Business Users group
-
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the WHFB Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups that are not members of this group will not attempt to enroll for Windows Hello for Business.
-
-
-## Follow the Windows Hello for Business on premises certificate trust deployment guide
-1. 
[Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md)
-2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md)
-3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md)
-4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md)
-5. Configure Windows Hello for Business Policy settings (*You are here*)
\ No newline at end of file
diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
deleted file mode 100644
index 3716c6dbe3..0000000000
--- a/windows/access-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ /dev/null
@@ -1,77 +0,0 @@ ---- -title: Validate Active Directory prerequisites (Windows Hello for Business) -description: How to Validate Active Directory prerequisites for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate Active Directory prerequisites - -**Applies to** -- Windows 10 - -> This guide only applies to Windows 10, version 1703 or higher. - -The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. - -Manually updating Active Directory uses the command-line utility **adprep.exe** located at **:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. - -## Discovering schema role - -To locate the schema master role holder, open and command prompt and type: - -```Netdom query fsmo | findstr -i “schema”``` - -![Netdom example output](images\hello-cmd-netdom.png) - -The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. - -## Updating the Schema - -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. 
- -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. - -1. Open an elevated command prompt. -2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. -3. To update the schema, type ```adprep /forestprep```. -4. Read the Adprep Warning. Type the letter **C*** and press **Enter** to update the schema. -5. Close the Command Prompt and sign-out. - -## Create the KeyCredential Admins Security Global Group - -The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. - -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advance Features**. -3. Expand the domain node from the navigation pane. -4. Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **KeyCredential Admins** in the **Group Name** text box. -6. Click **OK**. - -## Create the Windows Hello for Business Users Security Global Group - -The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. - -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. - -1. Open **Active Directory Users and Computers**. -2. Click **View** and click **Advanced Features**. -3. Expand the domain node from the navigation pane. -4. 
Right-click the **Users** container. Click **New**. Click **Group**. -5. Type **Windows Hello for Business Users** in the **Group Name** text box. -6. Click **OK**. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. Validate Active Directory prerequisites (*You are here*) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md deleted file mode 100644 index 82e38e2728..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ /dev/null 
@@ -1,48 +0,0 @@ ---- -title: Validate and Deploy Multifactor Authentication Services (MFA) (Windows Hello for Business) -description: How to Validate and Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate and Deploy Multifactor Authentication Services (MFA) - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. - -Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. -* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. -* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. -* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. -* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. 
The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. - -## On-Premises Azure MFA Server - -On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. - -### Infrastructure - -A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. - -Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. - ->[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) beofre proceeding. Do not use instllation instructions provided in the article. - -Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. 
[Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. Validate and Deploy Multifactor Authentication Services (MFA) (*You are here*) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md deleted file mode 100644 index f0faf69798..0000000000 --- a/windows/access-protection/hello-for-business/hello-key-trust-validate-pki.md +++ /dev/null 
@@ -1,196 +0,0 @@ ---- -title: Validate Public Key Infrastructure (Windows Hello for Business) -description: How to Validate Public Key Infrastructure for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -author: DaniHalfin -localizationpriority: high ---- -# Validate and Configure Public Key Infrastructure - -**Applies to** -- Windows 10 -- Windows 10 Mobile - -> This guide only applies to Windows 10, version 1703 or higher. - -Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. Secondary certificates, such as VPN and SMIME (future feature) may also be deployed. - -## Deploy an enterprise certificate authority - -This guide assumes most enterprise have an existing public key infrastructure. Windows Hello for Business depends on a Windows enterprise public key infrastructure running the Active Directory Certificate Services role from Windows Server 2012 or later. - -### Lab-based public key infrastructure - -The following instructions may be used to deploy simple public key infrastructure that is suitable for a lab environment. - -Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 or later server where you want the certificate authority installed. - ->[!NOTE] ->Never install a certificate authority on a domain controller in a production environment. - -1. Open an elevated Windows PowerShell prompt. -2. Use the following command to install the Active Directory Certificate Services role. 
- ```PowerShell - Add-WindowsFeature Adcs-Cert-Authority -IncludeManageTools - ``` - -3. Use the following command to configure the Certificate Authority using a basic certificate authority configuration. - ```PowerShell - Install-AdcsCertificateAuthority - ``` - -## Configure a Production Public Key Infrastructure - -If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. - -### Configure Domain Controller Certificates - -Clients need to trust domain controllers and the best way to do this is to ensure each domain controller has a Kerberos Authentication certificate. Installing a certificate on the domain controller enables the Key Distribution Center (KDC) to prove its identity to other members of the domain. This provides clients a root of trust external to the domain—namely the enterprise certificate authority. - -Domain controllers automatically request a domain controller certificate (if published) when they discover an enterprise certificate authority is added to Active Directory. However, certificates based on the Domain Controller and Domain Controller Authentication certificate templates do not include the KDC Authentication object identifier (OID), which was later added to the Kerberos RFC. Therefore, domain controllers need to request a certificate based on the Kerberos Authentication certificate template. - -By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. 
However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template a baseline to create an updated domain controller certificate template. - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. - **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. -7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -8. Close the console. 
- -### Superseding the existing Domain Controller certificate - -Many domain controllers may have an existing domain controller certificate. The Active Directory Certificate Services provides a default certificate template from domain controllers—the domain controller certificate template. Later releases provided a new certificate template—the domain controller authentication certificate template. These certificate templates were provided prior to update of the Kerberos specification that stated Key Distribution Centers (KDCs) performing certificate authentication needed to include the KDC Authentication extension. - -The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. - -Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. -4. Click the **Superseded Templates** tab. Click **Add**. -5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. -7. 
From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**. -8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. -9. Click **OK** and close the **Certificate Templates** console. - -The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities. - -### Configure an Internal Web Server Certificate template - -Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. - -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. -5. On the **General** tab, type **Internal Web Server** in **Template display name**. 
Adjust the validity and renewal period to meet your enterprise’s needs. - **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. -6. On the **Request Handling** tab, select **Allow private key to be exported**. -7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. -8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission. -9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**. -10. Close the console. - -### Unpublish Superseded Certificate Templates - -The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. - -The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities. - -Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window. -5. 
Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates. - -### Publish Certificate Templates to the Certificate Authority - -The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. - -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. - -7. Close the console. - -### Configure Domain Controllers for Automatic Certificate Enrollment - -Domain controllers automatically request a certificate from the domain controller certificate template. 
However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. - -1. Start the **Group Policy Management Console** (gpmc.msc) -2. Expand the domain and select the **Group Policy Object** node in the navigation pane. -3. Right-click **Group Policy object** and select **New** -4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**. -5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **Computer Configuration**. -7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. -9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. -11. Select the **Update certificates that use certificate templates** check box. -12. Click **OK**. Close the **Group Policy Management Editor**. - -### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object - -Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. -1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…** -3. 
In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. - -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -You want to confirm your domain controllers enroll the correct certificates and not any unnecessary (superseded) certificate templates. You need to check each domain controller that autoenrollment for the computer occurred. - -#### Use the Event Logs - -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. - -Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. - -Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate. 
- - -#### Certificate Manager - -You can use the Certificate Manager console to validate the domain controller has the properly enrolled certificate based on the correct certificate template with the proper EKUs. Use **certlm.msc** to view certificate in the local computers certificate stores. Expand the **Personal** store and view the certificates enrolled for the computer. Archived certificates do not appear in Certificate Manager. - -#### Certutil.exe - -You can use **certutil.exe** to view enrolled certificates in the local computer. Certutil shows enrolled and archived certificates for the local computer. From an elevated command prompt, run `certutil -q -store my` to view locally enrolled certificates. - -To view detailed information about each certificate in the store, use `certutil -q -v -store my` to validate automatic certificate enrollment enrolled the proper certificates. - -#### Troubleshooting - -Windows triggers automatic certificate enrollment for the computer during boot, and when Group Policy updates. You can refresh Group Policy from an elevated command prompt using `gpupdate /force`. - -Alternatively, you can forcefully trigger automatic certificate enrollment using `certreq -autoenroll -q` from an elevated command prompt. - -Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. Validate and Configure Public Key Infrastructure (*You are here*) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. 
[Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) \ No newline at end of file diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index e99fabcb82..d6542a7d8f 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -1,6 +1,6 @@ # [Windows Hello for Business](hello-identity-verification.md) -## [Windows Hello for Business Overview](hello-overview.md) +## [Winodws Hello for Business Overview](hello-overview.md) ## [How Windows Hello for Business works](hello-how-it-works.md) ## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 8c5ee7fae7..d479183398 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -8,8 +8,6 @@ ms.sitesec: library ms.pagetype: security localizationpriority: high author: jdeckerms -ms.author: jdecker -ms.date: 07/13/2017 --- # Change history for Configure Windows 10 
@@ -19,8 +17,7 @@ This topic lists new and updated topics in the [Configure Windows 10](index.md) ## July 2017 | New or changed topic | Description | | --- | --- | -| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Fixed Group Policy settings that were not correct. | -|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Updated several Appraiser events and added Census.Speech. | +|[Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)|Updated several Appraiser events and added Census.Speech. ## June 2017 diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 9624ac975a..51841c4ad0 100644 --- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -296,7 +296,7 @@ After that, configure the following: - Disable the Group Policy: **Computer Configuration** > **Administrative Templates** > **System** > **Enable Windows NTP Server** > **Windows Time Service** > **Configure Windows NTP Client** > [!NOTE] - > This is only available on Windows 10, version 1703 and later. If you're using a previous version of Windows 10, the Group Policy setting is **Computer Configuration\\Administrative Templates\\System\\Windows Time Service\\Time Providers\\Enable Windows NTP Client** + > This is only available on Windows 10, version 1703 and later. -or - 
@@ -1423,7 +1423,7 @@ In the **Background Apps** area, you can choose which apps can run in the backgr
 To turn off **Let apps run in the background**:
-- For Windows 10, version 1607 and earlier, you must turn off the feature in the UI for each app.
+- Turn off the feature in the UI for each app.
 -or-
@@ -1690,11 +1690,12 @@ If you're running Windows 10, version 1607 or later, you only need to enable the
 - **User Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off all Windows spotlight features**
- > [!NOTE] - > This must be done within 15 minutes after Windows 10 is installed. Alternatively, you can create an image with this setting. - -or-
+- Create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one).
+ + -and- + + - Create a new REG\_DWORD registry setting in **HKEY\_CURRENT\_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent!DisableWindowsSpotlightFeatures**, with a value of 1 (one). If you're not running Windows 10, version 1607 or later, you can use the other options in this section.
diff --git a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
index e3dec62c04..8343d2c59e 100644
--- a/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: deploy
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
index 73cb6d1ceb..506e512699 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
index 6153892270..9b1db90c72 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
index e3d0e608ce..e611009fcf 100644
--- a/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
+++ b/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
index 260e34c58a..6f41240d2b 100644
--- a/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/app-behavior-with-wip.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.pagetype: security
 ms.sitesec: library
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
index ac47c979e8..9316b2ab60 100644
--- a/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -6,7 +6,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index c17b171c47..76d9d3a63c 100644
--- a/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index cc7aa3ad12..15e17ff463 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
index ea1c3f1dc4..043f638474 100644
--- a/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index a1fc6c8d4d..5726426cf1 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -6,7 +6,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
index 98e02c6d36..17cfdf7f54 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
index 0d5d4521d5..d8a879c4d2 100644
--- a/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
+++ b/windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 4ee8a1f240..60eb44c676 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
index 1a6321e555..a3b19da3c4 100644
--- a/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
+++ b/windows/threat-protection/windows-information-protection/deploy-wip-policy-using-intune.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
index 8ec71d77c4..159440b9aa 100644
--- a/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+++ b/windows/threat-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
index af7dd6bf07..af85cdebaf 100644
--- a/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
+++ b/windows/threat-protection/windows-information-protection/guidance-and-best-practices-wip.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/limitations-with-wip.md b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
index 1523c56b92..18971e3fe1 100644
--- a/windows/threat-protection/windows-information-protection/limitations-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/limitations-with-wip.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
index c6a2edc0ac..dfd5630dc2 100644
--- a/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
index b7f974c22c..caf17860ce 100644
--- a/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
+++ b/windows/threat-protection/windows-information-protection/overview-create-wip-policy.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
index 0793815fff..19071542aa 100644
--- a/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+++ b/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
index 3058a9ea2f..f07d6ab555 100644
--- a/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/recommended-network-definitions-for-wip.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
index 3d0ec7ebfa..a46e4231ad 100644
--- a/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
+++ b/windows/threat-protection/windows-information-protection/testing-scenarios-for-wip.md
@@ -8,7 +8,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
index a55be79204..d60d0bf4ad 100644
--- a/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
+++ b/windows/threat-protection/windows-information-protection/using-owa-with-wip.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
diff --git a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
index bd99bf2acf..c3c1f07f56 100644
--- a/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/threat-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -7,7 +7,6 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 ms.pagetype: security
 author: eross-msft
-ms.author: lizross
 localizationpriority: high
 ---
 
From b18b4d7daf39efd97035e5647f72197878a03a54 Mon Sep 17 00:00:00 2001
From: Brian Lich
Date: Thu, 13 Jul 2017 16:35:27 -0700
Subject: [PATCH 34/34] changing url

---
 .openpublishing.publish.config.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.openpublishing.publish.config.json b/.openpublishing.publish.config.json
index fd21609f09..6dbc487f58 100644
--- a/.openpublishing.publish.config.json
+++ b/.openpublishing.publish.config.json
@@ -410,8 +410,7 @@
 "branches_to_filter": [
 ""
 ],
- "git_repository_url_open_to_public_contributors": "https://github.com/Microsoft/windows-itpro-docs",
- "git_repository_branch_open_to_public_contributors": "master",
+ "git_repository_url_open_to_public_contributors": "https://cpubwin.visualstudio.com/_git/it-client",
 "skip_source_output_uploading": false,
 "need_preview_pull_request": true,
 "dependent_repositories": [
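Review bot: The hunk drops `git_repository_branch_open_to_public_contributors` at the same time as it repoints `git_repository_url_open_to_public_contributors` from a GitHub URL to a cpubwin.visualstudio.com repository, so the branch that public-contributor links should target is no longer stated anywhere in this file section. If the intent is that the repository is no longer open to public contribution, keeping a key whose name advertises a public URL while it names an internal repository is likely to mislead the next editor; if public contribution is still intended, the removed line `"git_repository_branch_open_to_public_contributors": "master",` should probably be retained alongside the new URL. The one-word commit description gives no rationale either way, and JSON offers no place for an in-file comment, so one sentence in the description stating which of the two is intended would make this change self-explaining.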