deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-28 05:07:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/rs2' into 11142714

Browse Source
This commit is contained in:
Trudy Hakala 2017-03-22 15:07:22 -07:00
commit 2537e8ea57
27 changed files with 83 additions and 193 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.openpublishing.redirection.json
View File

@ -386,6 +386,11 @@
"redirect_document_id": true
},
{
"source_path": "windows/keep-secure/hello-enable-phone-signin.md",
"redirect_url": "/itpro/windows/keep-secure/hello-identity-verification",
"redirect_document_id": false
},
{
"source_path": "windows/keep-secure/deploy-edp-policy-using-intune.md",
"redirect_url": "/itpro/windows/keep-secure/deploy-wip-policy-using-intune",
"redirect_document_id": true

BIN
devices/surface-hub/images/sh-55-rpc-ports.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 52 KiB

BIN
windows/deploy/images/ur-overview.PNG
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 32 KiB

BIN
windows/deploy/images/ur-settings.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 76 KiB

12
windows/deploy/resolve-windows-10-upgrade-errors.md
View File

@ -1,6 +1,6 @@
---
title: Resolve Windows 10 upgrade errors
description: Resolve Windows 10 upgrade errors
title: Resolve Windows 10 upgrade errors - Windows IT Pro
description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback
ms.prod: w10
@ -11,7 +11,7 @@ author: greg-lindsay
localizationpriority: high
---
# Resolve Windows 10 upgrade errors
# Resolve Windows 10 upgrade errors : Technical information for IT Pros
**Applies to**
- Windows 10
@ -251,13 +251,15 @@ See the following example:
### Analyze log files
>The following instructions are meant for IT professionals. Also see the [Upgrade error codes](#upgrade-error-codes) section in this guide to familiarize yourself with [result codes](#result-codes) and [extend codes](#extend-codes).
<P>To analyze Windows Setup log files:
<OL>
<LI>Determine the Windows Setup error code.
<LI>Determine the Windows Setup error code. This code should be returned by Windows Setup if it is not successful with the upgrade process.
<LI>Based on the [extend code](#extend-codes) portion of the error code, determine the type and location of a [log files](#log-files) to investigate.
<LI>Open the log file in a text editor, such as notepad.
<LI>Using the result code portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
<LI>Using the [result code](#result-codes) portion of the Windows Setup error code, search for the result code in the file and find the last occurrence of the code. Alternatively search for the "abort" and abandoning" text strings described in step 7 below.
<LI>To find the last occurrence of the result code:
<OL type="a">
<LI>Scroll to the bottom of the file and click after the last character.

2
windows/deploy/troubleshoot-upgrade-readiness.md
View File

@ -11,7 +11,7 @@ If youre having issues seeing data in Upgrade Readiness after running the Upg
If you still dont see data in Upgrade Readiness, follow these steps:
1. Download and extract UpgradeAnalytics.zip. Ensure the “Diagnostics” folder is included.
1. Download and extract the [Upgrade Readiness Deployment Script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). Ensure the “Pilot/Diagnostics” folder is included .
2. Edit the script as described in [Upgrade Readiness deployment script](upgrade-readiness-deployment-script.md).

2
windows/deploy/upgrade-readiness-deployment-script.md
View File

@ -31,7 +31,7 @@ The Upgrade Readiness deployment script does the following:
To run the Upgrade Readiness deployment script:
1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
1. Download the [Upgrade Readiness deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract the .zip file. Inside, there are two folders: **Pilot** and **Deployment**. The **Pilot** folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The **Deployment** folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization.
2. Edit the following parameters in RunConfig.bat:

2
windows/deploy/upgrade-readiness-resolve-issues.md
View File

@ -53,7 +53,7 @@ For applications assessed as **Attention needed**, review the table below for de
| Upgrade Assessment | Action required prior to upgrade? | Issue | What it means | Guidance |
|--------------------|-----------------------------------|-----------|-----------------|------------|
| Attention needed | No | Application is removed during upgrade | Compatibility issues were detected and the application will not migrate to the new operating system. <br> | No action is required for the upgrade to proceed. |
| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Analytics is not able to remove the application during upgrade. <br><br>The application may work on the new operating system.<br> | Remove the application before upgrading, and reinstall and test on new operating system. |
| Attention needed | Yes | Blocking upgrade | Blocking issues were detected and Upgrade Readiness is not able to remove the application during upgrade. <br><br>The application may work on the new operating system.<br> | Remove the application before upgrading, and reinstall and test on new operating system. |
| Attention needed | No | Evaluate application on new OS | The application will migrate, but issues were detected that may impact its performance on the new operating system. | No action is required for the upgrade to proceed, but be sure to test the application on the new operating system.<br> |
| Attention needed | No | Does not work with new OS, but wont block upgrade | The application is not compatible with the new operating system, but wont block the upgrade. | No action is required for the upgrade to proceed, however, youll have to install a compatible version of the application on the new operating system.<br> |
| Attention needed | Yes | Does not work with new OS, and will block upgrade | The application is not compatible with the new operating system and will block the upgrade. | Remove the application before upgrading. <br><br>A compatible version of the application may be available.<br> |

8
windows/deploy/upgrade-readiness-upgrade-overview.md
View File

@ -17,9 +17,13 @@ The following color-coded status changes are reflected on the upgrade overview b
- No delay in processing device inventory data = "Last updated" banner is displayed in green.
- Delay processing device inventory data = "Last updated" banner is displayed in amber.
- Computers with incomplete data:
- Less than 4% = Count is displayed in black.
- Less than 4% = Count is displayed in green.
- 4% - 10% = Count is displayed in amber.
- Greater than 10% = Count is displayed in red.
- Computers with outdated KB:
- Less than 10% = Count is displayed in green.
- 10% - 30% = Count is displayed in amber.
- Greater than 30% = Count is displayed in red.
- User changes:
- Pending user changes = User changes count displays "Data refresh pending" in amber.
- No pending user changes = User changes count displays "Up to date" in green.
@ -28,6 +32,8 @@ The following color-coded status changes are reflected on the upgrade overview b
- If the current value is an older OS version than the recommended value, but not deprecated, the version is displayed in amber.
- If the current value is a deprecated OS version, the version is displayed in red.
Click on a row to drill down and see details about individual computers. If KBs are missing, see [Deploy the compatibility update and related KBs](https://technet.microsoft.com/en-us/itpro/windows/deploy/upgrade-readiness-get-started#deploy-the-compatibility-update-and-related-kbs) for information on required KBs.
In the following example, there is no delay in data processing, less than 4% of computers (6k\294k) have incomplete data, there are no pending user changes, and the currently selected target OS version is the same as the recommended version:
![Upgrade overview](images/ur-overview.png)

2
windows/deploy/use-upgrade-readiness-to-manage-windows-upgrades.md
View File

@ -51,4 +51,4 @@ To change the target version setting, click on **Solutions Settings**, which app
On the **Upgrade Readiness Settings** page, choose one of the options in the drop down box and click **Save**. The changes in the target version setting are reflected in evaluations when a new snapshot is uploaded to your workspace.
![Target version](images/ua-cg-09.png)
![Target version](images/ur-settings.png)

3
windows/keep-secure/TOC.md
View File

@ -3,7 +3,6 @@
## [Windows Hello for Business](hello-identity-verification.md)
### [How Windows Hello for Business works](hello-how-it-works.md)
### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
### [Windows Hello and password changes](hello-and-password-changes.md)
@ -575,7 +574,7 @@
###### [Domain member: Maximum machine account password age](domain-member-maximum-machine-account-password-age.md)
###### [Domain member: Require strong (Windows 2000 or later) session key](domain-member-require-strong-windows-2000-or-later-session-key.md)
###### [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md)
###### [Interactive logon: Don\'t display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md)
###### [Interactive logon: Do not require CTRL+ALT+DEL](interactive-logon-do-not-require-ctrl-alt-del.md)
###### [Interactive logon: Machine account lockout threshold](interactive-logon-machine-account-lockout-threshold.md)
###### [Interactive logon: Machine inactivity limit](interactive-logon-machine-inactivity-limit.md)

22
windows/keep-secure/enterprise-certificate-pinning.md
View File

@ -18,8 +18,8 @@ localizationpriority: high
**Applies to**
- Windows 10
Enterprise certificate pinning is a Windows feature for remembering, or “pinning” a root, issuing certificate authority, or end entity certificate to a given domain name.
Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates to help reduce man-in-the-middle attacks.
Enterprise certificate pinning is a Windows feature for remembering, or “pinning,” a root issuing certificate authority or end entity certificate to a given domain name.
Enterprise certificate pinning helps reduce man-in-the-middle attacks by enabling you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates.
>[!NOTE]
> External domain names, where the certificate issued to these domains is issued by a public certificate authority, are not ideal for enterprise certificate pinning. Web administrators should configure their web servers to use HTTP public key pinning (HPKP) and encourage users to use web browsers that support HPKP.
@ -73,6 +73,7 @@ The PinRules element can have the following attributes.
For help with formatting Pin Rules, see [Representing a Date in XML](#representing-a-date-in-xml) or [Representing a Duration in XML](#representing-a-duration-in-xml).
- **Duration** or **NextUpdate**
Specifies when the Pin Rules will expire.
Either is required.
**NextUpdate** takes precedence if both are specified.
@ -83,6 +84,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
**Required?** Yes. At least one is required.
- **LogDuration** or **LogEndDate**
Configures auditing only to extend beyond the expiration of enforcing the Pin Rules.
**LogEndDate**, represented as an XML DateTime data type in UTC, takes precedence if both are specified.
@ -94,6 +96,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
**Required?** No.
- **ListIdentifier**
Provides a friendly name for the list of pin rules.
Windows does not use this attribute for certificate pinning enforcement, however it is included when the pin rules are converted to a certificate trust list (CTL).
@ -104,6 +107,7 @@ For help with formatting Pin Rules, see [Representing a Date in XML](#representi
The **PinRule** element can have the following attributes:
- **Name**
Uniquely identifies the **PinRule**.
Windows uses this attribute to identify the element for a parsing error or for verbose output.
The attribute is not included in the generated certificate trust list (CTL).
@ -111,6 +115,7 @@ The **PinRule** element can have the following attributes:
**Required?** Yes.
- **Error**
Describes the action Windows performs when it encounters a PIN mismatch.
You can choose from the following string values:
- **Revoked** - Windows reports the certificate protecting the site as if it was revoked. This typically prevents the user from accessing the site.
@ -119,7 +124,8 @@ The **PinRule** element can have the following attributes:
**Required?** No.
- **Log**
- **Log**
A Boolean value represent as string that equals **true** or **false**.
By default, logging is enabled (**true**).
@ -130,6 +136,7 @@ The **PinRule** element can have the following attributes:
The **Certificate** element can have the following attributes:
- **File**
Path to a file containing one or more certificates.
Where the certificate(s) can be encoded as:
- single certificate
@ -142,12 +149,14 @@ The **Certificate** element can have the following attributes:
**Required?** Yes (File, Directory or Base64 must be present).
- **Directory**
Path to a directory containing one or more of the above certificate files.
Skips any files not containing any certificates.
**Required?** Yes (File, Directory or Base64 must be present).
- **Base64**
Base64 encoded certificate(s).
Where the certificate(s) can be encoded as:
- single certificate
@ -161,7 +170,8 @@ The **Certificate** element can have the following attributes:
**Required?** Yes (File, Directory or Base64 must be present).
- **EndDate**
- **EndDate**
Enables you to configure an expiration date for when the certificate is no longer valid in the pin rule.
If you are in the process of switching to a new root or CA, you can set the **EndDate** to allow matching of this elements certificates.
@ -177,6 +187,7 @@ The **Certificate** element can have the following attributes:
The **Site** element can have the following attributes:
- **Domain**
Contains the DNS name to be matched for this pin rule.
When creating the certificate trust list, the parser normalizes the input name string value as follows:
- If the DNS name has a leading "*" it is removed.
@ -189,6 +200,7 @@ The **Site** element can have the following attributes:
**Required?** Yes.
- **AllSubdomains**
By default, wildcard left hand label matching is restricted to a single left hand label.
This attribute can be set to "true" to enable wildcard matching of all of the left hand labels.
@ -196,7 +208,7 @@ The **Site** element can have the following attributes:
**Required?** No.
### Create a Pin Rules Certificate Trust List
### Create a Pin Rules Certificate Trust List
The command line utility, **Certutil.exe**, includes the **generatePinRulesCTL** argument to parse the XML file and generate the encoded certificate trust list (CTL) that you add to your reference Windows 10 version 1703 computer and subsequently deploy.
The usage syntax is:

1
windows/keep-secure/hello-and-password-changes.md
View File

@ -41,7 +41,6 @@ Suppose instead that you sign in on **Device B** and change your password for yo
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)

1
windows/keep-secure/hello-biometrics-in-enterprise.md
View File

@ -79,7 +79,6 @@ To allow facial recognition, you must have devices with integrated special infra
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)

84
windows/keep-secure/hello-enable-phone-signin.md
View File

@ -1,84 +0,0 @@
---
title: Enable phone sign-in to PC or VPN (Windows 10)
description: You can set policies to allow your users to sign in to a PC or VPN using their Windows 10 phone.
keywords: ["identity", "PIN", "biometric", "Hello"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: DaniHalfin
localizationpriority: high
---
# Enable phone sign-in to PC or VPN
**Applies to**
- Windows 10
- Windows 10 Mobile
In Windows 10, version 1607, your network users can use Windows Phone with Windows Hello to sign in to a PC, connect to VPN, and sign in to Office 365 in a browser. Phone sign-in uses Bluetooth, which means no need to wait for a phone call -- just unlock the phone and tap the app.
![Sign in to a device](images/phone-signin-menu.png)
> [!NOTE]
> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
You can create a Group Policy or mobile device management (MDM) policy that will allow users to sign in to a work PC or their company's VPN using the credentials stored on their Windows 10 phone.
## Prerequisites
- Both phone and PC must be running Windows 10, version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The **Microsoft Authenticator** app must be installed on the phone.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
- The VPN configuration profile must use certificate-based authentication.
## Set policies
To enable phone sign-in, you must enable the following policies using Group Policy or MDM.
- Group Policy: **Computer Configuration** or **User Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**
- Enable **Use Windows Hello for Business**
- Enable **Phone Sign-in**
- MDM:
- Set **UsePassportForWork** to **True**
- Set **Remote\UseRemotePassport** to **True**
## Configure VPN
To enable phone sign-in to VPN, you must enable the [policy](#set-policies) for phone sign-in and ensure that VPN is configured as follows:
- For inbox VPN, set up the VPN profile with Extensible Authentication Protocol (EAP) with the **Smart card or other certificate (TLS)** EAP type, also known as EAP-Transport Level Security (EAP-TLS). To exclusively access the VPN certificates on the phone, in the EAP filtering XML, add either **EKU** or **Issuer** (or both) filtering to make sure it picks only the Remote NGC certificate.
- For a Universal Windows Platform (UWP) VPN plug-in, add filtering criteria based on the 3rd party mechanism for the Remote NGC Certificate.
## Get the app
If you want to distribute the **Microsoft Authenticator** app, your organization must have set up Windows Store for Business, with Microsoft added as a [Line of Business (LOB) publisher](../manage/working-with-line-of-business-apps.md).
[Tell people how to sign in using their phone.](hello-prepare-people-to-use.md#bmk-remote)
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
 
 

1
windows/keep-secure/hello-errors-during-pin-creation.md
View File

@ -225,7 +225,6 @@ For errors listed in this table, contact Microsoft Support for assistance.
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)

1
windows/keep-secure/hello-event-300.md
View File

@ -37,7 +37,6 @@ This is a normal condition. No further action is required.
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)

1
windows/keep-secure/hello-how-it-works.md
View File

@ -112,7 +112,6 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ
- [Windows Hello for Business](hello-identity-verification.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)

5
windows/keep-secure/hello-identity-verification.md
View File

@ -72,10 +72,6 @@ Imagine that someone is looking over your shoulder as you get money from an ATM
Windows Hello helps protect user identities and user credentials. Because the user doesn't enter a password (except during provisioning), it helps circumvent phishing and brute force attacks. It also helps prevent server breaches because Windows Hello credentials are an asymmetric key pair, which helps prevent replay attacks when these keys are protected by TPMs.
For customers using a hybrid Active Directory and Azure Active Directory environment, Windows Hello also enables Windows 10 Mobile devices to be used as [a remote credential](hello-prepare-people-to-use.md#bmk-remote) when signing into Windows 10 PCs. During the sign-in process, the Windows 10 PC can connect using Bluetooth to access Windows Hello on the users Windows 10 Mobile device. Because users carry their phone with them, Windows Hello makes implementing two-factor authentication across the enterprise less costly and complex than other solutions.
> [!NOTE]
>  Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
## How Windows Hello for Business works: key points
@ -119,7 +115,6 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)

14
windows/keep-secure/hello-manage-in-organization.md
View File

@ -131,16 +131,12 @@ The following table lists the Group Policy settings that you can configure for W
</td>
</tr>
<tr>
<td><a href="hello-prepare-people-to-use.md#bmk-remote">Phone Sign-in</a></td>
<td>>Phone Sign-in</td>
<td>
<p>Use Phone Sign-in</p>
<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
<div> </div>
</td>
<td>
<p><b>Not configured</b>: Phone sign-in is disabled.</p>
<p><b>Enabled</b>: Users can use a portable, registered device as a companion device for desktop authentication.</p>
<p><b>Disabled</b>: Phone sign-in is disabled.</p>
<p>Not currently supported.</p>
</td>
</tr>
</table>
@ -283,14 +279,11 @@ The following table lists the MDM policy settings that you can configure for Win
<td>Remote</td>
<td>
<p>UseRemotePassport</p>
<div class="alert"><b>Note</b>  Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.</div>
<div> </div>
</td>
<td>Device or user</td>
<td>False</td>
<td>
<p>True: <a href="hello-prepare-people-to-use.md#bmk-remote">Phone sign-in</a> is enabled.</p>
<p>False: <a href="hello-prepare-people-to-use.md#bmk-remote">Phone sign-in</a> is disabled.</p>
<p>Not currently supported.</p>
</td>
</tr>
</table>
@ -381,7 +374,6 @@ If you want to use Windows Hello for Business with certificates, youll need a
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)

43
windows/keep-secure/hello-prepare-people-to-use.md
View File

@ -51,56 +51,13 @@ If your policy allows it, people can use biometrics (fingerprint, iris, and faci
![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)
## <a href="" id="bmk-remote"></a>Use a phone to sign in to a PC or VPN
If your enterprise enables phone sign-in, users can pair a phone running Windows 10 Mobile to a PC running Windows 10 and then use an app on the phone to sign in to the PC using their Windows Hello credentials.
> [!NOTE]
> Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
 
**Prerequisites:**
- Both phone and PC must be running Windows 10, version 1607.
- The PC must be running Windows 10 Pro, Enterprise, or Education
- Both phone and PC must have Bluetooth.
- The **Microsoft Authenticator** app must be installed on the phone.
- The PC must be joined to an Active Directory domain that is connected to an Azure Active Directory (Azure AD) domain, or the PC must be joined to Azure AD.
- The phone must be joined to Azure AD or have a work account added.
- The VPN configuration profile must use certificate-based authentication.
**Pair the PC and phone**
1. On the PC, go to **Settings** &gt; **Devices** &gt; **Bluetooth**. Tap the name of the phone and then tap **Pair** to begin pairing.
![bluetooth pairing](images/btpair.png)
2. On the phone, go to **Settings** &gt; **Devices** &gt; **Bluetooth**, and verify that the passcode for **Pairing accessory** on the phone matches the passcode displayed on the PC, and then tap **ok**.
![bluetooth pairing passcode](images/bt-passcode.png)
3. On the PC, tap **Yes**.
**Sign in to PC using the phone**
1. Open the **Microsoft Authenticator** app, choose your account, and tap the name of the PC to sign in to.
> **Note: **  The first time that you run the **Microsoft Authenticator** app, you must add an account.
![select a device](images/phone-signin-device-select.png)
 
2. Enter the work PIN that you set up when you joined the phone to the cloud domain or added a work account.
**Connect to VPN**
You simply connect to VPN as you normally would. If the phone's certificates are being used, a notification will be pushed to the phone asking if you approve. If you click **allow** in the notification, you will be prompted for your PIN. After you enter your PIN, the VPN session will connect.
## Related topics
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)

1
windows/keep-secure/hello-why-pin-is-better-than-password.md
View File

@ -75,7 +75,6 @@ If you only had a biometric sign-in configured and, for any reason, were unable
- [Windows Hello for Business](hello-identity-verification.md)
- [How Windows Hello for Business works](hello-how-it-works.md)
- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
- [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
- [Windows Hello and password changes](hello-and-password-changes.md)
- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)

BIN
windows/keep-secure/images/enterprise-certificate-pinning-converting-an-xml-date.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

5
windows/keep-secure/interactive-logon-display-user-information-when-the-session-is-locked.md
View File

@ -21,7 +21,7 @@ This security setting controls whether details such as email address or domain\u
For clients that run Windows 10 version 1511 and 1507 (RTM), this setting works similarly to previous versions of Windows.
However, because of a new **Privacy** setting introduced in Windows 10 version 1607, this security setting affects those clients differently.
### Changes in Windows 10 version 1607
### Changes beginning with Windows 10 version 1607
Beginning with Windows 10 version 1607, new functionality was added to Windows 10 to hide username details such as email address by default, with the ability to change the default to show the details.
This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
@ -65,7 +65,8 @@ Clients that run Windows 10 version 1607 will not show details on the sign-in sc
If the **Privacy** setting is turned on, details will show.
The **Privacy** setting cannot be changed for clients in bulk.
Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
Instead, apply [KB 4013429](http://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows.
Clients that run later versions of Windows 10 do not require a hotfix.
There are related Group Policy settings:

8
windows/manage/windows-store-for-business-overview.md
View File

@ -254,6 +254,7 @@ Store for Business is currently available in these markets.
<li>Luxembourg</li>
<li>Malaysia</li>
<li>Malta</li>
<li>Mauritius</li>
<li>Mexico</li>
<li>Mongolia</li>
<li>Montenegro</li>
@ -275,12 +276,12 @@ Store for Business is currently available in these markets.
<li>Portugal</li>
<li>Puerto Rico</li>
<li>Qatar</li>
<li>Romania</li>
<li>Rwanda</li>
<li>Romania</li>
</ul>
</td>
<td>
<ul>
<li>Rwanda</li>
<li>Saint Kitts and Nevis</li>
<li>Saudi Arabia</li>
<li>Senegal</li>
@ -305,8 +306,7 @@ Store for Business is currently available in these markets.
<li>Viet Nam</li>
<li>Virgin Islands, U.S.</li>
<li>Zambia</li>
<li>Zimbabwe<br>&nbsp;<br>&nbsp;<br>&nbsp;<br>&nbsp;</li>
<li>Zimbabwe<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</li>
</ul>
</td>
</tr>

1
windows/update/waas-optimize-windows-10-updates.md
View File

@ -49,6 +49,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
Windows 10 update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
### How Microsoft supports Express
- **Express on System Center Configuration Manager** starting with version 1702 of Configuration Manager.
- **Express on WSUS Standalone**
Express update delivery is available on [all support versions of WSUS](https://technet.microsoft.com/library/cc708456(v=ws.10).aspx).

52
windows/whats-new/whats-new-windows-10-version-1703.md
View File

@ -1,5 +1,5 @@
---
title: What's new in Windows 10, version 1607 (Windows 10)
title: What's new in Windows 10, version 1703 (Windows 10)
description: This topic lists new and updated topics in the What's new in Windows 10 documentation for Windows 10 and Windows 10 Mobile.
keywords: ["What's new in Windows 10", "Windows 10", "creators update"]
ms.prod: w10
@ -7,6 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
author: TrudyHa
localizationpriority: high
ms.assetid: dca7c655-c4f6-45f8-aa02-64187b202617
---
# What's new in Windows 10, version 1703
@ -20,7 +21,7 @@ Below is a list of some of the new and updated features in Windows 10, version 1
### Windows Configuration Designer
Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in Windows Store as an app. To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the Windows Assessment and Deployment Kit (ADK).
Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool for creating provisioning packages is renamed **Windows Configuration Designer**. The new Windows Configuration Designer is available in [Windows Store as an app](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on earlier versions of Windows, you can still install Windows Configuration Designer from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
@ -28,14 +29,6 @@ Windows Configuration Designer in Windows 10, version 1703, includes several new
[Learn more about Windows Configuration Designer.](../configure/provisioning-packages.md)
### Lockdown Designer app
The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
![Lockdown Designer app in Store](images/ldstore.png)
[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
### Windows Spotlight
The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences:
@ -46,25 +39,35 @@ The following new Group Policy and mobile device management (MDM) settings are a
[Learn more about Windows Spotlight.](../configure/windows-spotlight.md)
### Kiosk mode for Windows 10 Mobile
In Windows 10 Mobile, version 1703, [Apps Corner](https://support.microsoft.com/instantanswers/7959c547-aa80-5ff1-9097-1784b6894845/set-up-apps-corner) is removed. Enterprises can use [Enterprise Assigned Access to configure kiosk experiences](../configure/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) on devices running Windows 10 Mobile.
### Start and taskbar layout
Enterprises can apply a customized Start and tasbkar layout to devices running Windows 10 Pro, version 1703.
Enterprises can apply a customized Start and taskbar layout to devices running Windows 10 Pro, version 1703.
Additional MDM policy settings are available for Start and taskbar layout. For details, see [Manage Windows 10 Start and taskbar layout](../configure/windows-10-start-layout-options-and-policies.md).
Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10, version 1703, adds support for customized taskbars to [MDM](../configure/customize-windows-10-start-screens-by-using-mobile-device-management.md).
### Lockdown Designer for Windows 10 Mobile lockdown files
The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](../configure/lockdown-xml.md).
![Lockdown Designer app in Store](images/ldstore.png)
[Learn more about the Lockdown Designer app.](../configure/mobile-lockdown-designer.md)
## Deployment
### MBR2GPT.EXE
MBR2GPT.EXE is a new command-line tool available in Windows 10 version 1703 and later versions. MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS).
The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability and supports additional partition types. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk.
Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock.
For details, see [MBR2GPT.EXE](../deploy/mbr-to-gpt.md).
@ -76,7 +79,9 @@ Using Azure AD also means that you can remove an employees profile (for examp
## Security
### Windows Defender Advanced Threat Protection (Windows Defender ATP)
### Windows Defender Advanced Threat Protection
New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10, version 1703 include:
- **Detection**<br>
Enhancements to the detection capabilities include:
- [Use the threat intelligence API to create custom alerts](../keep-secure/use-custom-ti-windows-defender-advanced-threat-protection.md) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization.
@ -103,8 +108,8 @@ Using Azure AD also means that you can remove an employees profile (for examp
### Windows Defender Antivirus (Windows Defender AV)
New features for Windows Defender AV in Windows 10, version 1703 include:
### Windows Defender Antivirus
New features for Windows Defender Antivirus (AV) in Windows 10, version 1703 include:
- [Updates to how the Block at First Sight feature can be configured](../keep-secure/configure-block-at-first-sight-windows-defender-antivirus.md)
- [The ability to specify the level of cloud-protection](../keep-secure/specify-cloud-protection-level-windows-defender-antivirus.md)
@ -141,7 +146,9 @@ The pause feature has been changed, and now requires a start date to set up. Use
You are now able to defer feature update installation by up to 365 days. In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](../update/waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](../update/waas-configure-wufb.md#configure-when-devices-receive-quality-updates) for details.
### Delivery Optimization
### Optimize update delivery
[Express updates](../update/waas-optimize-windows-10-updates.md#express-update-delivery) are now supported on System Center Configuration Manager, starting with version 1702 of Configuration Manager, in addition to current Express support on Windows Update, Windows Update for Business and WSUS.
Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios.
@ -154,6 +161,9 @@ Added policies include:
To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](../update/waas-delivery-optimization.md)
## Learn more
## Related topics
- [Windows 10 release information](https://technet.microsoft.com/en-us/windows/release-info)
- [Features that are removed or deprecated in Windows 10 Creators Update](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)
- [Windows 10 release information](https://technet.microsoft.com/windows/release-info)
- [What's new in MDM in Windows 10, version 1703](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10)
- [Manage Windows upgrades with Upgrade Readiness](../deploy/manage-windows-upgrades-with-upgrade-readiness.md)