From eb305abc4fb5839491be690429c9c729fc5329c9 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Mon, 6 Nov 2017 23:33:36 +0000 Subject: [PATCH 01/27] Merged PR 4338: Merge ms-whfb-staging to whfb-staging Corrections for Hybrid Cert trust deployment guide --- .../hello-for-business/hello-deployment-guide.md | 2 +- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-deployment-guide.md b/windows/access-protection/hello-for-business/hello-deployment-guide.md index c202596cd4..35ca37be84 100644 --- a/windows/access-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/access-protection/hello-for-business/hello-deployment-guide.md @@ -28,7 +28,7 @@ This deployment guide is to guide you through deploying Windows Hello for Busine This guide assumes a baseline infrastructure exists that meets the requirements for your deployment. For either hybrid or on-premises deployments, it is expected that you have: * A well-connected, working network * Internet access - * Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning +* Multifactor Authentication Server to support MFA during Windows Hello for Business provisioning * Proper name resolution, both internal and external names * Active Directory and an adequate number of domain controllers per site to support authentication * Active Directory Certificate Services 2012 or later diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 7c56e7ded8..0aafbf488a 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
+++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -23,7 +23,7 @@ Hybrid environments are distributed systems that enable organizations to use on- The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastucture](#public-key-infastructure) +* [Public Key Infrastucture](#public-key-infrastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authetication](#multifactor-authentication) diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index d7f825257f..6c59f37b66 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md 
@@ -133,7 +133,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. -12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Enroll** permission. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. +12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. 13. 
If you previously issued Windows Hello for Business sign-in certificates using Configuration Manger and are switching to an AD FS registration authority, then on the **Superseded Templates** tab, add the previously used **Windows Hello for Business Authentication** template(s), so they will be superseded by this template for the users that have Enroll permission for this template. 14. Click on the **Apply** to save changes and close the console. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 342e42b0d0..5b1f2a3188 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md @@ -108,7 +108,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. 4. In the navigation pane, expand **Policies** under **User Configuration**. 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. -6. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. +6. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. 8. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 9. Select the **Update certificates that use certificate templates** check box. From 0e266d600e3579503c3edad71f4bc7d3461153d5 Mon Sep 17 00:00:00 2001 
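Review bot: In the hello-hybrid-cert-trust-prereqs.md hunk, the added line corrects the anchor to #public-key-infrastructure but keeps the link text "Public Key Infrastucture", so the visible typo remains, and the context bullet "MultiFactor Authetication" below it is misspelled in the same way. Suggest fixing both labels in this change, for example [Public Key Infrastructure](#public-key-infrastructure).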
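Review bot: In step 12 of the hello-hybrid-cert-whfb-settings-pki.md hunk, the added text names the permission **AutoEnroll** while the next sentence of the same step still says **Autoenroll**, and step 11 just above tells the reader to type "Window Hello for Business Users" although step 12 calls the group "Windows Hello for Business Users". This step decides who may enroll against the template, so suggest one spelling for the permission and the exact group name in both steps, so that the permissions an administrator ends up with match the guide.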
From: lmasieri <32968351+lmasieri@users.noreply.github.com> Date: Fri, 10 Nov 2017 11:25:18 -0800 Subject: [PATCH 02/27] Update manage-orders-microsoft-store-for-business.md --- .../manage-orders-microsoft-store-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 08da797130..5ff6a0ebc6 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md 
@@ -43,7 +43,7 @@ Refunds work a little differently for free apps, and apps that have a price. In There are a few requirements for apps that have a price: - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. - - **Avaialable licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. + - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. **To refund an order** From 05ceee53de2ed82268817fbc854756e75275cb3f Mon Sep 17 00:00:00 2001 
From: Jan Pilar Date: Sun, 12 Nov 2017 09:46:43 +0100 Subject: [PATCH 03/27] Update response-actions-windows-defender-advanced-threat-protection.md Sentence "These response actions are only available for machines on Windows 10, version 1703" is no longer valid since these functions and many more can be used with Windows 10 1709. I suggest to add "or higher" into sentence. Thanks! --- ...ponse-actions-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md index 6f30bcb438..b43fb54643 100644 --- a/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md @@ -31,7 +31,7 @@ ms.date: 10/17/2017 You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization. >[!NOTE] -> These response actions are only available for machines on Windows 10, version 1703. +> These response actions are only available for machines on Windows 10, version 1703 or higher. ## In this section Topic | Description From 8a7b99b26494f0d2709a03593cd7f7b0c86e97d7 Mon Sep 17 00:00:00 2001 From: joscon <33638761+joscon@users.noreply.github.com> Date: Mon, 13 Nov 2017 12:45:53 -0800 Subject: [PATCH 04/27] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index ed973594ca..5ccfa7b0e4 100644 --- a/windows/client-management/mdm/remotewipe-csp.md 
+++ b/windows/client-management/mdm/remotewipe-csp.md @@ -42,6 +42,9 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which Supported operation is Exec. +**doWipePersistUserData** +Added in Windows 10 Fall Creators Edition. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + ## The Remote Wipe Process From 0cafdd362fd6068fc6596784706802b61d0c4b9d Mon Sep 17 00:00:00 2001 From: joscon <33638761+joscon@users.noreply.github.com> Date: Mon, 13 Nov 2017 15:25:01 -0800 Subject: [PATCH 05/27] Update remotewipe-csp.md --- windows/client-management/mdm/remotewipe-csp.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/remotewipe-csp.md b/windows/client-management/mdm/remotewipe-csp.md index 5ccfa7b0e4..2a5bad77e5 100644 --- a/windows/client-management/mdm/remotewipe-csp.md +++ b/windows/client-management/mdm/remotewipe-csp.md @@ -43,7 +43,7 @@ The doWipeProtected is functionally similar to doWipe. But unlike doWipe, which Supported operation is Exec. **doWipePersistUserData** -Added in Windows 10 Fall Creators Edition. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. +Added in Windows 10, version 1709. Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. ## The Remote Wipe Process From a914b58b9bb5accf09141024cb5885443695e0f4 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 13 Nov 2017 16:52:51 -0800 Subject: [PATCH 06/27] typo --- windows/threat-protection/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/TOC.md b/windows/threat-protection/TOC.md index cc891f0d7d..e1120ad955 100644 
--- a/windows/threat-protection/TOC.md +++ b/windows/threat-protection/TOC.md @@ -25,7 +25,7 @@ ### [Onboard endpoints and set up access](windows-defender-atp\onboard-configure-windows-defender-advanced-threat-protection.md) #### [Configure client endpoints](windows-defender-atp\configure-endpoints-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using Group Policy](windows-defender-atp\configure-endpoints-gp-windows-defender-advanced-threat-protection.md) -##### [Configure endpoints using System Security Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) +##### [Configure endpoints using System Center Configuration Manager](windows-defender-atp\configure-endpoints-sccm-windows-defender-advanced-threat-protection.md) ##### [Configure endpoints using Mobile Device Management tools](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md) ###### [Configure endpoints using Microsoft Intune](windows-defender-atp\configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#configure-endpoints-using-microsoft-intune) ##### [Configure endpoints using a local script](windows-defender-atp\configure-endpoints-script-windows-defender-advanced-threat-protection.md) From 390d696b42009bfca3f5594eb56d37e203d0b10d Mon Sep 17 00:00:00 2001 From: jcaparas Date: Mon, 13 Nov 2017 22:57:08 -0800 Subject: [PATCH 07/27] fix product name --- .../windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index ec8c9e2244..56df91f582 100644 --- a/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -106,7 +106,7 @@ Topic | Description [Windows Defender ATP service health](service-status-windows-defender-advanced-threat-protection.md) | Verify that the service health is running properly or if there are current issues. [Troubleshoot Windows Defender Advanced Threat Protection](troubleshoot-windows-defender-advanced-threat-protection.md) | This topic contains information to help IT Pros find workarounds for the known issues and troubleshoot issues in Windows Defender ATP. [Review events and errors on endpoints with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)| Review events and errors associated with event IDs to determine if further troubleshooting steps are required. -[Windows Defender compatibility](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender works in conjunction with Windows Defender ATP. +[Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md) | Learn about how Windows Defender Antivirus works in conjunction with Windows Defender ATP. ## Related topic [Windows Defender ATP helps detect sophisticated threats](https://www.microsoft.com/itshowcase/Article/Content/854/Windows-Defender-ATP-helps-detect-sophisticated-threats) From 289e3c6fadf04a8b8d64a8dab7b478338b0ac819 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 14 Nov 2017 12:42:56 -0800 Subject: [PATCH 08/27] updates --- ...indows-defender-advanced-threat-protection.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 17f7fa36ee..761f4e11dc 100644 
--- a/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Windows Defender ATP data storage and privacy description: Learn about how Windows Defender ATP handles privacy and data that it collects. -keywords: Windows Defender ATP data storage and privacy, storage, privacy +keywords: Windows Defender ATP data storage and privacy, storage, privacy, licensing, geolocation, data retention, data search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy 
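Review bot: The added keywords line appears to end with a bare "data" after "data retention" (the search.product key that follows is a separate metadata line), which reads like a truncated entry. Suggest completing the term or dropping it so the list ends at "data retention".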
@@ -17,23 +17,19 @@ ms.date: 10/17/2017 **Applies to:** -- Windows 10 Enterprise -- Windows 10 Education -- Windows 10 Pro -- Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) This section covers some of the most frequently asked questions regarding privacy and data handling for Windows Defender ATP. > [!NOTE] -> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. +> This document explains the data storage and privacy details related to Windows Defender ATP. For more information related to Windows Defender ATP and other products and services like Windows Defender Antivirus and Windows 10, see [Microsoft Privacy Statement](https://go.microsoft.com/fwlink/?linkid=827576). See also [Windows 10 privacy FAQ](https://go.microsoft.com/fwlink/?linkid=827577) for more information. ## What data does Windows Defender ATP collect? Microsoft will collect and store information from your configured endpoints in a database specific to the service for administration, tracking, and reporting purposes. -Information collected includes code file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as GUIDs, names, and the operating system version). +Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). 
Microsoft stores this data securely in Microsoft Azure and maintains it in accordance with Microsoft privacy practices and [Microsoft Trust Center policies](https://go.microsoft.com/fwlink/?linkid=827578). @@ -42,11 +38,11 @@ Microsoft uses this data to: - Generate alerts if a possible attack was detected - Provide your security operations with a view into machines, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network. -Microsoft does not mine your data for advertising or for any other purpose other than providing you the service. +Microsoft does not use your data for advertising or for any other purpose other than providing you the service. ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. 
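Review bot: In the added geolocation sentence, "Microsoft will not under any circumstance, transfer the data" has a stray comma that separates "will not" from "transfer". Suggest "Microsoft will not, under any circumstances, transfer the data from the specified geolocation into another geolocation." The other added line in this hunk keeps "for any other purpose other than", which could be tightened to "for any purpose other than" while the sentence is being touched.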
@@ -69,7 +65,7 @@ No. Customer data is isolated from other customers and is not shared. However, i You can choose the data retention policy for your data. This determines how long Window Defender ATP will store your data. There’s a flexibility of choosing in the range of 1 month to six months to meet your company’s regulatory compliance needs. **At contract termination or expiration**
-Your data will be kept for a period of at least 90 days, during which it will be available to you. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. +Your data will be kept and will be available to you while the licence is under grace period or suspended mode. At the end of this period, that data will be erased from Microsoft’s systems to make it unrecoverable, no later than 180 days from contract termination or expiration. ## Can Microsoft help us maintain regulatory compliance? From 79360b257dabaa55fa2a2b6e1325ce9f93bf7b19 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Tue, 14 Nov 2017 20:51:39 +0000 Subject: [PATCH 09/27] Merged PR 4480: Added activation detail to VDA topic Added activation detail to VDA topic --- windows/deployment/vda-subscription-activation.md | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md index fc38a3df22..25d0f04961 100644 --- a/windows/deployment/vda-subscription-activation.md +++ b/windows/deployment/vda-subscription-activation.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library ms.pagetype: mdt -ms.date: 09/05/2017 +ms.date: 11/14/2017 author: greg-lindsay --- 
@@ -25,7 +25,15 @@ Deployment instructions are provided for the following scenarios: - VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later. - VMs must be Active Directory-joined or Azure Active Directory-joined. - VMs must be generation 1. -- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx). +- VMs must hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH). + +## Activation + +The underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. + +Procedures in this topic provide a Windows 10 Pro Generic Volume License Key (GVLK). Activation with this key is accomplished using a Volume License KMS activation server provided by the QMTH. Alternatively, a KMS activation server on your corporate network can be used if you have configured a private connection, such as [ExpressRoute](https://azure.microsoft.com/services/expressroute/) or [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/). + +For examples of activation issues, see [Troubleshoot the user experience](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#troubleshoot-the-user-experience). ## Active Directory-joined VMs From 449f2e1b61fe4b625af1b122ddd182007ec38f91 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 15 Nov 2017 00:14:48 +0000 Subject: [PATCH 10/27] Merged PR 4525: Device update management article - updated link Server Sync Web Service --- windows/client-management/mdm/device-update-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 68de7f9bb2..f5b94518b9 100644 --- a/windows/client-management/mdm/device-update-management.md 
+++ b/windows/client-management/mdm/device-update-management.md @@ -54,7 +54,7 @@ This section describes how this is done. The following diagram shows the server- MSDN provides much information about the Server-Server sync protocol. In particular: - It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development. -- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://sws.update.microsoft.com/ServerSyncWebService/serversyncwebservice.asmx. +- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although it’s even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx. Some important highlights: From 5540fcbe7fa5df06d2a2bd0f037ae61c6ea94db3 Mon Sep 17 00:00:00 2001 From: nirb-ms Date: Tue, 14 Nov 2017 18:00:05 -0800 Subject: [PATCH 11/27] Added a reference to Windows Server 2016 --- windows/deployment/update/device-health-get-started.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 7c8f74f2cc..5f985c13da 100644 
--- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -22,7 +22,7 @@ Steps are provided in sections that follow the recommended setup process: ## Device Health prerequisites Device Health has the following requirements: -1. Device Health is currently only compatible with Windows 10 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). +1. Device Health is currently only compatible with Windows 10 and Windows Server 2016 devices. The solution is intended to be used with desktop devices (Windows 10 workstations and laptops). 2. The solution requires that at least the [enhanced level of telemetry](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#basic-level) is enabled on all devices that are intended to be displayed in the solution. To learn more about Windows telemetry, see [Configure Windows telemetry in your organization](/windows/configuration/configure-windows-telemetry-in-your-organization). 3. The telemetry of your organization’s Windows devices must be successfully transmitted to Microsoft. Microsoft has specified [endpoints for each of the telemetry services](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization#endpoints), which must be whitelisted by your organization so the data can be transmitted. The following table is taken from the article on telemetry endpoints and summarizes the use of each endpoint: @@ -178,4 +178,4 @@ As in the other example, if this is successful, `TcpTestSucceeded` should return ## Related topics [Use Device Health to monitor frequency and causes of device crashes](device-health-using.md)
-For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) \ No newline at end of file +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) From cc1f9a01522eca8e0b022a916c3bcfe915166556 Mon Sep 17 00:00:00 2001 From: nirb-ms Date: Tue, 14 Nov 2017 18:01:45 -0800 Subject: [PATCH 12/27] Added a reference to Windows Server 2016 --- windows/deployment/update/device-health-monitor.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/device-health-monitor.md b/windows/deployment/update/device-health-monitor.md index 9833ec58dc..551585a40a 100644 --- a/windows/deployment/update/device-health-monitor.md +++ b/windows/deployment/update/device-health-monitor.md @@ -44,6 +44,7 @@ Use of Windows Analytics Device Health requires one of the following licenses: - Windows 10 Enterprise E3 or E5 per-device or per-user subscription (including Microsoft 365 F1, E3, or E5) - Windows 10 Education A3 or A5 (including Microsoft 365 Education A3 or A5) - Windows VDA E3 or E5 per-device or per-user subscription +- Windows Server 2016 and on You don't have to install Windows 10 Enterprise on a per-device basis--you just need enough of the above licenses for the number of devices using Device Health. 
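Review bot: The added bullet "Windows Server 2016 and on" sits in a list introduced as "requires one of the following licenses", but it names an operating system version rather than a license, and "and on" is vague as a version range. Suggest stating which license covers server devices, or moving the server statement out of the license list, and writing "or later".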
@@ -77,4 +78,4 @@ These steps are illustrated in following diagram: [Use Device Health to monitor frequency and causes of device crashes](device-health-using.md) -For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) \ No newline at end of file +For the latest information on Windows Analytics, including new features and usage tips, see the [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics) From 25d8e138a802f1ae9859842b92ae8114a52b58a6 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 15 Nov 2017 17:49:12 +0000 Subject: [PATCH 13/27] Merged PR 4524: Add wired authentication to Surface Hub --- devices/surface-hub/TOC.md | 1 + .../surface-hub/change-history-surface-hub.md | 7 +++ .../enable-8021x-wired-authentication.md | 61 +++++++++++++++++++ ...anage-settings-with-mdm-for-surface-hub.md | 2 + devices/surface-hub/manage-surface-hub.md | 1 + ...repare-your-environment-for-surface-hub.md | 2 +- 6 files changed, 73 insertions(+), 1 deletion(-) create mode 100644 devices/surface-hub/enable-8021x-wired-authentication.md diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 82f4db6262..69c603b84d 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -37,6 +37,7 @@ ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) ### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) +### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) ### [Using a room control system](use-room-control-system-with-surface-hub.md) ## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) 
diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index 6643499b80..4f7d71f0d7 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md @@ -16,6 +16,13 @@ ms.localizationpriority: medium This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md). +## November 2017 + +New or changed topic | Description +--- | --- +[Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | New +[Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Added settings for 802.1x wired authentication. + ## October 2017 New or changed topic | Description | diff --git a/devices/surface-hub/enable-8021x-wired-authentication.md b/devices/surface-hub/enable-8021x-wired-authentication.md new file mode 100644 index 0000000000..c7a55bf866 --- /dev/null +++ b/devices/surface-hub/enable-8021x-wired-authentication.md 
@@ -0,0 +1,61 @@ +--- +title: Enable 802.1x wired authentication +description: 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. +ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library +ms.pagetype: surfacehub +author: jdeckerms +ms.author: jdecker +ms.date: 11/14/2017 +ms.localizationpriority: medium +--- + +# Enable 802.1x wired authentication + +The [November 14, 2017 update to Windows 10](https://support.microsoft.com/help/4048954/windows-10-update-kb4048954) (build 15063.726) enables 802.1x wired authentication MDM policies on Surface Hub devices. The feature allows organizations to enforce standardized wired network authentication using the [IEEE 802.1x authentication protocol](http://www.ieee802.org/1/pages/802.1x-2010.html). This is already available for wireless authentication using WLAN profiles via MDM. This topic explains how to configure a Surface Hub for use with wired authentication. + +Enforcement and enablement of 802.1x wired authentication on Surface Hub can be done through MDM [OMA-URI definition](https://docs.microsoft.com/intune-classic/deploy-use/windows-10-policy-settings-in-microsoft-intune#oma-uri-settings). + +The primary configuration to set is the **LanProfile** policy. Depending on the authentication method selected, other policies may be required, either the **EapUserData** policy or through MDM policies for adding user or machine certificates (such as [ClientCertificateInstall](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp) for user/device certificates or [RootCATrustedCertificates](https://docs.microsoft.com/windows/client-management/mdm/rootcacertificates-csp) for device certificates). + +## LanProfile policy element + +To configure Surface Hub to use one of the supported 802.1x authentication methods, utilize the following OMA-URI. + +``` +./Vendor/MSFT/SurfaceHub/Dot3/LanProfile +``` + +This OMA-URI node takes a text string of XML as a parameter. 
The XML provided as a parameter should conform to the [Wired LAN Profile Schema](https://msdn.microsoft.com/library/cc233002.aspx) including elements from the [802.1X schema](https://msdn.microsoft.com/library/cc233003.aspx). + +In most instances, an administrator or user can export the LanProfile XML from an existing PC that is already configured on the network for 802.1X using this following NETSH command. + +``` +netsh lan export profile folder=. +``` + +Running this command will give the following output and place a file titled **Ethernet.xml** in the current directory. + +``` +Interface: Ethernet +Profile File Name: .\Ethernet.xml +1 profile(s) were exported successfully. +``` + +## EapUserData policy element + +If your selected authentication method requires a username and password as opposed to a certificate, you can use the **EapUserData** element to specify credentials for the device to use to authenticate to the network. + +``` +./Vendor/MSFT/SurfaceHub/Dot3/EapUserData +``` + +This OMA-URI node takes a text string of XML as a parameter. The XML provided as a parameter should conform to the [PEAP MS-CHAPv2 User Properties example](https://msdn.microsoft.com/library/windows/desktop/bb891979). In the example, you will need to replace all instances of *test* and *ias-domain* with your information. + + + +## Adding certificates + +If your selected authentication method is certificate-based, you will will need to [create a provisioning package](provisioning-packages-for-surface-hub.md), [utilize MDM](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp), or import a certificate from settings (**Settings** > **Update and Security** > **Certificates**) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX cannot have multiple certificates). + 
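Review bot: In the EapUserData section of the new topic, admins are told to put a username and password into an XML string pushed through the OMA-URI, but there is no guidance on which account to use or how that payload should be handled, and the XML itself is only reachable through the external link. Suggest including a short sample inline with the *test* and *ias-domain* placeholders marked, and recommending a dedicated low-privilege network account, or the certificate-based path where the deployment allows it. The LanProfile section refers to "one of the supported 802.1x authentication methods" without listing them, so name the supported methods in this topic. Minor: "you will will need" and "using this following NETSH command" need fixing, and the IEEE link is plain http.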
diff --git a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md index 12a1d052f8..a1a99dd250 100644 --- a/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md +++ b/devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md @@ -87,6 +87,8 @@ For more information, see [SurfaceHub configuration service provider](https://ms | Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | | Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes
| Yes.
[Use a custom setting.](#example-sccm) | Yes | \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. +| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | +| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes
[Use a custom policy.](#example-intune) | Yes.
[Use a custom setting.](#example-sccm) | Yes | ### Supported Windows 10 settings diff --git a/devices/surface-hub/manage-surface-hub.md b/devices/surface-hub/manage-surface-hub.md index bd66726afe..ec0bfbb284 100644 --- a/devices/surface-hub/manage-surface-hub.md +++ b/devices/surface-hub/manage-surface-hub.md @@ -38,6 +38,7 @@ Learn about managing and updating Surface Hub. | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.| | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.| | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. | + [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.| ## Related topics diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index d5fdb07a74..613ec77311 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md 
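Review bot: In manage-settings-with-mdm-for-surface-hub.md the two new rows (`Dot3/LanProfile` and `Dot3/EapUserData`) are added after the "\*Settings supported with SyncML can also be configured..." footnote rather than with the other table rows, so they are detached from the table and the footnote ends up in the middle of the settings list. Move both rows up to follow the `Properties/DoNotShowMyMeetingsAndFiles` row. The Intune column in the new rows links to `#example-intune` with "Use a custom policy" while the neighbouring rows show a bare "Yes"; confirm that difference is intended.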
@@ -29,7 +29,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT | Skype for Business (Lync Server 2013 or later, or Skype for Business Online) | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.

If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. | | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. | | Microsoft Operations Managmement Suite (OMS) | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. | -| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.


**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.
**Note:** Surface Hub supports 802.1X using PEAP-MSCHAPv2. We currently do not support additional EAP methods such as 802.1X using PEAP-TLS or PEAP-EAP-TLS.

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | +| Network and Internet access | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.


**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.
**Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).

**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.

**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. | Additionally, note that Surface Hub requires the following open ports: - HTTPS: 443 From badd69bcd45e1475fa50c1a188355a841d53834a Mon Sep 17 00:00:00 2001 From: Nicholas Brower Date: Wed, 15 Nov 2017 17:49:37 +0000 Subject: [PATCH 14/27] Merged PR 4513: RemoteWipe CSP updated with new 1709 node: doWipePersisUserData; image + ddf RemoteWipe CSP updated with new 1709 node: doWipePersisUserData; image + ddf (text added via external contribution) --- .../provisioning-csp-remotewipe-dmandcp.png | Bin 6785 -> 22533 bytes .../mdm/remotewipe-ddf-file.md | 23 ++++++++++++++++++ 2 files changed, 23 insertions(+) 
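Review bot: In prepare-your-environment-for-surface-hub.md the replaced note removes the only statement of which EAP methods Surface Hub supports (PEAP-MSCHAPv2, with PEAP-TLS and PEAP-EAP-TLS called out as unsupported) and substitutes a link to the new topic, which does not list supported methods either. If support changed with this update, say what is supported now; if it did not, keep the limitation next to the link. The carried-over sentence "the authentication certification is installed on Surface Hub" should read "authentication certificate".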
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png index 2fc6da33fcceb32d083ecde96781ca81c8710235..fdbeb278abe4ce801f674ee5c5fe60c3081f193e 100644 GIT binary patch literal 22533 zcmag_b8s$Q^eqaeq z!M2pw?swm6N3pj>i2z`8O`QWcX=q;Q_%*zANn zY-FIlJ6=NdxB-(r7hXCnP_J)ZVC^90jZFC+tR)MLm`BtcOt>(SYGeK}H!V!G)X?06 zWHAMrrmPz3BQvsbGOv>sk!FYzqC7fo@b{9tg+_Lvkg4 z^f&b2uqaG6#d*~RUWykkN7&8mu>8*7_O_UY{IlHA=iU8wN39eecewNqYf+f5$@rck zW$JVYpq+UUoNxN6_isy*CuI_jn*E z;YxynvmQzd_3l&Rdz6~_R7bwTnM3J^!**npKkHj%vmcDB9zciW&)50R2r+Da3hQ7@ zvK|0I2#sevPo#6t0>*@t@pfjQirwg!gzrV>jiF|+Y8k^fn`ca~kunmz2Q6@D0VcP^of*U z%3H;9`@w;7;MJ*63ORH|RP2I@#nwZQ)wg1W?ONkt3& zR!Cv)(h1=@O*c=smCc%AiZ1KclVs%D<`+k-nF_X&Rvm^aJRmY_=T9#Z&s&4wfeV3k zb2*u$C~de&HhiiBtJf&pPqkNpY{bPAxje**Q*!O1w;sv){cU2x*I#@229~bSNqwcH z>rY|PUmqWKjvLg(>mcIuRlO|}obJW-WiR$ff0iOhffBhmyoV7iO`XVAdXI}%gPoqS z=9t9jzD&UZ1oVxf4&0LT`+ALv6bb(0;la_0pl`VU4c3FDLKC)-8e9Sm@;J_AFf?*; z|5UE(i<8H`5!=6d_zoBQEsG}!#Ed0Xw;%6F4gpJ=;;eN|9%r9j^^c7+VrX86UVJKAQ(@SED8M6Ze;L*oqYW3F2dl&KZAtRCiZ2Ff z34>aeFqAgKf+620muY$-ehH7BS6L%EK68d{64b0N#d_#@95$oC_W&z3MEe;g_PdV) zM8-+#8r=g^J$5B}%l3VS&@T9wIoQvB_(gDY&?7OyEHVg65 zA*}8G_fmHwKIAn$Un+oY0o_KX-u$sgFUyU^WjzK_z8>Ct73sH4%Y?SWcPMU!0>4hj z>ryd=+%G6cm+k19?eFzS9z3=RThA|rvbxF=oasw{ zxQkw2xqON$$@AJbHakPPO?J%A?};q7@7s}{$C^7b(A6U`#lKnj>_LFGN7%v?HBC@QD%bE5aTh|5( zb&btOa5ikHj-GzrDX|7sD|#n}L^Ni6EZf%ZVvk~-q1c~){8K!Lp<9?#DzMS055k+_ zNbBx?O}zWE^D@ju-M71p8b;52zo<(%(4tABA9;8mV>2rRrLj;;y3a{s z?QK#{QCGH}v82D&f1JS{=jaigKhOCtQGe&1aB+Mv=R*Sl@iWr}%Q_f9Dw`t(&VQB&hv18Ud24;r7*@r>0UKMyKdf*c}wmd99{6h_ULwHyQhtRS# zNv`Y0+|UmCmHxb-M%b%FSw}YBm)F7!Eya|&ng4K@5+S`cZ~IKs z`>W89xIqA(W;`f%J&#tm0{lmiqoaK2lho7FC~W&`P> z`p)tP!_g#1J^6-4@x1tmq#9i3$Fvdj;#io-;go{YZzyb;0mCpllHo*KLIZ4L6Vt%K zfOKl056HF9Dl<_MB`vW!MY_cBul-fm(7RG;bhdt>u+NKei>@%iKIIWrSQT0t^o3fW zot}ra+Q&mpuTI50RU16>$alMa3?LwVh?xmsAi;6JT5ur0WMD&BARv0s{+|ol5JB`n 
zK#g!v03aZ9Y@}u&pcxh-Yha*U6Tuabp9h?oqzR_tB>(9UwB)kL5bb>)11xlD*p2J_wWuGQ|mD^-v{U!aV^RUyT1>%Yvh7xa;7 zTFo(LkZGb%tG4;(+H&~Uk^X}?P96l!XE^2GQd?=$60VsLTfy{`Zn4vB(S7fi;6DJY zC&+cQ%gl)Ud2*imDumF0`l zr|UuvJ?~6kSUDh|8!aNkin6j(rAc!1hictx+o#Bup`7)F>xUzsV+>b-q44YSI=35~ zL1wD-HbJ$1 zz6bnDMXHgVE#-1F^Pvu6(y&ystY0y{mOKET1biXeK|Tj|IUAW2g`Aqy+7UPG4ubvY*DJf zTdAJ4jXVlP5K2$M3Mg6bmil7Na>1*j6Q92DAyXzC<;ZOqbqC4XGp{!G3lt#=`A|Di z_`C?Dcfs5L;GBRuL6oS-AJR#$?rA43!!$6=j&mu+vcjAYoiqKTN2VnN-UH1)q!ReP z65I=kL|)o4p6S82^m@V#p&gTkQI{Pe5>$}P?Wr6--9&vKs^zP45H&5FMUR6zj zwMh*X%^2#J$GeAt81--USTi}|FZa)L&=}4ODIQrv(K%?O@!Vr5r@iisf@ccf=jE#1 z;Yh~-yrDAHh>A1`TJrph&T9n9Z*7tQYu)CC*Kh0A=9ij->u!Y=vBhgCQltn=0$OTU zJQV!=wT?ZH)%eWHbW431yO&U$I-SBt4S-&mC`(zqZ?)X&(?JJ)i+b|z#TypUBZu#C zQIyztcSqORG~~9eEbqA`K^gT&bWntP@ZM*6#g8$WD);y@LUCZkOyn0o9lOJ5j$uT3 zxgZ1UW{DFz@s_79+l_6P3IAkh&BJfZa%jp}2BTH~rHV|CcMfq2n$7ycgs-%E=H{er68f2MN!WVL;f@ z7{VyfRNIakr$5g3DbufrhkI!7xR3QRj$oAII@f=EV6-K5ql29SPUwHjh0?Q$+K z`U|mpuBnt~TK>c6$zha+%-4Keg4LxSn$AaFcS8Wj5~1q2Gh4bB&vob9-G?g9xaD@* zz$3j?T2)LR)->S&e{)GzMfkwJ5p))|TM#a~#KenP9k27rn&WJOBw7qX#m%aK3#efz z+UCewex=f&yK@yNcb*WvOxnDcIRJ#J;fQ-{Iruh*myMM6TYht7OuDC!5WeR&=cXX}dW-iLNdi`s%@ zYg}ifh+xcE%8alvW5vH8(@gz?3M185f)Hh#D&;<~($T=M>pyPJB!_F{km`g3AAgOS zNJ(ldCg$Z1a}VCOdPv@>{q@tMu!o1upB?Z@o#d2`Br0VtXkQv97T%nUVKUJ!khmU- zH4h)?F)V}t0wP3BmM`+GGujFBH|?ZM+i|T!I=4cGC_5-&LB!Rr)Wq)amOo&WDOdt@ z16JbMwpUWJ);8U~<3}!?{t&PPWM_|am;6f5NI1asGMArdw$}{QcU~pmCOP}SG&ez1+KjI%vp0;~C930fwCyaU( zI;5wxG$XMZSZw4tk+@Z!ewslIE2})=d(^ehTTGMC{KS3?7D{GPo=f|!w<#uXoB~$c zEKU!LetEV}W<~o6!zUSDo!H|a9l{Gja(-yFZ!!tLTnhAhJQ)3A&yOSOhgibJ)&>vk z_FKPU$8Ob_6ej&PS%tsmB;1*NkUBEt`0VQk`~VO>{njH3pF97*Nib@V3b%d;hC~;d zEp~i(A2Vz}YZ$z*CD$0amuZ+fx~Rf9wsQ32WFlFAaLK$dfL`JP_nW@-SeYxWtoG9M zI<6v-lbV)V(Dt)T@yh`W**wLC1vN~ygQUBhrSNgl z2=xciWATByhmqoBHcnht$mlp`0!W%4V6%NfWNp#=N)jhYhfa(3?T~eTGoW1rgF|2t zHt4gnQy&8otwKhUCYL)ADCti;_t52{?d6txQ5{^7syj^7DJsT2*JBof;1dN=rBo! 
z>3%6i2;%{$UowcH%=<3B=_AkV`pfE&Oy%yTeC0L!{i;txv3i4sSXI9m$Q1=C^%3R zc>fY+{(;YsAUwwQZ-vKMD(j5?J&5UE_{+sNjUG(M_opoE4*a39KM!eI4_@iSk~ zIkqdG1})+DN_V&5xuC1Y`!p z+?Q^=#Q1W)4w9e+^7doJS5#CY%0KoQ*!1P?X#~!fy>e*0aL9>_Iurgq|2pegvwi-Z z3obzB$l2t2?Z0twy7^>MEZatU)xbSszPU&*T@f`d*O0vV4$44?+c@57GR^pl+TP|o zBee{YQGq@VY8SCUW~ZC#VzSEO8B_E-@#VKELnfpU!_vIS&9OSU?q@u1l7XYb@q&~U zfQ7s;sQbXolAA5Qva$|Cj_-J~SS^Ju4?0*GxaZ;YC{{XEZ`mOKT)J2Lyga*j$tfuS zRW8WZhfcdNOTtkL<}C!1+Jv4a_)SuMK~s!m#sSNl7vl{3W}s5?0Nwc1ujr&}fg9Y9 z5j0i$(79x)NVZ z;o>kZ-&(2{eE&{p=y!xw_l`B^Q%uEe8!xiXSJ9gKLr_kQtX*9H@-QUC#d&l`6Z>Uf zz{w+}9h~HHHuO<$^Wrc6?kdIvsw&>mWvgz!@u>|aFGF`bkTunPvt@KJNU#0gde$Wu z1gFfuR{V(&!*r=HQfV7rsS@Tsy43Ni)N{Dfo0X7C2WfI7WTs6LOj;Zv-{Oq zpHApBw%<{iMZk7$J61`H9vmCsc{5c=V;z%*ynZA~|7dz%?Dsk1&xm49<|@s|j?#qn zGmy`1{vQTZp%P#C;pOd60aqynZ%&TX%uSwDD7KLMvG)!Mlq>T8&w>7jG@W*W63L@~ zQ>nwu{Om`2mq%dj!3EH{^CyLd70uPfbxi~Ty=y9KQDU4-N2$60bK!?(U4p;;AEfI4 zp0H5&E{PqzGkL20W8j+f620(X87{q$k$ zG19wy$s0BwNw~Wj6H-hBvT9U%?d666DJK%!^mu^$)Qz<0qB>)Q$pSj*t?^ee$Ak0( zqf{T&`{8?$m)|L}4)tU2)EowgpYvyLz?w8!QYYnekxWk{U>%ueSp#fKCj=3tr^pdX zYQh*o{g$M5zn0qhjeB1`#HGboqfEkix^8leCR%m=-GTom z1Jp|i+`p6}oF`pntG0r(Vi9j0m`mZ)6sqM%0UfugbFz^r&P*n``E1}+_9BwJL0uu$ zn(lexes+c${JeQ#8ZY1sxQdV0e=5?Mz2fr)vIzk+S)%`WDQZvNtW*}7Ww53@Du`My zFRK`{?xxl7zT+d3oiLL{%)&OG?Mji;@J^>z%Jy#I#jU1xm>5=o*IHT32jt#A2u8bz z3|vxR|6_x4GBCK(C?vMwZt3%g@nLO@DQEn(oa;w72?@q@a12{B64pI##Cepgk1=9m zJvEVL`=y>7xPJ-x{)A_dT*z=c9qMY<7Om~GN71*nm+;qUXvhFTlhU|m>P zC+H@Tef|ps*?bV5gv(Kr^q&G*XyzxzTXpO-iwVf22UIKQ#388|l3kqU>ErUf*A=I! 
zTKT_+7deaRx<6BjE@K(U!ukogdxw56x9w)w%C7%8wlh0ERCmrVW{NWUJ<(V{^9;r2 zT3y;rrX)-zzRY~pH*71b<7>S3CX=Cg#M-%vCTEC?;eEWC4LeP*aw^eYo77<|zv1XI zb_e+GY#nIwm(OiMzJCt71ysxFX4}^`UhQQU_K=OG8$TCcN^VSPU;xjMH1n5RjaOEwC?9Q=m zE>=!WL#&n#pGBL}Vkc$iHrl$p_%h^~son-7u_7ifevIesh|eqSt!)u;hpgsTq|9C` z-~nxcPtaI_2h5v~L>aapHFNT$Jbx(P(iT;GHeJ*HF8R%+=R&?Itb+QzoI(g+9K0wo za~7>zBVBPWVgXoRl;Vs!Na6YzZzZR3VAO~X*T#V)%$cE$uK^ ztvTawsO_}<03V$V@0L^As1CEU@|aCb?XQ~kuNn~3=!bV(i)VcuJ?v-`3l>YmXZ_uZ zK1NCVZlS+N18|RTj3-~~RNrYLpBjqfoHW6)lIr9tCr>x}+*Ae}sJ0s*y_7)NWIoFE z0dp1bj_C5E(=@AYRcsPO<#cv7ie(34hr>8QFyP{JXuNId&9n)OqT59K_h|i{cmFDv zXk0=fXv>gcB2>z+ZV%7Yam9;N?Zp_62j9g7cLxAFc~gG*A@ zUXP!r5_;Rl_0UQZMh1>&XVc|*c;WKGv0a1_EfVWIQdg3v&XEX0)48fD81-$TQiJ)W zBTzX+{hQZET1w@y2xh-Qm|GW$vMRmcKMDE8n-Z6$JRLsUH`D8(J;JeGElY_I}c`omtSlVx$8#qCx?( z5-@_Q#J-Mn{R^(;kgW7gWhew$7WCU zC+8A4)i{q@a>G+b0hZ}7IJ5sKg;|*G)f`!O^(niU*JD||940V^%_?eKdmUY`N&D=6 zs3{@j&wN^P`}_a)oHQI=Gih4)4SoejgxYhl07nk)Q~l=Ex_213zk>4Z; zoJOge{>BjHMNeBE?sBC#jyF~1fd~v_U9=-6x!&32OYlw(&9?Mq2MZDG-(}VW$wd6# zIDVD%0Fm;hCeZ809KsJd;;?)^P3j_q3;K@%?9%?LLvRO5eY{_M4h_^3@x=k&8 zviGPfpb`pIL(bgXxA=N|Mojh3cv7=Ria`9!kO9>juJYdMikrtS(^{exkX@1uzyGV} z`MEs3!6Ybe8$x1>O8iJQ)U)z!%&ZWXvalk{({)ytxa)gt2ADI_cA!L z#UI^^Jr0GWc4+eU(!`F3ZG|qsHC$ zwkBgbGVkalS8Iy5ok|F`e6mLioec2l3-|Et7{d|lEKH7KHCzLJ62KuJ+GrTECd`T8 z#A2zcp{rt1kXVKY!pLD!`N`M?hmOZ$bPv1M^-u$tuy zD|>aCDQI&}I-dtvJ@af$cY|kkVW8m&mPH97A{AL5&SL=9kvdIeh6`L)7H~@SeaYyzjf?iA+(#+^K>D_d&!=y z(?PQeSa*~2ZaQ}&da=a&eaeu^u-;AMblD7O;N<5uHY1Q2CV^MiSZ~9-t&7qqvF_q` z(g)_8V}McM_#R^?V|ChZ&R|WU^wO_NwA%VAS9hS-sme!5wZBx299m9QsRL7emEBb3FwRT; zl+T0$6VNZ1i-lGMh0Kn_jaxdQry$Jyi@JJ11+2+>P4D$6I@b=dd zPYH9B#lFQp-mqT+q8bOYl}=niBIeLstdV>lcfMjS?moUhQ`;Fji!)ALm#*E)0Ev^q zUahmvBlOd)^R3}E)~9kjv##6e7g#L@*bTFP?PDBy5krnIi|yAUG-5jU$Cq&!SEcal zT&^!jG~B54*BJdn!$a|@c84KT8a?<)8^Zj%Z=cjewF#x`sqBLTKSNvA!^hWch9f@Gll8_Nz@>Ib7PlI&o&mf7M0gW z;hk&MM?%diqB9MVwYTY9=Npc4$-otJrliznw9yu9 zq&D%xDp_gn+0ZHvY6My}0=GGX4$oLs1^bN4LZx-EhCV%J+uHd;3VUSQOZmhYkHwjW 
zk_xqkI*l3@7V`q;V21t4bj=qCT+}JnE*1dL-Xl(DridR^I{71N%2deGA@f_Q!W>GI zAXjPB;ZNWZlw3+uwcR&TsN6ySY4V$b3#yu~sy7fLW^lB)2!{sVp19~9M%K44V}qU2 zD4na&9?fF_4p*4&QU2wCz5O|@6}SC2ocl_S-d!>DsGkP5o4Vgccj>(K$nvT6W4vhO zh_5CgzF~Cc>b*>6{x3u|C{yZai%rixbJf=S5h`ub{_s~djBao~yYnee=$?vf04 zbY%(_;@x;hjDQ8pf9 z0Sw^nF@>7=dYjU{5|<+BFjKo(u}xBlG9ool&VmTQJ6*Q2GjFB~9C1=(Wpi)Pq;$<_ z5NjD5tp*yWN5c8ECanD}&o>1xkdD)U`d_?mxvLM$~YprzG3g5=@*d|IpMk`*6 z(pX>aBzH6YkbS{noa^iG=;*IoJ`9b~SaP8avB-|or(6a^f0jYISky6AkPm%*Q)q}f6IBxapO zi@55ZpCwjT?=ima>FEH1QTk^CJgo0yV-gOba9`Lc1f2Na<~C^)&hy; zG7@(0Zymi7bSktZM4kZ@?*cBDJH^?|0}Ogydb1nNfPhw0Ij`QFGWlEMA@{fhVGs!Z zYH!a8$e)BTcW$B#g204+r)lKbQe#Qdw8U7cDomW;^f4^?9VV_GO_^laf%M^Jx`r}y z{Pb}o+L)P{DoZ#NHC?jn3`W68)rYI`x1daGswP$JD0(_=Sm7n0;0kz?$V5mFyM5*P zHW7r=EnyXx!MwVRjw?$BAyVCrf7$IKfV|-2#y&%p1Z6zYu?(v_cc&<)IzD2tg)FYi zT}C=smP*hE5GVOJnoCjgm4vOb6pf`@Fn1wSu`K9jvmDSe?PKzKudlVgR^8*Mu+cG5 z$h+;w@P6SYa5#rZsLgKkaN^>Nha)S!?Y8IgxPJVT*7ie?jBn;Q{hP{9V$@l1HiQ1# z*gmQ!IY|5D1u-I`AtuasCSYlR1tHp@=>cznajTEg`M&IUyFGKDf$#Do9|HbvnHdrP zJJ8haI$vh{&w2+u9@oe?r_s{W_~kG{#JM;Rz{jl(E1pCCp_!1+)yU5?Mkp`uh@eix za+ZWjBxBVzBBM;~Ow`39ZnTnJA9)&|PS{r3@z1{c@fM%l;_=hu8EWS#zn8uJZ10wn zx>&0Od_=gRmd977Vm?3OVUE^?#W9EZ4v|~VjhLsMIm;k>nnRqA9x`&^AGap9mYm0X z53-iS#83;n$t^{bxrn(qZ|E(!pZWmzq?=_sb%hMp5Gjr?*T)&w;Tm)95N%r< zf}V;)QI)Zx!VIZ(jJd^uuiuY9cJgt$>cj1}#PoKmQp1aKR>sH5eR#7f zJm=j9xxzLz@9rr+BWFR*=$(y(OmWFM_Zw%M-^&c?0gQj_KSvRttM#R2y*k$%w$cT5 zA`+B0xE)6Md!#yc0W_U%RE?L((UsV7p=ozJQ~NT|F)Sz?nVS61bUJnOxO0PFTMCqM zS+l6s8x1oBgo?x6$pJlM^r5az7?+y0Y?cFrH#J`5th?ueu#ZXE1N%A44Q$foXHeE6 zyf~pZ5XC_uM=WxC@c((2Mk3|3G}*(Gn_`)&IH*P)LG>3O_Nb5Zb6%7gqc2XqKf^HR zKe%_R~#tRn5S0>SUlcFz586Dl!{rU=h!fR=e=SXO(~U0 zRL(kXxH~rnD1~^}D=wGwKPc}<|CZ34{POBedFP?q0wy!N0hb(^iV`rf;Ml*DZ>Uhu z*}tLB%WcES`}8D-)p?2oF~Lt%c0li2{r|W`RoQ3A$7`qzzFJDV9W++EY|k2w0INDZ ziw`bj={LmH$L6h=_q1M#t$dhoNUd?zsoZ z@ASCV)qHo#xc$yg$Lcq4yZ%`dDU&9f&!GOoa}Zi5xBuI2uK$jsb8tKw%NrX7t8VUw zkkh1k#?fgYH8S4bhIJlw)NSSTs=z#~hYi-0OBEXKGU8eyXzF1tV?kT>j13F?#=P2} 
z@XMEKBw9Q0e-hgBoHPo5DzA#;7m5lKJ5{m{*qOLCkT^?tB)&d6{0}evM5*Ot>H>l) zBx-bUIo;UgR8DMezyQg54$?StSAqZ7PZiklmDPQA%YB~;!xj`kf*zL>B5S<^;yhHB zkR7@M`eBEk4XybeRxv;?4tl)a_iaW-$H$-;ULFjavwSZW=sT`u)w6nPR*UcD0@~l% zmUU@&Nj5*`hU&Y(U9N=m(pBt$ej-h0<=I@g>Qsb39viffuIbdHq(>vGhUu!EE$>k^ zIIYo8ufO>$#W`i6Aujn`q@KFkqhHLIr}Zj#bsne(&?I$})i^7JdYq z!8UmISSIFi1KX14P@_dOhaS&5_rFla6_@9C#h#T^Y-30)z@ziWTc{zz*^kp$6g-sB z@#7<7!tSPdd)9xwTGd>g*iFVVY4wmV@Qeuf42@hNXGp)hS#3*iHd+t;ea#3m8r<%{ znAB{Ir;SY=q|>`fIW$B0h8y1k<&iU91^E~`y(fvV0i#??%1gK8dsWsv|uf~JV>b}GD+gc!pL z4Qcn(y2zuRQo7rVxhlfS8W-cNkoQ%Rg>LH8W4cq=`Tm8vYiEmq;@^6S{OsqSS52nf zi}Hzo>+ElV9lsi59P{r`C92~<+K1cHEm*Sk_;RKKA)cei_hx;!eubwvS?GQ8M%^V; z^OLs@dy*n+(NOU^H0Akz3los7G4?&vt5 zTBno5SDEiqC?(52#1kvoeo_9~dP#LsWDyzc`Pc5QYXADV@(;^VwL<_P8NQkG?Cr-B z*0cL^@6FA+He-F|_l)5z+zt*;8x`hRe+8dy2^Bl*jmOFMd4Ae->d2YCqSh4MCV_Pp zG%*zA**-oNyAjZY;|eSQ-`CpfOLf?8a}FS!92;mTJ#HqrZBl)YBLaF;5ZO=!C|Aqa z@>*N~msthI(Mm|Ss?pI$JyKX2pu)PSDCJZ9rMw^6%rYVjDcLd>T$!p3U#iqw6I2hE z##O+A?>p*M+Q9@qWz{B}1ML0gm>d}QvosQmO^-1Z#A$b=I9a}8+08IJ7{rkr4IQtNZmwY+eL!ybvaF0bCI3e2kbT;Nu_xiBN5%(xHAfipl(8SH z6aWXBbcTvRJf{wFd5Y|vp*CWKO4u2YfD@LHeNcF#4LGAJ>R|Q{ig4-SpeCjv z>(~U_8X{0%4u&R8BL9J0V$xo$_V}s57-lR-1v_zZQ{yr$oYeu2slO`%6ON^jO+;C= ztn+|{0lF?j|N8-2=t7i|7^9_E5 zr%lSOgO=yNJIThlri5Brdh*J2CYm{;o5*lj%7mV{--PujG)#`o8%sl_7T9@ z?i!_kM`xB5^~Gz>Q$cRJV^W05&-wqubPB$N^!7y(K+Ob)v@HP6igaZ|u>urPw3Gc5 zW`NZJrZ5utrAe7dCZ1?nzd8q+=-oH`^p-xcy(ZXw~KJ5myf4fm;RR2wG1m^5LO)sBjGjwwW??-hS{xs zoVRBcG96rl{{Xmx9i=E3_tRB7Mi=j%j{Dy68ICD zZ0_#^r)!b7XJI2jz)Hx4oI^-P^kMQ|={qEVKtRL29Kz$uc$fl%ZB*ZyEZ!w8;|=HX zt%OOUluV^;dkCP{8t>Tw-od?9P0`{g0fU$yfBe|wjKUruPI6;sE<~)lwG#DUtR>HaGcGT@xuy)1g>Y%S^^xN`}fZ)gQ#pzu@jw z>QAnBYEV*eN>3h#1^W)DxiUE=wbb;eyINhWcRJfm1t&b24Fk)(a3IEEt46;+vG*fx zhTTpDGNaIozK+z{cK0Jq@*C8ggC620OOlS?2>M5-DWvkQ#{>z>ts5Txz#g#8KBtiq z9b5@Nf(D`#TIn8Jqjw}o)t&OKw1+-ZW+Ab{@*Bk$%kp{N{ypZgenv$=;1#PD>m*65 znu!;>W~XJ4sZ|_y7!HLcSjgiS;Gj1z&KwTk$BLUUT5Q7-cyK{F`V(dw7A+| z>~ET?Si*HE)OI3h(isam`)kJ2CZA;nudy(+2T_9KjmE_7<_E(_(4+<>{ZvNL>=oxX 
zYRVg>fJYBC7MDZymmS*VWN$uvu~De4`NZ;Q#K1dmKQIQ zHz;1zi%78h6eT`U>$o_IE>S`J5W(9IzUlMeaPW*Q^Ca$^W^qk|QE60L8e$n<)#(h~ zF^$b2W|xxr766<)WfwY0rfR5dZNWl_R{cc_LnM#Avh;5 z{Bz_AM30Wkk9Er~%w!(F>PY`eN?a#nw$KD|bCY(iBH-nNhO*a35?8cQcRdy{ykdH+ z)LD3a1!|L-OOrd+5qK72jwj1IJ9AuE$+Ww7Jy0V;1Acp}>vPgX$~7e1TqWIPZOTHn zo@k!M_2WP6dq32}WSqIfBxm{PL$>25;9;1fiNBwPfeZqlQkY2(7X zE!S}n{Q;c7BeIxN+0mhvj)+eH6VP!4vi0Wd=LZtgkmbsJfi5m_%$}ZE1Z3f0wLD%M zPE@*lYPr{mdXdXu?aKP54h9ckOe`o4PbY>AQsJHjBhrXY!TKeGSblIv1imlehtv8fuGn4M&?70|8zU`7C)kd-<7Ks+laL4b=J|$Ws3# z0r)uB@uMcx9-Y#S{GqVUv+Tsi#C0E1QdVj0HaKVHW`Y4Q_vv%5GrqfL1``9>cvmG7sLS}|x09h3>dUGhJ*ZIq4&$lk#vzdswv77u&4o{U; zj|K9Hb{FNN?cINFmV5Zs2?v4>52GRx$Zhbhwlkd#4j$+|X!3chwrt+&MFixHgcawm z0o|{L60FI(tD5L*Ze!Jx;}50ZmWAJtKWW$TVral{ggbr}6{H_!__fp@ulDWC@#N^@ z$6vY}jloqZjlZ+a+Ti))wAY67i8ubSo^||dV*Ma0C0Uy4Gxu2gVtxvJwsVTeIvwzD z9rbk-KKe{bN4_pi(|maKi-rJtX?&u;;(5fXKY$f3%4DuQpLUBSm&&-ip2j)>#qBxK zaMl)+xm&IiIlotcyFQ)wd<7>4%lh`9Q0_N7*{T?f6>fBJ-hRY{Wj6tL8QhM>2F;0# zIP+{#{nTeyI!xT@1;os8OyPhXPYb-A1w7C+bZ?uPX8rZ>F75HQ6gX(3>fg*I;kgZ; zu-LJmx7t^B>b12Fr!u<)z*8#`^QKGzUgGUG6WFu@#J${Evv&TXKj>P(ibD-xvfdQH4r-?2OGb6`sf4LKKGg z`Zz}onomNi@l~sLdm|h8r}M9>D8To8<%~Q7WBOD(KFwz-)}4PK%v+Bd(X}TJ$Ua zcPLBA?``CbohyEO*cvW{$CDWHYMkBuyP!RoNo|im+(IV>!h3#lW+b`y^0q$2`t3s@{JY>?NI)R;BvZcZbOi|J%?`h*$EH`c6; zM-cqs=7DgV#;^J`V!utuu=FzoT$kw^|CxdP5J4{^u0Zsjs?LY=@PCvoXL9}h8+1fr zx#L3*nePDha;d?|>-^`jb|2Y$JH(Ajd0u>)b~fubZZ=f^hR0k^PRv|tNp)?-{ommX zI`@4z@yh}z;&M1Ul~ODZvdk;Ek0(QdigWu$`1cHjm`mN9Y>(&5Sx$#}rXqi*VSXfn zmxB=kC!L@kI&Dvuvy4xUkvpxz+3yVRubsTgAqxJS?TroR=Z`*(r&8etwhAwAi~{rMZg7s}9b=dm$#P_RrOufrb7{bF6$&8r7#a_J^L)!p@|oH+zRUY@vX+3Wp0tA_MqM#ZlG-H_-5G^?8@UGIL~ z{Keq*`b5uC4Ei`4DQuvl4}OIM!WJ9Rr)GnFerU9h+xnna|B3{ZnCPCrJHo%OFIryS zCyv$Fm%H7QO`GREv$yp>q22+Ig<5L!|LfxUf2zj*Yx|k^=r~|J949{+&=&*@{!#(i zVDESa&XS~r2mI9gQh6PBwfZrlhl}RVpPGaGFD?G356IKM`~PSY%4)Q$DE;X*Q7?Vb z%peE(MwUQWoLU3W}Lu2 zu#Xq((WeyZL-g0S$EwR_pwQN)!&h|r>z7QK1?4Q=xtBRm8{6=zn)|&=X!E^}A`94K_6fheLC>)I5k2lF*UbVlKm%|7INO4noK!sG)T&3nq{tPjcuDAT* 
zf{s~tseqgG&;8o~=*PRv^!BDNo!am2xnX#Q{$FA}_4ob?X^syl!8AbcONrylSAttT zcyUAbJ5n^E=9q9%La&{%0c;a+JhdpBpZ{=-N}ob1pVn9}lI+b4=u<}F(WUwJxZqFuOt{o|T^>z{<_i0uNci30vv%WMcGH(e&zh1=)7|Mw?A152 zx_+L+X>#tX&oMeZ?K`tJ5M_>#zt>mi&&+JU%WSN!Zk1ji)AAnmsqPKtkdu9Pj+3Gh z`5_pb>!7-QBch<4$TIq6x3}8@1}4{?yj@7WDqiQfyc(1sL&a##_ZIXgiFl>POH0i&z(Mp zPPN)FmDG7X@K=Y5ROIpZH2?QXJN@y3Slm>N+~=lzqNgmN)7?GSTu}7l^H1w(*&3f! zZ+>7BEG9idJlSM=ZOP}Jl(fg}e4}MGnDVF$%lz?Fc0v@qF0X^pTCu~vJYP&UloZlnKlNa_Q`x^t^E_BBn6mB*5?$3bCt@5-=I^;9NBT8=Y*i8 zkWbxT*dBs1QJ4eX&esFIy+;%>JXnv_aBNvb%CSju!}SE4U44%)Dup-Lj)XF1zOK!+ z!$T9*84H5n@qfU`LoW8jY%R*way(G~3s2|~@lBB`W-(y_M9Mjb;UuE=*t3BKQR{$^;&*`XJvTe(tVZ&B$Kd^aTZ=@&$72Q6# zHnDZ}>N)Yz(PNf>H_*6c$LSQ6O7iEK`xAfOGkEZzMVoj0wQmx-SN&`Bp1Nk++9`u3 zPo6u>|NL)PUhelH^;x#?$zNxyAV_>_o2p9}UwfZOLQQ&pm8zj~Yk|nivx7Z#F!oda z{AJ0YF=MuUKlSPH>u?~I3Y-7DkT!k$&Ow6*FWvIXuRngJE~q^8)8emB-Cs9r>Yx$h zcOH4{!Q1`&JvheNx_DzY@4Kynp!3)7jU3r$=b?v6xVCv_OSNB5H=5*Wa;|63m_fbz z4Vf`5$m;F;?6-KD<{jwBGZwR2w&ge?GQuP!C=D5T0bbL6}4zWe@ooleWK zHGk*9`Smq?13gc|%Ugp<#MLsXyMvW3nr_2wZW6aP#sxbgTs`+C6$q;9RH{+|&(_bw z5H0jJy80~50h^_#Id~D)dZ?A~%&mOUpSuqY?Gp}BO~>@cpS^mowkk_3j*JTIV8d5} zjk%@@hBvp+^mZu~WkP|2r;ENi^-NCseUr%G=gm2$u0cX_I(*Q#TX^%OQ#^U?(@OS) zMS~g-oh*TPC;q&=aC|geYU;te#B=|1^9+if{Zn)M#}ysWV=yGy&pHofHI*_Qh7p>2 zJrK44puLMnel-ahEN(3;LDbk=StcJmpin^+8c`-|YBwDYkEdaA^`cjXJdnr~s;=LI zJapq}u~>F;c@GT4BoJHpA8C964sQ_bYI5k0KQ~`hdfQvUL220Bd6^HBpWZudwqU6f z87=l^7%Y=OXntkUOfzfOri|=oP1sf*SLkJjZ1NZy7bh(|S91IJYCZ2TGk*uh#j{5) z@5^8fKz7@PNG9%kuH>Zsvt2J~TND^y4JsI!Z?N$pLM|I*&K-lUS z7K^13KgJwL4E%rpF);D+{V2=Moy=Zw;NT9_&ixz4XJudKOBJErdspNoKB%e}^7(fT zuesjX3K!QibTriC{e9wwP#|c@*t_DVOPb5Lc!fcdtgBBl`F!{cFZ<@9DP_kzLp>SCF=^SeT9xPv9qVub>~HqSmabNjik`nju1yd8;b zYHdx}zyGvQDCFk;J$?Qmbv84mZ}j@mN!e9Ap@5%yYRN@u+^k+mjgsct{VNOZs-HJF z`bFaC`con~`{r)s8;rL$r9x2Y|GLd6spXUG-Fw^A@P+NGTVjz=C=$bAUn&s^MI!h= z08#x0wB+CYE3=3%{GR2dICO!mtJo;N$%dh7 zehl-+|q@Q?nf%oq8|GUbP+F{<{0Dy$3e5Mu%BC+Pja~DLH%O2NTT+ zh&^~l-1(E-z;GY<%{>Q1WmG@uwSKnx%VIcoFso;vyQ7`g7Qx1?)4Qt6KT|z8*wHbl 
zPpd$>`l|>>-|kPFg^)wPN0*oU6%}IZXd66j`}Y^0#=XPt+F%8Uj&UrFHv~a*{;qya z_aJfMC>!qWykE*RTAm zvFtSm3ya=yj5$~VqO$_Et(Rc27(5Pxevx~p@$KdkBSF)Nwdq zKQG*N1vm%3nkFC4gZ~HrAfyZyNka9_`;(eAF$+$^q5s(_O?k~5-}>*M{bgUdng()= z(PU~el#jBS;a}vR`_*et7YOxq2fH#fCy)!m#gLB_c{lPdRNU)TqBHjVZZS0__wNS>mOG`GUZDbG&Er?i#3a|W5#;0-1JC#1lh$* zK3p@zBfx{x--QVWf&u{q*Mq`6m=B(|@RgWuLB{gD20n*DE^R6ht5_`B zKo{Eihjn#I!lEH|x;%bfivnV@H^v%SS?G*%W5swFL|al)%XtDhWa?nNq6ep&B_l4B z6Q~O%7YpI4hP}0}IZm2TD1@tSEG9k5fpjaau|Wp0Ee)3UG>)}q#&j_XHzXt%BDWV2 zU^&5#9NooikcUo9MoV~v<%B>ze;b_vE~KPvzKCV8JBD#K7a6t_7i>Nw)F8l$+1Hht zQzo6z&BTgDGS{aCI?yXBT17Z&vFLq zN7;NK1PzL?oD!@LU#-8dzL8RrUN2Ko=o^PxS(-4v3N((ff^O%^BYfzY$<3Nk&nl%# zqQi(X!e7YcK`iR@9_9nRbh0%$33uUh~4E#)R7Mut?Tf&Yv>*T=^|USGfZWbxdS<+*L&5F8P|Ak?5J zuX6U8l2u1@PUK66^s+R>L8bKq35H^>i-+)pP!n8wL+hPlS*#oKOj%clPHb)|;J5#h z(RE0;lG^zvi)WuHSLrk2j7elBeNm{+u}j4Z&XmmBUnpSf_pm^_I>;ovgAv8moF3!H zZY-=T5khz}ac-F2{rhEe&Xmmgtso!I9OZyMpEj|iA3B>q`Cwr>fgE5({PRrVs?){) zJ5lrUAZ%iY9p%`Wf|X}VW*@IA5lA*)sH~L8FD8_%I#ZGV#%Ei294XL>co4qqnUb06 z%j#L1hU-d}9YU_Q?oO+pn;}hoF9b5qTG+DqVAibD^{;N|R@5M2YKBOwaD{2r3lGB| zX~D4y%;Z33b$QdzcbgO{$==H)TNCOfN=Vf#-g7c<<>`{;m+P&pSS$+ow+f)ZKZR!q z7A)xYqZVXbp;VTTF3>#UArnYUiXu4={SH24QLb~Q31Le|D; zPb$ZVy|j<@;xH3QUgeUTEpV+$hekFeV%_Zw;li`J89PxR8*8R!3=X%j_9+j!Ux{2& z%fpQCV`|oZ6cJ2X(x@8U*W6zJy(_J9rKF}6Gp>)RIXa36+tr(i!BD!iQ5}F492rUR(3Z<$^ zAm4ncY~#h!kM%m4hiTVB)Ohvz1QvtEVieLBC)27sk|0QS_>m~Yfu^rZ#Z)&{N})T`u?xGO2E8@n%S^r5`Ja^a@r zGxFRjwD6hK+JjH|?I-yvls{f5*_AAeiL~F;*VOLiuls@PCEFhIg1Xpl>2K!J@t__Y zMH2|sbg6j0SRK8Us-G_v?|dwXj&RuA*VJBpSuRhgxs%7G&Aac^RJ1kWUik>0!FZaH zYmf*GnOYib8)$9Ekiu`zX>I>YXpHV|yCIa7UB!P~E$Zlb0?>JBLD(V@u<$pbv{78r z@X=n?d`SJs??ti(KGxQRfCMuf&elME06}88m@gsOo1o9`?G303iL_aWe3|Q>)=La% z-OXtCGg{zpo>U;qm8yK5*le-1THaCEBH&$FNSy>vAO;#?^6I3G0vQH_FRA9;E8xPf zN9BUjX7wzRjtHePnF8O?#McylSjsP`QwP5n;IMcGMxK`6{M(rVK80cb(g+T`ECmwC0AmIZ3CeN5*|-X^0Pr#3ZOCRJ*_cMYmocFV(?6?BCVk1_tW_; zWQL=zGNW2f#wZ@C?*x9OR*89v*T*Xu7Gr2kk1-~s6(f%=ZOm!>2Ht@*_`R(aBJ_<) 
diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index e9e79fbfaa..51f0a550f0 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -17,6 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip). +The XML below is the DDF for Windows 10, version 1709. + ``` syntax Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command. + + doWipePersistUserData + + + + + + + + + + + + + + + text/plain + + Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command. + + ``` From b64f62d2754cab063e219af551c3873c84e76faa Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 15 Nov 2017 19:30:15 +0000 Subject: [PATCH 15/27] Merged PR 4537: Added Connectivity/DisallowNetworkConnectivityActiveTests to Policy CSP --- windows/client-management/mdm/euiccs-csp.md | 2 +- .../policy-configuration-service-provider.md | 3 ++ .../mdm/policy-csp-connectivity.md | 38 +++++++++++++++++++ 3 files changed, 42 insertions(+), 1 deletion(-)
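Review bot: in the remotewipe-ddf-file.md hunk of the preceding patch, the added sentence "The XML below is the DDF for Windows 10, version 1709." sits directly under a download link that is still labelled and pointed at the Windows 10 version 1607 DDF files, so the page now names two versions without saying how they relate. Either state that the downloadable package is the 1607 set and the inline XML is newer, or update the link text. The new doWipePersistUserData description also carries no "Added in Windows 10, version ..." marker, so a reader cannot tell which releases accept this Exec.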
diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 127aa77257..1ea5fdf102 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -12,7 +12,7 @@ ms.date: 11/01/2017 # eUICCs CSP -The eUICCs configuration service provider... This CSP was added in windows 10, version 1709. +The eUICCs configuration service provider is used to support eUICC enterprise use cases and enables the IT admin to manage (assign, re-assign, remove) subscriptions to employees. This CSP was added in windows 10, version 1709. The following diagram shows the eUICCs configuration service provider in tree format. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index c44db4c35b..7a0a83df92 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -573,6 +573,9 @@ The following diagram shows the Policy configuration service provider in tree fo
Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
+
+ Connectivity/DisallowNetworkConnectivityActiveTests +
Connectivity/HardenedUNCPaths
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 8eeb5e4585..a0ecb34a40 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -52,6 +52,9 @@ ms.date: 11/01/2017
Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards
+
+ Connectivity/DisallowNetworkConnectivityActiveTests +
Connectivity/HardenedUNCPaths
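Review bot: the name added in this hunk, Connectivity/DisallowNetworkConnectivityActiveTests, does not match the change-history entry that PATCH 25/27 adds to new-in-windows-mdm-enrollment-management.md, which lists Connectivity/DisallowNetworkConnectivityActiveTest without the trailing "s". Confirm the correct policy name and use one spelling in both places, since administrators copy these names into MDM configuration. The description hunk that follows also states only "Value type is integer." and lists no supported values or default, so it does not say which value disables the NCSI active probe.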
@@ -634,6 +637,41 @@ ADMX Info:
+**Connectivity/DisallowNetworkConnectivityActiveTests** + + + + + + + + + + + + + + + + + + + + + +
HomeProBusinessEnterpriseEducationMobileMobile Enterprise
cross markcheck mark2check mark2check mark2check mark2cross markcross mark
+ + + + +Added in Windows 10, version 1703. Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. This policy disables the NCSI active probe, preventing network connectivity to www.msftconnecttest.com. + +Value type is integer. + + + +
+ **Connectivity/HardenedUNCPaths** From 7017a895043ff3219dd88ad226ebe55ead9b6c17 Mon Sep 17 00:00:00 2001 From: Tanvir Ahmed <33667980+tanviramsft@users.noreply.github.com> Date: Wed, 15 Nov 2017 12:02:15 -0800 Subject: [PATCH 16/27] Update mdm-enrollment-of-windows-devices.md --- .../mdm/mdm-enrollment-of-windows-devices.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index 583f8d769c..bd7b747f13 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md 
@@ -296,14 +296,16 @@ The deep link used for connecting your device to work will always use the follow | Parameter | Description | Supported Value for Windows 10| |-----------|--------------------------------------------------------------|----------------------------------------------| -| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm” | +| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm”, "awa", "aadj" | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | | deviceidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to pass in a unique device identifier. Added in Windows 10, version 1703. | GUID | | tenantidentifier | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to identify which tenant the device or user belongs to. Added in Windows 10, version 1703. | GUID or string | | ownership | Custom parameter for MDM servers to use as they see fit. Typically, this can be used to determine whether the device is BYOD or Corp Owned. Added in Windows 10, version 1703. | 1, 2, or 3 | -  + +> **Note** "awa" and "aadj" values for mode are only supported on Windows 10, version 1709 and later. + ### Connecting to MDM using a deep link 
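Review bot: in the `mode` row, the new values "awa" and "aadj" are added to the Supported Value column with no description of what each mode does, and the row's description still reads "Added in Windows 10, version 1607" for all three values. Add a short description per value and put the version 1709 requirement in the row itself rather than only in the note below the table. The row also mixes curly quotes (“mdm”) with straight quotes for the new values, and the added `> **Note**` does not use the `>[!NOTE]` alert form that the rest of this series uses.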
@@ -359,8 +361,7 @@ Starting in Windows 10, version 1709, clicking the **Info** button will show a l ![work or school info](images/unifiedenrollment-rs1-35-b.png) -> [!Note] -> Starting in Windows 10, version 1709, the **Manage** button is no longer available. +> [Note] Starting in Windows 10, version 1709, the **Manage** button is no longer available. ### Disconnect From 57735ecc03ef763ff1b1996c775fd2b4cab2f0e4 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 15 Nov 2017 20:44:44 +0000 Subject: [PATCH 17/27] Merged PR 4538: Fixed broken link --- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- ...s-10-start-screens-by-using-provisioning-packages-and-icd.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 7c62a1cfd4..929bea684c 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md @@ -47,7 +47,7 @@ Three features enable Start and taskbar layout control: - The [Export-StartLayout](https://go.microsoft.com/fwlink/p/?LinkID=620879) cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. >[!NOTE]   - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. 
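Review bot: in the @@ -359,8 +361,7 @@ hunk of mdm-enrollment-of-windows-devices.md (PATCH 16/27), the replacement line starts with `> [Note]`, dropping the `!` from the `> [!Note]` marker it removes. Every other alert in this series is written `>[!NOTE]`, `>[!TIP]` or `>[!IMPORTANT]` on its own line, so this looks like an accidental edit; suggest keeping `> [!Note]` on its own line followed by the sentence about the **Manage** button.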
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 544462e2ea..1447c25de9 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -40,7 +40,7 @@ Two features enable Start layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. >[!NOTE]   - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet.   diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md index 18f215ad22..cae45faff6 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md 
@@ -35,7 +35,7 @@ Three features enable Start and taskbar layout control: - The **Export-StartLayout** cmdlet in Windows PowerShell exports a description of the current Start layout in .xml file format. >[!NOTE]   - >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://go.microsoft.com/fwlink/p/?LinkId=623707) cmdlet. + >To import the layout of Start to a mounted Windows image, use the [Import-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/import-startlayout) cmdlet. - [You can modify the Start .xml file](configure-windows-10-taskbar.md) to include `` or create an .xml file just for the taskbar configuration. From 4326be2928ff024ce3ca39f443f39f6e7b866517 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 16 Nov 2017 17:12:54 +0000 Subject: [PATCH 18/27] Merged PR 4541: Fixed formatting issues Fixed formatting issues --- windows/deployment/windows-10-poc.md | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md index b7d72b7783..9e55510904 100644 --- a/windows/deployment/windows-10-poc.md +++ b/windows/deployment/windows-10-poc.md @@ -92,7 +92,7 @@ Harware requirements are displayed below: **OS** - Windows 8.1/10 or Windows Server 2012/2012 R2/2016* + Windows 8.1/10 or Windows Server 2012/2012 R2/2016\* Windows 7 or a later 
@@ -129,7 +129,7 @@ Harware requirements are displayed below: -*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide. +\*The Hyper-V server role can also be installed on a computer running Windows Server 2008 R2. However, the Windows PowerShell module for Hyper-V is not available on Windows Server 2008 R2, therefore you cannot use many of the steps provided in this guide to configure Hyper-V. To manage Hyper-V on Windows Server 2008 R2, you can use Hyper-V WMI, or you can use the Hyper-V Manager console. Providing all steps in this guide as Hyper-V WMI or as 2008 R2 Hyper-V Manager procedures is beyond the scope of the guide.

The Hyper-V role cannot be installed on Windows 7 or earlier versions of Windows. @@ -229,7 +229,7 @@ When you have completed installation of Hyper-V on the host computer, begin conf After completing registration you will be able to download the 7.47 GB Windows Server 2012 R2 evaluation VHD. An example of the download offering is shown below. - +
![VHD](images/download_vhd.png)
@@ -262,7 +262,7 @@ w10-enterprise.iso >Important: Do not attempt to use the VM resulting from the following procedure as a reference image. Also, to avoid conflicts with existing clients, do not start the VM outside the PoC network. -
+
If you do not have a PC available to convert to VM, perform the following steps to download an evaluation VM:
    @@ -292,7 +292,7 @@ When creating a VM in Hyper-V, you must specify either generation 1 or generatio
    - +
    @@ -363,7 +363,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS
    -
    Architecture
    +
    @@ -372,8 +372,8 @@ The following table displays the Hyper-V VM generation to choose based on the OS - - + + @@ -384,7 +384,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS - + @@ -395,8 +395,8 @@ The following table displays the Hyper-V VM generation to choose based on the OS - - + + @@ -407,7 +407,7 @@ The following table displays the Hyper-V VM generation to choose based on the OS - + @@ -513,7 +513,7 @@ Notes:
    ### Resize VHD -
    +
    **Enhanced session mode** **Important**: Before proceeding, verify that you can take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer. @@ -524,7 +524,7 @@ To ensure that enhanced session mode is enabled on the Hyper-V host, type the fo >If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. -
    +
    The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to 100GB to support installing imaging tools and storing OS images. From 21e8dfc8ba86c1351bc654c965926e899b7e9099 Mon Sep 17 00:00:00 2001 From: jmunck <33725928+jmunck@users.noreply.github.com> Date: Thu, 16 Nov 2017 11:29:34 -0800 Subject: [PATCH 19/27] Update index.md Added Tip to note that skipping a version (1511 - 1709) is indeed possible. --- windows/deployment/update/index.md | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 2295a1f28e..11e535e768 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md 
@@ -47,6 +47,4 @@ Windows as a service provides a new way to think about building, deploying, and >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). - -Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=index.md). \ No newline at end of file +>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709) 
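Review bot: this hunk removes the closing "Not finding content you need? ..." Feedback Hub line, which the commit message (adding a Tip about skipping a version) does not mention; restore it unless the removal is intended. In the added sentence, "(i.e. Version 1511)" and "(i.e 1709)" are examples, so "e.g." is the right abbreviation, the second one lacks its period, and the sentence has no closing full stop.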
From 7f77d0c6e87bc35cc09433220668a8f166b8e6f1 Mon Sep 17 00:00:00 2001 From: Kaushik Ainapure Date: Fri, 17 Nov 2017 16:22:28 +0530 Subject: [PATCH 20/27] Typo error fixed "Upgrade and migration monsiderations" considerations --- .../upgrade/windows-upgrade-and-migration-considerations.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md index 28539a5108..f0d196dfd1 100644 --- a/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md +++ b/windows/deployment/upgrade/windows-upgrade-and-migration-considerations.md @@ -29,7 +29,7 @@ With Windows Easy Transfer, files and settings can be transferred using a netwo ### Migrate with the User State Migration Tool You can use USMT to automate migration during large deployments of the Windows operating system. USMT uses configurable migration rule (.xml) files to control exactly which user accounts, user files, operating system settings, and application settings are migrated and how they are migrated. You can use USMT for both *side-by-side* migrations, where one piece of hardware is being replaced, or *wipe-and-load* (or *refresh*) migrations, when only the operating system is being upgraded. -## Upgrade and migration monsiderations +## Upgrade and migration considerations Whether you are upgrading or migrating to a new version of Windows, you must be aware of the following issues and considerations: ### Application compatibility From 5f52f37a6f059948b4cea538feca3a627aacca24 Mon Sep 17 00:00:00 2001 From: Wael Jendli <33766257+wjendli@users.noreply.github.com> Date: Fri, 17 Nov 2017 14:05:31 -0800 Subject: [PATCH 21/27] Update policy-csp-connectivity.md Changed the description to reflect the code behavior --- windows/client-management/mdm/policy-csp-connectivity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/client-management/mdm/policy-csp-connectivity.md b/windows/client-management/mdm/policy-csp-connectivity.md index 8eeb5e4585..037f8a9a52 100644 --- a/windows/client-management/mdm/policy-csp-connectivity.md +++ b/windows/client-management/mdm/policy-csp-connectivity.md @@ -156,7 +156,7 @@ ms.date: 11/01/2017

    The following list shows the supported values: -- 0 – Do not allow the cellular data channel. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 0 – Do not allow the cellular data channel. The user cannot turn it on. This value is not supported in Windows 10, version 1511. - 1 (default) – Allow the cellular data channel. The user can turn it off. - 2 - Allow the cellular data channel. The user cannot turn it off. @@ -203,7 +203,7 @@ ms.date: 11/01/2017

    The following list shows the supported values: -- 0 – Do not allow cellular data roaming. The user can turn it on. This value is not supported in Windows 10, version 1511. +- 0 – Do not allow cellular data roaming. The user cannot turn it on. This value is not supported in Windows 10, version 1511. - 1 (default) – Allow cellular data roaming. - 2 - Allow cellular data roaming on. The user cannot turn it off. From 7a861511ec1d51f3205f096f37823cbd6f2ed7c7 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Fri, 17 Nov 2017 17:12:01 -0600 Subject: [PATCH 22/27] Update index.md Fixed several punctuations errors in original submission and inadvertently deleted a line. --- windows/deployment/update/index.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/index.md b/windows/deployment/update/index.md index 11e535e768..4fa6463ca0 100644 --- a/windows/deployment/update/index.md +++ b/windows/deployment/update/index.md 
@@ -47,4 +47,6 @@ Windows as a service provides a new way to think about building, deploying, and >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. ->With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709) +>With each release of a new feature update for CB, Microsoft makes available new .iso files for use in updating your custom images. Each Windows 10 build has a finite servicing lifetime, so it’s important that images stay up to date with the latest build. For detailed information about how to deploy Windows 10 to bare-metal machines or to upgrade to Windows 10 from previous builds of Windows, see [Deploy Windows 10 with System Center 2012 R2 Configuration Manager](../deploy-windows-sccm/deploy-windows-10-with-system-center-2012-r2-configuration-manager.md). Additionally, Windows 10 clients can move from any supported version of Windows 10 (i.e. Version 1511) to the latest version directly (i.e 1709). + +Not finding content you need? 
Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=index.md). From c747cb2cbd24f202492274dc8eecb15fd65b9b1a Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Fri, 17 Nov 2017 15:17:39 -0800 Subject: [PATCH 23/27] minor updates --- ...requirements-windows-defender-advanced-threat-protection.md | 2 +- ...cs-dashboard-windows-defender-advanced-threat-protection.md | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index 283ce4a02b..e8200e9584 100644 --- a/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -66,7 +66,7 @@ The hardware requirements for Windows Defender ATP on endpoints is the same as t > Endpoints that are running mobile versions of Windows are not supported. #### Internet connectivity -Internet connectivity on endpoints is required. +Internet connectivity on endpoints is required either directly or through proxy. The Windows Defender ATP sensor can utilize up to 5MB daily of bandwidth to communicate with the Windows Defender ATP cloud service and report cyber data. diff --git a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md index 7eaf489912..f8b9b55c33 100644 --- a/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md 
+++ b/windows/threat-protection/windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md @@ -29,6 +29,9 @@ ms.date: 10/17/2017 The Security Analytics dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. +>[!IMPORTANT] +> This feature is available for machines on Windows 10, version 1703 or later. + The **Security analytics dashboard** displays a snapshot of: - Organizational security score - Security coverage From 5691d0bd08fb3b3c11fb4b17bc40f26dd3b6a7dd Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 17 Nov 2017 23:20:02 +0000 Subject: [PATCH 24/27] Merged PR 4582: Experience/AllowManualMDMUnenrollment in Policy CSP --- windows/client-management/mdm/policy-csp-experience.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-experience.md b/windows/client-management/mdm/policy-csp-experience.md index 646d49acd0..df796d96ca 100644 --- a/windows/client-management/mdm/policy-csp-experience.md +++ b/windows/client-management/mdm/policy-csp-experience.md @@ -314,7 +314,7 @@ ms.date: 11/01/2017 -

    Specifies whether to allow the user to delete the workplace account using the workplace control panel. +

    Specifies whether to allow the user to delete the workplace account using the workplace control panel. If the device is Azure Active Directory joined and MDM enrolled (e.g. auto-enrolled), which is majority of the case for Intune, then disabling the MDM unenrollment has no effect. > [!NOTE] > The MDM server can always remotely delete the account. From b6b450b02fbe7bd578d22c4cf6105ae6f895e3a6 Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Fri, 17 Nov 2017 23:20:56 +0000 Subject: [PATCH 25/27] Merged PR 4581: Updated Policy CSP --- ...ew-in-windows-mdm-enrollment-management.md | 51 +++++- .../policy-configuration-service-provider.md | 15 ++ .../mdm/policy-csp-authentication.md | 9 +- .../mdm/policy-csp-cellular.md | 167 +++++++++++++++++- .../client-management/mdm/policy-csp-start.md | 38 ++++ 5 files changed, 267 insertions(+), 13 deletions(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index b3c6da87b5..c74bbd6838 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1029,6 +1029,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s

  1. Authentication/AllowFidoDeviceSignon
  2. Browser/LockdownFavorites
  3. Browser/ProvisionFavorites
  4. +
  5. Cellular/LetAppsAccessCellularData
  6. +
  7. Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
  8. +
  9. Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
  10. +
  11. Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
  12. CredentialProviders/DisableAutomaticReDeploymentCredentials
  13. DeviceGuard/EnableVirtualizationBasedSecurity
  14. DeviceGuard/RequirePlatformSecurityFeatures
  15. @@ -1081,6 +1085,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
  16. Education/PrinterNames
  17. Search/AllowCloudSearch
  18. Security/ClearTPMIfNotReady
  19. +
  20. Start/HidePeopleBar
  21. Storage/AllowDiskHealthModelUpdates
  22. System/LimitEnhancedDiagnosticDataWindowsAnalytics
  23. Update/AllowAutoWindowsUpdateDownloadOverMeteredNetwork
  24. @@ -1377,6 +1382,44 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### November 2017 + +
    OS Partition styleProcedure
    Windows 7MBRWindows 7MBR 32 1 [Prepare a generation 1 VM](#prepare-a-generation-1-vm)[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
    GPTGPT 32 N/A N/A[Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
    Windows 8 or laterMBRWindows 8 or laterMBR 32 1 [Prepare a generation 1 VM](#prepare-a-generation-1-vm)[Prepare a generation 1 VM](#prepare-a-generation-1-vm)
    GPTGPT 32 1 [Prepare a generation 1 VM from a GPT disk](#prepare-a-generation-1-vm-from-a-gpt-disk)
    ++++ + + + + + + + + + + + +
    New or updated topicDescription
    [Policy CSP](policy-configuration-service-provider.md)

    Added the following policies for Windows 10, version 1709:

    +
      +
    • Authentication/AllowFidoDeviceSignon
    • +
    • Cellular/LetAppsAccessCellularData
    • +
    • Cellular/LetAppsAccessCellularData_ForceAllowTheseApps
    • +
    • Cellular/LetAppsAccessCellularData_ForceDenyTheseApps
    • +
    • Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps
    • +
    • Start/HidePeopleBar
    • +
    • Storage/EnhancedStorageDevices
    • +
    • Update/ManagePreviewBuilds
    • +
    • WirelessDisplay/AllowMdnsAdvertisement
    • +
    • WirelessDisplay/AllowMdnsDiscovery
    • +
    +

    Added missing policies from previous releases:

    +
      +
    • Connectivity/DisallowNetworkConnectivityActiveTest
    • +
    • Search/AllowWindowsIndexer
    • +
    +
    + ### October 2017 @@ -1402,14 +1445,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
  25. Defender/ControlledFolderAccessAllowedApplications - string separator is |.
  26. Defender/ControlledFolderAccessProtectedFolders - string separator is |.
  27. -

    Added the following policies for Windows 10, version 1709:

    -
      -
    • Authentication/AllowFidoDeviceSignon
    • -
    • Storage/EnhancedStorageDevices
    • -
    • Update/ManagePreviewBuilds
    • -
    • WirelessDisplay/AllowMdnsAdvertisement
    • -
    • WirelessDisplay/AllowMdnsDiscovery
    • -
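Review bot: In new-in-windows-mdm-enrollment-management.md, the last hunk deletes five version 1709 policies (Authentication/AllowFidoDeviceSignon, Storage/EnhancedStorageDevices, Update/ManagePreviewBuilds, WirelessDisplay/AllowMdnsAdvertisement, WirelessDisplay/AllowMdnsDiscovery) from the existing entry below the "### October 2017" heading and re-lists them under the new "### November 2017" entry, which rewrites an already published change-history record. Leave the October entry as it was and list under November only what this change newly documents: the four Cellular/LetAppsAccessCellularData* policies, Start/HidePeopleBar, and the two items under "Added missing policies from previous releases".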
    diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 7a0a83df92..4c4c7bab91 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -532,6 +532,18 @@ The following diagram shows the Policy configuration service provider in tree fo ### Cellular policies
    +
    + Cellular/LetAppsAccessCellularData +
    +
    + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +
    Cellular/ShowAppCellularAccessUI
    @@ -2584,6 +2596,9 @@ The following diagram shows the Policy configuration service provider in tree fo
    Start/HideLock
    +
    + Start/HidePeopleBar +
    Start/HidePowerButton
    diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 14c360f83a..6a21929f0c 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 11/16/2017 --- # Policy CSP - Authentication @@ -204,16 +204,17 @@ ms.date: 11/01/2017 -

    Added in Windows 10, version 1709. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. +

    Preview release in Windows 10, version 1709. Supported in the next release. Specifies whether Fast Identity Online (FIDO) device can be used to sign on. This policy enables the Windows logon credential provider for FIDO 2.0 +

    Value type is integer. + +

    Here is an example scenario: At Contoso, there are a lot of shared devices and kiosks that employees throughout the day using as many as 20 different devices. To minimize the loss in productivity when employees have to login with username and password everytime they pick up a device, the IT admin deploys SharePC CSP and Authentication/AllowFidoDeviceSignon policy to shared devices. The IT admin provisions and distributes FIDO 2.0 devices to employees, which allows them to authenticate to various shared devices and PCs.

    The following list shows the supported values: - 0 - Do not allow. The FIDO device credential provider disabled.  - 1 - Allow. The FIDO device credential provider is enabled and allows usage of FIDO devices to sign into an Windows. -

    Value type is integer. -
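Review bot: The replacement description in policy-csp-authentication.md, "Preview release in Windows 10, version 1709. Supported in the next release.", does not name the release in which Authentication/AllowFidoDeviceSignon becomes supported, and it disagrees with the November 2017 change-history entry in this same patch, which still lists the policy under "Added the following policies for Windows 10, version 1709". Because this setting turns on a sign-in credential provider, describe the preview status the same way in both places and name the supported release once it is known. The added sentence "This policy enables the Windows logon credential provider for FIDO 2.0" also needs its closing period.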


    diff --git a/windows/client-management/mdm/policy-csp-cellular.md b/windows/client-management/mdm/policy-csp-cellular.md index 250e605bc9..b070a9305e 100644 --- a/windows/client-management/mdm/policy-csp-cellular.md +++ b/windows/client-management/mdm/policy-csp-cellular.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 11/01/2017 +ms.date: 11/16/2017 --- # Policy CSP - Cellular @@ -19,11 +19,166 @@ ms.date: 11/01/2017 ## Cellular policies
    +
    + Cellular/LetAppsAccessCellularData +
    +
    + Cellular/LetAppsAccessCellularData_ForceAllowTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_ForceDenyTheseApps +
    +
    + Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps +
    Cellular/ShowAppCellularAccessUI
    +
    + +**Cellular/LetAppsAccessCellularData** + + +
    [eUICCs CSP](euiccs-csp.md)
    + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. This policy setting specifies whether Windows apps can access cellular data. + +You can specify either a default setting for all apps or a per-app setting by specifying a Package Family Name. You can get the Package Family Name for an app by using the Get-AppPackage Windows PowerShell cmdlet. A per-app setting overrides the default setting. + +If you choose the "User is in control" option, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. + +If you choose the "Force Allow" option, Windows apps are allowed to access cellular data and employees in your organization cannot change it. + +If you choose the "Force Deny" option, Windows apps are not allowed to access cellular data and employees in your organization cannot change it. + +If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can access cellular data by using Settings > Network - Internet > Cellular on the device. + +If an app is open when this Group Policy object is applied on a device, employees must restart the app or device for the policy changes to be applied to the app.” + +Suported values: + +- 0 - User is in control +- 1 - Force Allow +- 2 - Force Deny + + + +
    + +**Cellular/LetAppsAccessCellularData_ForceAllowTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are allowed access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + + +
    + +**Cellular/LetAppsAccessCellularData_ForceDenyTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Microsoft Store Apps. Listed apps are denied access to cellular data. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + + +
    + +**Cellular/LetAppsAccessCellularData_UserInControlOfTheseApps** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    check mark3check mark3check mark3check mark3check mark3cross markcross mark
    + + + +Added in Windows 10, version 1709. List of semi-colon delimited Package Family Names of Windows Store Apps. The user is able to control the cellular data access setting for the listed apps. This setting overrides the default LetAppsAccessCellularData policy setting for the specified apps. Value type is string. + +
    **Cellular/ShowAppCellularAccessUI** @@ -61,6 +216,16 @@ ms.date: 11/01/2017 +This policy setting configures the visibility of the link to the per-application cellular access control page in the cellular setting UX. + +If this policy setting is enabled, a drop-down list box presenting possible values will be active. Select "Hide" or "Show" to hide or show the link to the per-application cellular access control page. + +If this policy setting is disabled or is not configured, the link to the per-application cellular access control page is showed by default.” + +Supported values: + +- 0 - Hide +- 1 - Show > [!TIP] > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). diff --git a/windows/client-management/mdm/policy-csp-start.md b/windows/client-management/mdm/policy-csp-start.md index 8ab24a2ad2..d3392ef73f 100644 --- a/windows/client-management/mdm/policy-csp-start.md +++ b/windows/client-management/mdm/policy-csp-start.md @@ -67,6 +67,9 @@ ms.date: 11/01/2017
    Start/HideLock
    +
    + Start/HidePeopleBar +
    Start/HidePowerButton
    @@ -901,6 +904,41 @@ ms.date: 11/01/2017 1. Enable policy. 2. Open Start, click on the user tile, and verify "Lock" is not available. + + +
    + +**Start/HidePeopleBar** + + + + + + + + + + + + + + + + + + + + + +
    HomeProBusinessEnterpriseEducationMobileMobile Enterprise
    cross markcheck mark3check mark3check mark3check mark3cross markcross mark
    + + + + +

    Added in Windows 10, version 1709. Enabling this policy removes the people icon from the taskbar as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. + +

    Value type is integer. +
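Review bot: The first hunk of policy-csp-cellular.md says "A per-app setting overrides the default setting" but never states which list wins when the same Package Family Name appears in more than one of _ForceAllowTheseApps, _ForceDenyTheseApps and _UserInControlOfTheseApps. Document the precedence, or state that such a configuration is invalid, so that an administrator can tell whether a deny entry still holds when the same app is also in an allow list. In the same hunk: Cellular/LetAppsAccessCellularData gives no value type while the three list policies do; "Suported values" is misspelled; the paragraph ending "applied to the app.”" carries a stray closing quote and refers to a "Group Policy object" in an MDM topic; "Settings > Network - Internet > Cellular" looks like a lost "&"; and _UserInControlOfTheseApps says "Windows Store Apps" where the other two lists say "Microsoft Store Apps".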
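Review bot: The second hunk of policy-csp-cellular.md adds "Supported values: 0 - Hide, 1 - Show" for Cellular/ShowAppCellularAccessUI directly above the existing tip that this is an ADMX-backed policy requiring a special SyncML format, so a reader cannot tell what payload to send. Either show the ADMX-style payload for Hide and Show or drop the integer list. The added text is also Group Policy editor wording ("a drop-down list box presenting possible values will be active"), and "is showed by default.”" should read "is shown by default." without the stray closing quote.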
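Review bot: The Start/HidePeopleBar section added to policy-csp-start.md ends at "Value type is integer." without listing the supported values or the default, unlike Cellular/LetAppsAccessCellularData in this same patch, and "Enabling this policy" does not say which integer enables it. Add the value list and the default, and consider verification steps like those the preceding Start/HideLock entry has ("1. Enable policy. 2. Open Start, ...").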


    From 9dc799cdab92c2a9364a3bdee644b0aa27f82463 Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 17 Nov 2017 23:24:26 +0000 Subject: [PATCH 26/27] Merged PR 4397: Merge ms-whfb-staging to whfb-staging Updates and then please push to master --- .../access-protection/hello-for-business/hello-features.md | 6 +++--- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 ++-- windows/access-protection/hello-for-business/toc.md | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/access-protection/hello-for-business/hello-features.md b/windows/access-protection/hello-for-business/hello-features.md index 2e4ae4c446..af73b147d6 100644 --- a/windows/access-protection/hello-for-business/hello-features.md +++ b/windows/access-protection/hello-for-business/hello-features.md @@ -19,7 +19,7 @@ Consider these additional features you can use after your organization deploys W * [Conditional access](#conditional-access) * [Dynamic lock](#dynamic-lock) * [PIN reset](#PIN-reset) -* [Privileged workstation](#Priveleged-workstation) +* [Privileged credentials](#Priveleged-crednetials) * [Mulitfactor Unlock](#Multifactor-unlock) 
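Review bot: In hello-features.md, the new list entry `[Privileged credentials](#Priveleged-crednetials)` points at a fragment that is misspelled twice and will not resolve to the heading "## Privileged Credentials" that the next hunk introduces; spell the fragment to match the heading (`#privileged-credentials`). The neighbouring context entry "[Mulitfactor Unlock]" has a typo in its link text that could be fixed in the same pass.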
@@ -142,14 +142,14 @@ On-premises deployments provide users with the ability to reset forgotton PINs e >[!NOTE] > Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video. -## Privileged Workstation +## Privileged Credentials **Requirements** * Hybrid and On-premises Windows Hello for Business deployments * Domain Joined or Hybird Azure joined devices * Windows 10, version 1709 -The privileged workstation scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device. +The privileged credentials scenario enables administrators to perform elevated, admistrative funcions by enrolling both their non-privileged and privileged credentials on their device. By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices. diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 0bd7c0a3b1..552c519832 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -81,7 +81,7 @@ Organizations using older directory synchronization technology, such as DirSync
    ## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated envionments, key trust deployments work in environments that have deployed [Password Syncrhonization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated envirnonments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. ### Section Review ### > [!div class="checklist"] @@ -91,7 +91,7 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
    ## Multifactor Authentication ## -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor. but needs a second factor of authentication. +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor, but needs a second factor of authentication. Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. diff --git a/windows/access-protection/hello-for-business/toc.md b/windows/access-protection/hello-for-business/toc.md index 5a8d5dd5c3..81267549c1 100644 --- a/windows/access-protection/hello-for-business/toc.md +++ b/windows/access-protection/hello-for-business/toc.md @@ -43,4 +43,4 @@ ##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md) #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) -## [Windows Hello for Businesss Feature](hello-features.md) \ No newline at end of file +## [Windows Hello for Business Features](hello-features.md) \ No newline at end of file From c226b91256714c385208eab9af2e55fa6a4d39da Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 21 Nov 2017 09:42:33 -0800 Subject: [PATCH 27/27] change token --- ...m-integration-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md index 6947c9cd8a..978f65a2d7 100644 --- a/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md @@ -53,7 +53,7 @@ Enable security information and event management (SIEM) integration so you can p 5. Select **Generate tokens** to get an access and refresh token. > [!NOTE] - > You'll need to generate a new Access token every 90 days. + > You'll need to generate a new Refresh token every 90 days. You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from the Windows Defender ATP portal.
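Review bot: The note under step 5 now says only that the Refresh token must be regenerated every 90 days, while step 5 issues both an access and a refresh token; say how long the access token lives and how it is renewed, otherwise the change reads as if the access token never expires. Since the page states that the tokens are what allow the SIEM solution to receive alerts, also state what happens to alert delivery when the refresh token lapses, so operators can schedule rotation before day 90. The commit subject "change token" does not say which statement was wrong or why.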