diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
index f74f2297fa..9295d1d8ac 100644
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@@ -16,7 +16,6 @@ ms.localizationpriority: medium
# PowerShell for Surface Hub
-
PowerShell scripts to help set up and manage your Microsoft Surface Hub.
- [PowerShell scripts for Surface Hub admins](#scripts-for-admins)
@@ -30,7 +29,6 @@ PowerShell scripts to help set up and manage your Microsoft Surface Hub.
- [Auto-accepting and declining meeting requests](#auto-accept-meetings-cmdlet)
- [Accepting external meeting requests](#accept-ext-meetings-cmdlet)
-
## Prerequisites
To successfully execute these PowerShell scripts, you will need to install the following prerequisites:
@@ -41,7 +39,6 @@ To successfully execute these PowerShell scripts, you will need to install the f
## PowerShell scripts for Surface Hub administrators
-
What do the scripts do?
- Create device accounts for setups using pure single-forest on-premises (Microsoft Exchange and Skype 2013 and later only) or online (Microsoft Office 365), that are configured correctly for your Surface Hub.
@@ -56,11 +53,8 @@ What do you need in order to run the scripts?
>[!NOTE]
>Whether you’re creating a new account or modifying an already-existing account, the validation script will verify that your device account is configured correctly. You should always run the validation script before adding a device account to Surface Hub.
-
-
## Running the scripts
-
The account creation scripts will:
- Ask for administrator credentials
@@ -178,11 +172,8 @@ These are the attributes that are set by the scripts:
-
-
## Account creation scripts
-
These scripts will create a device account for you. You can use the [Account verification script](#acct-verification-ps-scripts) to make sure they ran correctly.
The account creation scripts cannot modify an already existing account, but can be used to help you understand which cmdlets need to be run to configure the existing account correctly.
@@ -257,7 +248,6 @@ if (!$credNewAccount -Or [System.String]::IsNullOrEmpty($strDisplayName) -Or [Sy
exit 1
}
-
## Sign in to remote powershell for exchange and lync online ##
$credExchange = $null
@@ -307,7 +297,8 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
Import-PSSession $sessLync -AllowClobber -WarningAction SilentlyContinue
## Create the Exchange mailbox ##
-# Note: These exchange commandlets do not always throw their errors as exceptions
+>[!Note]
+>These exchange commandlets do not always throw their errors as exceptions
# Because Get-Mailbox will throw an error if the mailbox is not found
$Error.Clear()
@@ -324,7 +315,6 @@ $status["Mailbox Setup"] = "Successfully created a mailbox for the new account"
$strEmail = $mailbox.WindowsEmailAddress
PrintSuccess "The following mailbox has been created for this room: $strEmail"
-
## Create or retrieve a policy that will be applied to surface hub devices ##
# The policy disables requiring a device password so that the SurfaceHub does not need to be lockable to use Active Sync
$strPolicy = Read-Host 'Please enter the name for a new Surface Hub ActiveSync policy that will be created and applied to this account.
@@ -674,7 +664,8 @@ Import-PSSession $sessExchange -AllowClobber -WarningAction SilentlyContinue
Import-PSSession $sessCS -AllowClobber -WarningAction SilentlyContinue
## Create the Exchange mailbox ##
-# Note: These exchange commandlets do not always throw their errors as exceptions
+>[!Note]
+>These exchange commandlets do not always throw their errors as exceptions
# Because Get-Mailbox will throw an error if the mailbox is not found
$Error.Clear()
@@ -994,7 +985,6 @@ else
## Account verification script
-
This script will validate the previously-created device account on a Surface Hub, no matter which method was used to create it. This script is basically pass/fail. If one of the test errors out, it will show a detailed error message, but if all tests pass, the end result will be a summary report. For example, you might see:
``` syntax
@@ -1446,7 +1436,6 @@ Cleanup
## Enable Skype for Business
-
This script will enable Skype for Business on a device account. Use it only if Skype for Business wasn't previously enabled during account creation.
```PowerShell
@@ -1607,7 +1596,6 @@ Cleanup
## Useful cmdlets
-
### Creating a Surface Hub-compatible ActiveSync policy
For Surface Hub to use Exchange services, a device account configured with a compatible ActiveSync policy must be provisioned on the device. This policy has the following requirements:
@@ -1674,19 +1662,9 @@ Set-CalendarProcessing $strRoomUpn -AutomateProcessing AutoAccept
For a device account to accept external meeting requests (a meeting request from an account not in the same tenant/domain), the device account must be set to allow processing of external meeting requests. Once set, the device account will automatically accept or decline meeting requests from external accounts as well as local accounts.
->**Note** If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect.
-
-
+>[!Note]
+>If the **AutomateProcessing** attribute is not set to **AutoAccept**, then setting this will have no effect.
```PowerShell
Set-CalendarProcessing $strRoomUpn -ProcessExternalMeetingMessages $true
```
-
-
-
-
-
-
-
-
-
diff --git a/mdop/appv-v5/app-v-50-prerequisites.md b/mdop/appv-v5/app-v-50-prerequisites.md
index e90a62583c..ace08aceef 100644
--- a/mdop/appv-v5/app-v-50-prerequisites.md
+++ b/mdop/appv-v5/app-v-50-prerequisites.md
@@ -16,11 +16,10 @@ ms.date: 08/30/2016
# App-V 5.0 Prerequisites
-
Before you begin the Microsoft Application Virtualization (App-V) 5.0 Setup, you should make sure that you have met the prerequisites to install the product. This topic contains information to help you successfully plan for preparing your computing environment before you deploy the App-V 5.0 features.
-**Important**
-**The prerequisites in this article apply only to App-V 5.0**. For additional prerequisites that apply to App-V 5.0 Service Packs, see the following web pages:
+>[!Important]
+>**The prerequisites in this article apply only to App-V 5.0**. For additional prerequisites that apply to App-V 5.0 Service Packs, see the following web pages:
- [What's new in App-V 5.0 SP1](whats-new-in-app-v-50-sp1.md)
@@ -28,8 +27,6 @@ Before you begin the Microsoft Application Virtualization (App-V) 5.0 Setup, you
- [App-V 5.0 SP3 Prerequisites](app-v-50-sp3-prerequisites.md)
-
-
The following table lists prerequisite information that pertains to specific operating systems.
@@ -69,15 +66,10 @@ The following table lists prerequisite information that pertains to specific ope
-
-
## Installation prerequisites for App-V 5.0
-
-**Note**
-The following prerequisites are already installed for computers that run Windows 8.
-
-
+>[!Note]
+>The following prerequisites are already installed for computers that run Windows 8.
Each of the App-V 5.0 features have specific prerequisites that must be met before the App-V 5.0 features can be successfully installed.
@@ -100,8 +92,8 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
Software requirements |
|
-
-
### Prerequisites for the App-V 5.0 Remote Desktop Services client
-**Note**
-The following prerequisites are already installed for computers that run Windows Server 2012.
-
-
+>[!Note]
+>The following prerequisites are already installed for computers that run Windows Server 2012.
The following table lists the installation prerequisites for the App-V 5.0 Remote Desktop Services client:
@@ -158,8 +146,8 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot
Software requirements |
|
-
-
### Prerequisites for the App-V 5.0 Sequencer
-**Note**
-The following prerequisites are already installed for computers that run Windows 8 and Windows Server 2012.
-
-
+>[!Note]
+>The following prerequisites are already installed for computers that run Windows 8 and Windows Server 2012.
The following table lists the installation prerequisites for the App-V 5.0 Sequencer. If possible, the computer that runs the Sequencer should have the same hardware and software configurations as the computers that will run the virtual applications.
-**Note**
-If the system requirements of a locally installed application exceed the requirements of the Sequencer, you must meet the requirements of that application. Additionally, because the sequencing process is system resource-intensive, we recommend that the computer that runs the Sequencer has plenty of memory, a fast processor, and a fast hard drive. For more information see [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md).
-
-
+>[!Note]
+>If the system requirements of a locally installed application exceed the requirements of the Sequencer, you must meet the requirements of that application. Additionally, because the sequencing process is system resource-intensive, we recommend that the computer that runs the Sequencer has plenty of memory, a fast processor, and a fast hard drive. For more information see [App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md).
@@ -221,16 +203,16 @@ If the system requirements of a locally installed application exceed the require
Software requirements |
|
-
-
### Prerequisites for the App-V 5.0 server
-**Note**
-The following prerequisites are already installed for computers that run Windows Server 2012:
+>[!Note]
+>The following prerequisites are already installed for computers that run Windows Server 2012:
- Microsoft .NET Framework 4.5. This eliminates the Microsoft .NET Framework 4 requirement.
@@ -256,26 +236,18 @@ The following prerequisites are already installed for computers that run Windows
- Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (https://support.microsoft.com/kb/2533623)
- **Important**
- You can still download install the previous KB. However, it may have been replaced with a more recent version.
-
-
-
-
+ >[!Important]
+ >You can still download install the previous KB. However, it may have been replaced with a more recent version.
The following table lists the installation prerequisites for the App-V 5.0 server. The account that you use to install the server components must have administrative rights on the computer that you are installing on. This account must also have the ability to query Active Directory Directory Services. Before you install and configure the App-V 5.0 servers, you must specify a port where each component will be hosted. You must also add the associated firewall rules to allow incoming requests to the specified ports.
-**Note**
-Web Distributed Authoring and Versioning (WebDAV) is automatically disabled for the Management Service.
-
-
+>[!Note]
+>Web Distributed Authoring and Versioning (WebDAV) is automatically disabled for the Management Service.
The App-V 5.0 server is supported for a standalone deployment, where all the components are deployed on the same server, and a distributed deployment. Depending on the topology that you use to deploy the App-V 5.0 server, the data that you will need for each component will slightly change.
-**Important**
-The installation of the App-V 5.0 server on a computer that runs any previous version or component of App-V is not supported. Additionally, the installation of the server components on a computer that runs Server Core or a Domain Controller is also not supported.
-
-
+>[!Important]
+>The installation of the App-V 5.0 server on a computer that runs any previous version or component of App-V is not supported. Additionally, the installation of the server components on a computer that runs Server Core or a Domain Controller is also not supported.
@@ -292,8 +264,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
Management Server |
-Microsoft .NET Framework 4 (Full Package) (https://www.microsoft.com/download/details.aspx?id=17718)
-Windows PowerShell 3.0 (https://www.microsoft.com/download/details.aspx?id=34595)
+Microsoft .NET Framework 4 (Full Package)
+Windows PowerShell 3.0
NoteInstalling PowerShell 3.0 requires a restart.
@@ -301,7 +273,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
Windows Web Server with the IIS role enabled and the following features: Common HTTP Features (static content and default document), Application Development (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), Security (Windows Authentication, Request Filtering), Management Tools (IIS Management Console).
-Download and install KB2533623 (https://support.microsoft.com/kb/2533623)
+Download and install KB2533623
The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management database.
@@ -349,14 +321,14 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
Custom App-V 5.0 database name (if applicable) – you must specify a unique database name. The default value for the management database is AppVManagement.
App-V 5.0 management server location – specifies the machine account on which the management server is deployed. This should be specified in the following format Domain\MachineAccount.
App-V 5.0 management server installation administrator - specifies the account that will be used to install the App-V 5.0 management server. You should use the following format: Domain\AdministratorLoginName.
-Microsoft SQL Server Service Agent - configure the computer running the App-V 5.0 Management Database so that Microsoft SQL Server Agent service is restarted automatically. For more information see Configure SQL Server Agent to Restart Services Automatically (https://go.microsoft.com/fwlink/?LinkId=273725).
+Microsoft SQL Server Service Agent - configure the computer running the App-V 5.0 Management Database so that Microsoft SQL Server Agent service is restarted automatically. For more information see Configure SQL Server Agent to Restart Services Automatically
|
Reporting Server |
|
-
-
-
-
-
-
-
## Related topics
-
[Planning to Deploy App-V](planning-to-deploy-app-v.md)
[App-V 5.0 Supported Configurations](app-v-50-supported-configurations.md)
-
-
-
-
-
-
-
-
-
diff --git a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
index d365a7ce2c..19ad1f3d57 100644
--- a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
+++ b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
@@ -16,12 +16,10 @@ ms.date: 08/30/2016
# Known Issues in the MBAM International Release
-
This section contains known issues for Microsoft BitLocker Administration and Monitoring (MBAM) International Release.
## Known Issues in the MBAM International Release
-
### The Installation Process Does Not Specify Update
Upon updating the Microsoft BitLocker Administration and Monitoring server or servers, the Setup program does not state that an update is being installed.
@@ -36,13 +34,12 @@ If you are using a certificate for authentication between MBAM servers, after up
### MBAM Svclog File Filling Disk Space
-If you have followed Knowledge Base article 2668170, [https://support.microsoft.com/kb/2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update.
+If you have followed [Knowledge Base article 2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update.
**Workaround**: None.
## Related topics
-
[Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)
diff --git a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
index 1d8f677dab..d2e12fb643 100644
--- a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
@@ -16,10 +16,8 @@ ms.date: 08/30/2016
# MBAM 2.0 Privacy Statement
-
## Microsoft BitLocker Administration and Monitoring (MBAM) v2 Privacy Statement
-
Microsoft is committed to protecting your privacy, while delivering software that brings you the performance, power, and convenience you desire in your personal computing. This privacy statement explains many of the data collection and use practices of Microsoft BitLocker Administration and Monitoring v2 (MBAM). This is a preliminary disclosure that focuses on features that communicate with the Internet and is not intended to be an exhaustive list.
Microsoft BitLocker Administration and Monitoring (MBAM) enhances BitLocker by simplifying deployment and key recovery, centralizing provisioning, monitoring and reporting of encryption status for fixed and removable drives, and minimizing support costs. This release provides support for Windows 8 as well as improvements on Configuration Manager Integration and key recovery functionality.
@@ -86,13 +84,12 @@ Microsoft Error Reporting is not turned on or off by MBAM. MBAM will utilize wha
"HKLM\\Software\\Wow6432Node\\Microsoft\\Microsoft Standalone System Sweeper Tool" (for the 64-bit version)
-**Warning**
-
-Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the PC. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
+>[!Warning]
+>Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the PC. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.
Important Information: Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their PCs. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available on [TechNet](https://technet.microsoft.com/library/cc709644.aspx).
-Additional information on how to modify enable and disable error reporting is available at this support article: [(https://support.microsoft.com/kb/188296)](https://support.microsoft.com/kb/188296).
+Additional information on how to modify enable and disable error reporting is available at this support article: [How to disable or enable Dr. Watson for Windows](https://support.microsoft.com/kb/188296).
### Microsoft Update
@@ -102,15 +99,15 @@ Microsoft Update is a service that provides Windows updates as well as updates f
**Information Collected, Processed, or Transmitted:**
-For details about what information is collected and how it is used, see the Update Services Privacy Statement at .
+For details about what information is collected and how it is used, see the [Update Services Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=244400).
**Use of Information:**
-For details about what information is collected and how it is used, see the Update Services Privacy Statement at .
+For details about what information is collected and how it is used, see the [Update Services Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=244400).
**Choice/Control:**
-For details about controlling this feature, see the Update Services Privacy Statement at .
+For details about controlling this feature, see the [Update Services Privacy Statement](https://go.microsoft.com/fwlink/?LinkId=244000).
### Customer Experience Improvement Program
@@ -120,7 +117,7 @@ The Customer Experience Improvement Program (“CEIP”) collects basic informat
**Information Collected, Processed, or Transmitted:**
-For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at .
+For more information about the information collected, processed, or transmitted by CEIP, see the [CEIP privacy statement](https://go.microsoft.com/fwlink/?LinkID=52097).
**Use of Information:**
@@ -132,14 +129,4 @@ CEIP is off by default. You're offered the opportunity to participate in CEIP du
## Related topics
-
[Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)
-
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/certificate-authentication-device-enrollment.md b/windows/client-management/mdm/certificate-authentication-device-enrollment.md
index dd72081354..1441d87c96 100644
--- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md
@@ -14,15 +14,13 @@ ms.date: 06/26/2017
# Certificate authentication device enrollment
-
This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
-> **Note** To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
-
+>[!Note]
+>To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
## In this topic
-
- [Discovery service](#discovery-service)
- [Enrollment policy web service](#enrollment-policy-web-service)
- [Enrollment web service](#enrollment-web-service)
@@ -507,10 +505,3 @@ The following example shows the encoded provisioning XML.
protocol. This configuration service provider is being deprecated for Windows 10. -->
```
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/federated-authentication-device-enrollment.md b/windows/client-management/mdm/federated-authentication-device-enrollment.md
index e8ad3c9cd8..8af297cb56 100644
--- a/windows/client-management/mdm/federated-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md
@@ -14,7 +14,6 @@ ms.date: 07/28/2017
# Federated authentication device enrollment
-
This section provides an example of the mobile device enrollment protocol using federated authentication policy. When the authentication policy is set to Federated, the web authentication broker is leveraged by the enrollment client to get a security token. The enrollment client calls the web authentication broker API within the response message to start the process. The server should build the web authentication broker pages to fit the device screen and should be consistent with the existing enrollment UI. The opaque security token that is returned from the broker as an end page is used by the enrollment client as the device security secret during the client certificate request call.
The <AuthenticationServiceURL> element the discovery response message specifies web authentication broker page start URL.
@@ -23,7 +22,6 @@ For details about the Microsoft mobile device enrollment protocol for Windows 1
## In this topic
-
[Discovery service](#discovery-service)
[Enrollment policy web service](#enrollment-policy-web-service)
[Enrollment web service](#enrollment-web-service)
@@ -32,12 +30,10 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
## Discovery service
-
The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a restful web service over HTTPS (server authentication only).
-> **Note** The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
-
-
+>[!Note]
+>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The automatic discovery flow of the device uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
@@ -131,24 +127,21 @@ The discovery response is in the XML format and includes the following fields:
- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- In Windows, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
-> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
-
-
+>[!Note]
+>The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
When authentication policy is set to be Federated, Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API within the response message to start the WAB process. WAB pages are server hosted web pages. The server should build those pages to fit the device screen nicely and be as consistent as possible to other builds in the MDM enrollment UI. The opaque security token that is returned from WAB as an endpage will be used by the enrollment client as the device security secret during the client certificate enrollment request call.
-> **Note** Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
+>[!Note]
+>Instead of relying on the user agent string that is passed during authentication to get information, such as the OS version, use the following guidance:
> - Parse the OS version from the data sent up during the discovery request.
> - Append the OS version as a parameter in the AuthenticationServiceURL.
> - Parse out the OS version from the AuthenticiationServiceURL when the OS sends the response for authentication.
-
-
A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist.
-> **Note** The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
-
-
+>[!Note]
+>The enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser-implemented.
The following are the explicit requirements for the server.
@@ -237,7 +230,6 @@ The following example shows a response received from the discovery web service w
## Enrollment policy web service
-
Policy service is optional. By default, if no policies are specified, the minimum key length is 2k and the hash algorithm is SHA-1.
This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.
@@ -302,9 +294,8 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows device, we will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
-> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
-
-
+>[!Note]
+>The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
The following snippet shows the policy web service response.
@@ -387,7 +378,6 @@ The following snippet shows the policy web service response.
## Enrollment web service
-
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client.
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies, and can vary depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS\#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS\#10 certificate request is accepted by the certification authority (CA) (the key length, hashing algorithm, and so on match the certificate template), the client can enroll successfully.
@@ -396,9 +386,8 @@ Note that the RequestSecurityToken will use a custom TokenType (http: **Note** The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
-
-
+>[!Note]
+>The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for federated authentication.
@@ -487,9 +476,8 @@ The following example shows the enrollment web service request for federated aut
After validating the request, the web service looks up the assigned certificate template for the client, update it if needed, sends the PKCS\#10 requests to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).
-> **Note** The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
-
-
+>[!Note]
+>The HTTP server response must not set Transfer-Encoding to Chunked; it must be sent as one message.
Similar to the TokenType in the RST, the RSTR will use a custom ValueType in the BinarySecurityToken (http://schemas.microsoft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc), because the token is more than an X.509 v3 certificate.
@@ -640,11 +628,3 @@ The following code shows sample provisioning XML (presented in the preceding pac
- The **PrivateKeyContainer** characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the **PROVIDER-ID**, **NAME**, and **ADDR** parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the device can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique.
- Also important is SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.
- CertificateStore/WSTEP enables certificate renewal. If the server does not support it, do not set it.
-
-
-
-
-
-
-
-
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 1d91d3ec3b..1b6590f392 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -14,7 +14,6 @@ ms.date: 08/11/2017
# Mobile device enrollment
-
Mobile device enrollment is the first phase of enterprise management. The device is configured to communicate with the MDM server using security precautions during the enrollment process. The enrollment service verifies that only authenticated and authorized devices can be managed by their enterprise.
The enrollment process includes the following steps:
@@ -33,21 +32,20 @@ The enrollment process includes the following steps:
## Enrollment protocol
-
There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
The enrollment process involves the following steps:
-**Discovery request**
+### Discovery request
The discovery request is a simple HTTP post call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL, and the user credential type.
-**Certificate enrollment policy**
+### Certificate enrollment policy
The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in \[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse). For more information, see [\[MS-XCEP\]: X.509 Certificate Enrollment Policy Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619345)
-**Certificate enrollment**
+### Certificate enrollment
The certificate enrollment is an implementation of the MS-WSTEP protocol.
-**Management configuration**
+### Management configuration
The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by enterprise CA, DM client bootstrap information (for the client to communicate with the management server), an enterprise application token (for the user to install enterprise applications), and the link to download the Company Hub application.
The following topics describe the end-to-end enrollment process using various authentication methods:
@@ -56,19 +54,18 @@ The following topics describe the end-to-end enrollment process using various au
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
- [On-premise authentication device enrollment](on-premise-authentication-device-enrollment.md)
-> **Note** As a best practice, do not use hardcoded server-side checks on values such as:
+>[!Note]
+>As a best practice, do not use hardcoded server-side checks on values such as:
> - User agent string
> - Any fixed URIs that are passed during enrollment
> - Specific formatting of any value unless otherwise noted, such as the format of the device ID.
-
## Enrollment support for domain-joined devices
-
+
Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in **Settings**. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
## Disable MDM enrollments
-
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.

@@ -89,7 +86,6 @@ The following scenarios do not allow MDM enrollments:
## Enrollment migration
-
**Desktop:** After the MDM client upgrade from Windows 8.1 to Windows 10, enrollment migration starts at the first client-initiated sync with the MDM service. The enrollment migration start time depends on the MDM server configuration. For example, for Intune it runs every 6 hours.
Until the enrollment migration is completed, the user interface will show no enrollment and server push will not work.
@@ -100,7 +96,6 @@ To manually trigger enrollment migration, you can run MDMMaintenenceTask.
## Enrollment error messages
-
The enrollment server can decline enrollment messages using the SOAP Fault format. Errors created can be sent as follows:
```xml
@@ -196,8 +191,6 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
-
-
In Windows 10, version 1507, we added the deviceenrollmentserviceerror element. Here is an example:
```xml
@@ -291,13 +284,10 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
-
-
TraceID is a freeform text node which is logged. It should identify the server side state for this enrollment attempt. This information may be used by support to look up why the server declined the enrollment.
## Related topics
-
- [MDM enrollment of Windows-based devices](mdm-enrollment-of-windows-devices.md)
- [Federated authentication device enrollment](federated-authentication-device-enrollment.md)
- [Certificate authentication device enrollment](certificate-authentication-device-enrollment.md)
diff --git a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
index 22c3ac4fbe..8b8510e448 100644
--- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
@@ -30,7 +30,7 @@ For the list of enrollment scenarios not supported in Windows 10, see [Enrollme
The discovery web service provides the configuration information necessary for a user to enroll a device with a management service. The service is a restful web service over HTTPS (server authentication only).
-> [!NOTE]
+>[!NOTE]
>The administrator of the discovery service must create a host with the address enterpriseenrollment.*domain\_name*.com.
The device’s automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain “enterpriseenrollment” to the domain of the email address, and by appending the path “/EnrollmentServer/Discovery.svc”. For example, if the email address is “sample@contoso.com”, the resulting URI for first Get request would be: http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc
@@ -78,7 +78,7 @@ The following logic is applied:
- If the device is not redirected, it prompts the user for the server address.
- If the device is redirected, it prompts the user to allow the redirect.
-The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address
+The following example shows a request via an HTTP POST command to the discovery web service given user@contoso.com as the email address:
```
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc
@@ -129,7 +129,7 @@ The discovery response is in the XML format and includes the following fields:
- Authentication policy (AuthPolicy) – Indicates what type of authentication is required. For the MDM server, OnPremise is the supported value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
- Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication, and term of usage acceptance.
-> [!NOTE]
+>[!NOTE]
>The HTTP server response must not be chunked; it must be sent as one message.
The following example shows a response received from the discovery web service for OnPremise authentication:
@@ -214,7 +214,7 @@ After the user is authenticated, the web service retrieves the certificate templ
MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. We will first support the minimalKeyLength, the hashAlgorithmOIDReference policies, and the CryptoProviders. The hashAlgorithmOIDReference has related OID and OIDReferenceID and policySchema in the GetPolicesResponse. The policySchema refers to the certificate template version. Version 3 of MS-XCEP supports hashing algorithms.
-> [!NOTE]
+>[!NOTE]
>The HTTP server response must not be chunked; it must be sent as one message.
The following snippet shows the policy web service response.
@@ -306,7 +306,7 @@ The RequestSecurityToken will use a custom TokenType (http://schema
The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return device-specific and version-specific DM configuration.
-> [!NOTE]
+>[!NOTE]
>The policy service and the enrollment service must be on the same server; that is, they must have the same host name.
The following example shows the enrollment web service request for OnPremise authentication.
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
index c2d53844a7..4d8b9d2e78 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@@ -26,11 +26,13 @@ In Windows 10, version 1703 and later, the Windows Defender app is part of the W
Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703.
-> [!IMPORTANT]
-> Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
->It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
->This will significantly lower the protection of your device and could lead to malware infection.
+>[!IMPORTANT]
+>Disabling the Windows Security Center service will not disable Microsoft Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date.
+>If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device.
+>It may also prevent Microsoft Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed.
+
+>This will significantly lower the protection of your device and could lead to malware infection.
See the [Windows Security article](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app.
@@ -46,7 +48,7 @@ The Windows Security app is a client interface on Windows 10, version 1703 and l
## Comparison of settings and functions of the old app and the new app
-All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
+All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app.
The following diagrams compare the location of settings and functions between the old and new apps:
@@ -66,8 +68,8 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De
This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Microsoft Defender Antivirus in the Windows Security app.
-> [!NOTE]
-> If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured.
+>[!NOTE]
+>If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Microsoft Defender Antivirus](configure-end-user-interaction-microsoft-defender-antivirus.md) topic describes how local policy override settings can be configured.
@@ -95,7 +97,6 @@ This section describes how to perform some of the most common tasks when reviewi
4. Click **Check for updates** to download new protection updates (if there are any).
-
### Ensure Microsoft Defender Antivirus is enabled in the Windows Security app
1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@@ -110,7 +111,6 @@ This section describes how to perform some of the most common tasks when reviewi
>If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats.
>If you install another antivirus product, Microsoft Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-microsoft-defender-antivirus.md).
-
### Add exclusions for Microsoft Defender Antivirus in the Windows Security app
@@ -135,21 +135,19 @@ The following table summarizes exclusion types and what happens:
|**File type** |File extension
Example: `.test` |All files with the `.test` extension anywhere on your device are skipped by Microsoft Defender Antivirus. |
|**Process** |Executable file path
Example: `c:\test\process.exe` |The specific process and any files that are opened by that process are skipped by Microsoft Defender Antivirus. |
-To learn more, see:
+To learn more, see:
- [Configure and validate exclusions based on file extension and folder location](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus)
- [Configure exclusions for files opened by processes](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus)
### Review threat detection history in the Windows Defender Security Center app
- 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or
- searching the start menu for **Defender**.
-
- 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
-
- 3. Click **Threat history**
+ 1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
- 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**,
- **Allowed threats**).
+ 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar).
+
+ 3. Click **Threat history**
+
+ 4. Click **See full history** under each of the categories (**Current threats**, **Quarantined threats**, **Allowed threats**).
@@ -167,6 +165,4 @@ To learn more, see:
## Related articles
-- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
-
-
+- [Microsoft Defender Antivirus](microsoft-defender-antivirus-in-windows-10.md)
\ No newline at end of file