From 9dc17a174aad221c380d0b06d1bbac83cb59f096 Mon Sep 17 00:00:00 2001 From: Seth Moore Date: Thu, 22 Sep 2016 08:26:49 -0700 Subject: [PATCH 1/5] Make protocol limitations more explicit Previously, the doc incorrectly stated some things were not allowed at all. These are allowed, just not with sign-on credentials. --- windows/keep-secure/credential-guard.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 55180bcbe5..068f9e099f 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -30,7 +30,9 @@ Credential Guard isolates secrets that previous versions of Windows stored in th For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment. -Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption. +Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases. + +Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used. Here's a high-level overview on how the LSA is isolated by using virtualization-based security: From 7e032436e2dc83835eef46b9182c38dd959b1319 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 09:02:28 -0700 Subject: [PATCH 2/5] Removed Azure AD reference --- windows/manage/manage-cortana-in-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md index 36b77add2e..ff1aec9da2 100644 --- a/windows/manage/manage-cortana-in-enterprise.md +++ b/windows/manage/manage-cortana-in-enterprise.md @@ -56,7 +56,7 @@ Set up and manage Cortana by using the following Group Policy and mobile device |Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

**Note**
This setting only applies to Windows 10 for desktop devices. | |Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | |None |System/AllowLocation |Specifies whether to allow app access to the Location service.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | -|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

Use this setting if you only want to support Azure AD in your organization. | +|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps. | |Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. | |Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | |User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. | From 240f2c57dca0f0ebc8d8941e705d4cf78e64ae1d Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 09:06:13 -0700 Subject: [PATCH 3/5] removed extra ) --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 1e0440958f..7008921d95 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -63,7 +63,7 @@ There are a few more item to consider before you start the [first-run program](f You can use provisioning packages to add certificates, customize settings and install apps. See [Create provisioning packages](provisioning-packages-for-certificates-surface-hub.md) for details. You can [install provisioning packages at first-run](first-run-program-surface-hub.md#first-page). ### Set up admin groups -Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins)). +Every Surface Hub can be configured locally using the Settings app on the device. To prevent unauthorized users from changing settings, the Settings app requires admin credentials to open the app. See [Admin group management](admin-group-management-for-surface-hub.md) for details on how admin groups are set up and managed. You will [set up admins for the device at first run](first-run-program-surface-hub.md#setup-admins). ### Review and complete Surface Hub setup worksheet (optional) When you go through the first-run program for your Surface Hub, there's some information that you'll need to supply. The setup worksheet summarizes that info, and provides lists of environment-specific info that you'll need when you go through the first-run program. For more information, see [Setup worksheet](setup-worksheet-surface-hub.md). From c1b4c901aecddd485be14430b484c3a2297598d5 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 22 Sep 2016 09:07:04 -0700 Subject: [PATCH 4/5] typo in link causing build errors --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 7008921d95..0872e5b054 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -52,7 +52,7 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. After you've created your device account, there are a couple of ways to verify that it's setup correctly. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. +- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. - Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. From a7082a06081020ae8c80c3a7571426d6c4145980 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 22 Sep 2016 09:13:15 -0700 Subject: [PATCH 5/5] fixing link --- .../surface-hub/prepare-your-environment-for-surface-hub.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 1e0440958f..128c83e930 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -52,8 +52,8 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, and send email. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. After you've created your device account, there are a couple of ways to verify that it's setup correctly. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scipts-for-surface-hub.md) later in this guide. -- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. +- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. +- Use the account with the [Lync Windows Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. ## Prepare for first-run program