diff --git a/.gitignore b/.gitignore index f774b7e22a..4d2ce285a9 100644 --- a/.gitignore +++ b/.gitignore @@ -5,7 +5,8 @@ obj/ _site/ Tools/NuGet/ .optemp/ - +Thumbs.db +.DS_Store .openpublishing.build.mdproj .openpublishing.buildcore.ps1 diff --git a/education/trial-in-a-box/images/Thumbs.db b/education/trial-in-a-box/images/Thumbs.db deleted file mode 100644 index d36fc0c985..0000000000 Binary files a/education/trial-in-a-box/images/Thumbs.db and /dev/null differ diff --git a/windows/client-management/mdm/rootcacertificates-csp.md b/windows/client-management/mdm/rootcacertificates-csp.md index 453649322c..132e196cc0 100644 --- a/windows/client-management/mdm/rootcacertificates-csp.md +++ b/windows/client-management/mdm/rootcacertificates-csp.md @@ -23,7 +23,9 @@ The RootCATrustedCertificates configuration service provider enables the enterpr   The following image shows the RootCATrustedCertificates configuration service provider in tree format. -![roocacertificate](images/provisioning-csp-rootcacertificate.png) +Detailed specification of the principal root nodes: + +![rootcacertificate](images/provisioning-csp-rootcacertificate.png) **Device or User** For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path. @@ -37,7 +39,6 @@ Defines the certificate store that contains root, or self-signed certificates, i > [!Note] > The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**. -  **RootCATrustedCertificates/CA** Node for CA certificates. 
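Review bot: the new lead-in "Detailed specification of the principal root nodes:" in the rootcacertificates-csp.md hunk at @@ -23,7 +23,9 is inserted between the sentence "The following image shows the RootCATrustedCertificates configuration service provider in tree format." and the image that sentence introduces, so two lead-ins now compete for the same picture. Move the new sentence below the image, directly above the **Device or User** entry where the per-node descriptions begin. The alt-text fix (roocacertificate to rootcacertificate) is fine, and removing the stray non-breaking-space line in the following hunk is harmless.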
@@ -48,42 +49,30 @@ Node for trusted publisher certificates. Node for trusted people certificates. **RootCATrustedCertificates/UntrustedCertificates** -Addeded in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. +Added in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable. **_CertHash_** -Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. +Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. This node is common for all the principal root nodes. The supported operations are Get and Delete. -The supported operations are Get and Delete. +The following nodes are all common to the **_CertHash_** node: **/EncodedCertificate** -Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. - -The supported operations are Add, Get, and Replace. +Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc. The supported operations are Add, Get, and Replace. **/IssuedBy** -Returns the name of the certificate issuer. This is equivalent to the **Issuer** member in the CERT\_INFO data structure. - -The only supported operation is Get. +Returns the name of the certificate issuer. This is equivalent to the **Issuer** member in the CERT\_INFO data structure. The only supported operation is Get. **/IssuedTo** -Returns the name of the certificate subject. This is equivalent to the **Subject** member in the CERT\_INFO data structure. - -The only supported operation is Get. 
+Returns the name of the certificate subject. This is equivalent to the **Subject** member in the CERT\_INFO data structure. The only supported operation is Get. **/ValidFrom** -Returns the starting date of the certificate's validity. This is equivalent to the **NotBefore** member in the CERT\_INFO data structure. - -The only supported operation is Get. +Returns the starting date of the certificate's validity. This is equivalent to the **NotBefore** member in the CERT\_INFO data structure. The only supported operation is Get. **/ValidTo** -Returns the expiration date of the certificate. This is equivalent to the **NotAfter** member in the CERT\_INFO data structure. - -The only supported operation is Get. +Returns the expiration date of the certificate. This is equivalent to the **NotAfter** member in the CERT\_INFO data structure. The only supported operation is Get. **/TemplateName** -Returns the certificate template name. - -The only supported operation is Get. +Returns the certificate template name. The only supported operation is Get. ## Related topics diff --git a/windows/deployment/update/device-health-using.md b/windows/deployment/update/device-health-using.md index 72d8385c62..d2d9086345 100644 --- a/windows/deployment/update/device-health-using.md +++ b/windows/deployment/update/device-health-using.md @@ -2,7 +2,7 @@ title: Using Device Health ms.reviewer: manager: laurawi -description: Explains how to begin usihg Device Health. +description: Explains how to begin using Device Health. ms.prod: w10 ms.mktglfcycl: deploy keywords: oms, operations management suite, wdav, health, log analytics 
@@ -93,7 +93,7 @@ Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver p ![Driver detail and history](images/driver-detail-1-sterile.png) ![Driver detail and history scrolldown](images/driver-detail-2-sterile.png) -The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overal number of crashes in your organization. +The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overall number of crashes in your organization. ## App Reliability @@ -194,7 +194,8 @@ For example: *DHAppReliability | where AppFileDisplayName == "Microsoft Outlook"* - +#### Why does the computer name show up as Unknown? +Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics.](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates. ## Login Health 
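Review bot: the link text in the new FAQ entry carries the period inside the brackets ("[Enrolling devices in Windows Analytics.](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started)"), so the rendered link ends with a period; move it outside the closing bracket. Also check the heading level: the entry is `####` and lands directly after the `DHAppReliability | where AppFileDisplayName == "Microsoft Outlook"` query example and immediately before `## Login Health`, so it needs an existing `###` parent in the App Reliability section or it will render as an orphaned sub-heading. The substance is worth keeping: it tells admins that device names are opt-in from Windows 10, version 1803 onward and that without the opt-in a device is identifiable only by the GUID Windows Analytics generates.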
@@ -206,7 +207,7 @@ The Login Health blades appear in the Device Health dashboard: ![Main Login health view](images/login-health.png) ### Login Errors -The **Login errors** blade displays data on the frequency and type of errors, with statistics on specific errors. They are generally categorized into user-generated (caused by bad input) or non-user-generated (might need IT intervention) errors. Click any individual error to see all instances of the error's occurence for the specified time period. +The **Login errors** blade displays data on the frequency and type of errors, with statistics on specific errors. They are generally categorized into user-generated (caused by bad input) or non-user-generated (might need IT intervention) errors. Click any individual error to see all instances of the error's occurrence for the specified time period. ### Login Metrics by Type The **Login metrics by type** blade shows the success rate for your devices, as well as the success rate for other environments with a mix of operating system versions and device models similar to yours (the **Commercial average success rate**). 
@@ -303,7 +304,7 @@ You can run these queries from the Azure Portal **Log Search** interface (availa ### Exporting data and configuring alerts -Azure Portal enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automaticlaly on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set. +Azure Portal enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automatically on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set. diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md index b39238347d..049bedc236 100644 --- a/windows/deployment/update/windows-update-errors.md +++ b/windows/deployment/update/windows-update-errors.md 
@@ -27,7 +27,7 @@ The following table provides information about common errors you might run into | 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS. | | 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). | | 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://
.update.microsoft.com


Additionally , you can take a network trace and see what is timing out. \ | -| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME OUT ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | +| 0x80072EFD
0x80072EFE 
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \ | | 0X8007000D | ERROR_INVALID_DATA | Indicates invalid data downloaded or corruption occurred. | Attempt to re-download the update and initiate installation. | | 0x8024A10A | USO_E_SERVICE_SHUTTING_DOWN | Indicates that the WU Service is shutting down. | This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. | | 0x80240020 | WU_E_NO_INTERACTIVE_USER | Operation did not complete because there is no logged-on interactive user. | Please login to the system to initiate the installation and allow the system to be rebooted. | diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md index 2ab639a904..2ca4a9039b 100644 --- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md +++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md @@ -10,7 +10,8 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: activation -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.localizationpriority: medium ms.date: 07/27/2017 ms.topic: article @@ -24,6 +25,7 @@ ms.topic: article - Windows Server 2012 R2 - Windows Server 2012 - Windows Server 2016 +- Windows Server 2019 **Looking for retail activation?** - [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644) 
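Review bot: adding "- Windows Server 2019" to the applies-to list leaves the body out of sync: the paragraph in the next hunk still says "For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2 ... Active Directory-based activation is the best option", which omits Windows Server 2016 (already in the list) and now 2019 as well. Update that sentence to match the list, and since the content changed, bump `ms.date` from 07/27/2017 in the front matter. Splitting `audience: itpro author: greg-lindsay` onto two lines in the preceding hunk is the right fix; a single line carrying two keys is not valid front matter and silently dropped the author field.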
@@ -44,7 +46,7 @@ The process proceeds as follows: For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment. If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office. -Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180day period. By default, this reactivation event occurs every seven days. +Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days. When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS. ## Step-by-step configuration: Active Directory-based activation **Note**   
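Review bot: "180 day period" should be hyphenated as "180-day period", since it is a compound modifier; "180day" to "180 day" only fixes half the problem. The same sentence reads more cleanly as "for up to 180 days after the last contact with the domain".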
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index c9b80af1e6..b353c305a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -23,12 +23,9 @@ ms.reviewer: - On-premises deployment - Certificate trust - You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. -Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. - On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business * Use certificate for on-premises authentication 
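Review bot: this hunk deletes the prerequisite paragraphs (the Windows 10, version 1703 workstation or Remote Server Administration Tools requirement for the Group Policy Management Console, the Download Center link, and the .ADMX/.ADML Central Store alternative) with nothing in their place, so the section now opens directly with "On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings". If that guidance was moved to a prerequisites or preparation page, add a one-line pointer to it here; otherwise readers lose the fact that the Windows Hello for Business and PIN Complexity settings only appear with the version 1703 administrative templates. While here, fix the retained context line: "deployments ... needs" should be "need".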
@@ -38,7 +35,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs th The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. -If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business . ## Use certificate for on-premises authentication diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md index 38e7cefb70..2d9a9c0ce6 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md 
@@ -400,7 +400,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p **Reference** -This policy setting is only enforced when BitLocker or device encyption is enabled. As explained in the [Microoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105). +This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105). ### Disallow standard users from changing the PIN or password @@ -2435,7 +2435,7 @@ You can configure the Federal Information Processing Standard (FIPS) setting for

When enabled

-

Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup izard to create a recovery password.

+

Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.

When disabled or not configured

diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md index a919bff814..04299aa29c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md @@ -80,5 +80,5 @@ You can specify the file names that you want to be excluded in a specific direct ## Related topics -- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md) +- [Manage automation allowed/blocked lists](manage-indicators.md) - [Manage automation file uploads](manage-automation-file-uploads.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index e0c0cb658f..1c46616481 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md 
@@ -44,16 +44,16 @@ Rules wizard and the **Audit only** enforcement configuration to assist you with Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer. -Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules -initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. +Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. 
However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully. ->**Tip:**  If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. +> [!TIP] +> If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker. You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console. -The following topics in the [AppLocker Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=160261) describe how to perform each method: +The following topics describe how to perform each method: -- [Automatically generating executable rules from a reference computer](https://go.microsoft.com/fwlink/p/?LinkId=160264) -- [Using auditing to track which apps are used](https://go.microsoft.com/fwlink/p/?LinkId=160281) +- [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md) +- [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) ### Prerequisites to completing the inventory 
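Review bot: replacing the opaque go.microsoft.com fwlinks with the relative links run-the-automatically-generate-rules-wizard.md and configure-an-applocker-policy-for-audit-only.md is an improvement, but verify both targets exist in the applocker folder, since a broken relative link is not visible in the diff. The rewritten lead-in "The following topics describe how to perform each method:" now sits directly after the sentence about inventorying Universal Windows apps with **Get-AppxPackage** or the AppLocker console, while the two linked topics cover the Automatically Generate Rules wizard and **Audit only** enforcement described earlier; either move the sentence and list up to follow the audit-only paragraph or reword it so "each method" points at the right pair. In the converted `> [!TIP]`, "You should either disable Application Verifier or AppLocker" can be read as advice to turn AppLocker off in production; say "disable one of the two while you test the application".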
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 9d03415f49..d0aa573b21 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -61,18 +61,23 @@ For both event subscriptions and local events, you can use the **Get-AppLockerFi Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. ->**Note:**  If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file. +> [!NOTE] +> If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file. **To review AppLocker events with Get-AppLockerFileInformation** 1. At the command prompt, type **PowerShell**, and then press ENTER. 2. Run the following command to review how many times a file would have been blocked from running if rules were enforced: - `Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics` + ```powershell + Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics + ``` 3. Run the following command to review how many times a file has been allowed to run or prevented from running: - `Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics` + ```powershell + Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics + ``` ### View the AppLocker Log in Event Viewer
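Review bot: adding `Thumbs.db` and `.DS_Store` to .gitignore does not untrack copies that are already committed, and this patch deletes only one (education/trial-in-a-box/images/Thumbs.db). Before merging, run `git ls-files -ci --exclude-standard` with the new .gitignore in place to list any other tracked files the two patterns now match, and remove them in the same change. The patterns themselves are unanchored, so they correctly apply in every directory, and dropping the blank line between `.optemp/` and `.openpublishing.build.mdproj` is harmless.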
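Review bot: in the rootcacertificates-csp.md hunk at @@ -48,42 +49,30, the added sentence "The following nodes are all common to the **_CertHash_** node:" is ambiguous; the leading slash on **/EncodedCertificate**, **/IssuedBy** and the rest marks them as child nodes, so say "The following child nodes exist under each **_CertHash_** node:". Likewise "This node is common for all the principal root nodes" reads better as "This node exists under each of the principal root nodes." Two smaller items in the same hunk: the **UntrustedCertificates** line still says "have been compromised and no longer usable" (needs "and are no longer usable"), and the **/EncodedCertificate** line mixes "Base64" and "Base-64" in one sentence. Folding each "The supported operations are ..." sentence into its description paragraph is fine.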
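Review bot: in windows-update-errors.md, changing "TIME OUT ERRORS" to "TIME_OUT_ERRORS" makes the cell look like a symbolic constant in the same column as real ones (ERROR_FAIL_REBOOT_REQUIRED, BG_E_VALIDATION_FAILED, WININET_E_TIMEOUT), but it is a made-up label, not a defined constant. Either list the actual constant for each of 0x80072EFD, 0x80072EFE and 0x80D02002, or keep a plain description such as "Time-out errors". The unchanged context in the same hunk also shows a rendering bug worth fixing while here: the wildcard hosts come out as "http://.update.microsoft.com" and "https://" followed by ".update.microsoft.com", meaning the `*` in `*.update.microsoft.com` is being consumed as markdown emphasis; escape it as `\*` or put the URLs in backticks. Finally, "Ensure that there is no Firewalls that filter downloads" should read "Ensure that no firewall filters downloads", and the remediation is better phrased as allowing the listed Microsoft update hosts through the firewall than as removing download filtering altogether.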
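Review bot: the only change in the hello-cert-trust-policy-settings.md hunk at @@ -38,7 +35,7 is a space inserted before the final period ("enroll for Windows Hello for Business ."); this looks accidental and should be reverted so the hunk drops out of the patch.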
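Review bot: in manage-automation-folder-exclusions.md the link target changes from manage-automation-allowed-blocked-list.md to manage-indicators.md, but the link text still reads "Manage automation allowed/blocked lists". Update the text to the new page's title (the file name suggests "Manage indicators") so readers are not sent to a page whose heading does not match the link they clicked.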
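Review bot: the two commands moved into ```powershell fences in monitor-application-usage-with-applocker.md still use en dashes (U+2013) in front of the parameter names (`–EventLog –EventType Audited –Statistics`). Now that they render as copyable code, switch them to ASCII hyphen-minus (`Get-AppLockerFileInformation -EventLog -EventType Audited -Statistics`), which matches the rest of the AppLocker documentation and does not depend on any shell or editor tolerating typographic dashes in pasted input. Converting the `>**Note:**` line to `> [!NOTE]` is correct.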