Merge pull request #1228 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
2025-06-16 10:53:43 +00:00 · 2019-09-27 16:49:50 -07:00
parent c670bbfecd 8604d3989b
commit 3a2766350e
11 changed files with 43 additions and 48 deletions
--- a/.gitignore
+++ b/.gitignore
@ -5,7 +5,8 @@ obj/
 _site/
 Tools/NuGet/
 .optemp/
-
+Thumbs.db
 .DS_Store
 .openpublishing.build.mdproj
 .openpublishing.buildcore.ps1
--- a/education/trial-in-a-box/images/Thumbs.db
+++ b/education/trial-in-a-box/images/Thumbs.db
--- a/windows/client-management/mdm/rootcacertificates-csp.md
+++ b/windows/client-management/mdm/rootcacertificates-csp.md
@ -23,7 +23,9 @@ The RootCATrustedCertificates configuration service provider enables the enterpr
 The following image shows the RootCATrustedCertificates configuration service provider in tree format.
-![roocacertificate](images/provisioning-csp-rootcacertificate.png)
+Detailed specification of the principal root nodes:
 ![rootcacertificate](images/provisioning-csp-rootcacertificate.png)
 <a href="" id="device-or-user"></a>**Device or User**  
 For device certificates, use **./Device/Vendor/MSFT** path and for user certificates use **./User/Vendor/MSFT** path.
@ -37,7 +39,6 @@ Defines the certificate store that contains root, or self-signed certificates, i
 > [!Note]
 > The **./User/** configuration is not supported for **RootCATrustedCertificates/Root/**.
 <a href="" id="rootcatrustedcertificates-ca"></a>**RootCATrustedCertificates/CA**  
 Node for CA certificates.
@ -48,42 +49,30 @@ Node for trusted publisher certificates.
 Node for trusted people certificates.
 <a href="" id="rootcatrustedcertificates-untrustedcertificates"></a>**RootCATrustedCertificates/UntrustedCertificates**  
-Addeded in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable.
+Added in Windows 10, version 1803. Node for certificates that are not trusted. IT admin can use this node to immediately flag certificates that have been compromised and no longer usable.
 <a href="" id="certhash"></a>**_CertHash_**  
-Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value.
+Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. This node is common for all the principal root nodes.  The supported operations are Get and Delete.
-The supported operations are Get and Delete.
+The following nodes are all common to the **_CertHash_** node:
 <a href="" id="-encodedcertificate"></a>**/EncodedCertificate**  
-Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.
+Specifies the X.509 certificate as a Base64-encoded string. The Base-64 string value cannot include extra formatting characters such as embedded linefeeds, etc.  The supported operations are Add, Get, and Replace.
 The supported operations are Add, Get, and Replace.
 <a href="" id="-issuedby"></a>**/IssuedBy**  
-Returns the name of the certificate issuer. This is equivalent to the **Issuer** member in the CERT\_INFO data structure.
+Returns the name of the certificate issuer. This is equivalent to the **Issuer** member in the CERT\_INFO data structure.  The only supported operation is Get.
 The only supported operation is Get.
 <a href="" id="-issuedto"></a>**/IssuedTo**  
-Returns the name of the certificate subject. This is equivalent to the **Subject** member in the CERT\_INFO data structure.
+Returns the name of the certificate subject. This is equivalent to the **Subject** member in the CERT\_INFO data structure.  The only supported operation is Get.
 The only supported operation is Get.
 <a href="" id="-validfrom"></a>**/ValidFrom**  
-Returns the starting date of the certificate's validity. This is equivalent to the **NotBefore** member in the CERT\_INFO data structure.
+Returns the starting date of the certificate's validity. This is equivalent to the **NotBefore** member in the CERT\_INFO data structure.  The only supported operation is Get.
 The only supported operation is Get.
 <a href="" id="-validto"></a>**/ValidTo**  
-Returns the expiration date of the certificate. This is equivalent to the **NotAfter** member in the CERT\_INFO data structure.
+Returns the expiration date of the certificate. This is equivalent to the **NotAfter** member in the CERT\_INFO data structure.  The only supported operation is Get.
 The only supported operation is Get.
 <a href="" id="-templatename"></a>**/TemplateName**  
-Returns the certificate template name.
+Returns the certificate template name.  The only supported operation is Get.
 The only supported operation is Get.
 ## Related topics
--- a/windows/deployment/update/device-health-using.md
+++ b/windows/deployment/update/device-health-using.md
@ -2,7 +2,7 @@
 title: Using Device Health
 ms.reviewer: 
 manager: laurawi
-description: Explains how to begin usihg Device Health.
+description: Explains how to begin using Device Health.
 ms.prod: w10
 ms.mktglfcycl: deploy
 keywords: oms, operations management suite, wdav, health, log analytics
@ -93,7 +93,7 @@ Clicking a listed driver on the Driver-Induced OS Crashes blade opens a driver p
 ![Driver detail and history](images/driver-detail-1-sterile.png)
 ![Driver detail and history scrolldown](images/driver-detail-2-sterile.png)
-The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overal number of crashes in your organization.
+The driver version table can help you determine whether deploying a newer version of the driver might help you reduce the crash rate. In the example shown above, the most commonly installed driver version (19.15.1.5) has a crash rate of about one-half of one percent--this is low, so this driver is probably fine. However, driver version 19.40.0.3 has a crash rate of almost 20%. If that driver had been widely deployed, updating it would substantially reduce the overall number of crashes in your organization.
 ## App Reliability
@ -194,7 +194,8 @@ For example:
 *DHAppReliability | where AppFileDisplayName == "Microsoft Outlook"*
-
+#### Why does the computer name show up as Unknown?
 Starting with Windows 10, version 1803, the device name is no longer collected by default and requires a separate opt-in. For more information, see [Enrolling devices in Windows Analytics.](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) Allowing device names to be collected can make it easier for you to identify individual devices that report problems. Without the device name, Windows Analytics can only label devices by a GUID that it generates.
 ## Login Health
@ -206,7 +207,7 @@ The Login Health blades appear in the Device Health dashboard:
 ![Main Login health view](images/login-health.png)
 ### Login Errors
-The **Login errors** blade displays data on the frequency and type of errors, with statistics on specific errors. They are generally categorized into user-generated (caused by bad input) or non-user-generated (might need IT intervention) errors. Click any individual error to see all instances of the error's occurence for the specified time period.
+The **Login errors** blade displays data on the frequency and type of errors, with statistics on specific errors. They are generally categorized into user-generated (caused by bad input) or non-user-generated (might need IT intervention) errors. Click any individual error to see all instances of the error's occurrence for the specified time period.
 ### Login Metrics by Type
 The **Login metrics by type** blade shows the success rate for your devices, as well as the success rate for other environments with a mix of operating system versions and device models similar to yours (the **Commercial average success rate**).
@ -303,7 +304,7 @@ You can run these queries from the Azure Portal **Log Search** interface (availa
 ### Exporting data and configuring alerts
-Azure Portal enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automaticlaly on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set.
+Azure Portal enables you to export data to other tools. To do this, in any view that shows **Log Search** just click the **Export** button. Similarly, clicking the **Alert** button will enable you to run a query automatically on a schedule and receive email alerts for particular query results that you set. If you have a PowerBI account, then you will also see a **PowerBI** button that enables you to run a query on a schedule and have the results automatically saved as a PowerBI data set.
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@ -27,7 +27,7 @@ The following table provides information about common errors you might run into
 |                0x8024402F                | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS |                    External cab file processing completed with some errors                    |                                                                                               One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering. <br>The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed                                                                                               |
 |                0x80242006                |      WU_E_UH_INVALIDMETADATA      |   A handler operation could not be completed because the update contains invalid metadata.    | Rename Software Redistribution Folder and attempt to download the updates again: <br>Rename the following folders to \*.BAK: <br>- %systemroot%\system32\catroot2 <br><br>To do this, type the following commands at a command prompt. Press ENTER after you type each command.<br>- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak<br>- Ren %systemroot%\SoftwareDistribution\Download \*.bak<br>Ren %systemroot%\system32\catroot2 \*.bak |
 |                0x80070BC9                |    ERROR_FAIL_REBOOT_REQUIRED     |    The requested operation failed. A system reboot is required to roll back changes made.     |                                                                                                                          Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS.                                                                                                                          |
-|                0x80200053                |      BG_E_VALIDATION_FAILED       |                                              NA                                               |                                                                  Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.<br><br>If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).                                                                  |
+|                0x80200053                |      BG_E_VALIDATION_FAILED       |                                              NA                                               |                                                                  Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.<br><br>If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).                                                                  |
 |                0x80072EE2                |         WININET_E_TIMEOUT         |                                    The operation timed out                                    |                   This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked: <br> http://<em>.update.microsoft.com<br>https://</em>.update.microsoft.com <br><http://download.windowsupdate.com>  <br><br>Additionally , you can take a network trace and see what is timing out. \<Refer to Firewall Troubleshooting scenario>                   |
 | 0x80072EFD <br>0x80072EFE <br>0x80D02002 |          TIME_OUT_ERRORS          |                                    The operation timed out                                    |                                                                                                                                Make sure there are no firewall rules or proxy to block Microsoft download URLs. <br>Take a network monitor trace to understand better. \<Refer to Firewall Troubleshooting scenario>                                                                                                                                 |
 |                0X8007000D                |        ERROR_INVALID_DATA         |                   Indicates invalid data downloaded or corruption occurred.                   |                                                                                                                                                                                            Attempt to re-download the update and initiate installation.                                                                                                                                                                                             |
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@ -10,7 +10,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
-audience: itpro
+audience: itpro
 author: greg-lindsay
 ms.localizationpriority: medium
 ms.date: 07/27/2017
 ms.topic: article
@ -24,6 +25,7 @@ ms.topic: article
 -   Windows Server 2012 R2
 -   Windows Server 2012
 -   Windows Server 2016
 -   Windows Server 2019
 **Looking for retail activation?**
 -   [Get Help Activating Microsoft Windows](https://go.microsoft.com/fwlink/p/?LinkId=618644)
@ -44,7 +46,7 @@ The process proceeds as follows:
 For environments in which all computers are running Windows 10, Windows 8.1, Windows 8, Windows Server 2012, or Windows Server 2012 R2, and they are joined to a domain, Active Directory-based activation is the best option for activating all client computers and servers, and you may be able to remove any KMS hosts from your environment.
 If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
-If an environment will continue to contain earlier volume licensing operating systems and applications or if you have workgroup computers outside the domain, you need to maintain a KMS host to maintain activation status for earlier volume licensing editions of Windows and Office.
+Clients that are activated with Active Directory-based activation will maintain their activated state for up to 180 days since the last contact with the domain, but they will periodically attempt to reactivate before then and at the end of the 180 day period. By default, this reactivation event occurs every seven days.
 When a reactivation event occurs, the client queries AD DS for the activation object. Client computers examine the activation object and compare it to the local edition as defined by the GVLK. If the object and GVLK match, reactivation occurs. If the AD DS object cannot be retrieved, client computers use KMS activation. If the computer is removed from the domain, when the computer or the Software Protection service is restarted, the operating system will change the status from activated to not activated, and the computer will try to activate with KMS.
 ## Step-by-step configuration: Active Directory-based activation
 **Note**  
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md
@ -23,12 +23,9 @@ ms.reviewer:
 -   On-premises deployment
 -   Certificate trust
 You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings.  To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
 Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
 Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
 On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings:
 * Enable Windows Hello for Business
 * Use certificate for on-premises authentication
@ -38,7 +35,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs th
 The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business.
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business .
 ## Use certificate for on-premises authentication
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@ -400,7 +400,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
 **Reference**
-This policy setting is only enforced when BitLocker or device encyption is enabled. As explained in the [Microoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105).
+This policy setting is only enforced when BitLocker or device encryption is enabled. As explained in the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105).
 ### <a href="" id="bkmk-dpinchange"></a>Disallow standard users from changing the PIN or password
@ -2435,7 +2435,7 @@ You can configure the Federal Information Processing Standard (FIPS) setting for
 </tr>
 <tr class="even">
 <td align="left"><p><strong>When enabled</strong></p></td>
-<td align="left"><p>Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup izard to create a recovery password.</p></td>
+<td align="left"><p>Users will be unable to save a recovery password to any location. This includes AD DS and network folders. In addition, you cannot use WMI or the BitLocker Drive Encryption Setup wizard to create a recovery password.</p></td>
 </tr>
 <tr class="odd">
 <td align="left"><p><strong>When disabled or not configured</strong></p></td>
--- a/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/manage-automation-folder-exclusions.md
@ -80,5 +80,5 @@ You can specify the file names that you want to be excluded in a specific direct
 ## Related topics
- [Manage automation allowed/blocked lists](manage-automation-allowed-blocked-list.md)
+- [Manage automation allowed/blocked lists](manage-indicators.md)
 - [Manage automation file uploads](manage-automation-file-uploads.md)
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
@ -44,16 +44,16 @@ Rules wizard and the **Audit only** enforcement configuration to assist you with
 Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer.
-Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules 
+Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
 initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
->**Tip:**  If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker.
+> [!TIP]
 > If you run Application Verifier against a custom application with any AppLocker policies enabled, it might prevent the application from running. You should either disable Application Verifier or AppLocker.  
 You can create an inventory of Universal Windows apps on a device by using two methods: the **Get-AppxPackage** Windows PowerShell cmdlet or the AppLocker console.
-The following topics in the [AppLocker Step-by-Step Guide](https://go.microsoft.com/fwlink/p/?LinkId=160261) describe how to perform each method:
+The following topics describe how to perform each method:
-   [Automatically generating executable rules from a reference computer](https://go.microsoft.com/fwlink/p/?LinkId=160264)
+-   [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
-   [Using auditing to track which apps are used](https://go.microsoft.com/fwlink/p/?LinkId=160281)
+-   [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
 ### Prerequisites to completing the inventory
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@ -61,18 +61,23 @@ For both event subscriptions and local events, you can use the **Get-AppLockerFi
 Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure.
->**Note:**  If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.
+> [!NOTE]
 > If the AppLocker logs are not on your local device, you will need permission to view the logs. If the output is saved to a file, you will need permission to read that file.
 **To review AppLocker events with Get-AppLockerFileInformation**
 1.  At the command prompt, type **PowerShell**, and then press ENTER.
 2.  Run the following command to review how many times a file would have been blocked from running if rules were enforced:
-    `Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics`
+    ```powershell
    Get-AppLockerFileInformation –EventLog –EventType Audited –Statistics
    ```
 3.  Run the following command to review how many times a file has been allowed to run or prevented from running:
-    `Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics`
+    ```powershell
    Get-AppLockerFileInformation –EventLog –EventType Allowed –Statistics
    ```
 ### <a href="" id="bkmk-applkr-view-log"></a>View the AppLocker Log in Event Viewer