From 2424a85c9d48e37cb3ae9209e20b3fdf7b525f14 Mon Sep 17 00:00:00 2001 From: Mitch Lindgren Date: Wed, 6 Feb 2019 14:30:21 -0800 Subject: [PATCH 01/13] Fix incorrect information about PIN complexity policy PIN complexity group policy is only supported in Computer Configuration, not User Configuration. --- .../hello-for-business/hello-cert-trust-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index f33d7bbf02..4c008a5f24 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -126,7 +126,7 @@ Windows 10 provides eight PIN Complexity Group Policy settings that give you gra * Require special characters * Require uppercase letters -In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under Administrative Templates\System\PIN Complexity under both the Computer and User Configuration nodes of the Group Policy editor. +In the Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under Computer Configuration\Administrative Templates\System\PIN Complexity in the Group Policy editor. ## Review 
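Review bot: The replacement sentence on the `+` line still opens with "In the Windows 10, version 1703," and keeps "have moved to remove misunderstanding that". Since the whole line is being rewritten, drop the stray "the" and tighten the wording, for example "In Windows 10, version 1703, the PIN complexity Group Policy settings moved to ...". The path change itself (Computer Configuration only) matches the commit message.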
@@ -153,4 +153,4 @@ Users must receive the Windows Hello for Business group policy settings and have 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file +5. Configure Windows Hello for Business Policy settings (*You are here*) From 15061e5e1dea159deb2f5ac359784b0b12e00a78 Mon Sep 17 00:00:00 2001 From: Lexy2 <38648992+Lexy2@users.noreply.github.com> Date: Wed, 20 Feb 2019 12:20:01 +0300 Subject: [PATCH 02/13] Update bitlocker-how-to-enable-network-unlock.md - Corrected certificate store name from FVENKP to FVE_NKP - Added the requirement to reboot the clients after applying the policy - Added the requirement for the clients to have a TPM protector - Removed duplicate steps of adding a TPM protector (require TPM+PIN vs allow TPM+PIN) - Fixed linking within the document --- .../bitlocker-how-to-enable-network-unlock.md | 59 +++++++++---------- 1 file changed, 27 insertions(+), 32 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 4643595543..8d2dd4d8dc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 06/18/2018 +ms.date: 02/20/2019 --- # BitLocker: How to enable Network Unlock 
@@ -39,6 +39,7 @@ Network Unlock must meet mandatory hardware and software requirements before the - You must be running at least Windows 8 or Windows Server 2012. - Any supported operating system with UEFI DHCP drivers can be Network Unlock clients. +- Network Unlock clients must have a TPM chip and at least one TPM protector. - A server running the Windows Deployment Services (WDS) role on any supported server operating system. - BitLocker Network Unlock optional feature installed on any supported server operating system. - A DHCP server, separate from the WDS server. @@ -83,7 +84,7 @@ The server side configuration to enable Network Unlock also requires provisionin The following steps allow an administrator to configure Network Unlock in a domain where the Domain Functional Level is at least Windows Server 2012. -### Install the WDS Server role +### Install the WDS Server role The BitLocker Network Unlock feature will install the WDS role if it is not already installed. If you want to install it separately before you install BitLocker Network Unlock you can use Server Manager or Windows PowerShell. To install the role using Server Manager, select the **Windows Deployment Services** role in Server Manager. @@ -95,7 +96,7 @@ Install-WindowsFeature WDS-Deployment You must configure the WDS server so that it can communicate with DHCP (and optionally Active Directory Doman Services) and the client computer. You can do using the WDS management tool, wdsmgmt.msc, which starts the Windows Deployment Services Configuration Wizard. -### Confirm the WDS Service is running +### Confirm the WDS Service is running To confirm the WDS service is running, use the Services Management Console or Windows PowerShell. To confirm the service is running in Services Management Console, open the console using **services.msc** and check the status of the Windows Deployment Services service. 
@@ -104,7 +105,7 @@ To confirm the service is running using Windows PowerShell, use the following co ``` syntax Get-Service WDSServer ``` -### Install the Network Unlock feature +### Install the Network Unlock feature To install the Network Unlock feature, use Server Manager or Windows PowerShell. To install the feature using Server Manager, select the **BitLocker Network Unlock** feature in the Server Manager console. @@ -113,7 +114,7 @@ To install the feature using Windows PowerShell, use the following command: ``` syntax Install-WindowsFeature BitLocker-NetworkUnlock ``` -### Create the certificate template for Network Unlock +### Create the certificate template for Network Unlock A properly configured Active Directory Services Certification Authority can use this certificate template to create and issue Network Unlock certificates. @@ -143,7 +144,7 @@ To add the Network Unlock template to the Certification Authority, open the Cert After adding the Network Unlock template to the Certification Authority, this certificate can be used to configure BitLocker Network Unlock. -### Create the Network Unlock certificate +### Create the Network Unlock certificate Network Unlock can use imported certificates from an existing PKI infrastructure, or you can use a self-signed certificate. @@ -214,7 +215,7 @@ Certreq example: 5. Launch Certificates - Local Machine by running **certlm.msc**. 6. Create a .pfx file by opening the **Certificates – Local Computer\\Personal\\Certificates** path in the navigation pane, right-clicking the previously imported certificate, selecting **All Tasks**, then **Export**. Follow through the wizard to create the .pfx file. -### Deploy the private key and certificate to the WDS server +### Deploy the private key and certificate to the WDS server With the certificate and key created, deploy them to the infrastructure to properly unlock systems. To deploy the certificates, do the following: 
@@ -230,7 +231,7 @@ With certificate and key deployed to the WDS server for Network Unlock, the fina The following steps describe how to enable the Group Policy setting that is a requirement for configuring Network Unlock. 1. Open Group Policy Management Console (gpmc.msc). -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option. +2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** or **Allow startup PIN with TPM** option. 3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. The following steps describe how to deploy the required Group Policy setting: 
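Review bot: Step 3 in the unchanged context still reads "Turn on BitLocker with TPM+PIN protectors on all domain-joined computers", which no longer matches step 2 now that it accepts **Allow startup PIN with TPM**, or the requirement added earlier in this patch that clients need "at least one TPM protector". Update step 3 in the same hunk so that it asks for a TPM protector, with TPM+PIN as one option, or the list contradicts itself.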
@@ -247,15 +248,10 @@ The following steps describe how to deploy the required Group Policy setting: 3. Follow the wizard steps and import the .cer file that was copied earlier. >**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. + +5. Reboot the clients after deploying the group policy. +>**Note:** The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store.   -### Require TPM+PIN protectors at startup - -An additional step is for enterprises to use TPM+PIN protectors for an extra level of security. To require TPM+PIN protectors in an environment, do the following: - -1. Open Group Policy Management Console (gpmc.msc). -2. Enable the policy **Require additional authentication at startup** and select the **Require startup PIN with TPM** option. -3. Turn on BitLocker with TPM+PIN protectors on all domain-joined computers. - ### Subnet policy configuration files on WDS Server (Optional) By default, all clients with the correct Network Unlock Certificate and valid Network Unlock protectors that have wired access to a Network Unlock-enabled WDS server via DHCP are unlocked by the server. A subnet policy configuration file on the WDS server can be created to limit which subnet(s) Network Unlock clients can use to unlock. 
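Review bot: The added step 5 says to reboot "after deploying the group policy", but the note beneath it makes the protector depend on the policy being enabled and a valid certificate being in the store at the time of the reboot. Say explicitly that the policy must already have been applied on the client, not only deployed from the domain controller, before the reboot. Separately, the new note writes FVE_NKP unescaped while the existing note just above it in this hunk writes FVE\_NKP; use one form throughout the file.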
@@ -285,13 +281,13 @@ The subnet policy configuration file must use a “\[SUBNETS\]” section to ide To disallow the use of a certificate altogether, its subnet list may contain the line “DISABLED". -## Turning off Network Unlock +## Turning off Network Unlock To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. ->**Note:**  Removing the FVENKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. +>**Note:**  Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the server’s ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.   -## Update Network Unlock certificates +## Update Network Unlock certificates To update the certificates used by Network Unlock, administrators need to import or generate the new certificate for the server and then update the Network Unlock certificate Group Policy setting on the domain controller. 
@@ -302,12 +298,13 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many - Verify client hardware is UEFI-based and is on firmware version is 2.3.1 and that the UEFI firmware is in native mode without a Compatibility Support Module (CSM) for BIOS mode enabled. Do this by checking that the firmware does not have an option enabled such as "Legacy mode" or "Compatibility mode" or that the firmware does not appear to be in a BIOS-like mode. - All required roles and services are installed and started - Public and private certificates have been published and are in the proper certificate containers. The presence of the Network Unlock certificate can be verified in the Microsoft Management Console (MMC.exe) on the WDS server with the certificate snap-ins for the local computer enabled. The client certificate can be verified by checking the registry key **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** on the client computer. -- Group policy for Network Unlock is enabled and linked to the appropriate domains +- Group policy for Network Unlock is enabled and linked to the appropriate domains. - Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. +- Verify the clients were rebooted after applying the policy. - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: ``` syntax - Manage-bde –protectors –get C: + manage-bde –protectors –get C: ``` >**Note:**  Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock   
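Review bot: The corrected command `manage-bde –protectors –get C:` still has en dashes (–) in front of protectors and get. Replace them with ASCII hyphens so the line can be pasted into a prompt as written. While this block is open, the context sentence above the command has "lcoal" for "local", and the new bullet "Verify the clients were rebooted after applying the policy." would be easier to act on if it pointed back to the reboot step added earlier in this patch.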
@@ -343,14 +340,14 @@ Network Unlock and the accompanying Group Policy settings were introduced in Win The following steps can be used to configure Network Unlock on these older systems. -1. [Step One: Install the WDS Server role](#bkmk-stepone) -2. [Step Two: Confirm the WDS Service is running](#bkmk-steptwo) -3. [Step Three: Install the Network Unlock feature](#bkmk-stepthree) -4. [Step Four: Create the Network Unlock certificate](#bkmk-stepfour) -5. [Step Five: Deploy the private key and certificate to the WDS server](#bkmk-stepfive) -6. [Step Six: Configure registry settings for Network Unlock](#bkmk-stepsix) +1. [Install the WDS Server role](#bkmk-installwdsrole) +2. [Confirm the WDS Service is running](#bkmk-confirmwdsrunning) +3. [Install the Network Unlock feature](#bkmk-installnufeature) +4. [Create the Network Unlock certificate](bkmk-createcert) +5. [Deploy the private key and certificate to the WDS server](#bkmk-deploycert) +6. Configure registry settings for Network Unlock: - Apply the registry settings by running the following certutil script on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. + Apply the registry settings by running the following certutil script (assuming your network unlock certificate file is called **BitLocker-NetworkUnlock.cer**) on each computer running any of the client operating systems designated in the **Applies To** list at the beginning of this topic. certutil -f -grouppolicy -addstore FVE_NKP BitLocker-NetworkUnlock.cer reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v OSManageNKP /t REG_DWORD /d 1 /f 
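Review bot: Item 4 of the renumbered list links to `(bkmk-createcert)` without the leading `#`, unlike the other four links, so it resolves as a relative file path instead of an in-page anchor; change it to `(#bkmk-createcert)`. The new ids (bkmk-installwdsrole, bkmk-confirmwdsrunning, bkmk-installnufeature, bkmk-deploycert) do not appear on the heading lines as shown in this diff, so confirm that each target exists before merging.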
@@ -361,10 +358,8 @@ The following steps can be used to configure Network Unlock on these older syste reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKey /t REG_DWORD /d 2 /f reg add "HKLM\SOFTWARE\Policies\Microsoft\FVE" /v UseTPMKeyPIN /t REG_DWORD /d 2 /f -7. [Create the Network Unlock certificate](#bkmk-stepfour) -8. [Deploy the private key and certificate to the WDS server](#bkmk-stepfive) -9. [Create the certificate template for Network Unlock](#bkmk-createcerttmpl) -10. [Require TPM+PIN protectors at startup](#bkmk-stepseven) +7. Set up a TPM protector on the clients +8. Reboot the clients to add the Network (Certificate Based) protector ## See also From a5fe41f3bc0120518eed39e86d3b278da19e5576 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Feb 2019 17:13:45 -0800 Subject: [PATCH 03/13] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md added surface go with lte and formatting changes --- ...irmware-and-drivers-for-surface-devices.md | 22 ++++++++++--------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 1d736b1ece..9ef498cb51 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -27,31 +27,33 @@ Driver and firmware updates for Surface devices are **cumulative updates** which Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article. >[!NOTE] ->To simplify the process of locating drivers for your device, downloads for Surface devices have been reorganized to separate pages for each model. Bookmark the Microsoft Download Center page for your device from the links provided on this page. Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file. +>Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file.   -Recent additions to the downloads for Surface devices provide you with options to install Windows 10 on your Surface devices and update LTE devices with the latest Windows 10 drivers and firmware. - - - >[!NOTE] >A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. ## Surface Laptop 2 Download the following updates for [Surface Laptop 2 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57515). -* SurfaceLaptop2_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10 +* SurfaceLaptop2_Win10_xxxxx_xxxxxxx_x.msi – Cumulative firmware and driver update package for Windows 10 ## Surface Pro 6 Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57514). 
-* SurfacePro6_Win10_XXXXX_XXXXXXX_X.msi – Cumulative firmware and driver update package for Windows 10 +* SurfacePro6_Win10_xxxxx_xxxxxxx_x.msi – Cumulative firmware and driver update package for Windows 10 -## Surface GO +## Surface Go Download the following updates for [Surface GO from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57439). -* SurfaceGO_Win10_17134_1802010_6.msi - Cumulative firmware and driver update package for Windows 10 +* SurfaceGO_Win10_xxxxx_xxxxxxx_x.msi - Cumulative firmware and driver update package for Windows 10 + +## Surface Go with LTE Advanced + +Download the following updates for [Surface GO with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57601). + +* SurfaceGo_Win10_xxxxx_xxxxxxx_LTE_1.msi - Cumulative firmware and driver update package for Windows 10 including optional WinTab drivers. ## Surface Book 2 @@ -79,7 +81,7 @@ Download the following updates for [Surface Pro with LTE Advanced from the Micro Download the following updates for [Surface Pro 6 from the Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=57514). -* SurfacePro6_Win10_17134_xxxxx_xxxxxx.msi +* SurfacePro6_Win10_xxxxx_xxxxxxx_x.msi ## Surface Studio From 46cb46ccdbb0ad169d38c912c9b2cc3d8c774bdd Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Feb 2019 17:36:52 -0800 Subject: [PATCH 04/13] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md combined notes --- ...y-the-latest-firmware-and-drivers-for-surface-devices.md | 6 +----- 1 file changed, 1 insertion(+), 5 deletions(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 9ef498cb51..94d8bd322d 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -27,11 +27,7 @@ Driver and firmware updates for Surface devices are **cumulative updates** which Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article. >[!NOTE] ->Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file. -  - ->[!NOTE] ->A battery charge of 40% or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. +>Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file. A battery charge of 40 percent or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. ## Surface Laptop 2 From f83f6e19fd5096c576ac8ce851837ec1453ec120 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Feb 2019 17:38:52 -0800 Subject: [PATCH 05/13] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md --- ...loy-the-latest-firmware-and-drivers-for-surface-devices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 94d8bd322d..45c5f0afc6 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -42,12 +42,12 @@ Download the following updates for [Surface Pro 6 from the Microsoft Download Ce ## Surface Go -Download the following updates for [Surface GO from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57439). +Download the following updates for [Surface Go from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57439). * SurfaceGO_Win10_xxxxx_xxxxxxx_x.msi - Cumulative firmware and driver update package for Windows 10 ## Surface Go with LTE Advanced -Download the following updates for [Surface GO with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57601). +Download the following updates for [Surface Go with LTE Advanced from the Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=57601). * SurfaceGo_Win10_xxxxx_xxxxxxx_LTE_1.msi - Cumulative firmware and driver update package for Windows 10 including optional WinTab drivers. From 75a32b9cca65e9bbd596db10bf088fac3a774590 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Feb 2019 17:45:40 -0800 Subject: [PATCH 06/13] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md --- ...eploy-the-latest-firmware-and-drivers-for-surface-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 45c5f0afc6..0ef51f7bc4 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -27,7 +27,7 @@ Driver and firmware updates for Surface devices are **cumulative updates** which Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article. >[!NOTE] ->Many of the filenames contain a placeholder denoted with *xxxxxx*, which identifies the current version number or date of the file. A battery charge of 40 percent or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. +>Many of the filenames contain a placeholder denoted with *xxxxxx*, representing the latest version number listed in the Microsoft Download Center. A battery charge of 40 percent or greater is required before you install firmware to a Surface device. See [Microsoft Support article KB2909710](https://go.microsoft.com/fwlink/p/?LinkId=618106) for more information. ## Surface Laptop 2 From f71b7461ae79936ccc08d206a0c5a1eba29fc6b7 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Feb 2019 17:52:17 -0800 Subject: [PATCH 07/13] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md minor edits --- ...eploy-the-latest-firmware-and-drivers-for-surface-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 0ef51f7bc4..88eed714d0 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
@@ -18,7 +18,7 @@ ms.topic: article This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. -As easy as it is to keep Surface device drivers and firmware up to date automatically with Windows Update, it is sometimes necessary to download and install updates manually, such as during a Windows deployment. For any situation where you need to install drivers and firmware separately from Windows Update, you can find the files available for download at the Microsoft Download Center. +Although Surface devices are typically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the files available for download at the Microsoft Download Center. On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md). From 95c3adc83a549b291af34066d45dd6a32bcf413c Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Feb 2019 17:53:33 -0800 Subject: [PATCH 08/13] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md --- ...eploy-the-latest-firmware-and-drivers-for-surface-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 88eed714d0..07dcf17f0f 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md 
+++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -18,7 +18,7 @@ ms.topic: article This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. -Although Surface devices are typically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the files available for download at the Microsoft Download Center. +Although Surface devices are typically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the requisite files on the Microsoft Download Center. On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md). From 8826a9266826d221cc13145be1782fb9a1290e67 Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Wed, 20 Feb 2019 19:31:32 -0800 Subject: [PATCH 09/13] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md --- ...eploy-the-latest-firmware-and-drivers-for-surface-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 07dcf17f0f..7f519a64e2 100644 
--- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -18,7 +18,7 @@ ms.topic: article This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. -Although Surface devices are typically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the requisite files on the Microsoft Download Center. +Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. If you need to install drivers and firmware separately from Windows Update, you can find the requisite files on the Microsoft Download Center. On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md). From c3ae78127b7f707ea2f711f1d9546bb883015195 Mon Sep 17 00:00:00 2001 From: andreiztm Date: Thu, 21 Feb 2019 09:40:30 +0200 Subject: [PATCH 10/13] Adding missing tags and older article that wasn't listed --- windows/deployment/update/windows-as-a-service.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 25472e32ba..ad022440c3 100644 --- a/windows/deployment/update/windows-as-a-service.md 
+++ b/windows/deployment/update/windows-as-a-service.md @@ -42,13 +42,15 @@ The latest news:
  • Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates - September 21, 2018
  • Helping customers shift to a modern desktop - September 6, 2018
  • Windows Update for Business & Windows Analytics: a real-world experience - September 5, 2018
  • -
  • What's next for Windows 10 and Windows Server quality updates - August 16, 2018 +
  • What's next for Windows 10 and Windows Server quality updates - August 16, 2018
  • Windows 10 monthly updates - August 1, 2018 (**video**)
  • -
  • Windows 10 update servicing cadence - August 1, 2018 -
  • Windows 10 quality updates explained and the end of delta updates - July 11, 2018 -
  • AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018 -
  • Windows Server 2008 SP2 Servicing Changes - June 12, 2018 -
  • Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018 +
  • Windows 10 update servicing cadence - August 1, 2018
  • +
  • Windows 10 quality updates explained and the end of delta updates - July 11, 2018
  • +
  • AI Powers Windows 10 April 2018 Update Rollout - June 14, 2018
  • +
  • Windows Server 2008 SP2 Servicing Changes - June 12, 2018
  • +
  • Windows Update for Business - Enhancements, diagnostics, configuration - June 7, 2018
  • +
  • Windows 10 and the “disappearing” SAC-T - May 31, 2018
  • + [See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog). From 4f9e2c248ba36d62c5025773d8ed21fef00d4ced Mon Sep 17 00:00:00 2001 From: Peter Lewis Date: Thu, 21 Feb 2019 11:53:01 +0000 Subject: [PATCH 11/13] Update blog URL Updated blog URL (https://aka.ms/blog/WindowsAnalytics) --- windows/deployment/upgrade/upgrade-readiness-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index af94500571..89b0ca53fe 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -22,7 +22,7 @@ You can use Upgrade Readiness to plan and manage your upgrade project end-to-end Before you begin, consider reviewing the following helpful information:
    - [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
    - - [Upgrade Readiness blog](https://blogs.technet.microsoft.com/UpgradeAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. + - [Upgrade Readiness blog](https://aka.ms/blog/WindowsAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. >If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). From 76471f253e9504ddcbad1aa1283d80a0120bd1e6 Mon Sep 17 00:00:00 2001 From: "H. Poulsen" Date: Thu, 21 Feb 2019 10:28:28 -0800 Subject: [PATCH 12/13] Update collect-data-using-enterprise-site-discovery.md Updated info and links related to Upgrade Readiness (formerly known as Upgrade Analytics) --- .../collect-data-using-enterprise-site-discovery.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index 5d6a571e4a..424b01e58e 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -20,8 +20,8 @@ ms.date: 07/27/2017 Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. ->**Upgrade Analytics and Windows upgrades**
    ->You can use Upgrade Analytics to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Analytics to review several site discovery reports. Check out Upgrade Analytics from [here](https://technet.microsoft.com/itpro/windows/deploy/upgrade-analytics-get-started). +>**Upgrade Readiness and Windows upgrades**
    +>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/en-us/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). ## Before you begin From 31750b696d35b6d56ce48876bc05eb0841196021 Mon Sep 17 00:00:00 2001 From: JC <47532346+Jcoetsee@users.noreply.github.com> Date: Thu, 21 Feb 2019 22:13:20 +0200 Subject: [PATCH 13/13] Grammar change A small grammar change has been made, the wording used there should be "to add" and not "to load" https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2706 --- .../windows-defender-application-guard/install-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 68919bc05b..0d185ae9bd 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md 
@@ -58,7 +58,7 @@ Employees can use hardware-isolated browsing sessions without any administrator Applies to: - Windows 10 Enterprise edition, version 1709 or higher -You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container. +You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container. The following diagram shows the flow between the host PC and the isolated container. ![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png)
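Review bot: In deploy-the-latest-firmware-and-drivers-for-surface-devices.md, the added sentence stacks two adverbs in "typically automatically updated", which reads awkwardly. Consider "Although Surface devices are typically updated automatically with the latest device drivers and firmware via Windows Update", which keeps the contrast with the manual download path described in the rest of the sentence.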
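Review bot: In upgrade-readiness-get-started.md, the replaced bullet keeps the label "Upgrade Readiness blog" while the new target is https://aka.ms/blog/WindowsAnalytics, so the link text and the destination name no longer agree. Either update the label and description to match the blog the short link resolves to, or note in the commit message which URL the aka.ms redirect points at, since that cannot be confirmed from the diff.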
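Review bot: In collect-data-using-enterprise-site-discovery.md, the new link on the second added line hard-codes the /en-us/ locale (https://docs.microsoft.com/en-us/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), which sends every reader to the English page. The docs.microsoft.com link visible in the upgrade-readiness-get-started.md context of this series omits the locale, so suggest the same here: https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.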
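Review bot: In install-wd-app-guard.md, replacing "to load" with "to add" in the last sentence of the changed paragraph alters the technical meaning rather than the grammar. The sentence describes browser requests for non-enterprise domains being redirected into the container, while "adding" is what the preceding sentence says administrators do with trusted domains, so the new wording blurs which domains are trusted and which are isolated. Suggest keeping "load" and, if the phrasing is the concern, rewording to "automatically redirects any browser request for a non-enterprise domain so that it loads in the container".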