Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into DHAppLogin

2025-05-14 14:27:22 +00:00 · 2018-03-20 15:37:04 -07:00 · 2018-03-20 15:37:04 -07:00 · 4dc8701be7
commit 4dc8701be7
parent 84eca5b265 1f6347f36c
13 changed files with 405 additions and 105 deletions
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@ -7,20 +7,20 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/01/2018
+ms.date: 03/20/2018
 ---
 # AssignedAccess CSP
-The AssignedAccess configuration service provider (CSP) is used set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device in the kiosk mode running the application specified in the CSP configuration.
+The AssignedAccess configuration service provider (CSP) is used to set the device to run in kiosk mode. Once the CSP has been executed, then the next user login that is associated with the kiosk mode puts the device into the kiosk mode running the application specified in the CSP configuration.
 For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
 In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
 > [!Note]
-> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting in Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
+> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
 The following diagram shows the AssignedAccess configuration service provider in tree format
@ -30,10 +30,14 @@ The following diagram shows the AssignedAccess configuration service provider in
 Root node for the CSP.
 <a href="" id="assignedaccess-kioskmodeapp"></a>**./Device/Vendor/MSFT/AssignedAccess/KioskModeApp**  
-A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, follow the information in [this Microsoft website](http://go.microsoft.com/fwlink/p/?LinkId=404220).
+A JSON string that contains the user account name and Application User Model ID (AUMID) of the Kiosk mode app. For more information about how to get the AUMID, see [Find the Application User Model ID of an installed app](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app).
 For a step-by-step guide for setting up devices to run in kiosk mode, see [Set up a kiosk on Windows 10 Pro, Enterprise, or Education.](http://go.microsoft.com/fwlink/p/?LinkID=722211)
 > [!Note]  
 > You cannot set both KioskModeApp and Configuration at the same time in the device in Windows 10, version 1709.  
 >
 > You cannot set both KioskModeApp and ShellLauncher at the same time on the device.
 In Windows 10, version 1607, you can use a provisioned app to configure the kiosk mode. For more information about how to remotely provision an app, see [Enterprise app management](enterprise-app-management.md).
@ -44,9 +48,9 @@ Here's an example:
 ```
 > [!Tip]  
-> In this example the double \\\ is only required because it's in json and json escapes \ into \\\\. If MDM server uses json parser\composer, they should only ask customer to type one \\, which will be \\\ in the json. If user types \\\\, it'll be \\\\\\\ in json, which is wrong. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (require) escape \\.
+> In this example the double \\\ is required because it's in JSON and JSON escapes \ into \\\\. If an MDM server uses JSON parser\composer, they should ask customers to type only one \\, which will be \\\ in the JSON. If user types \\\\, it'll become \\\\\\\ in JSON, which will cause erroneous results. For the same reason, domain\account used in Configuration xml does not need \\\ but only one \\, because xml does not (need to) escape \\.
 >
-> This comment applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in json string. 
+> This applies to both domain\account, AzureAD\someone@contoso.onmicrosoft.com, i.e. as long as a \ used in JSON string. 
 When configuring the kiosk mode app, the account name will be used to find the target user. The account name includes domain name and user name.
@ -63,7 +67,6 @@ Added in Windows 10, version 1709. Specifies the settings that you can configure
 > [!Note]  
 > You cannot set both KioskModeApp and Configuration at the same time on the device in Windows 10, version 1709.  
 > You cannot set both ShellLauncher and Configuration at the same time on the device.
 Enterprises can use this to easily configure and manage the curated lockdown experience. 
@ -97,12 +100,14 @@ Additionally, the status payload includes a profileId, which can be used by the
 Supported operation is Get.
 <a href="" id="assignedaccess-shelllauncher"></a>**./Device/Vendor/MSFT/AssignedAccess/ShellLauncher**  
-Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema.
+Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. For more information, see [Shell Launcher](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/shell-launcher).
 > [!Note]  
-> You cannot set both ShellLauncher and Configuration at the same time on the device.
+> You cannot set both ShellLauncher and KioskModeApp at the same time on the device.
 >
-> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU.
+> Configuring Shell Launcher using the ShellLauncher node automatically enables the Shell Launcher feature if it is available within the SKU. I. Shell Launcher as a feature and the ShellLauncher node both require Windows Enterprise or Windows Education to function.  
 >  
 >The ShellLauncher node is not supported in Windows 10 Pro.
 <a href="" id="assignedaccess-statusconfiguration"></a>**./Device/Vendor/MSFT/AssignedAccess/StatusConfiguration**  
 Added in Windows 10, version 1803. This node accepts a StatusConfiguration xml as input to configure the Kiosk App Health monitoring. There are three possible values for StatusEnabled node inside StatusConfiguration xml: On, OnWithAlerts, and Off. Click [link](#statusconfiguration-xsd) to see the StatusConfiguration schema.
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -2631,6 +2631,8 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
 - [CellularSettings CSP](cellularsettings-csp.md)
 - [CertificateStore CSP](certificatestore-csp.md)
 - [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)
 - [CMPolicy CSP](cmpolicy-csp.md)
 - [CM_ProxyEntries CSP](cm-proxyentries-csp.md)
 - [CM_CellularEntries CSP](cm-cellularentries-csp.md)
 - [Defender CSP](defender-csp.md)
 - [DevDetail CSP](devdetail-csp.md)
@ -2640,6 +2642,8 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
 - [DiagnosticLog CSP](diagnosticlog-csp.md)
 - [DMAcc CSP](dmacc-csp.md)
 - [DMClient CSP](dmclient-csp.md)
 - [eUICCs CSP](euiccs-csp.md)
 - [Firewall CSP](firewall-csp.md)
 - [EMAIL2 CSP](email2-csp.md)
 - [EnterpriseAPN CSP](enterpriseapn-csp.md)
 - [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md)
@ -2669,4 +2673,5 @@ The CSPs supported in Windows 10 S is the same as in Windows 10 Pro except that
 - [WiFi CSP](wifi-csp.md)
 - [Win32AppInventory CSP](win32appinventory-csp.md)
 - [WindowsAdvancedThreatProtection CSP](windowsadvancedthreatprotection-csp.md)
 - [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)
 - [WindowsLicensing CSP](windowslicensing-csp.md)
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -573,6 +573,9 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-connectivity.md#connectivity-allownfc" id="connectivity-allownfc">Connectivity/AllowNFC</a>
  </dd>
  <dd>
    <a href="./policy-csp-connectivity.md#connectivity-allowphonepclinking" id="connectivity-allowphonepclinking">Connectivity/AllowPhonePCLinking</a>
  </dd>
  <dd>
    <a href="./policy-csp-connectivity.md#connectivity-allowusbconnection" id="connectivity-allowusbconnection">Connectivity/AllowUSBConnection</a>
  </dd>
--- a/windows/client-management/mdm/policy-csp-connectivity.md
+++ b/windows/client-management/mdm/policy-csp-connectivity.md
@ -6,11 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/12/2018
+ms.date: 03/14/2018
 ---
 # Policy CSP - Connectivity
 > [!WARNING]
 > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 <hr/>
@ -34,6 +36,9 @@ ms.date: 03/12/2018
  <dd>
    <a href="#connectivity-allownfc">Connectivity/AllowNFC</a>
  </dd>
  <dd>
    <a href="#connectivity-allowphonepclinking">Connectivity/AllowPhonePCLinking</a>
  </dd>
  <dd>
    <a href="#connectivity-allowusbconnection">Connectivity/AllowUSBConnection</a>
  </dd>
@ -355,6 +360,76 @@ The following list shows the supported values:
 <hr/>
 <!--Policy-->
 <a href="" id="connectivity-allowphonepclinking"></a>**Connectivity/AllowPhonePCLinking**  
 <!--SupportedSKUs-->
 <table>
 <tr>
 	<th>Home</th>
 	<th>Pro</th>
 	<th>Business</th>
 	<th>Enterprise</th>
 	<th>Education</th>
 	<th>Mobile</th>
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
 	<td></td>
 	<td></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Added in Windows 10, version 1803. This policy allows IT admins to turn off the ability to Link a Phone with a PC to continue tasks, such as reading, email, and other tasks that require linking between Phone and PC.
 If you enable this policy setting, the Windows device will be able to enroll in Phone-PC linking functionality and participate in 'Continue on PC experiences'. If you disable this policy setting, the Windows device is not allowed to be linked to phones, will remove itself from the device list of any linked Phones, and cannot participate in 'Continue on PC experiences'.
 If you do not configure this policy setting, the default behavior depends on the Windows edition. Changes to this policy take effect on reboot.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP name: *enableMMX*
 -   GP ADMX file name: *grouppolicy.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 This setting supports a range of values between 0 and 1.  
 - 0 - Do not link
 - 1 (default) - Allow phone-PC linking
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 Validation:  
 If the Connectivity/AllowPhonePCLinking policy is configured to value 0, the add a phone button in the Phones section in settings will be greyed out and clicking it will not launch the window for a user to enter their phone number.
 Device that has previously opt-in to MMX will also stop showing on the device list.
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="connectivity-allowusbconnection"></a>**Connectivity/AllowUSBConnection**  
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@ -0,0 +1,290 @@
 ---
 title: Multifactor Unlock
 description: Multifactor Unlock
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
 ms.date: 03/20/2018
 ---
 # Multifactor Unlock
 **Requirements:**
 * Windows Hello for Business deployment (Hybrid or On-premises)
 * Hybird Azure AD joined (Hybrid deployments)
 * Domain Joined (on-premises deployments) 
 * Windows 10, version 1709
 * Bluetooth, Bluetooth capable phone - optional
 Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
 Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. 
 Which organizations can take advanage of Multifactor unlock? Those who:
 * Have expressed that PINs alone do not meet their security needs.
 * Want to prevent Information Workers from sharing credentials.
 * Want their orgs to comply with regulatory two-factor authentication policy.
 * Want to retain the familiar Windows logon UX and not settle for a custom solution.
 You enable multifactor unlock using Group Policy.  The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
 ## The Basics: How it works
 First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration.  Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider.  With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop.
 The policy setting has three components:
 * First unlock factor credential provider
 * Second unlock factor credential provider 
 * Signal rules for device unlock
 ## Configuring Unlock Factors
 The **First unlock factor credential providers** and **Second unlock factor credential providers** portion of the policy setting each contain a comma separated list of credential providers. 
 Supported credential providers include: 
 |Credential Provider| GUID|
 |:------------------|:----|
 |PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}|  
 |Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}|
 |Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}|
 |Trusted Signal<br>(Phone proximity, Network location) | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}|
 >[!NOTE]
 >Multifactor unlock does not support third-party credential providers or credential providers not listed in the above table.
 The default credential providers for the **First unlock factor credential provider** include:
 * PIN
 * Fingerprint
 * Facial Recongition
 The default credential providers for the **Second unlock factor credential provider** include:
 * Trusted Signal
 * PIN
 Configure a comma separated list of credential provider GUIDs you want to use as first and second unlock factors. While a credential provider can appear in both lists, remember that a credential supported by that provider can only satisfy one of the unlock factors. Listed credential providers do not need to be in any specific order. 
 For example, if you include the PIN and fingerprint credential providers in both first and second factor lists, a user can use their fingerprint or PIN as the first unlock factor.  However, whichever factor they used to satisfy the first unlock factor cannot be used to satisfy the second unlock factor.  Each factor can therefore be used exactly once. The Trusted Signal provider can *only* be specified as part of the Second unlock factor credential provider list.  
 ## Configure Signal Rules for the Trusted Signal Credential Provider
 The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device.
 ### Rule element
 You represent signal rules in XML.  Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value.  The current supported scheam version is 1.0.<br>
 **Example**
 ```
 <rule schemaVersion="1.0">
 </rule>
 ```
 ### Signal element
 Each rule element has a **signal** element.  All signal elements have a **type** element and value.  Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.<br>
 |Attribute|Value|
 |---------|-----|
 | type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| 
 #### Bluetooth
 You define the bluetooth signal with additional attribute in the signal elment. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
 |Attribute|Value|Required|
 |---------|-----|--------|
 |type|"bluetooth"|yes|
 |scenario|"Authentication"|yes|
 |classOfDevice|"*number*"|no|
 |rssiMin|"*number*"|no|
 |rssiMaxDelta|"*number*"|no|
 Example:
 ```
 <rule schemaVersion="1.0">
    <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </rule>
 ```
 The **classofDevice** attribute defaults Phones and uses the values from the following table 
 |Description|Value|
 |:-------------|:-------:|
 |Miscellaneous|0|
 |Computer|256|
 |Phone|512|
 |LAN/Network Access Point|768|
 |Audio/Video|1024|
 |Peripheral|1280|
 |Imaging|1536|
 |Wearable|1792|
 |Toy|2048|
 |Health|2304|
 |Uncategorized|7936|
 The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range".  The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device.  The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.  
 RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
 >[!IMPORTANT]
 >Microsoft recommends using the default values for this policy settings.  Measurements are relative, based on the varying conditions of each environment.  Therefore, the same values may produce different results. Test policy settings in each environment prior to broadly deploying the setting.  Use the rssiMIN and rssiMaxDelta values from the XML file created by the Group Policy Management Editor or remove both attributes to use the default values.
 #### IP Configuration
 You define IP configuration signals using one or more ipConfiguration elements.  Each element has a string value.  IpConfiguration elements do not have attributes or nested elements.
 ##### IPv4Prefix
 The IPv4 network prefix represented in Internet standard dotted-decimal notation. A network prefix that uses the Classless Inter-Domain Routing (CIDR) notation is required as part of the network string. A network port must not be present in the network string.  A **signal** element may only contain one **ipv4Prefix** element.<br>
 **Example**
 ```
 <ipv4Prefix>192.168.100.0/24</ipv4Prefix>
 ```
 The assigned IPv4 addresses in the range of 192.168.100.1 to 192.168.100.254 match this signal configuration.
 ##### IPv4Gateway
 The IPv4 network gateway represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4Gateway** element.<br>
 **Example**
 ```
 <ipv4Gateway>192.168.100.10</ipv4Gateway>
 ```
 ##### IPv4DhcpServer
 The IPv4 DHCP server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv4DhcpServer** element.<br>
 **Example**
 ```
 <ipv4DhcpServer>192.168.100.10</ipv4DhcpServer>
 ```
 ##### IPv4DnsServer
 The IPv4 DNS server represented in Internet standard dotted-decimal notation. A network port or prefix must not be present in the network string.The **signal** element may contain one or more **ipv4DnsServer** elements.<br>
 **Example:**
 ```
 <ipv4DnsServer>192.168.100.10</ipv4DnsServer>
 ```
 ##### IPv6Prefix
 The IPv6 network prefix represented in IPv6 network using Internet standard hexadecimal encoding. A network prefix in CIDR notation is required as part of the network string. A network port or scope ID must not be present in the network string.  A **signal** element may only contain one **ipv6Prefix** element.<br>
 **Example** 
 ```
 <ipv6Prefix>21DA:D3::/48</ipv6Prefix>
 ```
 ##### IPv6Gateway
 The IPv6 network gateway represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6Gateway** element.<br>
 **Example** 
 ```
 <ipv6Gateway>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6Gateway>
 ```
 ##### IPv6DhcpServer
 The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string.  A **signal** element may only contain one **ipv6DhcpServer** element.<br>
 **Example**
 ```
 <ipv6DhcpServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DhcpServer
 ```
 ##### IPv6DnsServer
 The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IPv6 scope ID may be present in the network string. A network port or prefix must not be present in the network string. The **signal** element may contain one or more **ipv6DnsServer** elements.<br>
 **Example**
 ```
 <ipv6DnsServer>21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2</ipv6DnsServer>
 ```
 ##### dnsSuffix
 The fully qualified domain name of your organizations internal dns suffix where any part of the fully qualified domain name in this setting exists in the computer's primary dns suffix.  The **signal** element may contain one or more **dnsSuffix** elements.<br>
 **Example**
 ```
 <dnsSuffix>corp.contoso.com</dnsSuffix>
 ```
 ### Sample Trusted Signal Congfigurations
 These examples are wrapped for readability.  Once properly formatted, the entire XML contents must be a single line.
 #### Example 1
 This example configures an IPConfig signal type using Ipv4Prefix, Ipv4DnsServer, and DnsSuffix elements.
 ```
 <rule schemaVersion="1.0"> 
    <signal type="ipConfig"> 
        <ipv4Prefix>10.10.10.0/24</ipv4Prefix>
        <ipv4DnsServer>10.10.0.1</ipv4DnsServer>
        <ipv4DnsServer>10.10.0.2</ipv4DnsServer>
        <dnsSuffix>corp.contoso.com</dnsSuffix> 
 	</signal> 
 </rule>
 ```
 #### Example 2
 This example configures an IpConfig signal type using a dnsSuffix element and a bluetooth signal for phones.  This configuration is wrapped for reading.  Once properly formatted, the entire XML contents must be a single line.  This example implies that either the ipconfig **or** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
 >[!NOTE] 
 >Separate each rule element using a comma.
 ```
 <rule schemaVersion="1.0"> 
 	<signal type="ipConfig"> 
 	    <dnsSuffix>corp.contoso.com</dnsSuffix> 
 	</signal> 
 </rule>,
 <rule schemaVersion="1.0">
 	<signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </rule>
 ```
 #### Example 3
 This example configures the same as example 2 using compounding And elements.  This example implies that the ipconfig **and** the Bluetooth rule must evaluate to true, for the resulting signal evaluation to be true.
 ```
 <rule schemaVersion="1.0">
 <and>
  <signal type="ipConfig">
   <dnsSuffix>corp.microsoft.com</dnsSuffix>
  </signal> 
  <signal type="bluetooth" scenario="Authentication" classOfDevice="512" rssiMin="-10" rssiMaxDelta="-10"/>
 </and>
 </rule>
 ```
 ## Deploying Multifactor Unlock
 >[!IMPORTANT]
 >You need to remove all third party credential providers to ensure users cannot unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
 ### How to configure Multifactor Unlock policy settings
 You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business  Group Policy settings, which includes muiltifactor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709.
 Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
 ### Create the Multifactor Unlock Group Policy object
 The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed.
 >[!IMPORTANT]
 > * PIN **must** be in at least one of the groups
 > * Trusted signals **must** be combined with another credential provider
 > * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can satisfy either category, but not both.
 1. Start the **Group Policy Management Console** (gpmc.msc)
 2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
 3. Right-click **Group Policy object** and select **New**.
 4. Type *Multifactor Unlock* in the name box and click **OK**.
 5. In the content pane, right-click the **Multifactor Unlock** Group Policy object and click **Edit**.
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.<br>
 ![Group Policy Editor](images/multifactorUnlock/gpme.png)
 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**.  The **Options** section populates the policy setting with default values.<br>
 ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
 9. Configure first and second unlock factors using the information in the [Configure Unlock Factors](#configuring-unlock-factors) section.
 10. If using trusted signals, configure the trusted signals used by the unlock factor using the information in the [Configure Signal Rules for the Trusted Signal Credential Provider](#configure-signal-rules-for-the-trusted-signal-credential-provider) section.
 11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers.
 ## Troubleshooting
 Mulitfactor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**.
 ### Events
 |Event ID|Details|
 |:------:|:------|
 |3520|Unlock attempt initiated|
 |5520|Unlock policy not configured|
 |6520|Warning event|
 |7520|Error event|
 |8520|Success event|
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@ -346,13 +346,6 @@ Sign-in the AD FS server with Domain Admin equivalent credentials.
    ```PowerShell
    Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication
    ```
 The `Set-AdfsCertificateAuthority` cmdlet may show the following warning:
 >WARNING: PS0343: Issuing Windows Hello certificates requires enabling a permitted strong authentication provider, but no usable providers are currently configured.  These authentication providers are not supported for Windows Hello certificates: CertificateAuthentication,MicrosoftPassportAuthentication. Windows Hello certificates will not be issued until a permitted strong authentication provider is configured.
 This warning indicates that you have not configured multi-factor authentication in AD FS and until it is configured, the AD FS server will not issue Windows Hello certificates.  Windows 10, version 1703 clients check this configuration during prerequisite checks.  If detected, the prerequisite check will not succeed and the user will not provision Windows Hello for Business on sign-in.
 >[!NOTE]
 > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates.  It’s important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@ -6,10 +6,10 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
-author: DaniHalfin
+author: mikestephens-MS
-ms.localizationpriority: high
+ms.author: mstephen
-ms.author: daniha
+localizationpriority: high
-ms.date: 07/27/2017
+ms.date: 03/5/2018
 ---
 # Configure or Deploy Multifactor Authentication Services
@ -523,7 +523,7 @@ Before you continue with the deployment, validate your deployment progress by re
 * Confirm you saved the changes to the web.config file.
 * Confirm you restarted the AD FS Service after completing the configuration.
-## Test AD FS with the Multifactor Authentication connector
+## Test Multifactor Authentication
 Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment.  The AD FS and Azure Multi-Factor Authentication server configurations are complete.
--- a/windows/security/identity-protection/hello-for-business/hello-features.md
+++ b/windows/security/identity-protection/hello-for-business/hello-features.md
@ -10,7 +10,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 12/04/2017
+ms.date: 3/5/2018
 ---
 # Windows Hello for Business Features
@ -20,7 +20,6 @@ Consider these additional features you can use after your organization deploys W
 * [Dynamic lock](#dynamic-lock)
 * [PIN reset](#pin-reset)
 * [Privileged credentials](#privileged-credentials)
 * [Mulitfactor Unlock](#multifactor-unlock)
 ## Conditional access 
@ -154,76 +153,3 @@ The privileged credentials scenario enables administrators to perform elevated,
 By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session.  Using the computer Group Policy setting, Allow enumeration of emulated smartd card for all users, you can configure a device to all this enumeration on selected devices.  
 With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN.  Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument.  This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads.
 ## Multifactor Unlock
 **Requirements:**
 * Windows Hello for Business deployment (Hybrid or On-premises)
 * Hybird Azure AD joined (Hybrid deployments)
 * Domain Joined (on-premises deployments) 
 * Windows 10, version 1709
 * Bluetooth, Bluetooth capable smartphone - optional
 Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
 Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. 
 Which organizations can take advanage of Multifactor unlock? Those who:
 * Have expressed that PINs alone do not meet their security needs.
 * Want to prevent Information Workers from sharing credentials.
 * Want their orgs to comply with regulatory two-factor authentication policy.
 * Want to retain the familiar Windows logon UX and not settle for a custom solution.
 >[!IMPORTANT]
 >Once the you deploy multifactor unlock policies, users are not be able to unlock their devices if they do not have the required factors. The fall back options are to use passwords or smart cards (both of which could be disabled as needed).
 You enable multifactor unlock using Group Policy.  The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**.
 The policy setting has three components:
 * First unlock factor credential provider
 * Second unlock factor credential provider 
 * Signal rules for device unlock 
 ### The Basics: How it works
 First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration.  Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider.  With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop.
 The credenital providers included in the default policy settings are:
 |Credential Provider| GUID|
 |:------------------|:----:|
 |PIN | \{D6886603-9D2F-4EB2-B667-1971041FA96B}|  
 |Fingerprint | \{BEC09223-B018-416D-A0AC-523971B639F5}|
 |Facial Recognition | \{8AF662BF-65A0-4D0A-A540-A338A999D36F}|
 |Trusted Signal | \{27FBDB57-B613-4AF2-9D7E-4FA7A66C21AD}|
 The default credential providers for the **First unlock factor credential provider** include:
 * PIN
 * Fingerprint
 * Facial Recongition
 The default credential providers for the **Second unlock factor credential provider** include:
 * Trusted Signal
 * PIN
 The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. 
 The default signal rules for the policy setting include the proximity of any paired bluetooth smartphone.
 To successfully reach their desktop, the user must satisfy one credential provider from each category.  The order in which the user satisfies each credential provider does not matter.  Therefore, using the default policy setting a user can provide:
 * PIN and Fingerprint
 * PIN and Facial Recognition
 * Fingerprint and PIN
 * Facial Recognition and Trusted Signal (bluetooth paired smartphone)
 >[!IMPORTANT]
 > * PIN **must** be in at least one of the groups
 > * Trusted signals **must** be combined with another credential provider
 > * You cannot use the same unlock factor to satisfy both categories. Therefore, if you include any credential provider in both categories, it means it can be used to satisfy either category, but not both.  
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@ -9,7 +9,7 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 10/23/2017
+ms.date: 02/23/2018
 ---
 # Configure Device Registration for Hybrid Windows Hello for Business
@ -495,8 +495,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
 ![Device Registration](images/hybridct/device8.png) 
- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration
+- object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;  
 - Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;  
  - read/write access to the specified AD connector account name on the new object 
 - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
 - object of type msDS-DeviceRegistrationService in the above container
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@ -71,6 +71,9 @@ The table shows the minimum requirements for each deployment.
 ## Frequently Asked Questions
 ### Can I deploy Windows Hello for Business using System Center Configuration Manager?
 Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deploymnet model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager wil no long be supported after November 2018.
 ### What is the password-less strategy?
 Watch Senior Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
--- a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png
+++ b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gp-setting.png
--- a/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png
+++ b/windows/security/identity-protection/hello-for-business/images/multifactorUnlock/gpme.png
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ b/windows/security/identity-protection/hello-for-business/toc.md
@ -44,3 +44,4 @@
 #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md)
 ## [Windows Hello for Business Features](hello-features.md)
 ### [Multifactor Unlock](feature-multifactor-unlock.md)