diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml
index 6e7a2ccb42..7ee2caf174 100644
--- a/browsers/edge/group-policies/index.yml
+++ b/browsers/edge/group-policies/index.yml
@@ -92,7 +92,7 @@ sections:
- href: https://docs.microsoft.com/microsoft-edge/deploy/group-policies/developer-settings-gp
- html:
Learn how configure Microsoft Edge for development and testing.
+ html: Learn how to configure Microsoft Edge for development and testing.
image:
diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
index 58dfd6be9a..ce0f753466 100644
--- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
@@ -6,4 +6,4 @@ ms.prod: edge
ms:topic: include
---
-Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
\ No newline at end of file
+Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns on Windows Defender SmartScreen and prevent users from turning it off. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
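Review bot: The added sentence has a subject-verb mismatch in "turns on Windows Defender SmartScreen and prevent users from turning it off" ("prevent" should be "prevents"), and the last sentence still writes "Windows defender SmartScreen" with a lowercase "d". Because this edit inverts what the text says enabling the policy does (off becomes on), please confirm the new direction against the policy's actual behavior before merging; getting it backwards would lead admins to switch off phishing and malware protection. The front-matter context line reads "ms:topic: include" where another file in this patch uses "ms.topic"; worth checking in the same pass.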
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index 47c4caf92b..c6c5cf099e 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -43,7 +43,10 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
Installs the npm package manager and bulk adds all the third-party libraries back into your codebase.
-6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, and then build the entire solution.
+6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution.
+
+ >[!Note]
+ >Step 3 of this topic provides the steps to create your database.
7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
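Review bot: The rewritten step 6 packs four actions into one sentence and never says where in Web.config the two values live. The steps removed later in this patch identified the setting as the LOBMergedEntities connection string (Data source and Initial catalog); name it here, split the step into sub-steps, and format MSIT-LOB-COMPAT and LOBMerged as literals so they read as values to replace. "from EMIEWebPortal/ folder" is also missing "the".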
@@ -105,17 +108,6 @@ Create a new Application Pool and the website, by using the IIS Manager.
>[!Note]
>You must also make sure that **Anonymous Authentication** is marked as **Enabled**.
-10. Return to the **<website_name> Home** pane, and double-click the **Connection Strings** icon.
-
-11. Open the **LOBMergedEntities Connection String** to edit:
-
- - **Data source.** Type the name of your local computer.
-
- - **Initial catalog.** The name of your database.
-
- >[!Note]
- >Step 3 of this topic provides the steps to create your database.
-
## Step 3 - Create and prep your database
Create a SQL Server database and run our custom query to create the Enterprise Mode Site List tables.
@@ -229,4 +221,4 @@ Register the EMIEScheduler tool and service for production site list changes.
- [Enterprise Mode and the Enterprise Mode Site List](what-is-enterprise-mode.md)
-- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
\ No newline at end of file
+- [Use the Enterprise Mode Site List Manager tool or page](use-the-enterprise-mode-site-list-manager.md)
diff --git a/store-for-business/microsoft-store-for-business-overview.md b/store-for-business/microsoft-store-for-business-overview.md
index 0bf1fdc2d4..f6afc25250 100644
--- a/store-for-business/microsoft-store-for-business-overview.md
+++ b/store-for-business/microsoft-store-for-business-overview.md
@@ -28,8 +28,8 @@ Organizations or schools of any size can benefit from using Microsoft Store for
- **Scales to fit the size of your business** - For smaller businesses, with Azure AD accounts or Office 365 accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate Microsoft Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
- **Bulk app acquisition** - Acquire apps in volume from Microsoft Store for Business.
- **Centralized management** – Microsoft Store provides centralized management for inventory, billing, permissions, and order history. You can use Microsoft Store to view, manage and distribute items purchased from:
- - **Microsoft Store for Business** – Apps and subscriptions
- - **Microsoft Store for Education** – Apps and subscriptions
+ - **Microsoft Store for Business** – Apps acquired from Microsoft Store for Business
+ - **Microsoft Store for Education** – Apps acquired from Microsoft Store for Education
- **Office 365** – Subscriptions
- **Volume licensing** - Apps purchased with volume licensing
- **Private store** - Create a private store for your business that’s easily available from any Windows 10 device. Your private store is available from Microsoft Store on Windows 10, or with a browser on the Web. People in your organization can download apps from your organization's private store on Windows 10 devices.
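Review bot: The two replaced bullets now define each item by repeating its own name ("Microsoft Store for Business – Apps acquired from Microsoft Store for Business"), which adds no information, and they drop "subscriptions" without saying where Store subscriptions are managed instead. If subscriptions are intentionally out of scope, shorten the descriptions to "Apps"; otherwise keep the original wording.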
diff --git a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
index dca1b3b048..9a68fb9338 100644
--- a/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
+++ b/windows/application-management/app-v/appv-creating-and-managing-virtualized-applications.md
@@ -93,20 +93,11 @@ The following table lists the supported shell extensions:
Copy on write (CoW) file extensions allow App-V to dynamically write to specific locations contained in the virtual package while it is being used.
-The following table displays the file types that can exist in a virtual package under the VFS directory, but cannot be updated on the computer running the App-V client. All other files and directories can be modified.
+The following table displays the file types that can exist in a virtual package under the VFS directory, since App-V 5.1, but which cannot be updated on the computer running the App-V client. All other files and directories can be modified.
| File Type||||||
|---|---|---|---|---|---|
-| .acm | .asa | .asp | .aspx | .ax | .bat |
-| .cer | .chm | .clb | .cmd | .cnt | .cnv |
-| .com | .cpl | .cpx | .crt | .dll | .drv |
-| .esc | .exe | .fon | .grp | .hlp | .hta |
-| .ime | .inf | .ins | .isp | .its | .js |
-| .jse | .lnk | .msc | .msi | .msp | .mst |
-| .mui | .nls | .ocx | .pal | .pcd | .pif |
-| .reg | .scf | .scr | .sct | .shb | .shs |
-| .sys | .tlb | .tsp | .url | .vb | .vbe |
-| .vbs | .vsmacros | .ws | .wsf | .wsh | |
+| .com | .exe | .dll | .ocx | |
## Modifying an existing virtual application package
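Review bot: The new table row has five cells ("| .com | .exe | .dll | .ocx | |") under a six-column header, so it will not line up; with only four entries, drop the unused columns or use a short list. The phrase "since App-V 5.1" is wedged mid-sentence and leaves it unclear what applied before 5.1, so state the version scope in its own sentence. Since the list of write-protected types shrinks from dozens of executable and script extensions (.bat, .cmd, .js, .vbs, .msi and others) to four, and the text says all other files can be modified, call out explicitly that those other types are now writable on the client, because that changes how admins should reason about tampering with package contents.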
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 24e4a9039a..b79c6c1219 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -108,6 +108,15 @@ Requirements:
- Ensure that PCs belong to same computer group.
1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
+ >[!Note]
+ >If you do not see the policy, it may be caused because you don’t have the ADMX installed for Windows 10, version 1803. To fix the issue, follow these steps:
+ > 1. Download [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)
+](https://www.microsoft.com/en-us/download/details.aspx?id=56880).
+ > 2. Install the package on the Primary Domain Controller.
+ > 3. Navigate to the folder **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**.
+ > 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**.
+ > 5. Restart the Primary Domain Controller for the policy to be available.
+
2. Create a Security Group for the PCs.
3. Link the GPO.
4. Filter using Security Groups.
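Review bot: The link in step 1 of the added note is split across two lines, with the label ending on one line and "](https://www.microsoft.com/en-us/download/details.aspx?id=56880)" starting the next, so the Markdown link will not render; keep the label and URL on one line. "it may be caused because you don't have the ADMX installed" should read along the lines of "it may be because the ADMX templates for Windows 10, version 1803 are not installed". Step 4 says "Copy policy definitions folder" without giving the folder's exact name or saying whether it replaces or merges with what is already at the destination; spell both out, since SYSVOL content is replicated to every domain controller.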
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index b1594d5d38..dc9a2c4e0c 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -24,12 +24,6 @@ ms.date: 06/26/2018
LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts
-
- LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus
-
-
- LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus
-
LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
@@ -255,131 +249,6 @@ The following list shows the supported values:
-
-**LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus**
-
-
-
-
- Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- Mobile Enterprise |
-
-
-  |
- 3 |
- 3 |
- 3 |
- 3 |
-  |
-  |
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This security setting determines whether the local Administrator account is enabled or disabled.
-
-If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password.
-Disabling the Administrator account can become a maintenance issue under certain circumstances.
-
-Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled.
-
-Default: Disabled.
-
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
-
-GP Info:
-- GP English name: *Accounts: Administrator account status*
-- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
-
-Valid values:
-- 0 - local Administrator account is disabled
-- 1 - local Administrator account is enabled
-
-
-
-
-
-
-
-**LocalPoliciesSecurityOptions/Accounts_EnableGuestAccountStatus**
-
-
-
-
- Home |
- Pro |
- Business |
- Enterprise |
- Education |
- Mobile |
- Mobile Enterprise |
-
-
-  |
- 3 |
- 3 |
- 3 |
- 3 |
-  |
-  |
-
-
-
-
-
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-
-
-
-
-This security setting determines if the Guest account is enabled or disabled.
-
-Default: Disabled.
-
-Note: If the Guest account is disabled and the security option Network Access: Sharing and Security Model for local accounts is set to Guest Only, network logons, such as those performed by the Microsoft Network Server (SMB Service), will fail.
-
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
-
-
-
-GP Info:
-- GP English name: *Accounts: Guest account status*
-- GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-
-
-Valid values:
-- 0 - local Guest account is disabled
-- 1 - local Guest account is enabled
-
-
-
-
-
-
**LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly**
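Review bot: The removal of Accounts_EnableAdministratorAccountStatus and Accounts_EnableGuestAccountStatus (here and in the index hunk above) leaves no trace of why they are gone. If the policies are no longer supported by the CSP, say so in a short note or change-history entry so admins who already deploy them know whether the built-in Administrator and Guest account state is still being enforced; if only the documentation is being withdrawn, explain that in the commit message. Also check for inbound links to the two removed entries.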
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index c29f399bba..bab10f57b6 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -280,7 +280,7 @@ Additionally, users may see blank tiles if logon was attempted without network c
### Symptom: Start Menu issues with Tile Data Layer corruption
-**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database.
+**Cause**: Windows 10, version 1507 through the release of version 1607 uses a database for the Tile image information. This is called the Tile Data Layer database (The feature was deprecated in [Windows 10 1703](https://support.microsoft.com/help/4014193/features-that-are-removed-or-deprecated-in-windows-10-creators-update)).
**Resolution** There are steps you can take to fix the icons, first is to confirm that is the issue that needs to be addressed.
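Review bot: The added parenthetical sits inside the sentence but starts with a capital letter and leaves the period after the closing parenthesis ("database (The feature was deprecated in ...)."); make it a separate sentence. It also writes "Windows 10 1703" where the same paragraph uses the form "Windows 10, version 1507", so use "Windows 10, version 1703".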
diff --git a/windows/deployment/planning/windows-10-deployment-considerations.md b/windows/deployment/planning/windows-10-deployment-considerations.md
index bb0ad7f659..99f0aa2457 100644
--- a/windows/deployment/planning/windows-10-deployment-considerations.md
+++ b/windows/deployment/planning/windows-10-deployment-considerations.md
@@ -111,7 +111,7 @@ In either of these scenarios, you can make a variety of configuration changes to
## Stay up to date
-For computers already running Windows 10 on the Current Branch or Current Branch for Business, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods:
+For computers already running Windows 10 on the Semi-Annual Channel, new upgrades will periodically be deployed, approximately two to three times per year. You can deploy these upgrades by using a variety of methods:
- Windows Update or Windows Update for Business, for devices where you want to receive updates directly from the Internet.
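Review bot: "Semi-Annual Channel" in the new line now sits next to "approximately two to three times per year", which contradicts the channel name. Update the cadence wording to match the new servicing term, or confirm the figure is still intended.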
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index be96b68e59..19a38e1f89 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -85,13 +85,13 @@ Starting with Windows 10, version 1709, the Windows Update for Business settings
| Manage Windows Insider Preview builds | System/AllowBuildPreview | Update/ManagePreviewBuilds |
| Manage when updates are received | Select when Feature Updates are received | Select when Preview Builds and Feature Updates are received (Update/BranchReadinessLevel) |
-## Managing Windows Update for Business with Software Center Configuration Manager
+## Managing Windows Update for Business with System Center Configuration Manager
-Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within Software Center Configuration Manager.
+Starting with Windows 10, version 1709, you can assign a collection of devices to have dual scan enabled and manage that collection with Windows Update for Business policies. Starting with Windows 10, version 1809, you can set a collection of devices to receive the Windows Insider Preview Feature Updates from Windows Update from within System Center Configuration Manager.
| Action | Windows 10 versions between 1709 and 1809 | Windows 10 versions after 1809 |
| --- | --- | --- |
-| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within Software Center Configuration Manager |
+| Manage Windows Update for Business in Configuration Manager | Manage Feature or Quality Updates with Windows Update for Business via Dual Scan | Manage Insider pre-release builds with Windows Update for Business within System Center Configuration Manager |
## Managing Windows Update for Business with Windows Settings options
Windows Settings includes options to control certain Windows Update for Business features:
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 1b021674ca..3b2cb8c678 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -12,21 +12,24 @@ ms.localizationpriority: medium
ms.topic: article
---
-# Windows error reporting
+# Windows Error Reporting
**Applies to**
- Windows 10
>[!NOTE]
->This is a 300 level topic (moderately advanced).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+> This is a 300 level topic (moderately advanced).
+> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
When Windows Setup fails, the result and extend code are recorded as an informational event in the Application log by Windows Error Reporting as event 1001. The event name is **WinSetupDiag02**. You can use Event Viewer to review this event, or you can use Windows PowerShell.
To use Windows PowerShell, type the following commands from an elevated Windows PowerShell prompt:
-```
+>[!IMPORTANT]
+>}The following source will be available only if you have updated from a previous version of Windows 10 to a new version. If you installed the current version and have not updated, the source named **WinSetupDiag02** will be unavailable.
+
+```Powershell
$events = Get-WinEvent -FilterHashtable @{LogName="Application";ID="1001";Data="WinSetupDiag02"}
$event = [xml]$events[0].ToXml()
$event.Event.EventData.Data
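Review bot: The added IMPORTANT line begins with a stray brace (">}The following source will be available only if ...") that will show up in the rendered note; remove it. The note is also inserted between "type the following commands" and the code block, which separates the lead-in from the commands; move it above that sentence or below the block. The fence tag is written "Powershell"; use lowercase "powershell" to match the usual language identifier. Given the condition the note describes, it would help to say what the reader sees when the source is absent (no matching events), since the sample indexes $events[0] directly.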
@@ -40,19 +43,20 @@ To use Event Viewer:
Note: For legacy operating systems, the Event Name was WinSetupDiag01.
Ten parameters are listed in the event:
-
-
-P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) |
-P2: Setup Mode (x=default,1=Downlevel,5=Rollback) |
-P3: New OS Architecture (x=default,0=X86,9=AMD64) |
-P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) |
-P5: Result Error Code (Ex: 0xc1900101) |
-P6: Extend Error Code (Ex: 0x20017) |
-P7: Source OS build (Ex: 9600) |
-P8: Source OS branch (not typically available) |
-P9: New OS build (Ex: 16299} |
-P10: New OS branch (Ex: rs3_release} |
-
+
+| Parameters |
+| ------------- |
+|P1: The Setup Scenario (1=Media,5=WindowsUpdate,7=Media Creation Tool) |
+|P2: Setup Mode (x=default,1=Downlevel,5=Rollback) |
+|P3: New OS Architecture (x=default,0=X86,9=AMD64) |
+|P4: Install Result (x=default,0=Success,1=Failure,2=Cancel,3=Blocked) |
+|**P5: Result Error Code** (Ex: 0xc1900101) |
+|**P6: Extend Error Code** (Ex: 0x20017) |
+|P7: Source OS build (Ex: 9600) |
+|P8: Source OS branch (not typically available) |
+|P9: New OS build (Ex: 16299} |
+|P10: New OS branch (Ex: rs3_release} |
+
The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
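Review bot: The P9 and P10 rows carry over mismatched delimiters from the old text, "(Ex: 16299}" and "(Ex: rs3_release}"; close both with ")". P5 and P6 are now bold with no explanation of why they are singled out; add a sentence saying these two are the codes to look up when diagnosing a failed upgrade, or drop the emphasis. A two-column table (parameter, meaning and values) would use the new table markup better than a single "Parameters" column.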
@@ -60,8 +64,8 @@ The event will also contain links to log files that can be used to perform a det
## Related topics
-[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
-
[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
-
[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
-
[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
-
[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
+[Windows 10 FAQ for IT professionals](https://technet.microsoft.com/windows/dn798755.aspx)
+[Windows 10 Enterprise system requirements](https://technet.microsoft.com/windows/dn798752.aspx)
+[Windows 10 Specifications](https://www.microsoft.com/en-us/windows/Windows-10-specifications)
+[Windows 10 IT pro forums](https://social.technet.microsoft.com/Forums/en-US/home?category=Windows10ITPro)
+[Fix Windows Update errors by using the DISM or System Update Readiness tool](https://support.microsoft.com/kb/947821)
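Review bot: With the blank lines between the five links removed, consecutive lines are treated as one paragraph in Markdown unless each ends with a hard line break, so the related topics are likely to run together on a single line. Make them a bullet list ("- [Windows 10 FAQ for IT professionals](...)") so the layout does not depend on invisible trailing whitespace.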
diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md
index 3090160049..15e9ea1b2d 100644
--- a/windows/deployment/usmt/usmt-scanstate-syntax.md
+++ b/windows/deployment/usmt/usmt-scanstate-syntax.md
@@ -455,9 +455,9 @@ By default, all users are migrated. The only way to specify which users to inclu
USMT migrates all user accounts on the computer, unless you specifically exclude an account with either the /ue or /uel options. For this reason, you do not need to specify this option on the command line. However, if you choose to specify the /all option, you cannot also use the /ui, /ue or /uel options.
-/ui:<DomainName>\<UserName>
+ | /ui:<DomainName>\<UserName>
or
-/ui:<ComputerName>\<LocalUserName> |
+/ui:<ComputerName>\<LocalUserName>
(User include)
Migrates the specified users. By default, all users are included in the migration. Therefore, this option is helpful only when used with the /ue or /uel options. You can specify multiple /ui options, but you cannot use the /ui option with the /all option. DomainName and UserName can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you will need to surround it with quotation marks.
@@ -469,10 +469,10 @@ By default, all users are migrated. The only way to specify which users to inclu
For example:
-To include only User2 from the Fabrikam domain, type:
-/ue:*\* /ui:fabrikam\user2
-To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30Â days, type:
-/uel:30 /ui:fabrikam\*
+To include only User2 from the Fabrikam domain, type:
+/ue:*\* /ui:fabrikam\user2
+To migrate all users from the Fabrikam domain, and only the user accounts from other domains that have been active or otherwise modified in the last 30Â days, type:
+/uel:30 /ui:fabrikam\*
In this example, a user account from the Contoso domain that was last modified 2Â months ago will not be migrated.
For more examples, see the descriptions of the /ue and /ui options in this table. |
@@ -500,17 +500,17 @@ By default, all users are migrated. The only way to specify which users to inclu
/uel:2002/1/15 migrates users who have logged on or been modified January 15, 2002 or afterwards.
For example:
-scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0
+scanstate /i:migapp.xml /i:migdocs.xml \\server\share\migration\mystore /uel:0
-/ue:<DomainName>\<UserName>
+ | /ue:<DomainName>\<UserName>
-or-
-/ue:<ComputerName>\<LocalUserName> |
+/ue:<ComputerName>\<LocalUserName>
(User exclude)
Excludes the specified users from the migration. You can specify multiple /ue options. You cannot use this option with the /all option. <DomainName> and <UserName> can contain the asterisk (*) wildcard character. When you specify a user name that contains spaces, you need to surround it with quotation marks.
For example:
-scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1
|
+scanstate /i:migdocs.xml /i:migapp.xml \\server\share\migration\mystore /ue:contoso\user1
@@ -548,15 +548,15 @@ The following examples apply to both the /**ui** and /**ue** options. You can re
Exclude all domain users. |
-/ue:Domain\*
|
+/ue:Domain\*
|
Exclude all local users. |
-/ue:%computername%\*
|
+/ue:%computername%\*
|
Exclude users in all domains named User1, User2, and so on. |
-/ue:*\user*
|
+/ue:*\user*
|
@@ -586,23 +586,23 @@ The /**uel** option takes precedence over the /**ue** option. If a user has logg
Include only User2 from the Fabrikam domain and exclude all other users. |
-/ue:*\* /ui:fabrikam\user2
|
+/ue:*\* /ui:fabrikam\user2
|
Include only the local user named User1 and exclude all other users. |
-/ue:*\* /ui:user1
|
+/ue:*\* /ui:user1
|
Include only the domain users from Contoso, except Contoso\User1. |
This behavior cannot be completed using a single command. Instead, to migrate this set of users, you will need to specify the following:
-On the ScanState command line, type: /ue:*\* /ui:contoso\*
+On the ScanState command line, type: /ue:*\* /ui:contoso\*
On the LoadState command line, type: /ue:contoso\user1
|
Include only local (non-domain) users. |
-/ue:*\* /ui:%computername%\*
|
+/ue:*\* /ui:%computername%\*
|
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 58d06760a9..11f72817b6 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -158,7 +158,7 @@ The following table lists management options for each setting, beginning with Wi
| [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
-| [27.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
+| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
| [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
| [28. Windows Update](#bkmk-wu) |  |  |  | | |
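Review bot: The renumbered "26.1 Apps for websites" row still has one cell fewer than the rows around it (four cells after the link, against five for "26. Microsoft Store" and "27. Windows Update Delivery Optimization"), so the last column is missing for that row; add the trailing cell while touching the line. Please also confirm that the section heading behind #bkmk-apps-for-websites is renumbered to 26.1 in the same change, so the table and the body agree.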
@@ -186,7 +186,7 @@ See the following table for a summary of the management settings for Windows Ser
| [20. Teredo](#bkmk-teredo) | |  |  |  |
| [24. Windows Defender](#bkmk-defender) | |  |  | |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  | |
-| [27.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
+| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
| [28. Windows Update](#bkmk-wu) | |  |  | |
### Settings for Windows Server 2016 Server Core
@@ -268,7 +268,7 @@ See the following table for a summary of the management settings for Windows Ser
| [24.1 Windows Defender Smartscreen](#bkmk-defender-smartscreen) | |  |  |  | |
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |  | |
| [26. Microsoft Store](#bkmk-windowsstore) | |  | |  | |
-| [27.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
+| [26.1 Apps for websites](#bkmk-apps-for-websites) | |  | | |
| [27. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |  | |
| [28. Windows Update](#bkmk-wu) |  |  |  | | |
@@ -768,7 +768,9 @@ To remove the News app:
- Right-click the app in Start, and then click **Uninstall**.
-or-
-
+>[!IMPORTANT]
+> If you have any issues with these commands, do a system reboot and try the scripts again.
+>
- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
-and-
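Review bot: The IMPORTANT note is inserted between "-or-" and the list item it connects, so the "-or-" now appears to introduce the note rather than the alternative removal method; move the note above the first option or after the last command. It also ends with an empty ">" line and refers to "these commands" and "the scripts" in the same sentence; pick one term.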
diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md
index 38c26d9546..18d956384e 100644
--- a/windows/security/identity-protection/access-control/microsoft-accounts.md
+++ b/windows/security/identity-protection/access-control/microsoft-accounts.md
@@ -22,7 +22,7 @@ ms.date: 10/13/2017
This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization.
-Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a mean of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
+Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password.
When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices.
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index f1d2d6408b..01b67c4951 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -252,7 +252,7 @@ Contains numeric value ranging from 0 to 100 to represent the wireless network's
80
```
-### Sample Trusted Signal Congfigurations
+### Sample Trusted Signal Configurations
These examples are wrapped for readability. Once properly formatted, the entire XML contents must be a single line.
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index d0801276dd..697dd4ad39 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -66,7 +66,7 @@ Sign-in a domain controller or management workstation with domain administrator
The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate.
-Sign-in a domain controller or management workstation with domain administrator equivalent credentials.
+Sign into a domain controller or management workstation with domain administrator equivalent credentials.
1. Open **Active Directory Users and Computers**.
2. Click **View** and click **Advanced Features**.
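Review bot: "Sign into a domain controller" should be "Sign in to a domain controller"; "sign in" is the verb and "to" belongs to the object. The hunk header shows the same "Sign-in a domain controller or management workstation with domain administrator" wording earlier in this file, which this change leaves untouched; fix both occurrences together so the procedure reads consistently.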
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
index db3e667888..36d5b85373 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md
@@ -42,7 +42,7 @@ A lab or proof-of-concept environment does not need high-availability or scalabi
Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server.
>[!IMPORTANT]
->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article.
+>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article.
Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 23eed38ace..e47e1f7c3d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -67,7 +67,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.|
|D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.|
> [!IMPORTANT]
-> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
+> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
@@ -87,7 +87,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
|F | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.|
> [!IMPORTANT]
-> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
+> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory.
[Return to top](#windows-hello-for-business-provisioning)
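Review bot: The phase H context row still says "installs the it into the Personal store", which this typo pass leaves untouched; drop the stray "the". The two rows visible here are lettered H and then F, so check the phase letters against the diagram while this table is open.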
@@ -104,12 +104,12 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
> [!IMPORTANT]
-> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
+> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
[Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
-
+
| Phase | Description |
| :----: | :----------- |
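Review bot: In the added IMPORTANT note, "Users can sign-in using the certificate" uses the hyphenated noun as a verb; it should read "Users can sign in using the certificate". The removed and added empty lines under the "## Hybrid Azure AD joined provisioning ..." heading are a whitespace-only change; keep it out of the patch unless it is intentional.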
@@ -121,7 +121,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
> [!IMPORTANT]
-> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow.
+> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow.
[Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Key Trust deployment
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
index 4ef877a48b..290b025714 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -43,6 +43,6 @@ Provision can occur automatically through the out-of-box-experience (OOBE) on Az
## Authentication
-Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is avaiable on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
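Review bot: The replacement paragraph fixes "avaiable" but keeps two sentences that blur the security claim. "With the device registered, and provisioning complete. Users can sign-in ..." is a fragment split from its main clause, and "The PIN nor the private portion of the credential are never sent to the identity provider" is a double negative. Suggest "With the device registered and provisioning complete, users can sign in ..." and "Neither the PIN nor the private portion of the credential is ever sent to the identity provider", so the statement that these values are not sent to the identity provider reads unambiguously.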
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index d12e00c028..99026497a4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -24,6 +24,7 @@ ms.date: 10/08/2018
- [Azure AD Registered](#azure-ad-registered)
- [Certificate Trust](#certificate-trust)
- [Cloud Deployment](#cloud-deployment)
+- [Cloud Experience Host](#cloud-experience-host)
- [Deployment Type](#deployment-type)
- [Endorsement Key](#endorsement-key)
- [Federated Environment](#federated-environment)
@@ -99,6 +100,17 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations
[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type)
[Return to Top](hello-how-it-works-technology.md)
+## Cloud Experience Host
+In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
+
+### Related topics
+[Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification), [Managed Windows Hello in Organization](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-manage-in-organization)
+
+### More information
+- [Windows Hello for Business and Device Registration](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration)
+
+[Return to Top](hello-how-it-works-technology.md)
+
## Deployment Type
Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include:
- Cloud
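Review bot: The new Cloud Experience Host section links to articles in this same folder with absolute https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/... URLs, while its own "Return to Top" line and the neighbouring section use relative links such as hello-how-it-works-technology.md. Use relative .md links for the three targets so the file follows one convention. The description is also addressed to the end user ("collect information about you (including your location)") in a glossary written for administrators; consider stating it in terms of what the organization can manage on an enrolled device.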
@@ -316,6 +328,4 @@ In a simplified manner, the TPM is a passive component with limited resources. I
-
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index b571ee817f..130f1fba84 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -69,8 +69,8 @@ To include the on-premises distinguished name in the certificate's subject, Azur
### Verify AAD Connect version
Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
-1. Open **Syncrhonization Services** from the **Azure AD Connect** folder.
-2. In the **Syncrhonization Service Manager**, click **Help** and then click **About**.
+1. Open **Synchronization Services** from the **Azure AD Connect** folder.
+2. In the **Synchronization Service Manager**, click **Help** and then click **About**.
3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized
@@ -172,7 +172,7 @@ You must prepare the public key infrastructure and the issuing certificate autho
When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue.
> [!NOTE]
-> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate. Without this configuiration, the certificate request uses the validity period configured in the certificate template.
+> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate. Without this configuration, the certificate request uses the validity period configured in the certificate template.
Sign-in to the issuing certificate authority with access equivalent to _local administrator_.
@@ -222,7 +222,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
> [!Important]
-> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that cerificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
+> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that certificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
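Review bot: The added line still mixes singular and plural: "You need to publish that certificate templates to that issuing certificate authority", and earlier "the **AADJ WHFB Authentication** certificate templates". Only one template is named, so both should be singular, for example "publish that certificate template to that issuing certificate authority".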
@@ -373,7 +373,7 @@ where **registryValueName** is one of the three value names from the above table
5. Close the command prompt.
> [!IMPORTANT]
-> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certifcates Templates** management console (certtmpl.msc).
+> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certificates Templates** management console (certtmpl.msc).
### Create a Web Application Proxy for the internal NDES URL.
Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services.
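Review bot: The corrected label on the added line reads "**Certificates Templates** management console (certtmpl.msc)", but the snap-in that certtmpl.msc opens is titled Certificate Templates. Since the text is bolded as a UI label, use "**Certificate Templates**" so it matches what the administrator sees.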
@@ -425,7 +425,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Configure an app**.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
-6. Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the internal DNS name of the NDES server and ensure you prefix the Url with **https**.
+6. Next to **Internal Url**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).

8. Select **Passthrough** from the **Pre Authentication** list.
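Review bot: Step 6 on the added line changes the instruction, not just the wording: "This must match the internal DNS name of the NDES server" becomes "You need to match the primary host name (AD Computer Account name) of the NDES server". That is a technical change inside a spelling pass, so it should be confirmed by the feature owner and called out in the commit message. The added line also keeps the unbalanced ")" after https://ndes.corp.mstepdemo.net. In the step 7 context, the text opens with "Under **Internal Url**" while describing the external hostname, and the suffix is spelled both msapproxy.net and msappproxy.net; both are worth fixing in the same pass.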
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index 005677d027..949ab5c623 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -74,7 +74,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: Active Directory (*You are here*)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 5784150435..026d6bff2c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -73,7 +73,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: AD FS (*You are here*)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index 9333aeef18..26da9ec608 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -79,7 +79,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 59da54619d..0e8e0b0ee3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -203,7 +203,7 @@ Sign-in to the certificate authority or management workstation with _Enterprise
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business settings: PKI (*You are here*)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 621cb9ab0b..c62c048027 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -197,7 +197,7 @@ Users must receive the Windows Hello for Business group policy settings and have
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
5. Configure Windows Hello for Business policy settings (*You are here*)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index e7e22f7c8f..dd447eb2b1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -27,7 +27,7 @@ Hybrid environments are distributed systems that enable organizations to use on-
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
-* [Public Key Infrastucture](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infastructure)
* [Directory Synchronization](#directory-synchronization)
* [Federation](#federation)
* [MultiFactor Authentication](#multifactor-authentication)
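Review bot: Only the link text is corrected on the added line; the fragment is still #public-key-infastructure. If the target heading in this file is spelled "Public Key Infrastructure", the in-page link does not resolve and the fragment should become #public-key-infrastructure; if the heading itself carries the typo, fix the heading and the fragment together.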
@@ -118,9 +118,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
### Next Steps ###
-Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**.
+Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.
-For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**.
+For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**.
For federated and non-federated environments, start with **Configure Windows Hello for Business settings**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index ce9f57fac1..7408c60b57 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -58,7 +58,7 @@ Sign-in a domain controller or management workstation with *Domain Admin* equiva
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
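Review bot: Item 1 in the context, "[Overview](hello-hybrid-cert-trust.md)", sits in the hybrid key trust guide, where the other visible items all point at hello-hybrid-key-* files. Confirm whether the Overview link should target the key trust overview instead of the certificate trust one. The same list appears in the other hello-hybrid-key-whfb-settings files touched by this patch.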
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index 3f6e263084..d8aa1c79aa 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -55,7 +55,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 92f7ec3365..aca13f5300 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -168,7 +168,7 @@ Users must receive the Windows Hello for Business group policy settings and have
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 5aaee3a860..f7b76f34e8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -45,7 +45,7 @@ For the most efficient deployment, configure these technologies in order beginni
## Follow the Windows Hello for Business hybrid key trust deployment guide
1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 842cb0b7bb..c40587d323 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -63,6 +63,8 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
+> **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/)
+
## DS Access
DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (ADÂ DS). These audit events are logged only on domain controllers. This category includes the following subcategories:
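Review bot: The added note does not tell the reader what the link covers: "For more information, see [Security Monitoring]" follows the Detailed Tracking list, while the URL slug shows the post is about detecting privilege escalation. Name that topic in the link text and end the sentence with a period. The target is an individual blog under blogs.technet.microsoft.com rather than a docs article, so confirm it is a stable reference before linking it from the audit policy page.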
@@ -90,7 +92,7 @@ Logon/Logoff security policy settings and audit events allow you to track attemp
## Object Access
-Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate object Aaccess auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
+Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the file system subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses.
Proving that these audit policies are in effect to an external auditor is more difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see [Global Object Access Auditing](#global-object-access-auditing).
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index b56a7a46b9..bdf572c022 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -23,7 +23,7 @@ Using configurable code integrity to restrict devices to only authorized apps ha
1. Configurable code integrity policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run.
2. Configurable code integrity allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows.
-3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privledge, or malicious software that managed to gain administrative privilege, to alter the application control policy.
+3. Customers can protect the configurable code integrity policy even from local administrator tampering by digitally signing the policy. This would mean that changing the policy would require both administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker with administrative privilege, or malicious software that managed to gain administrative privilege, to alter the application control policy.
4. The entire configurable code integrity enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable code integrity or any other application control solution.
## (Re-)Introducing Windows Defender Application Control
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 0cc19e576d..5a53eca835 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -122,7 +122,7 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio
1. Open the Windows Security app by clicking the shield icon in the task bar.
-2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**:
+2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Manage Settings** under **Virus & threat protection settings**:

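Review bot: In step 2, "**Manage Settings**" is bolded as a literal UI label, so its casing has to match the app exactly; please confirm against the Windows Security app whether the link reads "Manage settings" before merging. The step also still ends with a colon, which implies a screenshot follows, so check that the image shows the link the text now names.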
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
index 8be213c70e..2e9c8a2adc 100644
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md
@@ -70,3 +70,9 @@ Answering frequently asked questions about Windows Defender Application Guard (A
|**Q:** |What is the WDAGUtilityAccount local account?|
|**A:** |This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.|
+
+| | |
+|---|----------------------------|
+|**Q:** |How do I trust a subdomain in my site list?|
+|**A:** |To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com.|
+
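Review bot: The new answer gives the example as bare text, "..contoso.com.", where the two leading dots and the sentence's closing period are easy to read as a typo or an ellipsis. Put the value in inline code and keep the sentence's period outside it. The answer also says "a subdomain" without stating what the entry matches: because this is a trust list, say whether ..contoso.com trusts every subdomain of contoso.com and whether contoso.com itself is included, so administrators do not trust more hosts than they intend.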
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
index 61d6e8a22e..7f42138a1b 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md
@@ -33,7 +33,7 @@ You can add tags on machines using the following ways:
- By setting a registry key value
- By using the portal
-## Add machine tags by setting a registry key value
+## Add machine tags by setting a registry key value
Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
>[!NOTE]