Merge remote-tracking branch 'refs/remotes/origin/master' into jd-sandbox

mdop/appv-v5/creating-and-managing-app-v-51-virtualized-applications.md

@@ -18,6 +18,9 @@ After you have properly deployed the Microsoft Application Virtualization (App-V
 **Note**  
 For more information about configuring the App-V 5.1 sequencer, sequencing best practices, and an example of creating and updating a virtual application, see the [Microsoft Application Virtualization 5.0 Sequencing Guide](http://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V 5.0 Sequencing Guide.docx).
 
+**Note**  
+The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
+
 ## Sequencing an application
 
 

mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md

@@ -56,6 +56,9 @@ ms.prod: w10
 
     -   If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume.
 
+**Note**  
+The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
+
 **To sequence a new standard application**
 
 1.  On the computer that runs the sequencer, click **All Programs**, and then Click **Microsoft Application Virtualization**, and then click **Microsoft Application Virtualization Sequencer**.

mdop/appv-v5/release-notes-for-app-v-51.md

@@ -136,6 +136,13 @@ App-V 5.1 does not support Visual Studio 2012.
 
 **Workaround**: None
 
+## Application filename restrictions for App-V 5.x Sequencer
+
+
+The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_<x>" where x is any numeral. Error 0x8007139F will be generated.
+
+**Workaround**: Use a different filename
+
 ## Got a suggestion for App-V?
 
 

windows/keep-secure/bitlocker-overview.md

@@ -77,3 +77,5 @@ When installing the BitLocker optional component on a server you will also need
 | [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
 | [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
 | [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.| 
+
+If you're looking for info on how to use it with Windows 10 IoT Core, see [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/win10/SB_BL.htm).

windows/keep-secure/credential-guard.md

@@ -236,7 +236,7 @@ You can use System Information to ensure that Credential Guard is running on a P
 -   As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malwar efrom taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
 -   If you are using Wi-Fi and VPN end points that are based on MS-CHAPv2, they are subject to similar attacks as NTLMv1. We recommend that organizations use certificated-based authentication for Wi-Fi and VPN connections.
 -   Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
-    -   Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password.
+    -   Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
     -   Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
     -   You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
 
@@ -254,6 +254,10 @@ Some ways to store credentials are not protected by Credential Guard, including:
 -   Key loggers
 -   Physical attacks
 -   Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access high value assets in your organization.
+-   Third-party security packages
+-   Digest and CredSSP credentials
+    -   When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
+-   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
 
 ## Additional mitigations