Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10. Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic Enterprise when you apply the Enterprise license file to the device. |  |
Microsoft HoloLens is the first fully self-contained holographic computer running Windows 10. Microsoft HoloLens is available in the **Development Edition**, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the **Commercial Suite**, which runs Windows Holographic for Business when you apply the Enterprise license file to the device. |  |
Microsoft SQL Server 2014
Standard, Enterprise, or Datacenter
SP2
64-bit
Microsoft SQL Server 2014
Standard, Enterprise, or Datacenter
| Exit code | Meaning | Suggested fix + |
|---|---|---|
| 0 | Success | + |
| 1 | Unexpected error occurred while executing the script | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. + |
| 2 | Error when logging to console. $logMode = 0. | Try changing the $logMode value to **1** and try again. + |
| 3 | Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + |
| 4 | Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + |
| 5 | Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. + |
| 6 | The commercialID parameter is set to unknown. Modify the script. | Set the value for CommercialID in runconfig.bat file. + |
| 8 | Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. | Verify that the configuration script has access to this location. + |
| 9 | Error when writing CommercialId to registry. | Verify that the configuration script has access to this location. + |
| 10 | Error when writing CommercialDataOptIn to registry. | Verify that the configuration script has access to this location. + |
| 11 | Function -SetupCommercialId: Unexpected failure. | Verify that the configuration script has access to this location. + |
| 12 | Can’t connect to Microsoft – Vortex. Check your network/proxy settings. | Verify that the required endpoints are whitelisted correctly. + |
| 13 | Can’t connect to Microsoft – setting. | Verify that the required endpoints are whitelisted correctly. + |
| 14 | Can’t connect to Microsoft – compatexchange. | Verify that the required endpoints are whitelisted. + |
| 15 | Error connecting to Microsoft:Unexpected failure. | + |
| 16 | Machine requires reboot. | The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. + |
| 17 | Function -CheckRebootRequired: Unexpected failure. | The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. + |
| 18 | Outdated compatibility update KB package. Update via Windows Update/WSUS. | +The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1. + |
| 19 | The compatibility update failed with unexpected exception. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. + |
| 20 | Error writing RequestAllAppraiserVersions registry key. | This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. + |
| 21 | Function – SetRequestAllAppraiserVersions: Unexpected failure. | This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. + |
| 22 | RunAppraiser failed with unexpected exception. | Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file. + |
| 23 | Error finding system variable %WINDIR%. | Make sure that this environment variable is available on the machine. + |
| 24 | SetIEDataOptIn failed when writing IEDataOptIn to registry. | Verify that the deployment script in running in a context that has access to the registry key. + |
| 25 | SetIEDataOptIn failed with unexpected exception. | The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. + |
| 26 | The operating system is Server or LTSB SKU. | The script does not support Server or LTSB SKUs. + |
| 27 | The script is not running under System account. | The Upgrade Analytics configuration script must be run as system. + |
| 28 | Could not create log file at the specified logPath. | Make sure the deployment script has access to the location specified in the logPath parameter. + |
| 29 | Connectivity check failed for proxy authentication. | Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). + |
| 30 | Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. | The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). + |
| 31 | There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. | Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script. +**The Upgrade Analytics task is scheduled to run daily at 3 a.m.** + |
| Exit code | Meaning | Suggested fix - |
|---|---|---|
| 0 | Success | - |
| 1 | Unexpected error occurred while executing the script | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. - |
| 2 | Error when logging to console. $logMode = 0. | Try changing the $logMode value to **1** and try again. - |
| 3 | Error when logging to console and file. $logMode = 1. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. - |
| 4 | Error when logging to file. $logMode = 2. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. - |
| 5 | Error when logging to console and file. $logMode = unknown. | Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. - |
| 6 | The commercialID parameter is set to unknown. Modify the script. | Set the value for CommercialID in runconfig.bat file. - |
| 8 | Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. | Verify that the configuration script has access to this location. - |
| 9 | Error when writing CommercialId to registry. | Verify that the configuration script has access to this location. - |
| 10 | Error when writing CommercialDataOptIn to registry. | Verify that the configuration script has access to this location. - |
| 11 | Function -SetupCommercialId: Unexpected failure. | Verify that the configuration script has access to this location. - |
| 12 | Can’t connect to Microsoft – Vortex. Check your network/proxy settings. | Verify that the required endpoints are whitelisted correctly. - |
| 13 | Can’t connect to Microsoft – setting. | Verify that the required endpoints are whitelisted correctly. - |
| 14 | Can’t connect to Microsoft – compatexchange. | Verify that the required endpoints are whitelisted. - |
| 15 | Error connecting to Microsoft:Unexpected failure. | - |
| 16 | Machine requires reboot. | The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. - |
| 17 | Function -CheckRebootRequired: Unexpected failure. | The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. - |
| 18 | Outdated compatibility update KB package. Update via Windows Update/WSUS. | -The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1. - |
| 19 | The compatibility update failed with unexpected exception. | The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again. - |
| 20 | Error writing RequestAllAppraiserVersions registry key. | This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. - |
| 21 | Function – SetRequestAllAppraiserVersions: Unexpected failure. | This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. - |
| 22 | RunAppraiser failed with unexpected exception. | Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file. - |
| 23 | Error finding system variable %WINDIR%. | Make sure that this environment variable is available on the machine. - |
| 24 | SetIEDataOptIn failed when writing IEDataOptIn to registry. | Verify that the deployment script in running in a context that has access to the registry key. - |
| 25 | SetIEDataOptIn failed with unexpected exception. | The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. - |
| 26 | The operating system is Server or LTSB SKU. | The script does not support Server or LTSB SKUs. - |
| 27 | The script is not running under System account. | The Upgrade Analytics configuration script must be run as system. - |
| 28 | Could not create log file at the specified logPath. | Make sure the deployment script has access to the location specified in the logPath parameter. - |
| 29 | Connectivity check failed for proxy authentication. | Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). - |
| 30 | Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. | The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). - |
| 31 | There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. | Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script. -**The Upgrade Analytics task is scheduled to run daily at 3 a.m.** - |
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V –All- This command works on all operating systems that support Hyper-V. + This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: + +
Install-WindowsFeature -Name Hyper-V -IncludeManagementToolsWhen you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt. @@ -211,7 +213,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon  -
If you choose to install Hyper-V using Server Manager, accept all default selections. +
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
### Download VHD and ISO files
@@ -505,9 +507,18 @@ Notes:
### Resize VHD
-**Important**: You should take advantage of [enhanced session mode](https://technet.microsoft.com/windows-server-docs/compute/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) when completing instructions in this guide. Enhanced session mode enables you to copy and paste the commands from the Hyper-V host to VMs, between VMs, and between RDP sessions. After copying some text, you can paste into a Windows PowerShell window by simply right-clicking. Before right-clicking, do not left click other locations as this can empty the clipboard. You can also copy and paste files directly from one computer to another by right-clicking and selecting copy on one computer, then right-clicking and selecting paste on another computer.
+
Set-VMhost -EnableEnhancedSessionMode $TRUE+ +>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex. + +
](images/ua-cg-15.png){kind=link}
+ Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
Copy-VMFile "PC1" –SourcePath "C:\VHD\pc1.ps1" –DestinationPath "C:\pc1.ps1" –CreateFullPath –FileSource Host
- >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not installed, you can try updating integration services on the VM. This can be done by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server operating systems that are running the Hyper-V role service. Otherwise, just create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. Be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
+ >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
+
+ If the copy-vmfile command does not work and you cannot properly enable or upgrade integration services on PC1, then create the file c:\pc1.ps1 on the VM by typing the commands into this file manually. The copy-vmfile command is only used in this procedure as a demonstration of automation methods that can be used in a Hyper-V environment when enhanced session mode is not available. After typing the script file manually, be sure to save the file as a Windows PowerShell script file with the .ps1 extension and not as a text (.txt) file.
21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
@@ -850,7 +864,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
>The commands in this script might take a few moments to complete. If an error is displayed, check that you typed the command correctly, paying close attention to spaces. PC1 is removed from its domain in this step while not connected to the corporate network so as to ensure the computer object in the corporate domain is unaffected. PC1 is also not renamed to "PC1" in system properties so that it maintains some of its mirrored identity. However, if desired you can also rename the computer.
22. Upon completion of the script, PC1 will automatically restart. When it has restarted, sign in to the contoso.com domain using the **Switch User** option, with the **user1** account you created in step 11 of this section.
- >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all use accounts, or only other specific accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
+ >**Important**: The settings that will be used later to migrate user data specifically select only accounts that belong to the CONTOSO domain. However, this can be changed to migrate all user accounts, or only other specified accounts. If you wish to test migration of user data and settings with accounts other than those in the CONTOSO domain, you must specify these accounts or domains when you configure the value of **ScanStateArgs** in the MDT test lab guide. This value is specifically called out when you get to that step. If you wish to only migrate CONTOSO accounts, then you can log in with the user1 account or the administrator account at this time and modify some of the files and settings for later use in migration testing.
23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
@@ -954,7 +968,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
- runas /noprofile /env /user:administrator@contoso.com "cmd slmgr -rearm"
+ runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
Restart-Computer
@@ -979,6 +993,8 @@ Set-ADUser -Identity CM_JD -PasswordNeverExpires $true
Set-ADUser -Identity CM_NAA -PasswordNeverExpires $true
+This completes configuration of the starting PoC environment. Additional services and tools are installed in subsequent guides.
+
## Appendix A: Verify the configuration
Use the following procedures to verify that the PoC environment is configured properly and working as expected.
diff --git a/windows/index.md b/windows/index.md
index d5e7f92b8a..31050c6bd6 100644
--- a/windows/index.md
+++ b/windows/index.md
@@ -3,6 +3,7 @@ title: Windows 10 and Windows 10 Mobile (Windows 10)
description: This library provides the core content that IT pros need to evaluate, plan, deploy, and manage devices running Windows 10 or Windows 10 Mobile.
ms.assetid: 345A4B4E-BC1B-4F5C-9E90-58E647D11C60
ms.prod: w10
+localizationpriority: high
author: brianlic-msft
---
diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md
index fb18c0081b..3a3d3bcda1 100644
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@@ -1,14 +1,15 @@
# [Keep Windows 10 secure](index.md)
## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
-## [Manage identity verification using Windows Hello for Business](manage-identity-verification-using-microsoft-passport.md)
-### [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md)
-### [Enable phone sign-in to PC or VPN](enable-phone-signin-to-pc-and-vpn.md)
-### [Why a PIN is better than a password](why-a-pin-is-better-than-a-password.md)
-### [Prepare people to use Windows Hello](prepare-people-to-use-microsoft-passport.md)
-### [Windows Hello and password changes](microsoft-passport-and-password-changes.md)
-### [Windows Hello errors during PIN creation](microsoft-passport-errors-during-pin-creation.md)
-### [Event ID 300 - Windows Hello successfully created](passport-event-300.md)
-### [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)
+## [Windows Hello for Business](hello-identity-verification.md)
+### [How Windows Hello for Business works](hello-how-it-works.md)
+### [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+### [Enable phone sign-in to PC or VPN](hello-enable-phone-signin.md)
+### [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+### [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+### [Windows Hello and password changes](hello-and-password-changes.md)
+### [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+### [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+### [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
## [Configure S/MIME for Windows 10 and Windows 10 Mobile](configure-s-mime.md)
## [Install digital certificates on Windows 10 Mobile](installing-digital-certificates-on-windows-10-mobile.md)
## [Device Guard deployment guide](device-guard-deployment-guide.md)
@@ -31,6 +32,7 @@
##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
#### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
+#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
@@ -196,7 +198,7 @@
###### [Monitor claim types](monitor-claim-types.md)
##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
###### [Audit Credential Validation](audit-credential-validation.md)
-####### [Event 4774 S: An account was mapped for logon.](event-4774.md)
+####### [Event 4774 S, F: An account was mapped for logon.](event-4774.md)
####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)
@@ -872,7 +874,6 @@
###### [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)
## [Enterprise security guides](windows-10-enterprise-security-guides.md)
### [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
-### [Microsoft Passport guide](microsoft-passport-guide.md)
### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
### [Windows 10 security overview](windows-10-security-guide.md)
### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md)
diff --git a/windows/keep-secure/app-behavior-with-wip.md b/windows/keep-secure/app-behavior-with-wip.md
index bf932d459d..1f83aad42f 100644
--- a/windows/keep-secure/app-behavior-with-wip.md
+++ b/windows/keep-secure/app-behavior-with-wip.md
@@ -38,8 +38,8 @@ This table includes info about how unenlightened apps might behave, based on you
/*AppCompat*/ string/*AppCompat*/ string or proxy-based policies| App rule setting | -Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies |
+ Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Not required. App connects to enterprise cloud resources, using an IP address or a hostname. | diff --git a/windows/keep-secure/audit-credential-validation.md b/windows/keep-secure/audit-credential-validation.md index 5e54e23875..a6e23ecd47 100644 --- a/windows/keep-secure/audit-credential-validation.md +++ b/windows/keep-secure/audit-credential-validation.md @@ -42,7 +42,7 @@ The main reason to enable this auditing subcategory is to handle local accounts **Events List:** -- [4774](event-4774.md)(S): An account was mapped for logon. +- [4774](event-4774.md)(S, F): An account was mapped for logon. - [4775](event-4775.md)(F): An account could not be mapped for logon. diff --git a/windows/keep-secure/bitlocker-overview.md b/windows/keep-secure/bitlocker-overview.md index 2ffb869b8f..e3d23d3102 100644 --- a/windows/keep-secure/bitlocker-overview.md +++ b/windows/keep-secure/bitlocker-overview.md @@ -42,7 +42,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen ## New and changed functionality -To find out what's new in BitLocker for Windows 10, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511." +To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10, versions 1507 and 1511." ## System requirements diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 900762eca3..2e7879cd8b 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -12,11 +12,15 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). + ## January 2017 |New or changed topic |Description | |---------------------|------------| +|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | |[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | +| Microsoft Passport guide | Content merged into [Windows Hello for Business](hello-identity-verification.md) topics | ## December 2016 |New or changed topic |Description | @@ -24,6 +28,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |Added filter examples for Windows 10 and Windows Server 2016. | + ## November 2016 | New or changed topic | Description | | --- | --- | @@ -31,6 +36,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) |Changed WIPModeID to EDPModeID, to match the CSP. | + ## October 2016 | New or changed topic | Description | @@ -42,6 +48,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[VPN technical guide](vpn-guide.md) | Multiple new topics, replacing previous **VPN profile options** topic | |[Windows security baselines](windows-security-baselines.md) | Added Windows 10, version 1607 and Windows Server 2016 baseline | + ## September 2016 | New or changed topic | Description | diff --git a/windows/keep-secure/change-the-tpm-owner-password.md b/windows/keep-secure/change-the-tpm-owner-password.md index a8b0e386d3..16b63a490e 100644 --- a/windows/keep-secure/change-the-tpm-owner-password.md +++ b/windows/keep-secure/change-the-tpm-owner-password.md @@ -44,10 +44,7 @@ To change to a new TPM owner password, in TPM.msc, click **Change Owner Password ## Use the TPM cmdlets -If you are using Windows PowerShell to manage your computers, you can also manage the TPM by using Windows PowerShell. To install the TPM cmdlets, type the following command: -**dism /online /enable-feature /FeatureName:tpm-psh-cmdlets** - -For details about the individual cmdlets, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). +You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](http://technet.microsoft.com/library/jj603116.aspx). ## Related topics diff --git a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md index 0293f672ae..241eadd7f7 100644 --- a/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md +++ b/windows/keep-secure/choose-the-right-bitlocker-countermeasure.md @@ -17,20 +17,105 @@ author: brianlic-msft This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. -Figures 2, 3, and 4 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default -settings. +Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. - +|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| + |
+ Windows 8.1 |
+
+ Windows 8.1 Certified |
+
|
+ Bootkits and |
+Without TPM, boot integrity checking is not available |
+Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings |
+
|
+ Brute Force |
+Secure by default, and can be improved with account lockout Group Policy |
+Secure by default, and can be improved with account lockout and device lockout Group Policy settings |
+
|
+ DMA |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+
|
+ Hyberfil.sys |
+Secure by default; hyberfil.sys secured on encrypted volume |
+Secure by default; hyberfil.sys secured on encrypted volume |
+
|
+ Memory |
+Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication |
+Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication |
+
| + |
+ Windows 10 |
+
+ Windows 10 Certified |
+
|
+ Bootkits and |
+Without TPM, boot integrity checking is not available |
+Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings |
+
|
+ Brute Force |
+Secure by default, and can be improved with account lockout Group Policy |
+Secure by default, and can be improved with account lockout and device lockout Group Policy settings |
+
|
+ DMA |
+If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in |
+Secure by default; certified devices do not expose vulnerable DMA busses. |
+
|
+ Hyberfil.sys |
+Secure by default; hyberfil.sys secured on encrypted volume |
+Secure by default; hyberfil.sys secured on encrypted volume |
+
|
+ Memory |
+Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication |
+Password protect the firmware and ensure Secure Boot is enabled. |
+
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
| Hex | +Cause | +Mitigation | +
|---|---|---|
| 0x801C044D | +Authorization token does not contain device ID | +Unjoin the device from Azure AD and rejoin | +
| 0x80090036 | +User cancelled an interactive dialog | +User will be asked to try again | +
| 0x80090011 | +The container or key was not found | +Unjoin the device from Azure AD and rejoin | +
| 0x8009000F | +The container or key already exists | +Unjoin the device from Azure AD and rejoin | +
| 0x8009002A | +NTE_NO_MEMORY | +Close programs which are taking up memory and try again. | +
| 0x80090005 | +NTE_BAD_DATA | +Unjoin the device from Azure AD and rejoin | +
| 0x80090029 | +TPM is not set up. | +Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | +
| 0x80090031 | +NTE_AUTHENTICATION_IGNORED | +Reboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650) | +
| 0x80090035 | +Policy requires TPM and the device does not have TPM. | +Change the Passport policy to not require a TPM. | +
| 0x801C0003 | +User is not authorized to enroll | +Check if the user has permission to perform the operation. | +
| 0x801C000E | +Registration quota reached | +Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933). |
+
| 0x801C000F | +Operation successful but the device requires a reboot | +Reboot the device. | +
| 0x801C0010 | +The AIK certificate is not valid or trusted | +Sign out and then sign in again. | +
| 0x801C0011 | +The attestation statement of the transport key is invalid | +Sign out and then sign in again. | +
| 0x801C0012 | +Discovery request is not in a valid format | +Sign out and then sign in again. | +
| 0x801C0015 | +The device is required to be joined to an Active Directory domain | +Join the device to an Active Directory domain. | +
| 0x801C0016 | +The federation provider configuration is empty | +Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty. | +
| 0x801C0017 | +The federation provider domain is empty | +Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty. | +
| 0x801C0018 | +The federation provider client configuration URL is empty | +Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL. | +
| 0x801C03E9 | +Server response message is invalid | +Sign out and then sign in again. | +
| 0x801C03EA | +Server failed to authorize user or device. | +Check if the token is valid and user has permission to register Passport keys. | +
| 0x801C03EB | +Server response http status is not valid | +Sign out and then sign in again. | +
| 0x801C03EC | +Unhandled exception from server. | +sign out and then sign in again. | +
| 0x801C03ED | +Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed +-or- +Token was not found in the Authorization header +-or- +Failed to read one or more objects +-or- The request sent to the server was invalid. |
+Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. | +
| 0x801C03EE | +Attestation failed | +Sign out and then sign in again. | +
| 0x801C03EF | +The AIK certificate is no longer valid | +Sign out and then sign in again. | +
| 0x801C044D | +Unable to obtain user token | +Sign out and then sign in again. Check network and credentials. | +
| 0x801C044E | +Failed to receive user creds input | +Sign out and then sign in again. | +
| Policy | +Options | +|
|---|---|---|
| Use Windows Hello for Business | ++ |
+ Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. +Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. +Disabled: Device does not provision Windows Hello for Business for any user. + |
+
| Use a hardware security device | ++ |
+ Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. +Enabled: Windows Hello for Business will only be provisioned using TPM. +Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. + |
+
| Use biometrics | ++ |
+ Not configured: Biometrics can be used as a gesture in place of a PIN. +Enabled: Biometrics can be used as a gesture in place of a PIN. +Disabled: Only a PIN can be used as a gesture. + |
+
| PIN Complexity | +Require digits | +
+ Not configured: Users must include a digit in their PIN. +Enabled: Users must include a digit in their PIN. +Disabled: Users cannot use digits in their PIN. + |
+
| Require lowercase letters | +
+ Not configured: Users cannot use lowercase letters in their PIN. +Enabled: Users must include at least one lowercase letter in their PIN. +Disabled: Users cannot use lowercase letters in their PIN. + |
+|
| Maximum PIN length | +
+ Not configured: PIN length must be less than or equal to 127. +Enabled: PIN length must be less than or equal to the number you specify. +Disabled: PIN length must be less than or equal to 127. + |
+|
| Minimum PIN length | +
+ Not configured: PIN length must be greater than or equal to 4. +Enabled: PIN length must be greater than or equal to the number you specify. +Disabled: PIN length must be greater than or equal to 4. + |
+|
| Expiration | +
+ Not configured: PIN does not expire. +Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. +Disabled: PIN does not expire. + |
+|
| History | +
+ Not configured: Previous PINs are not stored. +Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. +Disabled: Previous PINs are not stored. +Note Current PIN is included in PIN history.
+ |
+|
| Require special characters | +
+ Not configured: Users cannot include a special character in their PIN. +Enabled: Users must include at least one special character in their PIN. +Disabled: Users cannot include a special character in their PIN. + |
+|
| Require uppercase letters | +
+ Not configured: Users cannot include an uppercase letter in their PIN. +Enabled: Users must include at least one uppercase letter in their PIN. +Disabled: Users cannot include an uppercase letter in their PIN. + |
+|
| Phone Sign-in | +
+ Use Phone Sign-in +Note Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+ |
+
+ Not configured: Phone sign-in is disabled. +Enabled: Users can use a portable, registered device as a companion device for desktop authentication. +Disabled: Phone sign-in is disabled. + |
+
| Policy | +Scope | +Default | +Options | +|
|---|---|---|---|---|
| UsePassportForWork | ++ | Device | +True | +
+ True: Windows Hello for Business will be provisioned for all users on the device. +False: Users will not be able to provision Windows Hello for Business. +Note If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
+ |
+
| RequireSecurityDevice | ++ | Device | +False | +
+ True: Windows Hello for Business will only be provisioned using TPM. +False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. + |
+
| Biometrics | +
+ UseBiometrics + |
+Device | +False | +
+ True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. +False: Only a PIN can be used as a gesture for domain sign-in. + |
+
|
+ FacialFeaturesUser +EnhancedAntiSpoofing + |
+Device | +Not configured | +
+ Not configured: users can choose whether to turn on enhanced anti-spoofing. +True: Enhanced anti-spoofing is required on devices which support it. +False: Users cannot turn on enhanced anti-spoofing. + |
+|
| PINComplexity | +||||
| Digits | +Device or user | +2 | +
+ 1: Numbers are not allowed. +2: At least one number is required. + |
+|
| Lowercase letters | +Device or user | +1 | +
+ 1: Lowercase letters are not allowed. +2: At least one lowercase letter is required. + |
+|
| Maximum PIN length | +Device or user | +127 | +
+ Maximum length that can be set is 127. Maximum length cannot be less than minimum setting. + |
+|
| Minimum PIN length | +Device or user | +4 | +
+ Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting. + |
+|
| Expiration | +Device or user | +0 | +
+ Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. + + |
+|
| History | +Device or user | +0 | +
+ Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. + + |
+|
| Special characters | +Device or user | +1 | +
+ 1: Special characters are not allowed. +2: At least one special character is required. + |
+|
| Uppercase letters | +Device or user | +1 | +
+ 1: Uppercase letters are not allowed +2: At least one uppercase letter is required + |
+|
| Remote | +
+ UseRemotePassport +Note Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
+ |
+Device or user | +False | +
+ True: Phone sign-in is enabled. +False: Phone sign-in is disabled. + |
+
| Windows Hello for Business mode | +Azure AD | +Active Directory (AD) on-premises (available with production release of Windows Server 2016) | +Azure AD/AD hybrid (available with production release of Windows Server 2016) | +
|---|---|---|---|
| Key-based authentication | +Azure AD subscription | +
|
+
|
+
| Certificate-based authentication | +
|
+
|
+
|
+
| Policy | -Options | -|
|---|---|---|
| Use Windows Hello for Business | -- |
- Not configured: Users can provision Windows Hello for Business, which encrypts their domain password. -Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. -Disabled: Device does not provision Windows Hello for Business for any user. - |
-
| Use a hardware security device | -- |
- Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. -Enabled: Windows Hello for Business will only be provisioned using TPM. -Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. - |
-
| Use biometrics | -- |
- Not configured: Biometrics can be used as a gesture in place of a PIN. -Enabled: Biometrics can be used as a gesture in place of a PIN. -Disabled: Only a PIN can be used as a gesture. - |
-
| PIN Complexity | -Require digits | -
- Not configured: Users must include a digit in their PIN. -Enabled: Users must include a digit in their PIN. -Disabled: Users cannot use digits in their PIN. - |
-
| Require lowercase letters | -
- Not configured: Users cannot use lowercase letters in their PIN. -Enabled: Users must include at least one lowercase letter in their PIN. -Disabled: Users cannot use lowercase letters in their PIN. - |
-|
| Maximum PIN length | -
- Not configured: PIN length must be less than or equal to 127. -Enabled: PIN length must be less than or equal to the number you specify. -Disabled: PIN length must be less than or equal to 127. - |
-|
| Minimum PIN length | -
- Not configured: PIN length must be greater than or equal to 4. -Enabled: PIN length must be greater than or equal to the number you specify. -Disabled: PIN length must be greater than or equal to 4. - |
-|
| Expiration | -
- Not configured: PIN does not expire. -Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. -Disabled: PIN does not expire. - |
-|
| History | -
- Not configured: Previous PINs are not stored. -Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. -Disabled: Previous PINs are not stored. -Note Current PIN is included in PIN history.
- |
-|
| Require special characters | -
- Not configured: Users cannot include a special character in their PIN. -Enabled: Users must include at least one special character in their PIN. -Disabled: Users cannot include a special character in their PIN. - |
-|
| Require uppercase letters | -
- Not configured: Users cannot include an uppercase letter in their PIN. -Enabled: Users must include at least one uppercase letter in their PIN. -Disabled: Users cannot include an uppercase letter in their PIN. - |
-|
| Phone Sign-in | -
- Use Phone Sign-in -Note Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
- |
-
- Not configured: Phone sign-in is disabled. -Enabled: Users can use a portable, registered device as a companion device for desktop authentication. -Disabled: Phone sign-in is disabled. - |
-
| Policy | -Scope | -Default | -Options | -|
|---|---|---|---|---|
| UsePassportForWork | -- | Device | -True | -
- True: Windows Hello for Business will be provisioned for all users on the device. -False: Users will not be able to provision Windows Hello for Business. -Note If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
- |
-
| RequireSecurityDevice | -- | Device | -False | -
- True: Windows Hello for Business will only be provisioned using TPM. -False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. - |
-
| Biometrics | -
- UseBiometrics - |
-Device | -False | -
- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. -False: Only a PIN can be used as a gesture for domain sign-in. - |
-
|
- FacialFeaturesUser -EnhancedAntiSpoofing - |
-Device | -Not configured | -
- Not configured: users can choose whether to turn on enhanced anti-spoofing. -True: Enhanced anti-spoofing is required on devices which support it. -False: Users cannot turn on enhanced anti-spoofing. - |
-|
| PINComplexity | -||||
| Digits | -Device or user | -2 | -
- 1: Numbers are not allowed. -2: At least one number is required. - |
-|
| Lowercase letters | -Device or user | -1 | -
- 1: Lowercase letters are not allowed. -2: At least one lowercase letter is required. - |
-|
| Maximum PIN length | -Device or user | -127 | -
- Maximum length that can be set is 127. Maximum length cannot be less than minimum setting. - |
-|
| Minimum PIN length | -Device or user | -4 | -
- Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting. - |
-|
| Expiration | -Device or user | -0 | -
- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user’s PIN will never expire. - - |
-|
| History | -Device or user | -0 | -
- Integer value that specifies the number of past PINs that can be associated to a user account that can’t be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. - - |
-|
| Special characters | -Device or user | -1 | -
- 1: Special characters are not allowed. -2: At least one special character is required. - |
-|
| Uppercase letters | -Device or user | -1 | -
- 1: Uppercase letters are not allowed. -2: At least one uppercase letter is required - |
-|
| Remote | -
- UseRemotePassport -Note Applies to desktop only. Phone sign-in is currently limited to select Technology Adoption Program (TAP) participants.
- |
-Device or user | -False | -
- True: Phone sign-in is enabled. -False: Phone sign-in is disabled. - |
-
| Windows Hello for Business mode | -Azure AD | -Azure AD/AD hybrid (available with production release of Windows Server 2016) | -
|---|---|---|
| Key-based authentication | -[Azure AD subscription](https://docs.microsoft.com/azure/active-directory/active-directory-howto-tenant) | -
|
-
| Certificate-based authentication | -
|
-
|
-
| Hex | -Cause | -Mitigation | -
|---|---|---|
| 0x801C044D | -Authorization token does not contain device ID | -Unjoin the device from Azure AD and rejoin | -
| 0x80090036 | -User cancelled an interactive dialog | -User will be asked to try again | -
| 0x80090011 | -The container or key was not found | -Unjoin the device from Azure AD and rejoin | -
| 0x8009000F | -The container or key already exists | -Unjoin the device from Azure AD and rejoin | -
| 0x8009002A | -NTE_NO_MEMORY | -Close programs which are taking up memory and try again. | -
| 0x80090005 | -NTE_BAD_DATA | -Unjoin the device from Azure AD and rejoin | -
| 0x80090029 | -TPM is not set up. | -Sign on with an administrator account. Click **Start**, type "tpm.msc", and select **tpm.msc Microsoft Common Console Document**. In the **Actions** pane, select **Prepare the TPM**. | -
| 0x80090031 | -NTE_AUTHENTICATION_IGNORED | -Reboot the device. If the error occurs again after rebooting, [reset the TPM]( https://go.microsoft.com/fwlink/p/?LinkId=619969) or run [Clear-TPM](https://go.microsoft.com/fwlink/p/?LinkId=629650) | -
| 0x80090035 | -Policy requires TPM and the device does not have TPM. | -Change the Passport policy to not require a TPM. | -
| 0x801C0003 | -User is not authorized to enroll | -Check if the user has permission to perform the operation. | -
| 0x801C000E | -Registration quota reached | -Unjoin some other device that is currently joined using the same account or [increase the maximum number of devices per user](https://go.microsoft.com/fwlink/p/?LinkId=626933). |
-
| 0x801C000F | -Operation successful but the device requires a reboot | -Reboot the device. | -
| 0x801C0010 | -The AIK certificate is not valid or trusted | -Sign out and then sign in again. | -
| 0x801C0011 | -The attestation statement of the transport key is invalid | -Sign out and then sign in again. | -
| 0x801C0012 | -Discovery request is not in a valid format | -Sign out and then sign in again. | -
| 0x801C0015 | -The device is required to be joined to an Active Directory domain | -Join the device to an Active Directory domain. | -
| 0x801C0016 | -The federation provider configuration is empty | -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the file is not empty. | -
| 0x801C0017 | -The federation provider domain is empty | -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the FPDOMAINNAME element is not empty. | -
| 0x801C0018 | -The federation provider client configuration URL is empty | -Go to [http://clientconfig.microsoftonline-p.net/FPURL.xml](http://clientconfig.microsoftonline-p.net/FPURL.xml) and verify that the CLIENTCONFIG element contains a valid URL. | -
| 0x801C03E9 | -Server response message is invalid | -Sign out and then sign in again. | -
| 0x801C03EA | -Server failed to authorize user or device. | -Check if the token is valid and user has permission to register Passport keys. | -
| 0x801C03EB | -Server response http status is not valid | -Sign out and then sign in again. | -
| 0x801C03EC | -Unhandled exception from server. | -sign out and then sign in again. | -
| 0x801C03ED | -Multi-factor authentication is required for a 'ProvisionKey' operation, but was not performed --or- -Token was not found in the Authorization header --or- -Failed to read one or more objects --or- The request sent to the server was invalid. |
-Sign out and then sign in again. If that doesn't resolve the issue, unjoin the device from Azure Active Directory (Azure AD) and rejoin. | -
| 0x801C03EE | -Attestation failed | -Sign out and then sign in again. | -
| 0x801C03EF | -The AIK certificate is no longer valid | -Sign out and then sign in again. | -
| 0x801C044D | -Unable to obtain user token | -Sign out and then sign in again. Check network and credentials. | -
| 0x801C044E | -Failed to receive user creds input | -Sign out and then sign in again. | -
| Microsoft Passport method | -Azure AD | -Hybrid Active Directory | -
|---|---|---|
| Key-based | -Azure AD subscription |
-
|
-
| Certificate-based | -Azure AD subscription -PKI infrastructure -Intune |
-
|
-
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
Important:
Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.
The support for your operating system has expired. Windows Defender is no longer supported on your operating system, has stopped functioning, and is not protecting against malware threats.
Symbolic name:
MALWAREPROTECTION_SAMPLESUBMISSION_UPLOAD
Message:
The antimalware engine has uploaded a file for further analysis.
Filename <uploaded filename>
Sha256: <file SHA>
Description:
A file was uploaded to the Windows Defender Antimalware cloud for further analysis or processing.
Symbolic name:
MALWAREPROTECTION_SAMPLESUBMISSION_UPLOADED_FAILED
Message:
The antimalware engine has encountered an error trying to upload a suspicious file for further analysis.
+Filename: <uploaded filename>
+Sha256: <file SHA>
+Current Signature Version: <signature version number>
+Current Engine Version: <engine version number>
+Error code: <error code>
Description:
A file could not be uploaded to the Windows Defender Antimalware cloud.
User action:
You can attempt to manually submit the file.
[Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
This article details an end-to-end solution that helps you protect high-value assets by enforcing, controlling, and reporting the health of Windows 10-based devices.
[Microsoft Passport guide](microsoft-passport-guide.md)
This guide describes the new Windows Hello and Microsoft Passport technologies that are part of the Windows 10 operating system. It highlights specific capabilities of these technologies that help mitigate threats from conventional credentials and provides guidance about how to design and deploy these technologies as part of your Windows 10 rollout.
[Windows 10 Mobile security guide](windows-10-mobile-security-guide.md)
This guide provides a detailed description of the most important security features in the Windows 10 Mobile operating system—identity access and control, data protection, malware resistance, and app platform security.