Merged PR 14212: 2/8 AM Publish

devices/surface-hub/prepare-your-environment-for-surface-hub.md

@@ -25,7 +25,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT
 |-------------|------------------|
 | Active Directory or Azure Active Directory (Azure AD) | <p>The Surface Hub's uses an Active Directory or Azure AD account (called a **device account**) to access Exchange and Skype for Business services. The Surface Hub must be able to connect to your Active Directory domain controller or to your Azure AD tenant in order to validate the device account’s credentials, as well as to access information like the device account’s display name, alias, Exchange server, and Session Initiation Protocol (SIP) address.</p>You can also domain join or Azure AD join your Surface Hub to allow a group of authorized users to configure settings on the Surface Hub. |
 | Exchange (Exchange 2013 or later, or Exchange Online) and Exchange ActiveSync | <p>Exchange is used for enabling mail and calendar features, and also lets people who use the device send meeting requests to the Surface Hub, enabling one-touch meeting join.</p>ActiveSync is used to sync the device account’s calendar and mail to the Surface Hub. If the device cannot use ActiveSync, it will not show meetings on the welcome screen, and joining meetings and emailing whiteboards will not be enabled. |
-| Skype for Business (Lync Server 2013 or later, or Skype for Business Online)  | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.</br></br>If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. |
+| Skype for Business (Lync Server 2013 or later, or Skype for Business Online)  | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.|
 | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
 | Microsoft Operations Managmement Suite (OMS)   | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
 | Network and Internet access   | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.</br></br></br>**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.</br>**Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).</br></br>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</br></br>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. |

devices/surface/TOC.md

@@ -13,6 +13,7 @@
 ### [Maintain optimal power settings on Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
 ### [Battery Limit setting](battery-limit.md)
 ### [Surface Brightness Control](microsoft-surface-brightness-control.md)
+### [Surface Asset Tag](assettag.md)
 ## [Surface firmware and driver updates](update.md)
 ### [Download the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md)
 ### [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md)

devices/surface/assettag.md

@@ -0,0 +1,112 @@
+---
+title: Surface Asset Tag Tool
+description: This topic explains how to use the Surface Asset Tag Tool.
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+author: coveminer
+ms.author: v-jokai
+ms.topic: article
+ms.date: 02/01/2019
+---
+
+# Surface Asset Tag Tool
+
+Surface Asset Tag is a command line interface (CLI) utility
+that allows you to view, assign, and modify an assigned asset tag value
+for Surface devices. It works on Surface Pro 3 and all newer Surface devices.
+
+## System requirements
+
+  - Surface Pro 3 or later
+
+  - UEFI firmware version 3.9.150.0 or later
+
+## Using Surface Asset Tag 
+
+To run Surface Asset Tag:
+
+1.  On the Surface device, download **Surface Pro 3 AssetTag.zip** from the [Microsoft Download
+    Center](http://www.microsoft.com/download/details.aspx?id=44076),
+    extract the zip file, and save AssetTag.exe in desired folder (in
+    this example, C:\\assets).
+
+2.  Open a command console as an Administrator and run AssetTag.exe,
+    entering the full path to the tool.
+
+3.  Restart Surface.
+
+### Asset Tag tool commands   
+In the following examples, AssetTag.exe is saved in a directory on a local machine (C:\assets). 
+
+To get the proposed asset tag, run AssetTag -g.
+
+**Example**
+
+   ```
+ C:\assets\AssetTag.exe -g
+  ```
+ 
+ To clear the proposed asset tag, run AssetTag -s.
+ 
+ **Example**
+ 
+   ```
+C:\assets\AssetTag.exe -s
+  ```
+To set the proposed asset tag, run AssetTag -s testassettag12.
+
+**Example**
+
+```
+C:\assets\AssetTag.exe -s testassettag12
+```
+
+>[!NOTE]
+>The asset tag value must contain between 1 and 36 characters. Valid characters include A-Z, a-z, 0-9, period (.) and hyphen (-).
+
+
+## Managing asset tags
+
+You can view the existing asset tag in the UEFI settings under Device
+Information (**Control Panel > Recovery > Advanced Startup > Restart
+now**.)
+
+The figure below shows the results of running the Asset Tag Tool on
+Surface Go.
+
+![Results of running Surface Asset Tag tool on Surface Go.
+](images/assettag-fig1.png)
+
+> **Figure 1.** Results of running Surface Asset Tag tool on Surface Go
+
+Alternately, you can use WMI to query the existing asset tag on a device:
+
+(Get-WmiObject -query “Select * from Win32_SystemEnclosure”)
+
+**Example**
+
+   ```
+C:\Windows\System32> (Get-WmiObject -query “Select * from Win32_SystemEnclosure”)
+  ```
+  
+### Using PowerShell
+
+You can use the script below as a way of getting the proposed value and
+interpreting any errors.
+
+ ```
+AssetTag -g \> $asset\_tag 2\> $error\_message  
+$asset\_tag\_return\_code = $LASTEXITCODE  
+$asset\_tag = $asset\_tag.Trim(“\`r\`n”)
+
+if ($asset\_tag\_return\_code -eq 0) {  
+Write-Output (“Good Tag = ” + $asset\_tag)  
+} else {  
+Write-Output (  
+“Failure: Code = ” + $asset\_tag\_return\_code +  
+“Tag = ” + $asset\_tag +  
+“Message = ” + $error\_message)
+
+}
+ ```

devices/surface/change-history-for-surface.md

@@ -13,6 +13,13 @@ ms.topic: article
 
 This topic lists new and updated topics in the Surface documentation library.
 
+## February 2019
+
+New or changed topic | Description
+--- | ---
+[Surface Asset Tag](assettag.md) | New
+
+
 ## January 2019
 
 New or changed topic | Description

devices/surface/enroll-and-configure-surface-devices-with-semm.md

@@ -35,13 +35,13 @@ To create a Surface UEFI configuration package, follow these steps:
 2. Click **Start**.
 3. Click **Configuration Package**, as shown in Figure 1.
 
-   ![Create a package for SEMM enrollment](images\surface-semm-enroll-fig1.png "Create a package for SEMM enrollment")
+   ![Create a package for SEMM enrollment](images\surface-ent-mgmt-fig1-uefi-configurator.png "Create a package for SEMM enrollment")
 
    *Figure 1. Select Configuration Package to create a package for SEMM enrollment and configuration*
 
 4. Click **Certificate Protection** to add your exported certificate file with private key (.pfx), as shown in Figure 2. Browse to the location of your certificate file, select the file, and then click **OK**.
 
-   ![Add the SEM certificate and Surface UEFI password to configuration package](images\surface-semm-enrollment-fig2.png "Add the SEM certificate and Surface UEFI password to configuration package")
+   ![Add the SEM certificate and Surface UEFI password to configuration package](images\surface-ent-mgmt-fig2-securepackage.png "Add the SEM certificate and Surface UEFI password to configuration package")
 
    *Figure 2. Add the SEMM certificate and Surface UEFI password to a Surface UEFI configuration package*
 
@@ -57,14 +57,14 @@ To create a Surface UEFI configuration package, follow these steps:
 9. Click **Next**.
 10. If you want to deactivate a component on managed Surface devices, on the **Choose which components you want to activate or deactivate** page, click the slider next to any device or group of devices you want to deactivate so that the slider is in the **Off** position. (Shown in Figure 4.) The default configuration for each device is **On**. Click the **Reset** button if you want to return all sliders to the default position.
 
-   ![Disable or enable Surface components](images\surface-semm-enroll-fig4.png "Disable or enable Surface components")
+   ![Disable or enable Surface components](images\surface-ent-mgmt-fig3-enabledisable.png "Disable or enable Surface components")
 
    *Figure 4. Disable or enable individual Surface components*
 
 11.	Click **Next**.
 12.	To enable or disable advanced options in Surface UEFI or the display of Surface UEFI pages, on the **Choose the advanced settings for your devices** page, click the slider beside the desired setting to configure that option to **On** or **Off** (shown in Figure 5). In the **UEFI Front Page** section, you can use the sliders for **Security**, **Devices**, and **Boot** to control what pages are available to users who boot into Surface UEFI. (For more information about Surface UEFI settings, see [Manage Surface UEFI settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).) Click **Build** when you have finished selecting options to generate and save the package.
 
-   ![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-semm-enroll-fig5.png "Control advanced Surface UEFI settings and Surface UEFI pages")
+   ![Control advanced Surface UEFI settings and Surface UEFI pages](images\surface-ent-mgmt-fig4-advancedsettings.png "Control advanced Surface UEFI settings and Surface UEFI pages")
 
    *Figure 5. Control advanced Surface UEFI settings and Surface UEFI pages with SEMM*
 
@@ -74,7 +74,7 @@ To create a Surface UEFI configuration package, follow these steps:
 >[!NOTE]
 >Record the certificate thumbprint characters that are displayed on this page, as shown in Figure 6. You will need these characters to confirm enrollment of new Surface devices in SEMM. Click **End** to complete package creation and close Microsoft Surface UEFI Configurator.
 
-![Display of certificate thumbprint characters](images\surface-semm-enroll-fig6.png "Display of certificate thumbprint characters")
+![Display of certificate thumbprint characters](images\surface-ent-mgmt-fig5-success.png "Display of certificate thumbprint characters")
 
 *Figure 6. The last two characters of the certificate thumbprint are displayed on the Successful page*
 

windows/client-management/mdm/policy-csp-deviceinstallation.md

@@ -427,7 +427,7 @@ To enable this policy, use the following SyncML. This example prevents Windows f
                 <Meta>
                     <Format xmlns="syncml:metinf">string</Format>
                 </Meta>
-                <Data><enabled/><Data id="1"/></Data>
+                <Data><enabled/><data id="DenyUnspecified" value="1"/></Data>
                 </Item>
         </Replace>
     </SyncBody>

windows/client-management/mdm/vpnv2-csp.md

@@ -424,6 +424,10 @@ Nodes under NativeProfile are required when using a Windows Inbox VPN Protocol (
 <a href="" id="vpnv2-profilename-nativeprofile-servers"></a>**VPNv2/***ProfileName***/NativeProfile/Servers**  
 Required for native profiles. Public or routable IP address or DNS name for the VPN gateway. It can point to the external IP of a gateway or a virtual IP for a server farm. Examples, 208.147.66.130 or vpn.contoso.com. 
 
+The name can be a server name plus a friendly name separated with a semi-colon. For example, server2.example.com;server2FriendlyName. When you get the value, the return will include both the server name and the friendly name; if no friendly name had been supplied it will default to the server name. 
+
+You can make a list of server by making a list of server names (with optional friendly names) seperated by commas. For example, server1.example.com,server2.example.com.
+
 Value type is chr. Supported operations include Get, Add, Replace, and Delete.
 
 <a href="" id="vpnv2-profilename-nativeprofile-routingpolicytype"></a>**VPNv2/***ProfileName***/NativeProfile/RoutingPolicyType**  

windows/deployment/update/windows-as-a-service.md

@@ -56,6 +56,7 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
 
 <img src="images/champs-2.png" alt="" width="640" height="320">
 
+<a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Classifying-Windows-updates-in-common-deployment-tools/ba-p/331175">**NEW** Classifying Windows updates in common deployment tools</a>
 
 <a href="waas-servicing-differences.md">**NEW** Understanding the differences between servicing Windows 10-era and legacy Windows operating systems</a>
 

windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md

@@ -29,6 +29,7 @@ Windows Autopilot depends on specific capabilities available in Windows 10 and A
     -   [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx)
     -   [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune)
     -   [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features
+    -   [Intune for Education subscriptions](https://docs.microsoft.com/en-us/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features
     -   [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/en-us/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service)
 
 Additionally, the following are also recommended but not required:

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md

@@ -37,7 +37,7 @@ Domain controllers automatically request a certificate from the *Domain Controll
 
 To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
 
-#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object
+#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object
 
 Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
 

windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md

@@ -38,7 +38,7 @@ A lab or proof-of-concept environment does not need high-availability or scalabi
 Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. 
 
 >[!IMPORTANT]
->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use instllation instructions provided in the article.
+>Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article.
 
 Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-key-trust-deploy-mfa.md).
 

windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md

@@ -64,7 +64,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 4.	On the **Compatibility** tab, clear the **Show resulting changes** check box.  Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
 5.	On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name.  Adjust the validity and renewal period to meet your enterprise’s needs.   
     **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
-6.	On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected.  Select **None** from the **Subject name format** list.  Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+6.	On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected.  Select **None** from the **Subject name format** list.  Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
 7.	On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.  Click **OK**. 
 8.	Close the console.
 

windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md

@@ -1,31 +1,23 @@
 ---
-title: BitLocker How to deploy on Windows Server 2012 and later (Windows 10)
+title: BitLocker How to deploy on Windows Server 2012 and later
-description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later.
+description: This topic for the IT professional explains how to deploy BitLocker and Windows Server 2012 and later
 ms.assetid: 91c18e9e-6ab4-4607-8c75-d983bbe2542f
-ms.prod: w10
+ms.prod: windows-server-threshold
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 02/04/2019
 ---
 
 # BitLocker: How to deploy on Windows Server 2012 and later
 
-**Applies to**
+> Applies to: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019
--   Windows 10
 
-This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later.
+This topic for the IT professional explains how to deploy BitLocker on Windows Server 2012 and later. For all Windows Server editions, BitLocker can be installed using Server Manager or Windows PowerShell cmdlets. BitLocker requires administrator privileges on the server to install.
-
-For all Windows Server editions, BitLocker must be installed using Server Manager. However, you can still provision BitLocker before the server operating system is installed as part of your deployment.
 
 ## <a href="" id="installing-bitlocker-"></a>Installing BitLocker
 
-BitLocker requires administrator privileges on the server to install. You can install BitLocker either by using Server Manager or Windows PowerShell cmdlets.
-
--   To install BitLocker using Server Manager
--   To install BitLocker using Windows PowerShell
-
 ### <a href="" id="bkmk-blinstallsrvmgr"></a>To install BitLocker using Server Manager
 
 1.  Open Server Manager by selecting the Server Manager icon or running servermanager.exe.

windows/security/threat-protection/device-control/control-usb-devices-using-intune.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 ms.author: justinha
 author: justinha
-ms.date: 12/20/2018
+ms.date: 02/06/2019
 ---
 
 # How to control USB devices and other removable media using Windows Defender ATP
@@ -167,10 +167,9 @@ Allowing installation of specific devices requires also enabling [DeviceInstalla
 
 ### Prevent installation of specifically prohibited peripherals
 
-Windows Defender ATP also blocks installation and usage of prohibited peripherals with a custom profile in Intune. 
+Windows Defender ATP also blocks installation and usage of prohibited peripherals either by using **Administrative Templates** or [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. 
-For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USBSTOR\DiskVendorCo" and "USBSTOR\DiskSanDisk_Cruzer_Glide_3.0", and applies to USB devices with matching hardware IDs that are already installed.
 
-![Custom profile](images/custom-profile-prevent-device-ids.png)
+For more information about using **Administrative Templates**, see [Windows 10 templates to configure Group Policy settings in Microsoft Intune](https://docs.microsoft.com/intune/administrative-templates-windows).
 
 For a SyncML example that prevents installation of specific device IDs, see [DeviceInstallation/PreventInstallationOfMatchingDeviceIDs CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids). To prevent specific device classes, see [DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). 
 

windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md

@@ -39,7 +39,7 @@ Run the following PowerShell script on a newly onboarded machine to verify that
 3. At the prompt, copy and run the following command:
 
     ```
-    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe'
+    powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
     ```
 
 The Command Prompt window will close automatically. If successful, the detection test will be marked as completed and a new alert will appear in the portal for the onboarded machine in approximately 10 minutes.