deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #4384 from MicrosoftDocs/repo_sync_working_branch

Browse Source 
Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Thomas Raya 2020-12-15 13:29:41 -08:00 committed by GitHub
commit 63b7cdd2a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
21 changed files with 85 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/client-management/mdm/get-product-package.md
View File

@ -1,6 +1,6 @@
--- ---
title: Get product package title: Get product package
description: The Get product package operation retrieves the information about a specific application in the Micosoft Store for Business. description: The Get product package operation retrieves the information about a specific application in the Microsoft Store for Business.
ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F ms.assetid: 4314C65E-6DDC-405C-A591-D66F799A341F
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
@ -14,7 +14,7 @@ ms.date: 09/18/2017
# Get product package # Get product package
The **Get product package** operation retrieves the information about a specific application in the Micosoft Store for Business. The **Get product package** operation retrieves the information about a specific application in the Microsoft Store for Business.
## Request ## Request

4
windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
View File

@ -51,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet.
## Procedures ## Procedures
1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot. 1. Start the PC0001 computer. At the Pre-Boot Execution Environment (PXE) boot menu, press **Enter** to allow it to PXE boot.
2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass@word1** and click **Next**. 2. On the **Welcome to the Task Sequence Wizard** page, type in the password **pass\@word1** and click **Next**.
3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**.
4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. 4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**.
5. The operating system deployment will take several minutes to complete. 5. The operating system deployment will take several minutes to complete.
@ -99,4 +99,4 @@ Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Ma
[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br> [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)<br>
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br> [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br> [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br> [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>

4
windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
View File

@ -129,7 +129,7 @@ In order for the Configuration Manager Join Domain Account (CM\_JD) to join mach
On **DC01**: On **DC01**:
1. Sign in as contoso\administrtor and enter the following at an elevated Windows PowerShell prompt: 1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt:
``` ```
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force
@ -389,4 +389,4 @@ You can create reference images for Configuration Manager in Configuration Manag
[Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br> [Create a task sequence with Configuration Manager and MDT](../deploy-windows-mdt/create-a-task-sequence-with-configuration-manager-and-mdt.md)<br>
[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br> [Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)<br>
[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br> [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)<br>
[Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md)

2
windows/deployment/windows-10-poc-sc-config-mgr.md
View File

@ -283,7 +283,7 @@ This section contains several procedures to support Zero Touch installation with
3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**. 3. On the **Network Access Account** tab, choose **Specify the account that accesses network locations**.
4. Click the yellow starburst and then click **New Account**. 4. Click the yellow starburst and then click **New Account**.
5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**. 5. Click **Browse** and then under **Enter the object name to select**, type **CM_NAA** and click **OK**.
6. Next to **Password** and **Confirm Password**, type **pass@word1**, and then click **OK** twice. 6. Next to **Password** and **Confirm Password**, type **pass\@word1**, and then click **OK** twice.
### Configure a boundary group ### Configure a boundary group

16
windows/deployment/windows-10-poc.md
View File

@ -214,7 +214,7 @@ Starting with Windows 8, the host computers microprocessor must support secon
2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command: 2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
<pre style="overflow-y: visible">Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V All</pre> <pre style="overflow-y: visible">Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All</pre>
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command: This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
@ -542,8 +542,8 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host: 1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
<pre style="overflow-y: visible"> <pre style="overflow-y: visible">
Resize-VHD Path c:\VHD\2012R2-poc-2.vhd SizeBytes 100GB Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
$x = (Mount-VHD Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter $x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
</pre> </pre>
@ -551,7 +551,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible"> <pre style="overflow-y: visible">
Get-Volume -DriveLetter $x Get-Volume -DriveLetter $x
Dismount-VHD Path c:\VHD\2012R2-poc-2.vhd</pre> Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd</pre>
### Configure Hyper-V ### Configure Hyper-V
@ -712,7 +712,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible"> <pre style="overflow-y: visible">
Rename-Computer DC1 Rename-Computer DC1
New-NetIPAddress InterfaceAlias Ethernet IPAddress 192.168.0.1 PrefixLength 24 -DefaultGateway 192.168.0.2 New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
</pre> </pre>
@ -749,7 +749,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
netsh dhcp add securitygroups netsh dhcp add securitygroups
Restart-Service DHCPServer Restart-Service DHCPServer
Add-DhcpServerInDC dc1.contoso.com 192.168.0.1 Add-DhcpServerInDC dc1.contoso.com 192.168.0.1
Set-ItemProperty Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 Name ConfigurationState Value 2 Set-ItemProperty -Path registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ServerManager\Roles\12 -Name ConfigurationState -Value 2
</pre> </pre>
10. Next, add a DHCP scope and set option values: 10. Next, add a DHCP scope and set option values:
@ -886,7 +886,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible"> <pre style="overflow-y: visible">
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface" Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
Copy-VMFile "PC1" SourcePath "C:\VHD\pc1.ps1" DestinationPath "C:\pc1.ps1" CreateFullPath FileSource Host Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
</pre> </pre>
>In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service. >In order for this command to work properly, PC1 must be running the vmicguestinterface (Hyper-V Guest Service Interface) service. If this service is not enabled in this step, then the copy-VMFile command will fail. In this case, you can try updating integration services on the VM by mounting the Hyper-V Integration Services Setup (vmguest.iso), which is located in C:\Windows\System32 on Windows Server 2012 and 2012 R2 operating systems that are running the Hyper-V role service.
@ -917,7 +917,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
<pre style="overflow-y: visible"> <pre style="overflow-y: visible">
Rename-Computer SRV1 Rename-Computer SRV1
New-NetIPAddress InterfaceAlias Ethernet IPAddress 192.168.0.2 PrefixLength 24 New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2 Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
Restart-Computer Restart-Computer
</pre> </pre>

2
windows/deployment/windows-10-subscription-activation.md
View File

@ -91,7 +91,7 @@ For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products &
For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md). For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://blogs.windows.com/business/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
#### Multi-factor authentication #### Multi-factor authentication

24
windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
View File

@ -66,26 +66,18 @@ You configure Windows 10 to use the Microsoft PIN Reset service using the comput
3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. 3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**.
4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. 4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC.
### Configure Windows devices to use PIN reset using Microsoft Intune
To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP):
#### Create a PIN Reset Device configuration profile using Microsoft Intune #### Create a PIN Reset Device configuration profile using Microsoft Intune
1. Sign-in to [Azure Portal](https://portal.azure.com) using a Global administrator account. 1. Sign-in to [Enpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
2. You need your tenant ID to complete the following task. You can discover your tenant ID by viewing the **Properties** of your Azure Active Directory from the Azure Portal. It will be listed under Directory ID. You can also use the following command in a Command window on any Azure AD-joined or hybrid Azure AD-joined computer.</br> 2. Click **Endpoint Security**-> **Account Protection**-> **Properties**.
3. Set **Enable PIN recovery** to **Yes**.
``` > [!NOTE]
dsregcmd /status | findstr -snip "tenantid" > You can also setup PIN recovery using configuration profiles.
``` > 1. Sign in to Endpoint Manager.
> 2. Click **Devices** -> **Configuration Profiles** -> Create a new profile or edit an existing profile using the Identity Protection profile type.
> 3. Set **Enable PIN recovery** to **Yes**.
1. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**.
1. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list.
1. In the **Custom OMA-URI Settings** blade, Click **Add**.
1. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where <b>*tenant ID*</b> is your Azure Active Directory tenant ID from step 2.
1. Select **Boolean** from the **Data type** list and select **True** from the **Value** list.
1. Click **OK** to save the row configuration. Click **OK** to close the <b>Custom OMA-URI Settings blade. Click **Create</b> to save the profile.
#### Assign the PIN Reset Device configuration profile using Microsoft Intune #### Assign the PIN Reset Device configuration profile using Microsoft Intune
1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. 1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account.

78
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -532,15 +532,12 @@ The Intune Certificate Connector application enables Microsoft Intune to enroll
### Download Intune Certificate Connector ### Download Intune Certificate Connector
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/). 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png) 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
3. Select **Device Configuration**, and then select **Certificate Connectors**. ![Intune Certificate Authority](images/aadjcert/profile01.png)
![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png) 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section. 5. Sign-out of the Microsoft Endpoint Manager admin center.
![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png)
5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
6. Sign-out of the Azure Portal.
### Install the Intune Certificate Connector ### Install the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_. Sign-in the NDES server with access equivalent to _domain administrator_.
@ -639,47 +636,42 @@ Sign-in a workstation with access equivalent to a _domain user_.
### Create a SCEP Certificate Profile ### Create a SCEP Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/). 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. 2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Device Configuration**, and then click **Profiles**. 3. Select **Create Profile**.
4. Select **Create Profile**. ![Intune Device Configuration Create Profile](images/aadjcert/profile02.png)
![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png) 4. Select **Windows 10 and later** from the **Platform** list.
5. Select **Windows 10 and later** from the **Platform** list. 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
6. Choose **SCEP certificate** from the **Profile** list, and select **Create**. 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
7. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**. 7. Next to **Description**, provide a description meaningful for your environment, then select **Next**.
8. Next to **Description**, provide a description meaningful for your environment, then select **Next**. 8. Select **User** as a certificate type.
9. Select **User** as a certificate type. 9. Configure **Certificate validity period** to match your organization.
10. Configure **Certificate validity period** to match your organization.
> [!IMPORTANT] > [!IMPORTANT]
> Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity. > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
11. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list. 10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
12. Select **Custom** from the **Subject name format** list. 11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
13. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate. 12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
14. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** value. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
15. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
16. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
17. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png)
18. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 18. Click **Next**.
19. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile. 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
20. Click **Next**.
21. Click **Next** two more times to skip the **Scope tags** and **Assignments** steps of the wizard and click **Create**.
### Assign Group to the WHFB Certificate Enrollment Certificate Profile ### Assign Group to the WHFB Certificate Enrollment Certificate Profile
Sign-in a workstation with access equivalent to a _domain user_. Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/). 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. 2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Device Configuration**, and then click **Profiles**. 3. Click **WHFB Certificate Enrollment**.
4. Click **WHFB Certificate Enrollment**. 4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
![WHFB Scep Profile landing](images/aadjcert/intunewhfbscepprofile-04.png) 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
5. Click **Assignments**. ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png)
6. In the **Assignments** pane, Click **Include**. Select **Selected Groups** from the **Assign to** list. Click **Select groups to include**. 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
![WHFB SCEP Profile Assignment](images/aadjcert/intunewhfbscepprofileassignment.png) 7. Click **Review + Save**, and then **Save**.
7. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
8. Click **Save**.
You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources. You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile01.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 145 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile02.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile03.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
windows/security/identity-protection/hello-for-business/images/aadjCert/profile04.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 22 KiB

2
windows/security/identity-protection/vpn/vpn-name-resolution.md
View File

@ -52,7 +52,7 @@ Primary DNS suffix is set using the **VPNv2/*ProfileName*/DnsSuffix** node.
## Persistent ## Persistent
You can also configure *persistent* name resolution rules. Name resolution for specified items will only performed over VPN. You can also configure *persistent* name resolution rules. Name resolution for specified items will only be performed over the VPN.
Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node. Persistent name resolution is set using the **VPNv2/*ProfileName*/DomainNameInformationList//*dniRowId*/Persistent** node.

3
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

@ -37,6 +37,9 @@ Most of the BitLocker Group Policy settings are applied when BitLocker is initia
If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group If multiple changes are necessary to bring the drive into compliance, you must suspend BitLocker protection, make the necessary changes, and then resume protection. This situation could occur, for example, if a removable drive was initially configured to be unlocked with a password and then Group
Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed. Policy settings are changed to disallow passwords and require smart cards. In this situation, you need to suspend BitLocker protection by using the [Manage-bde](/windows-server/administration/windows-commands/manage-bde) command-line tool, delete the password unlock method, and add the smart card method. After this is complete, BitLocker is compliant with the Group Policy setting and BitLocker protection on the drive can be resumed.
> [!NOTE]
> For more details about Active Directory configuration related to BitLocker enablement, please see [Set up MDT for BitLocker](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker).
## <a href="" id="bkmk-gptop"></a>BitLocker Group Policy settings ## <a href="" id="bkmk-gptop"></a>BitLocker Group Policy settings
The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives. The following sections provide a comprehensive list of BitLocker Group Policy settings that are organized by usage. BitLocker Group Policy settings include settings for specific drive types (operating system drives, fixed data drives, and removable data drives) and settings that are applied to all drives.

2
windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
View File

@ -56,7 +56,7 @@ For more information about the specific network-connectivity requirements to ens
For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles) For more information about Intune device profiles, including how to create and configure their settings, see [What are Microsoft Intune device profiles?](https://docs.microsoft.com/intune/device-profiles)
## Use Microsoft Endpoint Configuration Manager to turn on cloud-delivered protection ## Use Microsoft Endpoint Manager to turn on cloud-delivered protection
1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in. 1. Go to the Microsoft Endpoint Manager admin center ([https://endpoint.microsoft.com](https://endpoint.microsoft.com)) and log in.
2. Choose **Endpoint security** > **Antivirus**. 2. Choose **Endpoint security** > **Antivirus**.

16
windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode.md
View File

@ -15,7 +15,7 @@ ms.localizationpriority: medium
ms.custom: ms.custom:
- next-gen - next-gen
- edr - edr
ms.date: 12/10/2020 ms.date: 12/14/2020
ms.collection: ms.collection:
- m365-security-compliance - m365-security-compliance
- m365initiative-defender-endpoint - m365initiative-defender-endpoint
@ -43,7 +43,7 @@ EDR in block mode is also integrated with [threat & vulnerability management](ht
## What happens when something is detected? ## What happens when something is detected?
When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Remediated** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center). When EDR in block mode is turned on, and a malicious artifact is detected, blocking and remediation actions are taken. You'll see detection status as **Blocked** or **Prevented** as completed actions in the [Action center](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts#check-activity-details-in-action-center).
The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode: The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode:
@ -83,11 +83,11 @@ The following image shows an instance of unwanted software that was detected and
### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices? ### Do I need to turn EDR in block mode on even when I have Microsoft Defender Antivirus running on devices?
We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Microsoft Defender for Endpoint to take actions based on post-breach behavioral EDR detections. We recommend keeping EDR in block mode on, whether Microsoft Defender Antivirus is running in passive mode or in active mode. EDR in block mode gives you an added layer of defense with Microsoft Defender for Endpoint. It allows Defender for Endpoint to take actions based on post-breach behavioral EDR detections.
### Will EDR in block mode have any impact on a user's antivirus protection? ### Will EDR in block mode have any impact on a user's antivirus protection?
No. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode kicks in if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected. EDR in block mode does not affect third-party antivirus protection running on users' devices. EDR in block mode works if the primary antivirus solution misses something, or if there is a post-breach detection. EDR in block mode works just like [Microsoft Defender Antivirus in passive mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility#functionality-and-features-available-in-each-state), with the additional steps of blocking and remediating malicious artifacts or behaviors that are detected.
### Why do I need to keep Microsoft Defender Antivirus up to date? ### Why do I need to keep Microsoft Defender Antivirus up to date?
@ -99,9 +99,7 @@ Cloud protection is needed to turn on the feature on the device. Cloud protectio
## See also ## See also
[Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617) - [Tech Community blog: Introducing EDR in block mode: Stopping attacks in their tracks](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617)
- [Behavioral blocking and containment](behavioral-blocking-containment.md)
[Behavioral blocking and containment](behavioral-blocking-containment.md) - [Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)
[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/why-use-microsoft-antivirus)

14
windows/security/threat-protection/microsoft-defender-atp/get-started-partner-integration.md
View File

@ -52,16 +52,12 @@ To have your company listed as a partner in the in-product partner page, you wil
6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA). 6. Include the User-Agent field in each API call made to Microsoft Defender for Endpoint public set of APIs or Graph Security APIs. This will be used for statistical purposes, troubleshooting, and partner recognition. In addition, this step is a requirement for membership in Microsoft Intelligent Security Association (MISA).
Follow these steps: Follow these steps:
1. Identify a name adhering to the following nomenclature that includes your company name and the Microsoft Defender for Endpoint-integrated product with the version of the product that includes this integration.
- ISV Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{Version}`
- Security partner Nomenclature: `MdatpPartner-{CompanyName}-{ProductName}/{TenantID}`
- Set the User-Agent field in each HTTP request header to the name based on the Following nomenclature.
- `MsdePartner-{CompanyName}-{ProductName}/{Version}`
- For example, User-Agent: `MdatpPartner-Contoso-ContosoCognito/1.0.0` - Set the User-Agent field in each HTTP request header to the below format.
- `MdePartner-{CompanyName}-{ProductName}/{Version}`
- For example, User-Agent: `MdePartner-Contoso-ContosoCognito/1.0.0`
- For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43). - For more information, see [RFC 2616 section-14.43](https://tools.ietf.org/html/rfc2616#section-14.43).

BIN
windows/security/threat-protection/microsoft-defender-atp/images/2bda9244ec25d1526811da4ea91b1c86.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 315 KiB

After

Width:  |  Height:  |  Size: 312 KiB

5
windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
View File

@ -143,6 +143,11 @@ In order to preview new features and provide early feedback, it is recommended t
```bash ```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-[channel].list
``` ```
For example, if you chose *insiders-fast* channel:
```bash
sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-insiders-fast.list
```
- Install the `gpg` package if not already installed: - Install the `gpg` package if not already installed:

2
windows/security/threat-protection/microsoft-defender-atp/review-alerts.md
View File

@ -46,7 +46,7 @@ Clicking on an alert's name in Defender for Endpoint will land you on its alert
![An alert page when you first land on it](images/alert-landing-view.png) ![An alert page when you first land on it](images/alert-landing-view.png)
Note the detection status for your alert. Blocked, prevented, or remediated means actions were already taken by Defender for Endpoint. Note the detection status for your alert. Blocked, or prevented means actions were already taken by Defender for Endpoint.
Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions. Start by reviewing the *automated investigation details* in your alert's [details pane](#take-action-from-the-details-pane), to see which actions were already taken, as well as reading the alert's description for recommended actions.
![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png) ![A snippet of the details pane with the alert description and automatic investigation sections highlighted](images/alert-air-and-alert-description.png)

3
windows/security/threat-protection/security-policy-settings/maximum-password-age.md
View File

@ -39,6 +39,9 @@ The **Maximum password age** policy setting determines the period of time (in da
Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources. Set **Maximum password age** to a value between 30 and 90 days, depending on your environment. This way, an attacker has a limited amount of time in which to compromise a user's password and have access to your network resources.
> [!NOTE]
> The security baseline recommended by Microsoft doesn't contain the password-expiration policy, as it is less effective than modern mitigations. However, companies that didn't implement Azure AD Password Protection, multifactor authentication, or other modern mitigations of password-guessing attacks, should leave this policy in effect.
### Location ### Location
**Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy**