From fdb56f434d51a1715087d3935ec5b43d7aef9613 Mon Sep 17 00:00:00 2001 From: James Date: Mon, 15 Apr 2019 09:44:27 +0930 Subject: [PATCH 01/25] Corrected malformed formatting tag Replaced an unescaped backslash with HTML code to prevent formatting error. --- windows/deployment/usmt/usmt-scanstate-syntax.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index ca8aab7167..5816f71940 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -89,7 +89,7 @@ To create an encrypted store using the Config.xml file and the default migration

StorePath

-

Indicates a folder where files and settings will be saved. Note that StorePath cannot be c:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

+

Indicates a folder where files and settings will be saved. Note that StorePath cannot be c:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

/apps

From c21c58af329afe0d003ebbb2af5b5b473a41acd4 Mon Sep 17 00:00:00 2001 From: James Date: Mon, 15 Apr 2019 11:52:54 +0930 Subject: [PATCH 02/25] Capitalized 'C:\' --- windows/deployment/usmt/usmt-scanstate-syntax.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/usmt/usmt-scanstate-syntax.md b/windows/deployment/usmt/usmt-scanstate-syntax.md index 5816f71940..3090160049 100644 --- a/windows/deployment/usmt/usmt-scanstate-syntax.md +++ b/windows/deployment/usmt/usmt-scanstate-syntax.md @@ -89,7 +89,7 @@ To create an encrypted store using the Config.xml file and the default migration

StorePath

-

Indicates a folder where files and settings will be saved. Note that StorePath cannot be c:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

+

Indicates a folder where files and settings will be saved. Note that StorePath cannot be C:\. You must specify the StorePath option in the ScanState command, except when using the /genconfig option. You cannot specify more than one StorePath location.

/apps

From 48bdf6633d8f62f0cfdfb38fa4cea45519c522a4 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 17 Apr 2019 10:40:41 +0300 Subject: [PATCH 03/25] added info https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3012 --- .../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index eacf850aab..6835ee1323 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -50,6 +50,22 @@ As a result, if the currently used PCR bank is switched all keys that have been Before switching PCR banks you should suspend or disable BitLocker – or have your recovery key ready. For steps on how to switch PCR banks on your PC, you should contact your OEM or UEFI vendor. +## How can I identify which PCR bank is being used? + +You can identify which PCR bank is currently used by Windows by looking at the registry. + +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices + +DWORD: TPMActivePCRBanks + +Defines which PCR banks are currently active. + +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices + +DWORD: TPMDigestAlgID + +Algorithm ID of the PCR bank that Windows is currently using. + ## Related topics - [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics) From 2b207542d53a3f50cfcbee765fe4d55b744aa0bf Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 19 Apr 2019 23:18:30 +0530 Subject: [PATCH 04/25] Added new link Just now I added windows 10 1809 update history link. So approve my request and allow to publish . Thanks --- windows/deployment/update/windows-update-troubleshooting.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 5f09b45f16..7fec2c9557 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -20,7 +20,8 @@ If you run into problems when using Windows Update, start with the following ste 1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. 2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: -  + + - [Windows 10, version 1809 and Windows server 2019](https://support.microsoft.com/en-ae/help/4464619)   - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) From e584f2554a665893d568d67ae6e589ec5651bb69 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sat, 20 Apr 2019 02:20:44 +0530 Subject: [PATCH 05/25] Update windows/deployment/update/windows-update-troubleshooting.md Co-Authored-By: RAJU2529 <3296790+RAJU2529@users.noreply.github.com> --- windows/deployment/update/windows-update-troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 7fec2c9557..1081e93f0a 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -21,7 +21,7 @@ If you run into problems when using Windows Update, start with the following ste 2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - - [Windows 10, version 1809 and Windows server 2019](https://support.microsoft.com/en-ae/help/4464619)   + - [Windows 10, version 1809 and Windows server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) From 651e2de7ab6ac2c577984599d262e64080bd34ec Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Sat, 20 Apr 2019 02:39:32 +0530 Subject: [PATCH 06/25] Update windows/deployment/update/windows-update-troubleshooting.md Co-Authored-By: RAJU2529 <3296790+RAJU2529@users.noreply.github.com> --- windows/deployment/update/windows-update-troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 1081e93f0a..4c56170e4d 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md @@ -21,7 +21,7 @@ If you run into problems when using Windows Update, start with the following ste 2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. 3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: - - [Windows 10, version 1809 and Windows server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) + - [Windows 10, version 1809 and Windows Server 2019](https://support.microsoft.com/help/4464619/windows-10-update-history) - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) From 07c45263ab327625a88725f76644ff0577e41ad5 Mon Sep 17 00:00:00 2001 From: Malin De Silva Date: Sat, 20 Apr 2019 10:12:36 +0530 Subject: [PATCH 07/25] added changes described. --- .../bitlocker/bitlocker-management-for-enterprises.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 9879494122..b0d4f8384a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -29,12 +29,14 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 v1809, only local administrators can enable Bitlocker via Intune policy. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. -Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. +Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows Phones. For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. +This is applicable for Azure Hybrid AD as well. + ## Managing workplace-joined PCs and phones @@ -134,4 +136,4 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#a-href-idbkmk-blcmdletsabitlocker-cmdlets-for-windows-powershell) -[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs) \ No newline at end of file +[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs) From 3a88dfc0e640faeab148bd94503c663c9813e04e Mon Sep 17 00:00:00 2001 From: Karam Masri Date: Sun, 21 Apr 2019 17:25:02 +0400 Subject: [PATCH 08/25] fix links --- .../hello-how-it-works-authentication.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 5a2a096de4..922d3e0990 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -22,11 +22,11 @@ ms.date: 08/19/2018 Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
-[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
-[Azure AD join authentication to Active Directory using a Key](#Azure-AD-join-authentication-to-Active-Directory-using-a-Key)
-[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
-[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
-[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
+[Azure AD join authentication to Azure Active Directory](#azure-ad-join-authentication-to-azure-active-directory)
+[Azure AD join authentication to Active Directory using a Key](#azure-ad-join-authentication-to-active-directory-using-a-key)
+[Azure AD join authentication to Active Directory using a Certificate](#azure-ad-join-authentication-to-active-directory-using-a-certificate)
+[Hybrid Azure AD join authentication using a Key](#hybrid-azure-ad-join-authentication-using-a-key)
+[Hybrid Azure AD join authentication using a Certificate](#hybrid-azure-ad-join-authentication-using-a-certificate)
## Azure AD join authentication to Azure Active Directory From a4a379ebcdcef4a3ff3af0768e892757332e1659 Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Wed, 24 Apr 2019 14:11:22 +0530 Subject: [PATCH 09/25] Update windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md Co-Authored-By: Malind19 --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index b0d4f8384a..374ef396b7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -31,7 +31,7 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 v1809, only local administrators can enable Bitlocker via Intune policy. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. -Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows Phones. +Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. From 1beb3987349979846c82b2900d8278d21358ba92 Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Wed, 24 Apr 2019 14:11:34 +0530 Subject: [PATCH 10/25] Update windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md Co-Authored-By: Malind19 --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 374ef396b7..bf387d1692 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -35,7 +35,7 @@ Starting with Windows 10 version 1703 (also known as the Windows Creators Update For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. -This is applicable for Azure Hybrid AD as well. +This is applicable to Azure Hybrid AD as well. ## Managing workplace-joined PCs and phones From 6e3a7b0c212d14df795b57dcaac2715709606ab7 Mon Sep 17 00:00:00 2001 From: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> Date: Wed, 24 Apr 2019 14:11:46 +0530 Subject: [PATCH 11/25] Update windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md Co-Authored-By: Malind19 --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index bf387d1692..2ecb0916ed 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -29,7 +29,7 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 v1809, only local administrators can enable Bitlocker via Intune policy. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 v1809, only local administrators can enable BitLocker via Intune policy. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. From dd1d7eeb0cf90538090bcede1fd7bbadca4d8553 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Thu, 25 Apr 2019 21:48:52 +0200 Subject: [PATCH 12/25] Update mdm-enrollment-of-windows-devices.md Added acronym descriptions. --- .../client-management/mdm/mdm-enrollment-of-windows-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index c841ddef41..e873b96afb 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -296,7 +296,7 @@ The deep link used for connecting your device to work will always use the follow | Parameter | Description | Supported Value for Windows 10| |-----------|--------------------------------------------------------------|----------------------------------------------| -| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm”, "awa", "aadj" | +| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm” (Mobile Device Management), "awa" (Adding Work Account), "aadj" (Azure Active Directory Joined). | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | From 81fc76a85247ba4714a6559878342ba2e039a599 Mon Sep 17 00:00:00 2001 From: Malin De Silva Date: Fri, 26 Apr 2019 09:30:13 +0530 Subject: [PATCH 13/25] Intune for standard users added from v1809 --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 2ecb0916ed..c0e27d8f50 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -29,7 +29,7 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 v1809, only local administrators can enable BitLocker via Intune policy. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 v1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10 v1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. From 4be2bf64b391459b2447d070111b3d362b52259a Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Fri, 26 Apr 2019 08:52:07 +0200 Subject: [PATCH 14/25] Update windows/client-management/mdm/mdm-enrollment-of-windows-devices.md Capitalise acronyms. Co-Authored-By: lindspea <45809756+lindspea@users.noreply.github.com> --- .../client-management/mdm/mdm-enrollment-of-windows-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md index e873b96afb..7c84c08b31 100644 --- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md +++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md @@ -296,7 +296,7 @@ The deep link used for connecting your device to work will always use the follow | Parameter | Description | Supported Value for Windows 10| |-----------|--------------------------------------------------------------|----------------------------------------------| -| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| “mdm” (Mobile Device Management), "awa" (Adding Work Account), "aadj" (Azure Active Directory Joined). | +| mode | Describes which mode will be executed in the enrollment app. Added in Windows 10, version 1607| MDM (Mobile Device Management), AWA (Adding Work Account), and AADJ (Azure Active Directory Joined). | |username | Specifies the email address or UPN of the user who should be enrolled into MDM. Added in Windows 10, version 1703. | string | | servername | Specifies the MDM server URL that will be used to enroll the device. Added in Windows 10, version 1703. | string| | accesstoken | Custom parameter for MDM servers to use as they see fit. Typically, this can be used as a token to validate the enrollment request. Added in Windows 10, version 1703. | string | From 9fd882d7a7e663f90630003b5bd8c587e95333c7 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Fri, 26 Apr 2019 11:17:48 +0200 Subject: [PATCH 15/25] Update use-the-mdt-database-to-stage-windows-10-deployment-information.md Modified the Notes sections to follow standard from other pages. --- ...database-to-stage-windows-10-deployment-information.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md index c815cc9c41..a2f2212ae8 100644 --- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md +++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md @@ -21,15 +21,15 @@ This topic is designed to teach you how to use the MDT database to pre-stage inf MDT can use either SQL Server Express or full SQL Server, but since the deployment database isn't big, even in large enterprise environments, we recommend using the free SQL Server 2012 SP1 Express database in your environment. -**Note**   -Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database. +>[!NOTE] +>Be sure to enable Named Pipes when configuring the SQL Server 2012 SP1 Express database. Although it is a legacy protocol, Named Pipes has proven to work well when connecting from Windows Preinstallation Environment (Windows PE) to the SQL Server database.   ## Create the deployment database The MDT database is by default created and managed from the Deployment Workbench. In these steps, we assume you have installed SQL Server 2012 SP1 Express on MDT01. -**Note**   -Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01. +>[!NOTE] +>Since SQL Server 2012 SP1 Express runs by default on a separate instance (SQLEXPRESS), the SQL Server Browser service must be running, and the firewall configured to allow traffic to it. Port 1433 TCP and port 1434 UDP need to be opened for inbound traffic on MDT01.   1. On MDT01, using Deployment Workbench, expand the MDT Production deployment share, expand **Advanced Configuration**, right-click **Database**, and select **New Database**. 2. In the New DB Wizard, on the **SQL Server Details** page, enter the following settings and click **Next**: From aa45e98c0155f543ab68a20e05577412c1de511e Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Fri, 26 Apr 2019 11:27:20 +0200 Subject: [PATCH 16/25] Update set-up-mdt-for-bitlocker.md Updated markup for Notes sections. --- .../deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 8dcb9a871f..933f240e24 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -26,8 +26,8 @@ To configure your environment for BitLocker, you will need to do the following: 3. Configure the operating system deployment task sequence for BitLocker. 4. Configure the rules (CustomSettings.ini) for BitLocker. -**Note**   -Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker. +>[!NOTE] +>Even though it is not a BitLocker requirement, we recommend configuring BitLocker to store the recovery key and TPM owner information in Active Directory. For additional information about these features, see [Backing Up BitLocker and TPM Recovery Information to AD DS](https://go.microsoft.com/fwlink/p/?LinkId=619548). If you have access to Microsoft BitLocker Administration and Monitoring (MBAM), which is part of Microsoft Desktop Optimization Pack (MDOP), you have additional management features for BitLocker.   For the purposes of this topic, we will use DC01, a domain controller that is a member of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](deploy-windows-10-with-the-microsoft-deployment-toolkit.md#proof). @@ -35,8 +35,8 @@ For the purposes of this topic, we will use DC01, a domain controller that is a To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory. -**Note**   -Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory. +>[!NOTE] +>Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.   In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information. @@ -79,8 +79,8 @@ Following these steps, you enable the backup of BitLocker and TPM recovery infor Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services 4. Enable the **Turn on TPM backup to Active Directory Domain Services** policy. -**Note**   -If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using. +>[!NOTE] +>If you consistently get the error "Windows BitLocker Drive Encryption Information. The system boot information has changed since BitLocker was enabled. You must supply a BitLocker recovery password to start this system." after encrypting a computer with BitLocker, you might have to change the various "Configure TPM platform validation profile" Group Policies, as well. Whether or not you need to do this will depend on the hardware you are using.   ### Set permissions in Active Directory for BitLocker From 74fff4d95470672c014059af53f5033b9490fa37 Mon Sep 17 00:00:00 2001 From: illfated Date: Fri, 26 Apr 2019 18:37:51 +0200 Subject: [PATCH 17/25] Defender Exploit guard: update troubleshoot-np.md The section "Collect diagnostic data for file submissions" contains 2 command lines with MarkDown code block fences, but before this change, they were presumptuously tagged as ```console instead of only the 3 back ticks. This MarkDown code works fine on Github, but does not translate correctly to the HTML pages on docs.microsoft.com - hence this removal. - Closes #3282 --- .../windows-defender-exploit-guard/troubleshoot-np.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 708142ccf5..aac22be513 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -72,11 +72,11 @@ If you've tested the feature with the demo site and with audit mode, and network When you report a problem with network protection, you are asked to collect and submit diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues. 1. Open an elevated command prompt and change to the Windows Defender directory: - ```console + ``` cd c:\program files\windows defender ``` 2. Run this command to generate the diagnostic logs: - ```console + ``` mpcmdrun -getfiles ``` 3. By default, they are saved to C:\ProgramData\Microsoft\Windows Defender\Support\MpSupportFiles.cab. Attach the file to the submission form. From 116dcd29979860dbd1a1015648cc09f6ad8a07c1 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 26 Apr 2019 11:47:57 -0700 Subject: [PATCH 18/25] Update switch-pcr-banks-on-tpm-2-0-devices.md Adding revisions from our engineering partner --- .../switch-pcr-banks-on-tpm-2-0-devices.md | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 6835ee1323..a8241027c8 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -52,19 +52,19 @@ Before switching PCR banks you should suspend or disable BitLocker – or have y ## How can I identify which PCR bank is being used? +A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. + +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+DWORD: TPMActivePCRBanks
+Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
+Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. + You can identify which PCR bank is currently used by Windows by looking at the registry. -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices - -DWORD: TPMActivePCRBanks - -Defines which PCR banks are currently active. - -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices - -DWORD: TPMDigestAlgID - -Algorithm ID of the PCR bank that Windows is currently using. +Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+DWORD: TPMDigestAlgID
+Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
+Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. ## Related topics From cd65e01ecc2823796e0c64990b626225499a12a7 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 26 Apr 2019 11:49:52 -0700 Subject: [PATCH 19/25] Update switch-pcr-banks-on-tpm-2-0-devices.md --- .../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index a8241027c8..25e1754f08 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -54,16 +54,16 @@ Before switching PCR banks you should suspend or disable BitLocker – or have y A TPM can be configured to have multiple PCR banks active. When BIOS is performing measurements it will do so into all active PCR banks, depending on its capability to make these measurements. BIOS may chose to deactivate PCR banks that it does not support or "cap" PCR banks that it does not support by extending a separator. The following registry value identifies which PCR banks are active. -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-DWORD: TPMActivePCRBanks
-Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
+- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+- DWORD: TPMActivePCRBanks
+- Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. You can identify which PCR bank is currently used by Windows by looking at the registry. -Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
-DWORD: TPMDigestAlgID
-Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
+- Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
+- DWORD: TPMDigestAlgID
+- Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. ## Related topics From 70ccde012bbfe18d8e851d1781b545128fb04403 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 26 Apr 2019 12:01:24 -0700 Subject: [PATCH 20/25] Update switch-pcr-banks-on-tpm-2-0-devices.md edits --- .../tpm/switch-pcr-banks-on-tpm-2-0-devices.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md index 25e1754f08..5493d4428d 100644 --- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md +++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md @@ -57,6 +57,7 @@ A TPM can be configured to have multiple PCR banks active. When BIOS is performi - Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
- DWORD: TPMActivePCRBanks
- Defines which PCR banks are currently active. This is a bitmap defined in the TCG Algorithm Registry.
+ Windows checks which PCR banks are active and supported by the BIOS. Windows also checks if the measured boot log supports measurements for all active PCR banks. Windows will prefer the use of the SHA-256 bank for measurements and will fall back to SHA1 PCR bank if one of the pre-conditions is not met. You can identify which PCR bank is currently used by Windows by looking at the registry. @@ -64,6 +65,7 @@ You can identify which PCR bank is currently used by Windows by looking at the r - Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\IntegrityServices
- DWORD: TPMDigestAlgID
- Algorithm ID of the PCR bank that Windows is currently using. (For the full list of supported algorithms, see the TCG Algorithm Registry.)
+ Windows only uses one PCR bank to continue boot measurements. All other active PCR banks will be extended with a separator to indicate that they are not used by Windows and measurements that appear to be from Windows should not be trusted. ## Related topics From 20a24956e3d3f56f1fccf9e2fe3b5d825cb6793d Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Fri, 26 Apr 2019 16:00:58 -0700 Subject: [PATCH 21/25] Fixing link warning --- .../hello-for-business/hello-how-it-works-provisioning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index ef8b59ba42..23eed38ace 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -28,7 +28,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
-[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-federated-environment)
+[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
From 0971a741318ee553d9493cb432a3b208200c2e44 Mon Sep 17 00:00:00 2001 From: Yimanh <50034647+Yimanh@users.noreply.github.com> Date: Fri, 26 Apr 2019 16:55:53 -0700 Subject: [PATCH 22/25] Update IE site discovery troubleshooting --- .../update/windows-analytics-FAQ-troubleshooting.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index c1f447026d..ea9214c57b 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md @@ -195,6 +195,11 @@ Upgrade Readiness only collects app inventory on devices that are not yet upgrad Double-check that IE site discovery opt-in has been configured in the deployment script. (See the [Upgrade Readiness deployment script](../upgrade/upgrade-readiness-deployment-script.md) topic for information about obtaining and running the script, and for a description of the error codes that can be displayed. See ["Understanding connectivity scenarios and the deployment script"](https://blogs.technet.microsoft.com/upgradeanalytics/2017/03/10/understanding-connectivity-scenarios-and-the-deployment-script/) on the Windows Analytics blog for a summary of setting the ClientProxy for the script, which will enable the script properly check for diagnostic data endpoint connectivity.) Also, on Windows 10 devices remember that IE site discovery requires data diagnostics set to the Enhanced level. + +There are two additional configurations to check: +1. Make sure Flip Ahead with Page Prediction is enabled. It can be configured at Internet Options -> Advanced -> Browsing -> Enable flip ahead with page prediction. +2. Make sure IE is not running in InPrivate mode. + Finally, Upgrade Readiness only collects IE site discovery data on devices that are not yet upgraded to the target operating system version specified in the Upgrade Readiness Overview blade. This is because Upgrade Readiness targets upgrade planning (for devices not yet upgraded). >[!NOTE] From 46ba938f8eaab1d57057c77e7a81a87ede7a0096 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Fri, 26 Apr 2019 17:26:38 -0700 Subject: [PATCH 23/25] Changed references to 1809 to follow standards. --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index c0e27d8f50..b2895dd5ac 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -29,7 +29,7 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 v1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10 v1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. From eab71d85a7ff5fd6176c4689c978ff5172db9554 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Fri, 26 Apr 2019 17:27:44 -0700 Subject: [PATCH 24/25] Update bitlocker-management-for-enterprises.md --- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index b2895dd5ac..8ff7bcfc96 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -29,7 +29,7 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones. From fe569cd214e26de7996b5cdabfe465a03859cf8d Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Fri, 26 Apr 2019 18:03:41 -0700 Subject: [PATCH 25/25] fixing warnings --- .../hello-how-it-works-authentication.md | 7 ------- .../bitlocker/bitlocker-management-for-enterprises.md | 2 +- 2 files changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index ce3277a43c..febe2008ee 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -40,7 +40,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Azure AD join authentication to Active Directory using a Key ![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) @@ -52,7 +51,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Azure AD join authentication to Active Directory using a Certificate ![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png) @@ -62,7 +60,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| |C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Hybrid Azure AD join authentication using a Key ![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png) @@ -76,7 +73,6 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) ## Hybrid Azure AD join authentication using a Certificate ![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png) @@ -90,6 +86,3 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c |F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| |G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| -[Return to top](#Windows-Hello-for-Business-and-Authentication) - - diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 8ff7bcfc96..1325357065 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -53,7 +53,7 @@ If you are installing a server manually, such as a stand-alone server, then choo Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). - For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#articles). + For more information, see the Bitlocker FAQs article and other useful links in [Related Articles](#related-articles).   ## PowerShell examples