From 54f68f3cd70d3ade60cbc338d83dda05665f94b1 Mon Sep 17 00:00:00 2001 From: Christopher Yoo Date: Fri, 7 Jun 2019 16:39:45 -0700 Subject: [PATCH 001/311] Call out for those without Store on their machine --- windows/privacy/diagnostic-data-viewer-overview.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index ec0ba4cd4a..92b7cb467a 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -44,6 +44,9 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn ### Download the Diagnostic Data Viewer Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. + >[!Important] + >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). + ### Start the Diagnostic Data Viewer You can start this app from the **Settings** panel. From 571ede347299e39f7d762b0972120a1482b33e39 Mon Sep 17 00:00:00 2001 From: mapalko Date: Mon, 10 Jun 2019 11:59:23 -0700 Subject: [PATCH 002/311] Updating CDF references Removing some of the CDF section. This should not be recommended to meet FIPS compliance. --- .../threat-protection/windows-10-mobile-security-guide.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index cadf290d91..cd1f4442c5 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md @@ -72,8 +72,6 @@ The biometric image collected at enrollment is converted into an algorithmic for A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the user’s identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that don’t have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail. -In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2). - ### Standards-based approach The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms. From 97758f49989d22ddb32f17778cddd58b24b01394 Mon Sep 17 00:00:00 2001 From: Liza Poggemeyer Date: Wed, 12 Jun 2019 15:20:26 -0700 Subject: [PATCH 003/311] Changed "machine" to "device." --- windows/privacy/diagnostic-data-viewer-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 92b7cb467a..44a4dba799 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -45,7 +45,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. >[!Important] - >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). + >It's possible that your Windows device doesn't have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). ### Start the Diagnostic Data Viewer You can start this app from the **Settings** panel. From fd0654a2fc5932f30eb1ed084295ef93f66b5b83 Mon Sep 17 00:00:00 2001 From: Marcelo di Iorio Date: Thu, 13 Jun 2019 10:22:37 +0200 Subject: [PATCH 004/311] Update hello-hybrid-cert-whfb-settings-pki.md In line 114, shouldn't we say "Exchange Enrollment Agent (Offline request)"? --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 6e3126b3c7..d4233e1945 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -111,7 +111,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. From b4e06f0a5db03e0f2067a1e1cb37a305f370b705 Mon Sep 17 00:00:00 2001 From: Chris Kibble <39386226+ChrisKibble@users.noreply.github.com> Date: Thu, 13 Jun 2019 08:40:54 -0400 Subject: [PATCH 005/311] Fixed end comment in previous suggested file change. --- windows/deployment/update/feature-update-user-install.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index 489c2fcbfd..f46f295f30 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md @@ -69,6 +69,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys) #Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force +<# Disclaimer Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without @@ -78,6 +79,7 @@ Microsoft, its authors, or anyone else involved in the creation, production, or for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. +#> ``` >[!NOTE] From b3c063d4b024220067f446b815bd0e5ae78294bf Mon Sep 17 00:00:00 2001 From: karthigb Date: Thu, 20 Jun 2019 09:35:16 -0700 Subject: [PATCH 006/311] Update create-windows-firewall-rules-in-intune.md --- .../create-windows-firewall-rules-in-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 8de4021830..bf20974a75 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -123,8 +123,8 @@ Default is Any address. [Learn more](https://aka.ms/intunefirewallremotaddressrule) -## Edge traversal (coming soon) -Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. +## Edge traversal (UI coming soon) +Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time. [Learn more](https://aka.ms/intunefirewalledgetraversal) From 57d788db8fd09445942c9531569f719ccd8f5242 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Oliveira?= Date: Tue, 25 Jun 2019 16:12:33 +0100 Subject: [PATCH 007/311] Update enterprise-mode-schema-version-2-guidance.md Added more details on the release of Windows 10 for which schema v2 applies. allow-redirect flag is only available starting from RS3 (v 1709) --- .../enterprise-mode-schema-version-2-guidance.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 187ba67198..186b96bd2c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -19,11 +19,11 @@ ms.date: 12/04/2017 **Applies to:** -- Windows 10 +- Windows 10 (>= v1709) - Windows 8.1 - Windows 7 -Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. +Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10 (>= v1709), using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. **Important**
If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). From b74a68a6420d250082bf2cd1cc478167d7ae80a7 Mon Sep 17 00:00:00 2001 From: skycommand Date: Wed, 26 Jun 2019 11:33:29 +0430 Subject: [PATCH 008/311] Unfurl the list, perform link maintenance From top to bottom, I propose the following changes without prejudice: 1. Converted the heaped mass of links was into an accessible list, compliant with Microsoft Docs guideline. 2. Deleted the second, redundant instance of the link to "Release Notes for MBAM 2.5". 3. Deleted the link to "MDOP TechCenter Page". This page is now deleted. The link redirects to "MDOP Information Experience" to which there is already link in the page. 4. Deleted feedback links (email, Twitter, and Facebook). These channels have been defunct since 2015. 5. Deleted the entire "Got a suggestion for MBAM" section. Both links in it are dead. The UserVoice channel and TechNet subforum have been gone for a long time now. --- mdop/mbam-v25/index.md | 84 ++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 44 deletions(-) diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 9e5c96e03d..81d7b89f5e 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -16,61 +16,57 @@ ms.date: 04/19/2017 Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md). -To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). +To obtain MBAM, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). -[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) +## Outline -[About MBAM 2.5](about-mbam-25.md)**|**[Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)**|**[About MBAM 2.5 SP1](about-mbam-25-sp1.md)**|**[Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)**|**[Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)**|**[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)**|**[Accessibility for MBAM 2.5](accessibility-for-mbam-25.md) - -[Planning for MBAM 2.5](planning-for-mbam-25.md) - -[Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)**|**[MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)**|**[Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)**|**[Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)**|**[Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)**|**[Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)**|**[MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)**|**[Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)**|**[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)**|**[MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md) - -[Deploying MBAM 2.5](deploying-mbam-25.md) - -[Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)**|**[Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)**|**[Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)**|**[MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)**|**[Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)**|**[Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md) - -[Operations for MBAM 2.5](operations-for-mbam-25.md) - -[Administering MBAM 2.5 Features](administering-mbam-25-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)**|**[Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)**|**[Maintaining MBAM 2.5](maintaining-mbam-25.md)**|**[Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) - -[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) - -[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) - -[Client Event Logs](client-event-logs.md)**|**[Server Event Logs](server-event-logs.md) +- [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) + - [About MBAM 2.5](about-mbam-25.md) + - [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md) + - [About MBAM 2.5 SP1](about-mbam-25-sp1.md) + - [Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md) + - [Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md) + - [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md) + - [Accessibility for MBAM 2.5](accessibility-for-mbam-25.md) +- [Planning for MBAM 2.5](planning-for-mbam-25.md) + - [Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md) + - [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md) + - [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md) + - [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md) + - [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md) + - [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md) + - [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) + - [Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md) + - [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md) + - [MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md) +- [Deploying MBAM 2.5](deploying-mbam-25.md) + - [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md) + - [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md) + - [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) + - [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md) + - [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md) + - [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md) +- [Operations for MBAM 2.5](operations-for-mbam-25.md) + - [Administering MBAM 2.5 Features](administering-mbam-25-features.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md) + - [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) + - [Maintaining MBAM 2.5](maintaining-mbam-25.md) + - [Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) +- [Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) +- [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) + - [Client Event Logs](client-event-logs.md) + - [Server Event Logs](server-event-logs.md) ### More Information -- [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md) - - View updated product information and known issues for MBAM 2.5. - -- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) - - Learn about the latest MDOP information and resources. - - [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) - Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). + Find documentation, videos, and other resources for MDOP technologies. - [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. - + - [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) Guide of how to apply MBAM 2.5 SP1 Server hotfixes - -## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). - -  - -  - - - - - From 1ea33cd8c4c6663abc74215f5e83eef5de8a33d1 Mon Sep 17 00:00:00 2001 From: skycommand Date: Wed, 26 Jun 2019 17:23:57 +0430 Subject: [PATCH 009/311] Link maintenance\ --- mdop/mbam-v25/index.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 81d7b89f5e..244e0ae818 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -10,13 +10,11 @@ ms.prod: w10 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 2.5 - Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md). -To obtain MBAM, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). +To obtain MBAM, see [How Do I Get MDOP](index.md#how-to-get-mdop). ## Outline @@ -57,16 +55,16 @@ To obtain MBAM, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId= - [Client Event Logs](client-event-logs.md) - [Server Event Logs](server-event-logs.md) -### More Information +## More Information -- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) +- [MDOP Information Experience](index.md) - Find documentation, videos, and other resources for MDOP technologies. + Find documentation, videos, and other resources for MDOP technologies. -- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) +- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) - Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. + Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. -- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) +- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) - Guide of how to apply MBAM 2.5 SP1 Server hotfixes + Guide of how to apply MBAM 2.5 SP1 Server hotfixes From 6bea2eb3189bf5a38be88cc26b88d3b21c0fc990 Mon Sep 17 00:00:00 2001 From: skycommand Date: Wed, 26 Jun 2019 17:29:21 +0430 Subject: [PATCH 010/311] Unfurl the list, perform link maintenance From top to bottom, I propose the following changes without prejudice: 1. Convert the heaped mass of links into an accessible list, compliant with Microsoft Docs guideline. 2. Delete the second, redundant instance of the link to "Release Notes for MBAM 2.0". 3. Delete the link to "MDOP TechCenter Page". This page is now deleted. The link redirects to "MDOP Information Experience" to which there is already a link in the page. 4. Delete feedback links (email, Twitter, and Facebook). These channels have been defunct since 2015. --- mdop/mbam-v2/index.md | 62 +++++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 29 deletions(-) diff --git a/mdop/mbam-v2/index.md b/mdop/mbam-v2/index.md index 5337db9b65..7f73c171c5 100644 --- a/mdop/mbam-v2/index.md +++ b/mdop/mbam-v2/index.md @@ -10,43 +10,47 @@ ms.prod: w8 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide - Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 provides a simplified administrative interface that you can use to manage BitLocker drive encryption. In BitLocker Administration and Monitoring 2.0, you can select BitLocker drive encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. -[Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) +## Outline -[About MBAM 2.0](about-mbam-20-mbam-2.md)**|**[Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)**|**[About MBAM 2.0 SP1](about-mbam-20-sp1.md)**|**[Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)**|**[Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)**|**[High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md)**|**[Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md) +- [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) + - [About MBAM 2.0](about-mbam-20-mbam-2.md) + - [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md) + - [About MBAM 2.0 SP1](about-mbam-20-sp1.md) + - [Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md) + - [Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md) + - [High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md) + - [Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md) +- [Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) + - [Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md) + - [MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) + - [Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md) + - [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) + - [MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md) +- [Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) + - [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) + - [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md) + - [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md) + - [MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md) + - [Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md) +- [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) + - [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) + - [Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md) + - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) + - [Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md) + - [Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md) + - [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md) +- [Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md) -[Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) +## More Information -[Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md)**|**[MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)**|**[Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md)**|**[MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)**|**[MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md) +- [MDOP Information Experience](index.md) -[Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) - -[Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)**|**[Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)**|**[Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)**|**[MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md)**|**[Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md) - -[Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) - -[Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)**|**[Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md)**|**[Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md)**|**[Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)**|** [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md) - -[Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md) - -### More Information - -- [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md) - - View updated product information and known issues for MBAM 2.0. - -- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) - - Learn about the latest MDOP information and resources. - -- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) - - Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). + Find documentation, videos, and other resources for MDOP technologies.   From 69e37cd6f1ef7879544099001d0c42d98e9fc845 Mon Sep 17 00:00:00 2001 From: skycommand Date: Thu, 27 Jun 2019 14:32:01 +0430 Subject: [PATCH 011/311] Unfurl the list, perform link maintenance From top to bottom, I propose the following changes without prejudice: 1. Convert the heaped mass of links into an accessible list, compliant with Microsoft Docs guideline. 2. Move the link to "Release Notes for MBAM 1.0" into the outline for consistency with the other MBAM admin guides. 3. Delete the link to "MDOP TechCenter Page". This page is now deleted. The link redirects to "MDOP Information Experience" to which there is already a link in the page. 4. Delete feedback links (email, Twitter, and Facebook). These channels have been defunct since 2015. --- mdop/mbam-v1/index.md | 66 ++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 38 deletions(-) diff --git a/mdop/mbam-v1/index.md b/mdop/mbam-v1/index.md index f7646af27e..4424f1bfa5 100644 --- a/mdop/mbam-v1/index.md +++ b/mdop/mbam-v1/index.md @@ -10,46 +10,36 @@ ms.prod: w8 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide - Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker drive encryption. With MBAM, you can select BitLocker encryption policy options that are appropriate to your enterprise and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the entire enterprise. In addition, you can access recovery key information when users forget their PIN or password, or when their BIOS or boot record changes. -[Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) - -[About MBAM 1.0](about-mbam-10.md)**|**[Evaluating MBAM 1.0](evaluating-mbam-10.md)**|**[High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md)**|**[Accessibility for MBAM 1.0](accessibility-for-mbam-10.md)**|**[Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md) - -[Planning for MBAM 1.0](planning-for-mbam-10.md) - -[Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md)**|**[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)**|**[Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md)**|**[MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)**|**[MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md) - -[Deploying MBAM 1.0](deploying-mbam-10.md) - -[Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)**|**[Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)**|**[Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)**|**[Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)**|**[MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md) - -[Operations for MBAM 1.0](operations-for-mbam-10.md) - -[Administering MBAM 1.0 Features](administering-mbam-10-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md)**|**[Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md) - -[Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md) - -### More Information - -[Release Notes for MBAM 1.0](release-notes-for-mbam-10.md) -View updated product information and known issues for MBAM 1.0. - -[MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) -Learn about the latest MDOP information and resources. - -[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) -Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). - -  - -  - - - - +- [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) + - [About MBAM 1.0](about-mbam-10.md) + - [Release Notes for MBAM 1.0](release-notes-for-mbam-10.md) + - [Evaluating MBAM 1.0](evaluating-mbam-10.md) + - [High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md) + - [Accessibility for MBAM 1.0](accessibility-for-mbam-10.md) + - [Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md) +- [Planning for MBAM 1.0](planning-for-mbam-10.md) + - [Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md) + - [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md) + - [Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md) + - [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md) + - [MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md) +- [Deploying MBAM 1.0](deploying-mbam-10.md) + - [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md) + - [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md) + - [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md) + - [Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md) + - [MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md) +- [Operations for MBAM 1.0](operations-for-mbam-10.md) + - [Administering MBAM 1.0 Features](administering-mbam-10-features.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md) + - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) + - [Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md) +- [Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md) +## More Information +- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) + Find documentation, videos, and other resources for MDOP technologies. From c5158881016392ecf9eb060399d86f82659f7b7e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 27 Jun 2019 21:55:49 +0530 Subject: [PATCH 012/311] Just now added corresponding registry key and download link for templates I taken example from windows 10 v1903, i found the corresponding registry keys for hide all notifications and hide non-critical notifications [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableNotifications"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableEnhancedNotifications"=dword:00000001 Also i added the download link for latest administrative templates for Windows 10 v1809. So please add these registry keys and download link as my contribution in this document. Thanking you --- .../wdsc-hide-notifications.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 9ae361f1fd..008876e723 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -56,6 +56,10 @@ This can only be done in Group Policy. > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +0. Download the latest Administrative templates for windows 10 v1809 from below Microsoft official site + **https://www.microsoft.com/en-us/download/details.aspx?id=57576** + + 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. @@ -74,6 +78,8 @@ You can hide all notifications that are sourced from the Windows Security app. T This can only be done in Group Policy. >[!IMPORTANT] + + >### Requirements > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. @@ -86,4 +92,14 @@ This can only be done in Group Policy. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +7. Corresponding registry key for **Hide all notifications** + + **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** + **"DisableNotifications"=dword:00000001** + +8. Corresponding registry key for **Hide not-critical notifications** + + **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** + **"DisableEnhancedNotifications"=dword:00000001** + +9. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). From a2d96c43e065d29a1e49bfd6c36fff16e45bf528 Mon Sep 17 00:00:00 2001 From: illfated Date: Mon, 10 Jun 2019 09:48:26 +0200 Subject: [PATCH 013/311] Windows/Security: update passwordless-strategy.md - Grammar corrections - Simplification of double spacing between sentences - Typo corrections - Removal of trailing spaces Closes #3959 --- .../passwordless-strategy.md | 186 +++++++++--------- 1 file changed, 93 insertions(+), 93 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 284982d26b..8e163285dc 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -14,7 +14,7 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +ms.reviewer: --- # Password-less Strategy @@ -25,184 +25,184 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering -Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory. +Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards password-less. Windows Hello for Business deployed coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment -Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: +Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: - the user never types their password - the user never changes their password - the user does not know their password -In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. +In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. ### 4. Eliminate passwords from the identity directory -The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment. +The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment. ## Methodology -The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. +The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. -### Prepare for the Journey -The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. +### Prepare for the Journey +The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: - Number of departments -- Organization or department hierarchy +- Organization or department hierarchy - Number and type of applications and services - Number of work personas - Organization's IT structure -#### Number of departments -The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. +#### Number of departments +The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. +The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications. +Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications. #### Number of work personas -Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. +Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. -Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. +Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. +Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. #### Assess your Organization -You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? +You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? -By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. +By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. -How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: +How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: - work through the work personas - organize and deploy user acceptance testing - evaluate user acceptance testing results for user-visible password surfaces - work with stakeholders to create solutions that mitigate user-visible password surfaces - add the solution to the project backlog and prioritize against other projects -- deploy solution +- deploy solution - User acceptance testing to confirm the solution mitigates the user-visible password surface - Repeat as needed -Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less. +Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less. ### Where to start? -What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. +What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. -#### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. +#### Work persona +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. > [!IMPORTANT] -> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. +> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line. +You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line. ## The Process -The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like +The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like -1. Password-less replacement offering (Step 1) - 1. Identify test users that represent the targeted work persona. +1. Password-less replacement offering (Step 1) + 1. Identify test users representing the targeted work persona. 2. Deploy Windows Hello for Business to test users. - 3. Validate password and Windows Hello for Business work. + 3. Validate that passwords and Windows Hello for Business work. 2. Reduce User-visible Password Surface (Step 2) 1. Survey test user workflow for password usage. 2. Identify password usage and plan, develop, and deploy password mitigations. 3. Repeat until all user password usage is mitigated. - 4. Remove password capabilities from the Windows. - 5. Validate **all** workflows do not need passwords. + 4. Remove password capabilities from Windows. + 5. Validate that **none of the workflows** need passwords. 3. Transition into a password-less (Step 3) - 1. Awareness campaign and user education. - 2. Including remaining users that fit the work persona. - 3. Validate **all** users of the work personas do not need passwords. - 4. Configure user accounts to disallow password authentication. + 1. Awareness campaign and user education. + 2. Including remaining users that fit the work persona. + 3. Validate that **none of the users** of the work personas need passwords. + 4. Configure user accounts to disallow password authentication. -After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. +After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. ### Password-less replacement offering (Step 1) -THe first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. +The first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. +A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users -Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. +Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. -With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. +With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. > [!NOTE] -> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. +> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. -#### Validate password and Windows Hello for Business work -In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. +#### Validate that passwords and Windows Hello for Business work +In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. ### Reduce User-visible Password Surface (Step 2) Before you move to step 2, ensure you have: -- selected your targeted work persona. +- selected your targeted work persona. - identified your test users that represented the targeted work persona. - deployed Windows Hello for Business to test users. - validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage -Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. +Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. -Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is: +Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is: - What is the name of the application that asked for a password?. - Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?). - What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.). - How frequently do you use this application in a given day? week? -- Is the password you type into the application the same as the password you use to sign-in to Windows? +- Is the password you type into the application the same as the password you use to sign-in to Windows? -Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less. +Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less. #### Identify password usage and plan, develop, and deploy password mitigations -Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. +Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. -Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. +Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. -Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like: +Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization. -Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. +Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). -The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. +The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. -Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authenticate. +Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. #### Repeat until all user password usage is mitigated -Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance. +Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance. -#### Remove password capabilities from the Windows -You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. +#### Remove password capabilities from Windows +You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. -Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. +Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. -##### Security Policy -You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. +##### Security Policy +You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. ![securityPolicyLocation](images/passwordless/00-securityPolicy.png) **Windows Server 2016 and earlier** @@ -213,32 +213,32 @@ The policy name for these operating systems is **Interactive logon: Require smar The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. ![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) -When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. +When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider -You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** +You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** ![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. ![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png) -Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. +Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. -#### Validate all workflows do not need passwords -This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. +#### Validate that none of the workflows need passwords +This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. -### Transition into a password-less deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success. +### Transition into a password-less deployment (Step 3) +Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success. #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. -An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out. +An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out. #### Including remaining users that fit the work persona -You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. +You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. -#### Validate **all** users of the work personas do not need passwords. +#### Validate that none of the users of the work personas need passwords You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment. Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: @@ -247,24 +247,24 @@ Track all reported issues. Set priority and severity to each reported issue and - Is the outage a result of a misconfiguration? - Is the outage a overlooked gap from step 2? -Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. +Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating. #### Configure user accounts to disallow password authentication. -You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. +You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object. The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL). > [!NOTE] -> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. +> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. ![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** -When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because: +When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because: - the do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password @@ -274,7 +274,7 @@ When you configure an user account for SCRIL, Active Directory changes the affec **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** > [!NOTE] -> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. +> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. ![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** @@ -283,14 +283,14 @@ When you configure an user account for SCRIL, Active Directory changes the affec > Windows Hello for Business was formerly known as Microsoft Passport. ##### Automatic password change for SCRIL configured users -Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. +Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. -In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. +In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] -> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. +> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 1c707b838f34e0d7c04a773788170be8e8e33b96 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 10 Jun 2019 23:45:06 +0200 Subject: [PATCH 014/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md * "password-less" changed to passwordless Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8e163285dc..18107d412e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 08/20/2018 ms.reviewer: --- -# Password-less Strategy +# Passwordless Strategy ## Four steps to Password-less From a8898d572f56ca6e8c7311e43a9da1215e91821d Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 10 Jun 2019 23:54:02 +0200 Subject: [PATCH 015/311] Update passwordless-strategy.md - "Password-less" in the heading replaced with 'password freedom' - "Password-less" in the image comment contracted to 'passwordless' --- .../hello-for-business/passwordless-strategy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 18107d412e..d4a553671e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -18,10 +18,10 @@ ms.reviewer: --- # Passwordless Strategy -## Four steps to Password-less +## Four steps to password freedom Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less. -![Password-less approach](images/four-steps-passwordless.png) +![Passwordless approach](images/four-steps-passwordless.png) ### 1. Develop a password replacement offering From 0648ea96971ef6998db3fa86e2837360dc5f3bf7 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:39:38 +0200 Subject: [PATCH 016/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - correction in line 63 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index d4a553671e..225c7f44e9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -60,7 +60,7 @@ The most intuitive answer is the size of the organization, and that would be cor #### Number of departments The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. From 1f38acc0c83b939bf3773564a1ffaadfae66218f Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:41:27 +0200 Subject: [PATCH 017/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - correction in line 65 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 225c7f44e9..cdbda1bf4d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -62,7 +62,7 @@ The number of departments within an organization varies. Most organizations have You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password-less. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. #### Organization or department hierarchy Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. From 5800d73a93ec51e4d748b841a4e9b686d0d6b237 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:42:42 +0200 Subject: [PATCH 018/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - correction in line 73 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index cdbda1bf4d..362b41a5a6 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -70,7 +70,7 @@ Organization and department hierarchy is the management layers within the depart #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications. +Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. From e4afb2da405da663f44c918d3200f7ef6df1676b Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:43:30 +0200 Subject: [PATCH 019/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation in line 78 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 362b41a5a6..c20390c1a3 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -75,7 +75,7 @@ Capturing the number of applications used is easier once you have the department #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. From 948118e668aefc62adfcd4a681050c5374f05f29 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:46:21 +0200 Subject: [PATCH 020/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation in line 90 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c20390c1a3..ef7f71019c 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -87,7 +87,7 @@ IT department structures can vary more than the organization. Some IT department #### Assess your Organization You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? -By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. +By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: - work through the work personas From 4ca65d872c67ff16b2f871e9aaddcb56c68ff548 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:47:15 +0200 Subject: [PATCH 021/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 117 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index ef7f71019c..96ea10e3dd 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -114,7 +114,7 @@ Review your collection of work personas. Early in your password-less journey, id Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line. +You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. ## The Process From b8cc24c5007b7aff32843c54a4ecdc50af860b67 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:49:15 +0200 Subject: [PATCH 022/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - added " this:" to the end of line 121 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 96ea10e3dd..6cb845ddbf 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -118,7 +118,7 @@ You will want to balance testing in a lab with providing results to management q ## The Process -The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like +The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: 1. Password-less replacement offering (Step 1) 1. Identify test users representing the targeted work persona. From 1dc0a0dccb4823419cecf488b27ece40a143e65b Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:49:50 +0200 Subject: [PATCH 023/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 135 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 6cb845ddbf..3d638a913e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -132,7 +132,7 @@ The journey to password-less is to take each work persona through each password- 5. Validate that **none of the workflows** need passwords. 3. Transition into a password-less (Step 3) 1. Awareness campaign and user education. - 2. Including remaining users that fit the work persona. + 2. Include remaining users that fit the work persona. 3. Validate that **none of the users** of the work personas need passwords. 4. Configure user accounts to disallow password authentication. From dc69ad9566ac53f2179655e14aff8dec4580b018 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:50:45 +0200 Subject: [PATCH 024/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 182 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 3d638a913e..e796bf83fe 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -179,7 +179,7 @@ Your test users have provided you valuable information that describes the how, w Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. -Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like: +Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. From fd9c68a97a4838772486582a2981c1bc2d30be5c Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:51:48 +0200 Subject: [PATCH 025/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation adjustment in line 186 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e796bf83fe..e9b21afa27 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -183,7 +183,7 @@ Keep in mind your test users will not uncover all scenarios. Some scenarios you - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. From a9d059d811477b0d9b940462deedbe504e5f7591 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:54:25 +0200 Subject: [PATCH 026/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction ("A" to An) in line 188 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e9b21afa27..514bbbca61 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -185,7 +185,7 @@ Keep in mind your test users will not uncover all scenarios. Some scenarios you Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. -Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. +Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). From c0b9fce31e03d5548dac97f2f614c8b7c7426e07 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:57:06 +0200 Subject: [PATCH 027/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - word duplication removal + punctuation adjustment in line 192 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 514bbbca61..2b811f0b73 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -189,7 +189,7 @@ Start mitigating password usages based on the workflows of your targeted persona Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). -The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. +The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. From 5829b2c3a321c1500aac00eeea4e6d2c8d2e097d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:58:53 +0200 Subject: [PATCH 028/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 197 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2b811f0b73..570bd01ddf 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -194,7 +194,7 @@ The ideal mitigation for applications that prompt the user for a password is to Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. #### Repeat until all user password usage is mitigated -Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance. +Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance. #### Remove password capabilities from Windows You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. From c45befa44f1b3cfdfc653aa2b9706da224e1a1b1 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:59:45 +0200 Subject: [PATCH 029/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar + punctuation correction in line 200 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 570bd01ddf..66e43a918d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -197,7 +197,7 @@ Each scenario on your master list should now have a problem statement, an invest Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance. #### Remove password capabilities from Windows -You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. +You believe you have mitigated all the password usage for the targeted work persona. Now comes the true test - configure Windows so the user cannot use a password. Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. From d8e11458716d26aa40e2877aa699324144319dd8 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:00:32 +0200 Subject: [PATCH 030/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar/typo correction in line 216 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 66e43a918d..a637f3fdfe 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -213,7 +213,7 @@ The policy name for these operating systems is **Interactive logon: Require smar The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. ![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) -When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. +When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** From aaf6de66b46715a4e687cbcc7f412db745ef61a7 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:01:41 +0200 Subject: [PATCH 031/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar + punctuation correction in line 231 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a637f3fdfe..59affc9a4a 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -228,7 +228,7 @@ Excluding the password credential provider hides the password credential provide This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. ### Transition into a password-less deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success. +Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. From 3fdde5fc4fd48d50b025528894b4387bfbeb8bf2 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:02:35 +0200 Subject: [PATCH 032/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 236 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 59affc9a4a..9c3e8f09bf 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -233,7 +233,7 @@ Congratulations! You are ready to transition one or more portions of your organ #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. -An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out. +An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. #### Including remaining users that fit the work persona You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. From 08bfea5bb27cb32aa394aa97a63b4d699e8d3b60 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:03:33 +0200 Subject: [PATCH 033/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 241 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 9c3e8f09bf..08ca0c4975 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -238,7 +238,7 @@ An awareness campaign introduces the users to the new way of authenticating to t #### Including remaining users that fit the work persona You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. -#### Validate that none of the users of the work personas need passwords +#### Validate that none of the users of the work personas needs passwords You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment. Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: From 68b0467247d61ca9350c0c14df12539aed9591ee Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:28:37 +0200 Subject: [PATCH 034/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - add missing word at the end of line 252 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 08ca0c4975..611d453547 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -249,7 +249,7 @@ Track all reported issues. Set priority and severity to each reported issue and Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. #### Configure user accounts to disallow password authentication. You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. From f353e7f771d8d81fe5626f678b8b9289b3c5ffad Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:32:43 +0200 Subject: [PATCH 035/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2 grammar corrections in line 267 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 611d453547..b5c133806d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -264,7 +264,7 @@ The account options on a user account includes an option -- **Smart card is requ ![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** -When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively password-less because: - the do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password From ff48adfa44ddb5e0a27bcdad3ae9f6dad9d40f76 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:33:32 +0200 Subject: [PATCH 036/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - single grammar correction in line 286 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b5c133806d..48e6d384ca 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -283,7 +283,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect > Windows Hello for Business was formerly known as Microsoft Passport. ##### Automatic password change for SCRIL configured users -Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. +Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) From 2e04972a9e2f55cbffea39932eafbcce9f8a40c2 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:36:24 +0200 Subject: [PATCH 037/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - various grammar corrections in line 288 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 48e6d384ca..390311c324 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -285,7 +285,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect ##### Automatic password change for SCRIL configured users Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. -In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. +In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages. ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] From 111505ef9eed1ee775e38315d1588cdf8de2e915 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:37:56 +0200 Subject: [PATCH 038/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - structural grammar correction in line 292 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 390311c324..2769cfa228 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -289,7 +289,7 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] -> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. +> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 16bcc67eaaa69d280f8eae501f864731253e6b97 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:53:13 +0200 Subject: [PATCH 039/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - well needed punctuation corrections in line 295 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2769cfa228..561a121ec9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -292,5 +292,5 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 0e2b598e45276438b2c19d612254145e664deef6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:58:35 +0200 Subject: [PATCH 040/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - combine corrections from JohanFreelancer9 with my own --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 561a121ec9..acd249a15e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -247,7 +247,7 @@ Track all reported issues. Set priority and severity to each reported issue and - Is the outage a result of a misconfiguration? - Is the outage a overlooked gap from step 2? -Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. +Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. From d450d0d28cfbd43142a30050fa61e4b066b66ff4 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:40:24 +0200 Subject: [PATCH 041/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 30 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index acd249a15e..b01918cfd7 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -27,7 +27,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. Windows Hello for Business deployed coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. From 26135c92257299aecd6e980209ca9470e0c0a931 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:42:22 +0200 Subject: [PATCH 042/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability simplification in line 33 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b01918cfd7..9940c4bdd0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -30,7 +30,7 @@ Before you move away from passwords, you need something to replace them. With Wi Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: From 819b07f6fd4d63e1eab326ab69a210f0881669d6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:43:34 +0200 Subject: [PATCH 043/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - heading format corrections in line 35 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 9940c4bdd0..e86cef3768 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -32,7 +32,7 @@ Deploying Windows Hello for Business is the first step towards a passwordless en ### 2. Reduce user-visible password surface area With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. -### 3. Transition into a password-less deployment +### 3. Transition into a passwordless deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: - the user never types their password - the user never changes their password From d0ae5347d59217147703d3e82739262037c68bf3 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:44:41 +0200 Subject: [PATCH 044/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => passwordless in line 36 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e86cef3768..1a4a88c244 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -33,7 +33,7 @@ Deploying Windows Hello for Business is the first step towards a passwordless en With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a passwordless deployment -Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: +Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: - the user never types their password - the user never changes their password - the user does not know their password From db8b536a211dcf3e0214a5fc17d8a91e7957a777 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:45:30 +0200 Subject: [PATCH 045/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2x "password-less" => passwordless in line 44 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1a4a88c244..ba18f2dbc4 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -41,7 +41,7 @@ Once the user-visible password surface has been eliminated, your organization ca In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. ### 4. Eliminate passwords from the identity directory -The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment. +The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. ## Methodology The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. From 9cb6ebdba87f334dbec0f4d96692404f43fe4627 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:47:00 +0200 Subject: [PATCH 046/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability improvement in line 47 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index ba18f2dbc4..b3968d3355 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -44,7 +44,7 @@ In this world, the user signs in to Windows 10 using Windows Hello for Business The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. ## Methodology -The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. +Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. ### Prepare for the Journey The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. From 1aa853886bb9a08cd7c42d2a914b6cbb0036f961 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:48:12 +0200 Subject: [PATCH 047/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 50 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b3968d3355..96e7c243dd 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -47,7 +47,7 @@ The final step of the passwordless story is where passwords simply do not exist. Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. ### Prepare for the Journey -The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. +The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria that influence the length of the journey. The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: - Number of departments From a45d3197b600d6431e01d12d40c3114e01a4d41e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:48:44 +0200 Subject: [PATCH 048/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation correction in line 52 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 96e7c243dd..35744f5215 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -49,7 +49,7 @@ Four steps to password freedom provides an overall view of how Microsoft envisio ### Prepare for the Journey The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria that influence the length of the journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is: - Number of departments - Organization or department hierarchy - Number and type of applications and services From 31af310df1fe8c474ef35183e49acfc87a698055 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:50:23 +0200 Subject: [PATCH 049/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability improvement (simplification) at the end of line 63 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 35744f5215..a4fd3640a5 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -60,7 +60,7 @@ The most intuitive answer is the size of the organization, and that would be cor #### Number of departments The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password-less. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. From d7ecdc25ac1ef2da9658d323f2482db3cfff12fe Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:52:38 +0200 Subject: [PATCH 050/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 65 (might need removal of 1 space) Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a4fd3640a5..b293c1e2a6 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -62,7 +62,7 @@ The number of departments within an organization varies. Most organizations have You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password-less. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. From ee11f61f7fdd6b453df7d621ad237fd2dd774a16 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:56:43 +0200 Subject: [PATCH 051/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 68 (also should be updated later with "differently from" instead of "differently than") Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b293c1e2a6..75f91de16e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -65,7 +65,7 @@ You need to know all the departments within your organization and you need to kn Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. From 01ff56b01a8ee17041d3f8c2b9a0e488a3d19d8f Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:57:40 +0200 Subject: [PATCH 052/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 71 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 75f91de16e..36b3b6d7d1 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -68,7 +68,7 @@ Your count of the departments must be thorough and accurate, as well as knowing Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. +The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. From ed1abd1ade8c801b2448b9cf0b301ba62745d37e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:59:26 +0200 Subject: [PATCH 053/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 78 (might need to add one or two commas here later) Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 36b3b6d7d1..aad6e3c128 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -75,7 +75,7 @@ Capturing the number of applications used is easier once you have the department #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work and you will refer to them in documentation and in meetings. You need to give them a name. Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. From cacf39a5875955711635c30fe53a3c6defe45123 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:00:46 +0200 Subject: [PATCH 054/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - semantic improvement in line 82 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index aad6e3c128..8851e977ab 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -79,7 +79,7 @@ A work persona classifies a category of user, title or role (individual contribu Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. +Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. From 6edb7070e14d9bf4ba011095274c990f9c31e40d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:02:42 +0200 Subject: [PATCH 055/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - multiple corrections of "password-less" => 'passwordless' also with a couple of words added in line 85 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8851e977ab..f1ef213674 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -82,7 +82,7 @@ Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to being passwordless will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to being passwordless. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. #### Assess your Organization You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? From b94a3f8b78e0e79f650f999f70c85d4de1ecbc9e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:07:18 +0200 Subject: [PATCH 056/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - multiple corrections of "password-less" ('passwordless' or improving the semantics by replacing the words) Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f1ef213674..09569176b9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -89,7 +89,7 @@ You have a ton of information. You have created your work personas, you identifi By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. -How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: +How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: - work through the work personas - organize and deploy user acceptance testing - evaluate user acceptance testing results for user-visible password surfaces From 59ae4bc850eda787123077d799b72c43d014b866 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:09:44 +0200 Subject: [PATCH 057/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections and punctuation improvements in line 102 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 09569176b9..f583d3c80a 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -99,7 +99,7 @@ How long does it take to become passwordless? The answer is "it depends". It de - User acceptance testing to confirm the solution mitigates the user-visible password surface - Repeat as needed -Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less. +Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. ### Where to start? What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. From c1ba62b192f3532adb62ba331c3abf6b9ce44e7d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:10:48 +0200 Subject: [PATCH 058/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections and semantic improvements in line 105 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f583d3c80a..a26a2124ae 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -102,7 +102,7 @@ How long does it take to become passwordless? The answer is "it depends". It de Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. ### Where to start? -What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. +What is the best guidance for kicking off the passwordless journey? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. #### Work persona You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. From c0b74942ad5c66909391efb1c26eeb6d65c70b3f Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:11:56 +0200 Subject: [PATCH 059/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 108 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a26a2124ae..5ba7909b91 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -105,7 +105,7 @@ Your organization's journey to being passwordless may take some time. Counting t What is the best guidance for kicking off the passwordless journey? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. #### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the passwordless steps. > [!IMPORTANT] > Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. From 7d2401d85709361c7969f7a812053dc2c5142eac Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:12:32 +0200 Subject: [PATCH 060/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 111 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 5ba7909b91..891f2b248e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -108,7 +108,7 @@ What is the best guidance for kicking off the passwordless journey? You will wa You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the passwordless steps. > [!IMPORTANT] -> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. +> Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. From 1ca09e1e7f018514859e0f0d4b05ccf1f1a64f39 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:13:03 +0200 Subject: [PATCH 061/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 113 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 891f2b248e..b8714f89a9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -110,7 +110,7 @@ You begin with your work personas. These were part of your preparation process. > [!IMPORTANT] > Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your passwordless journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. From ddf3841e76a79b3d974053e1b3b411b3e0cb1551 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:14:29 +0200 Subject: [PATCH 062/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'a password-free strategy' in line 115 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b8714f89a9..1c34b1ee92 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -112,7 +112,7 @@ You begin with your work personas. These were part of your preparation process. Review your collection of work personas. Early in your passwordless journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. From fc6fc54c72c94b30aee236476ea6783df1f933b0 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:15:49 +0200 Subject: [PATCH 063/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2 "password-less" corrections + 1 word added in line 121 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1c34b1ee92..89d029e35e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -118,7 +118,7 @@ You will want to balance testing in a lab with providing results to management q ## The Process -The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: +The journey to being passwordless is to take each work persona through each passwordless step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: 1. Password-less replacement offering (Step 1) 1. Identify test users representing the targeted work persona. From 3c550a7a38f4ef050a9e3dc6da8c4b11e8712862 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:17:34 +0200 Subject: [PATCH 064/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "Password-less" => 'Passwordless' in line 123 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 89d029e35e..2a0047ddc2 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -120,7 +120,7 @@ You will want to balance testing in a lab with providing results to management q The journey to being passwordless is to take each work persona through each passwordless step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: -1. Password-less replacement offering (Step 1) +1. Passwordless replacement offering (Step 1) 1. Identify test users representing the targeted work persona. 2. Deploy Windows Hello for Business to test users. 3. Validate that passwords and Windows Hello for Business work. From 62577a1488f95b4a6af09de77de7f614fa8edc31 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:18:21 +0200 Subject: [PATCH 065/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "Password-less" => 'Passwordless' in line 141 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2a0047ddc2..01b6573b1f 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -138,7 +138,7 @@ The journey to being passwordless is to take each work persona through each pass After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. -### Password-less replacement offering (Step 1) +### Passwordless replacement offering (Step 1) The first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona From 5cfdf4dcdf5df8e1f5a75b3fd632353774803412 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:19:18 +0200 Subject: [PATCH 066/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'password freedom' in line 142 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 01b6573b1f..90a8521d72 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -139,7 +139,7 @@ The journey to being passwordless is to take each work persona through each pass After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. ### Passwordless replacement offering (Step 1) -The first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. +The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. From 598c9e3e44ef1112f4529de48b84bb93d71ac918 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:20:25 +0200 Subject: [PATCH 067/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability improvement (removal of "password-less") in line 145 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 90a8521d72..63192115fe 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -142,7 +142,7 @@ After successfully moving a work persona to password-less, you can prioritize th The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. +A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. From 196c4ff45b6ee6bb7f8833a142698c2e5691dd72 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:21:24 +0200 Subject: [PATCH 068/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - semantic improvement (including "password-less" => 'passwordless') in line 190 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 63192115fe..c0184a9f9b 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -187,7 +187,7 @@ Next, review your master list of scenarios. You can start with the workflows tha Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. -Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). +Mitigating password usage with applications is one or the more challenging obstacle in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. From aad240c225f5a1098e25a0738fac7ec38c421104 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:22:21 +0200 Subject: [PATCH 069/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 230 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c0184a9f9b..e2a52e5fd2 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -227,7 +227,7 @@ Excluding the password credential provider hides the password credential provide #### Validate that none of the workflows need passwords This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. -### Transition into a password-less deployment (Step 3) +### Transition into a passwordless deployment (Step 3) Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education From 2c64492583099129f7eed6c11359cc9e1922b594 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:23:07 +0200 Subject: [PATCH 070/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 231 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e2a52e5fd2..007105df76 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -228,7 +228,7 @@ Excluding the password credential provider hides the password credential provide This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. ### Transition into a passwordless deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. +Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. From d911333b88d04ccb185424e2337c8565629bf3fe Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:23:57 +0200 Subject: [PATCH 071/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2x "password-less" => 'passwordless' in line 255 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 007105df76..36ab994644 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -252,7 +252,7 @@ Each organization's priority and severity will differ. However, most organizatio Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. #### Configure user accounts to disallow password authentication. -You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. +You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object. From 93da7499512b6275b9949ae06d246e88ebb378c6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:24:55 +0200 Subject: [PATCH 072/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 267 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 36ab994644..2023b4d469 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -264,7 +264,7 @@ The account options on a user account includes an option -- **Smart card is requ ![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: - the do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password From 49f41cefb13cae9d927c57bd0a0b242bf6a9c70c Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:26:11 +0200 Subject: [PATCH 073/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => "a passwordless future" in line 295 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2023b4d469..10e2239dcb 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -292,5 +292,5 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a passwordless future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 4ac7ebed1c557f9f88c6239ce8c2ff23e5e1eeab Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 20:34:45 +0200 Subject: [PATCH 074/311] Update hello-for-business/passwordless-strategy.md - "password-less" => 'password freedom' in line 23 (to keep it in tune with the preceding headline) --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 10e2239dcb..34b853b30b 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -20,7 +20,7 @@ ms.reviewer: ## Four steps to password freedom -Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less. +Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom. ![Passwordless approach](images/four-steps-passwordless.png) From f2706af5217d547d26f1e967f63719efea9f712c Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 20:51:35 +0200 Subject: [PATCH 075/311] Update hello-for-business/passwordless-strategy.md Further corrections in line 65: - reduced a double space to single space from previous changes - "organizations" => organization (our own organization is singular in the reader's perspective) --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 34b853b30b..c9bb8cdad0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -62,7 +62,7 @@ The number of departments within an organization varies. Most organizations have You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. From 40d4c5e8d4916e0597f1e1eaf1041d4918b9cfb7 Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 21:06:40 +0200 Subject: [PATCH 076/311] Update hello-for-business/passwordless-strategy.md Correction in line 68: - "differently than" => 'differently compared to' Correct use cases are usually "different than" or "different from", but "differently" needs more details in the comparison. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c9bb8cdad0..c59aefdb5a 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -65,7 +65,7 @@ You need to know all the departments within your organization and you need to kn Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. From 44507a5280204180300b48c2709e38b7952d9faf Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 21:09:46 +0200 Subject: [PATCH 077/311] Update hello-for-business/passwordless-strategy.md Correction in line 78: 1 comma added to maintain structural semantics. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c59aefdb5a..8927498ca0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -75,7 +75,7 @@ Capturing the number of applications used is easier once you have the department #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work and you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name. Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. From b2336814df149421626b6e98a59608779aa7fc5d Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 22:53:30 +0200 Subject: [PATCH 078/311] Update hello-for-business/passwordless-strategy.md Add some changes in the lines 98-100 to make each bullet point work as a complete sentence starting with "Those resources will [...]" --- .../hello-for-business/passwordless-strategy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8927498ca0..a87e88a60f 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -95,9 +95,9 @@ How long does it take to become passwordless? The answer is "it depends". It de - evaluate user acceptance testing results for user-visible password surfaces - work with stakeholders to create solutions that mitigate user-visible password surfaces - add the solution to the project backlog and prioritize against other projects -- deploy solution -- User acceptance testing to confirm the solution mitigates the user-visible password surface -- Repeat as needed +- deploy the solution +- perform user acceptance testing to confirm that the solution mitigates the user-visible password surface +- repeat the testing as needed Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. From 968acf48e98fd243d91c3c6c7ed308620fc36b9a Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 23:01:16 +0200 Subject: [PATCH 079/311] Update hello-for-business/passwordless-strategy.md Change in line 33: "the user knows they have a password" replaced with "the users know they have a password" to match the plural 'users' referenced elsewhere. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a87e88a60f..6b375fe6dc 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -30,7 +30,7 @@ Before you move away from passwords, you need something to replace them. With Wi Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a passwordless deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: From 1098a4cd9e67bdf035e1524545e5e220f91736ec Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 23:07:35 +0200 Subject: [PATCH 080/311] Update hello-for-business/passwordless-strategy.md Changes in the lines 37-39: user => users (along with the verbs corrected to plural) to match the plural 'users' referenced elsewhere. --- .../hello-for-business/passwordless-strategy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 6b375fe6dc..f872f56909 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -34,9 +34,9 @@ With Windows Hello for Business and passwords coexisting in your environment, th ### 3. Transition into a passwordless deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: - - the user never types their password - - the user never changes their password - - the user does not know their password + - the users never type their password + - the users never change their password + - the users do not know their password In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. From 310179b7b35c256d93d6c143ba7d9e51b58c7d0d Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 23:56:44 +0200 Subject: [PATCH 081/311] Update hello-for-business/passwordless-strategy.md Multiple scattered changes, including: - "password-less" => passwordless - both in titles and sentences (should resolve all remaining occurrences of "password-less") - semantics improvements - punctuation adjustments (mainly comma placements) - singular/plural corrections based on general reference - added some missing structural words --- .../passwordless-strategy.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f872f56909..7426c2c6dc 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,5 +1,5 @@ --- -title: Password-less Strategy +title: Passwordless Strategy description: Reducing Password Usage Surface keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 @@ -60,7 +60,7 @@ The most intuitive answer is the size of the organization, and that would be cor #### Number of departments The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. @@ -68,7 +68,7 @@ Your count of the departments must be thorough and accurate, as well as knowing Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. +The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. @@ -114,7 +114,7 @@ Review your collection of work personas. Early in your passwordless journey, ide Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. +You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your journey to being passwordless is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. ## The Process @@ -130,13 +130,13 @@ The journey to being passwordless is to take each work persona through each pass 3. Repeat until all user password usage is mitigated. 4. Remove password capabilities from Windows. 5. Validate that **none of the workflows** need passwords. -3. Transition into a password-less (Step 3) +3. Transition into a passwordless scenario (Step 3) 1. Awareness campaign and user education. - 2. Include remaining users that fit the work persona. + 2. Include remaining users who fit the work persona. 3. Validate that **none of the users** of the work personas need passwords. 4. Configure user accounts to disallow password authentication. -After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. +After successfully moving a work persona to being passwordless, you can prioritize the remaining work personas, and repeat the process. ### Passwordless replacement offering (Step 1) The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. @@ -145,9 +145,9 @@ The first step to password freedom is providing an alternative to passwords. Win A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users -Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. +Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. -With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. +With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. > [!NOTE] > There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. @@ -172,7 +172,7 @@ Test users create the workflows associated with the targeted work persona. Their - How frequently do you use this application in a given day? week? - Is the password you type into the application the same as the password you use to sign-in to Windows? -Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less. +Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless. #### Identify password usage and plan, develop, and deploy password mitigations Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. @@ -231,15 +231,15 @@ This is the big moment. You have identified password usage, developed solutions Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education -In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. +In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of being passwordless. Before you do this, you want to invest in an awareness campaign. An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. #### Including remaining users that fit the work persona -You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. +You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment. #### Validate that none of the users of the work personas needs passwords -You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment. +You have successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they do not encounter any issues while working in a passwordless environment. Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: - Is the reporting user performing a task outside the work persona? @@ -249,7 +249,7 @@ Track all reported issues. Set priority and severity to each reported issue and Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal, but do not let this slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. #### Configure user accounts to disallow password authentication. You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. From f8d8da725333c8abef7c62545d2c27a6e5603f9a Mon Sep 17 00:00:00 2001 From: illfated Date: Thu, 13 Jun 2019 00:58:18 +0200 Subject: [PATCH 082/311] Update hello-for-business/passwordless-strategy.md Another round of multiple scattered changes. Multiple occurrences of 'passwordless' replaced with "password freedom", specifically where "the journey to password freedom" fits better. --- .../passwordless-strategy.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 7426c2c6dc..d448e47f84 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -44,12 +44,12 @@ In this world, the user signs in to Windows 10 using Windows Hello for Business The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. ## Methodology -Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. +Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. ### Prepare for the Journey -The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria that influence the length of the journey. +The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria influencing the length of that journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is: +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the - Number of departments - Organization or department hierarchy - Number and type of applications and services @@ -58,38 +58,38 @@ The most intuitive answer is the size of the organization, and that would be cor - Organization's IT structure #### Number of departments -The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. +The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly, while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. +You need to know all the departments within your organization and you need to know which departments use computers and which ones do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. +Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name. -Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. +Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to being passwordless will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to being passwordless. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. #### Assess your Organization -You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? +You have a ton of information. You have created your work personas, you have identified your stakeholders throughout the different IT groups. Now what? -By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. +By now you can see why it is a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you have identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it is only a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project which must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. -How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: +How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they have agreed on the strategy). Those resources will: - work through the work personas - organize and deploy user acceptance testing - evaluate user acceptance testing results for user-visible password surfaces @@ -99,26 +99,26 @@ How long does it take to become passwordless? The answer is "it depends". It de - perform user acceptance testing to confirm that the solution mitigates the user-visible password surface - repeat the testing as needed -Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. +Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. ### Where to start? -What is the best guidance for kicking off the passwordless journey? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. +What is the best guidance for kicking off the journey to password freedom? You will want to show your management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. #### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the passwordless steps. +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the steps to password freedom. > [!IMPORTANT] > Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. Early in your passwordless journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your journey to being passwordless is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. +You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. ## The Process -The journey to being passwordless is to take each work persona through each passwordless step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: +The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: 1. Passwordless replacement offering (Step 1) 1. Identify test users representing the targeted work persona. @@ -136,13 +136,13 @@ The journey to being passwordless is to take each work persona through each pass 3. Validate that **none of the users** of the work personas need passwords. 4. Configure user accounts to disallow password authentication. -After successfully moving a work persona to being passwordless, you can prioritize the remaining work personas, and repeat the process. +After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process. ### Passwordless replacement offering (Step 1) The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. +A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. @@ -158,14 +158,14 @@ In this first step, passwords and Windows Hello for Business must coexist. You w ### Reduce User-visible Password Surface (Step 2) Before you move to step 2, ensure you have: - selected your targeted work persona. -- identified your test users that represented the targeted work persona. +- identified your test users who represent the targeted work persona. - deployed Windows Hello for Business to test users. - validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. -Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is: +Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: - What is the name of the application that asked for a password?. - Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?). - What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.). @@ -231,7 +231,7 @@ This is the big moment. You have identified password usage, developed solutions Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education -In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of being passwordless. Before you do this, you want to invest in an awareness campaign. +In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this, you want to invest in an awareness campaign. An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. From e109dd02a04562e5b10f4da6311c0b4421e1f378 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:23:46 +0200 Subject: [PATCH 083/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - single semantic addition ("the") in line 115 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index d448e47f84..903207c8a6 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -112,7 +112,7 @@ You begin with your work personas. These were part of your preparation process. Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of the targeted work persona. You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. From 428824d490176d67ffa6835a5fb0a27fb42e3e00 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:24:42 +0200 Subject: [PATCH 084/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "your => you" typo correction in line 166 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 903207c8a6..aa86612a39 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -163,7 +163,7 @@ Before you move to step 2, ensure you have: - validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage -Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. +Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: - What is the name of the application that asked for a password?. From 399dde0af66b31c438cae7bf01197087a4de6de1 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:25:25 +0200 Subject: [PATCH 085/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "its => it is" correction in line 180 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index aa86612a39..522e711308 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -177,7 +177,7 @@ Some organizations will empower their users to write this information while some #### Identify password usage and plan, develop, and deploy password mitigations Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. -Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. +Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it is policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. From cba2d309655b6562e7cd0fa565e72149a90599cd Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:25:59 +0200 Subject: [PATCH 086/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation (comma) correction in line 186 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 522e711308..d8550c51dd 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -183,7 +183,7 @@ Keep in mind your test users will not uncover all scenarios. Some scenarios you - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. From 621092136c770a03f790fe60f286e13192397b35 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:27:05 +0200 Subject: [PATCH 087/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar & typo correction in line 190 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index d8550c51dd..1448ed5051 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -187,7 +187,7 @@ Next, review your master list of scenarios. You can start with the workflows tha Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. -Mitigating password usage with applications is one or the more challenging obstacle in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). +Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. From 053573452deae36adaf5d466aed84068377c3cef Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:28:04 +0200 Subject: [PATCH 088/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - singular/plural correction (setting) in line 219 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1448ed5051..1b6ed949d7 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -216,7 +216,7 @@ The policy name for these operating systems is **Interactive logon: Require Wind When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider -You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** +You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon** ![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. From a7d08cc1bc3166ec67d772b78a702235d6d5c744 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:33:09 +0200 Subject: [PATCH 089/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "none" taking singular verb -- line 227 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1b6ed949d7..480d0d5c10 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -224,7 +224,7 @@ The name of the policy setting is **Exclude credential providers**. The value to Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. -#### Validate that none of the workflows need passwords +#### Validate that none of the workflows needs passwords This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. ### Transition into a passwordless deployment (Step 3) From 9768384a4c9fc43c3d8dee88527b310074a17129 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:34:09 +0200 Subject: [PATCH 090/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - addition of colon before a following list -- line 52 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 480d0d5c10..c4eaab4612 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -49,7 +49,7 @@ Four steps to password freedom provides an overall view of how Microsoft envisio ### Prepare for the Journey The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria influencing the length of that journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the: - Number of departments - Organization or department hierarchy - Number and type of applications and services From 0aaad1aaf624370d867380cbe8cb3ea317132cee Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 2 Jul 2019 23:48:54 +0200 Subject: [PATCH 091/311] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - remove 2 commas and substitute the last one with "and". --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c4eaab4612..dad7dbf3f8 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -79,7 +79,7 @@ A work persona classifies a category of user, title or role (individual contribu Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. +Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person who is in that department and who uses that specific software. #### Organization's IT structure IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. From a1cfdd776d2ba81e4bbba32079c30f5b859f37fd Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Thu, 4 Jul 2019 11:38:05 +0200 Subject: [PATCH 092/311] Update waas-overview.md Added additional link. --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 787af15764..e1523a2e7f 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -145,7 +145,7 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements.](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements) The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. From 5f59ccc20acedca416f9af20ecfcce9cd7d41428 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sun, 7 Jul 2019 13:26:09 +0200 Subject: [PATCH 093/311] Update windows/deployment/update/waas-overview.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index e1523a2e7f..0b135a319f 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -145,7 +145,7 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements.](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements) +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. From 8ac9ffb2ca15db5e67cedfbd7e2abbf0acdae760 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Sun, 7 Jul 2019 18:56:44 +0200 Subject: [PATCH 094/311] Update set-up-mdt-for-bitlocker.md Edits for clarity, adds note format, resolves https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4266 --- .../deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index f61b25241d..e0b049b416 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -136,12 +136,14 @@ cscript.exe SetConfig.vbs SecurityChip Active ``` ## Configure the Windows 10 task sequence to enable BitLocker -When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: +When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). + +We added these five actions to the task sequence: - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. - **Note**   - It is common for organizations wrapping these tools in scripts to get additional logging and error handling. - + + > [!NOTE] + > It is common for organizations wrapping these tools in scripts to get additional logging and error handling. - **Restart computer.** Self-explanatory, reboots the computer. - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. - **Enable BitLocker.** Runs the built-in action to activate BitLocker. From 88960816c21441b15ad48bc2a67e8d43124047ed Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sun, 7 Jul 2019 19:43:46 +0200 Subject: [PATCH 095/311] Update windows/deployment/update/waas-overview.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 0b135a319f..07acf89db8 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -145,7 +145,7 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information about Windows support for the latest processor and chipsets, see [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. From 69713821d072e07ab97c8347ec877effc64fd70e Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Sun, 7 Jul 2019 23:40:38 +0200 Subject: [PATCH 096/311] Update set-up-mdt-for-bitlocker.md Note clarified --- .../deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index e0b049b416..2d6089ad5e 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -143,7 +143,7 @@ We added these five actions to the task sequence: - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. > [!NOTE] - > It is common for organizations wrapping these tools in scripts to get additional logging and error handling. + > It is common for organizations to wrap these tools in scripts to get additional logging and error handling. - **Restart computer.** Self-explanatory, reboots the computer. - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. - **Enable BitLocker.** Runs the built-in action to activate BitLocker. From 240578799f5e72ade5587d58df31d8a2dd177a50 Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Tue, 9 Jul 2019 11:38:41 -0400 Subject: [PATCH 097/311] Acronym Expansion For Clearer Translation https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4270 --- .../update/waas-delivery-optimization-reference.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 415928e9ba..652a143a93 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -106,7 +106,7 @@ Download mode dictates which download sources clients are allowed to use when do | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | +| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | @@ -116,7 +116,7 @@ Download mode dictates which download sources clients are allowed to use when do ### Group ID -By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. +By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. [//]: # (SCCM Boundary Group option; GroupID Source policy) @@ -128,7 +128,7 @@ By default, peer sharing on clients using the group download mode is limited to ### Select the source of Group IDs Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are: - 0 = not set -- 1 = AD Site +- 1 = Authenticated Domain Site - 2 = Authenticated domain SID - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) - 4 = DNS Suffix From 37683cf7aea19fd50433d8f48cf376e211645e7b Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Tue, 9 Jul 2019 12:06:53 -0400 Subject: [PATCH 098/311] Adding Note Of Recent Changes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4085 --- .../hello-for-business/hello-key-trust-validate-deploy-mfa.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 732aada2b0..1eecb7cf9f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -18,6 +18,9 @@ ms.reviewer: --- # Validate and Deploy Multifactor Authentication Services (MFA) +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. + **Applies to** - Windows 10, version 1703 or later - On-premises deployment From 32885dbfedf8d03fc6f794ff325ba67aeb91193e Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 9 Jul 2019 14:01:30 -0700 Subject: [PATCH 099/311] safety commit --- .../deployment/update/waas-mobile-updates.md | 36 ++++++------------- windows/deployment/update/waas-quick-start.md | 5 ++- 2 files changed, 12 insertions(+), 29 deletions(-) diff --git a/windows/deployment/update/waas-mobile-updates.md b/windows/deployment/update/waas-mobile-updates.md index 64cc697106..096224042e 100644 --- a/windows/deployment/update/waas-mobile-updates.md +++ b/windows/deployment/update/waas-mobile-updates.md @@ -4,10 +4,9 @@ description: tbd ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greglin -ms.date: 07/27/2017 +ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article @@ -26,36 +25,22 @@ ms.topic: article >[!TIP] >If you're not familiar with the Windows 10 servicing or release channels, read [Servicing channels](waas-overview.md#servicing-channels) first. -Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program) or assign the device to Current Branch for Business (CBB). Only devices running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile can be assigned to CBB. +Devices running Windows 10 Mobile and Windows 10 IoT Mobile receive updates from the Semi-annual Channel unless you [enroll the device in the Windows Insider Program](waas-servicing-channels-windows-10-updates.md#enroll-devices-in-the-windows-insider-program). [Learn how to upgrade Windows 10 Mobile to Windows 10 Mobile Enterprise](https://technet.microsoft.com/itpro/windows/deploy/windows-10-edition-upgrades) -
->[!IMPORTANT] ->Due to [naming changes](waas-overview.md#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. -> ->In the following settings CB refers to Semi-Annual Channel (Targeted), while CBB refers to Semi-Annual Channel. -| Windows 10 edition | CB | CBB | Insider Program | -| --- | --- | --- | --- | --- | -| Mobile | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | -| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | -| IoT Mobile | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | +| Windows 10 edition | Semi-annual Channel | Insider Program | +| --- | --- | --- | --- | +| Mobile | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | +| Mobile Enterprise | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | +| IoT Mobile | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | -
-Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to Quality Updates only. That is, Windows Mobile Feature Updates are categorized the same as Quality Updates, and can only be deferred by setting the Quality Update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile. -## Windows 10, version 1511 +Configuration of Windows 10 Mobile and Windows 10 IoT Mobile devices is limited to the feature set pertaining to quality updates only. That is, Windows Mobile feature updates are categorized the same as quality updates, and can only be deferred by setting the quality update deferral period, for a maximum period of 30 days. You can use mobile device management (MDM) to manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile. Updates cannot be managed for Windows 10 Mobile. -Only the following Windows Update for Business policies are supported for Windows 10 Mobile and Windows 10 IoT Mobile: - -- ../Vendor/MSFT/Policy/Config/Update/RequireDeferredUpgrade -- ../Vendor/MSFT/Policy/Config/Update/DeferUpdatePeriod -- ../Vendor/MSFT/Policy/Config/Update/PauseDeferrals - -To defer the update period or pause deferrals, the device must be configured for CBB servicing branch by applying the **RequireDeferredUpgrade** policy. ## Windows 10, version 1607 @@ -65,9 +50,8 @@ Only the following Windows Update for Business policies are supported for Window - ../Vendor/MSFT/Policy/Config/Update/DeferQualityUpdatesInDays - ../Vendor/MSFT/Policy/Config/Update/PauseQualityUpdates -In version 1607, you can defer and pause updates for devices on both the CB and CBB servicing branches. -If a device running Windows 10 Mobile Enterprise or Windows 10 IoT Mobile, version 1511, has Windows Update for Business policies applied and is then updated to version 1607, version 1511 policies continue to apply until version 1607 policies are applied. + diff --git a/windows/deployment/update/waas-quick-start.md b/windows/deployment/update/waas-quick-start.md index 2c926db3d9..3b707751c0 100644 --- a/windows/deployment/update/waas-quick-start.md +++ b/windows/deployment/update/waas-quick-start.md @@ -5,10 +5,9 @@ keywords: updates, servicing, current, deployment, semi-annual channel, feature, ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library -author: greg-lindsay +author: jaimeo ms.localizationpriority: medium -ms.author: greg-lindsay -ms.date: 10/17/2018 +ms.author: jaimeo ms.reviewer: manager: laurawi ms.topic: article From 30ff51b96e72101031d981c1522c93f787ad1865 Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Wed, 10 Jul 2019 14:04:40 +1200 Subject: [PATCH 100/311] Update hello-hybrid-aadj-sso-cert.md Couple of small corrections - Certificate Authorities now called Certificate Connectors in Intune portal; typo in NDES Connector test command. --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 4baae2e5a4..1c768a8f42 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -535,7 +535,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/). 2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. ![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png) -3. Select **Device Configuration**, and then select **Certificate Authority**. +3. Select **Device Configuration**, and then select **Certificate Connectors**. ![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png) 4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section. ![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png) @@ -610,7 +610,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. 2. Type the following command to confirm the NDES Connector's last connection time is current.
-```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
+```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
3. Close the command prompt. 4. Open **Internet Explorer**. 5. In the navigation bar, type
From bc78f83a1ff9f560bb7470061c6b414706c59a81 Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Wed, 10 Jul 2019 14:26:06 +1200 Subject: [PATCH 101/311] Update hello-hybrid-aadj-sso-cert.md Minor changes: corrected 1 x typo and 1 x bad formatting. --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 4baae2e5a4..50b9d742a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -636,7 +636,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 9. Click **Create**. -### Create a SCEP Certificte Profile +### Create a SCEP Certificate Profile Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/). @@ -659,7 +659,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**. +15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. From 2a7393b19ae320ba608d4d7c27e01ffa57242541 Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Wed, 10 Jul 2019 15:32:27 +0200 Subject: [PATCH 102/311] Update remove-provisioned-apps-during-update.md Added apps. --- .../remove-provisioned-apps-during-update.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 371e401c1a..a828991d9d 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -162,9 +162,13 @@ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneMusic_8wekyb3d8bbwe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe] -``` +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.3DBuilder_8wekyb3d8bbwe] +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe] + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe] +``` [Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) [Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) From 33e13b0fde00ca8c57ebafe9a2d21a7645a80752 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 12 Jul 2019 11:53:02 +0500 Subject: [PATCH 103/311] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 960a7fb0ca..3e059d2d47 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -111,15 +111,16 @@ They could also choose to create a catalog that captures information about the u Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. -- New-CIPolicy parameters +- New-CIPolicy parameter - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) ```powershell - New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u + New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath -UserPEs ``` Optionally, add -UserWriteablePaths to ignore user writeability - + +- New-CIPolicyRule parameter - FilePathRule: create a rule where filepath string is directly set to value of \ ```powershell @@ -134,7 +135,7 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD $rules = New-CIPolicyRule … $rules += New-CIPolicyRule … … - New-CIPolicyRule -f .\mypolicy.xml -u + New-CIPolicyRule -FilePath .\mypolicy.xml -UserPEs ``` - Wildcards supported @@ -149,6 +150,6 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD - Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: ```powershell - Set-RuleOption -o 18 .\policy.xml + Set-RuleOption -Option 18 .\policy.xml ``` From bb8cbe683de5601a10b98b411c6257eb6e3cefe7 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 12 Jul 2019 12:00:14 +0500 Subject: [PATCH 104/311] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 3e059d2d47..a040c9fc58 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -135,7 +135,7 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD $rules = New-CIPolicyRule … $rules += New-CIPolicyRule … … - New-CIPolicyRule -FilePath .\mypolicy.xml -UserPEs + New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs ``` - Wildcards supported From 680646be9ae7e8d6167977154c12d978dd401de9 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 12 Jul 2019 16:46:03 -0400 Subject: [PATCH 105/311] fix: MD037/no-space-in-emphasis Spaces inside emphasis markers --- mdop/appv-v4/app-v-45-sp2-release-notes.md | 4 ++-- ...nly-cache-on-the-app-v-client--rds--sp1.md | 2 +- ...ad-only-cache-on-the-app-v-client--vdi-.md | 2 +- ...ion-46-service-pack-2-privacy-statement.md | 24 +++++++++---------- mdop/appv-v4/planning-for-client-security.md | 4 ++-- .../security-and-protection-overview.md | 2 +- .../how-to-configure-image-pre-staging.md | 12 +++++----- .../get-started-with-ue-v-2x-new-uevv2.md | 2 +- .../mdm/policy-csp-applicationmanagement.md | 2 +- .../mdm/policy-csp-internetexplorer.md | 4 ++-- .../mdm/policy-csp-remotemanagement.md | 2 +- .../mdm/policy-csp-system.md | 4 ++-- .../troubleshoot-inaccessible-boot-device.md | 2 +- .../access-control/security-identifiers.md | 4 ++-- .../hello-for-business/hello-features.md | 2 +- .../threat-protection/auditing/event-4612.md | 4 ++-- .../threat-protection/auditing/event-4615.md | 2 +- .../threat-protection/auditing/event-4624.md | 2 +- .../threat-protection/auditing/event-4670.md | 2 +- .../threat-protection/auditing/event-4688.md | 2 +- .../threat-protection/auditing/event-4704.md | 2 +- .../threat-protection/auditing/event-4705.md | 2 +- .../threat-protection/auditing/event-4715.md | 2 +- .../threat-protection/auditing/event-4717.md | 2 +- .../threat-protection/auditing/event-4718.md | 2 +- .../threat-protection/auditing/event-4738.md | 2 +- .../threat-protection/auditing/event-4742.md | 2 +- .../threat-protection/auditing/event-4817.md | 4 ++-- .../threat-protection/auditing/event-4864.md | 2 +- .../threat-protection/auditing/event-4907.md | 2 +- .../threat-protection/auditing/event-4911.md | 2 +- .../threat-protection/auditing/event-4913.md | 2 +- .../threat-protection/auditing/event-5143.md | 2 +- .../threat-protection/auditing/event-5145.md | 2 +- .../threat-protection/auditing/event-5150.md | 2 +- .../threat-protection/auditing/event-5151.md | 2 +- .../threat-protection/auditing/event-6400.md | 2 +- .../threat-protection/auditing/event-6401.md | 2 +- .../threat-protection/auditing/event-6402.md | 2 +- .../threat-protection/auditing/event-6403.md | 2 +- .../threat-protection/auditing/event-6404.md | 2 +- .../threat-protection/auditing/event-6409.md | 2 +- .../get-user-related-alerts.md | 2 +- .../get-user-related-machines.md | 2 +- ...dit-the-access-of-global-system-objects.md | 2 +- ...-connections-windows-defender-antivirus.md | 6 ++--- .../using-event-viewer-with-applocker.md | 8 +++---- .../working-with-applocker-policies.md | 2 +- 48 files changed, 76 insertions(+), 76 deletions(-) diff --git a/mdop/appv-v4/app-v-45-sp2-release-notes.md b/mdop/appv-v4/app-v-45-sp2-release-notes.md index dc5d8fafe0..881c7d1187 100644 --- a/mdop/appv-v4/app-v-45-sp2-release-notes.md +++ b/mdop/appv-v4/app-v-45-sp2-release-notes.md @@ -73,11 +73,11 @@ When this has been completed, install the App-V 4.5 SP2 Clients by using Setup.m When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP2 Desktop Client: -**    msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** +**msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client for Remote Desktop Services (formerly Terminal Services), use the following command: -**    msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** +**msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** **Note**   - The APPGUID parameter references the product code of the App-V Clients that you install or upgrade. The product code is unique for each Setup.msi. You can use the Orca Database Editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP2. diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md index 801b2d13bc..130a3ba1eb 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md @@ -156,7 +156,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil 3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled. - **     fsutil behavior set SymlinkEvaluation R2R:1** + **fsutil behavior set SymlinkEvaluation R2R:1** **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md index 2ee211e811..ab53e737d0 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md @@ -167,7 +167,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi 3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled. - **     fsutil behavior set SymlinkEvaluation R2R:1** + **fsutil behavior set SymlinkEvaluation R2R:1** **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md index f7ffd9de24..11b0ee223a 100644 --- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md +++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md @@ -76,7 +76,7 @@ This section is divided into two parts: (1) features in all versions of App-V an Microsoft Error Reporting provides a service that allows you to report problems you may be having with App-V to Microsoft and to receive information that may help you avoid or solve such problems. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at . @@ -84,7 +84,7 @@ For information about the information collected, processed, or transmitted by Mi We use the error reporting data to solve customer problems and improve our software and services. -**Choice/Control: ** +**Choice/Control:** App-V does not change your Microsoft Error Reporting settings. If you previously turned on error reporting, it will send Microsoft the information about the errors you encountered. When Microsoft needs additional data to analyze the problem, you will be prompted to review the data and choose whether or not to send it.  App-V will always respect your Microsoft Error Reporting settings. @@ -98,7 +98,7 @@ Enterprise customers can use Group Policy to configure how Microsoft Error Repor Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including App-V.  For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at . -**Choice/Control: ** +**Choice/Control:** If Microsoft Update is not enabled, you can opt-in during setup and subsequent checks for updates will follow the machine-wide schedule. You can update this option from the Microsoft Update Control Panel item. @@ -108,7 +108,7 @@ If Microsoft Update is not enabled, you can opt-in during setup and subsequent c The product will collect various configuration items, including UserID, MachineID and SecurityGroup details, to be able to enforce settings on managed nodes. The data is stored in the App-V SQL database and transmitted across the App-V server and client components to enforce the configuration on the managed node. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** User and machine information and configuration content @@ -116,7 +116,7 @@ User and machine information and configuration content The information is used to enforce the application access configuration on the managed nodes within the enterprise. The information does not leave the enterprise. -**Choice/Control: ** +**Choice/Control:** By default, the product does not have any data. All data is entered and enabled by the admin and can be viewed in the Management console. The feature cannot be disabled as this is the product functionality. To disable this, App-V will need to be uninstalled. @@ -130,7 +130,7 @@ None of this information is sent out of the enterprise. It captures package history and asset information as part of the package. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Information about the package and the sequencing environment is collected and stored in the package manifest during sequencing. @@ -138,7 +138,7 @@ Information about the package and the sequencing environment is collected and st The information will be used by the admin to track the updates done to a package during its lifecycle. It will also be used by software deployment systems to track the package deployments within the organization. -**Choice/Control: ** +**Choice/Control:** This feature is always enabled and cannot be turned off. @@ -152,7 +152,7 @@ This administrator information will be stored in the package and can be viewed b The product will collect a variety of reporting data points, including the username, to allow reporting on the usage of the product. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Information about the machine, package and application usage are collected from every machine that reporting is enabled on. @@ -160,7 +160,7 @@ Information about the machine, package and application usage are collected from The information is used to report on application usage within the enterprise. The information does not leave the enterprise. -**Choice/Control: ** +**Choice/Control:** By default, the product does not have any data. Data is only collected once the reporting feature is enabled on the App-V Client. To disable the collection of reporting data, the reporting feature must be disabled on all clients. @@ -178,7 +178,7 @@ This section addresses specific features available in App-V 4.6 SP1 and later. The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at . @@ -186,7 +186,7 @@ For more information about the information collected, processed, or transmitted We use this information to improve the quality, reliability, and performance of Microsoft software and services. -**Choice/Control: ** +**Choice/Control:** CEIP is optional and the opt-in status can be updated during install or post install from the GUI.   @@ -196,7 +196,7 @@ CEIP is optional and the opt-in status can be updated during install or post ins Customers can use Application Package Accelerators to automatically package complex applications without installing the application. The App-V sequencer allows you to create package accelerators for each virtual package. You can then use these package accelerators to automatically re-create the same virtual package in the future. You may also use package accelerators released by Microsoft or other third parties to simplify and automate packaging of complex applications. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Application Package Accelerators may contain information such as computer names, user account information, and information about applications included in the Package Accelerator file. diff --git a/mdop/appv-v4/planning-for-client-security.md b/mdop/appv-v4/planning-for-client-security.md index 6050d3895b..4d95a5a3b3 100644 --- a/mdop/appv-v4/planning-for-client-security.md +++ b/mdop/appv-v4/planning-for-client-security.md @@ -34,7 +34,7 @@ By default, at installation the App-V client is configured with the minimum perm By default, the installation of the client registers file type associations (FTAs) for OSD files, which enables users to start applications directly from OSD files instead of the published shortcuts. If a user with local administrator rights receives an OSD file containing malicious code, either in e-mail or downloaded from a Web site, the user can open the OSD file and start the application even if the client has been set to restrict the **Add Application** permission. You can unregister the FTAs for the OSD to reduce this risk. Also, consider blocking this extension in the e-mail system and at the firewall. For more information about configuring Outlook to block extensions, see . -**Security Note:  ** +**Security Note:** Starting with App-V version 4.6, the file type association is no longer created for OSD files during a new installation of the client, although the existing settings will be maintained during an upgrade from version 4.2 or 4.5 of the App-V client. If for any reason it is essential to create the file type association, you can create the following registry keys and set their values as shown: @@ -50,7 +50,7 @@ During installation, you can use the **RequireAuthorizationIfCached** parameter Antivirus software running on an App-V Client computer can detect and report an infected file in the virtual environment. However, it cannot disinfect the file. If a virus is detected in the virtual environment, the antivirus software would perform the configured quarantine or repair operation in the cache, not in the actual package. Configure the antivirus software with an exception for the sftfs.fsd file. This file is the cache file that stores packages on the App-V Client. -**Security Note:  ** +**Security Note:** If a virus is detected in an application or package deployed in the production environment, replace the application or package with a virus-free version. diff --git a/mdop/appv-v4/security-and-protection-overview.md b/mdop/appv-v4/security-and-protection-overview.md index fc4bd7ab49..ccac6f1558 100644 --- a/mdop/appv-v4/security-and-protection-overview.md +++ b/mdop/appv-v4/security-and-protection-overview.md @@ -21,7 +21,7 @@ Microsoft Application Virtualization 4.5 provides the following enhanced securi - Application Virtualization now supports Transport Layer Security (TLS) using X.509 V3 certificates. Provided that a server certificate has been provisioned to the planned Application Virtualization Management or Streaming Server, the installation will default to secure, using the RTSPS protocol over port 322. Using RTSPS ensures that communication between the Application Virtualization Servers and the Application Virtualization Clients is signed and encrypted. If no certificate is assigned to the server during the Application Virtualization Server installation, the communication will be set to RTSP over port 554. - **Security Note:  ** + **Security Note:** To help provide a secure setup of the server, you must make sure that RTSP ports are disabled even if you have all packages configured to use RTSPS. diff --git a/mdop/medv-v1/how-to-configure-image-pre-staging.md b/mdop/medv-v1/how-to-configure-image-pre-staging.md index 5d736b92b9..36f12450ad 100644 --- a/mdop/medv-v1/how-to-configure-image-pre-staging.md +++ b/mdop/medv-v1/how-to-configure-image-pre-staging.md @@ -72,17 +72,17 @@ Image pre-staging is useful only for the initial image download. It is not suppo **NT AUTHORITY\\Authenticated Users:(OI)(CI)(special access:)** - **                                READ\_CONTROL** + **READ\_CONTROL** - **                                                                                SYNCHRONIZE** + **SYNCHRONIZE** - **                                                                                FILE\_GENERIC\_READ** + **FILE\_GENERIC\_READ** - **                                                                                                FILE\_READ\_DATA** + **FILE\_READ\_DATA** - **                                                                                FILE\_READ\_EA** + **FILE\_READ\_EA** - **                                                                                FILE\_READ\_ATTRIBUTES** + **FILE\_READ\_ATTRIBUTES** **NT AUTHORITY\\SYSTEM:(OI)(CI)F** diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md index a18ae22ef9..d918fb1b54 100644 --- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md @@ -193,7 +193,7 @@ You’ll need to deploy a settings storage location, a standard network share wh -**Security Note:  ** +**Security Note:** If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 29d419c3dd..3adcbafde8 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -537,7 +537,7 @@ Added in Windows 10, version 1607. Boolean value that disables the launch of al ADMX Info: -- GP English name: *Disable all apps from Microsoft Store * +- GP English name: *Disable all apps from Microsoft Store* - GP name: *DisableStoreApps* - GP path: *Windows Components/Store* - GP ADMX file name: *WindowsStore.admx* diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 69b9a21645..0cb9a3b3d4 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -13428,7 +13428,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T ADMX Info: -- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * +- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer* - GP name: *VerMgmtDisableRunThisTime* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -16504,7 +16504,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. ADMX Info: -- GP English name: *Security Zones: Use only machine settings * +- GP English name: *Security Zones: Use only machine settings* - GP name: *Security_HKLM_only* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index ba8a7d6310..f176045650 100644 --- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -365,7 +365,7 @@ If you disable or do not configure this policy setting, the WinRM service will n The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. -You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. +You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 99b3c5e4f3..11e0ca009c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1068,7 +1068,7 @@ If you disable or don't configure this policy setting, the Delete diagnostic dat ADMX Info: -- GP English name: *Disable deleting diagnostic data * +- GP English name: *Disable deleting diagnostic data* - GP name: *DisableDeviceDelete* - GP element: *DisableDeviceDelete* - GP path: *Data Collection and Preview Builds* @@ -1131,7 +1131,7 @@ If you disable or don't configure this policy setting, the Diagnostic Data Viewe ADMX Info: -- GP English name: *Disable diagnostic data viewer. * +- GP English name: *Disable diagnostic data viewer.* - GP name: *DisableDiagnosticDataViewer* - GP element: *DisableDiagnosticDataViewer* - GP path: *Data Collection and Preview Builds* diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index c82c69f352..de195c15da 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates: Dism /Image:: /Get-packages ``` -After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages: +After you run this command, you will see the **Install pending** and **Uninstall Pending** packages: ![Dism output](images/pendingupdate.png) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index d8db3e63d2..c1d0c47fdc 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -194,9 +194,9 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.| | S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| | S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| -| S-1-5-5- *X *- *Y * | Logon Session| The *X * and *Y * values for these SIDs uniquely identify a particular logon session.| +| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| | S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.| -| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| +| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| | S-1-5-8| Proxy| Does not currently apply: this SID is not used.| | S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.| | S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index cc796078e6..edcd394519 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -147,7 +147,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 ### On-premises Deployments -** Requirements** +**Requirements** * Active Directory * On-premises Windows Hello for Business deployment * Reset from settings - Windows 10, version 1703, Professional diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 163c584492..2ca7cca35a 100644 --- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -30,9 +30,9 @@ There is no example of this event in this document. ***Event Schema:*** -*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. * +*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.* -*Number of audit messages discarded: %1 * +*Number of audit messages discarded: %1* *This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.* diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index be8925c8ba..9231f28b82 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md @@ -48,7 +48,7 @@ It appears that this event never occurs. *LPC Server Port Name:%6* -*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." * +*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index f3c3ed088b..2ca7e8267c 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” -**Logon Information** \[Version 2\]**: ** +**Logon Information** \[Version 2\]**:** - **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 95a2dfe34f..45dcd000c9 100644 --- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 8e1fe42fab..94d84a85cf 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -151,7 +151,7 @@ This event generates every time a new process starts. - **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process. -- **Token Elevation Type** \[Type = UnicodeString\]**: ** +- **Token Elevation Type** \[Type = UnicodeString\]**:** - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index f9b06a7a3b..f78b83ef3c 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md @@ -99,7 +99,7 @@ You will see unique event for every user. - **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**New Right: ** +**New Right:** - **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index d009b73786..09c240e026 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -99,7 +99,7 @@ You will see unique event for every user. - **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Removed Right: ** +**Removed Right:** - **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 38d46d5ace..c51f51c999 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md @@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index f04223bd5b..13f2c744aa 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu - **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Access Granted: ** +**Access Granted:** - **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index a86f9f5168..9bb398d835 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md @@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m - **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Access Removed: ** +**Access Removed:** - **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 8597d956a6..faa3dcf853 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -266,7 +266,7 @@ For 4738(S): A user account was changed. |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Display Name**
**User Principal Name**
**Home Directory**
**Home Drive**
**Script Path**
**Profile Path**
**User Workstations**
**Password Last Set**
**Account Expires**
**Primary Group ID
Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. | | **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | -| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | | **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | - Consider whether to track the following user account control flags: diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 22ae105d96..b39135ee00 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -276,7 +276,7 @@ For 4742(S): A computer account was changed. | **Display Name** is not -
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**Account Expires** is not -
**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. | | **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. | | **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
Other values should be monitored. | -| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | | **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | - Consider whether to track the following account control flags: diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 74ffbb09b0..efdf01da8a 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic | Job | Port | FilterConnectionPort | | | ALPC Port | Semaphore | Adapter | | -- **Object Name: ** +- **Object Name:** - Key – if “Registry” Global Object Access Auditing policy was changed. @@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index e62c824d10..62ced88fe8 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -44,7 +44,7 @@ There is no example of this event in this document. *Security ID:%7* -*New Flags:%8 * +*New Flags:%8* ***Required Server Roles:*** Active Directory domain controller. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index f74c140ce4..34454c6d14 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects. - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index cc73362f36..d385a72649 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index f8dcd9f29b..3be7e9bec3 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -156,7 +156,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 81e6052b16..c7f46521ae 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -141,7 +141,7 @@ This event generates every time network share object was modified. - **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 696faaadce..f5ec73669e 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md @@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. - ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 4d84e4bb68..c1f8d98680 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -52,7 +52,7 @@ There is no example of this event in this document. > > *Layer Name:%9* > -> *Layer Run-Time ID:%10 * +> *Layer Run-Time ID:%10* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 25faaeb212..699a093def 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -52,7 +52,7 @@ There is no example of this event in this document. > > *Layer Name:%9* > -> *Layer Run-Time ID:%10 * +> *Layer Run-Time ID:%10* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index d018fdee5e..7a379132bc 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md @@ -30,7 +30,7 @@ There is no example of this event in this document. *BranchCache: Received an incorrectly formatted response while discovering availability of content.* -*IP address of the client that sent this response:%1 * +*IP address of the client that sent this response:%1* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 9f647bcec8..1ce4c083dd 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: Received invalid data from a peer. Data discarded. * +*BranchCache: Received invalid data from a peer. Data discarded.* *IP address of the client that sent this data:%1* diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 5002d2167c..dde20455d3 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. * +*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.* *IP address of the client that sent this message: %1* diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index 29629cb6a7..e8020581ad 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. * +*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.* *Domain name of the hosted cache is:%1* diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index 0505b241b2..43228f26be 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. * +*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.* *Domain name of the hosted cache:%1* diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index 8f28ea3891..e1f76dbf69 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: A service connection point object could not be parsed. * +*BranchCache: A service connection point object could not be parsed.* *SCP object GUID: %1* diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 2b5551a0bb..92bc4c7650 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' GET /api/users/{id}/alerts ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) ** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)** ## Request headers diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 341c605bbb..ca042a7e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine GET /api/users/{id}/machines ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) ** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)** ## Request headers diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 4fcca719b6..ef5a46869a 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -102,7 +102,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | 565 | Access was granted to an already existing object type. | | 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | | 569 | The resource manager in Authorization Manager attempted to create a client context. | -| 570 | A client attempted to access an object.
**Note: ** An event will be generated for every attempted operation on the object. | +| 570 | A client attempted to access an object.
**Note:** An event will be generated for every attempted operation on the object. | ## Security considerations diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index c06a9f2d2f..c1445cd23f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -54,10 +54,10 @@ As a cloud service, it is required that computers have access to the internet an | *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com| | *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com| | *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com| -| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | +| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | | *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | -| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | -| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com| +| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | +| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: *vortex-win.data.microsoft.com* settings-win.data.microsoft.com| ## Validate connections between your network and the cloud diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 6fa4d92a72..a3834e3625 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -50,11 +50,11 @@ The following table contains information about the events that you can use to de | 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| | 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| | 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index 8e77d3e330..d3c403d633 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -30,7 +30,7 @@ This topic for IT professionals provides links to procedural topics about creati | Topic | Description | | - | - | | [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.| -| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.| +| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.| | [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.| | [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.| | [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.| From bd852f1b071700ed0186b4e668e2f7cea9298ec7 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 15 Jul 2019 15:55:14 +0500 Subject: [PATCH 106/311] Updated script line There was typo in the script variable and has been fixed. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4084 --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 3fe994764f..641e5878eb 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -208,7 +208,7 @@ You can also disable Windows Defender Credential Guard by using the [Windows Def DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. #### Disable Windows Defender Credential Guard for a virtual machine From 7205ec071f061b5db00d2245357abbcdd43a5104 Mon Sep 17 00:00:00 2001 From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 15 Jul 2019 13:29:40 -0700 Subject: [PATCH 107/311] Update security-compliance-toolkit-10.md Updated link for Security blog since we moved it --- .../threat-protection/security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index c2c3f86318..7036973802 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -49,7 +49,7 @@ The Security Compliance Toolkit consists of: - Local Group Policy Object (LGPO) tool -You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/). +You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines). ## What is the Policy Analyzer tool? From 203aefd3a2ab6064194d1da41978f44bb2b4cf2c Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Mon, 15 Jul 2019 16:31:24 -0500 Subject: [PATCH 108/311] Update windows/deployment/update/waas-delivery-optimization-reference.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 652a143a93..164db3333a 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md @@ -106,7 +106,7 @@ Download mode dictates which download sources clients are allowed to use when do | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | +| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other methods to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | From 6cab2580cfde0853323f131314004de39dc3ab1c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 16 Jul 2019 23:42:05 +0500 Subject: [PATCH 109/311] * was mistakenly there in the command Made a correction as * was mistakenly shown in the command. --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 641e5878eb..49f533818e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -115,7 +115,7 @@ You can also enable Windows Defender Credential Guard by using the [Windows Defe DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. ### Review Windows Defender Credential Guard performance From f28e55c14725310c7f5ad92a83b3ced73f00e6c8 Mon Sep 17 00:00:00 2001 From: Brent Kendall Date: Tue, 16 Jul 2019 14:17:09 -0700 Subject: [PATCH 110/311] Made PKID instructions more accurate Previously, the requirements made it sound like the PKID should be entered into the SMBIOS, but it doesn't go there. So, I changed it to say the PKID (created by the OA3 Tool) should be submitted with the CBR report (not injected into the BIOS). --- .../windows-autopilot/autopilot-device-guidelines.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md index 2997787bd1..a081a6f68e 100644 --- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md +++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md @@ -28,8 +28,8 @@ All devices used with Windows Autopilot should meet the [minimum hardware requir The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process: - Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode. -- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h). -- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner. +- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h). +- The OEM uploads 4K Hardware Hashes that include the Product Key IDs (PKIDs) obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner. - As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days - The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel. From 9494a283428b4a784e68901afcda7f6a4faba351 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 16 Jul 2019 23:45:57 +0200 Subject: [PATCH 111/311] Update windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 2d6089ad5e..233354f110 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -138,7 +138,7 @@ cscript.exe SetConfig.vbs SecurityChip Active When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). -We added these five actions to the task sequence: +We have added these five actions to the task sequence: - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. From ec4aacc9ca9313d97404aa4e4331f6af552ae8f9 Mon Sep 17 00:00:00 2001 From: martyav Date: Wed, 17 Jul 2019 15:30:47 -0400 Subject: [PATCH 112/311] resolves #4409 --- .../wd-app-guard-overview.md | 66 +------------------ 1 file changed, 1 insertion(+), 65 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 4aadf6d205..bbec01b199 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -39,71 +39,7 @@ Application Guard has been created to target several types of systems: ## Frequently Asked Questions -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can I enable Application Guard on machines equipped with 4GB RAM? | -| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB. | - -
- - -| | | -|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can employees download documents from the Application Guard Edge session onto host devices? | -| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. | - -
- - -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can employees copy and paste between the host device and the Application Guard Edge session? | -| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. | - -
- - -| | | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Why don't employees see their Favorites in the Application Guard Edge session? | -| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. | - -
- - -| | | -|--------|---------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Why aren’t employees able to see their Extensions in the Application Guard Edge session? | -| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. | - -
- - -| | | -|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? | -| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. | - -
- - -| | | -|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? | -| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. | - -
- - -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | What is the WDAGUtilityAccount local account? | -| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. | - -
+Please see [Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md) for common user-submitted questions. ## Related topics From 75ecca9636b52818499780cd723d6b397fc3ccbb Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 17 Jul 2019 17:31:56 -0500 Subject: [PATCH 113/311] Update and rename configure-mssp-support-windows-defender-advanced-threat-protection.md to configure-mssp-support.md --- ...rotection.md => configure-mssp-support.md} | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) rename windows/security/threat-protection/windows-defender-atp/{configure-mssp-support-windows-defender-advanced-threat-protection.md => configure-mssp-support.md} (92%) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md similarity index 92% rename from windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md index 738c8f0548..7cf8f93bca 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md @@ -153,34 +153,28 @@ You'll need to create an application and grant it permissions to fetch alerts fr 2. Select **Azure Active Directory** > **App registrations**. -3. Click **New application registration**. +3. Click **New registration**. 4. Specify the following values: - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name) - - Application type: Web app / API - - Sign-on URL: `https://SiemMsspConnector` + - Supported account types: Account in this organizational directory only + - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name) -5. Click **Create**. The application is displayed in the list of applications you own. +5. Click **Register**. The application is displayed in the list of applications you own. -6. Select the application, then click **Settings** > **Properties**. +6. Select the application, then click **Overview**. -7. Copy the value from the **Application ID** field. +7. Copy the value from the **Application (client) ID** field to a safe place, you will need this on the next step. -8. Change the value in the **App ID URI** to: `https:///SiemMsspConnector` (replace \ with the tenant name. +8. Select **Certificate & secrets** in the new application panel. -9. Ensure that the **Multi-tenanted** field is set to **Yes**. - -10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`. - -11. Click **Save**. - -12. Select **Keys** and specify the following values: +9. Click **New client secret**. - Description: Enter a description for the key. - Expires: Select **In 1 year** -13. Click **Save**. Save the value is a safe place, you'll need this +10. Click **Add**, copy the value of the client secret to a safe place, you will need this on the next step. ### Step 2: Get access and refresh tokens from your customer's tenant This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow. @@ -249,9 +243,9 @@ After providing your credentials, you'll need to grant consent to the applicatio 6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId ` - - Replace \ with the Application ID you got from the previous step. - - Replace \ with the application key you created from the previous step. - - Replace \ with your customer's tenant ID. + - Replace \ with the **Application (client) ID** you got from the previous step. + - Replace \ with the **Client Secret** you created from the previous step. + - Replace \ with your customer's **Tenant ID**. 7. You'll be asked to provide your credentials and consent. Ignore the page redirect. From 4c9748fd846996a71e8830098673453bfcc5c28f Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 17 Jul 2019 20:32:01 -0500 Subject: [PATCH 114/311] Update apply-a-basic-audit-policy-on-a-file-or-folder.md --- ...ly-a-basic-audit-policy-on-a-file-or-folder.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 6622f7fc55..13f762f32c 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -36,6 +36,21 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** +6. In the **Applies to** box, indicate to which object or objects the audit of events will apply, can be to: + - **This folder only.** + - **This folder, subfolders and files.** + - **This folder and subfolders.** + - **This folder and files.** + - **Subfolders and files only.** + - **Subfolders only** + - **Files only.** +7. By default the selected **Basic Permissions** to Audit are the following: + - **Read & Execute.** + - **List folder contents.** + - **Read.** + - You can additionally select the audit of **Full control**, **Modify** and/or **Write** permissions. With your desired combination. + + > **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   From d16c927ac178164847a5a755406ed9f4dc170ccc Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:05:30 +0530 Subject: [PATCH 115/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 008876e723..181c402c03 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -56,7 +56,7 @@ This can only be done in Group Policy. > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -0. Download the latest Administrative templates for windows 10 v1809 from below Microsoft official site +1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). **https://www.microsoft.com/en-us/download/details.aspx?id=57576** From d85aa5f07ab0d47adfcfa68584f67b2db1e610e6 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:06:17 +0530 Subject: [PATCH 116/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 181c402c03..3713800e19 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -57,7 +57,6 @@ This can only be done in Group Policy. >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). - **https://www.microsoft.com/en-us/download/details.aspx?id=57576** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. From b3fe93ffa9006fd63e1377add4b1e109bae34cf2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:06:55 +0530 Subject: [PATCH 117/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 3713800e19..ab49b98816 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -58,7 +58,6 @@ This can only be done in Group Policy. 1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). - 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. From 98f883237f567ac2f183010d00e42cd6a838c108 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:07:35 +0530 Subject: [PATCH 118/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index ab49b98816..9ace2c3612 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -95,7 +95,7 @@ This can only be done in Group Policy. **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **"DisableNotifications"=dword:00000001** -8. Corresponding registry key for **Hide not-critical notifications** +8. Use the following registry key and DWORD value to **Hide not-critical notifications** **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **"DisableEnhancedNotifications"=dword:00000001** From ada58811038bd9e36805a5aecd83fa20551be230 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:08:21 +0530 Subject: [PATCH 119/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 9ace2c3612..4ddd16a1f3 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -90,7 +90,7 @@ This can only be done in Group Policy. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. -7. Corresponding registry key for **Hide all notifications** +7. Use the following registry key and DWORD value to **Hide all notifications**. **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **"DisableNotifications"=dword:00000001** From 4af3d5650c05e419ec2dd6a9ff5ff5a07e4db3a9 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Thu, 18 Jul 2019 01:24:10 -0400 Subject: [PATCH 120/311] fix: Replace syntax with langauge code 2 --- .../mdm/windowslicensing-csp.md | 12 +- .../mdm/windowssecurityauditing-csp.md | 2 +- .../customize-and-export-start-layout.md | 2 +- .../settings-that-can-be-locked-down.md | 2 +- ...v-application-template-schema-reference.md | 18 +-- ...anage-administrative-backup-and-restore.md | 4 +- ...plates-using-windows-powershell-and-wmi.md | 6 +- ...synchronizing-microsoft-office-with-uev.md | 2 +- .../assign-applications-using-roles-in-mdt.md | 4 +- ...d-environment-for-windows-10-deployment.md | 4 +- .../configure-mdt-deployment-share-rules.md | 10 +- .../configure-mdt-for-userexit-scripts.md | 4 +- .../create-a-windows-10-reference-image.md | 26 ++-- .../deploy-a-windows-10-image-using-mdt.md | 10 +- ...ntegrate-configuration-manager-with-mdt.md | 4 +- ...prepare-for-windows-deployment-with-mdt.md | 2 +- ...s-7-computer-with-a-windows-10-computer.md | 2 +- ...ows-10-deployment-in-a-test-environment.md | 2 +- .../use-web-services-in-mdt.md | 4 +- ...0-deployment-with-configuration-manager.md | 4 +- ...f-windows-10-with-configuration-manager.md | 2 +- windows/deployment/deploy-windows-to-go.md | 22 ++-- ...se-management-strategies-and-deployment.md | 2 +- .../usmt/offline-migration-reference.md | 4 +- .../usmt/understanding-migration-xml-files.md | 16 +-- .../deployment/usmt/usmt-best-practices.md | 2 +- .../deployment/usmt/usmt-configxml-file.md | 4 +- .../usmt/usmt-conflicts-and-precedence.md | 8 +- .../usmt/usmt-custom-xml-examples.md | 6 +- .../usmt/usmt-hard-link-migration-store.md | 2 +- .../usmt/usmt-include-files-and-settings.md | 18 +-- windows/deployment/usmt/usmt-log-files.md | 10 +- .../usmt/usmt-reroute-files-and-settings.md | 6 +- .../usmt/usmt-xml-elements-library.md | 122 +++++++++--------- .../deployment/usmt/xml-file-requirements.md | 6 +- .../use-vamt-in-windows-powershell.md | 2 +- .../windows-deployment-scenarios-and-tools.md | 4 +- .../additional-mitigations.md | 8 +- ...redential-guard-not-protected-scenarios.md | 10 +- .../credential-guard-scripts.md | 4 +- .../bitlocker/bitlocker-basic-deployment.md | 32 ++--- ...tlocker-how-to-deploy-on-windows-server.md | 12 +- .../bitlocker-how-to-enable-network-unlock.md | 2 +- .../bitlocker-recovery-guide-plan.md | 17 ++- ...ve-encryption-tools-to-manage-bitlocker.md | 30 ++--- ...nd-storage-area-networks-with-bitlocker.md | 18 +-- ...arding-to-assist-in-intrusion-detection.md | 5 +- ...r-policies-by-using-set-applockerpolicy.md | 2 +- ...to-end-ipsec-connections-by-using-ikev2.md | 6 +- ...-administration-with-windows-powershell.md | 76 +++++------ 50 files changed, 290 insertions(+), 292 deletions(-) diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index f5372d05f6..58a5040b72 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -196,7 +196,7 @@ Values: **CheckApplicability** -``` syntax +```xml @@ -223,7 +223,7 @@ Values: **Edition** -``` syntax +```xml @@ -241,7 +241,7 @@ Values: **LicenseKeyType** -``` syntax +```xml @@ -259,7 +259,7 @@ Values: **Status** -``` syntax +```xml @@ -277,7 +277,7 @@ Values: **UpgradeEditionWithProductKey** -``` syntax +```xml @@ -304,7 +304,7 @@ Values: **UpgradeEditionWithLicense** -``` syntax +```xml diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index ea9dd8e10a..ffd68aa965 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -39,7 +39,7 @@ Supported operations are Get and Replace. Enable logging of audit events. -``` syntax +```xml diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index aa221c4b9e..7ac4b1ff90 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -176,7 +176,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed 2. [Export the Start layout](#export-the-start-layout). 3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: - ``` syntax + ```xml ``` diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md index 5603c46bfa..4ea4c7f814 100644 --- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md +++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md @@ -462,7 +462,7 @@ Quick action buttons are locked down in exactly the same way as Settings pages/g You can specify the quick actions as follows: -``` syntax +```xml diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 299ba40be7..156e4af29b 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -241,7 +241,7 @@ Version identifies the version of the settings location template for administrat **Hint:** You can save notes about version changes using XML comment tags ``, for example: -``` syntax +```xml @@ -195,7 +195,7 @@ This table describes the behavior in the following example .xml file. -``` syntax +```xml File Migration Test @@ -231,7 +231,7 @@ This table describes the behavior in the following example .xml file. The behavior for this custom .xml file is described within the <`displayName`> tags in the code. -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 100e1e1f04..bbcdb94333 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -209,7 +209,7 @@ You must use the **/nocompress** option with the **/HardLink** option. The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 89b7d8fa3a..8d0ba60945 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -37,7 +37,7 @@ In this topic: The following .xml file migrates a single registry key. -``` syntax +```xml Component to migrate only registry value string @@ -63,7 +63,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents including subfolders @@ -82,7 +82,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -103,7 +103,7 @@ The following examples show how to migrate a folder from a specific drive, and f The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -``` syntax +```xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -123,7 +123,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated. -``` syntax +```xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive @@ -146,7 +146,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +```xml All .mp3 files to My Documents @@ -176,7 +176,7 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents @@ -195,13 +195,13 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated. - ``` syntax + ```xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ``` syntax + ```xml ``` diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index fad90a25bf..daba5ef2e2 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -294,7 +294,7 @@ To migrate these files you author the following migration XML: However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +```xml @@ -315,13 +315,13 @@ Analysis of this XML section reveals the migunit that was created when the migra An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: -``` syntax +```xml c:\data\* [*] ``` When the migration is preformed again with the modified tag, the diagnostic log reveals the following: -``` syntax +```xml @@ -396,7 +396,7 @@ You author the following migration XML: However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +```xml @@ -453,7 +453,7 @@ Upon reviewing the diagnostic log, you confirm that the files are still migratin Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log: -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index 4ea1caaac3..ea0c442a2a 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -31,7 +31,7 @@ In this topic: The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +```xml Engineering Drafts Documents to Personal Folder @@ -60,7 +60,7 @@ The following custom .xml file migrates the directories and files from C:\\Engin The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +```xml All .mp3 files to My Documents @@ -88,7 +88,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +```xml Sample.doc into My Documents diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 13fcf0effc..d64010f54e 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -138,7 +138,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -212,7 +212,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -275,7 +275,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -455,7 +455,7 @@ For example, In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example: -``` syntax +```xml A @@ -468,7 +468,7 @@ In the code sample below, the <condition> elements, A and B, are joined to However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section. -``` syntax +```xml A @@ -826,7 +826,7 @@ For example: ~~~ For example: -``` syntax +```xml MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") ``` ~~~ @@ -914,7 +914,7 @@ For example: ~~~ For example: -``` syntax +```xml MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") %CSIDL_FAVORITES%\* [*] @@ -1055,7 +1055,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml MigXmlHelper.IsNative64Bit() @@ -1152,13 +1152,13 @@ The following functions generate patterns out of the content of an object. These ~~~ For example: -``` syntax +```xml ``` and -``` syntax +```xml ``` ~~~ @@ -1243,7 +1243,7 @@ and ~~~ For example: -``` syntax +```xml @@ -1365,7 +1365,7 @@ The following functions change the content of objects as they are migrated. Thes ~~~ For example: -``` syntax +```xml HKCU\Control Panel\Desktop [ScreenSaveUsePassword] @@ -1622,7 +1622,7 @@ Syntax: The following code sample shows how the <description> element defines the "My custom component" description.: -``` syntax +```xml My custom component ``` @@ -1677,7 +1677,7 @@ Syntax: For example: -``` syntax +```xml HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*] @@ -1807,7 +1807,7 @@ Syntax: The following example is from the MigApp.xml file. -``` syntax +```xml MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*") @@ -1878,7 +1878,7 @@ Syntax: For example: -``` syntax +```xml MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0") @@ -1889,7 +1889,7 @@ For example: and -``` syntax +```xml @@ -1945,7 +1945,7 @@ Syntax: For example: -``` syntax +```xml Command Prompt settings ``` @@ -2012,7 +2012,7 @@ Syntax: In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: -``` syntax +```xml @@ -2022,7 +2022,7 @@ In this scenario, you want to generate the location of objects at run time depen Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. -``` syntax +```xml %INSTALLPATH%\ [*.xyz] @@ -2032,7 +2032,7 @@ Then you can use an include rule as follows. You can use any of the [<script& Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\]. -``` syntax +```xml @@ -2050,7 +2050,7 @@ Second, you can also filter registry values that contain data that you need. The In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file: -``` syntax +```xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt] @@ -2064,7 +2064,7 @@ In this scenario, you want to migrate five files named File1.txt, File2.txt, and Instead of typing the path five times, you can create a variable for the location as follows: -``` syntax +```xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 @@ -2074,7 +2074,7 @@ Instead of typing the path five times, you can create a variable for the locatio Then, you can specify the variable in an <include> rule as follows: -``` syntax +```xml %DATAPATH% [File1.txt] @@ -2133,7 +2133,7 @@ Syntax: For example, from the MigUser.xml file: -``` syntax +```xml %CSIDL_MYMUSIC%\* [*] @@ -2190,7 +2190,7 @@ Syntax: Example: -``` syntax +```xml @@ -2297,7 +2297,7 @@ Syntax: For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: -``` syntax +```xml doc @@ -2305,7 +2305,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s is the same as specifying the following code below the <rules> element: -``` syntax +```xml @@ -2418,7 +2418,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Video @@ -2501,7 +2501,7 @@ The following functions return a Boolean value. You can use them to migrate cert For example: - ``` syntax + ```xml %CSIDL_COMMON_VIDEO%\* [*] @@ -2517,7 +2517,7 @@ The following functions return a Boolean value. You can use them to migrate cert In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer: - ``` syntax + ```xml HKCU\Control Panel\International [Locale] @@ -2634,7 +2634,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -2695,7 +2695,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip] @@ -2740,7 +2740,7 @@ The following functions change the location of objects as they are migrated when ~~~ For example: -``` syntax +```xml HKCU\Keyboard Layout\Toggle [] @@ -2817,7 +2817,7 @@ For example: ~~~ For example: -``` syntax +```xml %CSIDL_COMMON_FAVORITES%\* [*] @@ -2923,7 +2923,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml @@ -2948,7 +2948,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ```xml HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures] @@ -3037,7 +3037,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion] @@ -3097,7 +3097,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml ``` @@ -3138,7 +3138,7 @@ This filter helper function can be used to filter the migration of files based o -``` syntax +```xml File_size @@ -3194,7 +3194,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -3230,7 +3230,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Music @@ -3273,7 +3273,7 @@ This is an internal USMT element. Do not use this element. You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: -``` syntax +```xml C:\Folder\* [Sample.doc] ``` @@ -3336,13 +3336,13 @@ For example: - To migrate a single registry key: - ``` syntax + ```xml HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] ``` - To migrate the EngineeringDrafts folder and any subfolders from the C: drive: - ``` syntax + ```xml C:\EngineeringDrafts\* [*] ``` @@ -3352,13 +3352,13 @@ For example: - To migrate the Sample.doc file from C:\\EngineeringDrafts: - ``` syntax + ```xml C:\EngineeringDrafts\ [Sample.doc] ``` - To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. - ``` syntax + ```xml C:\* [Sample.doc] ``` @@ -3484,7 +3484,7 @@ Syntax: The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: -``` syntax +```xml Start Menu @@ -3571,7 +3571,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Music @@ -3679,7 +3679,7 @@ Examples: To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated. -``` syntax +```xml ``` @@ -3744,7 +3744,7 @@ These functions return either a string or a pattern. ~~~ For example: -``` syntax +```xml @@ -3849,7 +3849,7 @@ If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called whil The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. -``` syntax +```xml @@ -3915,7 +3915,7 @@ This helper function invokes the document finder to scan the system for all file -``` syntax +```xml MigDocUser @@ -3942,7 +3942,7 @@ The following scripts have no return value. You can use the following errors wit - **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: - ``` syntax + ```xml @@ -3952,7 +3952,7 @@ The following scripts have no return value. You can use the following errors wit - **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: - ``` syntax + ```xml @@ -3960,7 +3960,7 @@ The following scripts have no return value. You can use the following errors wit - **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: - ``` syntax + ```xml @@ -3970,7 +3970,7 @@ The following scripts have no return value. You can use the following errors wit - **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: - ``` syntax + ```xml @@ -4020,7 +4020,7 @@ Syntax: For example: -``` syntax +```xml %CSIDL_COMMON_APPDATA%\QuickTime @@ -4045,7 +4045,7 @@ Syntax: The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). -``` syntax +```xml Test @@ -4116,7 +4116,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml HKLM\Software @@ -4168,7 +4168,7 @@ Syntax: For example: -``` syntax +```xml 4.* ``` diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 8baca0f103..89576c00a4 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md @@ -20,20 +20,20 @@ When creating custom .xml files, note the following requirements: - **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ``` syntax + ```xml ``` - **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ``` syntax + ```xml ``` - **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: - ``` syntax + ```xml My Application ``` diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 034bbfc2c8..cc4e0d99a9 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -36,7 +36,7 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” ``` - Import the VAMT PowerShell module. To import the module, type the following at a command prompt: - ``` syntax + ```powershell Import-Module .\VAMT.psd1 ``` Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index dfab99ad78..31a483c26e 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -43,7 +43,7 @@ Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` @@ -132,7 +132,7 @@ Figure 6. The updated Volume Activation Management Tool. VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: -``` syntax +```powershell Get-VamtProduct ``` diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index c67ea0ab51..870cc58a84 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -71,7 +71,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -87,7 +87,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -96,7 +96,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -143,7 +143,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 2e1a83d9b7..582af34a67 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -96,7 +96,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` @@ -112,7 +112,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -121,7 +121,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -172,7 +172,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## @@ -363,7 +363,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 0b6d13f777..dae9193c68 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -25,7 +25,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## @@ -216,7 +216,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 8029b9b1b9..acd70ac9ea 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -206,7 +206,7 @@ This command returns the volumes on the target, current encryption status and vo For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -237,7 +237,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` @@ -382,13 +382,13 @@ Occasionally, all protectors may not be shown when using Get-BitLockerVo If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. Using this information, we can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` > **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. @@ -398,19 +398,19 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. To enable BitLocker with just the TPM protector. This can be done using the command: -``` syntax +```powershell Enable-BitLocker C: ``` The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` ### Data volume Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw @@ -423,12 +423,12 @@ The ADAccountOrGroup protector is an Active Directory SID-based protector. This To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` > **Note:**  Use of this command requires the RSAT-AD-PowerShell feature. @@ -437,7 +437,7 @@ get-aduser -filter {samaccountname -eq "administrator"} In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` > **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. @@ -469,7 +469,7 @@ Administrators who prefer a command line interface can utilize manage-bde to che To check the status of a volume using manage-bde, use the following command: -``` syntax +```powershell manage-bde -status ``` > **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status. @@ -480,7 +480,7 @@ Windows PowerShell commands offer another way to query BitLocker status for volu Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: -``` syntax +```powershell Get-BitLockerVolume -Verbose | fl ``` This command will display information about the encryption method, volume type, key protectors, etc. @@ -506,12 +506,12 @@ Once decryption is complete, the drive will update its status in the control pan Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: -``` syntax +```powershell manage-bde -off C: ``` This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: -``` syntax +```powershell manage-bde -status C: ``` ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets @@ -520,12 +520,12 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to manage Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: -``` syntax +```powershell Disable-BitLocker ``` If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: -``` syntax +```powershell Disable-BitLocker -MountPoint E:,F:,G: ``` ## See also diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 70ba14d6a6..f8d1a6e1f9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -52,14 +52,14 @@ The `servermanager` Windows PowerShell module can use either the `Install-Window By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. -``` syntax +```powershell Install-WindowsFeature BitLocker -WhatIf ``` The results of this command show that only the BitLocker Drive Encryption feature installs using this command. To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` @@ -75,7 +75,7 @@ The result of this command displays the following list of all the administration The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` @@ -85,7 +85,7 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. -``` syntax +```powershell Get-WindowsOptionalFeature -Online | ft ``` @@ -93,13 +93,13 @@ From this output, we can see that there are three BitLocker related optional fea To install BitLocker using the `dism` module, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` ## More information diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 6545ca0992..49b3e4f60f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md @@ -313,7 +313,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many - Verify the clients were rebooted after applying the policy. - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: - ``` syntax + ```powershell manage-bde –protectors –get C: ``` >**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index f21beec5e9..bde16da8e3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -278,26 +278,25 @@ You can reset the recovery password in two ways: 1. Remove the previous recovery password - ``` syntax + ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` 2. Add the new recovery password - ``` syntax + ```powershell Manage-bde –protectors –add C: -RecoveryPassword - ``` 3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. - ``` syntax + ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword - ``` + 4. Backup the new recovery password to AD DS - ``` syntax + ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` >**Warning:**  You must include the braces in the ID string. @@ -315,7 +314,7 @@ You can reset the recovery password in two ways: You can use the following sample script to create a VBScript file to reset the recovery passwords. -``` syntax +```vb ' Target drive letter strDriveLetter = "c:" ' Target computer name @@ -404,7 +403,7 @@ The following sample script exports all previously-saved key packages from AD D You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- @@ -551,7 +550,7 @@ The following sample script exports a new key package from an unlocked, encrypte **cscript GetBitLockerKeyPackage.vbs -?** -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 30fea18843..20ab73acfb 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -46,7 +46,7 @@ Listed below are examples of basic valid commands for operating system volumes. A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: -``` syntax +```powershell manage-bde -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: @@ -55,7 +55,7 @@ This command returns the volumes on the target, current encryption status, encry The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -64,7 +64,7 @@ manage-bde -on C: An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: -``` syntax +```powershell manage-bde -protectors -add C: -pw -sid ``` @@ -72,13 +72,13 @@ This command will require you to enter and then confirm the password protector b On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: -``` syntax +```powershell manage-bde -on C: ``` This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: -``` syntax +```powershell manage-bde -protectors -get ``` ### Using manage-bde with data volumes @@ -87,7 +87,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` @@ -257,7 +257,7 @@ If you want to remove the existing protectors prior to provisioning BitLocker on A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` @@ -266,7 +266,7 @@ Using this, you can display the information in the $keyprotectors variable to de Using this information, you can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` @@ -278,13 +278,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the ma The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: -``` syntax +```powershell Enable-BitLocker C: - ``` + In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` @@ -293,7 +293,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw @@ -306,7 +306,7 @@ The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2 To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` @@ -314,7 +314,7 @@ For users who wish to use the SID for the account or group, the first step is to >**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` @@ -322,7 +322,7 @@ get-aduser -filter {samaccountname -eq "administrator"} The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index e19f192e4c..01c9fe213f 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md @@ -66,13 +66,13 @@ BitLocker encryption is available for disks before or after addition to a cluste 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster - ``` + 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` @@ -88,32 +88,32 @@ When the cluster service owns a disk resource already, it needs to be set into m 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" ``` 3. Put the physical disk resource into maintenance mode using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` 4. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster ``` 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. 6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` @@ -146,7 +146,7 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps 6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. -``` syntax +```powershell manage-bde -status "C:\ClusterStorage\volume1" ``` diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 44a4ae63d3..300f56c569 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -413,7 +413,7 @@ Here are the minimum steps for WEF to operate: ## Appendix E – Annotated baseline subscription event query -``` syntax +```xml @@ -578,8 +578,7 @@ Here are the minimum steps for WEF to operate: ## Appendix F – Annotated Suspect Subscription Event Query -``` syntax - +```xml diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 7ee34ff838..575ad0d393 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -41,6 +41,6 @@ You can also manually merge AppLocker policies. For the procedure to do this, se Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. -``` syntax +```powershell C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge ``` diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 9c6966b525..5ded02bd51 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -80,7 +80,7 @@ This script does the following: Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell # Create a Security Group for the computers that will get the policy $pathname = (Get-ADDomain).distinguishedname New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` @@ -120,7 +120,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell #Set up the certificate $certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" $myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop @@ -173,7 +173,7 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: 6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: - ``` syntax + ```xml ERROR_IPSEC_IKE_NO_CERT 32 diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 79ee3e58bd..4daaa5d367 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -67,7 +67,7 @@ netsh advfirewall set allprofiles state on **Windows PowerShell** -``` syntax +```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ``` @@ -88,7 +88,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile Windows PowerShell -``` syntax +```powershell Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` @@ -140,7 +140,7 @@ netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow ``` @@ -157,7 +157,7 @@ netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name ``` @@ -169,7 +169,7 @@ The following performs the same actions as the previous example (by adding a Tel Windows PowerShell -``` syntax +```powershell $gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo Save-NetGPO –GPOSession $gpo @@ -191,7 +191,7 @@ netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 ``` @@ -205,7 +205,7 @@ In the following example, we assume the query returns a single firewall rule, wh Windows PowerShell -``` syntax +```powershell Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 ``` @@ -213,7 +213,7 @@ You can also query for rules using the wildcard character. The following example Windows PowerShell -``` syntax +```powershell Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule ``` @@ -223,7 +223,7 @@ In the following example, we add both inbound and outbound Telnet firewall rules Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” ``` @@ -232,7 +232,7 @@ If the group is not specified at rule creation time, the rule can be added to th Windows PowerShell -``` syntax +```powershell $rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” $rule.Group = “Telnet Management” $rule | Set-NetFirewallRule @@ -250,7 +250,7 @@ netsh advfirewall firewall set rule group="Windows Defender Firewall remote mana Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True ``` @@ -258,7 +258,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g Windows PowerShell -``` syntax +```powershell Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose ``` @@ -276,7 +276,7 @@ netsh advfirewall firewall delete rule name=“Allow Web 80” Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Allow Web 80” ``` @@ -284,7 +284,7 @@ Like with other cmdlets, you can also query for rules to be removed. Here, all b Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –Action Block ``` @@ -292,7 +292,7 @@ Note that it may be safer to query the rules with the **Get** command and save i Windows PowerShell -``` syntax +```powershell $x = Get-NetFirewallRule –Action Block $x $x[0-3] | Remove-NetFirewallRule @@ -306,7 +306,7 @@ The following example returns all firewall rules of the persistent store on a de Windows PowerShell -``` syntax +```powershell Get-NetFirewallRule –CimSession RemoteDevice ``` @@ -314,7 +314,7 @@ We can perform any modifications or view rules on remote devices by simply usin Windows PowerShell -``` syntax +```powershell $RemoteSession = New-CimSession –ComputerName RemoteDevice Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm ``` @@ -342,7 +342,7 @@ netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name ``` @@ -365,7 +365,7 @@ netsh advfirewall consec add rule name="Require Outbound Authentication" endpoin Windows PowerShell -``` syntax +```powershell $AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name @@ -379,7 +379,7 @@ You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway ``` @@ -395,7 +395,7 @@ Copying individual rules is a task that is not possible through the Netsh interf Windows PowerShell -``` syntax +```powershell $Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication” $Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name $Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name @@ -407,7 +407,7 @@ To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAc Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue ``` @@ -415,7 +415,7 @@ Note that the use of wildcards can also suppress errors, but they could potentia Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” ``` @@ -423,7 +423,7 @@ When using wildcards, if you want to double-check the set of rules that is match Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf ``` @@ -431,7 +431,7 @@ If you only want to delete some of the matched rules, you can use the *–Confir Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm ``` @@ -439,7 +439,7 @@ You can also just perform the whole operation, displaying the name of each rule Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose ``` @@ -457,7 +457,7 @@ netsh advfirewall consec show rule name=all Windows PowerShell -``` syntax +```powershell Show-NetIPsecRule –PolicyStore ActiveStore ``` @@ -473,7 +473,7 @@ netsh advfirewall monitor show mmsa all Windows PowerShell -``` syntax +```powershell Get-NetIPsecMainModeSA ``` @@ -485,7 +485,7 @@ For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is sp Windows PowerShell -``` syntax +```powershell Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore ``` @@ -506,7 +506,7 @@ netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profi Windows PowerShell -``` syntax +```powershell $kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos $Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation @@ -524,7 +524,7 @@ netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0. Windows PowerShell -``` syntax +```powershell $QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name @@ -548,7 +548,7 @@ netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in pro Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow ``` @@ -562,7 +562,7 @@ netsh advfirewall consec add rule name="Authenticate Both Computer and User" end Windows PowerShell -``` syntax +```powershell $mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM $P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop @@ -593,7 +593,7 @@ The following example shows you how to create an SDDL string that represents sec Windows PowerShell -``` syntax +```powershell $user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) $SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value $secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" @@ -603,7 +603,7 @@ By using the previous scriptlet, you can also get the SDDL string for a secure c Windows PowerShell -``` syntax +```powershell $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" ``` @@ -622,7 +622,7 @@ netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Gr Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation ``` @@ -634,7 +634,7 @@ In this example, we set the global IPsec setting to only allow transport mode tr Windows PowerShell -``` syntax +```powershell Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup ``` @@ -653,7 +653,7 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec Windows PowerShell -``` syntax +```powershell New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation ``` From ce42927cabd759d49fed0c22b302e44e586b2c0d Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 11:49:39 +0530 Subject: [PATCH 121/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 4ddd16a1f3..c85241effb 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -58,7 +58,7 @@ This can only be done in Group Policy. 1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. From 5c507fb6bf8243eb1af1bb026072a64840f3c8ee Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 11:50:19 +0530 Subject: [PATCH 122/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index c85241effb..cb14c4f7bd 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -77,7 +77,6 @@ This can only be done in Group Policy. >[!IMPORTANT] - >### Requirements > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. From febe7c706ae43898a0d1aef263195d325e89ef6e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 11:51:12 +0530 Subject: [PATCH 123/311] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index cb14c4f7bd..67bbc627e5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -76,7 +76,6 @@ You can hide all notifications that are sourced from the Windows Security app. T This can only be done in Group Policy. >[!IMPORTANT] - >### Requirements > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. From 59dc426cb9a9f20946d8ede98b9cee68fcd40d03 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 19 Jul 2019 09:54:18 +0500 Subject: [PATCH 124/311] Data protection for user profile data As the user has reported that if user profile data is in any other drive instead of Windows installed profile location WDAG give an error. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4377 --- .../enable-controlled-folders-exploit-guard.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 29ed15335f..938a3a3512 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -53,6 +53,8 @@ For more information about disabling local list merging, see [Prevent or allow u >If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. >If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. +>If you are protecting user profile data, it is recommended that user profile should be on default Windows installation drive. + ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. From 9744468a7a4843e3cc28426d833e05f14e96ef0e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 19 Jul 2019 11:27:14 +0500 Subject: [PATCH 125/311] Google Drive Config for WIP Added a use case where user can block Google Drive not to sync WIP protected files. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4342 --- .../testing-scenarios-for-wip.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 08af5d2456..c076d6d52c 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -172,6 +172,17 @@ You can try any of the processes included in these scenarios, but you should foc + + Stop Google Drive to sync WIP protected files and folders. + +
    +
  • In silent configuration add Google Drive in Protected Apps and set it to Deny. This way Google Drive will not sync WIP protected files and folders.
    • +
  • Google Drive details
    • + Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US + File=GOOGLEDRIVESYNC.EXE +
+ + >[!NOTE] From 4d6191054dd6c7718c0e5364670e8962427bf57c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 20 Jul 2019 00:14:24 +0500 Subject: [PATCH 126/311] Update windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../windows-information-protection/testing-scenarios-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index c076d6d52c..48b64f7054 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -173,7 +173,7 @@ You can try any of the processes included in these scenarios, but you should foc - Stop Google Drive to sync WIP protected files and folders. + Stop Google Drive from syncing WIP protected files and folders.