From a8ac2c2e24dde3052424337fb00e45708f60af9e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 14 Dec 2016 09:49:34 -0800 Subject: [PATCH 01/39] Adding new topic --- ...ended-office-365-configurations-for-wip.md | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 windows/keep-secure/recommended-office-365-configurations-for-wip.md diff --git a/windows/keep-secure/recommended-office-365-configurations-for-wip.md b/windows/keep-secure/recommended-office-365-configurations-for-wip.md new file mode 100644 index 0000000000..15765e4001 --- /dev/null +++ b/windows/keep-secure/recommended-office-365-configurations-for-wip.md @@ -0,0 +1,23 @@ +--- +title: Recommended Office 365 Exchange Online and Outlook configuration with Windows Information Protection (WIP) (Windows 10) +description: Recommendations about how to configure Office 365 Exchange Online and Outlook while using Windows Information Protection (WIP). +ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, configure Office 365 with WIP, WIP and Office 365 Mail +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +--- + +# Recommended Office 365 Exchange Online and Outlook configuration with Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). + +Because Office 365 Exchange Online and Outlook can be used both personally and as part of your enterprise, we recommend the following configuration: + + From c31463c686270581f0de029370773593c1258727 Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Wed, 14 Dec 2016 13:08:14 -0800 Subject: [PATCH 02/39] Added content --- ...ended-office-365-configurations-for-wip.md | 50 +++++++++++++++++-- 1 file changed, 46 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/recommended-office-365-configurations-for-wip.md b/windows/keep-secure/recommended-office-365-configurations-for-wip.md index 15765e4001..7b3e62ed95 100644 --- a/windows/keep-secure/recommended-office-365-configurations-for-wip.md +++ b/windows/keep-secure/recommended-office-365-configurations-for-wip.md @@ -1,6 +1,6 @@ --- -title: Recommended Office 365 Exchange Online and Outlook configuration with Windows Information Protection (WIP) (Windows 10) -description: Recommendations about how to configure Office 365 Exchange Online and Outlook while using Windows Information Protection (WIP). +title: Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) (Windows 10) +description: Recommendations about how to configure Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, with Windows Information Protection (WIP). ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, configure Office 365 with WIP, WIP and Office 365 Mail ms.prod: w10 @@ -10,7 +10,7 @@ ms.pagetype: security localizationpriority: high --- -# Recommended Office 365 Exchange Online and Outlook configuration with Windows Information Protection (WIP) +# Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) **Applies to:** - Windows 10, version 1607 
@@ -18,6 +18,48 @@ localizationpriority: high >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). -Because Office 365 Exchange Online and Outlook can be used both personally and as part of your enterprise, we recommend the following configuration: +Because the Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, can be used both personally and as part of your organization, we recommend the following configurations: + + + + + + + + + + + + + + + + + + + + + + + + +
OptionOWA behaviorOffice 365 behavior
Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app.Disabled.Both Outlook 2016 and the Office 365 Mail app behave properly, regardless of how you've configured outlook.office.com in your network settings.
An employee's mailbox is automatically marked as corporate data.
Don't configure outlook.office.com in any of your networking settings.All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data.
Do any of the following: +
    +
  • Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
  • +
  • Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
  • +
  • Add the following URLs to the Neutral Resources network element in your WIP policy: +
      +
    • outlook.office365.com
    • +
    • outlook.office.com
    • +
    • outlook-sdf.office.com
    • +
    • attachment.outlook.office.net
    • +
    +
  • +
+
Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal.
Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy.All mailboxes are automatically marked as work. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data.
+ + + + From 0d3b4bc505f49bbace9c88c80b5e35a196058628 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 14 Dec 2016 13:21:55 -0800 Subject: [PATCH 03/39] Adding content for new topic --- windows/keep-secure/TOC.md | 1 + .../change-history-for-keep-windows-10-secure.md | 6 ++++++ 2 files changed, 7 insertions(+) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 0676b4a600..877577e1f7 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -34,6 +34,7 @@ ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) +#### [Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) #### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) #### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 759d44b4af..10d1e0391a 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -12,6 +12,12 @@ author: brianlic-msft # Change history for Keep Windows 10 secure This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## December 2016 +|New or changed topic |Description | +|---------------------|------------| +|[Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) |New | + + ## November 2016 | New or changed topic | Description | | --- | --- | From 0af960919aad09541db1288a1033a530d03969fe Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 15 Dec 2016 07:10:52 -0800 Subject: [PATCH 04/39] Pulling topics into higher level for easier discoverability --- windows/keep-secure/TOC.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 877577e1f7..069962cc43 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -32,12 +32,12 @@ #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) -#### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) #### [Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) -#### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) -#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) +### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) +### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) +### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN technical guide](vpn-guide.md) From b9ea659603c2d30e7502eca74e504f7fd979cf1c Mon Sep 17 00:00:00 2001 
From: LizRoss Date: Thu, 15 Dec 2016 07:23:07 -0800 Subject: [PATCH 05/39] Adding new, and moving around old, content --- .../guidance-and-best-practices-wip.md | 1 - ...recommended-network-definitions-for-wip.md | 23 +++++++++++++++++++ ...ended-office-365-configurations-for-wip.md | 3 +-- 3 files changed, 24 insertions(+), 3 deletions(-) create mode 100644 windows/keep-secure/recommended-network-definitions-for-wip.md diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index b91386f0c0..93a995e948 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md @@ -22,7 +22,6 @@ This section includes info about the enlightened Microsoft apps, including how t ## In this section |Topic |Description | |------|------------| -|[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. | |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | |[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | 
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md new file mode 100644 index 0000000000..f56c785ace --- /dev/null +++ b/windows/keep-secure/recommended-network-definitions-for-wip.md @@ -0,0 +1,23 @@ +--- +title: Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP) (Windows 10) +description: Recommendations about additions to make to the Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral resources, WIP and Enterprise Cloud Resources +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +--- + +# Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP) + +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). + +We recommend that you update your network settings for both the Enteprise Cloud and Neutral resources. + +## Recommended Enterprise Cloud Resources \ No newline at end of file diff --git a/windows/keep-secure/recommended-office-365-configurations-for-wip.md b/windows/keep-secure/recommended-office-365-configurations-for-wip.md index 7b3e62ed95..b243ede2f4 100644 --- a/windows/keep-secure/recommended-office-365-configurations-for-wip.md +++ b/windows/keep-secure/recommended-office-365-configurations-for-wip.md 
@@ -1,8 +1,7 @@ --- title: Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) (Windows 10) description: Recommendations about how to configure Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, with Windows Information Protection (WIP). -ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032 -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, configure Office 365 with WIP, WIP and Office 365 Mail +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Office 2016 configuration, WIP and Office 365 Mail app ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From cd49604ff0e8e3da99275c2050a88cd7b80b1d18 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 15 Dec 2016 07:36:17 -0800 Subject: [PATCH 06/39] Adding new, and moving around old, content --- windows/keep-secure/TOC.md | 3 ++- windows/keep-secure/guidance-and-best-practices-wip.md | 9 +++++---- .../recommended-network-definitions-for-wip.md | 2 +- 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 069962cc43..244b54bbcd 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -33,8 +33,9 @@ #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) -#### [Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) +#### [Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) +#### [Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) ### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) ### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) ### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index 93a995e948..22f75b6d06 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
@@ -22,7 +22,8 @@ This section includes info about the enlightened Microsoft apps, including how t ## In this section |Topic |Description | |------|------------| -|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. | -|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | -|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | -|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). | \ No newline at end of file +|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | +|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behavior. | +|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |An explanation about enlightened and unenlightened app behavior with Windows Information Protection (WIP). 
| +|[Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) |A list of recommended Windows Information Protection (WIP) configurations for use with Office 2016 and the Office 365 Mail and Calendar apps. | +|[Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |A list of recommended URLs to add to your network settings for both the Enteprise Cloud and Neutral resources. | \ No newline at end of file diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md index f56c785ace..5637879022 100644 --- a/windows/keep-secure/recommended-network-definitions-for-wip.md +++ b/windows/keep-secure/recommended-network-definitions-for-wip.md @@ -18,6 +18,6 @@ localizationpriority: high >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). -We recommend that you update your network settings for both the Enteprise Cloud and Neutral resources. +We recommend that you add the following URLs to your network settings for both the Enteprise Cloud and Neutral resources. ## Recommended Enterprise Cloud Resources \ No newline at end of file From 5f15a940e652fee38951a7e4411ca48045a893bf Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 15 Dec 2016 08:17:23 -0800 Subject: [PATCH 07/39] Adding new content --- windows/keep-secure/TOC.md | 2 +- ...ange-history-for-keep-windows-10-secure.md | 1 + ...recommended-network-definitions-for-wip.md | 25 +++++++++++++++---- 3 files changed, 22 insertions(+), 6 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 244b54bbcd..ddbf1133a1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -35,7 +35,7 @@ #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) #### [Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) -#### [Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) +#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) ### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) ### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) ### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 10d1e0391a..dd10a80171 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic |Description | |---------------------|------------| |[Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) |New | +|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | ## November 2016 
diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md index 5637879022..43a247515b 100644 --- a/windows/keep-secure/recommended-network-definitions-for-wip.md +++ b/windows/keep-secure/recommended-network-definitions-for-wip.md @@ -1,7 +1,7 @@ --- -title: Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP) (Windows 10) -description: Recommendations about additions to make to the Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral resources, WIP and Enterprise Cloud Resources +title: Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) (Windows 10) +description: Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings used with Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high --- -# Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP) +# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) **Applies to:** 
@@ -20,4 +20,19 @@ localizationpriority: high We recommend that you add the following URLs to your network settings for both the Enteprise Cloud and Neutral resources. -## Recommended Enterprise Cloud Resources \ No newline at end of file +## Recommended Enterprise Cloud Resources +This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on what you use in your organization. + +|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s) | +|-----------------------------|---------------------------------------------------------------------| +|Office 365 for Business |
  • contoso.sharepoint.com
  • contoso-my.sharepoint.com
  • contoso-files.sharepoint.com
  • tasks.office.com
  • lists.office.com
  • collabdb.com
  • www.collabdb.com
  • protection.office.com
  • meet.lync.com
  • teams.microsoft.com
| +|Yammer |
  • www.yammer.com
  • yammer.com
  • persona.yammer.com
| +|Microsoft Dynamics |contoso.crm.dynamics.com | +|Visual Studio Online |contoso.visualstudio.com | +|Power BI |contoso.powerbi.com | + +## Recommended Neutral Resources +This table includes the recommended URLs to add to your Neutral Resources network setting, based on what you use in your organization. + +|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s) | +|-----------------------------|---------------------------------------------------------------------| \ No newline at end of file From c44ba3a77e43ea1ec27843cbc37c101993ce9944 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 15 Dec 2016 08:33:03 -0800 Subject: [PATCH 08/39] Adding content --- .../recommended-network-definitions-for-wip.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md index 43a247515b..501704692d 100644 --- a/windows/keep-secure/recommended-network-definitions-for-wip.md +++ b/windows/keep-secure/recommended-network-definitions-for-wip.md @@ -21,7 +21,7 @@ localizationpriority: high We recommend that you add the following URLs to your network settings for both the Enteprise Cloud and Neutral resources. ## Recommended Enterprise Cloud Resources -This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on what you use in your organization. +This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization. |If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s) | |-----------------------------|---------------------------------------------------------------------| @@ -32,7 +32,8 @@ This table includes the recommended URLs to add to your Enterprise Cloud Resourc |Power BI |contoso.powerbi.com | ## Recommended Neutral Resources -This table includes the recommended URLs to add to your Neutral Resources network setting, based on what you use in your organization. - -|If your organization uses... |Add these entries to your Enterprise Cloud Resources network setting
(Replace "contoso" with your domain name(s) | -|-----------------------------|---------------------------------------------------------------------| \ No newline at end of file +We recommended adding these URLs if you use the Neutral Resources network setting with Windows Information Protection (WIP). +
    +
  • login.microsoftonline.com
  • +
  • login.windows.net
  • +
\ No newline at end of file From 66ff7ff0e57629dbbc120486655b7822109eceac Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 15 Dec 2016 08:49:55 -0800 Subject: [PATCH 09/39] Adding content --- windows/keep-secure/guidance-and-best-practices-wip.md | 6 +++--- .../keep-secure/recommended-network-definitions-for-wip.md | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index 22f75b6d06..58c2677dd5 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
@@ -23,7 +23,7 @@ This section includes info about the enlightened Microsoft apps, including how t |Topic |Description | |------|------------| |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | -|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behavior. | +|[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. | |[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |An explanation about enlightened and unenlightened app behavior with Windows Information Protection (WIP). | -|[Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) |A list of recommended Windows Information Protection (WIP) configurations for use with Office 2016 and the Office 365 Mail and Calendar apps. | -|[Recommended Enterprise Cloud and Neutral network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |A list of recommended URLs to add to your network settings for both the Enteprise Cloud and Neutral resources. | \ No newline at end of file +|[Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) |Recommended Windows Information Protection (WIP) configurations for use with Office 2016 and the Office 365 Mail and Calendar apps. 
| +|[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). | \ No newline at end of file diff --git a/windows/keep-secure/recommended-network-definitions-for-wip.md b/windows/keep-secure/recommended-network-definitions-for-wip.md index 501704692d..c87c52e3e3 100644 --- a/windows/keep-secure/recommended-network-definitions-for-wip.md +++ b/windows/keep-secure/recommended-network-definitions-for-wip.md @@ -1,6 +1,6 @@ --- title: Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) (Windows 10) -description: Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings used with Windows Information Protection (WIP). +description: Recommended URLs to add to your Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Neutral Resources, WIP and Enterprise Cloud Resources ms.prod: w10 ms.mktglfcycl: explore 
@@ -18,7 +18,7 @@ localizationpriority: high >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). -We recommend that you add the following URLs to your network settings for both the Enteprise Cloud and Neutral resources. +We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). ## Recommended Enterprise Cloud Resources This table includes the recommended URLs to add to your Enterprise Cloud Resources network setting, based on the apps you use in your organization. From aa5e8d8841080472077f0cdaab6adfcb06bb927f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 15 Dec 2016 09:19:27 -0800 Subject: [PATCH 10/39] Re-ordered for easier access --- windows/keep-secure/TOC.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index ddbf1133a1..440bcf0ee1 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -31,14 +31,14 @@ ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) +### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) +### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) +### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) #### [Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) -### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) -### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) -### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Override Process Mitigation Options to help enforce app-related security 
policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN technical guide](vpn-guide.md) From 9e72a2d1123b448210b1f4c14e1826579052964b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 15 Dec 2016 13:55:37 -0800 Subject: [PATCH 11/39] stage --- ...-deployment-surface-hub-device-accounts.md | 49 +++++++++---------- 1 file changed, 23 insertions(+), 26 deletions(-) diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 571a848679..cd9d8cb6de 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md @@ -84,7 +84,10 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Set-MsolUser -UserPrincipalName 'HUB01@contoso.com' -PasswordNeverExpires $true ``` -7. The device account needs to have a valid Office 365 (O365) license, or Exchange and Skype for Business will not work. If you have the license, you need to assign a usage location to your device account—this determines what license SKUs are available for your account. +7. Surface Hub requires a license for Skype for Business functionality. + - Your Surface Hub account requires a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. + - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. + - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). Next, you can use `Get-MsolAccountSku` to retrieve a list of available SKUs for your O365 tenant. 
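Review bot: the rewritten step 7 drops the sentence about assigning a usage location to the device account, but the unchanged line right after it ("Next, you can use `Get-MsolAccountSku` ...") still reads as the continuation of that explanation. The removed text said the usage location determines which license SKUs are available, so a reader of the new step is no longer told why that matters before listing SKUs. Suggest keeping a one-line usage-location bullet under step 7. The step's first line also says "Skype for Business" while its three bullets say "Lync Online (Plan 2)" and "(Plan 3)"; use one product name throughout.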
@@ -98,15 +101,6 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow 8. Enable the device account with Skype for Business. - In order to enable Skype for Business, your environment will need to meet the following prerequisites: - - - You'll need to have Lync Online (Plan 2) or higher in your O365 plan. The plan needs to support conferencing capability. - - If you need Enterprise Voice (PSTN telephony) using telephony service providers for the Surface Hub, you need Lync Online (Plan 3). - - Your tenant users must have Exchange mailboxes. - - Your device account needs a Lync Online (Plan 2) or Lync Online (Plan 3) license, but it does not require an Exchange Online license. - - - - Start by creating a remote PowerShell session from a PC. ```PowerShell 
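Review bot: of the four prerequisites deleted from step 8 here, only three reappear under step 7 in this patch; "Your tenant users must have Exchange mailboxes" is removed and not restated in any of the visible changes. If that requirement no longer applies, say so in the commit message (the subject is only "stage"); otherwise move it to step 7 with the other bullets.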
@@ -115,29 +109,32 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Import-PSSession $cssess -AllowClobber ``` - - To enable your Surface Hub account for Skype for Business Server, run this cmdlet: - - ```PowerShell - Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool - "sippoolbl20a04.infra.lync.com" -SipAddressType EmailAddress - ``` - - If you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet: + - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): ```PowerShell Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* + OR by setting a variable + $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool + ``` + + - Enable the Surface Hub account with the following cmdlet: + + ```PowerShell + Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress + OR using the $strRegistarPool variable from above + Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool $strRegistrarPool -SipAddressType EmailAddress ``` -9. Assign Skype for Business license to your Surface Hub account. +Alternatively, You can assign a license to the Surface Hub through the Office 365 administrators portal: + +1. Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. +1. Click on Users and Groups and then Add users, reset passwords, and more. +1. Select the Surface Hub account, and then click or tap the pen icon, which means edit. +1. Click on the Licenses option. +1. 
In the Assign licenses section, you need to select an appropriate license that meets the requirements in step 7 depending on your licensing and what you've decided in terms of needing Enterprise Voice. +1. Click Save and you're done. - Once you've completed the preceding steps to enable your Surface Hub account in Skype for Business Online, you need to assign a license to the Surface Hub. Using the O365 administrative portal, assign either a Skype for Business Online (Plan 2) or a Skype for Business Online (Plan 3) to the device. - - Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. - - Click on **Users and Groups** and then **Add users, reset passwords, and more**. - - Select the Surface Hub account, and then click or tap the pen icon, which means edit. - - Click on the **Licenses** option. - - In the **Assign licenses** section, you need to select Skype for Business (Plan 2) or Skype for Business (Plan 3), depending on your licensing and what you've decided in terms of needing Enterprise Voice. You'll have to use a Plan 3 license if you want to use Enterprise Voice on your Surface Hub. - - Click **Save** and you're done. >[!NOTE] >It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. From 6ea9d4a73f7f7a094831ba8492011111fa4ed00b Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 15 Dec 2016 14:13:55 -0800 Subject: [PATCH 12/39] format issues --- .../online-deployment-surface-hub-device-accounts.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index cd9d8cb6de..db37cfd52e 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md 
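Review bot: in the two PowerShell fences added to step 8 (PATCH 11/39, hunk @@ -115,29 +109,32 @@), the lines "OR by setting a variable" and "OR using the $strRegistarPool variable from above" sit inside the code block as bare text, so anyone who pastes the block has PowerShell try to run `OR` as a command. Turn them into `#` comments or move them out of the fence into prose, and correct the misspelled `$strRegistarPool` so it matches the `$strRegistrarPool` that is actually assigned. The new "Alternatively, You can assign a license ..." paragraph starts at column 0 with a capital "You" and restarts numbering at 1, which ends the outer numbered list that the removed step 9 belonged to; indent it under step 8 or give it its own heading.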
@@ -127,12 +127,12 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Alternatively, You can assign a license to the Surface Hub through the Office 365 administrators portal: -1. Login as a tenant administrator, open the O365 Administrative Portal, and click on the Admin app. -1. Click on Users and Groups and then Add users, reset passwords, and more. +1. Sign in as a tenant administrator, open the O365 Administrative Portal, and click the Admin app. +1. Click **Users and Groups** and then **Add users, reset passwords, and more**. 1. Select the Surface Hub account, and then click or tap the pen icon, which means edit. -1. Click on the Licenses option. -1. In the Assign licenses section, you need to select an appropriate license that meets the requirements in step 7 depending on your licensing and what you've decided in terms of needing Enterprise Voice. -1. Click Save and you're done. +1. Click the **Licenses** option. +1. In the **Assign licenses** section, select an appropriate license that meets the requirements in step 7 depending on your licensing and what you've decided in terms of needing Enterprise Voice. +1. Click **Save** and you're done. From 0dffa461c03dbd0979d7a2c300f2041740a9a7af Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 15 Dec 2016 14:14:25 -0800 Subject: [PATCH 13/39] format --- .../online-deployment-surface-hub-device-accounts.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index db37cfd52e..322eda7c1b 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md 
@@ -109,7 +109,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Import-PSSession $cssess -AllowClobber ``` - - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): + - Next, if you aren't sure what value to use for the `RegistrarPool` parameter in your environment, you can get the value from an existing Skype for Business user using this cmdlet (for example, *alice@contoso.com*): ```PowerShell Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* @@ -117,7 +117,7 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool ``` - - Enable the Surface Hub account with the following cmdlet: + - Enable the Surface Hub account with the following cmdlet: ```PowerShell Enable-CsMeetingRoom -Identity 'HUB01@contoso.com' -RegistrarPool yourRegistrarPool -SipAddressType EmailAddress From 6a17b54dde837ead8703db5e5beed2983a9d179f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 15 Dec 2016 14:22:25 -0800 Subject: [PATCH 14/39] log --- .../online-deployment-surface-hub-device-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index 322eda7c1b..e42598a51d 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md 
@@ -139,7 +139,7 @@ Alternatively, You can assign a license to the Surface Hub through the Office 36 >[!NOTE] >It's also possible to use the Windows Azure Active Directory Module for Windows PowerShell to run the cmdlets needed to assign one of these licenses, but that's not covered here. -For validation, you should be able to use any Skype for Business client (PC, Android, etc) to log in to this account. +For validation, you should be able to use any Skype for Business client (PC, Android, etc) to sign in to this account. From 62a58189d88a9d5373cda77cefa2a8ccdaa20074 Mon Sep 17 00:00:00 2001 From: Karthika Raman Date: Wed, 4 Jan 2017 14:54:26 -0800 Subject: [PATCH 15/39] adding new exit codes +link to auth proxy blog post --- windows/deploy/upgrade-analytics-get-started.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index f8f05c26b8..f286a4ecad 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -1,4 +1,4 @@ ---- +--- title: Get started with Upgrade Analytics (Windows 10) description: Explains how to get started with Upgrade Analytics. ms.prod: w10 @@ -53,7 +53,7 @@ If you are not using OMS: After you’ve signed in to Operations Management Suite and added the Upgrade Analytics solution to your workspace, complete the following tasks to establish communication and enable data sharing between user computers, Microsoft secure data centers, and Upgrade Analytics. -## Generate your commercial ID key +## Generate your commercial ID key Microsoft uses a unique commercial ID to map information from user computers to your OMS workspace. Generate your commercial ID key in OMS and then deploy it to user computers. 
@@ -77,7 +77,7 @@ For Upgrade Analytics to receive and display upgrade readiness data from Microso To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this. -Note: The compatibility update KB runs under the computer’s system account and does not support user authenticated proxies. +Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post]()to learn what you need to do to run it under the logged on user account. | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| 
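Review bot: the new Note links to `[this blog post]()`, an empty target, and has no space before "to learn", so the published sentence points nowhere at exactly the place where it tells admins behind user-authenticated proxies how to run the update under the logged-on user account rather than the system account. Fill in the URL before merging, or hold the sentence until the post exists, and add the missing space.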
@@ -137,7 +137,7 @@ The Upgrade Analytics deployment script does the following: To run the Upgrade Analytics deployment script: -1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is inteded to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. +1. Download the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and extract UpgradeAnalytics.zip. Inside, there are two folders: Pilot and Deployment. The Pilot folder contains advanced logging that can help troubleshoot issues and is intended to be run from an elevated command prompt. The Deployment folder offers a lightweight script intended for broad deployment through ConfigMgr or other software deployment system. We recommend manually running the Pilot version of the script on 5-10 machines to verify that everything is configured correctly. Once you have confirmed that data is flowing successfully, proceed to run the Deployment version throughout your organization. 2. Edit the following parameters in RunConfig.bat: 
@@ -165,7 +165,7 @@ To run the Upgrade Analytics deployment script: 4. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. -The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered. +The deployment script displays the following exit codes to let you know if it was successful, or if an error was encountered.
@@ -200,6 +200,9 @@ The deployment script displays the following exit codes to let you know if it wa 26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs. 27The script is not running under System account. The Upgrade Analytics configuration script must be run as system. 28Could not create log file at the specified logPath. +29 Connectivity check failed. and the most likely cause is the updates required for authentication proxy are not installed. Install the cumulative updates on the machine and enable the authentication proxy settings through registry settings. You can find the instructions and the updates here: [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). For information on running the deployment script in environments that use authentication proxy, see [this blog post] (). +30This means that the connectivity check failed, and the most likely cause is that the registry key is not set correctly. For instructions on setting the registry keys, see [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). For information on running the deployment script in environments that use authentication proxy, see [this blog post] (). +30There is already an instance of CompatTelRunner.exe running on the machine. Check the Windows Task Manager to verify that the CompatTelRunner.exe is no longer running before running the script again. You may also have a scheduled task that is running the script, so you should verify to make sure that you don't have Upgrade Analytics scripts scheduled to run at the same time.
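Review bot: the three added rows are numbered 29, 30 and 30, so two unrelated failures (registry key not set correctly, and CompatTelRunner.exe already running) share exit code 30 and cannot be told apart from the table. Give the last row the code the script actually returns for it. Row 29 also has a stray ". and" after "Connectivity check failed", and both `[this blog post] ()` links have a space before an empty target, so they will not render as links.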
@@ -207,4 +210,3 @@ The deployment script displays the following exit codes to let you know if it wa ## Seeing data from computers in Upgrade Analytics After data is sent from computers to Microsoft, it generally takes 48 hours for the data to populate in Upgrade Analytics. The compatibility update KB takes several minutes to run. If the KB does not get a chance to finish running or if the computers are inaccessible (turned off or sleeping for example), data will take longer to populate in Upgrade Analytics. For this reason, you can expect most your computers to be populated in OMS in about 1-2 weeks after deploying the KB and configuration to user computers. - From ac09296fa1adb2e2f57d6bccaefa9bee5c234d09 Mon Sep 17 00:00:00 2001 From: Karthika Raman Date: Thu, 5 Jan 2017 15:38:45 -0800 Subject: [PATCH 16/39] more changes --- .../deploy/upgrade-analytics-get-started.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index f286a4ecad..5dc8cc72d9 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -81,10 +81,10 @@ Note: The compatibility update KB runs under the computer’s system account. If | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| -| `https://v10.vortex-win.data.microsoft.com/collect/v1` | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | -| `https://settings-win.data.microsoft.com/settings` | Enables the compatibility update KB to send data to Microsoft. | -| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc/extended` | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | -| `https://vortex.data.microsoft.com/health/keepalive`
`https://settings.data.microsoft.com/qos`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` | These endpoints are used to validate that user computers are sharing data with Microsoft. | +| `https://v10.vortex-win.data.microsoft.com/collect/v1`(Windows 10)

`https://Vortex-win.data.microsoft.com/health/keepalive` (Windows 7, and Windows 8.1) | Connected User Experience and Telemetry component endpoint. User computers send data to Microsoft through this endpoint. | +| `https://settings.data.microsoft.com/qos` (Windows 7, Windows 8.1 and Windows 10) | Enables the compatibility update KB to send data to Microsoft. | +| `https://go.microsoft.com/fwlink/?LinkID=544713`
`https://compatexchange1.trafficmanager.net/CompatibilityExchangeService.svc` (Windows 7, Windows 8.1 and Windows 10) | This service provides driver information about whether there will be a driver available post-upgrade for the hardware on the system. | + ## Deploy the compatibility update and related KBs @@ -178,19 +178,18 @@ The deployment script displays the following exit codes to let you know if it wa 4Error when logging to file. $logMode = 2. 5Error when logging to console and file. $logMode = unknown. 6The commercialID parameter is set to unknown. Modify the script. -7Function -CheckCommercialId: Unexpected failure. 8Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. 9Error when writing CommercialId to registry. 10Error when writing CommercialDataOptIn to registry. 11Function -SetupCommercialId: Unexpected failure. 12Can’t connect to Microsoft – Vortex. Check your network/proxy settings. -13Can’t connect to Microsoft – setting. Check your network/proxy settings. -14Can’t connect to Microsoft – compatexchange. Check your network/proxy settings. -15Error connecting to Microsoft. Check your network/proxy settings. +13Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly. +14Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted. +15Error connecting to Microsoft:Unexpected failure. 16Machine requires reboot. 17Function -CheckRebootRequired: Unexpected failure. 18Outdated compatibility update KB package. Update via Windows Update/WSUS. -19This machine doesn’t have the proper KBs installed. Make sure you have recent compatibility update KB downloaded. +19The compatibility update failed with unexpected exception. 20Error writing RequestAllAppraiserVersions registry key. 21Function – SetRequestAllAppraiserVersions: Unexpected failure. 22RunAppraiser failed with unexpected exception. 
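Review bot: in the exit-code hunk (@@ -178,19 +178,18 @@), rows 13 and 14 now tell the reader to verify that the required endpoints are whitelisted, while row 12 for Vortex keeps "Check your network/proxy settings", and the two new sentences differ from each other ("whitelisted correctly" vs "whitelisted"). Use one wording for all three connectivity rows and point it at the endpoint table. Row 19 replaces an actionable message (get the recent compatibility update KB) with "failed with unexpected exception" and no next step, row 15 needs a space after "Microsoft:", and row 7 is deleted with no indication of whether the script can still return it.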
@@ -200,9 +199,10 @@ The deployment script displays the following exit codes to let you know if it wa 26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs. 27The script is not running under System account. The Upgrade Analytics configuration script must be run as system. 28Could not create log file at the specified logPath. -29 Connectivity check failed. and the most likely cause is the updates required for authentication proxy are not installed. Install the cumulative updates on the machine and enable the authentication proxy settings through registry settings. You can find the instructions and the updates here: [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). For information on running the deployment script in environments that use authentication proxy, see [this blog post] (). -30This means that the connectivity check failed, and the most likely cause is that the registry key is not set correctly. For instructions on setting the registry keys, see [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). For information on running the deployment script in environments that use authentication proxy, see [this blog post] (). -30There is already an instance of CompatTelRunner.exe running on the machine. Check the Windows Task Manager to verify that the CompatTelRunner.exe is no longer running before running the script again. You may also have a scheduled task that is running the script, so you should verify to make sure that you don't have Upgrade Analytics scripts scheduled to run at the same time. +29 Connectivity check failed for proxy authentication. 
Install the cumulative updates on the machine and enable the authentication proxy settings : [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). +For more information on authentication proxy support, see [this blog post] (). +30This means that the connectivity check failed, and the most likely cause is that the proxy setting is not enabled correctly. For instructions on setting the registry keys, see [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). For more information on authentication proxy support, see [this blog post] (). +30There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. This could be because a scheduled task was running when the script was run, or a second instance of the script was launched before the first one was completed. From ae07b92b52fbf1bcb0550a7ddcd0ea53be955d05 Mon Sep 17 00:00:00 2001 From: rikot Date: Fri, 6 Jan 2017 13:21:54 -0500 Subject: [PATCH 17/39] Update save-bitlocker-key-surface-hub.md --- devices/surface-hub/save-bitlocker-key-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/save-bitlocker-key-surface-hub.md b/devices/surface-hub/save-bitlocker-key-surface-hub.md index 461864a1aa..2354de0f40 100644 --- a/devices/surface-hub/save-bitlocker-key-surface-hub.md +++ b/devices/surface-hub/save-bitlocker-key-surface-hub.md 
@@ -24,7 +24,7 @@ There are several ways to manage your BitLocker key on the Surface Hub. 2. If you’ve joined the Surface Hub to Azure Active Directory (Azure AD), the BitLocker key will be stored under the account that was used to join the device. -3. If you’re using a local admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive. +3. If you’re using an admin account to manage the device, you can save the BitLocker key by going to the **Settings** app and navigating to **Update & security** > **Recovery**. Insert a USB drive and select the option to save the BitLocker key. The key will be saved to a text file on the USB drive. ## Related topics From 2185bb4e38ae7faade2fd180a277c45dac632d54 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 6 Jan 2017 15:02:37 -0800 Subject: [PATCH 18/39] Removed innacurate para This para said the Interactive logon: Display user information when session is locked setting would prevent displaying logon name but that's not true in Win 10. --- .../interactive-logon-do-not-display-last-user-name.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md index 0177def043..5af92d1bcf 100644 --- a/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md +++ b/windows/keep-secure/interactive-logon-do-not-display-last-user-name.md 
@@ -34,8 +34,6 @@ If this policy is disabled, the full name of the last user to log on is displaye Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. -Depending on your security policy, you might also want to enable the [Interactive logon: Display user information when the session is locked](interactive-logon-display-user-information-when-the-session-is-locked.md) policy, which will prevent the Windows operating system from displaying the logon name when the session is locked or started. - ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options From 0847b63aac49fcaccaee2177b3eaa0328e0d8d5b Mon Sep 17 00:00:00 2001 From: Karthika Raman Date: Fri, 6 Jan 2017 16:03:09 -0800 Subject: [PATCH 19/39] adding fix for exit codes --- .../deploy/upgrade-analytics-get-started.md | 69 ++++++++++--------- 1 file changed, 35 insertions(+), 34 deletions(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 5dc8cc72d9..55c480daba 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md 
@@ -77,7 +77,7 @@ For Upgrade Analytics to receive and display upgrade readiness data from Microso To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this. -Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post]()to learn what you need to do to run it under the logged on user account. +Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688)to learn what you need to do to run it under the logged on user account. | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| @@ -170,39 +170,40 @@ The deployment script displays the following exit codes to let you know if it wa
-
Exit codeMeaning -
0Success -
1Unexpected error occurred while executing the script -
2Error when logging to console. $logMode = 0. -
3Error when logging to console and file. $logMode = 1. -
4Error when logging to file. $logMode = 2. -
5Error when logging to console and file. $logMode = unknown. -
6The commercialID parameter is set to unknown. Modify the script. -
8Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. -
9Error when writing CommercialId to registry. -
10Error when writing CommercialDataOptIn to registry. -
11Function -SetupCommercialId: Unexpected failure. -
12Can’t connect to Microsoft – Vortex. Check your network/proxy settings. -
13Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly. -
14Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted. -
15Error connecting to Microsoft:Unexpected failure. -
16Machine requires reboot. -
17Function -CheckRebootRequired: Unexpected failure. -
18Outdated compatibility update KB package. Update via Windows Update/WSUS. -
19The compatibility update failed with unexpected exception. -
20Error writing RequestAllAppraiserVersions registry key. -
21Function – SetRequestAllAppraiserVersions: Unexpected failure. -
22RunAppraiser failed with unexpected exception. -
23Error finding system variable %WINDIR%. -
24SetIEDataOptIn failed when writing IEDataOptIn to registry. -
25SetIEDataOptIn failed with unexpected exception. -
26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs. -
27The script is not running under System account. The Upgrade Analytics configuration script must be run as system. -
28Could not create log file at the specified logPath. -
29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the authentication proxy settings : [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). -For more information on authentication proxy support, see [this blog post] (). -
30This means that the connectivity check failed, and the most likely cause is that the proxy setting is not enabled correctly. For instructions on setting the registry keys, see [Win 7](https://support.microsoft.com/en-us/kb/3192403), [Win 8.1](https://support.microsoft.com/en-us/kb/3192404), [Win 10 Build 1511 (TH2)](https://support.microsoft.com/en-us/kb/3192441). For more information on authentication proxy support, see [this blog post] (). -
30There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. This could be because a scheduled task was running when the script was run, or a second instance of the script was launched before the first one was completed. +
Exit codeMeaningSuggest fix +
0Success +
1Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. +
2Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again. +
3Error when logging to console and file. $logMode = 1.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. +
4Error when logging to file. $logMode = 2.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. +
5Error when logging to console and file. $logMode = unknown.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. +
6The commercialID parameter is set to unknown. Modify the script.Set the value for CommercialID in runconfig.bat file. +
8Failure to create registry key path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection. Verify that the configuration script has access to this location. +
9Error when writing CommercialId to registry.Verify that the configuration script has access to this location. +
10Error when writing CommercialDataOptIn to registry.Verify that the configuration script has access to this location. +
11Function -SetupCommercialId: Unexpected failure.Verify that the configuration script has access to this location. +
12Can’t connect to Microsoft – Vortex. Check your network/proxy settings.Verify that the required endpoints are whitelisted correctly. +
13Can’t connect to Microsoft – setting. Verify that the required endpoints are whitelisted correctly. +
14Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted. +
15Error connecting to Microsoft:Unexpected failure. +
16Machine requires reboot. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. +
17Function -CheckRebootRequired: Unexpected failure.he reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. +
18Outdated compatibility update KB package. Update via Windows Update/WSUS. +The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1. On Windows 10, the Compatibility update is part of the cumulative updates and is not available as a separate package. +
19The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. +
20Error writing RequestAllAppraiserVersions registry key. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. +
21Function – SetRequestAllAppraiserVersions: Unexpected failure.This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. +
22RunAppraiser failed with unexpected exception. Check %windr%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file. +
23Error finding system variable %WINDIR%. Make sure that this environment variable is available on the machine. +
24SetIEDataOptIn failed when writing IEDataOptIn to registry. Verify that the deployment script in running in a context that has access to the registry key. +
25SetIEDataOptIn failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. +
26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs. +
27The script is not running under System account.The Upgrade Analytics configuration script must be run as system. +
28Could not create log file at the specified logPath. Make sure the deployment script has access to the location specified in the logPath parameter. +
29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). +
30Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` to **0** (not disabled).For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). +
30There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script. +**The Upgrade Analytics task is scheduled to run daily at 3 a.m.**
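Review bot: Exit code 30 is assigned to two different rows at the end of the added table (the `DisableEnterpriseAuthProxy` connectivity failure and the "more than one instance" collision), so an admin who sees 30 cannot tell which fix applies. The removed table had the same duplicate, and this rewrite is the place to confirm the numbering against the script and give each condition its own code. In the same hunk, row 17 starts "he reboot is required" (dropped "T"), row 22 says `%windr%` where row 23 uses `%WINDIR%`, and row 24 reads "in running" for "is running". Rows 29 and 30 say the setting "is enabled by default" and then tell the reader to set it to **0** (not disabled), which is hard to parse for a value named `DisableEnterpriseAuthProxy`; state the expected registry value directly.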
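Review bot: In the @@ -77,7 hunk, the added Note line still runs the link into the next word: `[this blog post](https://go.microsoft.com/fwlink/?linkid=838688)to learn`. Add a space after the closing parenthesis so the rendered sentence reads "this blog post to learn".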
From fa6f1b0bcfea848058fc0d638e13b68b441908e9 Mon Sep 17 00:00:00 2001 From: Karthika Raman Date: Mon, 9 Jan 2017 09:17:22 -0800 Subject: [PATCH 20/39] fixing typo in the column --- windows/deploy/upgrade-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index cf7fe652bc..e2d2633d84 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -170,7 +170,7 @@ The deployment script displays the following exit codes to let you know if it wa
- - + From 2f6e83a834bc03f1849ad08e7f652682fdf66ff2 Mon Sep 17 00:00:00 2001 From: Justinha Date: Mon, 9 Jan 2017 14:52:37 -0800 Subject: [PATCH 28/39] added new topic for abstract of Cred theft mitigation guide on DLC --- windows/keep-secure/TOC.md | 1 + .../keep-secure/images/security-stages.png | Bin 0 -> 16614 bytes ...dential-theft-mitigation-guide-abstract.md | 67 ++++++++++++++++++ 3 files changed, 68 insertions(+) create mode 100644 windows/keep-secure/images/security-stages.png create mode 100644 windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index f063fa884b..52b2dc6ca2 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -871,4 +871,5 @@ ### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) +### [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) 
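Review bot: The added TOC entry is in title case ("Windows 10 Credential Theft Mitigation Guide Abstract") while the neighbouring entries in this hunk use sentence case ("Microsoft Passport guide", "Windows 10 Mobile security guide", "Windows 10 security overview"). Lower-case the entry to match before merging, so it does not need a follow-up commit.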
diff --git a/windows/keep-secure/images/security-stages.png b/windows/keep-secure/images/security-stages.png new file mode 100644 index 0000000000000000000000000000000000000000..249ced9d4b5bf6099d2d35c109d5b4c5c9bf38e8 GIT binary patch literal 16614
Date: Mon, 9 Jan 2017 14:55:46 -0800 Subject: [PATCH 29/39] fixed typos --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 52b2dc6ca2..99abea5c99 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -871,5 +871,5 @@ ### [Microsoft Passport guide](microsoft-passport-guide.md) ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) -### [Windows 10 Credential Theft Mitigation Guide Abstract](windows-credential-theft-mitigation-guide-abstract.md) +### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) From dc8dddb0cb3873c179edf07b098cda5e42944e9d Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Mon, 9 Jan 2017 15:35:20 -0800 Subject: [PATCH 30/39] changes topics in plan and deploy --- windows/deploy/change-history-for-deploy-windows-10.md | 5 +++++ .../change-history-for-plan-for-windows-10-deployment.md | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/windows/deploy/change-history-for-deploy-windows-10.md b/windows/deploy/change-history-for-deploy-windows-10.md index f7e67993e5..b244f70c5c 100644 --- a/windows/deploy/change-history-for-deploy-windows-10.md +++ b/windows/deploy/change-history-for-deploy-windows-10.md 
@@ -11,6 +11,11 @@ author: greg-lindsay # Change history for Deploy Windows 10 This topic lists new and updated topics in the [Deploy Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## January 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Get started with Upgrade Analytics](upgrade-analytics-get-started.md) | Updated exit code table with suggested fixes, and added link to the Upgrade Analytics blog | + ## October 2016 | New or changed topic | Description | |----------------------|-------------| diff --git a/windows/plan/change-history-for-plan-for-windows-10-deployment.md b/windows/plan/change-history-for-plan-for-windows-10-deployment.md index db42adde11..6d43bdcb7f 100644 --- a/windows/plan/change-history-for-plan-for-windows-10-deployment.md +++ b/windows/plan/change-history-for-plan-for-windows-10-deployment.md @@ -13,6 +13,11 @@ author: TrudyHa This topic lists new and updated topics in the [Plan for Windows 10 deployment](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## January 2017 +| New or changed topic | Description | +|----------------------|-------------| +| [Windows 10 Infrastructure Requirements](windows-10-infrastructure-requirements.md) | Added link for Windows Server 2008 R2 and Windows 7 activation and a link to Windows Server 2016 Volume Activation Tips | + ## September 2016 | New or changed topic | Description | From 090ecb8f828b41ccd6b091363ed8951a95de6bc0 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Mon, 9 Jan 2017 16:08:30 -0800 Subject: [PATCH 31/39] Fixed a link to an outside website --- windows/keep-secure/smart-card-architecture.md | 2 +- .../keep-secure/smart-card-smart-cards-for-windows-service.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/smart-card-architecture.md b/windows/keep-secure/smart-card-architecture.md index 84d38741cf..41b2dcc225 100644 
--- a/windows/keep-secure/smart-card-architecture.md +++ b/windows/keep-secure/smart-card-architecture.md @@ -74,7 +74,7 @@ Credential providers must be registered on a computer running Windows, and they ## Smart card subsystem architecture -Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](http://www.pcscworkgroup.com/specifications/overview.php). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware. +Vendors provide smart cards and smart card readers, and in many cases the vendors are different for the smart card and the smart card reader. Drivers for smart card readers are written to the [Personal Computer/Smart Card (PC/SC) standard](https://www.pcscworkgroup.com/). Each smart card must have a Credential Service Provider (CSP) that uses the CryptoAPI interfaces to enable cryptographic operations, and the WinSCard APIs to enable communications with smart card hardware. ### Base CSP and smart card minidriver architecture diff --git a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md index a0c0edd3dc..1c4f17a7f2 100644 --- a/windows/keep-secure/smart-card-smart-cards-for-windows-service.md +++ b/windows/keep-secure/smart-card-smart-cards-for-windows-service.md 
@@ -14,7 +14,7 @@ Applies To: Windows 10, Windows Server 2016 This topic for the IT professional and smart card developers describes how the Smart Cards for Windows service (formerly called Smart Card Resource Manager) manages readers and application interactions. -The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications Overview](http://www.pcscworkgroup.com/specifications/overview.php). +The Smart Cards for Windows service provides the basic infrastructure for all other smart card components as it manages smart card readers and application interactions on the computer. It is fully compliant with the specifications set by the PC/SC Workgroup. For information about these specifications, see the [PC/SC Workgroup Specifications website](https://www.pcscworkgroup.com/). The Smart Cards for Windows service runs in the context of a local service, and it is implemented as a shared service of the services host (svchost) process. The Smart Cards for Windows service, Scardsvr, has the following service description: From bbb8d609c4f6905d4be7531af2c297b14b105f61 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 10 Jan 2017 12:58:25 -0800 Subject: [PATCH 32/39] isaiah feedback --- ...ine-deployment-surface-hub-device-accounts.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md index e42598a51d..d823adf130 100644 --- a/devices/surface-hub/online-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/online-deployment-surface-hub-device-accounts.md 
@@ -54,13 +54,10 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow $easPolicy = New-MobileDeviceMailboxPolicy -Name “SurfaceHubs” -PasswordEnabled $false ``` - Once you have a compatible policy, then you will need to apply the policy to the device account. However, policies can only be applied to user accounts and not resource mailboxes. You need to convert the mailbox into a user type, apply the policy, and then convert it back into a mailbox—you may need to re-enable it and set the password again too. + Once you have a compatible policy, then you will need to apply the policy to the device account. ```PowerShell - Set-Mailbox 'HUB01@contoso.com' -Type Regular Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id - Set-Mailbox 'HUB01@contoso.com' -Type Room - Set-Mailbox 'HUB01@contoso.com' -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) -EnableRoomMailboxAccount $true ``` 4. Various Exchange properties must be set on the device account to improve the meeting experience. You can see which properties need to be set in the [Exchange properties](exchange-properties-for-surface-hub-device-accounts.md) section. @@ -113,7 +110,9 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow ```PowerShell Get-CsOnlineUser -Identity ‘alice@contoso.com’| fl *registrarpool* + ``` OR by setting a variable + ```PowerShell $strRegistrarPool = (Get-CsOnlineUser -Identity ‘alice@contoso.com’).RegistrarPool ``` 
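Review bot: In the @@ -54,13 hunk, the removed sentence said that policies can only be applied to user accounts and not resource mailboxes, and the `Set-Mailbox ... -Type Regular` / `-Type Room` round trip existed for that reason; the new text applies `Set-CASMailbox 'HUB01@contoso.com' -ActiveSyncMailboxPolicy $easPolicy.Id` directly without saying why the restriction no longer applies. The subject "isaiah feedback" does not record it either. If the policy can now be assigned to the device account as it is, say so in the topic or the commit message, so readers who followed the older steps know the conversion and the `-RoomMailboxPassword` reset are no longer needed.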
@@ -128,11 +127,10 @@ If you have a pure, online (O365) deployment, then you can [use the provided Pow Alternatively, You can assign a license to the Surface Hub through the Office 365 administrators portal: 1. Sign in as a tenant administrator, open the O365 Administrative Portal, and click the Admin app. -1. Click **Users and Groups** and then **Add users, reset passwords, and more**. -1. Select the Surface Hub account, and then click or tap the pen icon, which means edit. -1. Click the **Licenses** option. -1. In the **Assign licenses** section, select an appropriate license that meets the requirements in step 7 depending on your licensing and what you've decided in terms of needing Enterprise Voice. -1. Click **Save** and you're done. +1. Click **Users** > **Active users**. +1. Select the Surface Hub account. Under **Product licenses** (or **Assigned Licenses** if you’re using the old admin center), click **Edit**. +1. Select an appropriate license that meets the requirements in Step 7. +1. Click **Save**. From ab1fe0d1e617c875acc260816df60b88fb705d7f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Tue, 10 Jan 2017 13:04:32 -0800 Subject: [PATCH 33/39] added to change history --- devices/surface-hub/change-history-surface-hub.md | 1 + 1 file changed, 1 insertion(+) diff --git a/devices/surface-hub/change-history-surface-hub.md b/devices/surface-hub/change-history-surface-hub.md index f85267c41d..81f40741b7 100644 --- a/devices/surface-hub/change-history-surface-hub.md +++ b/devices/surface-hub/change-history-surface-hub.md 
@@ -19,6 +19,7 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac | New or changed topic | Description | | --- | --- | | [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) | Added graphics cards verified to work with 84" Surface Hubs and added information about the lengths of cables. | +| [Online deployment](online-deployment-surface-hub-device-accounts.md) | Updated procedures for adding a device account for your Microsoft Surface Hub when you have a pure, online deployment. | ## December 2016 From fb6eb0cd890a3bf2e30ee7ec0451c4c0dbf84fe1 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 10 Jan 2017 14:01:32 -0800 Subject: [PATCH 34/39] change telemetry to sensor data --- ...ript-windows-defender-advanced-threat-protection.md | 2 +- ...ints-windows-defender-advanced-threat-protection.md | 2 +- ...rnet-windows-defender-advanced-threat-protection.md | 2 +- ...ines-windows-defender-advanced-threat-protection.md | 10 +++++----- ...ents-windows-defender-advanced-threat-protection.md | 2 +- ...ding-windows-defender-advanced-threat-protection.md | 4 ++-- .../windows-defender-advanced-threat-protection.md | 4 ++-- 7 files changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md index a2643013c6..50903ddc26 100644 --- a/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-script-windows-defender-advanced-threat-protection.md 
@@ -45,7 +45,7 @@ You can also manually onboard individual endpoints to Windows Defender ATP. You 5. Press the **Enter** key or click **OK**. -For for information on how you can manually validate that the endpoint is compliant and correctly reports telemetry see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). +For for information on how you can manually validate that the endpoint is compliant and correctly reports sensor data see, [Troubleshoot Windows Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md). ## Configure sample collection settings For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. diff --git a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md index 18864595b3..cca969958e 100644 --- a/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-windows-defender-advanced-threat-protection.md 
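Review bot: The changed line in configure-endpoints-script-windows-defender-advanced-threat-protection.md still opens with "For for information" and ends with "sensor data see, [Troubleshoot ...", so the duplicated word and the misplaced comma survive the edit. Since the line is being replaced anyway, drop the second "for" and move the comma so it reads "... correctly reports sensor data, see [Troubleshoot ...".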
@@ -21,7 +21,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Endpoints in your organization must be configured so that the Windows Defender ATP service can get telemetry from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization. +Endpoints in your organization must be configured so that the Windows Defender ATP service can get sensor data from them. There are various methods and deployment tools that you can use to configure the endpoints in your organization. Windows Defender ATP supports the following deployment tools and methods: diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md index c24886d168..38a3f1edc2 100644 --- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -22,7 +22,7 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service. +The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. The embedded Windows Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Windows Defender ATP cloud service. 
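Review bot: In the configure-proxy-internet hunk (@@ -22,7 +22,7 @@), the replaced line still reads "The Window Defender ATP sensor"; correct the product name to "Windows Defender ATP" in the same edit. The identical sentence is changed in the troubleshoot-onboarding hunk later in this patch and needs the same fix.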
diff --git a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md index eec0ada5a4..bc3e8df73d 100644 --- a/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/investigate-machines-windows-defender-advanced-threat-protection.md 
@@ -21,12 +21,12 @@ localizationpriority: high - Windows 10 Pro Education - Windows Defender Advanced Threat Protection (Windows Defender ATP) -The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting telemetry in your network. +The **Machines view** shows a list of the machines in your network, the corresponding number of active alerts for each machine categorized by alert severity levels, and the number of active malware detections. This view allows you to identify machines with the highest risk at a glance, and keep track of all the machines that are reporting sensor data in your network. Use the Machines view in these two main scenarios: - **During onboarding** - - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report telemetry. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported telemetry, or download the complete endpoint list as a CSV file for offline analysis. + - During the onboarding process, the Machines view gradually gets populated with endpoints as they begin to report sensor data. Use this view to track your onboarded endpoints as they appear. Use the available features to sort and filer to see which endpoints have most recently reported sensor data, or download the complete endpoint list as a CSV file for offline analysis. - **Day-to-day work** - The **Machines view** enables you to identify machines that are most at risk in a glance. High-risk machines are those with the greatest number and highest-severity alerts. 
By sorting the machines by risk, you'll be able to identify the most vulnerable machines and take action on them. @@ -34,7 +34,7 @@ The Machines view contains the following columns: - **Machine name** - the name or GUID of the machine - **Domain** - the domain the machine belongs to -- **Last seen** - when the machine last reported telemetry +- **Last seen** - when the machine last reported sensor data - **Internal IP** - the local internal Internet Protocol (IP) address of the machine - **Active Alerts** - the number of alerts reported by the machine by severity - **Active malware detections** - the number of active malware detections reported by the machine @@ -59,7 +59,7 @@ You can filter the view by the following time periods: - 6 months > [!NOTE] -> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported telemetry within the last 24-hour period. +> When you select a time period, the list will only display machines that reported within the selected time period. For example, selecting 1 day will only display a list of machines that reported sensor data within the last 24-hour period. The threat category filter lets you filter the view by the following categories: 
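Review bot: In the @@ -21,12 +21,12 @@ hunk of investigate-machines-windows-defender-advanced-threat-protection.md, the rewritten onboarding bullet keeps the typo "sort and filer"; change it to "sort and filter" while the line is open. The same hunk's context uses both "at a glance" and "in a glance", which could be made consistent at the same time.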
@@ -94,7 +94,7 @@ When you investigate a specific machine, you'll see: - **Alerts related to this machine** - **Machine timeline** -The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting telemetry to the Windows Defender ATP service. +The machine details, IP, and reporting sections display some attributes of the machine such as its name, domain, OS, IP address, and how long it's been reporting sensor data to the Windows Defender ATP service. The **Alerts related to this machine** section provides a list of alerts that are associated with the machine. This list is a simplified version of the [Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md), and shows the date that the alert was detected, a short description of the alert, the alert's severity, the alert's threat category, and the alert's status in the queue. diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md index a3358422cb..55a3242e78 100644 --- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -61,7 +61,7 @@ Before you configure endpoints, the telemetry and diagnostics service must be en ### Telemetry and diagnostics settings You must ensure that the telemetry and diagnostics service is enabled on all the endpoints in your organization. -By default, this service is enabled, but it's good practice to check to ensure that you'll get telemetry from them. +By default, this service is enabled, but it's good practice to check to ensure that you'll get sensor data from them. **Use the command line to check the Windows 10 telemetry and diagnostics service startup type**: 
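Review bot: In the minimum-requirements hunk (@@ -61,7 +61,7 @@), the new sentence ends with "you'll get sensor data from them" directly under a heading and a sentence that still say "telemetry and diagnostics service". If the service name is intentionally left unchanged, say in one clause that this service is what delivers the sensor data; otherwise readers will take the two terms for two different things.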
diff --git a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md index 1cb5843937..e95197be01 100644 --- a/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md @@ -1,7 +1,7 @@ --- title: Troubleshoot Windows Defender ATP onboarding issues description: Troubleshoot issues that might arise during the onboarding of endpoints or to the Windows Defender ATP service. -keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, telemetry and diagnostics +keywords: troubleshoot onboarding, onboarding issues, event viewer, data collection and preview builds, sensor data and diagnostics search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy @@ -214,7 +214,7 @@ First, you should check that the service is set to start automatically when Wind ### Ensure the endpoint has an Internet connection -The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report telemetry and communicate with the Windows Defender ATP service. +The Window Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Windows Defender ATP service. WinHTTP is independent of the Internet browsing proxy settings and other user context applications and must be able to detect the proxy servers that are available in your particular environment. diff --git a/windows/keep-secure/windows-defender-advanced-threat-protection.md b/windows/keep-secure/windows-defender-advanced-threat-protection.md index 169cf8daa0..3dc835c6a2 100644 --- a/windows/keep-secure/windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/windows-defender-advanced-threat-protection.md 
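Review bot: The front-matter change in troubleshoot-onboarding-windows-defender-advanced-threat-protection.md rewrites the keywords entry to "sensor data and diagnostics", but keywords are search terms and the service is still called the telemetry and diagnostics service in the minimum-requirements topic touched by this same patch. Keep "telemetry and diagnostics" in the list and add "sensor data" as an extra keyword instead of substituting it.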
@@ -32,7 +32,7 @@ Windows Defender ATP uses the following combination of technology built into Win - **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system (for example, process, registry, file, and network communications) - and sends this telemetry to your private, isolated, cloud instance of Windows Defender ATP. + and sends this sensor data to your private, isolated, cloud instance of Windows Defender ATP. - **Cloud security analytics**: Leveraging big-data, machine-learning, and @@ -47,7 +47,7 @@ Windows Defender ATP uses the following combination of technology built into Win and augmented by threat intelligence provided by partners, threat intelligence enables Windows Defender ATP to identify attacker tools, techniques, and procedures, and generate alerts when these - are observed in collected telemetry. + are observed in collected sensor data. The following diagram shows these Windows Defender ATP service components: From 99998a10ee6c484022a8e56184da4ce5bfd95d8f Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 10 Jan 2017 16:24:33 -0800 Subject: [PATCH 35/39] New SSO topic --- windows/keep-secure/TOC.md | 1 + ...n-on-sso-over-vpn-and-wi-fi-connections.md | 76 +++++++++++++++++++ 2 files changed, 77 insertions(+) create mode 100644 windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 99abea5c99..ee6d27ee47 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
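Review bot: In the @@ -32,7 +32,7 @@ hunk of windows-defender-advanced-threat-protection.md, the sentence now reads "these sensors collect and process behavioral signals ... and sends this sensor data", so a plural subject is followed by "sends"; change it to "send". "Sensors ... send this sensor data" is also repetitive after the rename, and "send this data" would carry the same meaning.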
@@ -872,4 +872,5 @@ ### [Windows 10 Mobile security guide](windows-10-mobile-security-guide.md) ### [Windows 10 security overview](windows-10-security-guide.md) ### [Windows 10 credential theft mitigation guide abstract](windows-credential-theft-mitigation-guide-abstract.md) +### [How to use single sign-on (SSO) over VPN and Wi-Fi connections](how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md) ## [Change history for Keep Windows 10 secure](change-history-for-keep-windows-10-secure.md) diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md new file mode 100644 index 0000000000..a65fe6f219 --- /dev/null +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md 
@@ -0,0 +1,76 @@ +--- +title: How to use single sign on (SSO) over VPN and Wi-Fi connections (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: brianlic-msft +--- + +# How to use single sign on (SSO) over VPN and Wi-Fi connections + +This topic explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The scenario is: + +- You connect to a network using Wi-Fi or VPN. +- You want to use the credentials that you use for the WiFi or VPN authentication to also authenticate requests to access a domain resource you are connecting to, without being prompted for your domain credentials separately. + +For example, you want to connect to a corporate network and access an internal website that requires Windows integrated authentication. + +At a high level, the way this works is that the credentials that are used for the connection authentication are put in Credential Manager as the default credentials for the logon session. +Credential Manager is a place where credentials in the OS are can be stored for specific domain resources based on the targetname of the resource. +For VPN, the VPN stack saves its credential as the session default. +For WiFi, EAP does it. + +The credentials are put in Credential Manager as a "*Session" credential. +A "*Session" credential implies that it is valid for the current user session. +The credentials are also cleaned up when the WiFi or VPN connection is disconnected. + +When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so WinInit.exe can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
+For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). + +WinInit.exe will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. +If the app is not UWP, it does not matter. +But if it is a UWP app, it will look at the device capability for Enterprise Authentication. +If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. + +## Intranet zone + +For the Intranet zone, by default it only allows single-label names, such as Http://finance. +If the resource that needs to be accessed has multiple domain labels, then the workaround is to use the [Registry CSP](https://msdn.microsoft.com/library/windows/hardware/dn904964.aspx). + +### Setting the ZoneMap + +The ZoneMap is controlled using a registry that can be set through MDM. +By default, single-label names such as http://finance are already in the intranet zone. +For multi-label names, such as http://finance.net, the ZoneMap needs to be updated. + +## MDM Policy + +OMA URI example: + +./Vendor/MSFT/Registry/HKU/S-1-5-21-2702878673-795188819-444038987-2781/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/``/* as an Integer Value of 1 for each of the domains that you want to SSO into from your device. This adds the specified domains to the Intranet Zone of the Edge browser. 
+ +## Credential requirements + +For VPN, the following types of credentials will be added to credential manager after authentication: + +- Username and password +- Certificate-based authentication: + - TPM KSP Certificate + - Software KSP Certificates + - Smart Card Certificate + - Passport for Work Certificate + +The username should also include a domain that can be reached over the connection (VPN or WiFi). + +## User certificate templates + +If the credentials are certificate-based, then the elements in the following table need to be configured for the certificate templates to ensure they can also be used for Kerberos client authentication. + +| TEmplate element | Configuration | +|------------------|---------------| +| SubjectName | The user’s distinguished name (DN) where the domain components of the distinguished name reflects the internal DNS namespace when the SubjectAlternativeName does not have the fully qualified UPN required to find the domain controller.
This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located. | +| SubjectAlternativeName | The user’s fully qualified UPN where a domain name component of the user’s UPN matches the organizations internal domain’s DNS namespace.
This requirement is particularly relevant in multi-forest environments as it ensures a domain controller can be located when the SubjectName does not have the DN required to find the domain controller. | +| Key Storage Provider (KSP) | If the device is joined to Azure AD, a discrete SSO certificate is used. This certificate must be issued using the PassportForWork CSP. | +| EnhancedKeyUsage | One or more of the following EKUs is required:
- Client Authentication (for the VPN)
- EAP Filtering OID (for PassportForWork)
- SmartCardLogon (for Azure AD joined devices)
If the domain controllers require smart card EKU either:
- SmartCardLogon
- id-pkinit-KPClientAuth (1.3.6.1.5.2.3.4)
Otherwise:
- TLS/SSL Client Authentication (1.3.6.1.5.5.7.3.2) | From 8e8e10d3e4ef7acaacfabb78229fa135336fd099 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 10 Jan 2017 16:28:59 -0800 Subject: [PATCH 36/39] fixed formatting --- ...o-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index a65fe6f219..37f2385dd6 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -22,8 +22,8 @@ Credential Manager is a place where credentials in the OS are can be stored for For VPN, the VPN stack saves its credential as the session default. For WiFi, EAP does it. -The credentials are put in Credential Manager as a "*Session" credential. -A "*Session" credential implies that it is valid for the current user session. +The credentials are put in Credential Manager as a "`*Session`" credential. +A "`*Session`" credential implies that it is valid for the current user session. The credentials are also cleaned up when the WiFi or VPN connection is disconnected. When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so WinInit.exe can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. From c37bcd00dae66178f885158a762ff93938889fd9 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 10 Jan 2017 17:09:11 -0800 Subject: [PATCH 37/39] added link --- .../windows-credential-theft-mitigation-guide-abstract.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
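Review bot: In the new SSO topic (@@ -0,0 +1,76 @@), the OMA URI example under "MDM Policy" has an empty code span where the domain name belongs ("ZoneMap/Domains/``/*"), which suggests a placeholder was lost in formatting, and it hardcodes one user SID ("HKU/S-1-5-21-2702878673-795188819-444038987-2781") without saying that it must be replaced. Put the whole URI in a code span with named placeholders for the SID and the domain, and state that only the hosts that need SSO should be listed, since the topic itself says Intranet zone membership is what allows the credential to be released. Smaller items in the same hunk: "credentials in the OS are can be stored" and the table header "TEmplate element".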
diff --git a/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md b/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md index 0386127ed4..44a10d1bbe 100644 --- a/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/keep-secure/windows-credential-theft-mitigation-guide-abstract.md @@ -14,7 +14,7 @@ author: justinha **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the Microsoft Download Center. +This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](http://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows 10 credential theft mitigation guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets From 6af8392cd15adcbb847cc3a97742cc4e8abc3be3 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 10 Jan 2017 17:19:27 -0800 Subject: [PATCH 38/39] fixed author --- ...o-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index 37f2385dd6..827fe72de7 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md +++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md 
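Review bot: The link destination added in windows-credential-theft-mitigation-guide-abstract.md contains unencoded spaces (".../Windows 10 credential theft mitigation guide.docx"), which a Markdown link destination does not allow unless it is wrapped in angle brackets, so the link is unlikely to render as written. Encode the spaces as %20 or wrap the destination in angle brackets, and use https for the download URL if the host serves it.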
@@ -1,11 +1,11 @@ --- title: How to use single sign on (SSO) over VPN and Wi-Fi connections (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Accounts Guest account status security policy setting. +description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: brianlic-msft +author: justinha --- # How to use single sign on (SSO) over VPN and Wi-Fi connections From a354df4713e55e85ddc9f8011bde0528c67ad98a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 11 Jan 2017 08:18:25 -0800 Subject: [PATCH 39/39] Fixed branding --- windows/keep-secure/using-owa-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md index 7610b5120a..f4046b30a6 100644 --- a/windows/keep-secure/using-owa-with-wip.md +++ b/windows/keep-secure/using-owa-with-wip.md @@ -27,7 +27,7 @@ Because Outlook Web Access (OWA) can be used both personally and as part of your |Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | >[!NOTE] ->These limitations don’t apply to Outlook 2016 or to the Office365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. +>These limitations don’t apply to Outlook 2016 or to the Office 365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings.
Exit codeMeaningSuggest fix +
Exit codeMeaningSuggested fix
0Success
1Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
2Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again. From 310c015f321801221e47dc4b502a8ea4297028fb Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Mon, 9 Jan 2017 10:24:08 -0800 Subject: [PATCH 21/39] bbb --- .../deploy/upgrade-analytics-get-started.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index e2d2633d84..957c73cd4d 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -77,7 +77,7 @@ For Upgrade Analytics to receive and display upgrade readiness data from Microso To enable data sharing, whitelist the following endpoints. Note that you may need to get approval from your security group to do this. -Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688)to learn what you need to do to run it under the logged on user account. +Note: The compatibility update KB runs under the computer’s system account. If you are using user authenticated proxies, read [this blog post](https://go.microsoft.com/fwlink/?linkid=838688) to learn what you need to do to run it under the logged on user account. | **Endpoint** | **Function** | |---------------------------------------------------------|-----------| @@ -92,8 +92,8 @@ The compatibility update KB scans your computers and enables application usage t | **Operating System** | **KBs** | |----------------------|-----------------------------------------------------------------------------| -| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | -| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see
[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. | +| Windows 8.1 | [KB 2976978](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2976978)
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see

[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2976978 must be installed before you can download and install KB3150513. | +| Windows 7 SP1 | [KB2952664](http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB2952664)
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues may be encountered when the latest Windows operating system is installed.
For more information about this KB, see

[KB 3150513](https://catalog.update.microsoft.com/v7/site/Search.aspx?q=3150513)
Provides updated configuration and definitions for compatibility diagnostics performed on the system.
For more information about this KB, see
NOTE: KB2952664 must be installed before you can download and install KB3150513. | IMPORTANT: Restart user computers after you install the compatibility update KBs for the first time. @@ -172,7 +172,7 @@ The deployment script displays the following exit codes to let you know if it wa
Exit codeMeaningSuggested fix
0Success -
1Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. +
1Unexpected error occurred while executing the script The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
2Error when logging to console. $logMode = 0. Try changing the $logMode value to **1** and try again.
3Error when logging to console and file. $logMode = 1.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location.
4Error when logging to file. $logMode = 2.Verify that you have set the logPath parameter in RunConfig.bat, and that the configuration script has access to connect and write to this location. @@ -187,21 +187,21 @@ The deployment script displays the following exit codes to let you know if it wa
14Can’t connect to Microsoft – compatexchange. Verify that the required endpoints are whitelisted.
15Error connecting to Microsoft:Unexpected failure.
16Machine requires reboot. The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. -
17Function -CheckRebootRequired: Unexpected failure.he reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script. +
17Function -CheckRebootRequired: Unexpected failure.The reboot is required to complete the installation of the compatibility update and related KBs. Reboot the machine before running the Upgrade Analytics deployment script.
18Outdated compatibility update KB package. Update via Windows Update/WSUS. The configuration script detected a version of the Compatibility update module that is older than the minimum required to correctly collect the data required by Upgrade Analytics solution. Use the latest version of the Compatibility update for Windows 7 SP1/Windows 8.1. -
19The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again. +
19The compatibility update failed with unexpected exception. The files in the deployment script are likely corrupted. Download the [latest script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) from the download center and try again.
20Error writing RequestAllAppraiserVersions registry key. This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location.
21Function – SetRequestAllAppraiserVersions: Unexpected failure.This registry key is required for data collection to work correctly. Verify that the configuration script has access to this location. -
22RunAppraiser failed with unexpected exception. Check %windr%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file. +
22RunAppraiser failed with unexpected exception. Check %windir%\System32 directory for a file called CompatTelRunner.exe. If the file does not exist, reinstall the required compatibility updates which include this file, and check your organization group policy to make sure it does not remove this file.
23Error finding system variable %WINDIR%. Make sure that this environment variable is available on the machine.
24SetIEDataOptIn failed when writing IEDataOptIn to registry. Verify that the deployment script in running in a context that has access to the registry key.
25SetIEDataOptIn failed with unexpected exception. The files in the deployment script are likely corrupted. Download the latest script from the [download center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409) and try again.
26The operating system is Server or LTSB SKU. The script does not support Server or LTSB SKUs.
27The script is not running under System account.The Upgrade Analytics configuration script must be run as system.
28Could not create log file at the specified logPath. Make sure the deployment script has access to the location specified in the logPath parameter. -
29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). -
30Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` to **0** (not disabled).For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). +
29 Connectivity check failed for proxy authentication. Install the cumulative updates on the machine and enable the `DisableEnterpriseAuthProxy` authentication proxy setting. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688). +
30Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled. The `DisableEnterpriseAuthProxy` setting is enabled by default for Windows 7. For Windows 8.1 machines, set the `DisableEnterpriseAuthProxy` setting to **0** (not disabled). For more information on authentication proxy support, see [this blog post](https://go.microsoft.com/fwlink/?linkid=838688).
30There is more than one instance of the Upgrade Analytics data collector running at the same time on this machine. Use the Windows Task Manager to check if CompatTelRunner.exe is running, and wait until it has completed to rerun the script. **The Upgrade Analytics task is scheduled to run daily at 3 a.m.**
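Review bot: the exit-code table still lists code 30 twice after this hunk: the `+` row "30 Connectivity check failed. Registry key property `DisableEnterpriseAuthProxy` is not enabled." is followed by an unchanged row that also uses 30 for "more than one instance of the Upgrade Analytics data collector running". Give one of them the code the script actually returns, otherwise a reader who sees exit code 30 cannot tell which suggested fix applies. Two smaller points in the same table: rows 1 and 19 move to the "[latest script](...) from the download center" wording while row 25 keeps the old "[download center]" link text, and the unchanged row 24 still reads "the deployment script in running in a context"; both are worth fixing in this pass.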
From 7140585fb09945976ae1fca92994e74a4400911c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 9 Jan 2017 10:53:45 -0800 Subject: [PATCH 22/39] Renaming file --- ...ended-office-365-configurations-for-wip.md | 4 +- windows/keep-secure/using-owa-with-wip.md | 64 +++++++++++++++++++ 2 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 windows/keep-secure/using-owa-with-wip.md diff --git a/windows/keep-secure/recommended-office-365-configurations-for-wip.md b/windows/keep-secure/recommended-office-365-configurations-for-wip.md index b243ede2f4..193528b36e 100644 --- a/windows/keep-secure/recommended-office-365-configurations-for-wip.md +++ b/windows/keep-secure/recommended-office-365-configurations-for-wip.md @@ -1,5 +1,5 @@ --- -title: Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) (Windows 10) +title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10) description: Recommendations about how to configure Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, with Windows Information Protection (WIP). keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Office 2016 configuration, WIP and Office 365 Mail app ms.prod: w10 @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high --- -# Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) +# Using Outlook Web Access with Windows Information Protection (WIP) **Applies to:** - Windows 10, version 1607 diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md new file mode 100644 index 0000000000..b243ede2f4 --- /dev/null +++ b/windows/keep-secure/using-owa-with-wip.md 
@@ -0,0 +1,64 @@ +--- +title: Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) (Windows 10) +description: Recommendations about how to configure Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, with Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Office 2016 configuration, WIP and Office 365 Mail app +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +--- + +# Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). + +Because the Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, can be used both personally and as part of your organization, we recommend the following configurations: + + + + + + + + + + + + + + + + + + + + + + + + +
OptionOWA behaviorOffice 365 behavior
Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app.Disabled.Both Outlook 2016 and the Office 365 Mail app behave properly, regardless of how you've configured outlook.office.com in your network settings.
An employee's mailbox is automatically marked as corporate data.
Don't configure outlook.office.com in any of your networking settings.All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data.
Do any of the following: +
    +
  • Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
  • +
  • Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
  • +
  • Add the following URLs to the Neutral Resources network element in your WIP policy: +
      +
    • outlook.office365.com
    • +
    • outlook.office.com
    • +
    • outlook-sdf.office.com
    • +
    • attachment.outlook.office.net
    • +
    +
  • +
+
Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal.
Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy.All mailboxes are automatically marked as work. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data.
+ + + + + + From d11f74b061b3eb61f4f4fa880585b8f31eb707f8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 9 Jan 2017 11:05:46 -0800 Subject: [PATCH 23/39] Updated text --- windows/keep-secure/TOC.md | 2 +- ...ange-history-for-keep-windows-10-secure.md | 2 +- ...ended-office-365-configurations-for-wip.md | 64 ------------------- windows/keep-secure/using-owa-with-wip.md | 57 ++++------------- 4 files changed, 16 insertions(+), 109 deletions(-) delete mode 100644 windows/keep-secure/recommended-office-365-configurations-for-wip.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 3118984f33..6f4a4635e9 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -37,8 +37,8 @@ ### [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) #### [Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) -#### [Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) #### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) +#### [Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN technical guide](vpn-guide.md) 
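Review bot: this TOC hunk repoints the WIP entry to using-owa-with-wip.md and the same commit deletes recommended-office-365-configurations-for-wip.md, but guidance-and-best-practices-wip.md is not among the four files changed here, and its link to the deleted file is only replaced in PATCH 24/39. Fold that link update into this commit so that no revision in the series ships a dead link, and check for other inbound links to the old file name before deleting it.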
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 705b515233..900762eca3 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -15,8 +15,8 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## January 2017 |New or changed topic |Description | |---------------------|------------| -|[Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) |New | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | +|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | ## December 2016 |New or changed topic |Description | diff --git a/windows/keep-secure/recommended-office-365-configurations-for-wip.md b/windows/keep-secure/recommended-office-365-configurations-for-wip.md deleted file mode 100644 index 193528b36e..0000000000 --- a/windows/keep-secure/recommended-office-365-configurations-for-wip.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10) -description: Recommendations about how to configure Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, with Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Office 2016 configuration, WIP and Office 365 Mail app -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -localizationpriority: high ---- - -# Using Outlook Web Access with Windows Information Protection (WIP) -**Applies to:** - -- Windows 10, version 1607 -- Windows 10 Mobile - ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). - -Because the Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, can be used both personally and as part of your organization, we recommend the following configurations: - - - - - - - - - - - - - - - - - - - - - - - - -
OptionOWA behaviorOffice 365 behavior
Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app.Disabled.Both Outlook 2016 and the Office 365 Mail app behave properly, regardless of how you've configured outlook.office.com in your network settings.
An employee's mailbox is automatically marked as corporate data.
Don't configure outlook.office.com in any of your networking settings.All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data.
Do any of the following: -
    -
  • Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
  • -
  • Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
  • -
  • Add the following URLs to the Neutral Resources network element in your WIP policy: -
      -
    • outlook.office365.com
    • -
    • outlook.office.com
    • -
    • outlook-sdf.office.com
    • -
    • attachment.outlook.office.net
    • -
    -
  • -
-
Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal.
Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy.All mailboxes are automatically marked as work. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data.
- - - - - - diff --git a/windows/keep-secure/using-owa-with-wip.md b/windows/keep-secure/using-owa-with-wip.md index b243ede2f4..7610b5120a 100644 --- a/windows/keep-secure/using-owa-with-wip.md +++ b/windows/keep-secure/using-owa-with-wip.md @@ -1,7 +1,7 @@ --- -title: Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) (Windows 10) -description: Recommendations about how to configure Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, with Windows Information Protection (WIP). -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Office 2016 configuration, WIP and Office 365 Mail app +title: Using Outlook Web Access with Windows Information Protection (WIP) (Windows 10) +description: Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and OWA configuration ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -9,7 +9,7 @@ ms.pagetype: security localizationpriority: high --- -# Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP) +# Using Outlook Web Access with Windows Information Protection (WIP) **Applies to:** - Windows 10, version 1607 @@ -17,46 +17,17 @@ localizationpriority: high >Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). -Because the Office 365 Mail and Calendar apps, including Outlook Web Access (OWA) and the various client apps, can be used both personally and as part of your organization, we recommend the following configurations: - - - - - - - - - - - - - - - - - - - - - - - - -
OptionOWA behaviorOffice 365 behavior
Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app.Disabled.Both Outlook 2016 and the Office 365 Mail app behave properly, regardless of how you've configured outlook.office.com in your network settings.
An employee's mailbox is automatically marked as corporate data.
Don't configure outlook.office.com in any of your networking settings.All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data.
Do any of the following: -
    -
  • Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
  • -
  • Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
  • -
  • Add the following URLs to the Neutral Resources network element in your WIP policy: -
      -
    • outlook.office365.com
    • -
    • outlook.office.com
    • -
    • outlook-sdf.office.com
    • -
    • attachment.outlook.office.net
    • -
    -
  • -
-
Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal.
Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy.All mailboxes are automatically marked as work. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data.
+Because Outlook Web Access (OWA) can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): +|Option |OWA behavior | +|-------|-------------| +|Disable OWA. Employees can only use Microsoft Outlook 2016 or the Office 365 Mail app. | Disabled. | +|Don't configure outlook.office.com in any of your networking settings. |All mailboxes are automatically marked as personal. This means employees attempting to copy work content into OWA receive prompts and that files downloaded from OWA aren't automatically protected as corporate data. | +|Do all of the following:
  • Create a domain (such as mail.contoso.com, redirecting to outlook.office.com) that can be used by your employees to access work email.
  • Add the new domain to the Enterprise Cloud Resources network element in your WIP policy.
  • Add the following URLs to the Neutral Resources network element in your WIP policy:
    • outlook.office365.com
    • outlook.office.com
    • outlook-sdf.office.com
    • attachment.outlook.office.net
|Inbox content accessed through the new domain is automatically marked as corporate data, while content accessed through personal email is automatically marked as personal. | +|Add outlook.office.com to the Enterprise Cloud Resources network element in your WIP policy. |All mailboxes are automatically marked as corporate. This means any personal inboxes hosted on Office 365 are also automatically marked as corporate data. | + +>[!NOTE] +>These limitations don’t apply to Outlook 2016 or to the Office365 Mail and Calendar apps. These apps will work properly, marking an employee’s mailbox as corporate data, regardless of how you’ve configured outlook.office.com in your network settings. From 8586de369519cf63085fdd95f31a072a29d82479 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 9 Jan 2017 12:15:50 -0800 Subject: [PATCH 24/39] Updated topic title --- windows/keep-secure/guidance-and-best-practices-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index 79877bd59e..d1babdcf0b 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
@@ -24,8 +24,8 @@ This section includes info about the enlightened Microsoft apps, including how t |------|------------| |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | |[Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)](app-behavior-with-wip.md) |Learn the difference between enlightened and unenlightened app behaviors. | -|[Recommended Office 365 Mail and Calendar apps configuration with Windows Information Protection (WIP)](recommended-office-365-configurations-for-wip.md) |Recommended Windows Information Protection (WIP) configurations for use with Office 2016 and the Office 365 Mail and Calendar apps. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |Recommended additions for the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). | +|[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook Web Access (OWA) with Windows Information Protection (WIP). | >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). From 4f961fbf8ed745f7541185e89d8a0ea1370370f4 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Mon, 9 Jan 2017 12:17:17 -0800 Subject: [PATCH 25/39] remove redundant link --- windows/deploy/provisioning-packages.md | 1 - 1 file changed, 1 deletion(-) 
diff --git a/windows/deploy/provisioning-packages.md b/windows/deploy/provisioning-packages.md index 47223a7427..1e7493e331 100644 --- a/windows/deploy/provisioning-packages.md +++ b/windows/deploy/provisioning-packages.md @@ -124,7 +124,6 @@ Provisioning packages can be applied both during image deployment and during run - [Provision PCs with apps and certificates for initial deployments](provision-pcs-with-apps-and-certificates.md) - [Configure devices without MDM](../manage/configure-devices-without-mdm.md) - [Set up a shared or guest PC with Windows 10](../manage/set-up-shared-or-guest-pc.md) -- [Configure devices without MDM](../manage/configure-devices-without-mdm.md) - [Set up a device for anyone to use (kiosk mode)](../manage/set-up-a-device-for-anyone-to-use.md) - [Customize Windows 10 Start and taskbar with ICD and provisioning packages](../manage/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) - [Set up student PCs to join domain](https://technet.microsoft.com/edu/windows/set-up-students-pcs-to-join-domain) From c4f24bc964ddeb48cbc84ba5a91dad7cc4f57eab Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 9 Jan 2017 13:13:19 -0800 Subject: [PATCH 26/39] Removed text --- windows/keep-secure/guidance-and-best-practices-wip.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index d1babdcf0b..ff64be6d0f 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md @@ -29,4 +29,3 @@ This section includes info about the enlightened Microsoft apps, including how t >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ->>>>>>> refs/remotes/origin/master 
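Review bot: the line removed at the end of guidance-and-best-practices-wip.md, `>>>>>>> refs/remotes/origin/master`, is a leftover merge-conflict marker, and the commit message "Removed text" does not say so. State that in the message, and search this file and the other files touched by the same merge for stray `<<<<<<<` and `=======` markers, since this hunk shows only the closing one.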
From 42cd46ba82e90730ef92a43f511e4e19dba50ea5 Mon Sep 17 00:00:00 2001 From: Greig Sheridan Date: Tue, 10 Jan 2017 08:36:03 +1100 Subject: [PATCH 27/39] Corrected Energy Star typo: changed "50" to "S0" --- devices/surface-hub/use-room-control-system-with-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/use-room-control-system-with-surface-hub.md b/devices/surface-hub/use-room-control-system-with-surface-hub.md index 71051b3d27..06b5f7dd0a 100644 --- a/devices/surface-hub/use-room-control-system-with-surface-hub.md +++ b/devices/surface-hub/use-room-control-system-with-surface-hub.md @@ -184,7 +184,7 @@ In Replacement PC mode, the power states are only Ready and Off and only change

5

50

S0

Ready