From fd0654a2fc5932f30eb1ed084295ef93f66b5b83 Mon Sep 17 00:00:00 2001 From: Marcelo di Iorio Date: Thu, 13 Jun 2019 10:22:37 +0200 Subject: [PATCH 01/37] Update hello-hybrid-cert-whfb-settings-pki.md In line 114, shouldn't we say "Exchange Enrollment Agent (Offline request)"? --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 6e3126b3c7..d4233e1945 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -111,7 +111,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. From 30ff51b96e72101031d981c1522c93f787ad1865 Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Wed, 10 Jul 2019 14:04:40 +1200 Subject: [PATCH 02/37] Update hello-hybrid-aadj-sso-cert.md Couple of small corrections - Certificate Authorities now called Certificate Connectors in Intune portal; typo in NDES Connector test command. --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 4baae2e5a4..1c768a8f42 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -535,7 +535,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/). 2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. ![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png) -3. Select **Device Configuration**, and then select **Certificate Authority**. +3. Select **Device Configuration**, and then select **Certificate Connectors**. ![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png) 4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section. ![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png) @@ -610,7 +610,7 @@ Sign-in the NDES server with access equivalent to _domain admin_. 1. Open a command prompt. 2. Type the following command to confirm the NDES Connector's last connection time is current.
-```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
+```reg query hklm\software\Microsoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
3. Close the command prompt. 4. Open **Internet Explorer**. 5. In the navigation bar, type
From bc78f83a1ff9f560bb7470061c6b414706c59a81 Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Wed, 10 Jul 2019 14:26:06 +1200 Subject: [PATCH 03/37] Update hello-hybrid-aadj-sso-cert.md Minor changes: corrected 1 x typo and 1 x bad formatting. --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 4baae2e5a4..50b9d742a4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -636,7 +636,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. 9. Click **Create**. -### Create a SCEP Certificte Profile +### Create a SCEP Certificate Profile Sign-in a workstation with access equivalent to a _domain user_. 1. Sign-in to the [Azure Portal](https://portal.azure.com/). @@ -659,7 +659,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**. +15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. From 5ad7318a5ee4f74efbebd3fd7974dd966154b9b2 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Thu, 25 Jul 2019 17:19:49 -0700 Subject: [PATCH 04/37] updated on-premises MFA guidance --- .../hello-cert-trust-deploy-mfa.md | 549 ------------------ .../hello-cert-trust-validate-deploy-mfa.md | 31 +- .../hello-hybrid-key-trust.md | 16 +- .../hello-key-trust-deploy-mfa.md | 549 ------------------ .../hello-key-trust-validate-deploy-mfa.md | 29 +- 5 files changed, 21 insertions(+), 1153 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md delete mode 100644 windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md deleted file mode 100644 index 30b809ce8c..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ /dev/null @@ -1,549 +0,0 @@ ---- -title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) -description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: ---- -# Configure or Deploy Multifactor Authentication Services - -**Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust - - -On-premises deployments must use an on-premises MFA Server that provides an AD FS Multifactor authentication adapter. It can be an Azure Multi-Factor Authentication Server or a third-party MFA solution. - ->[!TIP] ->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. - -## Prerequisites - -The Azure MFA Server and User Portal servers have several prerequisites and must have connectivity to the Internet. - -### Primary MFA Server - -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. - -For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. - -The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. - -#### Enroll for Server Authentication - -The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. - -Sign-in the primary MFA server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. - -To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. - -The following services are required: -* Common Parameters > Default Document. -* Common Parameters > Directory Browsing. -* Common Parameters > HTTP Errors. -* Common Parameters > Static Content. -* Health and Diagnostics > HTTP Logging. -* Performance > Static Content Compression. -* Security > Request Filtering. -* Security > Basic Authentication. -* Management Tools > IIS Management Console. -* Management Tools > IIS 6 Management Compatibility. -* Application Development > ASP.NET 4.5. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server Certificate - -The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. - -Sign in the primary MFA server with _administrator_ equivalent credentials. -1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console -2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. -3. In the **Actions** pane, click **Bindings**. -4. In the **Site Bindings** dialog, Click **Add**. -5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. -6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. - -#### Configure the Web Service’s Security - -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the **Phonefactor Admins** security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the **Phonefactor Admins** security group. - -Sign in the domain controller with _domain administrator_ equivalent credentials. - -##### Create Phonefactor Admin group - -1. Open **Active Directory Users and Computers** -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. -3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. -4. Click **OK**. - -##### Add accounts to the Phonefactor Admins group - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**. -3. Click the **Members** tab. -4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). -* Confirm the host has all the available updates from Windows Update. -* Confirm you bound the server authentication certificate to the IIS web site. -* Confirm you created the Phonefactor Admins group. -* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. - -### User Portal Server - -The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. - -The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. - -#### Enroll for Server Authentication - -Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. - -For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. - -Sign-in the User Portal server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). -10. Click **Add**. Click **OK** when finished. -11. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Set the IIS Server Certificate - -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server-certificate) section. - -#### Create WebServices SDK user account - -The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. -3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**. -4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. - -#### Add the MFA SDK user account to the Phonefactor Admins group - -Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactor Admins** security group and select Properties. -3. Click the Members tab. -4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * The Webservices SDK user account - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. -* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Server Role was properly configured on all servers. -* Confirm all the hosts have the latest updates from Windows Update. -* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. - -## Installing Primary Azure MFA Server - -When you install Azure Multi-Factor Authentication Server, you have the following options: -1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS -2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) - -See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. - -Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. - ->[!IMPORTANT] ->Only follow the above mention article to install Azure MFA Server. Once it is intstalled, continue configuration using this article. - -### Configuring Company Settings - -You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Start the **Multi-Factor Server** application -2. Click **Company Settings**. -3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. -4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use the mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. -5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. -6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. -7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. -8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal. -10. Configure the minimum length for the PIN. -11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. -12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. -13. Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. - -![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) - -### Configuring Email Settings and Content - -If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. - -Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. - -With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. - -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. - -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. - -#### Settings - -By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. - -#### Content - -On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. - -##### Edit the Content Settings - -The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. Click **Email** from the list of icons and click the **Email Content** tab. -3. Select an email template from the list of templates. Click **Edit**. -4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. - ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) - -5. Optionally, customize other options in the email template. -6. When finished editing the template, Click **Apply**. -7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. -8. Click **Close** when you are done editing the email templates. - -### Configuring Directory Integration Settings and Synchronization - -Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. - -It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). - -#### MultiFactorAuthAdSync Service - -The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. - -The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. - -#### Settings - -Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Click the **Synchronization** tab. -4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance. - -#### Synchronization - -The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. - -You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. - -See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. - -##### To add a synchronization item - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Select the **Synchronization** tab. -4. On the **Synchronization** tab, click **Add**. - ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) - -5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. -6. Select the group you are using for replication from the list of groups -7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. -8. Select **Add new users and Update existing users**. -9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. -10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. -11. Select **Enabled** and select **Only New Users with Phone Number** from the list. -12. Select **Send email** and select **New and Updated Users**. - -##### Configure synchronization item defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. -2. Select the default second factor authentication method. For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). - -##### Configure synchronization language defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. -2. Select the appropriate default language for these groups of users synchronized by these synchronization item. -3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). - -### Installing the MFA Web Services SDK - -The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. - -Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. - -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. - -## Install Secondary MFA Servers - -Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. - -Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. - -Sign in the secondary MFA server with _domain administrator_ equivalent credentials. -1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. - **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. -2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. -3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. -4. On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. -5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. -* Confirm the server has Internet connectivity. -* Confirm you installed and activated the Azure MFA Server. -* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). -* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. - * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. - -* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. -* Confirm you installed the Web Service SDK on the primary MFA server. -* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. - - -## Installing the User Portal Server - -You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. - -### Copying the User Portal Installation file - -Sign in the primary MFA server with _local administrator_ equivalent credentials. -1. Open Windows Explorer. -2. Browse to the C:\Program Files\MultiFactor Authentication Server folder. -3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. - -### Configure Virtual Directory name - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. -2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. -3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. -4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. -5. Click **Close**. - -### Edit MFA User Portal config file - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. - -### Create a DNS entry for the User Portal web site - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. Click **Add Host**. -6. Close the **DNS Management** console. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. - -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. - -### Configuring the User Portal - -The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. -User Portal Administrators may be set up and granted permission to add new users and update existing users. - -#### Settings - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. - ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) - -3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. -The Multi-Factor Authentication Server uses this information when sending emails to users. -4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method. -6. Select Allow users to select language. -7. Select Use security questions for fallback and select 4 from the Questions to answer list. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). - -#### Administrators - -The User Portal Settings tab allows the administrator to install and configure the User Portal. -1. Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. -3. On the Administrators tab, Click Add -4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. -5. Click Add. - ->[!TIP] ->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. - -#### Security Questions - -[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. - -#### Trusted IPs - -The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. - -## Configure the AD FS Server to use the MFA for multifactor authentication - -You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. - -### Install the MFA AD FS Adapter - -Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. - -### Edit the MFA AD FS Adapter config file on all ADFS Servers - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. - -### Edit the AD FS Adapter Windows PowerShell cmdlet - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. - -Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. - -### Run the AD FS Adapter PowerShell cmdlet - -Sign in the primary AD FS server with local administrator equivalent credentials. - -Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. - ->[!NOTE] ->You must restart the AD FS service for the registration to take effect. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. -* Confirm you restarted the AD FS Service after completing the configuration. - -## Test Multifactor Authentication - -Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete. - -1. In the **Multi-Factor Authentication** server, on the left, click **Users**. -2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. -3. Click **Test**. -4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. - -The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 13beb24a52..ff7f5deec6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md @@ -16,36 +16,19 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Deploy Multifactor Authentication Services (MFA) +# Validate and Deploy Multi-factor Authentication (MFA) **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. +Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. -Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. -* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. -* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios. -* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. -* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. +For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](https://docs.microsoft.com/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) -## On-Premises Azure MFA Server - -On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. - -### Infrastructure - -A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. - -Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. - ->[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article. - -Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md). +Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-authentication-policies). ## Follow the Windows Hello for Business on premises certificate trust deployment guide 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index cdc50b7691..1f4f6b976d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -19,11 +19,11 @@ ms.reviewer: # Hybrid Azure AD joined Key Trust Deployment **Applies to** -- Windows 10, version 1703 or later -- Hybrid deployment -- Key trust - +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust + Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. It is recommended that you review the Windows Hello for Business planning guide prior to using the deployment guide. The planning guide helps you make decisions by explaining the available options with each aspect of the deployment and explains the potential outcomes based on each of these decisions. You can review the [planning guide](https://docs.microsoft.com/windows/access-protection/hello-for-business/hello-planning-guide) and download the [planning worksheet](https://go.microsoft.com/fwlink/?linkid=852514). @@ -31,10 +31,11 @@ It is recommended that you review the Windows Hello for Business planning guide This deployment guide provides guidance for new deployments and customers who are already federated with Office 365. These two scenarios provide a baseline from which you can begin your deployment. ## New Deployment Baseline ## + The new deployment baseline helps organizations who are moving to Azure and Office 365 to include Windows Hello for Business as part of their deployments. This baseline is good for organizations who are looking to deploy proof of concepts as well as IT professionals who want to familiarize themselves Windows Hello for Business by deploying a lab environment. - + This baseline provides detailed procedures to move your environment from an on-premises only environment to a hybrid environment using Windows Hello for Business to authenticate to Azure Active Directory and to your on-premises Active Directory using a single Windows sign-in. - + Your next step is to familiarize yourself with the prerequisites needed for the deployment. Many of the prerequisites will be new for organizations and individuals pursuing the new deployment baseline. Organizations and individuals starting from the federated baseline will likely be familiar with most of the prerequisites, but should validate they are using the proper versions that include the latest updates. > [!div class="nextstepaction"] @@ -42,9 +43,8 @@ Your next step is to familiarize yourself with the prerequisites needed for the

-
- ## Follow the Windows Hello for Business hybrid key trust deployment guide + 1. Overview (*You are here*) 2. [Prerequisites](hello-hybrid-key-trust-prereqs.md) 3. [New Installation Baseline](hello-hybrid-key-new-install.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md deleted file mode 100644 index b2c377057f..0000000000 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md +++ /dev/null @@ -1,549 +0,0 @@ ---- -title: Configure or Deploy Multifactor Authentication Services (Windows Hello for Business) -description: How to Configure or Deploy Multifactor Authentication Services for Windows Hello for Business -keywords: identity, PIN, biometric, Hello, passport -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security, mobile -audience: ITPro -author: mapalko -ms.author: mapalko -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -localizationpriority: medium -ms.date: 08/19/2018 -ms.reviewer: ---- -# Configure or Deploy Multifactor Authentication Services - -**Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Key trust - - -On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. - ->[!TIP] ->Please make sure you've read [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) before proceeding any further. - -## Prerequisites - -The Azure MFA Server and User Portal servers have several perquisites and must have connectivity to the Internet. - -### Primary MFA Server - -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. - -For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. - -The primary MFA server is also responsible for synchronizing from Active Directory. Therefore, the primary MFA server should be domain joined and fully patched. - -#### Enroll for Server Authentication - -The communication between the primary MFA server, secondary MFA servers, User Portal servers, and the client is protected using TLS, which needs a server authentication certificate. - -Sign-in the primary MFA server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (mfa.corp.contoso.com). Click **Add**. Click **OK** when finished. -9. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. - -To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. - -The following services are required: -* Common Parameters > Default Document. -* Common Parameters > Directory Browsing. -* Common Parameters > HTTP Errors. -* Common Parameters > Static Content. -* Health and Diagnostics > HTTP Logging. -* Performance > Static Content Compression. -* Security > Request Filtering. -* Security > Basic Authentication. -* Management Tools > IIS Management Console. -* Management Tools > IIS 6 Management Compatibility. -* Application Development > ASP.NET 4.5. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate. - -Sign in the primary MFA server with _administrator_ equivalent credentials. -1. From **Administrators**, Start the **Internet Information Services (IIS) Manager** console -2. In the navigation pane, expand the node with the same name as the local computer. Expand **Settings** and select **Default Web Site**. -3. In the **Actions** pane, click **Bindings**. -4. In the **Site Bindings** dialog, Click **Add**. -5. In the **Add Site Binding** dialog, select **https** from the **Type** list. In the **SSL certificate** list, select the certificate with the name that matches the FQDN of the computer. -6. Click **OK**. Click **Close**. From the **Action** pane, click **Restart**. - -#### Configure the Web Service’s Security - -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. - -Sign in the domain controller with _domain administrator_ equivalent credentials. - -##### Create Phonefactor Admin group - -1. Open **Active Directory Users and Computers** -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **Group**. -3. In the **New Object – Group** dialog box, type **Phonefactor Admins** in Group name. -4. Click **OK**. - -##### Add accounts to the Phonefactor Admins group - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select Users. In the content pane. Right-click the **Phonefactor Admins** security group and select **Properties**. -3. Click the **Members** tab. -4. Click **Add**. Click **Object Types..** In the **Object Types** dialog box, select **Computers** and click **OK**. Enter the following user and/or computers accounts in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the MFA service has enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Services Role was installed with the correct configuration (including Basic Authentication, ASP.NET 4.5, etc). -* Confirm the host has all the available updates from Windows Update. -* Confirm you bound the server authentication certificate to the IIS web site. -* Confirm you created the Phonefactor Admins group. -* Confirm you added the computer account hosting the MFA service to the Phonefactor Admins group and any user account who are responsible for administrating the MFA server or User Portal. - -### User Portal Server - -The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. User Portal Administrators may be set up and granted permission to add new users and update existing users. - -The User Portal web site uses the user database that is synchronized across the MFA Servers, which enables a design to support multiple web servers for the User Portal and those servers can support internal and external customers. While the user portal web site can be installed directly on the MFA server, it is recommended to install the User Portal on a server separate from the MFA Server to protect the MFA user database, as a layered, defense-in-depth security design. - -#### Enroll for Server Authentication - -Internal and external users use the User Portal to manage their multifactor authentication settings. To protect this communication, you need to enroll all User Portal servers with a server authentication certificate. You can use an enterprise certificate to protect communication to internal User Portal servers. - -For external User Portal servers, it is typical to request a server authentication certificate from a public certificate authority. Contact a public certificate authority for more information on requesting a certificate for public use. Follow the procedures below to enroll an enterprise certificate on your User Portal server. - -Sign-in the User Portal server with _domain admin_ equivalent credentials. -1. Start the Local Computer **Certificate Manager** (certlm.msc). -2. Expand the **Personal** node in the navigation pane. -3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. -4. Click **Next** on the **Before You Begin** page. -5. Click **Next** on the **Select Certificate Enrollment Policy** page. -6. On the **Request Certificates** page, Select the **Internal Web Server** check box. -7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link. -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the primary MFA server and then click **Add** (app1.corp.contoso.com). -9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your User Portal service (mfaweb.corp.contoso.com). -10. Click **Add**. Click **OK** when finished. -11. Click **Enroll**. - -A server authentication certificate should appear in the computer’s Personal certificate store. - -#### Install the Web Server Role - -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this. - -#### Update the Server - -Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work. These procedures install additional components that may need to be updated. - -#### Configure the IIS Server’s Certificate - -To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section. - -#### Create WebServices SDK user account - -The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. -3. In the **New Object – User** dialog box, type **PFWSDK_\** in the **First name** and **User logon name** boxes, where *\* is the name of the primary MFA server running the Web Services SDK. Click **Next**. -4. Type a strong password and confirm it in the respective boxes. Clear **User must change password at next logon**. Click **Next**. Click **Finish** to create the user account. - -#### Add the MFA SDK user account to the Phonefactor Admins group - -Adding the WebServices SDK user account to the Phonefactor Admins group provides the user account with the proper authorization needed to access the configuration data on the primary MFA server using the WebServices SDK. - -1. Open **Active Directory Users and Computers**. -2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Select **Users**. In the content pane. Right-click the **Phonefactors Admin** security group and select Properties. -3. Click the Members tab. -4. Click **Add**. Click **Object Types..** Type the PFWSDK_\ user name in the **Enter the object names to select** box and then click **OK**. - * The computer account for the primary MFA Server - * The Webservices SDK user account - * Group or user account that will manage the User Portal server. - - -#### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: - -* Confirm the hosts of the user portal are properly configure for load balancing and high-availability. -* Confirm the hosts of the user portal have enrolled a server authentication certificate with the proper names. - * Record the expiration date of the certificate and set a renewal reminder at least six weeks before it expires that includes the: - * Certificate serial number - * Certificate thumbprint - * Common name of the certificate - * Subject alternate name of the certificate - * Name of the physical host server - * The issued date - * The expiration date - * Issuing CA Vendor (if a third-party certificate) - -* Confirm the Web Server Role was properly configured on all servers. -* Confirm all the hosts have the latest updates from Windows Update. -* Confirm you created the web service SDK domain account and the account is a member of the Phonefactor Admins group. - -## Installing Primary Azure MFA Server - -When you install Azure Multi-Factor Authentication Server, you have the following options: -1. Install Azure Multi-Factor Authentication Server locally on the same server as AD FS -2. Install the Azure Multi-Factor Authentication adapter locally on the AD FS server, and then install Multi-Factor Authentication Server on a different computer (preferred deployment for production environments) - -See [Configure Azure Multi-Factor Authentication Server to work with AD FS in Windows Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12) to view detailed installation and configuration options. - -Sign-in the federation server with _Domain Admin_ equivalent credentials and follow [To install and configure the Azure Multi-Factor Authentication server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#to-install-and-configure-the-azure-multi-factor-authentication-server) for an express setup with the configuration wizard. You can re-run the authentication wizard by selecting it from the Tools menu on the server. - ->[!IMPORTANT] ->Only follow the above mention article to install Azure MFA Server. Once it is installed, continue configuration using this article. - -### Configuring Company Settings - -You need to configure the MFA server with the default settings it applies to each user account when it is imported or synchronized from Active Directory. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Start the **Multi-Factor Server** application -2. Click **Company Settings**. -3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. -4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. -5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. -6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. -7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. -8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal. -10. Configure the minimum length for the PIN. -11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. -12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. -13. Select the **PIN history** check box if you want to remember previously used PINs for the user. PIN History stores old PINs for each user. Users are not allowed to reset their PIN to any value stored in their PIN History. When cleared, no PIN History is stored. The default value is 5 and range is 1 to 10. - -![Azure MFA Server Company settings configured](images/hello-mfa-company-settings.png) - -### Configuring Email Settings and Content - -If you are deploying in a lab or proof-of-concept, then you have the option of skipping this step. In a production environment, ideally, you’ll want to setup the Azure Multifactor Authentication Server and its user portal web interface prior to sending the email. The email gives your users time to visit the user portal and configure the multi-factor settings. - -Now that you have imported or synchronized with your Azure Multi-Factor Authentication server, it is advised that you send your users an email that informs them that they have been enrolled in multi-factor authentication. - -With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. - -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. - -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. - -#### Settings - -By clicking the email icon on the left you can setup the settings for sending these emails. This is where you can enter the SMTP information of your mail server and it allows you to send a blanket wide email by adding a check to the Send mails to users check box. - -#### Content - -On the Email Content tab, you will see all of the various email templates that are available to choose from. So, depending on how you have configured your users to use multi-factor authentication, you can choose the template that best suits you. - -##### Edit the Content Settings - -The Azure MFA server does not send emails, even when configured to do so, until you configured the sender information for each email template listed in the Content tab. - -Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. Click **Email** from the list of icons and click the **Email Content** tab. -3. Select an email template from the list of templates. Click **Edit**. -4. In the **Edit Email** dialog, in the **From** text box, type the email address of the person or group that should appear to have sent the email. - ![Edit email dialog within content settings](images/hello-mfa-content-edit-email.png) - -5. Optionally, customize other options in the email template. -6. When finished editing the template, Click **Apply**. -7. Click **Next** to move to the next email in the list. Repeat steps 4 and 6 to edit the changes. -8. Click **Close** when you are done editing the email templates. - -### Configuring Directory Integration Settings and Synchronization - -Synchronization keeps the Multi-Factor Authentication user database synchronized with the users in Active Directory or another LDAP Lightweight Directory Access Protocol directory. The process is similar to Importing Users from Active Directory, but periodically polls for Active Directory user and security group changes to process. It also provides for disabling or removing users removed from a container or security group and removing users deleted from Active Directory. - -It is important to use a different group memberships for synchronizing users from Active Directory and for enabling Windows Hello for Business. Keeping the group memberships separated enables you to synchronize users and configure MFA options without immediately deploying Windows Hello for Business to that user. This deployment approach provides the maximum flexibility, which gives users the ability to configure their settings before they provision Windows Hello for Business. To start provisioning, simply add the group used for synchronization to the Windows Hello for Business Users group (or equivalent if you use custom names). - -#### MultiFactorAuthAdSync Service - -The MultiFactorAuthAdSync service is a Windows service that performs the periodic polling of Active Directory. It is installed in a Stopped state and is started by the MultiFactorAuth service when configured to run. If you have a multi-server Multi-Factor Authentication configuration, the MultiFactorAuthAdSync may only be run on a single server. - -The MultiFactorAuthAdSync service uses the DirSync LDAP server extension provided by Microsoft to efficiently poll for changes. This DirSync control caller must have the "directory get changes" right and DS-Replication-Get-Changes extended control access right. By default, these rights are assigned to the Administrator and LocalSystem accounts on domain controllers. The MultiFactorAuthAdSync service is configured to run as LocalSystem by default. Therefore, it is simplest to run the service on a domain controller. The service can run as an account with lesser permissions if you configure it to always perform a full synchronization. This is less efficient, but requires less account privileges. - -#### Settings - -Configuring the directory synchronization between Active Directory and the Azure MFA server is easy. - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Click the **Synchronization** tab. -4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance. - -#### Synchronization - -The MFA server uses synchronization items to synchronize users from Active Directory to the MFA server database. Synchronization items enables you to synchronize a collection of users based security groups or Active Directory containers. - -You can configure synchronization items based on different criteria and filters. For the purpose of configuring Windows Hello for Business, you need to create a synchronization item based membership of the Windows Hello for Business user group. This ensures the same users who receive Windows Hello for Business policy settings are the same users synchronized to the MFA server (and are the same users with permission to enroll in the certificate). This significantly simplifies deployment and troubleshooting. - -See [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint) for more details. - -##### To add a synchronization item - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the **Multi-Factor Authentication Server** console. -2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. -3. Select the **Synchronization** tab. -4. On the **Synchronization** tab, click **Add**. - ![Azure MFA Server - add synchronization item screen](images/hello-mfa-sync-item.png) - -5. In the **Add Synchronization Item** dialog, select **Security Groups** from the **View** list. -6. Select the group you are using for replication from the list of groups -7. Select **Selected Security Groups – Recursive** or, select **Security Group** from the **Import** list if you do not plan to nest groups. -8. Select **Add new users and Update existing users**. -9. Select **Disable/Remove users no longer a member** and select **Disable** from the list. -10. Select the attributes appropriate for your environment for **Import phone** and **Backup**. -11. Select **Enabled** and select **Only New Users with Phone Number** from the list. -12. Select **Send email** and select **New and Updated Users**. - -##### Configure synchronization item defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Method Defaults** tab. -2. Select the default second factor authentication method. For example, if the second factor of authentication is a text message, select **Text message**. Select if the direction of text message authentication and if the authentication should use a one-time password or one-time password and PIN (Ensure users are configured to create a PIN if the default second factor of communication requires a PIN). - -##### Configure synchronization language defaults - -1. When creating a new or editing a synchronization item from the Multi-Factor Authentication Server, select the **Language Defaults** tab. -2. Select the appropriate default language for these groups of users synchronized by these synchronization item. -3. If creating a new synchronization item, click **Add** to save the item. If editing an existing synchronization item, click **Apply** and then click **Close**. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Directory integration between Azure MFA Server and Active Directory](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-dirint). - -### Installing the MFA Web Services SDK - -The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK. The Web Service SDK is an IIS (Internet Information Server) web service that provides an interface for integrating the full features of the Multi-Factor Authentication Server into most any application. The Web Service SDK uses the Multi-Factor Authentication Server as the data store. - -Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. - -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. - -## Install Secondary MFA Servers - -Additional MFA servers provided redundancy of the MFA configuration. The MFA server models uses one primary MFA server with multiple secondary servers. Servers within the same group establish communication with the primary server for that group. The primary server replicates to each of the secondary servers. You can use groups to partition the data stored on different servers, for example you can create a group for each domain, forest, or organizational unit. - -Follow the same procedures for installing the primary MFA server software for each additional server. Remember that each server must be activated. - -Sign in the secondary MFA server with _domain administrator_ equivalent credentials. -1. Once the Multi-Factor Authentication Server console starts, you must configure the current server’s replication group membership. You have the option to join an existing group or create a new group. When joining an existing group, the server becomes a secondary server in the existing replication group. When creating a new group, the server becomes the primary server of that replication group. Click **OK**. - **Note:** Group membership cannot be changed after activation. If a server was joined to the wrong group, it must be activated again to join a different group. Please contact support for assistance with deactivating and reactivating a server. -2. The console asks you if you want to enable replication by running the **Multi-Server Configuration Wizard**. Click **Yes**. -3. In the **Multi-Server Configuration Wizard**, leave **Active Directory** selected and clear **Certificates**. Click **Next**. -4. On the **Active Directory** page, the wizard determines what configuration is needed to enable replication. Typically, the wizard recommends adding the computer account for the current server to the **PhoneFactor Admin** group. Click **Next** to add the computer account to the group. -5. On the **Multi-Server Configuration Complete** page, click **Finish** to reboot the computer to update its group membership. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm you downloaded the latest Azure MFA Server from the Azure Portal. -* Confirm the server has Internet connectivity. -* Confirm you installed and activated the Azure MFA Server. -* Confirm your Azure MFA Server configuration meets your organization’s needs (Company Settings, Email Settings, etc). -* Confirm you created Directory Synchronization items based on your deployment to synchronize users from Active Directory to the Azure MFA server. - * For example, you have security groups representing each collection of users that represent a phase of your deployment and a corresponding synchronization item for each of those groups. - -* Confirm the Azure MFA server properly communicates with the Azure MFA cloud service by testing multifactor authentication with a newly synchronized user account. -* Confirm you installed the Web Service SDK on the primary MFA server. -* Confirm your MFA servers have adequate redundancy, should you need to promote a secondary server to the primary server. - - -## Installing the User Portal Server - -You previously configured the User Portal settings on the primary MFA server. The User Portal web application communicates to the primary MFA server using the Web Services SDK to retrieve these settings. This configuration is ideal to ensure you can scale up the User Portal application to meet the needs of your internal users. - -### Copying the User Portal Installation file - -Sign in the primary MFA server with _local administrator_ equivalent credentials. -1. Open Windows Explorer. -2. Browse to the C:\Program Files\MultiFactor Authentication Server folder. -3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. - -### Configure Virtual Directory name - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to the folder to which you saved the installation file from the previous step. -2. Run the **MultiFactorAuthenticationUserPortalSetup64.msi**. The installation package asks if you want to download **Visual Studio C++ Redistributable for Visual Studio 2015**. Click **Yes**. When prompted, select **Save As**. The downloaded file is missing its file extension. **Save the file with a .exe extension and install the runtime**. -3. Run the installation package again. The installer package asks about the C++ runtime again; however, this is for the X64 version (the previous prompt was for x86). Click **Yes** to download the installation package and select **Save As** so you can save the downloaded file with a .exe extension. **Install** the run time. -4. Run the User Portal installation package. On the **Select Installation Address** page, use the default settings for **Site** and **Application Pool** settings. You can modify the Virtual directory to use a name that is more fitting for the environment, such as **mfa** (This virtual directory must match the virtual directory specified in the User Portal settings). Click **Next**. -5. Click **Close**. - -### Edit MFA User Portal config file - -Sign in the User Portal server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to C:\inetpub\wwwroot\MultiFactorAuth (or appropriate directory based on the virtual directory name) and edit the **web.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. - -### Create a DNS entry for the User Portal web site - -Sign-in the domain controller or administrative workstation with _Domain Admin_ equivalent credentials. -1. Open the **DNS Management** console. -2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. -3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. -4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. -5. In the **name** box, type the host name of the User Portal, such as *mfaweb* (this name must match the name of the certificate used to secure communication to the User Portal). In the IP address box, type the load balanced **IP address** of the User Portal. Click **Add Host**. -6. Close the **DNS Management** console. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. - -### Validating your work - -Windows Hello for Business is a distributed system, which on the surface appears complex and difficult. The key to a successful Windows Hello for Business deployment is to validate phases of work prior to moving to the next phase. - -Using a web browser, navigate to the URL provided in the *pf_up_pfwssdk_PfWsSdk* named value in the web.config file of any one of the user portal servers. The URL should be protected by a server authentication certificate and should prompt you for authentication. Authenticate to the web site using the username and password provided in the web.config file. Successful authentication and page view confirms the Web SDK configured on the primary MFA server is correctly configured and ready to work with the user portal. - -### Configuring the User Portal - -The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal. The User Portal is an IIS Internet Information Server web site that allows users to enroll in Multi-Factor Authentication and maintain their accounts. A user may change their phone number, change their PIN, or bypass Multi-Factor Authentication during their next sign on. Users will log in to the User Portal using their normal username and password and will either complete a Multi-Factor Authentication call or answer security questions to complete their authentication. If user enrollment is allowed, a user will configure their phone number and PIN the first time they log in to the User Portal. -User Portal Administrators may be set up and granted permission to add new users and update existing users. - -#### Settings - -Sign in the primary MFA server with _MFA administrator_ equivalent credentials. -1. Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. - ![Azure MFA Server - User Portal settings](images/hello-mfa-user-portal-settings.png) - -3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. -The Multi-Factor Authentication Server uses this information when sending emails to users. -4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method. -6. Select Allow users to select language. -7. Select Use security questions for fallback and select 4 from the Questions to answer list. - ->[!TIP] ->For more information on these settings and the behaviors they control, see [Deploy the user portal for the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal). - -#### Administrators - -The User Portal Settings tab allows the administrator to install and configure the User Portal. -1. Open the Multi-Factor Authentication Server console. -2. From the Multi-Factor Authentication Server window, click the User Portal icon. -3. On the Administrators tab, Click Add -4. In the Add Administrator dialog, Click Select User… to pick a user to install and manage the User Portal. Use the default permissions. -5. Click Add. - ->[!TIP] ->For more information on these settings and the behaviors they control, read the **Multi-Factor Authentication Server Help content**. - -#### Security Questions - -[Security questions](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#security-questions) for the User Portal may be customized to meet your requirements. The questions defined here will be offered as options for each of the four security questions a user is prompted to configure during their first log on to User Portal. The order of the questions is important since the first four items in the list will be used as defaults for the four security questions. - -#### Trusted IPs - -The [Trusted IPs](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-portal#trusted-ips) tab allows you to skip Multi-Factor Authentication for User Portal log ins originating from specific IPs. For example, if users use the User Portal from the office and from home, you may decide you don't want their phones ringing for Multi-Factor Authentication while at the office. For this, you would specify the office subnet as a trusted IP entry. - -## Configure the AD FS Server to use the MFA for multifactor authentication - -You need to configure the AD FS server to use the MFA server. You do this by Installing the MFA Adapter on the primary AD FS Server. - -### Install the MFA AD FS Adapter - -Follow [Install a standalone instance of the AD FS adapter by using the Web Service SDK](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-adfs-w2k12#install-a-standalone-instance-of-the-ad-fs-adapter-by-using-the-web-service-sdk). You should follow this instructions on all AD FS servers. You can find the files needed on the MFA server. - -### Edit the MFA AD FS Adapter config file on all ADFS Servers - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. -1. Open Windows Explorer and browse to **C:\inetpub\wwwroot\MultiFactorAuth** (or appropriate directory based on the virtual directory name) and edit the **MultiFactorAuthenticationAdfsAdapter.config** file. -2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. -3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. -4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “ to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. ). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. - -### Edit the AD FS Adapter Windows PowerShell cmdlet - -Sign in the primary AD FS server with _local administrator_ equivalent credentials. - -Edit the **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script adding `-ConfigurationFilePath ` to the end of the `Register-AdfsAuthenticationProvider` command where **\** is the full path to the **MultiFactorAuthenticationAdfsAdapter.config** file. - -### Run the AD FS Adapter PowerShell cmdlet - -Sign in the primary AD FS server with local administrator equivalent credentials. - -Run **Register-MultiFactorAuthenticationAdfsAdapter.ps1** script in PowerShell to register the adapter. The adapter is registered as **WindowsAzureMultiFactorAuthentication**. - ->[!NOTE] ->You must restart the AD FS service for the registration to take effect. - -### Review - -Before you continue with the deployment, validate your deployment progress by reviewing the following items: -* Confirm the user portal application is properly installed on all user portal hosts -* Confirm the USE_WEB_SERVICE_SDK named value has a value equal to true. -* Confirm the WEB_SERVICE_SDK_AUTHENTICATION_USERNAME named value has the username of the web service SDK domain account previously created and that the user name is represented as DOMAIN\USERNAME -* Confirm the WEB_SERVICES_SDK_AUTHENTICATION_PASSWORD named value has the correct password for the web service SDK domain account. -* Confirm the pfup_pfwssdk_PfWsSdk named value has value that matches the URL of for the SDK service installed on the primary MFA server. -* Confirm you saved the changes to the web.config file. -* Confirm you restarted the AD FS Service after completing the configuration. - -## Test AD FS with the Multifactor Authentication connector - -Now, you should test your Azure Multi-Factor Authentication server configuration before proceeding any further in the deployment. The AD FS and Azure Multi-Factor Authentication server configurations are complete. - -1. In the **Multi-Factor Authentication** server, on the left, click **Users**. -2. In the list of users, select a user that is enabled and has a valid phone number to which you have access. -3. Click **Test**. -4. In the **Test User** dialog, provide the user’s password to authenticate the user to Active Directory. - -The Multi-Factor Authentication server communicates with the Azure MFA cloud service to perform a second factor authentication for the user. The Azure MFA cloud service contacts the phone number provided and asks for the user to perform the second factor authentication configured for the user. Successfully providing the second factor should result in the Multi-factor authentication server showing a success dialog. - - -## Follow the Windows Hello for Business on premises certificate trust deployment guide -1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) -2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) -3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) -4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) -5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 19a03daf36..3a6d0c85ac 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -19,33 +19,16 @@ ms.reviewer: # Validate and Deploy Multifactor Authentication Services (MFA) **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Key trust +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -Windows Hello for Business requires all users perform an additional factor of authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. +Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. -Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. -* **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. -* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios. -* **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. -* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. +For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](https://docs.microsoft.com/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) -## On-Premises Azure MFA Server - -On-premises deployments, both key and certificate trust, use the Azure MFA server where the credentials are not synchronized to Azure Active Directory. - -### Infrastructure - -A lab or proof-of-concept environment does not need high-availability or scalability. However, a production environment needs both of these. Ensure your environment considers and incorporates these factors, as necessary. All production environments should have a minimum of two MFA servers—one primary and one secondary server. The environment should have a minimum of two User Portal Servers that are load balanced using hardware or Windows Network Load Balancing. - -Please follow [Download the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#download-the-azure-multi-factor-authentication-server) to download Azure MFA server. - ->[!IMPORTANT] ->Make sure to validate the requirements for Azure MFA server, as outlined in [Install and Configure the Azure Multi-Factor Authentication Server](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server#install-and-configure-the-azure-multi-factor-authentication-server) before proceeding. Do not use installation instructions provided in the article. - -Once you have validated all the requirements, please proceed to [Configure or Deploy Multifactor Authentication Services](hello-key-trust-deploy-mfa.md). +Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-authentication-policies). ## Follow the Windows Hello for Business on premises certificate trust deployment guide 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) From 5cccb47f892319f26a0fd6f70f0dba97fe549cb0 Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Thu, 25 Jul 2019 17:24:13 -0700 Subject: [PATCH 05/37] updated on-premises MFA title --- .../hello-for-business/hello-key-trust-validate-deploy-mfa.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 3a6d0c85ac..68bf86f2c9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Deploy Multifactor Authentication Services (MFA) +# Validate and Deploy Multi-factor Authentication (MFA) **Applies to** From 0360abdc64d509b039f4ee8334806a55497a2f55 Mon Sep 17 00:00:00 2001 From: Mapalko Date: Mon, 29 Jul 2019 15:48:27 -0700 Subject: [PATCH 06/37] small change --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 68ee7e67cf..112eae89f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md @@ -47,7 +47,7 @@ There are six major categories you need to consider for a Windows Hello for Busi ### Baseline Prerequisites -Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet. +Windows Hello for Business has a few baseline prerequisites with which you can begin. These baseline prerequisites are provided in the worksheet. ### Deployment Options From 290c88e7a56a718d63221e3909403b6adcb4723e Mon Sep 17 00:00:00 2001 From: Steve Burkett Date: Wed, 31 Jul 2019 12:31:49 +1200 Subject: [PATCH 07/37] Fix: Corrected template name in CA As per SquirrelAssassin's comment, the name of the template is incorrect in this section, it's correct in the Creating an Enrollment Agent certificate for Group Managed Service Accounts section above it. --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 1629f3eb9a..1cf7fcb2cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -114,7 +114,7 @@ Sign-in a certificate authority or management workstations with *Domain Admin* e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. -3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent** template in the details pane and click **Duplicate Template**. +3. In the **Certificate Template** console, right-click the **Exchange Enrollment Agent (Offline request)** template in the details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. From df8957e269c898a0a693bb715011ce7772190df5 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 31 Jul 2019 12:58:06 +0300 Subject: [PATCH 08/37] added info about scripted way of restoring https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2938 --- .../restore-quarantined-files-windows-defender-antivirus.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 8c57a43727..a405558187 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -29,6 +29,9 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y 3. Under **Quarantined threats**, click **See full history**. 4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.) +> [!NOTE] +> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV. + ## Related topics - [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) From 7490eaefa265d52ef158bb4ac6d0195e0fae43c3 Mon Sep 17 00:00:00 2001 From: John Wirtala Date: Wed, 31 Jul 2019 10:11:30 -0700 Subject: [PATCH 09/37] Moved Block Installation and Usage of removable Storage up under Prevent section. Added material Added how to create custom alerts and detection rules under response section --- .../control-usb-devices-using-intune.md | 98 +++++++++++-------- 1 file changed, 56 insertions(+), 42 deletions(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 537c68720b..9a39484151 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -32,8 +32,8 @@ Microsoft recommends [a layered approach to securing removable media](https://ak - Granular configuration to deny write access to removable disks and approve or deny devices by USB vendor code, product code, device IDs, or a combination. - Flexible policy assignment of device installation settings based on an individual or group of Azure Active Directory (Azure AD) users and devices. -![Create device configuration profile] -These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection. +>[!Note] +>These threat reduction measures help prevent malware from coming into your environment. To protect enterprise data from leaving your environment, you can also configure data loss prevention measures. For example, on Windows 10 devices you can configure [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) and [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure), which will encrypt company data even if it is stored on a personal device, or use the [Storage/RemovableDiskDenyWriteAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-storage#storage-removablediskdenywriteaccess) to deny write access to removable disks. Additionally, you can [classify and protect files on Windows devices](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/information-protection-in-windows-overview) (including their mounted USB devices) by using Windows Defender ATP and Azure Information Protection. ## Prevent threats from removable storage @@ -155,46 +155,6 @@ If you want to prevent a device class or certain devices, you can use the preven >[!Note] >The prevent device installation policies take precedence over the allow device installation policies. -### Security Baseline - -The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings. - -![Baselines](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png) - -### Bluetooth - -Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. - -![Bluetooth](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png) - - - - -## Detect plug and play connected events - -You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. -For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). -Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). - -## Respond to threats - -Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. - ->[!NOTE] ->Always test and refine these settings with a pilot group of users and devices first before applying them in production. - -The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. -For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). - -| Control | Description | -|----------|-------------| -| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | -| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | -| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | - ->[!NOTE] ->Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. - ### Block installation and usage of removable storage 1. Sign in to the [Microsoft Azure portal](https://portal.azure.com/). @@ -235,6 +195,60 @@ Windows Defender ATP blocks installation and usage of prohibited peripherals by - [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows) can block any device with a matching hardware ID or setup class. - [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) with a custom profile in Intune. You can [prevent installation of specific device IDs](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdeviceids) or [prevent specific device classes](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation#deviceinstallation-preventinstallationofmatchingdevicesetupclasses). +### Security Baseline + +The Microsoft Defender Advanced Threat Protection (ATP) baseline settings, represent the recommended configuration for ATP. Configuration settings for baseline are located here in the edit profile page of the configuration settings. + +![Baselines](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/baselines.png) + +### Bluetooth + +Using Intune, you can limited the services that can use Bluetooth through the “Bluetooth allowed services”. The default state of “Bluetooth allowed services” settings means everything is allowed. As soon as a service is added, that becomes the allowed list. If the customer adds the Keyboards and Mice values, and don’t add the file transfer GUIDs, file transfer should be blocked. + +![Bluetooth](https://github.com/MicrosoftDocs/windows-docs-pr/blob/v-jowirt-updates/windows/security/threat-protection/windows-defender-antivirus/images/bluetooth.png) + +## Detect plug and play connected events + +You can view plug and play connected events in Windows Defender ATP advanced hunting to identify suspicious usage activity or perform internal investigations. +For examples of Windows Defender ATP advanced hunting queries, see the [Windows Defender ATP hunting queries GitHub repo](https://github.com/Microsoft/WindowsDefenderATP-Hunting-Queries). +Based on any Windows Defender ATP event, including the plug and play events, you can create custom alerts using the Windows Defender ATP [custom detection rule feature](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/custom-detection-rules). + +## Respond to threats + +Windows Defender ATP can prevent USB peripherals from being used on devices to help prevent external threats. It does this by using the properties reported by USB peripherals to determine whether or not they can be installed and used on the device. + +>[!NOTE] +>Always test and refine these settings with a pilot group of users and devices first before applying them in production. + +The following table describes the ways Windows Defender ATP can help prevent installation and usage of USB peripherals. +For more information about controlling USB devices, see the [Microsoft Secure blog "WDATP has protections for USB and removable devices"](https://aka.ms/devicecontrolblog). + +| Control | Description | +|----------|-------------| +| [Block installation and usage of removable storage](#block-installation-and-usage-of-removable-storage) | Users can't install or use removable storage | +| [Only allow installation and usage of specifically approved peripherals](#only-allow-installation-and-usage-of-specifically-approved-peripherals) | Users can only install and use approved peripherals that report specific properties in their firmware | +| [Prevent installation of specifically prohibited peripherals](#prevent-installation-of-specifically-prohibited-peripherals) | Users can't install or use prohibited peripherals that report specific properties in their firmware | + +>[!NOTE] +>Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. + +### Custom Alerts and Response Actions + +You can create custom alerts and response actions with the WDATP Connector and the Custom Detection Rules: + +**Wdatp Connector response Actions:** + +**Investigate:** Initiate investigations, collect investigation package, and isolate a machine. + +**Threat Scanning** on USB devices + +**Restrict execution of all applications** on the machine except a predefined set +MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built. +- [More information on WDATP Connector Response Actions](https://docs.microsoft.com/en-us/connectors/wdatp/) + +**Custom Detection Rules Response Action:** +Both machine and file level actions can be applied. +- [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) ## Related topics From 63f5ac9601f6e1beaab910eaa843f18d19670090 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 1 Aug 2019 12:43:41 -0700 Subject: [PATCH 10/37] adding images --- .../images/devicehostcontroller.jpg | Bin 0 -> 45079 bytes .../images/devicesbyconnection.png | Bin 0 -> 6885 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/device-control/images/devicehostcontroller.jpg create mode 100644 windows/security/threat-protection/device-control/images/devicesbyconnection.png diff --git a/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg b/windows/security/threat-protection/device-control/images/devicehostcontroller.jpg new file mode 100644 index 0000000000000000000000000000000000000000..fd0666ef4c6cbda273ee0461f7d35be6b0a7da08 GIT binary patch literal 45079 zcmeFZcT|&EyEhzrK}1ABWgsI}MZiHIBPCH$5iv$AAbk+20WwI3gp36c7+?Safq@7} zQ3RwV)I_Nwy^{cm)KF6>Ng(aL=RD^;=Xsv@TkCtzyS}s5_s0p@>n6#adzX9f-@dNj z^}8Y-6MqLCxpl+r2585Q9iU%;KahAFWCGf?bLU@A;ISKc?%BU*&+grO4({8xcmJV- zhYm>`l#q}-eDsLqVd=vX5=Uf@NXr~Me*E|$DY+A}$4(qQcKq017um53_|EP<2lnha za7FYlt4SBckGhhA#MSIL7*LbfY$!i;D3MY*a@_8@4o#9 z4oUzgR38ED+_7ud&fUBIYBg{+2KXGbTYAsY(?4C=D`VlbPs#U~&a=dv{mNI%zZ}2U z&r-Sg`04Wl2W90>oIItfrhew^IbA({$j_GyOs-wOVS3Z-*8K+$Ev+6|+c-aQadmU| z@bvQ!2n-4i34QT0A~Nb#bWBq6>y*^AH|ZIzbNdTHD&c zc6=Kc92y=O9V1hwre|j7=IINIOYF7vjZF@hx3&FOzjlCj{jFPn@7cffOB(3c&fU9r z?cVoSzjo{l0?IDw-Fr^|wD;&0i+xVMGD)HQV$DaRR_3ZB*`_Fz+K)~GtZr(0w5DX-|Uv{ign6Jw(qg-W9?c=C6E$MSa zAw$HzY-`0^@Hkvp-soHORndUr(V@L@bhSb}ta9tz7_GtCFoY~*a{L@lPT?ZuPGMWH z`+0dH>9Oh2=U$_msLF}-x%7S+u9g_I)^5mUiX>m}*zn0I_1K1`aK>v&(6ril2(@^) zXL;Lrb#t;RHTz1O_dGs%_51{iypFBrY8(acTjD^{?om9omC-ntBxK~7oSjs=Rv!t1mT@&cJ= z>GO3NW>MsUV`f@5-lU6ZqTOPUGtcnuKI`kp?(X<+DaY@Kx=|%vaNRyJh;S$qy#7|= zwWSX(uk_EJ4&R_ls4ZTNTgf?)hWfpclB)Vw&VSq)y#4#ar||~TxqzvC{HxW)`|ekf zL?hJ=l`#ie0@s>4jk>`!f8#_ksP?k#M)y71!+5hF*RRBJbUI~PzR?&pU}}j$Yu}2` zs{Gy5RV8bm!gYMB8jGZ)ZXYfDMtQsQJu%;l;OOG<&~2?@GEPWMd0LB;=AlGKQ)8&p zh{~~Me(xl`+vBNkFBi6P4m43tjJ3d<#|F_PFr%VPn-8I0K@x69Cv{OjgD+l%-Y9+z zNhy6Cj(21J z3=#J@^@y;LOH&~k)*?2;L|9Id#_R0}kKuXT&H$+so{GB&nQd!^%Ox6H*)9p>lb{1H z$pXjL^^wum1A1QtlEsCQA1Pe>4DCvrAJe`aWUisyM91OdV$gTpcV=V#j+Ykjq@%j_ z8aG+>W1fnNgXc#W->A!GshZb&C-lSS(|?Xu#$<9(G$|qX#k&c#T|XL9@GdapeZ78a z--KgF;W!-Y`xKu({<9dA?GQXRfDvZGXa)O*A6O;v_M%>iL9C2BB9&jZHG9W7HkrZq z3=!uRkB&PR_K2QnF@Z_v$I}=o0_75)#x{i;^#y2GB0V<1KK%{)MqyFD z#D#}J&GhST3_mdofK|40qT&LJI|=hb|Vb&|Ac(FISp}Ed5gvqLKmFN84oP3pWbuK;_{wj zukY^cH_NaAoym>)Zz-*b0p`I}Yt+XiJ^QY1Pnx#qTJD5rny*T~r|i9!&f1fj<4Ekx z<{Y@HV!1ol<~nLE*dBYSm||Q4D%{S`(iKKj^&{ zh{i!%#GuE&L4RKhz-|ev#GubN#GvUV2~*OL=0LEX?a5!Tb*%BU8-k$Gc!75v?`^hz zwc=4EPxrKYgsAl(bdf*=W?=ZZ2AE@=+`?XxOD&cY-20=fYaQE*;=sm5LQq&^Nw<*w z<~r7Wo{CTvgZjbD1fGKRS~Y4*SPfKY2~@bOeI1iZR7GuvzY&9Gb<052tWJbm0Nt~$ zGr!Kda9fKT6p}TFR5mCZ)Byy&WfJb#OC z&Looa$OLBS7yWMKAYA0xj3>{#L*cnRYKNN$;iS5E14-QVdo6Irg zr?+#LyP-p3kXLoI-htBO)sc>J5jIf`ffIu+18}`O0Gmg{IETa_%Fyjse?~U4V=uGH zUKREQAdWBMGpcST8RN$CgC1aOxeoXS<(d8H0Hkj~&N5z(W!pL1sbYC2)6tbVjpan3 z^VrIdybU?u*eXiMqL+2>SEzFM+-;gNDK$YL&$0R_Y7akC!w!s|!8kC#nP)ZzcP&b7 zSJ8IEltvq0b$axDX_t}XJoX)IxfKv175Gm#VCm8A&rhYCklG(RfpWv)VGMYp_BwOPIGGt1Thnw0CtQ}tQBLJ>k_{D`VG zfYPHqPYuK$ktohXIxAfr$lZH}4WnVxc*s`&pS1%r?Je$Ki$QHf;c1*$H&e2R3M^aE zWauM1&2t+Qh0yz5t;0H0IJkP76;>6 z5_#%o$(EynEBT8yPrN>GA>|=I6)-tnDW+G-)6Dvz;IYo56u3{~XI7pMxuWMvMMEKn zpA;+xxoO_Ag~S-vR2xHYW(Qrn?q6%VkG>UVm8m?;t@R0mM51qG>kOP8-hgAxhpTF% z7^UZ@b%2Ta`Ni;ZboKticnGQ7TBWCzZ|Fi|Z*R?Tw28x2u-(?d*FQQp4y;Zg$2L37 zUpbt7l4_bLx)v@&mk$iRkM%k;Fpb(Pb=c$stYxGT#)^X%yjQf?La$#0zc#4^rX~Mj zSFtJCuVwYy*>?T1gLV@HlE_>P!gDbRxlUo+><8w28Qowiv}Xc<3Ac`65`Aq@4BBBU z2E~?TVx8Z#K(Zl@N1ETOx9Zg+cxGxtR{~O?*vb%1F1jRroF>{;L3}s!b8+E)O8c8} z@XJR(+%7un_jHrFD5O$v1SJ=XLA|SmqMg8;ku&|LS2k6aQ9Dv*m&BlTz6SuVaR3VS z|MSa{l4JjK#y$A|V0<5iBH)s5AOfjZu%roh&TL;8D_dk6KS`Y$`W10-;VyJzaAO0L3B3kv zcS|_IIm8ic-&Tki^t{tiq?EvWko}_=l(Pm{aC=fog6oRk!{)zva4syaKWa&3S$`YP zIEEl@>KC0J$+=l3>U|o+9}UHP`~0uXxeuPQ#AgNti`WoMFE7m&%RUzNjG4BAR-O{- zv$ab6yLIIAF^f9axnTZgCFdE3i4S233%{)q#GuMQM{&HtCW2@ei&$8;6mB>KtK8t- z9@sK)sU&_8gFvN@Q`E*n^lcWGLrrHJO!tg-2kU#v>R%vrh}tyFZ-hw)ApGjskS5wL zUh^Z|!%?)}+okPyU!(O_hjR_<)FRT8(`{`429id z5O2;eC|shUJlQPX@fE>v)9iOyTis6AbzEmi4Fxx08k%s8g#m^*gT4YjqIV#PYJEDx zaV7X+P+o&p<|OP{|DvBTN=dk0f-@QLDaf|=K5svdSx4i5?=b5!%|Dg*1&Kkf&CV{h z(%=rncSNmSYRY%p)u;3agbH4CkP!vbOZMsWNTt2L)wkC|yMh_fL=?mTcIo zjZFR+ix_zOTy^YKYB@UE?s{4jBS7kiqkAe5HmnsOA$P5AJohTArT2utX`1UKUtbIY zvsJB0Ec^N75DyfFExR_%P;h=WKd70gnn;{hULn^f)LJq25rYygxZ<(;G~sdX_zI$S z%}WgGQ+zw3`B8A)jbm@AVECYVvc98%V3r)jPq1rEYc_V>rku2D4}BgI-FVMijr;@l zvprQN}2uB4WNKldm&Adkt74Usf%En*6u#B;@nLO_R;51~=#d zV`7j?v@#sWuuLC%;(7yem+8p4S5u-f#du$`h#%!(kCZabGjgqS)BVR$StneiCO#Yq zzQI{;kqgxYAK5%mEn!S@kJAkfY;A-TaLJYVT8}QjnMCi))yh|@lnyxJ3S9pjVink^ z=nNQt4%ve?nUd%|u!z9EM_;RdKK@iGBotoXFaSCD>b)X2NHqO04m`yuEA{x~@MR|J zj$R7%L2dt3q>C67q5#QPoC@EfVUY;HmGKpWXd0#*z_?!Lf`x0 zErtXp88=prk(ntnu0otT3w0~jo~6l+(k1Ijnog@uRwo%KlQ=GwLhcyui;!E$kf0gw z;@e=i_z9vdn|}a}G8jt?dWLF%zoRULqFT)Bi!~x>$C_{B;eSnV4{THZC}{!R01U1R zu;!%A0k~Ku{U_$+{r#G=V$jsR;1{B(&R&764PaIu`xm@A!`($Q=>7XZxr;_{qVO5O z)U~XI{VSY+S?`Umh(RWEbdiK6mKS6EncGwO_p1J(`K1WaarIZQe{W$K&_dIHg{ohT z*FXMeT?v1005bVs(dhpX9RCqv|EIVAb8ms2_kU*cf5W=HjeWVjqyZ7Ar{T1PCYq$b zEqc=57d;Z$ePCQG=O8KPtld6=#w04dmxu7-uFxv^T9n#eId{#%NpdqL3|j1u7lVuk zO^&IGf<)2-3BMYzA;@W>8wtm;qxm>dlpaRH(Kx(|w5A(eENVP225np_Ua)y_IXC7E z=&w?WY|Bt>f2BL-?QK-#wmvKxY3HWah;+pulmMBZ``gdpIK`tQM!u}H7OG-j>BzXv z(0N75!2Er}6B4Z~OBX?=O)F+jVPs5(ejM;AdmPnKGh{^f4-)YODVzA(Ahpa~+T>N@ z6P9hqIW6e=xudW@%ASQQ3c`o91TNo$y=l$80YSyqpIKjg#2`=9B@TeZnxq=0;5h9? z+r!VD8Hw{V7moS%&waqSVOWpB(!r3=rw&*CnjjbTBog@=AL7h6$^ZCC5Fa0pGkONl zEXU`G+QMv~292r48}QTM79=Mv3@c^!c=SRCF^rt3CS`ykbE>wuLY~F)ut*1OQp59h zez(-GP0_q(+g?|_WinxUJfe#)oiJ%QbqCoKkU)uj#F{UEABSif!E-|IWQFL>Wf2SM zc8y)y-sPvC#>8i8-N$mFSO!{fluP#;dKq&1gtFTdVuh>yY|~q!Mb7FIK!LX&k*inQ znsfYQYa61#09OH%7i?NVFCjZ|L`w+hK6uK4o}kie}OR03+L1BbRrby{lC&10Uy9 z=GYm`4U)4Qw05}ela^YqIi0SEsuVGCRB!Uy>!cq9{15rvrv*P<9Oob+(6F#V%94KF zlhGcgpK3`xadkV?dWFga=$|-XQW;cY_~%h`!Lz}Z~~o@Wm|;1=yWyK@D>uh zx~~e0FYuy{cbL+|AVo6P(2cuX0ox_&oKiqEhgyE}S2)MDwTCMYt_+kme@riyn1G$`ILcy5{#JzS>eCJsXq3gRRjndQ&wQC#6=FmR|?pXk2YSK zG9&djWUYtu=|Oy^P{_1Y5tc&x6+iluB!C73e2N`a>LTAvS`AOY^UZJL)Py}z46owK z@L^f+X~{72^8Qu2K18<9*3r=u>Fo{JsD@qZ3Zqc!t=5V0rkb zilLR&fJWFu%;Uah;Nrg!(qj`;ooMwPWaUDdNJliBK8<*0(;JJvT}RC;@pvDm7js3W zk9;Yqzh4cW+T%DIAz)@n(a4V|s8#pv*;W82_S$zry9*6;DK9TDGS*k9Hhu!|;#t5| z`m}kRyJ{Vjzv$=S5Ns?Oge0X};AwC?yI^;xncO*jEGtIItB`YPXC9z{) zvJ-y;p+gpRt&)&UIM*#1FcALYGr=v6RUCq|8+scRv8wsbJVA}(jd*AwA99hL-yqTVud2Q2KL390YNkH?@PJj17Kvf` z4ptR6?&)g_pE8d1{x!AkW8#wMJk^Sn(S7Y~b`LwEOixe_zxyz{S( z%#bx2r)_eovD(7ZCQv#*bI;9M>kY}{bf^rkDEkbH^S)%u7U(8%{-cwK+<}4>rc3Op+YorXG zuC1ju+RI?GfO%Vcc?e+SjJm(-_k7Kri4^WDq0DvPrIvTc?ZwR^A~MyZyuPh9>Bk#r40H*Hy1~+*-f;0$!QQ zU_2n;BZ4~4msCH*_&F*qUPK>bNwrAej(QmE8K1Q6K4^W;95p*$1$`RQ7Y@WO=rCLf+GR#%pxQR9NH-!y(RymI^nR$a zU?D*uwT9W={G_py!LFQxqV!sw&-5H=GM$E&d}6!CmAQ++4X;0Xl;#TKH6og!JO?V*w@Z8L?&u;LobzQg64GgP+*9uI2HR})en z_bMrmAv~jks1wac} zGl55`$@_&Q)1VJqI!#HsI$v~h-*m;64`ZCTlup5Jt2FJE)sjUUuTQN(KXit12{~9riP1)cQN^<)}y+7yzGSi4wUxVVT1uAWA-${pcQ8%`|9&x5a@y zxjD!?dz^EppnY2X`R1gSaHavDhA4-~4hVCH2hJK*VK2#qPJ0(6kX)Jd_WEgVdEFjJ zj1v;c3HcFm&i(Pjy$U3C!9JwbZ`fv?Wh+_B)KS01qaB4y87ag0LxcA4SB!x<=*@}M zh~!>GBGi;j$rghudI}2>Q?rBB1bgLMLysFp-^|~84+i7$rfI>{psi29sExb5KW9gJ zvMs$~dq54J^-+@=_HcaHmPVa6_W-}Dn}VW5X470CS_u$x_&r8F(QRC`8SI+Q|7l{; z``x5TX+FNtS@KULRxYd2T9LkbPra90us$f_<$b5G(85@~tp;j@5I>jq_T)wGDNO57 za<}ekL!0QSp|FXO&+N4CE!%|nqR>}Bs zXf>)8D^*n{yHFRI3CS#MMSmN;zsNtG;f2NE*B$&qSW&G{gJn^BO^X)R7E+Oz7u=bWcqf*uIoZ@I8m%Q@ScB@QB zBd+CoTo1%Rq@~fqAh}B3pgrt+H@MkxdO)}FwnITi+S8`!H{OZ)rduKmt4jdH6M~9- zu&$VUH&>qMEC3*F<7p{baw8d2Ftd7gZzrI-C>WmtpkQB*XLR(2vU^<^MVR%`n=?l~*B^eWi#W5+c!;oTrS{Xm={DF0|RVB;90EtCQgyaMJ~KY2tTtjH>Vf5ZSzJER&vU+MeykFHuH*a& z;*vM9C-b-%)JOn_QLDl`ccFwsZdlqDbn{W}Z?ha999-^w zU=o<$f8r1K{l_lyUpyWM0=;Y?;>8#m{*V9q_QASC%32b(ByGi@Q2_1xsEryK>yFXj zwNn5UR|fEdIgKEf|IL%#TIK*`Vq#vaVRj*_NM4iaga^>7#I z?&dsnzdDyKcv$;DPeE<)!J6c7T{kDhXpF!K1}~jENT1K<((2{MFaH2 z@6Mm}*bim$9sgLVX2zsZ5Aaam6OK?J930M_Yw+xvg=&*prg3kFa3m;NBYha=sj<56 z!4RyfL4}hMnCukhi`i}UUhmt4iE3S2bmgpnKwScCa#GYCrW@)Sox5lt8{x|dd;xx3 z9yw>xF!=}R>u>SIdmTWGbMhW_;gsa&LOdNYINy+{=3RL?ekGw?%@`ItYq>dH!%bwG ze2+0we;|B|HpeK|u_#z4F)q&S@&%oc#XM^r#6x zU7vBiy>oVpc6P>fJNe5t{h7d}?0TuY6&|vk7W@Rl0nQh?tv;bgEo;GGud%SP?{JnC zBL)4{<`{iR>@2evqng7(~l|`aBs9sRJr$U`e%;w zr%0#z1~=l)^u@RC97?jt*0$hPJjzWgvBG8o?P^O%1*gRD%0 zu!@BhFdRd>*FHOueU9IfL5SY?d1I`q#O-#4+3LvB;t#hN=~8RhPE9dLO$_2F5;h+R z)CN8A8NY|x>X0#ocO#c{+sT>A=z7u%t}$Re-wnP2-j6(`O98Z4x}%?lUN@_Z;NQzp zjzi%IYrl&@L6TS0<7@>EY@Oinrr_!~n+ic@F~aJ4`Bx=^!bj*{T1Yu|@8$zIF3g$9 zPjDzhkcY)12Qa%J zb~>~1>bUuk6A_0<>!`gMk0xvs8-!Ooe>4j|?~_{_W=5r8;zS=FiuQ81igw+L>8c#j z3^>qGk9>*an*DTkU9DXm3=!-ozVq9`Gr9lYlt?UZ6U+7V{M*re7jC{`blOx9SpwLo z6W9fmL(0D*=5IRxo28H5o1ww zMjOGU4U;$kO;JJ;SEDHRHzWE?LR2+L7A?Z?q8^b=1iHxR{djL<^~K5E{Z|eP*uzo_FxMED#5!l-5A)m;W27}iS0?dUH>vH zY`Wp%6l_&}+7K2cYmiM+AVkxNL3J^kKEz&rniyo6X_UdyseSBpUzqyC02KRk{Lu%1 zGKk(OGZ?^(2<4Dig-vw|je^h{)de0*i5^w-yRyP=?=>C2HKVV5(pc$5JK>v6(kk4N zeq|)LA{D8z3PaRluFf$&I;EH3Jb@51^9MdKRp}@M!wT?We|K)C9$=ATW-EVM+2iwTO{7 z3+LO^G4}{GhSBQN!c)o`)JN9l0l}0iE<&%nJ>B~d^g$0jtmf<*iF^8r-F!L!DzXym zQ(cfL{GG$maWwHRrs(=zd;BTG%`6$~_>+tXg!G%zZk3W=CS(|$+KT_~34sL0oa$Uj zyHIua-FQJ%*b0B(N733FN8Td8)qE=Y1%|J)9Qr%tZg**$QYyIOokzgaKR#-6dM_E_ zYS)DYVE($bpI{%`E%JLK31c1i@{~e0PBzV{$iCssr*~&HD@-H_e|G4%3)i3<>$us_ zj8RS!TeB_N&BuGAioJua^6NxMjOdnoNf9P<6@~?LIGteb@;fmo@?$@BWC@9tM9N+5 zLE@^66mQ0P=iF3aSWFIv8ra=ftYi+!Y56$E_J!}~(OSWhr7mH$x>+UOIKG7Gl`wWcD9Y{!i-~w8GWRl zWMv{XfyC3mHvr1(l%eV@gVC!)n-W>EH|HuVVxADLJx9jAIQ$h&|21>8=Qd!6(>6Z53Trmn$Fj2R+mt#vfy9wB zxprQYE;DCeTEs-jyHnViyrnSmc`6=m3m(g=}bi`(eC?dM0cf6ZjgIizthzd|`OGaWY61q5v;*6W4aMhJG86|1lXC8s(IkqN%voMB}1`=_zRue}!y zYRPn?#cB~EMc+@jT|ujI`TgmY-9-6erCQr^w<42yTbaUoYJLW4ON7n(BBV0YGIB%i zVC{I|Y5qKkFv!^8YfE*6j^5=3=-E~g60_83Kcy?v_Vp^kXVqq@QS_}vR~~pK^Ah6* zZd%^@?U2?*^!miaRgq(sD^tG(k?m&gk<5dQV73V;{yq1RP}Decqx+XdOHQ^wN0w1xA~^7? z8uT7g4HWc}@&gIiN^*Syr)V`E{~MR zuHPCueZkJQ{+C-(fTpqv{1Pnjg#9C{H8NJS!N9ZO*QU{PeV^c&{m`dk5a43xj1qW3 zrUr+jTnglu8%66SDN{V$qPsPbH?i{T(>Zi@Po`|V>9dXB#MezLs2Z=*gl`lxps@=?~Ly@lEmEKXJz<(TvdsuQeX!_H1{lYJJ5 zKNa`BF1Yk|uT0aLwcY3V-?L5_eZ?BAB}j{U!*vsEhRXaEeDmtU(BZ1$hgI3eQa4|~Qyko#-MtebCh8qJZVV%B z$k!Q$T(P2D@)t!7_8~NDfkCqkNg@<;*&H(B-;UPl-xLZ zQX)D-1iv%9(MzMsr{@NJ%9wP`@Q!Y@z_|)DImQ7F`*?08!H6~+-8%zIvYg6E8obo* zmIIQcPd#CI631WYAPheFNent}p~Jhg#JtNoocW6n!=>++3TY#%-~K?a81J4??CxG3 zu)0Dk8+5{D;YF~hjVn`@#2P|a>fnkc4gIO>RTp3GgMrs}Y0vOyGnQ2g;z(8fpg+G; zQvubM#PS@p?KMh+lux|NZ-FiJO1;L>sGE@Apwc}09bT4qS#Z?dszwVX2fHpp*i1$BU9epmVYOeZGkJ-iVP$EWVPcS^uR&pR z*-4~M@WfWAzgbyGV81YTi(&5+)#DG;d$w9(Ql>*Bxef*5p&vx&dDb%+=g+^A7whue zDf#pD`Xxm+i*+w-!{@l7IW0h}9M2|AY;p8{{v(KMv+uXfPQ3y8CzfzS2CQOjbocA; zr*Vwk0QYINC^#&tE)Mw)JM3sv@^SlcmNB85pH_VXku^LX|7V>t_Vb?LvRBYu!Lc?C z4MU7mZS(df7N3UlKiOYJqADBnhfw8eH$~V>ka|Hhe=_oYGs|!qK4B1n&zmv6HEmi; ztToFUnU7EnigfZ?NL1226VDPc!^%3Ym{tX6US{bUB#vyZUc3swvP#*7E&6hp6A^N@ zv3-*BQR)O*gH;%Zewb%G!Lp?;Lco-!CJL4OB&F-C$Pe1AQ}!mBgF zsWBOX*Fwk_ksMUMqWn{TRY6}<6`u3SwvdefTIi=Fm3Fw4#-)ukFk4BxH%YQfe@vQ} zEuF%qOa%>?+bpTNW=xI4h*)j91L?xJXwL6f!3kc3lXHl>UfaElP@6BR1+{)V;rtql z(`$iV5zo$rSEL;oXl;^4AoN<&C=1&8-n^P&gf`ZbKGtcTc zh{>BZMW~7p+0XBAz>!4B!JJRer6d>di8hm%+!^z3UDzk%fA_&?l3i25tXZFF}DkJjK_UKr^%>Xl}x>4;*>1qvIGa@>} zEozpJt0jvje@mKJH$-&Q&HEl7e1UZOJYv;3{BA?V+MG&o%-25?2u0Fc4NF$93 zeK8PFEa@Yc+O#I|H4$$({!QUw6pL-e9qp1}L8cGK7Lm;gd9NsoU%Bxd{3#sS!u4sr z8g_z|HR#%#>=I<4{p!5Y#T;JHt<1J@E&rkZTw0s)Qc#~ z6mLd;m=mhVraRJ>{&s;T*hjrmAV z-9Qi_8)e5w^@LDNSZh$7Pf4CiC@0IUz_76mNXzqBFW8cyW0KW+xf)sJ!=rFkT-PXp z62y7oNeP&xIHdd1m76_g0i%-KIC&ZfoX0SkB0hpdf!B5xDS?Ug}0&tI8|!} zxDdoy#~jQ;XH}@>WY#Q%^J!xITjiB=C^H#G#b}!>6l7};F(0J0o{}efY`-&DZ7lm! z3BKDhw5obNHbn-{eI)~rY-|hy4_c4Nd3z7-ufdNv;3llD|1T`Xs1K#)fA&J zf!WhPXxMl4d0n`*)}wOQ)|{|7H(G&RaQIBiso{^rAK3wo!zBf^hYQwB%O=F2{FT}u z>K_7}tAE6RLNs?_*K(%4>$mMC+pw@AmyF{#Qgtz1nZ!9qYV}&-XMU%4ROKQ^E@*_) z=V74ELBbW*C-TP|JGV29XJ9woH~|owq@f*)h9hyy4&ML# z?myK73ca(L7do2xPj7<%q0-BW|I-lW=D&`JXXC~q%FU>ZE2|z@Dmyw|7)4K4f+w9>qLb?drtQ&A(ZCN94{>?o3fYluR-fz(iB6ff?n7LeGLBL+QG%>d*(MCu3i ziT7wAC+9-KHVYw?T-ZUX)E2}ko&&gPbC~e3=e8^{RG5yPb!S@%LxJ-a{H*$_Ko-}J z{k>SFyTg7E{4|Y~wha#b>d-O0H#^uzx6*UbI4YS-os*hC)Ru2UH^_gE7K{WC(>zc` z@Gylcv#?)3Bu#w88hs%7UkrLH1r_EQVbq(kFYB@iD0!o4B+`G40qr6uJ-Gws8H`|8 z>e)J|7@9;+S%6O;0#!6Q_A|1uR&$PIzY37O%U0fO<vsm$FUU46Y4*Su(?9#k#2c(7V%_{CCWWX2R+Jl@v${xiN}>1scii{gI* z79elck-&p|_ts*X*W+0|nUZa(HC0(oC!^@V-ODNWR61(Jwc#<}2M0|94CXjL*s6(g z%CJ-EQCG5;`Oj|DWEA-#Gt(`(T)(iFNSGDA-SDrMt#r?zI9%gvucB*$7Prz*BMiCq zwtfaPo!a)s@tNOIuk;C4slE%@%J_^a%JkA$^REezV*u)2=v9g zj>1KKn{b>LM+chYfjo5v8HiaJ$Q6U6w%hFzn2C=lqtC+?$9XSIGan85p9u)6!LG3V zmCRhyC+b)3b7_8+zQS!4nE$*HguPnLj39)cPP6aa(dc(O@h2Q8x5OoYVW|qn@W4U;3V_WAfF6rLUfFPQry8L1d$1`xGL=AA86X zsyL`?Yp-oKbUbyM+F|r|%RZ{G8gPPM&ejiU&G&tz59!HcD;=l}COtK`)ej3r(^#5P zk?Ct*&Dcs-+Qe zg$<5dLCFpv;p(?UL*loT+C3I?8(59 z*$y5#Dtu^{AagLUlmleu(MxbVOQNi3ppj^>C)RGVC+%Wa|2_|u+bh^+KT&|npHTo# zzp|m`OtKV3j@Jd?gQ$8Hb0N zpFApmW>Q*nDg@XVdpR^$zyxs8u(e`sSX@!o;&!;%x` zPCCl@o%%yA*jfNag6{{|`yu+Dl-n*BmB5E+t}nuzyONy&`gTfz^!@lcv6g?9wjAn^ zbBL0aGE3O6oFq|*`FFby zaCC2-f^%CPIBLE=)?%n+^<8zfEqQpHVbW0Wml7<7ZEx~@q^@&X>d2L&#KO`mdi4u_ zy+p(78BG%2i|Z?I?TZi0g@cmPy`kRlv?W?#00TjBn*W_6BU=YQ|K><&0#LH3%8OQhq}*&3@Ul;TIt}IlnH??Dt+tR z<)sapyn84idQEN>VRBQ3?h4uR8DuRU#&UfNNYzzQaEw(zXpax zD`J_1>wuvj^BsMW)$Uly-kTFr-p{PtQWT%3k9Q< z>#Mb7f)*p$v=LIcowGi&%3WD5p-h}VrB=SDr}IiV-(L95#x^QmTmR0p ztYH~ooC3;l8zeHxp>kBuur>e#ozy}Nu;3CCH@UDyJl9a|#+HoRAAEi6F`E6h;t3%x zAPY7XSU;s{WuL)WzdN*A=J+7lBAtpl=Wb79C^s>bd%rT*!K4Rfs~m&j?7SjR{lHNV zJt|JAJ>XzKbk?pS)CZl6Z1`1*M$wNUGq&l3t-F=zUINp5+v*vR#8w$t;`_m|``vOl zCV!Gku~e|S+mPW7Ug^7Dp^sf@$1ECSnsCAj4a_yjkq1;BJ+Drl#-okfrxM3XEoQ%24SCVH1x`68_F8 zO=>{h$Qt!F==>rdpp0-S-jQ*el zBsu@e>%39NK1TT=G^HV<%8)>g6i%<)oCE{_f$j-{!wpimgl_`kYKIjtolKmP5H>|f&N=Lb9Z7H;t#SifK5lVH7T zq_HdrdR7J3e#LZ9<59+FtSD$slgLu} z?tAkZlUJ#f0r@v5nfN z&Tb*;OPG(}p|6uC!Mx(PfP_DRJnqopfBKO*tji5LVWD4R;=)+lOOE@~AbVEt zubx%oO&nV<2yTDPSilMF!ok8!t%hBk{Z;h}P!qqxg>C!E$$A~LePax2&>J6^@1SU3 zgXT`-tZE=T*wUdNDtsD~_G^P`N<0`6+qJ2Mf zl=cu#<=4W`kyZU8+klKkS2@W_DH0t!!;iDGY5_kBR~uXrSoyx4*y_})Fmc|KHTli1 z4x6V=#?iMJ5%-A76)4l7<*P_3q&wmJJQQvsD3-`I$Wt+>G^3LJ0q&iE0Z~{kjVq0jbE{= zeP*;#XgX`XaPk zZ-=vYF9nwK2FMgj$8Gf$^FrWT32wK2f&#V#Ok%=XVMpT+yGnS?>S-+g0~Di?Bucnd zrohF$r2>+hdcb8l?mVL|NX9q{7qA;oE#ZZN-%!|PK=itC5cK^tzuLJKx4s|ncK|Z5 zk6KI-wiGL#2Siz>!eDh#ec6Rj?PM+jGj*G&|S0zZ9x&`?j>?l-elbDNu4Y-llbM6xxm#6o| z-2Y5HJgkQ&$iW`Js{2B622N4JE_=2x6t^&tPOd2(bRAD>*AW) zx)&cx2gKVfD1Myt+b33OzIRS=-MmJxboYB`wsYUc^6Q&{Dq4&V?cPdm$9e&a`uK4Y zmO}c1&v+omwcH*qs!2Vus_8oTHG59YOhN6sXnqVx;Ur30s9mQw_eQg95xNGe!|ZIc zcl89(Sa7xra$V`l|6=dGqngayc2Q;=bsR)Q6h;s-ih>RzDs7}BGd2WdVxtDgSO5Vb zgOpGb9!I4QMnOTyKvcRkk=~LK5JXC(Mp`1FL~0TODI|H^Ki}_rzjwa(d-vJrtiAU- z>zuX!aOqmelPAA=-`9Oz*R8k!QjXWv15AoMGZ<;f!^VXeK+Pk-8Aa({_Kt!I5X|Eo zuO+a$l9)Rm^fDbkECz=V$2dFo!0+n6s>!kTe{Q2%d4B|>h+=tkrD470bb5bSpkPtj zQ13w7C3B$hO4^>hn0@Xz+MJdFkEV^x8}Bo1mO`vTeda^bZbmTfcPDk%4P?uaKk!bz z!damfuJcE}^B!WJ&jTbkGd&bSz{lLJ@>>w`c;=yj(=}}WoMu!q#h9Qg zVu|!$)QLYBcapx=>^2QwtQz0o@6wZkGktO;U8$x+`VdMHeYTD&w-&|nwVj#D;@?y}w&(?|OolZh0p4;M%B5te@dN*@GbA4_s{& zSKe_dqUN^D(`PbC7c+V$pm<~xbA&yzYL(#uhnLn&Q}380?ZAqYy)!fy zbti4?Izp5y!^s@H%Qme$9q5D47T{&PbTEdsi4d@6>6-X4b%?pQf1z?w-_Eo?`EYc} zvwG_~;%xZ@RJpKRjT=r870r%)W18?F$cR%G4K(!xhY9-ju#8U%&M|`qOF9FWYf=`! z`N;BV^yz=&+^fBp!?9+LRxem;Jk2Gj@)>swWLgD2^^451g6kt%O%I2hoPK>4U`IB~ z7*RiSaVj|G8aRL!ocbPb_uszJ2pPabfthv1wmhFIjlF&Bte1!WV9d|c15u7#ysVw?X=}Oy|fP& zj_6hL610-%tH7mI(`M6Pl(mo{2i%zU`8z|6o*UweMrX0thC=M}<8^_?x>r}a>yT7s z2K*eJ5lOVm&}^%142aA&Kq^%bABkAUDO8vP64Hfp8{I!!^qd85C8&RUuv;z=)J59E z__%|=EaxpFh${!m!AT8+Ok~HFM{IvotGanEHNAjXwQxZ_{Aq9)HUei)k^v_t3&djC z8erg%djI~&50>te-&$(PQU>*ow?R$+>s1r7F0{& zHU-R@6Yxf3o7yQ=7Xtv;qNU&g1FmfzRxC%1B31y67*V!|Jb5~OLRwfVbIEhLjzpxg zmxnqp*fG*G7xR`wEs?G_@UT+!+#so)8zZW>9HEW6vTWdf_|2VjSS|t7FZz-TC5IlGkQq}gpr|11j%*aQFFSA4kbe>V=WF(OiWYRS0@7nn)!=t2l zOfhanjvS?DSU51b06>VkWls9%L7OzjZL@wpBB|LF@}#rjs>>XGvr)bXc@hui3nk|} zRAJ+^)!wb-4Hyy}@?Kr5<_2+y)q3OKfV~PRDu3=@*9edN{o7;z_U%gp7#AuB2vaWy zpEe~Mu9lB%x!M&3apNQ|AioKMGNf_Gc55J#{Jb12qyM+*!j=IB<=sPN5&{?yK?4dC{clfO?LwFMr1F|t>lcf+KIeurm$sunz$mc> z#PV^54~c(!8ix9*X%H8pTVGXK7c(?%EKf63?D`nrq`E|0Qvd`1Pur4CK=CzOvi3F( zEc&mO?IEJhlg|b>U5o8WSJ9GX0xUCygU-~yz-rCd#~O~JgPjRg+VVyvW-n-e%!+zZ z)RixWfbddTGWoX+Rf*z|V3gZKq=;3{yk+{&CyiOgu_v3A6J7HuJkcerzBgT&|4E_$T7dy-YF#9d=YT?&I9;+h_NUZ3E#A#;@#M z-|UD#HN{&gx7bdp*rrM)(gE5Ey-^dvNZLS+EbNm)>8uQ~c+t{Co-2>`k(W&awc>(Y z*z@oUfnK{JExLjb#UsTx{uHuvfUqY?{`BiUkLkUFTT-*kqq4#&T2I}$sGE2oc*Huc z5vAi!Ochx--r)#B8;`b5(yr8+@SR8@k=PAkWs_>;5|l8itk5ldgwTy^nvRCqda_lP zoL)MINX7Fkj`X##sOWBTE*VYUw0LfSGe#CCoe ziPi7cXY(&+Uj!k}6m|7p9^(V;j`6@twR*E*=1^!|OmIE9N1*9@{~D_=BnRzly{hCBtG7tMG~p?t@(lr{9IX&iTn z#VQe?u+T}V8CbP77lqb_aZ87&TV*Kz$utm}|LSXC)tluPw>0hTLWOGQBqZFx16bAfxOe3 z#evFSKHp2ZcpiJyPs6ZX32SqEKhCg{R^If7nX2oUt9=Nu{19RGsb;T=J9D_&BLB_f z!b;^>%63Z&-Aqrv$Rgq+6HI4*EyXb!_9-JwWn6=QAfyE^Ulapy?!~H3`3m`risF%x zXV1F}T`})VTGP(uHV}t1&TR#kS`o)k?1WGaN$fsK^qO?6v(v)%)ct01{im!UfCDoKpy83&oFTXbIf0ppz7g14$uzk z?M~;d8jn1yKN%M{(W`!i$kl=P44T!ke~aVl&=-RHn_ zS$`I>Dgxj}uF<96=(4k7+oHzV2M-Os2X$h^RBoXmoh|rn%li z`b5(Pw(uuoflUxD+)tC9&wX$KH;E@o$ISq2noP}jb_T#WE~ zz%MZ?!?+AX3#ey_E2zgol&R9r3B;>f>eg9}rreV8p{Md}vp+!6jQ-}72tJ9XOo7~; z<}rRsAsqWVL8~w{S`*W$o9HCw7agPmNk?jd^rg z#;{9YujQ0nC<0F)MOd`JlZ?LLa~pf8s`7LhY67QanDE^;v?cx}vqjMbH%f!v0EB5w zKt(?=y-^m}>u^_ekZNb zmYj&E6bRGdQsdc-*Ofgv-6OHccvCR;efRw4khdO+aJbLt;Bw=pSfLEJee`9o8P^P&aWcE zs!#svP9KA%An>7NRS~csl+4)cOA~P=&cv6U=mtARMSZ2qzxvDo^q_X?u@G=AueSKIJwjTwvq6mCk*;8sifRO7c zr>%hps6U5Dw}5!W?nf(`+rJQak)(%xGPEA5h1MtiiQPBRl;N+fo;+g~3_bYlpedt4 zpommpsUtn;W!%87BoT@7ZI~K&97`!K=Zqi6*BM0-c5o3Wn!Q zNjqA7@QN)>d!Uqv8)e4z^32M8{W7b|S7L2m_Wxq%7iUljDu{L`!?1Yy(RAi^NgwqV zSj!%b@&^PflSkb&;Uj6caUoK#inV1W9J!|3JzM_N9(>O9U6bKi)Vg4I!-@H@n4q;RY2fhK0%%&C+6vUCPu2gORVp;c* zRHw5PQ7vv>LM-mU?c3eA;68!5cIG^)HVeNL1=Gdraej!G*0EK7*Dv2&np0Keo&j6u zlLFvd?$PUsuYlfASg`q8D0n}?2>?%ks$-V=fbs0L+r$ks;VBxvP>!U}q8=p|m1{RS zewAtht%OHO0q$wc< z+~kk~z;LO7ALhDN0`0XDR~|`&fBSLQ`m!E7dJKofD7FJh4eHW?8&!ey zIzj>W|4fVh7Zn|0c9N9Ha8)Pm?nibgEvUihKbGPI0QVh(rz1+AvaK%Ki2Z^}oP8?% zGIG?odmYcqB`iEzFzXS*rpK%iIrl1OO%$`W3r*?c%_-qV;5T(eCncyl(fp7OZw+eJ z4K6u;+~Mi+w4aLyLOL-J6{{r>GT&_^>|nb$9Wv<1Y0!+d;fNzwKn(birbjV%UXt=eks( zzDuyQ#PZ`imku57u)d^!Lpm$Clq=v$SG`?9LBCAZKC%Eaa@ypWs~ZdBX0ed|N(d)?@#B&kc4*`jmMHeYE{~ zIYv6w!1MIHjy87OJ+ZI46jl~H!p!C2;sB-0X*Sm0t3J9JW8Co_k$DC(EtAeXd;$l`p2AdKcwVhwmmW`~-#>{P-)4&VuJKty?9l^1twIgsd zFIP#oVa1^ktqa@>eFTXK?#LmBGB1^e`aMR^a3iFb+uc9zfPbz!VmN-xQ#?`h-q$HY zyC~bGz09>SwM6Jwh7^7>9yyr@P|F;t(3l7h0qak+cy_+t{|)Gxs)?RK8~z7P@1) z9srqx&+^XQ5+p>1y8EY07_+p^jRz*$UZm1(@3r|IQ(1Jjl}S8(*n;*~w9ty1lotoo8*84A6~WvD1SBnaMJL4oN8nrjPsw0nNfTQ6m+p2A#>p8 zr)^mzVFd5X4^T6*`*B{h$YTseo{=!GBC#B3B^}0tt36CM7%N76pp?s#D!s0Q+S=?k zkFlzrv-iP`YyqV=8XwtC9PRJ4f1J0`pfsv)jgY2sQ|yN(yTq`WejTNGG0vAS#f&a0 ze}klF`9B6|K$&M{W5QaGVgYUNY{D$CUIuJ=MizLTFD>USuOtVTPwb&Tx%q}6evp$8An zEEAhLc7;|i@w;I#9{@2`c%mf72=9w8Kbu1gilDUzOPoWEOjP^uc$wY0`)W?IN^!F$3w*$xBR>UYpQr`w@=TrQ5<2XanQ z=SeWM+@?oDGf)V(a)G-6J-WYTt8ay0%~7`wd`JOWL+1_s_fk~-k=F`%)V4-@)E&a6 z55p`!kER(=l}U8&fPLUZQb6a=8aQEg_u=@wW#*X+qu0(Xp)>k#03RN$ zqR}dYqYT&bjGncx%MQ-CC$}68aM}?a$zwFvNRho0uLVK~6TMV?jMVK>jgi&vNScgD;ngvpB#;>%^1jEg#23r!nzZ{{8lfQOQ7b8C@ zh^SMLsCmsXDL>kHR4ahvoG|Pt3=>)=AcbcRf*~?(rArfk)V7P{<6hf8dtaTBkFk9D zvEH%dSKe?(D4&?)mR^ksf71^YqVFU5O=Qk%Yo2J*v4UL|-*=s{33n*kNa9$NI&}24 zs((ccC&JBwa=7LXaId@`$!?19q&Gtwu(K)7ZeiH7$!!=?WryNuUR#QE^{TxXKar%@ znx?Uu`dj{p-_24+Q_T1UNB6kLbZJ~75FqCdD5Gk{nQZq%^!CFZiaS@83>UbU&0QOh z7~>B)AaIXoE}f8F^^%iB2Sf<%?|50HXD8Tpm~pggV?$%b)u*#PA3OaI$6zRikq=3S zVvC4#OaAaq@r5D!xvJQfkzmLAJB?}g+XKkD-tHtC$@URdQ|z+Rt^YHmJj?aWHI;s= zz5YM|Yhla4E&eRz)0t$}W}ZhboV~B5dM0C8fAPXwcWK|Zy5yc{RJ>}(GFFpDY(m|x z0fXuT1X2k$u`!M4uN)_?Hux-@*BEDYFEg$pMdMSbG3&Xik2Mr!*|7qf%fgb4KmXyp z6WK`}R8Gcn7bb7LBI8SaEwC|BsxSNDSGb98Qw!a%HB@}bngR00;K@iJE%Ul%8O0Ko z#7G^ROzRCsucy}IGlPudvO*q?_Nw;CMPp;2@ZU6FD)#0tx3Eo0rkhG0EwkRgC+1<& zDuXLBE`6K6Cx~%XR@IM@sq?g&UO(#c*xH*MX($#!<+>l?KOFN?K2VfDI^okIyhxs& zRwFrP+kOg&pLs@js$8WI2LC2SC*JXt7fy7$Dx00G9>`GjoNDmYjZ9DJPML|`u~7;j z7`qQNk|Whp9FK|#9$$CP&Mq=CzSMB(cN@{(q^&s^S#w#PWO$?j!;Q`Qc4&9iZRwBw zOOw@SE_}r+k$Y05qoadwg@&*xfXkrC0T32dW^AGOhw=nGAlet%Uxw~ zG1)q1y1yeG4h|j`Fzk4f!aKdNo}XhzRLV2I^2&E66SWPMQcHc@@{P1ZEn)t%N#vq( zTnth*W=q6X=J?q(qqD*S_i1$P)Y@RC;wx=!UL(o$!LwnXlp{C$Tt}aox-A7{ ztvuVH{ClH6(eLSXS6VE!(;$;s?(H2U&)r^*N-=qRe01xg1dcKrA}}o(s_d7uUlap$ z0Klz7u^mw5&aA;D!lD%BbX0iJ#R%UOtrK>Y16Q2`N+xShJ<`4O2=5&|__3uk4B@^0pOd^n`t$WtRivk7p>Iuf;il-NP~0`i%$VtKorhsnkKa6b zf|eoEn$V&g*G^n;PhZZv?4>O|wkuMa1=s?YQdx?PI-buu}_(j<~v|Wcc z7#kg60JiPqTeka8Pq(>xd>h~;5!wr$QaFiz zK;a6xHpp8hX2;GcEi z;Lke!R{NThjhFWgILA{XO~wz4&=Kg(9fkH!hpS8DwVzxRz0EXotTOn?cywoJj*ZqH z_pbY;BH4Om+nSPXpMH^xqo0pc#2L!#9}#L%eN=UROp(+fY+JjnPh)1_Vn)a0z~%$n zT)H_-99o3p)~}_oMKN4U43FOGiu@yCEor>SdUJr(48>Gzr~=?}8);-q=btD|V}ot} z$ho;Q8r_y3{Y$14h3VCwDR}14#<4P-IF{Y=0lR)~4Ui+EhK1i+aw}qoY4G}=&WlOg z2Q1gI-JM<|cxl!Xn$bgsAv7clJ&@IR-C(hi{Db>a)aT^9H?wzw2_mO;!wyJg8G;YR zf_sB@I#O9|z3P6#Cgv^E+f>-Y_&QmKvf>T4wH}woK=I|RWj_v4P28Nt)0OLcC+-ay zoHynS;>t9>-PvXO^11E+#6pckog^kmmFX_nEdUt*D7*ZD2(^mV&V~vzPGxxP=wHg< zgihg?qr&<{ofU{NNjrUr^m0Q~d5*ZAb)rx8Po~O%rQ#L|%(#3dc;G?VmwLlfWKM7- zM5Dp3H67sQl3jLp=WdKM+t1+KaljT(;4dqGstZp;Fiq!qzNOY`A;05;6RaX^yJ{p_tX@ z99>Y2tdyNjo+8lRkdYB9 zWQYWRU0W6IU!~ufRIyj(wHo=RU<@jr`D$5omR3ie`H>YU|2{1qbseYZ6QP~^+?na- zTRpU^Q;2aPk>TG(`nwD(u6C9qXTsov7xWi*VmDWE`Ax*FJiby{Rhuvj zL%Lcpp~Dp5#^Fq83}6$4RgMOt1sj*OgJ)7n-TF@Rm20D`2RY9-{u`I3Zb3FJGw7SW zOgkD~G~UYsLGhI)dJ9TJrpGSZn)ln)f*<%_ytF@Ve>BWpH`-mL`G?EP$PQHymHO7o zm4%NhUcOsg#qM%(4fALdp{oaq^J?lN-%Q(3uE)x4QJItv!#`tHj)+fJXY#Mi`d?ZAbEE7cQAupE3k5@a+|iVmm>MHS2r(bULpyc3pduS*{n(@PTH-w5!G%$%hy zoh2JohmV@#qA2?!Hq$gM^-Z!K;Qc_fTAht-&A9f+={hkvqAKCS;v=*rG3tPZ&@>H{uNLXKNr#hzi&@O&8UEK+or#n3Yq;E2O$O>`_JNz z|6=KJV9qg#c-5*gsHx~p!&mR*D|y$~tn%*UpYZflPx0T{yzg?Dga9z5ulZ@sMk9wR za7VkU8S&DhR=1@)cpmNp4%R5-!RYPQ6A~`L%^x&@Nw&M&Ukpz_#J&PYhQ#*+kpuH5 ze?PbJvFxH)eS#7P?P^q-j4UeIHS&>)6IN9+0!X19f?-)gC@RH_E?`vqj(CtKm6gYR zM0RRV^ROr1y#?@u&eO#@KX%dyc2A*q{wt#YL_>*h-;zGL^JEOGLy)`|pWZtT%II2= zdar1zZiH)q&^pz>Kz$AQgaoe7@iAnkf8*8;b9!c-_AjgK4AKUm$~UMM)Gsk_FBXpf zScAP$YnSx%#OoE7ZhIZb#E3O-NnpL+EC%jHq8P%FoH-58s$xcUjj+S}*ZRzX8uDU) z)Eg*_Gv&Tape<(b$p}T6?Yojy;sq_;HLKHhh(+hGf=(Hyt|iGjgb$N6Bg}@A4I4y= z9^#`0zY>B6uwROr@>N^=!<;><77(95>}pjbdm+6>LCL64d(RtaKu)Kfb76J^7Kyr= zsU!Zvyn4B-W!9xMjiye!sro%O0obUS=;}jPdq!w_&B~k3=4#rH(WvfJ5O8<;J#2v3 zpt;wZG7rDa&`uM-Oq0<|)V_riE`Po%E{^KsTXnxh8?%UN*J2mwRY-t?0wwd!0x_o< zsLxKv@|HQTv$odq9kaC_t(Yg3)c+KR)82l@3!+?eE0pvvd6Bp~RLgl~3zHM$$}Q#2 ztnoSXn1ZAkEl0)qI4{!7!^POE@HC2O_J$(po%h1sVs2_^Ol42nr%n=%xE34Y&C)g> zP;7qi3@35A_A(G252vOC@{3wBhO)KV7Cq=^DyyWr6s4TqAt&#B>xf%vhmyS^6qt`d zeebi_cyn}u!DX6VdT?FH1_5rRLH|dQ{S@Yg(K?ZVNS@CDH4NKLRvTMTipGW;=Z)sf zovC(pC4Gt{^EICflUMfW)Hh^u%T@3Ikad0l)1x-mykpn`_(;boc0pw1t7;SEGsWpR z3Mw5jX1ha0#yZQ}-BRlbfI!(Pb*4`F# zK}N+Ey|Oe5IP7KoGSaX2`oFmmJYHG5`fj7yXIVpr7z^$sD!A#fc+}cOli>P)QAz?L zJw~?>@kOJ{1WVb+Fvkynf3EOaM_9F}BOuuvDvUNgPSK;Afv^L~>ExC@Tgq8poVg~Q zt72!gw_#A5k7DMv_h*dEFYw3hs^7f1pA8X#+>jgj;15Ix{r5QwLnbm+*L~HZG1l z{z>7zt-^v#(XV(|>|}2rg|on1Zxz-0zezd9 z<$_s7=OW`ZG)yVeNn5lvD1F_SYdlq4;wiRa#9!y3f zd&pO;0lToMU9(&eF|?r^$|W4^TUZPxZs{8uVmoc}^NRQX#&mr8Mf{@sU^t^qIrgwv z^i!p3ScMahpmC!lY%M0mc>jc{seJMKA2!`tJGa4);5*XUV12G(a1*9+a;9DMJ-roi z57rj@us5w_hO(J00VLCs?F=WIuPIj-mM@~(J)9=WZd0}SYGpn?p8Se7^Fh#15a4?m z%U$u8tt-W{%JGF`#W8and*b&OlKnv$2|pGU%Y1%3Rzx~T7Cx*a z%XK@Ojoe)@F7}1K%EDEbCpFPeS<`u4w!nE&8r{DX$-oxMeyOMsr>oyyJV@<--ksl4 z6rObWlAY;;J|8S8#jEv`LS&cgb5;fYF5G+lAs&;# zZEjlEy0+|xPfgJ}f8krl>odW_yH4XCK*NE?aUh?zF1Y_z1JzCfE)6zKO}$l8|I?Zd z%6iGAQPR7BuVogD;F)*7gRZmI%`ufv_H2pIT-u_3bfNUbM?}*0yz*&F#kl{TyKaw#zeKm$i zL$OC2dpu`o0qz>IKIfxt&6;{-eLTK`Gtp0K667PSyzF?YElw9_@fSJ^?2CLvxQO~< z(U+KX_der5oqEE2^|#jY3fm0qt*9+oeV8Cz@B;}W?d#dliHYRt-tm5EwDx`>6y*7p zMm_d5=^H=oy_LM_>X+Hrx+?X;d^^?GhZE&F!Eep@HwdU|{kk$#FA@+Glz&G}=-pm| z{Vy+0RySm^uLa@DO?7A;A|c=g`bVr+*xsJsuYK!SQ_zx)8w0R?Bs*3}Yf_NJ^`#f( zGLTb`x(SBBRug*$(ES@I@&g&SthNbYOOOEt7R}JMhFLog?H*+JRgG(R+VQt!ZZ_+P zRBU{=5ZfW|X&)Bki{@wFX3I&J!4d$;mS}qay2%5eyOZ2;-l4v!mLHS6Y+uk4xvY~v zhL;F&!2kFe^e0jt0;`D8_zA=Y-E{Rh6w~g&W#xLaLUy1 zXX4V$2Hag3a7>~jgUami1wLlzf^byhOKWR#2TM9zL!%pUCG#K4{_$9Ap;fF*3{nf$ z!zapS(h!~Vw#aet zx+oQhHC1*7Zhrx&3Yw5~`5|=mJw#8U$tAW5z&`Hp58VHcPifMTYPY}yaHMeGp8ron z+7185BeVbUIV*n|kpJ`M|1XcZTCYq$`(s4PcuRrh>^J7FuH8XY&Fv8NK3J|GI&&%$ zJHe+i0bc-|NblCW{$pJ{^4WU&snfK>XLdpgFejS_nPd%4e!#XD)D30f6p_BgUl2ll zYfwVs&p=~Olp@g$9+7{w&MG@zDXjumKWfSZ42H+#--ros|JkXaO2GIpT!nw_?bTQ$ z%t;2vf;R8q~&Z9_s^x9mXBjqVV? zeQ)hhi9bc?p9r9JpDO%vgrOlGBZyJMq{=PyxE-5*fkzRJPF+WhrHc_W@( z=BK6`>ZD4-dH)nk@S-6i3m zBiJ8$9=Hkd@`M%n)piZ#*bA*J z-&CIFaO%jgQBy9o^nF>x-b*C4{t(vh8C`iJKbb!4_uZpkR9G4O`u=cGodFeMop@L+ z2SrqHba1NZ;0{+0-XH94&g;o2Exvs{x->4uenx($CoUOp>p5;ux#6~J#~K9IY)6L zu!o=q{z9;XXgO!pzDlMiFje|x7m-O%+yLA^hBi)R*j+y)tBLF&o6JSN$j#q^PO;?^lmOJEg0gEo^R* z>IcZvWubi@E_kFKz!Tn*w_j>0z7{&Gvo62uBw$jEOkQ@jrEseWfz)v53A#Wv2+ z-xps0dVqwD&OTLjXlIGLZOKKxV~J zc7zxlw<|&XI1tro!~*-oM^t~gdi>?E_VAKB%nl#z_kP3mNZ~nM;G5=tu&^L~d*<3u zCyKl`6@7gauk~AY@Y!9FPEUG&+I=>Hc;w?c^1r%`>)rpw#a*zjH)nkBjqMA#3111g zcZ3fcd6|FIM3g-Dz3Fq;CnGvD|IK0;nK|8$YQCRiSOb%tdN2N*%4;lZ-m_%FVPwQa zv-N-IX57hG+j$MsdJiRZ~*w{=3(9@nYM;s~<_7hKIw{nn79aY~5g0p?4~M zVQ4qL`)D`@f#YRMIs{HNVS24BUPc(&ZYb(iV4miCLcez~DqLM^$aQP6nHbjaLA=^e z4^$rZ3azX}-aw5(6u@G;QnhG#+5a+bM-w$Va>%Yh5;0}0S8;TET47bn-`x?n1&{h*tK=O2+=r*3beD~ z&w%U`)2AS(9fkOF$8>l7|LDJ2V%NT$`~U7Y{V!8W;ZY3bUsNeem%tfJI^S`a6F<1_ z^vLHqMf}H9W9om-S1ZYPWuDx5xi)^EJu7U(&h0mCEs|`Hz88@GbtYRu{ZANiB>@H2 zhPV7}a`*r48}qB~aHx$QJ3?voGgKb-VVoazJypOR(7K%_HEp*ZZV=a%oqHX|T~uM` z@I*0{ak2tV#{9XH(R)v)L_Rk()R&8yNA`4{)D_9||yT@59VU2x&wPF5A0_ z5UISlKL5J8Fv*yz(X>CU5PqBrpFQ-E$32OMjY0Wl3Ho#XqjExO7P6M#_Ehg~#{L_$ z3H9_{%$C5t20=5jMCH_3=>lYX^ZWGtPYRo-CkAWpyrm6(sKVf@YOC#XhQk#XSljcx zl1eq+NkZd~ zIi4m@;u7ooO$uI+eokdecGqUiA18PAQ|&VOdUW`HT?|XqG9?#H-zg%vhzpR2H-G!C{b1mE1KM~ zn!9qpJuqj)249bOalOo{JLeqJtJQc)n$j1=~{3d&%8xF{HYiLie>a2SkNa&jR!uO1qkGTLgN!A%VK?O|gz2qsH!91$uSsqj=pIPefh3 znHDb};HYLBGhXwVH6RvMmi@?J*=4|!Co<@Erm#oiKK5`K<>*)!8O1PHHWZ;CW!ke# z_Ix`w;m9j*P))hZaBY22@^+8&+0?F>W}ht*DjPL&!FXB31;vLCAxA`~grp~hejI;8 zM{x|*s6T{^N$kehq>kEF(-H*7>na2_Ot+k#`wj5)gtav&r*3kM(&KYTl`Pe;X8e>fZD5eOckIm{R$UE)W;d8|B$_;7lhw%MRl!mrSObn(d-}ht>Hm&+ zi0jfApGUE+ml!-t-?klh03p9=LHk3x^+vJ1Asf*)e&U3BijP`o+KUtTaD#;FX#vvy z1*UtdXjmlbmQJxm``0l;{uTW$+YK}a{;b6T**WFkv-5&=O@kzvEtfVA(t?j08ui#W zVC$AMTGL_vE-M2K>4>X2785Lw#Ukj9_cami#7?$5NBvl;$xJ#t(3ETNP~P$R*2 zS%PLbv=uKg#l=dw%fz?Mg9LkaY%E6VSX4MGs?Mkwcheg&l%>-qIUO(1`&2uiRaD?O zVydi)Hi39KDY6GAPW1qdM;d|Xx*)wPgN=z-wC>CaEce(YMPA^S-OienqK{YCSJPs+ zXYa9hK1DyUOwSYo2o}WS+=S&MJGSz@3EpOHL?tzn=u@JiCb(GHKt9*VGRp2EZE3ZS zBcsHmWNH_vfZc3?!w}L%T3Z^dA~lo%m9l8mf#{p|%RO!H4w_oyDfYNoTWaXq)wwk{ zzH>ch7;{#zkF~~S5hyyKW8Wu*W1{?yim0_2)Pyeopn7VJ_AW+b&(>rE)J}Di<8cN=4OB)u9No@Sc_HYq22G1WkyqHWImH9@%efZ zzyTebo_j20C@&5G0ZPX*L2x_`X-9+KfEgKfAXrb*<8Pu8sVyMm-Qmi8XOQyquu_FQ zh0AS3vj_r|2z6(wtQ;MC!_|I9cN~_29+U{)Js?k{tAYT|Ox(K~7ph#;C9ZH_SX%EL z89~K!E4d~Ixt7XMyJx^D4mhbhcExeWDEUzyVDnr0x1m=y^CE$VZyLAi_@u;z;t?kgIHB~TqofmIrmC18+A zHR8c`^{-cqQq{cGPlZx=_naZRvW!^p@5>09Ty$EUBgU;|dT{_6%i(e8O zI;FJ5OHrEuB#Al+Ajxl`l`q`F5_(H`nY9r|bNRc>{=%ekB*lX40Bn;w7uH`Z9aUIS7*Ab^BLdd{RJ)PlS?|3bJ`-a+m~<;_S^N@he12~Msp1L_N6U~vt%#TO);ETgqb0xrY3BOsvGWsVMVpUcbXumm;wXXR zD&QRYQ-2P%U8eW0(WlgHE~E0xnefW|K0;l#^_grutI5nzIcsIg0mc0TWNei&55MX3 zpIE#iY}2=?Qk;Fd6|gBr^V90B(MCa^6iPm0tby}=s}%L?%v}j@{hcmVl_v%r9Z>;}#gCw$d)N2KJZ_3u2R|VrgDQpVP zAFN!&So>HWD;yc?zA2b}(M-E8s1EPkQ-8Fa7@yV#bUB2T80T7X%ZEs3Lp}2A2;;-f zW15(B4gQhMEYzEDDGQu@ETxaWIpE+y?y73ksDuyjBzBnm>I6P__nrgQp1laG&=s!KUMteJv{tN^<+=%HZWN1MV%A-r@pZt{glX;T9zMz2nTh?J;2m%0!Fwsk z5PrH^=pv^%y^N9M+`AObzV?0@1c^49+4)>FlRoyle7Z!RKFnwlVA@hgVsbq#gX{x$ zbSbGk*qiF-lSt^0OMigAr~P_|+Q`2bn_oE_QZ$SSKUAofX|CILjhRikBq{oy&Zgg9 z)gL#1%X;m4R^*zDtEjQ7Wc^A*?QeoX)W+J8Hi^Eyrc4S^oKJFD$}t-`J7V8@;h+^$+UeTdCbkesl=@D@F-@3)L3AL=-9l!F+FFz-9*86 zmWHrYDzq;oiO;NjJXjpSeyMS{CQzOgo@sVBNhFgwVe-W_r-qy^L>jpEOdEG(C=SJV z;wtKiE6~yd5BH4=9oc{0WAPr$lOj5V-gQC#btOtKF(%b4Jumu!t+@7d%4BH?=tF~% zs?FPH{OOic7IlH`o);MyPU|^?6(c22o*5t}8NaQ@aRc@+7Iv547Qa6gWYGLoLrTXz zujO!wI9(q&l2n@A3E?UZixZ@dEQX;p|Le+y2Xn9J{G zh8C)ltX&37h*y}4ORl1Gw|lN0TB$xxw#sM}Xoj4v}O=WwAO^9nJ1jaA$tr zV{$Hf)yK!=1ym=J)lo7wE@gP^7bi`)AFDc3DznRTrDnwoE0Y&dy&^fd6u3jye^R!N ziW?><(IE||u2l_a`xPXkY2`B+b#*kargg`u)B)qBpGD}V)H(e(0om2n;UzQ2DX2eq zX~D$D@1^|)?s|Vxlt#sN;0eKY)){{8Rx?!zHdN^|do$LPI|EfX$$EfbG4ud9t>nNf zlO>v4%fnkfpUPFA0o=KJ?Ie>6p@L??d7D~n!vIcheB{eF+d z0;_7*LK&u1pMAd1AJD1oF7>Nkh}2xo=nuNF?Dbv@aU_E$*n6;>mOX10Ri0g6TS`1w z@AY(oh(EsYc z#jd`W1-htfpl&rfKzXjd+TSDu!~K4bry}#4-Q3K>Nuz;>;z49u?oq@>#G9MNm^73a zo_qA9uBMOWcx<%lsrCC%L8o`su^ne6R2$i4qtO;((B%FQ5Zjb3;9gp>x*_Ul$5E(L zivr2<9Tmh#Y`iRx-K~7-T}gib?!J;ktD6k+2JRa9#!o+gN}9T>m)tiE)K042$5;*l zC?CX@=BvpDMlQ8gYTU?>5T%#?l{KeHguX-aX;ei1)aj4RN3-U%xRs_Y%#q2910}&9 z1NJ&!PM-6O_Y9TBHINJzZBJNQ{46fvTeux(MgYQ~Wr@M`P`vg>{k7q1${fuz_#{qY&` zg9*DI%JxxO*DMb^cMJVG5a*&VFmaL@4j#m+`h=!1lb=Ox%&)TS{IATnY9nwj#!M=m zQm`#B$w-f`EobRJq<0SGWVeRk;#n$|s`=uqWo6|#^^rUFM(^d-%;lN&_{PV3QF^=^ zC*Oahv{7C;HM;XP*(I+tr-VaCu2*-5RPTJ+dnmxG>b7R56<3cg?dEl(#zA~@0s5fb zaFvf~sW1hd^gdR0+MBZNe3n9XvZKv%=$ob~p=S9^oeU@*c{t3l`5m*PP+VkJE#3U? zRUl$iB_}%f!4>=2%uYe=juUCEK~yAPlmuFafSzs2F)_8hKBOX-m#<7aLQhK<)1|h{ z5{r!@Ef6ia0rvAj+0O&&=mv8&a`+Y6HM_?P!P3^qv<$z8M3O08&pS<#x&qNWIDu^Y zL#(cCbB-?-LXv8FimKAh3OIvNzE3x{q7+%~??*6UX*RX>GC4szs z3JPAkbe}MvEprn;@YgLVRCFo5uoiaG!1N9z49l}KhRR#~X%XDV_2I0b>9R|GG9Ui> zN_X!Iloqv`qo)E36(gO8Kcw!x6IOj8si8-Zj$FGToxG=yM~izubh`>JCZM*?_P)v= zYw;5GdmK;gqwm3;=@rT7q>0k!?XBh>1&n9F$EVixsKm^}z8Ur4J6QddL^CTUemkKf zm*5~KZ^=;`VH((WIt^hph6;07qnPGIKd)`y`onm1I_CzhgSzv3dbG@rk8Y0I(OYbA zLmSXk(rjXur5A^8;Fbs-)b^m8vlTrOM9&!zeE$YqN**oNquQ_==M$lW8gN#1bq#HJ zHe}xz(!PsnYad66(wqwXZ_QnKP?Pt%wsor_;uXb;N1`I2B48DW$`UQIi?~!RYl`fF zkb{71S#T+9F$w}ggdoT!1cZoTPX&b{05z+(YMxCYZ zXw`)+4OL8Bt>&&+e64o0e07>4;4IR^xXzj%PshxtL~vD)56xcE67)9PDZ8ojU=fqk zaxZ#|aD7QK7?SdKt!9Z0&hqLL-pl1$fu#qR6mH71pdMT91g3y%ucGyVx~}ITpcVfL zz=+RD2#!dF3Y=k_L5k2UAA`#@!tpDMpc+538; z>d!ct`jXL#=dU)=D2-2r^=*Hki2yc5x@ z^{o`!W`C@xY;fbqM4hbZ@vUQvm!PUW2{L;5jixN|J>fk|^@X0iIo*yNuqzo%)?)|5 z$R-zgJc%9A$fyY|ti<+EH7ZcXDb4zq>lz-KoGLJVF=~xeeW`D3>G4jDx>x|fIsnq# zX~`9qyhd#WQ@tfawdIZ&8~=W|Lz3a#jokg$F-ipLNpw?EU~jNm z1rxH~t=-ciZ7K+R0Qp@Xi+hU<>u|;0H#yW~fZE%gCcPG&ZDi<6v71K^RC5_y2$LNP zLgtg?5=H;FfZ*C=r)M{3ZePY^bom<+F+r17$}FUAcW0x2r$lX3xg4HDX|=GZCFy_j zp#-z`QcY9Nbl#U5-#k8FO4csNMIAtQNkTn0>LsJE9;FG{K`lpWh6v~DFTf(DgT{N@nh&UM-NUkRygpb-VSRn+^BuDNay+z`f@2Mb zIar-oGGb894OCXJkq+aR@XqzNri-C8B z3sie0JZG|A4?$hhrbv}COXl{BBh@bS_W)18(-?7nS%g~d`f*))4O9jB0xd9I5=E}O zFgqdoCPzNnah+?#fZGT)vYxx>)|a`w#cG{;ur7+Nn`57R`ZRhJ&|UX+;0=oGCAXBD z$YsYyx5vC3u(GGrU52-K38t7A=VDLt<7i4_Y1fZTT(SW7V!kS3eSP+9;b8yR7-Twq zUEHiped262FfedvHD@~{Z$Xv-tAK*D}(krS7CE>i$djlPsl)U z+TqGB=!%xifOG@Ub9i7~n|gPW?T1m;J{=b%vGo@27e03hwA4I3`)b7}XQ(Qzs)lkor!V&I?bB0XWF7KZvL9#JjtFB{zJuIu+3m4Gaz1U7A5^XM zr!4DN-D)FH*@)Vz8pJf{Z8#k72~Ff{mfIqucTNuKhxB?!itTcb_9@?P2Eg2@Nq;g&Pojg^&(C}ZovkVw zMKEtwm+~*qG&DCadN>-i=b|PZn++aRr6pD4#(N--aTLC5820_jx@yKziX=V7$<*R2 z=rbpg&J)^g$B|jT7k(Mm*h=qZ)EYpQH)2HI3Vu~$8nQnY|u?Yt2 zB>Udt)Xa&WmVtD%lUA{4|J?nY;IE7Ng2=^U4i&R5ulJ9diL0c4mu})r5B<7~?oVFt zqm~VpDp26n{X~3cJWh2i#v(>b9CYw`ft@XOZxw+ z$@#PE?0{G9vw}E{WCzzZ4qQtew~u{q3uattIn2A$623{c&F~F^_n1;bYm5OFi&%Af zlW(y!)~WA5T=j<3=LSHoHvBM);{>w_ubzbFl%fHsbh1&fY4xPgm;KPUH0r`!y4AMF5 zuGS5qj_SFcBg1RvwkA!X(p8nr6Rn(Ci&N_ym8#ONG5p>r0PpoIF#;0iJrQQeJ}O#> zgUCaP{S8J^M`N$!XChKzJ+b(j=NJ;yn7Y`z8$4&0{s`A*${6;k|Aq`cKUCoY&VxZFMGAXv;CGjDEu6~dZsoUGa`OqeCD zmFiu6)i>|mMAv;4wcU{r^=K5AZ{=TO(=qyHznJzyk=;QEIw1XCJ6i9)$EAJ!T)U8m zMwf-#cW~s7*kC-51PQ=SvqsV1E==U@95A;kVnGv+F58S0S7sImqTuVr?Rl>u0`HIk zw^vxhex99o-lVadfy55ec2!inTkjH@0Z;E3E{M{1$pI}J7J5>OgOJ{(Qa_Iszv4`L ziWmE~P9jD)+0w4UTW)PH>@0;ik4T;7VQnnZ-&d*VAH@7OW8U3!(1c%1D9JcC( zp1`rJ&de{TY$9;;FM3r)dHP+IR6opirz_VQ?nq`2qiYVFMFnoxX_+P!o1I(+DW!v5 z$5Fxdx(ZfxG->&|a5bF@T4$k0w=eQ&Rkc8+sZ$*sWn)t~yC+rIA!)_u9|X9Xdg27l zc=?u(M{0PsSugkpVy<0C7uvRIDv72gzNBw^pS2%UeXerP&DZB~>qmGb9LP6j~Edw@9S})5m|v#!AfN>l{{668Z+pJ zN5Sms5*rIyqY9uEGW2ucy(BV#DaC?kZ3%)#IWM^eJ$&43q*!w9g&dMjl@mKWcD3$- z%nCLHyqaPAjqp1-O2zx$vm2lNaoN8!=o$cKJ;1`On>fXqA^2txammkc^d}(V=Bpx6N6BLdZ{XJmvN~HG@zC5X>jMMk~ZAj1Gy65*ak`;pA59x6xbCz?_f;V`Xsv7{k z>OPsAH*X%8r{}HOfiE#cRm9@K-lw(tza1Bh!}gk@irs^l&F#H4tO|_}vvTJiw#zvlp8#CyqfMb$fiiIQ;4)zYG|jrl=zqO!(+j=duxh&D~FgFAHSRV zP-KW0tj8Nc5~>pMauZLNzfe+I^nzSbZSW1!hJK@3_fgmGQV$pAodb0v#qK?2MB)w9 zxk@Xb-h<%HPmpF{$iDEhrvt`vkyxYZ7&PlxGr6#Jo*25n9u(g57MM*NNWQ4e*4u`Y zO`jjYFf*FYB3L7$%EM^e5|vWhC$bzqC`5mV=rRbI3?ZK9lr#^*7&ooLHalq$j0yX* zp@o8QU{@FB8v*$O?Z^%C@U|W>NxdNA&2xDom1aw&PhHxOW%rgBl-wGaS)+g<@dt*< zvl4p4wR|t=MV&rMhHlEu5GE`4ko?-Cm9!a%-xc%=nSL0V$4He!`*$zSlfVXZwo1Yq zVAXBdjM_V4%G96Pnn@dQY3gke1yYA`0P5b@IYAZDDu^%Pi6KU{Cy{8268i`ht9934 z$jHo%(a1vk5?`l0M@31@C->b-PV}!w`#>5$C_%j|*oPh&H%eqfg?>2?U5aRgvbIS7 z@5HA)IE=Juwvx9gS2sKoU_v$?c(Rlq=`8F>^p;*958O}>)`AR6&zhX9YRXL?VMjv` z@yRH*T5zgT79-AV>Q5EHUv3f)C2<{7iKe3y#h~$Buan!8?=%|3{UmD53KgQSSnmIq?r%qjH=sRe5I{A(6{3hs*~Vp9bI>oTjP%0_xrG zoQM{&I&XVQo=-PSQW=8q-31&~lGrPwNCum{;3vTc~NxOY?C*c7n$t^1h4ZrY|CTtO7GBzs7F9okHqTIEnC|OD5@k)-rb+6U%V5i2c_}1J9+uWeiaez zw@CfKMkckIADS1;DOp}oX6-o&_R~r!cCYWU;%f_!c^i^{=#-V%2X6B8oR4fbEKH>U zsI%dofa2M-vq}!nuvOIhQoCPsC?SeRpNS4aG+PcBCFtHau<5JR=|>rQ^3en4%rs2) zDgikS5IojiQyfm7!B_5+CRHIIY8setaIGf}V)tQoT_1co*RNCCU{*d_*nmzPwq|#U zP$u9(3lCgZD3jnF{yo&h$@Si)Vf%A<_#)=;NR$s^n{|OxDT!8HuIE z2Y}E2@}(dqD<|pW+B~}D_#k8xZo=^cmCpqu2RS9bxf5rx>yPt#xhrM$j^L9$_a}kU z^Zzp8uqOCd+T>4O{{%S%*$JD-K@i0qpS%F_7kWqU7fZ{)2t~&?K%fHy7@%4_b|U;U pCKJOHRV712S`@%F;S}XMF(e=g_)40!)uaozB7v*`@%1l^zX6TTp2`3K literal 0 HcmV?d00001 diff --git a/windows/security/threat-protection/device-control/images/devicesbyconnection.png b/windows/security/threat-protection/device-control/images/devicesbyconnection.png new file mode 100644 index 0000000000000000000000000000000000000000..089a1b70fe7b264758ef46b1d72a265dde2fd78c GIT binary patch literal 6885 zcmbW62T)UOm&Zd9M4HkhAfR+1KxjchI*5QYX#qsQ(7W`G0)k=!(n5(ylU^iL={+=Q z0wMGwMIeBp^tR#scHZ6ho86h6%}jE0a__nKKJ)y~`Td`px4PPD)Yn+90RRAM^+zgC z001Hx!uPqW#DvcQ1u!FFL*)5HO$ksocx#;yklHC~DFOiKSjtnYD}Fz4Toz-S7~R@%vU4&3z}rpd-f zJ+y_KYt2Jj&9!!>Y3p_3$00>dK_~llYx_NG;`a6g`~I9plKPv}MpnV%-K9KN^-JD1)i-xte(V&P`4f-(Oy9 zxudxzMx)aX1*BWupH(soA|>wUih;;2FjJMFIbo17x8zQLy^7u6Imv&5VNX8>IpG)8 zgFyf(qf)N{Bcrdl=}ke+;HIXzRKT#&<8B-YIn8PNTFta;0)~D322l{Ku3}f(P>HR% zFW@@IrYgA%m1Cm&*dP6ZjgiTM+>txGx-Hw)`m60TpTwp}ZHH8>bCRj1lA?(00X%T? z`ajsxY0OxSmfLq%R`$?<4h*AUNN!H$Jss}sdK>e~bM&*3Y#Odehbd;!Xgdlj-yh1t z8FWb65gfZCcoy$(-w5`8tl=o5Wg5)O`PGYPn7KaWBGS0U`>cOHt>xE2+2qeC`NPz0 z8c_)ekJHXIkCP=*7e4u$DA!FF`~HHM!S-vWnOk~1JJ;EDKgB(a1;bR!-SjNKyhg-d zq&4Cn7ZmEr;&l~M)a_$Zwb{5vbUM3;hOcWd%QT-MzVi(}^&3&GVv`Svbi4V??}m$h zw@z$qOIA+h;fm92C3U1&n15U8&v4}qYM+Ox4qx;7?JD(uCBUO5-4#z~8l3?Wk#v|C zI6U-dWv8BJYyq`(i#_H?LQpH5;tY_p*$GVgkPKaQpT{MW6}xB$|Hg=+V^FE~6urq*jFo z(nJdScdhWnpIz_&{MCl{S5a8H1G43L= z1U+J6W(8ovtY4uo17rmz4JGoZlTW#eZ)l89g*CMQim1t1hOMWan0~wj{^sm@k}#ZQd#MXZvR7HQP)Th&aS_aJvv^=cwZ$B zZ5JyfGf`6P+Qj2MV2IW=y<=_ruAHNT$+2Nv3=$jcxcYA4{1#ClwkY*t=@rC!bqD7E zq9?L|>R}vSYrW4i6siyTCH7H52LpO;Hp&n&A*sD+u#@E0$71p+ zs#KRWC+7u9*YGC2s)VE6S2a26n89)|zad#Fm>Sk~&ENHc35}cDfdKVpi3RoM6Y1JM z9el7s?UFRPkYO;*pdbU1bC^QELl`1V@+TJIO z&r8@l$#fov)d2HyIB)Eb7qi<=WsV$KYstkQ3@#Zsv*IU6}UKiLYOHXiD4wI(DxuP zM1dSgDNX&i@OnNNxd0eQE(KnJi3uASIUssOCoouowg^58#r@FyodMt`OX6YVD~rB7 z!EFPi!G|vvF91&X7Ac}6;L8eo*z{6J7p?qhxvS)>AP;6rIu+JwCgUzJ6TlFeiwHj1 zs+}k`%lEY{PiA^Tp#tL(flhHIp~aQWXo4LS{y>RfIHw{#G4d zuYpKr4i3I<3q!6@s6v%+IUp!i0#usIWXaVspa70x&fDKVrXK8{9n6^_}R53SLXPbt6pM za#dY{QP*Vu;9$bLWog19G#$?Z1p4px@?`{W-xovP>Q|ol8t^i<9!ay?PASrOy4&y8 zw8um(^1cR#L+wD#*N~skM$8UwLzz>B(G{5XpGZZUx`4fnsRKcyn;nE#RegLJ3gQy5 zo}2tE=$C3d!p9*s7u{?Da9ZkoKe}+v48J7`Q{%h6s{^R@U#WH< z{g2o43lk!5J~DI0#}$gVZ7qxp$=&yecXMDZMh-+Ly+*r)Luw9-a2p!7awqso4P#Tr zUIj4()zdnUmEDzox8@^TX#-3A@!sZ6%SDI>Y#>e2X`<{*@;kblJ*WCSD~dh)tEj^} zg!u)2Rl0TzK`7C@FzKMAz1wowcQoG1#1dk?nR5K2SJobY{q%!y@SgUYeNp5d?Y{lZ$JMAj#El$3(ej0vdm^4c5CV`P9EJN$!_5Y-itDzAsd{TomSIUhT-38Z;z(fUElheuzd}gr4moV)6CM z#%_0E4#vN_TGH#EpEd-jeWStjnd@y+S%vR)7&QR}!-7k9J8X1%n083N-a4uSJ&@yI z>SOW~wv-;T0igpATHK)pI`8?~V0vN#_L*t%I7rc);BzjfGvS6?`WEb5<_`J|(PN0}?G>KH zV1^=gn}2s%)P!(@un^RhILr1z34Q5}A2`wB}M*?f)LbCR4x` z@fb@IRA8aD?6*}t@yIxUF%xq1nS7ZavS0kUdC3X1MYp^m!WXI?>u4NTgC48N6`C5P zdJWFWUwdG7=2PN+$?jxu0|O|&ICrgYtvo@a!m7=AB!MWG0LZLQ*^KeGaw50Wfr)m6 zQU6g=K;Slt2q$l$>VuBU?XBolV~WgG<1wbEMNEut!|c7nf+c*h{T(pLu_PJS>*_sq zr=p^q^nxR)U+>6+;)Q-bRdDD7YVucK3yIce>ifNla>I@#6*zz_U`Zc3*F$ALHlo*+ zcE`DrIe6h+j#JzkteOS=Fr}R#s-&X4vQ7ys?l!pQnZ03&T9Y#~+=X*g6nVQ1;*86@ z>^_BR#@RUB6BIkJ8SUhlQOT<>_PN?mdbvV^!4{XKp6Apd@*^lxRNeOH_ z65Ot1#h4P9e!T>(ce!C^y+X*QU=E!1{%v6eKmUER(lZ==Td@G-_QmFP2*(LNlG+-d z5wa6#YSin*aoUfc5s>g14#|t;KcEa*njp117kss~ANU&Kk9DC)T0!)0dpqG>Hg~Rn>rNW}g|QktEr;q0urlr#?Qek_huN+KU%^73B3p z88U09bz_;ck6+GK4B5k_@nmLHA50^fDe+Py4OsD=$sB{zy^2(ZADl1F|E*wO}I z9u^Mcys`plDJe}!;Rs?_*Y3F9ram9xKEArb#;bXQv}g!=boyJCul~D62|)?kv?4NF zj6|1UPcLQr@B9Bt(1bk#5=No?s(RZ}BwcRwgQva}2}dtAVIQ^mz5@w`5W0VMfA;9) zK^rbIM~qc0gXUduYpK71gR|IYnyt6u`)&bc`k}sdb1TVCCOlvxO{}hgZMa3}^YlWf z3G+1M9&GKI`}vO^a9OmFkT_DXSWby6lg7eE_D$?wwlZ5C0P*-qR}({F_wDeRW_Fle zUu=?fKBLuc<)Q7MHaX^@dMgw=uXpg|Pt-MMJ~xJ#@!EIv-Mj13%yyu%Xz{8sXq})& z#+_&+r`FcS4cn5dMp0BpixqqZ^K%p__jf&k?Vfe)$hMd&m$|zK5~(>^=p(ztUI?W- zW=Tc|Xlh$hdfv!f@s}PJ#_{A)k@VTqB_?Elx8}$o+m@(ry=)(`H70gG0*(>w&NA|! zZ$bor!n<^Q?+J+^r)mULWz1r;Yh+fQMc1tFzHV>So)BELsw8G+%{7Gyg`B;80s-GC z(XZ>n{)AF{uf(vb#20Pn+CPl8vV{klms>5O>qM^7q8JG+h>-;)%&h{24s%*MGcXG> zRZUjEtR|Ym5!N5uGoo@3=|&s-a=t&w6<&-(ytcLIjSc!{-YCfaLR&aT@Sl<9;FCH3 zHMU*-et}niE5HRG$E7BB_Ggq96jS zgB^=6?pc?WQ*BMHYD1O@n!@SlYint1vrBuuK~Ac^V{-U=k^z0$2wBh7uW#x3czJp4 zQ_UOw(Em)Wv>W;;7o1jxpk;sX#k!YHsF)Pv*vk^#N2OqLIX+4{Qq03wgdX~DLE<$8 zTUAE*9lG;@6O#kQ)JypmNn%rOFKb~ZFZ~&Y1eQ~U!F?*eg{fh8!Bo5q)Z+33|GWHqF%K0M`v!EchTIou$#uP&>C0NOw+8O1& zI*R?!)0WU+HJ1HskDu1WFGvoQIB-h&{D&mLru&;d2RZ47kIQs0G+iAY-@2Bb)Tr6| z`yD{uW#BCc6hFZAJ*@WW^6%A-u*qyb5(WYvc6S~iVq-g?s_)=Q43X)}%wrRdt)mS#KIRwQeaouRNl$S9+R&!s&hu^-t(Sy!IO` zGs>&24TlYvglP0*p=NFy^diL78@2}~QRc}2#E#=XG9>@bKCN^( z8s)ZrzTW6B|LyPUiF}-X7g}At*~Ad;d1YwwPyKhac7o3QLg~--FEyHaPIF_utkY-d z9OgMTNv%*J6J@b!Cl(bW1IE@a;Q?8fO2pn30Qc$2m(a~-75^up5U@B4YkOp~DSH3!3IXn> zo_!1$nyhi+NgQK;)bz_=KdLYO!iyXu{g+s{o~jsxR9KMy5c6W}bsXhcI8uF?QM0PT z#MHYQ_o6NEZsb~Dy12aTbd0wx9a;WW+7h?9F+vrZT7!xeN5pgyZ;SMQOu>jsrktU~ z2TwpB`ai}$LOGGkc;*ZAXlEUCX}eqUmriK25PF~zY?{63pu9YD#QL&l-nz7RM~<<3 zh4e28)N*DkaMC(7WdlR5!LLvd!*VWHsQ-sRVjR~2NK`T8f+NBt2`=ydsii{nvFr1Q zrUod98~%D9?>2i}2IoCDW$nDj@jvT`h~S7P>F8{Q0mOhDev`g*m6es38m4&51&{jy zh7ahbqhCFDbq=1$5MrKupWuKOPirDbdmJcObYFk4qPeL>okvefDFIh(S1B#d!~eAb z=m17>e5TzSpIkR@x_OE&oKo+MkueE=f}iowUzPSCVxuNpG7B9cETivfP=NuA7|fRO zbgWoyh?5U-Enk(k-!!M|M{dRQ>CHIMZOT`0wLg`ctr$y=kp6mav`Tc}-!wXMh>YMr z91%%9_4}I0>MlKFRK0GYK0Cv>W^sW%N?47bRcEu^$vfJZF+4>sWm1>(ZNRf*n^syM z9h3JQ!hxr6Wq^cfyMn2wqfT8&{(RSSBR8iATR1CTAZ_rTHxZHV{i|A9{5(RObwewg z#KiBxy-OQqE4$-Nxb6m=4KMC3bWI28I85r8l5PE3Q!7MvW)#LGpawF7l$M;Zq(kC5 zd3&oEy?OP9UJaVbb0Ib0zX=a1c{tSyS~@Z-7(x+rnAJje1fyZWh^mt&)~&xixqNBa zF#WT;BA9jaQ=WETvpfUdi!W1KG9^{dm~PbO^+4YEzv$`<0YfxiV~BM{{-GiRq&XOJ zl_0S&$-k7QWb-y-JK}$U&p)t~n8#9lad-pZol|rJ^RSKOe^+amR~XdARN`{tE`BZZRPD5CUeBtm)LNxQsJFBPxMI&y9sB@w!GjAOW;Vn8wE`QD%2&XjN^$he5~ zZ!M;N@#|Hn&DzlGc4x!UvIo?oRdc zS9gEIL7YZKP;VhR!u_kI&~@yifPgC2ny3cngQs*Kv%i$GO2;a(E#`CY+C?2wC|=qf zLsm)!wtv8YKvSu^ULj=McnA=>2q>&2v9#eJNskk#9nMvYFcjDCOPp`Id%-& z^y2)7U2(l|2+noPb28pgkmKnYx%~JULnf!^3~qKjILGya=cLDE_tY3&!TXiubgl!^ z?C#eiH^fuc;<(1xy^Fc!gcUgRJgp!}$(0Kd6;UeEuOFvPdVe7?cjZK4*>|>M25oW- vTzw_{R?89)&&4Ys)M8Ebo|cvi7evB&+)b`tQhx}4O##$ZwN=WLEW`c-`YjnO literal 0 HcmV?d00001 From ed84e585292aefb03ff06686ac2db6b94145a78c Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Tue, 6 Aug 2019 00:38:11 -0400 Subject: [PATCH 11/37] fix: MD018/no-missing-space-atx No space after hash on atx style heading --- browsers/internet-explorer/TOC.md | 332 +++++++++--------- store-for-business/TOC.md | 2 +- store-for-business/education/TOC.md | 2 +- windows/release-information/TOC.md | 4 +- .../hello-for-business/toc.md | 4 +- windows/security/threat-protection/TOC.md | 4 +- .../TOC.md | 2 +- 7 files changed, 175 insertions(+), 175 deletions(-) diff --git a/browsers/internet-explorer/TOC.md b/browsers/internet-explorer/TOC.md index 0fed701c19..c2812cb730 100644 --- a/browsers/internet-explorer/TOC.md +++ b/browsers/internet-explorer/TOC.md @@ -1,188 +1,188 @@ -#[IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md) +# [IE11 Deployment Guide for IT Pros](ie11-deploy-guide/index.md) -##[Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md) +## [Change history for the Internet Explorer 11 (IE11) Deployment Guide](ie11-deploy-guide/change-history-for-internet-explorer-11.md) -##[System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md) +## [System requirements and language support for Internet Explorer 11](ie11-deploy-guide/system-requirements-and-language-support-for-ie11.md) -##[List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md) +## [List of updated features and tools - Internet Explorer 11 (IE11)](ie11-deploy-guide/updated-features-and-tools-with-ie11.md) -##[Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md) -###[Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md) -####[Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md) -####[Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md) -####[Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md) -###[Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md) -####[Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md) -####[Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md) -####[Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md) -####[Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md) -####[Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md) -####[Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md) -###[Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md) -####[Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md) -####[Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md) -###[Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md) +## [Install and Deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/install-and-deploy-ie11.md) +### [Customize Internet Explorer 11 installation packages](ie11-deploy-guide/customize-ie11-install-packages.md) +#### [Using IEAK 11 to create packages](ie11-deploy-guide/using-ieak11-to-create-install-packages.md) +#### [Create packages for multiple operating systems or languages](ie11-deploy-guide/create-install-packages-for-multiple-operating-systems-or-languages.md) +#### [Using .INF files to create packages](ie11-deploy-guide/using-inf-files-to-create-install-packages.md) +### [Choose how to install Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-install-ie11.md) +#### [Install Internet Explorer 11 (IE11) - System Center 2012 R2 Configuration Manager](ie11-deploy-guide/install-ie11-using-system-center-configuration-manager.md) +#### [Install Internet Explorer 11 (IE11) - Windows Server Update Services (WSUS)](ie11-deploy-guide/install-ie11-using-windows-server-update-services-wsus.md) +#### [Install Internet Explorer 11 (IE11) - Microsoft Intune](ie11-deploy-guide/install-ie11-using-microsoft-intune.md) +#### [Install Internet Explorer 11 (IE11) - Network](ie11-deploy-guide/install-ie11-using-the-network.md) +#### [Install Internet Explorer 11 (IE11) - Operating system deployment systems](ie11-deploy-guide/install-ie11-using-operating-system-deployment-systems.md) +#### [Install Internet Explorer 11 (IE11) - Third-party tools](ie11-deploy-guide/install-ie11-using-third-party-tools.md) +### [Choose how to deploy Internet Explorer 11 (IE11)](ie11-deploy-guide/choose-how-to-deploy-ie11.md) +#### [Deploy Internet Explorer 11 using Automatic Version Synchronization (AVS)](ie11-deploy-guide/deploy-ie11-using-automatic-version-synchronization-avs.md) +#### [Deploy Internet Explorer 11 using software distribution tools](ie11-deploy-guide/deploy-ie11-using-software-distribution-tools.md) +### [Virtualization and compatibility with Internet Explorer 11](ie11-deploy-guide/virtualization-and-compatibility-with-ie11.md) -##[Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md) +## [Collect data using Enterprise Site Discovery](ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md) -##[Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md) -###[Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md) -###[Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md) -###[Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md) -###[Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md) -###[Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md) -###[Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md) -###[Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md) -###[Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md) -###[Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md) -####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) -####[Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) -####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) -####[Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) -####[Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) -####[Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) -####[Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) -####[Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) -####[Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) -####[Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md) -####[Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) -####[Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) -###[Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md) -####[Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md) -#####[Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md) -#####[Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md) -####[Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md) -#####[Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md) -#####[Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md) -#####[Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md) -#####[Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md) -#####[Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md) -#####[View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md) -#####[View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md) -###[Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md) -###[Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) -###[Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md) -###[Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md) -###[Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md) +## [Enterprise Mode for Internet Explorer 11 (IE11)](ie11-deploy-guide/enterprise-mode-overview-for-ie11.md) +### [Tips and tricks to manage Internet Explorer compatibility](ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md) +### [Enterprise Mode and the Enterprise Mode Site List](ie11-deploy-guide/what-is-enterprise-mode.md) +### [Set up Enterprise Mode logging and data collection](ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md) +### [Turn on Enterprise Mode and use a site list](ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md) +### [Enterprise Mode schema v.2 guidance](ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md) +### [Enterprise Mode schema v.1 guidance](ie11-deploy-guide/enterprise-mode-schema-version-1-guidance.md) +### [Check for a new Enterprise Mode site list xml file](ie11-deploy-guide/check-for-new-enterprise-mode-site-list-xml-file.md) +### [Turn on local control and logging for Enterprise Mode](ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md) +### [Use the Enterprise Mode Site List Manager](ie11-deploy-guide/use-the-enterprise-mode-site-list-manager.md) +#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-2-enterprise-mode-tool.md) +#### [Add single sites to the Enterprise Mode site list using the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-single-sites-to-enterprise-mode-site-list-using-the-version-1-enterprise-mode-tool.md) +#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) +#### [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](ie11-deploy-guide/add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) +#### [Edit the Enterprise Mode site list using the Enterprise Mode Site List Manager](ie11-deploy-guide/edit-the-enterprise-mode-site-list-using-the-enterprise-mode-site-list-manager.md) +#### [Fix validation problems using the Enterprise Mode Site List Manager](ie11-deploy-guide/fix-validation-problems-using-the-enterprise-mode-site-list-manager.md) +#### [Search your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/search-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +#### [Save your site list to XML in the Enterprise Mode Site List Manager](ie11-deploy-guide/save-your-site-list-to-xml-in-the-enterprise-mode-site-list-manager.md) +#### [Export your Enterprise Mode site list from the Enterprise Mode Site List Manager](ie11-deploy-guide/export-your-enterprise-mode-site-list-from-the-enterprise-mode-site-list-manager.md) +#### [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](ie11-deploy-guide/import-into-the-enterprise-mode-site-list-manager.md) +#### [Delete sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/delete-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +#### [Remove all sites from your Enterprise Mode site list in the Enterprise Mode Site List Manager](ie11-deploy-guide/remove-all-sites-from-your-enterprise-mode-site-list-in-the-enterprise-mode-site-list-manager.md) +### [Use the Enterprise Mode Site List Portal](ie11-deploy-guide/use-the-enterprise-mode-portal.md) +#### [Set up the Enterprise Mode Site List Portal](ie11-deploy-guide/set-up-enterprise-mode-portal.md) +##### [Use the Settings page to finish setting up the Enterprise Mode Site List Portal](ie11-deploy-guide/configure-settings-enterprise-mode-portal.md) +##### [Add employees to the Enterprise Mode Site List Portal](ie11-deploy-guide/add-employees-enterprise-mode-portal.md) +#### [Workflow-based processes for employees using the Enterprise Mode Site List Portal](ie11-deploy-guide/workflow-processes-enterprise-mode-portal.md) +##### [Create a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/create-change-request-enterprise-mode-portal.md) +##### [Verify your changes using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-preprod-enterprise-mode-portal.md) +##### [Approve a change request using the Enterprise Mode Site List Portal](ie11-deploy-guide/approve-change-request-enterprise-mode-portal.md) +##### [Schedule approved change requests for production using the Enterprise Mode Site List Portal](ie11-deploy-guide/schedule-production-change-enterprise-mode-portal.md) +##### [Verify the change request update in the production environment using the Enterprise Mode Site List Portal](ie11-deploy-guide/verify-changes-production-enterprise-mode-portal.md) +##### [View the apps currently on the Enterprise Mode Site List](ie11-deploy-guide/view-apps-enterprise-mode-site-list.md) +##### [View the available Enterprise Mode reports from the Enterprise Mode Site List Portal](ie11-deploy-guide/view-enterprise-mode-reports-for-portal.md) +### [Using IE7 Enterprise Mode or IE8 Enterprise Mode](ie11-deploy-guide/using-enterprise-mode.md) +### [Fix web compatibility issues using document modes and the Enterprise Mode site list](ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md) +### [Remove sites from a local Enterprise Mode site list](ie11-deploy-guide/remove-sites-from-a-local-enterprise-mode-site-list.md) +### [Remove sites from a local compatibility view list](ie11-deploy-guide/remove-sites-from-a-local-compatibililty-view-list.md) +### [Turn off Enterprise Mode](ie11-deploy-guide/turn-off-enterprise-mode.md) -##[Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md) -###[Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md) -####[Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md) -####[Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md) -####[Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md) -####[Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md) -####[Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md) -###[New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md) -###[Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md) -###[ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md) -###[Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md) -###[Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md) -###[Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md) -###[Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) +## [Group Policy and Internet Explorer 11 (IE11)](ie11-deploy-guide/group-policy-and-ie11.md) +### [Group Policy management tools](ie11-deploy-guide/group-policy-objects-and-ie11.md) +#### [Group Policy and the Group Policy Management Console (GPMC)](ie11-deploy-guide/group-policy-and-group-policy-mgmt-console-ie11.md) +#### [Group Policy and the Local Group Policy Editor](ie11-deploy-guide/group-policy-and-local-group-policy-editor-ie11.md) +#### [Group Policy and Advanced Group Policy Management (AGPM)](ie11-deploy-guide/group-policy-and-advanced-group-policy-mgmt-ie11.md) +#### [Group Policy and Windows Powershell](ie11-deploy-guide/group-policy-windows-powershell-ie11.md) +#### [Group Policy and Shortcut Extensions](ie11-deploy-guide/group-policy-shortcut-extensions-ie11.md) +### [New group policy settings for Internet Explorer 11](ie11-deploy-guide/new-group-policy-settings-for-ie11.md) +### [Set the default browser using Group Policy](ie11-deploy-guide/set-the-default-browser-using-group-policy.md) +### [ActiveX installation using group policy](ie11-deploy-guide/activex-installation-using-group-policy.md) +### [Group Policy and compatibility with Internet Explorer 11](ie11-deploy-guide/group-policy-compatibility-with-ie11.md) +### [Group policy preferences and Internet Explorer 11](ie11-deploy-guide/group-policy-preferences-and-ie11.md) +### [Administrative templates and Internet Explorer 11](ie11-deploy-guide/administrative-templates-and-ie11.md) +### [Enable and disable add-ons using administrative templates and group policy](ie11-deploy-guide/enable-and-disable-add-ons-using-administrative-templates-and-group-policy.md) -##[Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md) -###[Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md) -###[Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md) -###[Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md) +## [Manage Internet Explorer 11](ie11-deploy-guide/manage-ie11-overview.md) +### [Auto detect settings Internet Explorer 11](ie11-deploy-guide/auto-detect-settings-for-ie11.md) +### [Auto configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-configuration-settings-for-ie11.md) +### [Auto proxy configuration settings for Internet Explorer 11](ie11-deploy-guide/auto-proxy-configuration-settings-for-ie11.md) -##[Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md) -###[Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md) -###[Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md) -###[Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md) -###[Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md) -###[User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md) -###[Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md) -###[.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md) -###[Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md) -###[Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md) -###[Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md) -###[Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md) +## [Troubleshoot Internet Explorer 11 (IE11)](ie11-deploy-guide/troubleshoot-ie11.md) +### [Setup problems with Internet Explorer 11](ie11-deploy-guide/setup-problems-with-ie11.md) +### [Install problems with Internet Explorer 11](ie11-deploy-guide/install-problems-with-ie11.md) +### [Problems after installing Internet Explorer 11](ie11-deploy-guide/problems-after-installing-ie11.md) +### [Auto configuration and auto proxy problems with Internet Explorer 11](ie11-deploy-guide/auto-configuration-and-auto-proxy-problems-with-ie11.md) +### [User interface problems with Internet Explorer 11](ie11-deploy-guide/user-interface-problems-with-ie11.md) +### [Group Policy problems with Internet Explorer 11](ie11-deploy-guide/group-policy-problems-ie11.md) +### [.NET Framework problems with Internet Explorer 11](ie11-deploy-guide/net-framework-problems-with-ie11.md) +### [Enhanced Protected Mode problems with Internet Explorer](ie11-deploy-guide/enhanced-protected-mode-problems-with-ie11.md) +### [Fix font rendering problems by turning off natural metrics](ie11-deploy-guide/turn-off-natural-metrics.md) +### [Intranet problems with Internet Explorer 11](ie11-deploy-guide/intranet-problems-and-ie11.md) +### [Browser cache changes and roaming profiles](ie11-deploy-guide/browser-cache-changes-and-roaming-profiles.md) -##[Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md) -###[Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md) +## [Out-of-date ActiveX control blocking](ie11-deploy-guide/out-of-date-activex-control-blocking.md) +### [Blocked out-of-date ActiveX controls](ie11-deploy-guide/blocked-out-of-date-activex-controls.md) -##[Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md) +## [Deprecated document modes and Internet Explorer 11](ie11-deploy-guide/deprecated-document-modes.md) -##[What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md) -###[Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) -###[Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md) +## [What is the Internet Explorer 11 Blocker Toolkit?](ie11-deploy-guide/what-is-the-internet-explorer-11-blocker-toolkit.md) +### [Internet Explorer 11 delivery through automatic updates](ie11-deploy-guide/ie11-delivery-through-automatic-updates.md) +### [Internet Explorer 11 Blocker Toolkit FAQ](ie11-faq/faq-ie11-blocker-toolkit.md) -##[Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md) +## [Missing Internet Explorer Maintenance settings for Internet Explorer 11](ie11-deploy-guide/missing-internet-explorer-maintenance-settings-for-ie11.md) -##[Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md) +## [Missing the Compatibility View Button](ie11-deploy-guide/missing-the-compatibility-view-button.md) -##[Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md) +## [Deploy pinned websites using Microsoft Deployment Toolkit (MDT) 2013](ie11-deploy-guide/deploy-pinned-sites-using-mdt-2013.md) -#[IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md) +# [IE11 Frequently Asked Questions (FAQ) Guide for IT Pros](ie11-faq/faq-for-it-pros-ie11.md) -#[Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md) -##[What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md) -##[Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md) -##[Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md) -###[Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md) -###[Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md) -###[Security features and IEAK 11](ie11-ieak/security-and-ieak11.md) -###[File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md) -###[Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md) -###[Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md) -###[Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md) -###[Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md) -###[Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md) -###[Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md) -###[Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md) -###[Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md) -###[Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md) -###[Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md) -###[Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md) -###[Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md) -###[IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md) -###[Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md) +# [Internet Explorer Administration Kit 11 (IEAK 11) - Administration Guide for IT Pros](ie11-ieak/index.md) +## [What IEAK can do for you](ie11-ieak/what-ieak-can-do-for-you.md) +## [Internet Explorer Administration Kit (IEAK) information and downloads](ie11-ieak/ieak-information-and-downloads.md) +## [Before you start using IEAK 11](ie11-ieak/before-you-create-custom-pkgs-ieak11.md) +### [Hardware and software requirements for IEAK 11](ie11-ieak/hardware-and-software-reqs-ieak11.md) +### [Determine the licensing version and features to use in IEAK 11](ie11-ieak/licensing-version-and-features-ieak11.md) +### [Security features and IEAK 11](ie11-ieak/security-and-ieak11.md) +### [File types used or created by IEAK 11](ie11-ieak/file-types-ieak11.md) +### [Tasks and references to consider before creating and deploying custom packages using IEAK 11](ie11-ieak/create-manage-deploy-custom-pkgs-ieak11.md) +### [Create the build computer folder structure using IEAK 11](ie11-ieak/create-build-folder-structure-ieak11.md) +### [Set up auto detection for DHCP or DNS servers using IEAK 11](ie11-ieak/auto-detection-dhcp-or-dns-servers-ieak11.md) +### [Use proxy auto-configuration (.pac) files with IEAK 11](ie11-ieak/proxy-auto-config-examples.md) +### [Customize the toolbar button and Favorites List icons using IEAK 11](ie11-ieak/guidelines-toolbar-and-favorites-list-ieak11.md) +### [Use the uninstallation .INF files to uninstall custom components](ie11-ieak/create-uninstall-inf-files-for-custom-components.md) +### [Add and approve ActiveX controls using the IEAK 11](ie11-ieak/add-and-approve-activex-controls-ieak11.md) +### [Register an uninstall app for custom components using IEAK 11](ie11-ieak/register-uninstall-app-ieak11.md) +### [Customize Automatic Search for Internet Explorer using IEAK 11](ie11-ieak/customize-automatic-search-for-ie.md) +### [Create multiple versions of your custom package using IEAK 11](ie11-ieak/create-multiple-browser-packages-ieak11.md) +### [Before you install your package over your network using IEAK 11](ie11-ieak/prep-network-install-with-ieak11.md) +### [Use the RSoP snap-in to review policy settings](ie11-ieak/rsop-snapin-for-policy-settings-ieak11.md) +### [IEAK 11 - Frequently Asked Questions](ie11-faq/faq-ieak11.md) +### [Troubleshoot custom package and IEAK 11 problems](ie11-ieak/troubleshooting-custom-browser-pkg-ieak11.md) -##[Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md) -###[Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md) -###[Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md) -###[Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md) -###[Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md) -###[Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md) -###[Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md) -###[Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md) -###[Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md) -###[Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md) -###[Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md) -###[Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md) -###[Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md) -###[Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md) -###[Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md) -###[Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md) -###[Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md) -###[Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md) -###[Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md) -###[Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md) -###[Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md) -###[Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md) -###[Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md) -###[Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md) -###[Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md) -###[Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md) -###[Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md) +## [Internet Explorer Administration Kit 11 (IEAK 11) Customization Wizard options](ie11-ieak/ieak11-wizard-custom-options.md) +### [Use the File Locations page in the IEAK 11 Wizard](ie11-ieak/file-locations-ieak11-wizard.md) +### [Use the Platform Selection page in the IEAK 11 Wizard](ie11-ieak/platform-selection-ieak11-wizard.md) +### [Use the Language Selection page in the IEAK 11 Wizard](ie11-ieak/language-selection-ieak11-wizard.md) +### [Use the Package Type Selection page in the IEAK 11 Wizard](ie11-ieak/pkg-type-selection-ieak11-wizard.md) +### [Use the Feature Selection page in the IEAK 11 Wizard](ie11-ieak/feature-selection-ieak11-wizard.md) +### [Use the Automatic Version Synchronization page in the IEAK 11 Wizard](ie11-ieak/auto-version-sync-ieak11-wizard.md) +### [Use the Custom Components page in the IEAK 11 Wizard](ie11-ieak/custom-components-ieak11-wizard.md) +### [Use the Internal Install page in the IEAK 11 Wizard](ie11-ieak/internal-install-ieak11-wizard.md) +### [Use the User Experience page in the IEAK 11 Wizard](ie11-ieak/user-experience-ieak11-wizard.md) +### [Use the Browser User Interface page in the IEAK 11 Wizard](ie11-ieak/browser-ui-ieak11-wizard.md) +### [Use the Search Providers page in the IEAK 11 Wizard](ie11-ieak/search-providers-ieak11-wizard.md) +### [Use the Important URLs - Home Page and Support page in the IEAK 11 Wizard](ie11-ieak/important-urls-home-page-and-support-ieak11-wizard.md) +### [Use the Accelerators page in the IEAK 11 Wizard](ie11-ieak/accelerators-ieak11-wizard.md) +### [Use the Favorites, Favorites Bar, and Feeds page in the IEAK 11 Wizard](ie11-ieak/favorites-favoritesbar-and-feeds-ieak11-wizard.md) +### [Use the Browsing Options page in the IEAK 11 Wizard](ie11-ieak/browsing-options-ieak11-wizard.md) +### [Use the First Run Wizard and Welcome Page Options page in the IEAK 11 Wizard](ie11-ieak/first-run-and-welcome-page-ieak11-wizard.md) +### [Use the Compatibility View page in the IEAK 11 Wizard](ie11-ieak/compat-view-ieak11-wizard.md) +### [Use the Connection Manager page in the IEAK 11 Wizard](ie11-ieak/connection-mgr-ieak11-wizard.md) +### [Use the Connection Settings page in the IEAK 11 Wizard](ie11-ieak/connection-settings-ieak11-wizard.md) +### [Use the Automatic Configuration page in the IEAK 11 Wizard](ie11-ieak/auto-config-ieak11-wizard.md) +### [Use the Proxy Settings page in the IEAK 11 Wizard](ie11-ieak/proxy-settings-ieak11-wizard.md) +### [Use the Security and Privacy Settings page in the IEAK 11 Wizard](ie11-ieak/security-and-privacy-settings-ieak11-wizard.md) +### [Use the Add a Root Certificate page in the IEAK 11 Wizard](ie11-ieak/add-root-certificate-ieak11-wizard.md) +### [Use the Programs page in the IEAK 11 Wizard](ie11-ieak/programs-ieak11-wizard.md) +### [Use the Additional Settings page in the IEAK 11 Wizard](ie11-ieak/additional-settings-ieak11-wizard.md) +### [Use the Wizard Complete - Next Steps page in the IEAK 11 Wizard](ie11-ieak/wizard-complete-ieak11-wizard.md) -##[Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md) -###[Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md) -###[Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md) -###[Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md) -###[Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md) -###[Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md) -###[Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md) -###[Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md) -###[Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md) -###[Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md) -###[Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md) -###[Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md) -###[Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md) -###[Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md) +## [Using Internet Settings (.INS) files with IEAK 11](ie11-ieak/using-internet-settings-ins-files.md) +### [Use the Branding .INS file to create custom branding and setup info](ie11-ieak/branding-ins-file-setting.md) +### [Use the BrowserToolbars .INS file to customize the Internet Explorer toolbar](ie11-ieak/browsertoolbars-ins-file-setting.md) +### [Use the CabSigning .INS file to review the digital signatures for your apps](ie11-ieak/cabsigning-ins-file-setting.md) +### [Use the ConnectionSettings .INS file to review the network connections for install](ie11-ieak/connectionsettings-ins-file-setting.md) +### [Use the CustomBranding .INS file to specify the custom branding location](ie11-ieak/custombranding-ins-file-setting.md) +### [Use the ExtRegInf .INS file to specify installation files and mode](ie11-ieak/extreginf-ins-file-setting.md) +### [Use the FavoritesEx .INS file for your Favorites icon and URLs](ie11-ieak/favoritesex-ins-file-setting.md) +### [Use the HideCustom .INS file to hide GUIDs](ie11-ieak/hidecustom-ins-file-setting.md) +### [Use the ISP_Security .INS file to add your root certificate](ie11-ieak/isp-security-ins-file-setting.md) +### [Use the Media .INS file to specify your install media](ie11-ieak/media-ins-file-setting.md) +### [Use the Proxy .INS file to specify a proxy server](ie11-ieak/proxy-ins-file-setting.md) +### [Use the Security Imports .INS file to import security info](ie11-ieak/security-imports-ins-file-setting.md) +### [Use the URL .INS file to use an auto-configured proxy server](ie11-ieak/url-ins-file-setting.md) -##[IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md) -###[IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md) -###[Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md) +## [IExpress Wizard for Windows Server 2008 R2 with SP1](ie11-ieak/iexpress-wizard-for-win-server.md) +### [IExpress Wizard command-line options](ie11-ieak/iexpress-command-line-options.md) +### [Internet Explorer Setup command-line options and return codes](ie11-ieak/ie-setup-command-line-options-and-return-codes.md) diff --git a/store-for-business/TOC.md b/store-for-business/TOC.md index c4fdb65355..fe8f3b7411 100644 --- a/store-for-business/TOC.md +++ b/store-for-business/TOC.md @@ -1,7 +1,7 @@ # [Microsoft Store for Business](index.md) ## [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) ## [Sign up and get started](sign-up-microsoft-store-for-business-overview.md) -###[Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md) +### [Microsoft Store for Business and Microsoft Store for Education overview](microsoft-store-for-business-overview.md) ### [Prerequisites for Microsoft Store for Business and Education](prerequisites-microsoft-store-for-business.md) ### [Sign up for Microsoft Store for Business or Microsoft Store for Education](sign-up-microsoft-store-for-business.md) ### [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md) diff --git a/store-for-business/education/TOC.md b/store-for-business/education/TOC.md index bf36f37baf..515b03dd25 100644 --- a/store-for-business/education/TOC.md +++ b/store-for-business/education/TOC.md @@ -1,7 +1,7 @@ # [Microsoft Store for Education](/microsoft-store/index?toc=/microsoft-store/education/toc.json) ## [What's new in Microsoft Store for Business and Education](/microsoft-store/whats-new-microsoft-store-business-education?toc=/microsoft-store/education/toc.json) ## [Sign up and get started](/microsoft-store/sign-up-microsoft-store-for-business-overview?toc=/microsoft-store/education/toc.json) -###[Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json) +### [Microsoft Store for Business and Education overview](/microsoft-store/windows-store-for-business-overview?toc=/microsoft-store/education/toc.json) ### [Prerequisites for Microsoft Store for Business and Education](/microsoft-store/prerequisites-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) ### [Sign up for Microsoft Store for Business or Microsoft Store for Education](/microsoft-store/sign-up-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) ### [Roles and permissions in the Microsoft Store for Business and Education](/microsoft-store/roles-and-permissions-microsoft-store-for-business?toc=/microsoft-store/education/toc.json) diff --git a/windows/release-information/TOC.md b/windows/release-information/TOC.md index c905dea447..41ca5d90c0 100644 --- a/windows/release-information/TOC.md +++ b/windows/release-information/TOC.md @@ -24,7 +24,7 @@ # Previous versions ## Windows 8.1 and Windows Server 2012 R2 ### [Known issues and notifications](status-windows-8.1-and-windows-server-2012-r2.yml) -###[Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml) +### [Resolved issues](resolved-issues-windows-8.1-and-windows-server-2012-r2.yml) ## Windows Server 2012 ### [Known issues and notifications](status-windows-server-2012.yml) ### [Resolved issues](resolved-issues-windows-server-2012.yml) @@ -33,4 +33,4 @@ ### [Resolved issues](resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml) ## Windows Server 2008 SP2 ### [Known issues and notifications](status-windows-server-2008-sp2.yml) -### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml) \ No newline at end of file +### [Resolved issues](resolved-issues-windows-server-2008-sp2.yml) diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index c286b36226..8bd5be542e 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -1,6 +1,6 @@ # [Windows Hello for Business](hello-identity-verification.md) -##[Password-less Strategy](passwordless-strategy.md) +## [Password-less Strategy](passwordless-strategy.md) ## [Windows Hello for Business Overview](hello-overview.md) ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) @@ -63,4 +63,4 @@ ### [Windows Hello for Business Videos](hello-videos.md) ## [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) -## [Event ID 300 - Windows Hello successfully created](hello-event-300.md) \ No newline at end of file +## [Event ID 300 - Windows Hello successfully created](hello-event-300.md) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 3535676cf8..9aeb3ca292 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -92,12 +92,12 @@ ##### [Investigate entities using Live response]() ###### [Investigate entities on machines](microsoft-defender-atp/live-response.md) -######[Live response command examples](microsoft-defender-atp/live-response-command-examples.md) +###### [Live response command examples](microsoft-defender-atp/live-response-command-examples.md) ### [Automated investigation and remediation]() #### [Automated investigation and remediation overview](microsoft-defender-atp/automated-investigations.md) #### [Learn about the automated investigation and remediation dashboard](microsoft-defender-atp/manage-auto-investigation.md) -#####[Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) +##### [Manage actions related to automated investigation and remediation](microsoft-defender-atp/auto-investigation-action-center.md) ### [Secure score](microsoft-defender-atp/overview-secure-score.md) ### [Threat analytics](microsoft-defender-atp/threat-analytics.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index ac99737410..196c8dc9a2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -11,7 +11,7 @@ ## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md) ### [Types of devices](types-of-devices.md) -###Use WDAC with custom policies +### Use WDAC with custom policies #### [Create an initial default policy](create-initial-default-policy.md) #### [Create path-based rules](create-path-based-rules.md) #### [Microsoft recommended block rules](microsoft-recommended-block-rules.md) From 56068c987add34ef3e6e2b9aaf05d3db069dc207 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 6 Aug 2019 12:13:02 +0300 Subject: [PATCH 12/37] Update windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../restore-quarantined-files-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index a405558187..68c4accc82 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -30,7 +30,7 @@ If Windows Defender Antivirus is configured to detect and remediate threats on y 4. Click an item you want to keep, then click **Restore**. (If you prefer to remove the item, you can click **Remove**.) > [!NOTE] -> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV. +> You can also use the dedicated command-line tool [mpcmdrun.exe](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/command-line-arguments-windows-defender-antivirus) to restore quarantined files in Windows Defender AV. ## Related topics From 0b9490ede531e0cbeaf7c438e39cd34870d0ee49 Mon Sep 17 00:00:00 2001 From: Mohamed Kamal Date: Tue, 6 Aug 2019 15:06:39 +0200 Subject: [PATCH 13/37] update step 4 --- ...-microsoft-advanced-group-policy-management-40.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md index dc69096e0f..090949bb7e 100644 --- a/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md +++ b/mdop/agpm/step-by-step-guide-for-microsoft-advanced-group-policy-management-40.md @@ -272,15 +272,17 @@ As an AGPM Administrator (Full Control), you designate the e-mail addresses of A **To configure e-mail notification for AGPM** -1. In the details pane, click the **Domain Delegation** tab. +1. In **Group Policy Management Editor** , navigate to the **Change Control** folder -2. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent. +2. In the details pane, click the **Domain Delegation** tab. -3. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role. +3. In the **From e-mail address** field, type the e-mail alias for AGPM from which notifications should be sent. -4. In the **SMTP server** field, type a valid SMTP mail server. +4. In the **To e-mail address** field, type the e-mail address for the user account to which you intend to assign the Approver role. -5. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**. +5. In the **SMTP server** field, type a valid SMTP mail server. + +6. In the **User name** and **Password** fields, type the credentials of a user who has access to the SMTP service. Click **Apply**. ### Step 5: Delegate access From c944a773c512873e5cd03c45e958ad945345c913 Mon Sep 17 00:00:00 2001 From: Mohamed Kamal Date: Wed, 7 Aug 2019 15:02:44 +0200 Subject: [PATCH 14/37] Update "Add Superseded Template step" https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3775 --- .../hello-for-business/hello-cert-trust-validate-pki.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 48fdad4ba0..2e79df76db 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -85,8 +85,8 @@ Sign-in to a certificate authority or management workstations with _Enterprise A 3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**. 4. Click the **Superseded Templates** tab. Click **Add**. 5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**. -6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **Add**. -7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **Add**. +6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**. Click **Add**. +7. From the **Add Superseded Template** dialog, select the **Kerberos Authentication** certificate template and click **OK**. Click **Add**. 8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab. 9. Click **OK** and close the **Certificate Templates** console. From a6bb65cfbb97d399507a8de2d733796e7f8e165c Mon Sep 17 00:00:00 2001 From: Peter Smith Date: Wed, 7 Aug 2019 16:26:24 -0700 Subject: [PATCH 15/37] Make the multi-user case for automatic triggers more clear Devices with multiple always-on triggers can still only have one profile set to active out of all of the profiles for all of the users on the device. --- .../identity-protection/vpn/vpn-auto-trigger-profile.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md index 178333b713..3038aa0e34 100644 --- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md +++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md @@ -59,7 +59,7 @@ Always On is a feature in Windows 10 which enables the active VPN profile to con When the trigger occurs, VPN tries to connect. If an error occurs or any user input is needed, the user is shown a toast notification for additional interaction. -When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. +When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers. Preserving user Always On preference From 18e3f1c2e410235f161bb04bcd9855933fe8231f Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 8 Aug 2019 14:05:31 -0700 Subject: [PATCH 16/37] Update create-windows-firewall-rules-in-intune.md --- ...create-windows-firewall-rules-in-intune.md | 22 +------------------ 1 file changed, 1 insertion(+), 21 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index bf20974a75..3c68f15b7e 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -35,30 +35,10 @@ Select Windows Defender Firewall. ## Firewall rule components +The firewall rule configuration in Intune use the Windows 10 CSP for Firewall. For more information about the CSP, see [Firewall CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp) Following table has description for each field. -| Property | Type | Description | -|----------|------|-------------| -| DisplayName | String | The display name of the rule. Does not need to be unique. | -| Description | String | The description of the rule. | -| PackageFamilyName | String | The package family name of a Microsoft Store application that's affected by the firewall rule. | -| FilePath | String | The full file path of an app that's affected by the firewall rule. | -| FullyQualifiedBinaryName | String | The fully qualified binary name. | -| ServiceName | String | The name used in cases when a service, not an application, is sending or receiving traffic. | -| Protocol | Nullable Integer - default value is null which maps to All | 0-255 number representing the [IP protocol](https://www.wikipedia.org/wiki/List_of_IP_protocol_numbers) (TCP = 6, UDP = 17). If not specified, the default is All. | -| LocalPortRanges | String array | List of local port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. | -| RemotePortRanges | String array | List of remote port ranges. For example, "100-120", "200", "300-320". If not specified, the default is All. | -| LocalAddressRanges | String array | List of local addresses covered by the rule. Valid tokens include:
- "\*" indicates any local address. If present, this must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of "start address - end address" with no spaces included.
- An IPv6 address range in the format of "start address - end address" with no spaces included.
Default is any address. | -| RemoteAddressRanges | String array | List of tokens specifying the remote addresses covered by the rule.Tokens are case insensitive. Valid tokens include:
- "\*" indicates any remote address. If present, this must be the only token included.
- "Defaultgateway"
- "DHCP"
- "DNS"
- "WINS"
- "Intranet"
- "RmtIntranet"
- "Internet"
- "Ply2Renders"
- "LocalSubnet" indicates any local address on the local subnet. This token is not case-sensitive.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of "start address - end address" with no spaces included.
- An IPv6 address range in the format of "start address - end address" with no spaces included.
Default is any address. | -| ProfileTypes | WindowsFirewallNetworkProfileTypes | Specifies the profiles to which the rule belongs. If not specified, the default is All. | -| Action| StateManagementSetting | The action the rule enforces. If not specified, the default is Allowed. | -| TrafficDirection | WindowsFirewallRuleTrafficDirectionType | The traffic direction that the rule is enabled for. If not specified, the default is Out. | -| InterfaceTypes | WindowsFirewallRuleInterfaceTypes | The interface types of the rule. | -| EdgeTraversal | StateManagementSetting | Indicates whether edge traversal is enabled or disabled for this rule.
The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
New rules have the EdgeTraversal property disabled by default. | -| LocalUserAuthorizations | String | Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format. | - - ## Application Control connections for an app or program. Apps and programs can be specified either file path, package family name, or Windows service short name. From 27f3617e08b802cc59c61269782697bb4f5796b9 Mon Sep 17 00:00:00 2001 From: f00f <582746+f00f@users.noreply.github.com> Date: Fri, 9 Aug 2019 09:31:49 +0200 Subject: [PATCH 17/37] Fix formatting of XML sample block --- .../lock-down-windows-10-to-specific-apps.md | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 5d8414295c..2b237f1092 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -172,18 +172,19 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**: The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. + ```xml -<AllAppsList> - <AllowedApps> - <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" /> - <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" /> - <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" /> - <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" /> - <App DesktopAppPath="%windir%\system32\mspaint.exe" /> - <App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt"/> - </AllowedApps> -</AllAppsList> + + + + + + + + + + + ``` ##### FileExplorerNamespaceRestrictions From 5c1bec8184c8f93518f7c14fa763ca839a25725f Mon Sep 17 00:00:00 2001 From: John Wirtala Date: Fri, 9 Aug 2019 15:00:28 -0700 Subject: [PATCH 18/37] Added related topics and items under allow installation area Added images and context under allow installation section. As well I added on link to the related topics section. --- .../device-control/control-usb-devices-using-intune.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index cd3817e3d5..8c67db295c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -134,6 +134,14 @@ One way to approach allowing installation and usage of USB drives and other peri >2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). To enforce the policy for already installed devices, apply the prevent policies that have this setting. +When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection. + +![Device by Connection](images/devicesbyconnection.png) + +In this example, the following classesneeded to be added: HID, Keboard, and {36fc9e60-c465-11cf-8056-444553540000}. More information on [Microsoft-provided USB drivers](https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/supported-usb-classes). + +![Device host controller](images/devicehostcontroller.jpg) + If you want to restrict to certain devices, remove the device setup class of the peripheral that you want to limit. Then add the device id that you want to add. For example, 1. Remove class USBDevice from the **allow installation of devices using drivers that match these device setup** @@ -256,6 +264,7 @@ Both machine and file level actions can be applied. - [Defender/AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-allowfullscanremovabledrivescanning) - [Policy/DeviceInstallation CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) - [Perform a custom scan of a removable device](https://aka.ms/scanusb) +- [Device Control PowerBI Template for custom reporting](https://github.com/microsoft/MDATP-PowerBI-Templates) - [BitLocker](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-overview) - [Windows Information Protection](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure) From ff2353241a790ac90de27554176c43d34391c27d Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 9 Aug 2019 16:49:35 -0700 Subject: [PATCH 19/37] Update create-windows-firewall-rules-in-intune.md --- .../create-windows-firewall-rules-in-intune.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 3c68f15b7e..cde7dc4fc5 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md @@ -14,7 +14,6 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/11/2019 --- # Create Windows Firewall rules in Intune @@ -35,9 +34,7 @@ Select Windows Defender Firewall. ## Firewall rule components -The firewall rule configuration in Intune use the Windows 10 CSP for Firewall. For more information about the CSP, see [Firewall CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp) -Following table has description for each field. - +The firewall rule configurations in Intune use the Windows 10 CSP for Firewall. For more information, see [Firewall CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/firewall-csp). ## Application Control connections for an app or program. From a0fc8a20188a44abedd77743460f7f6a17302b70 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 9 Aug 2019 16:54:19 -0700 Subject: [PATCH 20/37] new images --- .../device-control/images/devicevendorid.jpg | Bin 0 -> 24378 bytes .../device-control/images/sortbyconnection.jpg | Bin 0 -> 15475 bytes 2 files changed, 0 insertions(+), 0 deletions(-) create mode 100644 windows/security/threat-protection/device-control/images/devicevendorid.jpg create mode 100644 windows/security/threat-protection/device-control/images/sortbyconnection.jpg diff --git a/windows/security/threat-protection/device-control/images/devicevendorid.jpg b/windows/security/threat-protection/device-control/images/devicevendorid.jpg new file mode 100644 index 0000000000000000000000000000000000000000..10b636fc0dae01d92e87b7f824c1eb2e132b2b29 GIT binary patch literal 24378 zcmeFY2UJsQw>BC@#fFG91tA|6KoQtd6);gzQ4u2|AT?VMkP_HRhrrUUf`EXCfWU?* zU1?H7&z2%hh;#`hCX~=Z3XnqDU7qiJ?fm~a#$xMSRVPh<^YthL^}^DT2e^O?^p z`Y!qb*?;}YwJVS|e8shwMnZh0xTlQJwt=q(Y_8NRT0=y5|Cbj*5%IOO`q%H4>A9*OF^Cap0&Z8GAKFi)7pdZt9 zdG!0P-E#5=4=Eg1RZ~B4QcvH&@XT2w(@U4Hm|eYg-Rh3DjqP1Kd)NDJ?j8?3z5D|L zgMvds!=65S9u@r}CiZpmo0QbFx9J%(OiqE@_>fWZyx;z@#Eq6?hbe!?iw12bg zzh~I*|CcQLyJ7#ZivZaxwgsF#F)0Wf!dsh>D;<$t+!3dvCKeEs(oZ-tHI0h8c{!s|%$T4&_$A z79XNPLX_Qk$y9Zs5g^H%$C?=a;I0GP7aH`iom8W+E3m;AI0L*FB%Amdrks8|q$Krn z;B;9syiWv4ypzO%UJSH#P+0?p%tR1{V$=^~jqvCcwYu+fSNixqd*U&xR=M zh*!E0uk$q%m$)Yp!&~37H&TgS{qjYOGCTdpWu7S|EMlEUT(PEcE(E~23=yOYFM@Pf zhbM{=Ca>w?9%LJ&Pl+H;=RAmwB8aI7(s@#wV{3r(*q=Yr8qr6~c5v^*ZElBn7Cv2n zJ79^riQiljLHO2Cdi0{E2%;4)f&ds1B(_8yrW_Yj_~HNTqx8qc2IvPWm-O!4}bzUdI)@=$4ZcxLcb+ccO@xxh2kNGm$@XoqZRYt!|FUc*1K z!XiWvwuaxG3gJ*i#zfzP;FqB>BVNr>nfj%}W71Rl!<9K|lhzYhKm?ILFDrul>!MQ{ zi>mh42u{6wi&~8Dp*u{5pVoURvJmgP`E)YRh zZF9|(`j+C}c0BtaUE7`N#6zya=|D>g#+wvw{$h}&bo6p^|AdakoHm|Gg02EVwe!Es zomJAF8H?ILSs{j~$<}M-c2dW}{gMnI**r}3_wy1u zG+wg201r-Hssq?gC$qAqW6E~H@UFQ|fIIbVf#fEf_&Lh<_8>+~EF(z8 zPF9!e$5yPq)(@!+8&0;jlx3dbb#sU1f&y$V5#pzslD;h8PgL8i@s8r+7(JRBdwR2k zx5ux`*1~#IQKbT6{rMHDzjG{wG&Y-kbtZA;_;_vkra2m1Y5bJ;^IpIj%~J$H80nNG{orqDN-y<5hYDuusAQ`w3niyFFRG?7;;$9Ji zC@%v`p0VyHky54>urgbE&=PdR7!&1;#nJMf@qXHz9j^Z?PZ*BjK!tEy;jsr;1?m&Vd1F$Q4*~(_n7ftqGrMyTiOvg0lNeNF4O~o z+A+?`!}`t2fMkAZHcv}=X_{n!jxhk^l7Z1VWE(Ax7uETgf7F{Ku(fKyRyRd?zN>%E zr=$-ghlRo;V8R{(Rd^LO<(4254AfyJOC&Tp?6a{EZf^IAL$0uvHou&^ zNjPIeVvpk{GXu0H+(3oe#k!6!C^s~2X_(FC_w?d zVDksut5niy#6*|A>Lhu6SU&Vf793IT-S3@%$!(G+)W@5 z$}=At3v$`luDn-^(R+)Y=q2tP|1x*6`?tGS>Q!?}?QDvv7xkK_P2W{vb(|er zJMWF{b=CuAVBFL_&qvGaLz0{ixe}>v` z{18Gb9kgigGg|EFv^Ipo0=&lKWs{S)XW)*kBIjdrY{Od8%4}`G)Bf*L>|EM2G)>UM z-cxU4;R^T_;vbUk`mUyAs4Ho~0uZ?A!f?dFi#?@kQLic+XWYK@VQ6D}bNl0$ZnKi+ z&SD70q}3XR?xk-5w0)-A%ZioXsUf7Ac&Y;zBe*%2xmlCwOx;AxJh_Z7Mu)xsfqAYQ z;(vRnw7S&(tk%&~GGV!&hX!%6c7g~JjxMBdg<+Gzenxb96%b`8g81JbrmbKUeZSx( zJjy5Qz^o+E1L{eYw7e?kCB_-pvn&@BH0rD~W2po=MU^@VN1VjKvKj8ng=>Qkb1h3_g2-2dZVTA`l$60s_E=&2pd{A8s zx0cLX<_=KQ*kfyDVm$dT#3?#nz<6lJ(vHV9k}y0n`SJg>^|yij|KE6(8#Glho@dP4 z(5pQK+ykT&L7b1!)Brjyo#>b6dF9fxjB=>sqC*WZ7Lfts8!jBinxeo&jns#SQF z>@Yde9ii1VPD(#Ua1d^B3|<+hrwL_gZ6b)&f>A=D3+=<#K|TAxfj16qvw0^Cv;Ciy zHO?45*?=B&SbPoopL?OFn&uzSz89f-a_Y*T;lyhq6nO2)UcpAUmCSF1Z;R@CSqA3o z@rmq+;=u&vm-NaH)Ck&~$p;tjwnGZA-btZrh_F9Wx^9<5OJUI!+lIS zHhGKojE6aA2jV*M_nnflnpfUGl_DFO~mb7r3r~$&^dCoR?CiMHd}7ce8yq91KX0o zFa27DUOSFY2a|&&gOh5hIPGrdd(`dh6)efS&%pc)O&ir7H*2AL?B*IjAw6Po?TneR zA_x9dwt@_QVh@dNx)xY6?Sx=;t47_~p^oecV0JPJEnXGKb6`P^@+A}6&$6}59qgc; z@_zn%+Mel7a_z1q%?2w6_ccqeMzm{PMAuO790~-F6XmhjDDZjJ{cF`W4eUq4c z)EA!?iO2AG@z+Ws@vO*W46_*haNf9Vjd9W36BLyc5P$n%^8F_Rd=l>o6W5i_{bh2j z+VZ^eIrs{mWal1AFt6A8+O6k5`J%w>J8xj$tZ_1cul&?x$veF`$ng>mov%B+#NIs+ zmu2djmpO9uYwv7}-~~pFZTJVOJTm98NpJ_ID&hHzMlS4qL&hR@k?KXUA;E228Yhe}rni>TFSC2I-(eu(>T?#0CB$NL8XU*ivCDZp%7y z2d6Y}c~4_*Fsre*a7{{S&hT)9@yZkyCP*7>wn>eJsOS9SI+3W_6LEhzjd-sr8@Z~w z328jeJg&>Tev%vzA%1sE&j}_(9_UF7_D$B&%tLCePuapr+eUx|j|LE6-vwG98|<3=Jl?AQ$AUhQk(R?en@lc@4D$rAfkEZ-g< z*$@V}OR!tKe1sIfq#%P(f;ixnyui|U=q*W5U9&cMg)_meV zjf^sipL>>O>3CVQUfaFD^7+~;gWYRG`hQ0D!HzQ2UceMNgR5lJ_2pX$tb2u77p86h zthIPz$RcKJ+_Ne9MSAW{D3C^lo-;a~iaOMz!vUxRY0A4e`1}c2TE6!{X))pWYcI*O z*_7EDLL!e=H|^iT=1#Fd3Xxb=uq63%m!Huw*6s7M+uU_`Hv4563f7syE5Ra&D;rK7 zjl_^~vChhaKBZ;VN6Wkp+!f?i_cf#K?$po<5&kn>f7H|sy%;d9G!S{*bf#C+)NWYQcRdQ5x~I{> zT|Jh!w&n5(HcYt2UaR70WM*1$rUE5ij#)gw-ZBp~YV-6zpf;IxBPTS-ZmNLHF9M+uB-ZZO+QO zoK|-{itWRYlv6HstuExmzS^yx^Z0+c=Fn~;$X_PPH)l6SY&B-IxjUwSF|~L5{A|7j z#s~ii+mDi&h-3w|4%4{?(2R^li1znxS!+q&kBW`qx8<_k!qg71aoiYW6@So)84MZ zG5(a3t&6|xepSd=0a%&e&?yTd2>lhDzY&$lxe67AwVhXnLtBBv3mFB)p?TgK1>=*~ zPREV}iZ#))NXaLAZp=9j*<*kcyGsR zo9)ltUII3*Q3}}uCx`@j%v!eyLK}gEIv4){Vi@*L4xZB**jm*)Of8ushRKvhBOhi^ zXjvvK64O@2S)$TfokBP>4h+?-va+nuh=-_8Uogy-n4JMYGKEXx%5zLQg@Q0R>p6wb z1b7>_x=VW!ET=5TI7;ebU5ah+gZCSF2STEZZ7t4?Yg1Cxo@-(HZvdT@#%mQ|EyP6x zi7YdvkC82#Dw^sTnNCifTjJcleq?p85gLqJU*%jEK^p40LPSf-66Rkg<8WfD2qMW@ zGi`v<)4VH|A4bH;;ND^wYt8J+lNaAQy)D041_%#`iy+ybK*+gE46Ik&eIWKOryeY7 z{M&q*@sEL&*13D{_Wd3Ua+iOd1L$AB<+0Ijjcnm07*6L(^wn7Tojf?Z1L8Yy7fDEi zu7LYj2JmtOszearvvk2;?aOs*N*CUU z0F7RplbjSv6bl3i*~S0c=3F>W?GrCl8NO~Gx>WY@GmJY4JmrC0+~~;t<>1sXRD%;z z{g=ErUhDIAr$~SWOuv(a3*HM=5Oh4LsbQ)?ixlj)r~4?^`+)Jx@me^teu%T2A;7fg zI-@UgT*+C1IoPcA#(Hw?19#$Kp31e;jV^%V8@|RTP9M2Xu~jJTF;@M3LrM9^6F8wv zC2CqL^U(Aa?xTr|C`ypV8xE9#XtSL@FpNU$lDew#D@*^lm=Q6uMi7*0S+T8}jCHazchD?`1$$U8ziC%1YMNQaI%)Tr>YjSo z`zRYhYr>jc;<7_^0HVaAg8^_5eYX7Wa&k>U4k6;@tMNX{B2AcltOx!m$u+!gswNF} zCw}jq#Mq3yU;6KlG{FnLW@LJ@w=SuDNsXaIZc^A&s^2rkyM+~z!6l{8nY5T16arD5 z)|NCr>F6CqH`Xz)Ii;*OErM)J^heY!);4fqCLwY?Z8z=@;{wB$CH|1IvjA7vlm(^@ zoNHRF1D>$wvjXa?0qui@e)}j`L%fReDMBD=OgDdOI)N;R^s)i?3eKjI&;9fxT9-noP~8rS>G zW{jKE<)7etWfJ{{0t2mY_6!nQ;aWRi%bx11vGx1f84eiLpWiNH`M+L|T0rjn6>3cI zC~T=Xg^|X8>Wf=W{4)1XOvIm^~GFi>eMXRQ8Y zKMT3m0e>Pbh+P*!Rwj^KcA}7z%QF}gM&y8?Y&!%k&>w4`K<=MXP4NsqS2E@wQDEUI zMT&t9@i0|BK>aM3QVF%nJR{XP#UD7Bo7hHr876-rZTqph2GrWQ1~j-c6Wv9SA0R58CG29+R{Dg&<4tKo z3ZBifEglIy^)4OTbh-&MegB;#1k*v3OS7)5e%iWuUv9{_m0h(Ok$Hcd;$tSH(1HN0 zumcIA0__)A0@I#Tekpbg5#s9}{+-GS)uu$w!FV)_6e@AN7Pm%&{&a!=n6uZMrOpnl zeRhmtR9S|ixB0a)Uln47);vP3`#I=BxkEy6$C1u>m{w_SbK&nRz8A1-2d-gT!4aK^ z4qpM1!EA9rg9zqc;6M_zc|R-#nciSQneo&8Zuzm9Kh~k?+8X9G)m++=Mm}29N3pZ# z$FTfV1`Hc%LPIkV0F@ zUIN?+V0>r-*d5TnS#lnFx{cvYZtiPWa0xj%#`8R~wyJ4AjY=}bxme%;BEX$t579>R z$Kqjn_8mL$+ZSyS8t9qu!W3o%z6CS_?76F;VN+w}7u5JHSTTJ7M&`eN4I~utnAYSG zSmfPJo(Ki7U7TD+e*G^R<*?<0Z#m;~$R$WXo<7_GZUzhTK zGZItpdEPlU zzIABST1U=6r{3*zB_9(iRG^fXohs{EvI(TZp^hf$8;d6kk;yG^T!+6B7g5 zr}j02<)}bEFhX+PDqU=S;Ou>WW7^={9YM|pbo*k1YBU&$2Zq&#R9l#?Lq1g4h|(HW zd#-O^=k!x>6LGft!?$~IkRO+(b>dos8d9I^92(-8U#lO=8$!9nu*rd-tIv`KA#VjD z!=wPpWRs0i@J^^?lXW4%aY{AQtI^;ZsyOc#yzeX8MDt;KOfzG#Nd&2}lJFa%$Gn^W68*7KNcR$LriQ)t`GE>5MF)ic1gI;_%& z9VuP8l0ZYTilkT;vjty>vjuD-E)geKzs_D#7n|q#y?`G?YfU@Ro*y66(yHUmaF2}p z#5L)i;QJqK=@bgv%TnQrA+&a9Nyav;y#ysnU&A3Tpqi)Ilzgt;=LHi0VP$pZ0Msqq z33N#WM7v)M`AfedW@lzG?)Yqd(DNa8qOK5vXP)#y%y5M>HkaT~*byhk3-{z7lOsHO z%o>Jf4R>k|cYnG;t6GIyWEvI{f!8gsKtti3*(Vv4X!PY`bCN(y1aUlVp-_O)|73m| zHQSc{+Rb8hS>qa06_oWHcWC51W$Yfibt(Dt^7foAmC&)ko={997-A{kgI|CVR*V+R zJc77>PGrI*_R=K)-mLBN;SPZski;AA~%k$)$$jsHxR61-%tDtei6Yg z6^la=*~@(vRepco2!6;1R=bIKR{Q>xq6hW?*@s7MtwK#M2eC#=at=vT zz}kjqhYSBG=OLMD-l1&3K*Z4k)S}xroochZgoo?GpE0fax$K6$;Nso{39ku_whUri z3uL(g5$#i^y^-!w6&`{rhvI1|-v- z8N+|<+!(bxjI64Ld)g$o2ltyy&GbH(_UPX2hggNLMuG)Qr2*LkjfiN>K2)TV(rsgn zf(*hU>BPQvOS!JwaDMo&Wu~8n+ZknPqzHs*np0go^^{A+(0pAMF?E<6kASy0qHy=FbK}SCj!qUn8crcg zqxCs2YJ+MSA$>Wo6(>TSy*-#WY8h=6r0v?tW_GSNXmfXKB!+PW)pvz!cSbr|i`tOcyVXJmDz}y0=(pCJ71SH`*K75;Dnu8GUee7eU1(xQ6B!i{je|b{79T63ztTXx-T*FA-(0tUF zt0>k@hD^kQFt}@xZE#CGZvc62ny2pmA~5Mb~5B+9*b*YsO`LtC&e%qF@uk4m*iq<)`t5 z4j>{J$>rVd6#|+dK3w{?z32ZgcebVd!+Y3le2sbNs{5s%KIBl{_)Hg7zQWr#Wg|ag=n>m+|INRjQ73MGQ@ytVuvJs5l#+PcmJ6phvT>-@O zGDI(Bd10H;$GfM}-~{ojnXVt0AS2e~XVKmANqBfcsF&E0kxT3@cUY)=@G_3oo5j;M z!T(sx5=LM;*%}R;sgKi~;2-SxK&O*-nl;Afl$XLie|2oQnsoMJ3%5+1Wy!$2;D_^! z7Bl9{BOb!)jh#`LTZ!nnTFpmsjYW2XSWRRtPV%MWR=RL?+vn#d|SIL6Kq?` zYAhA{(^7AbX|Jt}GtrA{g3Vzk^BL*u=Z8*7vtKt*dYD3T=mTQQWQ?#8BnUAclh?bk zoOp%;?`rK}wLorm$@kYQqk((uq=S~Tl5fP!=J<@W4Of7f@yeP2Ox(0#^tBqJw8u2n zX5LYYhYvkuy2Z2R(wMDAenN2sn*~HRJYH>qc9T0Su4~J@m<>pW_4*(7gl1&h`*Ed+ zP}t_m@)r|hhWD4S4tBIlGkqJut+r6LH@zSOx$bDX=Z|@1nl6ac%e3t*`A7zvf818C z`$tS!iCXU>je)cxO> zZ))uh5ckO4wmlW>w^%Vmwe zDF6Js#^2M;F>A;2m$+HQKrk|9KR&_<28l;d=lVI7xViliQNCu6K>OCv?BM$Fh*o|E zLA=HkP1}lQEjp|}^=Fo(U z_Ly_|oljJG*7*&H;BW)ZJu@LZxjUE(zD!HZE(EK3qz{V?k_3Ip=*_274sDW|l}a(c z(bz0B285^!vg;JSN-Ab;BLd6~Wq{U0o}dEPmdKGh4?X8el+lm(w_sesZ+G;RZ*Yrs za-a#=1SJ+a(?AUj*o@8(LS?>1Gb1>*th$&e5fM8w=v^E>Z1(*{Cd`bu8`NeQ^EYTX z`m=EW-@z7cQ?R9@@-Sgbpn+8K<1@HQP)ue5j%|xN?-X*a2g)NiLOB;!;FRVufelfrmxG8#J7ij5M{)UK2E@?Q>njef5+6>Jy!@C70jbji{WnBiUFdrE$dB#kVVK z;))f|ywBiVxo2nP-IbZ5m{l&s^M<#41vjW_8VMO~)Sp{Qa6m4ejFIRlrEGq%oRaqD z7xFgZ=+SouCrH!z+R;9GJO@RG#-#0~FRyu`>LYz)KxHmD@ul>iLRq7itly@^v+lvY zfRp38{6{T{F6icm?ApyyWSf#ztAVn7BXaM=&S&p8G~(sth@_@vQe#Ln>4EXxY2R#VmzG#HGaSeZiM+Y}=Pc^x~aA|AZgk=RjlzHt)96vX_ zbxJJP$AVeJ#XW%m>^oyBQ0nEJ4)UH}yY=P^)cxdLC`+|RMK9N`E+sNu=eRI%w?1mL zkS8Obtm@U{DmHeiRa7=8gvNdu|09%!d98N|+-r%e9-NPh1fyN-(h2Az0Aah?MuPyo;Xl_M_=} zy*bON*v%C7_ZhP&=_*Qqhr8{W^Na={e0I?(@pnByqBFNt_{6KA^Hwl!ZFV1Cqs8#- zT4ZEU`J&UQR0B|iz0I!zTQJ8fT|TeuQG`Z+3ur7za4?>~5c&{RzxOg&gIh@88LskH zVK@B7!D!j%Y8N@EfNpr&X&ANP{UE3IT1zn2v#Qbqm^${1bT2y84Nu(T+`%$-68a@U z)93xBscBB3vSdC{qyg~E;t`&bW}va*qB zpHSlh0y-#&j?FxLI+r?8Z_9~L-#YToH0ggrk8VTm6G3Lh@_bhHUeT7ws5sS*V z(?yUk&lz(0+e;33-zq7e6?~jmyniX3-Ea|9iR0MXe8m%ih?oAJ*v=X?J;{H?aSDoNQ zqK?(9;9Y6tc&O*z&8fb=8shh7za7uyR{4P`piu+!mBJ?O?F zh`115nfURifeRTL^XWKGlmg+zA4o6!@#=wz8?QCP>7$rPH)*>?o;gJ69V3WZ0t9POro{6gUAK6<>jbPgAM z_yByf0fX6JKtuvoyu6U>vW*~eg7Ys!?|g**-`1A(&$fbt|B)nEXKf{W<0Y!AdWI0Z z*;B+7_!oH8V-q|piXr~A8nbut7H4qCs^L?^urx?djyv$%)6ZVv9#m-MXwY$_^49vM zYr&+cVBU4_7YZoTuT9e1AQPdxt8p<3H)BFSdK)&Ja#m;&j$JG1kyv>l zf@rKlgELC$7}9DAX)ToeR-adT-fO?f5zpF76(HezvyZt^dhhzP_b2+D!EZfNNEI}N zx~|IW;UxJ6O@n#@2c9vasyaQlF4pM+I#qMcNSC&R_ygQm)5P_XKG#8(H{HarV9DH$lJwpjAR57YlA6rF;JNcWkYI>p>n9Psz3hRuX7N^4 z5U5ri{idyb;8KX&8c z*7zzxLW-F)$B-m9@GG|AwUbfnD3zv@rhFZ}`g{P-R!Z_#yugvCvyL|m1kB4HxQk9R z_-(3e0o(Pu{H=5r$D)x)`A);*&np7-1ioIvXs6f0kv+c&5t|oL<4n+RbgV^m4GCuL zC$Jm`lD9D_ct^D7_Q5i-j)OPQt6(q=2U#*hXYZIM&YmAZ_lJG`eC5I&LIT>tLCM*% z2g!0VVm^Wiw^la;ESxys3`a2JQa%!=7g=E``Ezq|+Zt+rzaOdsOGxKF*ou-g{Y0Nm z^DbCStr)-SP|)>0di5`*Cr_R@b~iW3{d*icy=bfb$x`aN0;+1#2_f6Gi#?a#dQuo* zKV=%>nn$e^g5RCn|}ZEns5tkF3PJWU&J2oi^<=eaCYAB8}rh{N;dgTb=JDIk%TGKQy{ zwPAw>?79tdPgz!Q6@J{qJyN+DB!X=7#?CGC!?as01vw+ENV63 z+6gRFM{TOZk4l;BTv|_1ygq>5RUVR#F>M(>wGlorZyJ_b6{?}jC4N?CqN&-zL`3~1 z0{ki3xYR2Vy;)ZJ!J$ubqO9e!UKdTUen}Btk8_C-q=4OOEv~E>T@5^Ua+Tb_kyRLV zC^6G38O(&5nURhdqLE;goIez)FyY{(OC(O37kNoHJ?i@udW+_0;ClYilPsxzyB4?n zjo9Yi&E}&$T6&4kP$YTt4`uRZv4is-h6e0Nk7UZlpA7;uL8fp^73UApvFex zI{Ls(|J;yNw;ql%8c?h7_KvDIFSfh-whsrqrSVZhp;t?V4y^ntX#=^BW8c{(7i^fp z0)6(*{Mnd$et9L42-+0OC-{7_FA*08x?Ui{)$swi+cy+X2Mv0q1!3h4Pj?t-D;=+k zp8bw7BwA#u2=&I9wjZ3)`rg#D)t)u(FeP={m0tNxb1;OJ1ZVw0o3;a!V9rw3*q>87 zW|hXmUcn!{UNq>(9GfsOJHp3>>G3ce;U@C#+X&~R7!u-1q<9_H$@_W*SDVT@r0R*S zG%_;s3Fg9hplT;;*?sJX%@c3GZI+5r=HYnio{&|w)H~Qr3U@#Wlx=KGJqR;Vh7O{t zCtQRU4L()UO4IZeCVD<(l$f` zQ-WuRruLlzwxA7_KW1dKsZHFTp*rv><2d7%c~BXIql~kI`J8eqa)SD1hcjs-EF!^M zxPJhI?g+4K91AB&K-WN)h}~6|77I55?2GxWo6WFJeQ<=qVZ?wre9L7hJt~pA3GilZ z&A9{IfsK#2uTa~<@AJ67zYONfe{XUTFoGMwYHYbrm)3cQ$M`C_!bpse3+DFSXkK5@)`zWBY< zM2ijOdj0p6_{7tSoSU<(9%%YQr+k?$pZOM?$n0M@i1Lt|glnk2`RvirmGb7ckLYv{ zUgt?%*eBQy^oh(rfvxL_;!DiaEvY>Ss+96qQ~l4Os+T7CJDEn>pUNG;8U)mWbJVYd zJ7y!)sY|oM!rjBOG)>;bUXD8B{|QcH=3FYy0EzO4B^D3*X3n{*QwNu}A&neEbwC|L z0>(&-(aaWXeikJ2C1xbWEg0LI>_Ytm5=$ZyIy^iv=-)tKan%AWI;y4f;ghBDt|VMy z?wGzeQPNu>@(tTI+k4tI@GG4=(drw5?EU`s26~BSHu-MbFwP?;Q0e*!9O-0J^vziE zQoztmOstD7B4sMCmpaZz(j`*flM|m{Bae^ewLI-G%+M@G9%r*6vtM79u8SW+XS#F2 z<1LL9`|w%HRjW-~7;YJ|SjHsGxjQfI>m^M}ld+W$Jn!<+Y%<7Z74rixGtpgcx2#aP z6lO7!-!7Nb7Rd6H{+c8dc15x}5k$$x#Cm>!jO%1%KeIbL-;jTNGny3<%k_3U;%i2R zHm|L%wSlLQ3ccW4XnCVG)GNImScUtWDZ_)s#~bTnRIf>m34-(LoicZaU&lRrwwx%x6h}1QF&BI2-xJZaa<`xdAcli(uy_;RhL4dfjsWCIkQXU$ov=cMj3OBYXyxd zLp^4hXi&h$%bS29(hUTlHltWsk)uIIX}3ly51PH$k?dbMIn}4Jn2(%Iof@#BM7tZl z5!r#){dSQ9$D4NT`D*1$Esme?zS#oQagYqt?r)_o4B6NVIV|bzzJ(x;$je$e!d<$6UE)sM3PiiIGa=`lD^%D=?{p&A(4!~!{z_*d|m`$VW zAD~mRewV;Pumnwjb_Ny}Pv!vux5TY4%iP)mUgCYoO0B|~a~EgG+Wh0F$~_j|JeW$Q zHir`j5FXBLATti@j+vEAqb&vlsm?QIgZBLH(CWVMhb`lp?cYuJs`G^uMd1u>ioI;e zvgW)eBV%rdFwhqYuHDZ756|8Sx|Yl)!m}jt0(|l+5LxbxJXixpvt>f1MGkWLge+w| zwOakOqS|9~ z`tog?bk%fV5atxKKS|mcK8k~@@l1S6i;*$*tM8#NN?g9(uN+xf=QYM5s=0}*^rR^% zmGd#pu**Wd$Vdv~n`QTO2$5_X6`-hikK}3Y7j-n;C=>ggwp*>6l|?-bbMa z9hWfjfi!Bk;*=5bV#Ng0$+LpXHa1CS!_gRHoB-6bB#t6tU|O8Yoisna7wPNc*8N$t zi-}EYtHFKX`NSX477*Ry*n_oxEyqGOm7q6L@ogTK;ql6fA7)Q;op0a`I*s9Rvs{+- z7IQNOr6asc>s=*%Dnm1V(jYmaLfKO#(Z%<>FnH5^gUB`ju(sfQR;w;$vcw&}bqn62=o+GD$EEt0QVCyqt zHSHOS6p=Nr&2D=CoY0 zk2c?-AOB;rDcjr7p7WW$j3RuND1RYu5$lOrxpi5m@OAlo!QI3xDQN8AH{tORf7>Ad z`g8{e znZV?nv`zJyo-Q`XIS8H#`eD6sl{KGOjjJ{u1?J}YmHa9((ukZ`e2z% zY`}+N*Q72tI)bYjRIRR#dt{P0e?+5>YY5`@6lS!(+?!47MFRmc((VL zMz8Ic=^X=O7L93$s==D##99l_0{x~Fq4TCVsxi2epqa8Y+}e66mDp7}I+l}CR8W6@rH69@SlC&^CQ4oBx|D4~1XKtwJ+ zUKsqGl-V5+VAUAOXCyYn+gtM8=_wuax!yZ+Sp`EY?!#INJDo^Omxu&wM$L=JGkRNy z1CAy{nE!7O2)I8d9&RVEuPYF#1|T0;*O@!gmZE!{Oyo^d}Kc{ zl$;{_1tcZZy4TP+4!d{s@j2z#H9ZdR$3U^U=fjU?9$OD4X=`22(`m{yIC7Xtgd$g`!UKq zi{zb7`HGu<0m$TFO*Cv6`mXvQgO6@NQauh_5|c4?;w;(aNd6!4V7C5FMf&np-H zQ`NBQ9;caPdH7LZ$wa%trNkimLK%skIh-=ZGzJoIZ7kji(&_ltw!=KxGv|V8g zr^+*(TizGfUpU(0QjOR+&F@J+ipCf=`*~v|(5Lm%)}}eHz3-OI|0ZXi>95q-+-lOh zZ=I_&KfXo@gHN6~e~1v7NdL$)s~8}5(44FBumy1jw`vKc+y~CmU*MQSvt=#N zT_HCg1pd}xGj?ZxW}IDq2>R8rV2c=LwOw#9bxqol5*?|)F}*;~ey^NPzNWeIV;Dx* z{KFPxBo+*JyCDsi-=;ukwHrIlcx|nBmvCx?SFxJL#h#W8~>wB~-z@J2ZOI~6UK6cC4 zT%$}iv=+@tNx>pM;ARgB;c2ChaP&R}vE|KtHo-lrm3&N&^{Q?Ytb{GLLUa7qrA1V119s zEox?!BnfhS)QIV-0sZS-LwHu_A+P38dgq_Ppo}~N)fkZ#clAh?@M3q>uXlVGF8Z); z!Y+L=(%|f~J`BXAx8q>k%@YWrK{jj|Q)D5{S z4K>)t)Ol~rbdK*@wCWYG@&ecK>+gXOn>e;VEL@lf_|5A2Y$tjX@BrW(oWRknC!o(F z4^*^N;jjav8ax}K#PgRZs$CVP3Rd{%*;5|qQLPmZ)t9N zYX1CwQ|#Tc;KoXG#gyrn@hKC`eeh^TSq~^>!;x->*j&ci1=Kb&U6``Iz6F^e1o8!= zuR$NJ3hp27(_w^o9w`^9eIIq)*}P8}H171U8C&(zu#3BEtqeNn98xwN3;99(L40a| z)lFfqxrxrPIHTSpT`voxBpX3Nf$Vfcyy3;6bq8||Z}T&yKdKVDv6qn>*Ag3WDPET6 z4?jhprLSN|(=-d-XAdHcq~~#6Jn%GA5R9J*vSdQC%h?tgj`Nb|e8V8A`L&(%uVbdb z8zjgd@xXH`h60v%RnFrxZ(-7$n`5DgS7KCN&6TooZ#rE&8{MgmEMu+J#+w=$48PAH zTVarLA_9s|axgl^bei--&hU6_5Y770#!AQjan5SD2qH0amv5YRQawR$NHfV2m@F*< zX1&1-rCc4pet#tCpJkq7(ZVZ@#7!nx8~8ukx$>Z<&Mi(wTna69K`IDTML`*$DoX*& zMFA0cF@g&;2((g)7?G+#SiQI)yAe=RK#Z~o5dnb!vLyv&3Cd;^2!TY1CLl{ffGi}r z^yAHQrjPc`bmqPH$D4UGnYrJb-0ysMZt|UTzH@%Ra{y(h{jUI}e_%Vi7$X!G(TYP*Rid?6O9bCG8(Z zMxaSz8N>KxIfZW!Dy2u@hbXg5gWgD5P~>B$}w%f0>RIcU5p9D)YX z9H%^rpsU&I(1&i9VtXz7kU+}}wKB&&ITO2^;%NLbF$@>9-CFAzbU7lArSWREh`km* z+Yxv^tWPtOtbS3yd(cimWy80TX!hWO(kbE(0<=#>+|hVoK~H3y<2@w=zpA5lAq7S9 zET~^LM|>2fKBAeh*Z2VwE8Z}FuQDj|!mExTsGk!TY;yBumaVAO2E42jle4Bt>6kMD zpYhtjSA#AWww$PPT&?c0Kk6=jC6+I1C^UT2eMw_H(9sW+4Etd0atP@}?Q!$4 zSNZvG9n{VgaiNrc3TB7omqh*4M^@|?^?vy{M=RtttuWy$T&5v~Ud}ufXz~$ZTt{W*Z-?V*dU4+4OZoW#|IEHtlQt$J| zi@Mn%eua%CW~v2@eHD|TQk#w0;t4dzKRS^Kh-49^_W_SL>gJeWND^W7(;83J7uPFK z?~|_U4A#YoA8(=kwFK%_+mh21m()@~(@x9PcxlUpzCJB|p9HLHDhjU}fN> z>v+-~-AH#*VHo`Y-Pp`3ljU#G=f{3=$0%KYN14;~1WVSZxT>JrZ5oflN^Wx*9@SST z`krfIqWY5Z{lx2?&hzw$J6FDtHDnPDe0#<5=J@z0lDNr%<0*3!WBHy#CYc&XQ5kYl z@-#n~g{QVLdqV$>=Pe#qcc|a8S8fnPreF0O``OG+Cc<+ z24nkipcIF!4cv-cse&Y55IKNcI^d*GISUImLoE+w2Z)Msxa0K4>oPrwGZ{bsX+KEr z?1xkI1nB{Kvl?X}gt`XMH(8Tfu()_Z$vpSt;QlIjc>618)W{b=30EU#a1$yIROVY3 zl$NcNp9vy^f-S3B-i!Y@h}r!Ar~i+=d$ooY4o?M>FH^1CQp~xn2V`tY+I%Q>G1kOgP(3+3LGixCw+%hz`p!UXs9Z3!PWHm-7a|M8-Fpprue%?< z5MwHdd}fWl?s>%8FVDjNNL?B-+QJ?`r^m067x}(K^NlYq-iF@{)!6Aki&OVLM}&R5 z7WE0&$!>i@mx48Nm)xlKbz@L{OIblCGb?D?9K|&d->F$t;dGNY2q?~B_v@>}3Ou;i z9S7RjyDQO4z9%kf(>(=;V}Ds(B7C)?U1>}XmhJhsZoH_wD;26ZM*&zIx7kId@8w?0 z;Gc$~h{EPk<)ckh;m%R&97i3Axn0)bD{(>`bygyvm%;otBi~FVtK3ZR`Ae5li=a(m zbw~TmnO=IRZpS+rQ6iN&)w*jLqAkGpr9#Y7XKsBWOXez|Cdf~whq*u3x@I}>g2fyh z6D63L;MI007L-J~bx(TSxb=tCj@`BTmg9@8MaM(4YJvh}r58ZJWP(6EmRjm8DxED= zhI4H4*wbcDr8<_tblia^AjLE$Rnji91eNMl?unpzfHzSdQQsmPp3o{Qmz}uENdT}4 zFQ{A;@T8#sxMe*^%hm3!6H~=&E8mjXw+C9gyR+l<(=Xs{tyX_k+3uM7FoNw(wsH_rJ%tji=0M4pt z>+^_vMI+c~o5N&5T>RvZ2>nSmx0dV>>uTaUGz6eS=Z($;v(3Uex<2DCTk;PIU!=Kl zk$ODpbqF@elUJQ+=(T2zxPz*oB3sJM@tfc#%kRat*)2rBGx&_M%gARQ+=mr zhqc*`nI>@Tp`H}S&)PIx&^D-+g%Tot&x?v8^T;z*wyo%=pnm-hSE_Swpr3X1WJ7K2 zwuC_a%jpr;LDCOaawikU(ePkTtQyXfh3h}EF- zQ|&es{;rwN@1f{_Ha5C9y&FFvZGkS2=ET@W_fU3))v}%FU*V4*i#2xDP|5p7*&kiw z2A~X6(?o?zE-?7oFk%VP!SFvzoa83_ji9py29keL4cgrXyV|W>Dq1q-zoY~(Bx8p; zpiC>&#DnrlAYf?@tv{j+Qh~UzF60XEi*G-pf@6IyqKQieKbf%}qQnH7rPlDi@=_7B zWDa<1 ul!E~LaP$w;Kw0h&GW^n6IWg)>L}S_(09`y(( zOUX<*&ZP)BXQt+e;(*{h0uHbh*xY^I_rKn|)?Mqa`@ipcH#{sBY&OsLdA{T4``OA~ z(_5k-Lz@r<}IpQwy3G9 zsi|+>u}yvJ_N{7a+qAcB->IpkrL{#vXP36-t{s|Mn*Uy8%{u5e>o=%u*r1}RuBNW} z|NBsWg>Byq^Iv;y-I{%{wcFRM+rCCw2ZO_4Yc@c${ddCub*xzn&2i(V%_^#D&o;z?-g0yIzI)Hd_r9NhU{G*K zC_XIw+4IP#=$P2J*GX@ZQ&Rs-OV4`uK0Am0A@^fZaY<=e`R6YcHMMp14UONLzISwX zb@y<3`?!3;$mrPk#N^bpcwupASt12iR{xc24Q$>26zhLU_WzJ;J0#cI_3PKI-}J9s zYu1KBW8L=k8}=UExZ~87O?Mvc+;{BBX3f)yZwsqc_FG&PY5n%NT~+&lCErl|uW0{6 zvj3i7Pye?h`(J|n-*RzbTh^_CHgDZ_7z(DimKApp_CJS+#x)ffQ^4)KNtQ{wWp62a zgS)(9?2QTdCRVZZw?;@7>qeF0Ln-D3)%qvXO5}C0bTiU9-`Bk&UaI|532TE(XQuB< zSNtl4WG&c%*M=1qm527pf3#o_SlSLNjHy?50BGbF@=xuD@u9XBG$3(WnVBT(S@YHd zu~n8bib8uC5ZZ^|;QTRPs&Z9-N=+`CTqnUeb>%Mym=7&<2uz#(ej7-tktKr3ge9vH za^WbIJliN5Q^Km=J1MZe9`m$pSeO!4tAr&OYzMOQ@$nZ#^VyPqB}`*b5q~Ax+c*h9 zw`A=Dy7_Qb!r7lp^$*jr8nLDC!yY`)a<=&R@;oS1!rWP>fTPCbDb7rD)0rA@+yiPYK8=F%W?$@-bNeQC}v$a}|_k%;S z_`l3-UnyZa2t}n5wuML^R>F4qfwmnUmpfliAHV7QJia+JvUdNk@&ePh-v)&k-6?X3 z)5~C5w5`@te{C`TUA@6!rbv-f)H7A|T{E;-h8$tl6(o(El-BW{Dq(6t9#~9_ivYf3 znrc|m$#Lzn{CuZRv$DLPZpH3qiqVxv1Qt6|3H!F1O1W_Cr0JNa^Hm^CfQU=Ms4OvJ z^4|_ka&@OyDX~e;QP|8=gOWpGh=qM-cl_bntV1(!)lWA&B)1SHgO39&yu{YgcT*AS zC3Z?!#~H*z$jXdqFj!t%uOR6l8)4S!cK}X9xKk}p9fMt+6WsC(@f&xs&xA43tx$1P zW3dC_s0jX)b-*bY6`No1Fh|UjgohQR)V^`{U9n*=G0YWN3<6Preug|IdiiDKOhtu= zRrM>4E9u!5YqiVkZr_CQfRob-c;V_e+a&w=;&=PTK5!k7%WsR-HP84k6^d4!-d<8B zDHrQSq&nKOUn^lqlqx!or_Dr&JZgBNM4hExIHdj3<>Mq7yc2Pj|x0e~6zOvvcRQcI79D}g`XHb8ye8#zL`&7FNT>9pFp!;`P z&4?sh2`j&KSxVp4yz-E^$)NC_b-Y1A61`Vfqa>Cc-P~VE?$r7rKLk|qF$ttSsUD)2 z@2ym2WM(S(w|SUXAgQRVZ>s97q{pT1sz{}f4#*9au*d{{6}DcCZ;+xzBQx$krH0Rspfzg&1I-odn?2>? z`1%lc#8BKCm+FEtI2rl(13vXdFtOj9Ese&%`+laK0m9 zK;nogCf=55a8jH+9~nA6WSusgk#D3Gwc3Xq{W(By#XbY}i)Tih>UcVnEF({yIu3GI zcflYW4Yn4$7;$&VY_cI~Pe`uPg&z_TA;;3B=P@Y>pD{Vu29zH|e-Q6fbMt08@=LCt zfl*h1edaNqV^P$?!kiKoyWMETbYcd<)f05LebqC47OJ3)IEpLq0b|{Bd(Tt#m9T}r zouf`l*yE4L6#`9TS@D3_CJkKDY6dt0olIWrp@ zn`+Po0OU%Lhr|bvc9ct^YO!`^pjDPz1*%P!+9!t_^BA_`WLljH16&WJ){`vD#D*zV z0uO9=$4K$Ht98t+ldmd>OK8bt0@BYhd^;`#gZe(vN3{hK{+6Hkr&Aa#V;5EviCZ(* z%?+}`&Tme3N5@h1DS{2`ryb+xmsj#znxb~4^&D6Z*@GDIGL{jY^BP5z+LpiHBMQhh zE_6lYLvr^@e}<3HKYAFG5X4ZG?-bKxegxi@pX&JSONID=F0Cn8(&Zw9D=3vk#V@M* zzGHk>L6+l%Vcq7-WX243d&^G= zJ6Z|bZi$K=+C%Xa&GGt6#?#N8=?{@l$_y%~YOWLXnv>TA=qIE#ls%I}=7pUEyZ19m zr>T0c`wZ+Ry`tdmxm0QPAGm` z6okHz;{;^YDKAv?nPQPwng)0Lb%RcZTl#$)VFrk&%aYr{8qgbT26rxogjE{y#uU6| zid+BSn`lJvjN<+_aDb;W9~^s_T(WExr&nH_ag}H^_8=<}erM3Sg%(~l-6~L5HZrD*JtZ$y<%u>82_-(Ax+&QHY@kwQbsf4*wY%i5gxWacaBZhfUXxKMAHJWeCeoby?+y;hE>l$0F0!W_dz4=G_yXr_5^J_=n?R{Eu? zyzEP5z$*vK?+la1Gw^!%6T2C0IL#@Z7HKbjaoDjfhT!xGKzMkbUEuCoRzKE1hbYn) zKAxl*x6+KhPlCqsK%hL2@T=H3Qm%y)xaBhqB_3{fMPQomo$t-s+4$o&WGARZq&rTDurjD2s>wY5(%N2M+=UI(p!cyW^8Fu3LCau48ve3Iif zt@~H=J@v64#jVj&JNRgChRfp~(i(9bI2hSh7eT*8II3Cfq)5{czFicLl6hq0>TQ;Y zQ){dUQo<~zd7FUdOX8kPE6HD}SL(HD`;Rlr@waV*S8lmFG>l+$9Au~QN|+}=&h9<+ zvA+)=T}QQKiUwIF63BJ$0Iu-7vxtqv*wvmMhIpsIwdSOqfD#>y)~*)}I-M0sB|RAh zF5X)#&M096uOY{KHML?+5fF&EXZ{c~L&E%6?cbmOJ4y#>iT46 z9GvWSv7(r7)K;a0sU)X@PYid^&F?qLdgK>#Wn6OTpF)-vsohHjsDBjf_tt-B{YMY= z1wU?b9@p~$2tpdinETHl|NQO)ufjrIMH&i!a{f{q9%UO z-lJY%UCwfjLNB-Zj!~+>25eIaf|IeXjBIb8|kLrTT~od#ZgD?VGK@%gK6(uw1Z_M9J5wx0d@VQcYFJY%RaBHvNd z2DvBc`x%+M?eyMTWxz12~2-0GzBbx~_-K%iA!hZ45# zJ#U|}?9CiwS>e~!id@1eg5>kW`akrnG6ec$w1`Cs%kwWc#oqDTo#IE!LgW();S`b? zzF$E9gSpQtN2KS8$H}g_K8-l&`(<%QK;|lraYpfxVHmKkI^06zShI)N>SZQ@HWVpM zg#&XY7$wZ89CZ0LZX8nMF!r@dQDXx_4XCZVeBV8Il#=J1lk=&p=__mzm zEY7R$Nu?s5j<~)YLaVNjxva;@3!yp7jndDIqwRApw7D-I330DzoBEw}TABmWW}Zg# zU%+))`$<2CbajNkrrL0E$se2+!)#R6+LGB)69oCziV`+;({gNdd;%1LF5bOzJJ}7q zTD`$;@zzSM2Kv36$(u@;KPv!zF}<(uxNNe3eSGygMuUunN7Hs%`TWy9zkKi^*eX5h z^uaHwpO~$a8yyZVg6q=7>^Qcj933X23&>Ei9bRIiVDPgEq ziel*_a(kD(J0U=1J0f7EX5Z?o-${=e6^#n5r>L9>*(D{ca)JD~z`iJTc|vh3*4&+- zgb5U=Hc}&psxB@|8kyUw@9kJ&V|{qeK#=X`d1?3V2;Ir2@&+b+IG%h@?hn+z`-Lp< zRA0{gafLpRF#0Tz(xxT!0=xD1)r-Dg(Rb9mw(E+cChY%h+`wksXP6DC#q`{|>sdgN z-|&fpjoGV+I%_do=FIa6R@oj?zk6Qj{IU1;!$40@&CBa|dSrJYH1oz!HtGHZ zCae*?AeS2@4#zy0e=BOG2M3(2e_<{-=4n$!%I+bgpM1{A4VPF8@z2IGvoIFm>famh zr*Eb4GY#4Pw5?AYr>Gzv1n0eD+hU_wd5R`Ka9&&SoUt z8DiJhBjo17&5KIdP8BFkEhW$xSUy3BwExe9e$}if%O4 zR|*iPm)Wn%nRa?(Iq;PfZEiu#MDWyPmb9lZnck0gc25v~5dlyL8-p=o16) zr=%Md&!EurTa`mC_@5%Nb?Vl4^oz#Df8N`p>f93Q(kV21@Gw}-16x^iW}A!c0VqlT z%&vD+yj={8X#7ilU6IK=DRy=(>KW|{W~FAIadk{cqQ+~Lekwc@r``LA&RW^4=qdOBu?vaBfE!W{Y{C|cP-XP z(#@(@x>vi_O3?`5iAblGw~gS$uOeX;-sgHOwfeAO?|6El_bcDihAs>Ni6ZtHAUo^U zR5-U)QWpAidVAQ8S+ec^H{+Fu4z7zz;=`j1fixXT#>E6VT0L6wno5ohTUonBW-p8Pr0SN(GJ<1REyP^>OVN<0%O<(l z+-X2k;95&7q&%}nF(z$`XS@z}^G;Pp44QMUbu(wMXUW57`lP0lYyDGbd2Z7ZFgSTY z=b!n07WYOX`KS|j9PZE@gz96Q>0tfGCSFKz5a4!T=;{9{?kPo-aQlTbV>xZFiwP%W zCO||r=@8f}lE%tC-?}LnbM)Gt@aCK}HV~auK2Nfm4Y4hKnPX%fdf79E_C2X7(F05V zy&E)X8~{#xDPeVCocgw>;qV4iPqSd>eDptdeI z*(3AwZgcx*Vg(wu(@V^SA!Dad@Q@_^t#96~Y1Z$>6;EfH$cJ!7j>H5-&r%jrShHzw zga}jXp8C=Xq2<}%{OE(fuB*hV4uP0A=$B=fwpt>38DF_u^Z%Y+cU_EpU$H?diAu(P z@NcuUMk~H`;szk&U_}mJxqzJg^3+S*NH_<0X34L11~u#7y&a}YdbgFX(U;vzn4~nx zXAn05eSW5QV{|=5t4{Yt&oMvg&sytd;%OaF?M-8wSG?m9`*o)kv>^B&HRK)lxe)ST zZkce@3(qtS$UWKeCuZIOTdaiXZ_H9;koGh}nM9|+tTp!0-vdC!%0zjm@Y>y<{p2-4 z;70PiYlWA8kNchHo`coc33jqZ=Aj%3IK7(gR*JQ=`(S2NSso?8EgxZiWEjixsP|P2 zRIf1L&U0*-K8g237t4z6~Awh(A_~er}$HDA>Ln)7HsThp5ha) z-Y2z0*hDRB6e=oEd^grLR+TC$#$b0+-KJkK+ouo=6K+sFD}D|ooe2?k~2MIYiQs0gngTV~Pxr8>tN zao8R6VebQC;+J#$DzbA5z10UJf4HU;6#(Pq#K{o_|3=F`v@sAXI|8^0;4d=jIx#a9 z=JZE6i8F83^Ot_74-Sf^B>2e?ni^7PlD0{%PRFBbV=coS;~qpBzk!@D?*<#2KPBaG zZr+qiiibSB+sdPY!}dWl2~5s6=sqg-{%#WSW2N6o5zE~9j(5qMWA7TAb=$LQc1W+H zyL>9ijwQFZL(b2456G_r>-dbglvO8g#+9GT`ufFmf9{5+VrB_^&}rSg%=JTi_1`St zmLK?(T-o7CTWQpii^VlDDxUFh$@vT7L1|Md4*0W9DD7;n$ZYiii>K+Xweevb)(tek~v*pef!PpO)vInMeo&9ho!!_#Ypzkks$G7vec&pS;C2Xn3J%N17U5rN6#Ltj6_O?K zD|hDLnH>M|s=owJ;_d}HXZ*RC$9n?mc9Hp;j^*>@SA=Zm{@?K{)=)mdTk&J-B2^|a zdrI_CEIqU_q9 zyMnN`c+xuHS_9Qu6dhN3ya4VhV#}W~zr-~{*(iGC6D^KbOo?J0#K$$)`CjEPEd+LW zCS?w{#oy@r_$~581`BzY;g$7@Vkr_<>uc14X6^DThG1SEw!$Z6^`dJ3@o=ic~#ZOEX)zo;XO^DUSY%MZ9pwMU~Qa zTIcc+x_p9Id{H9qlosigeiAh#Ow&4tRc5yiK1x1c^+nqD;(V)q3`{#wkTmI zU-ZgAfZ_VEi#_yF$Ggsw)@NERv4zK$$Q0;0m+L!rsn z(X{6X!6!2gPZIhQthSmJ_<+0h53VZ%jKw>z0olWLnC<@VTZZ%_%DuHdL5BPm+$8sB zG|v6j=>+(Gtm>2t3-`tlS1>=&iKgwZt>Ub1c*d}UZ?Z^=LVHJ4B*B88a8>XALsDC= zFeuZ8K4A4b5JPR;i>j{-(-%Y}oDPk&sru;G#2SK+@RYFno~UfWXh(j@OoGGZ&u6+o zXC3ErAs3Y}NU>mjUN!=u22`Hbu+%%`xS)#Q{3v>rQ94IKYNjolKxZ%xid}0k+wcZF zzA$!Pe#JT$D~OK(0xZAm^z9`FdR`lquqyzRWF#)NRD!93ATUYil7ocYbGQ^9E%M+F zI$HJ=HS5=$?OWi530Pr@QhSRJK+*`kCN~JeBm23I`5>LXkG$vG{*^;Q`Oa21cT}tZ z$KLwRcavfelYt40;~%f0M##U0rP7np zBCF~h0 z;YKGU#&I19DV1OLF2Bh>H$*DozBxL(;IsInU7tORL>;0$=5cJ~$48pT5i9IAaE(qR zXb;FviI4nb83A_aj)w&$E2Zj4vc}-aI>eX)z=Vps5mD?CPE2WAG;1&LOps}Ms#ru! zh#%@VPl`CeQNoNxE^72|%caBQr(X8xoyKwYVI!WXy7YOPuOXEpQMd2+aA1S(7c#)m zPbhWpyDh6UAK!cvh%K0M&*#Jhv1fD1{5_r2S}B=Fs1$~`x`HfntlI1%ITTdUi6Y-e z$F@%!?18Y;4IL$OYW4ABlbmqkV#@&w`v|`50$CL$(^}k^YFsyGGmLBC?XLeD|Cm#U z$n!cCC^&AlNk%xA1Z7H!I#6|${gqwZm@v1@-m0MojC1M?^hAZccT*B;qdw__g`WdR zC5-mljXZSUUyY(@!KNn#%Ogj`j*9N-!S{B^wuy84*A$<~?&b4~7f?NUtFi=>ra-5R zl~iyLvKS#!b=u%iH*%Ms1<=4j7xfqnZf&vU=bX;i*f0cn2kaQT4?EJ6J**LJ8%4p2 z=#5C@D19F#OqZJQTatT=Oe&+WSS7$UK5Yly^=nVKYg}-I8TNWP`k>b>cOv!JA9qNX zx)Vh^`S!F;1a;%+u`YJ$F5c~-l^QeJ%=^%ONx=JxmbvZ8r2q)>&6+KA|hpegs z+G8cm`-}Oc{kP1{M|_3pI|ymJo9TsC9qgY%nnbCG*}K`qeR_xsuZ~HI zw@k??sCZ=;`$mp!wDh`t;t^gL{KSl$vZ<5f+N3*#0MeMy3px5K^5QC&-hr7q;g z@)R2$s?F~)RGR+nT1L1IAO!h=jp3*Sdo{r~dmDkCGkUhU@PoS|XK1`1`qwXgQnJ=# zThuHi*Np%dyFM>q-ZAW{{Dif@rmPD48e|@+4}>aLR0vl=7Gl8yc-O2TAeIq+?9w+D zO=9(jmXVQ5yAv%L&{lrCY7-DM(mAn$O$QV*&l%ME4>iPaEIi zsnZY=j)`Vs%$VF4Hn!wUJZ0;T%|76U6%)S}_zZ-7jh1T?g)^(YQwZcqeDO^{Z1Y5J z$InnHiO@&3xw5($^IRJbKbE8p3c(hlP^kN%@dA0E&rj0BJt1nD&ys9AQ#3%v2KQC* z7bI)giV7)4O}-PSA$R8x?wIG4TUSsizV8+B-(}PbBhb2q^O5?bHq`-Y8U(co?78U z-{gUPBct4Q{e!d~U&SP9Bp?m(6`l3E<1{}*>TAn9M3KXNij?OoK6%j{&0CZwtgx4; z7=@|4%?z-62ax%w1WSf0;eyEh7BKIzlHnqr=&Q~7G(Xn9p^dj_jclQI^Fxl{Ni)?D zB>SKMxyQ55e-Zz25i}3%rT3MvmuM_0ifB!qU0%*_{ECSIEyQP&jO#QE{3>{nCGmW6 z0DWrJt^9M?&UsuaF>o6QLA%>}`s=9LsBI;kqKP`&zogQNa6dytS&Na>F@t#U`)#=r z#zD`VK2ZYU8X7YS|8QF4FGZwg)=`w7ESy|(0=0^kFDsfLP|l!q1YX2Qzzj302OVlw z>zYUJa}V2=#ZI8)gnnDHSooSn5jWP}V!DXpZ;GrUITC_RxX0A1fg;=j%OykX6(B(O zp)QGoDYfTt!Lf--JL!wEZkqSbIuUfz3QEdZBAMx6e@6!Kaoq%zE{GE zTPwwIaQip)p0wO1dI3#BOO)JRv6FTdknh8FuozvvYN}p)kY-_Fc^P#z;PI+6Hg^YZ zMdFg-^##3y^bKj8N%(%u{2IAPa*d7t!wM!)kD~q zz31QA6EQ)WBA=wdfMBh1iH8#Ax4&M|oVk2OcI*%_j0{2Muwn23X{d>hiQ_g#Eq%6h zxRd2&NX<&muCEI%Mu~}OJ8YcliI3h*7y7T>NS2>#(i%8_%#=8LY#uCK9DgS}ffv@W zx0SYp^4nen5%)WD3a-kobS_sN96J74_CmxG7mqTsEP?E(R?RQ>B9apbjgH(;y%X>R zLpe&gyBVMgYrL}JOtu`%ii7>18m2UH>XQ<5jQinq*O2aA8Ta6Y?4E4M-2vzA zopGVsNx{L2++!|Qa}AB>ntX z?oGz5a+=GE@PRkVWR5wscb90hw^5LN&JtH=Na{v3cwPK6x+4BtfSs_nnYEimX5aX> zr;&{coVrkTi<1m?+Lq2oi*`1qt`Y}&Y+VkSETQLgewg3ZFLAP z)=9KA|IWL5K6?kAR%c_)4oG$U`N^@q`#p-6W+P8_x~(Vx;gd);5j)O^x=KXV=_K6o zdFAmi&D=>|7zFCHHDA;S%3?uzMAU$2AZ7LWWx%2#5VB|A%c9Y6wEUtO6b7kn22gDF z(1oOVG<Ri@C?+#=4socBob^g6$TT;0UD)WCa7{#A>$1)uizQB|mz-&YL z;^0HTqhR)Ce3Ao|J2d|tL=^J4c0V%N{TIRDNtT8<<(WnuPSf3^NucgrZ*6Op*}eSA zH^SEmoz#RDc9d6=XTH!8&?|j~%5%hrJ}3M0)bUibrpMs@bZOKwTw|)kpJPiZydP`P zZ$t{(ETmPsd2Lga$oGzTdY>vSYbQ9}yC=|u2nJ^v5%jQ-(6(aoYYJN^NK0EX_KMbI zbuS`jD`n^K@gq91Ok6gWs>89ITpIKlSF@|kKY1tW;N^r@l@n>$4&)&Mz8%z_whnin za%aZ{%jy^RwG&WSNe07|nSrXjh6qiS)yl3?7N~S*FRKv@7ky52iN@!nqV3Or0OD^) zx0Z_+SVq*YV!G#i4b!q`Mf=N0Zz5~J$6X18~IHtq4k%ce4J(lQ zOK+3}bTQQFu?CvD0nPNgL`Z$a-=XUnOi-8poJ(JTKPQ*mj1_0x>iQI_AU^1OR+9n_4i{>+3Y-EH`s2YXarSB zZL7=bWR(2P>ZO;-e1jv3PbDbT>DcUQK3WSOeLbojVP)s3b7_%x-pPe;P9i5tICcVZ ztP&eew`PeoKRCImJbaNIkJ)XBdu|($ z+4BxZ%*9|@Bv^Ihi_cmsnMv@+mO?K*5oKglH@cqj0^G|%l$!0V)ji3g3bSX(`={nc z!NpNfgBl~Nf6Rh{t4HtZK!-v1;&`g;F5m?=NFwIe)rIf#I1spRTKhibk=k;ab(3@_ zpfD{4V#VII>32iYt@`}~$q)RJFe)V_c7n1qLq0sY{ngaZ7fGfD?+@B@p7w%2soO=U z8ulhHzeo6Ib-uUC9NteIt(RoFi&5-iqCb!-Nor>r4-e|Ncgar*)XdPg0`*g)d`cX< z4NaTD2@(=5opK(0Wzd}N&PQs>uXcc@cwd<-`ssAT8S)`P?PW*j3}0|0D=BXNW43|k zSNDTiuQq62`Q?9aT)n&z6La9m{qQ$=3q>9mYDEqh+RchjtmExNywf6xsM_Y|XVu+b zBa;r1Hz}l;EU4SqU0J(NcwPtVnv6H*H%793^^NOv-=x=iOsz(?Q5U>e?K)EL3sbc{ zDF$90sdbM8_pjAE^>tG$(J{d|ZNhc2CnLT9)UWovv)@ z$m8AU26&`(yJyRWgz>il>(8@C@ucRePEf}9D7WFaMWVI_@iceK&k3;t-m%^HDqPRp z@&VVcp!z?s^uT&hSA>aUS_uxy&ws!kxt}oMmr{Hv>|n?pIOK~8-Oe7R8{A6gUQInZ zjWJ;E&&5v+3t!lyvg(rj(^E3cN|}$5^}df3^W6y$wI>e+yDQ>JtTPm>Ap@)#^{V$A z@@yL$g6L;#2v;{+J%2a<9rYt9kboKl*$!juHF9-vRD3Q0nIdT&vh1+e2z=`m@cCxn zW0|#a#}`yI6$U_@wT+*U8q-MC646WQ-Utt#mb#Z-i$n$zU(wsDX6Dw`T`NxSxN%}I zTM?|d@Ho|E%rpjkU)N zvp4qxixA33LAx?M-4UK>a003HITCnQTx!g&$x z*__q+V4zQG*M!q`B^@_g?Kt&Y4NG=y4LWHI_?cZsu$PQ90DO3UFA zjq>+R0b3AoUK-Mg{JIQcT{#K%P!9w2JUr=KNnWOJZHO)@HN4z}-5Pmh3T%`uFFXI1 z^wLj3y%lX=23C+44gwK;%51-&3UygL{#K(l)8?yR9{%Lg^-_wf>@FvjhH4ecH!n}x z(ALS_jQ;@FP961=umeO?x^HlvF;{2%*;f_FHsLaZ-W#XWLo1n5_$gsq(X{1K3JqfE zp&Dpg!F_nyrS6i=yxQ=F;=oT_Y&&oN{32>BHd-jYOhAi#UlR1hMetbaM$rJt^0mxa z*9xRqEx47OE5e;m}^t_=h!mS9WM2tE-xF2v5G&~vZCwhC7 zcO2*l)=+K9tyQb9k_w$^Uv4)*RahhSAV4&18Opea69ixztV#c=>bNN8rw?=+O1d;Y`<2TjXQZw~)68I7M_pA;E95}5fHK#o~mc{xeV}hCigXt%N zbS%cNF8xdDdQCXNN5r#^0r?{O4G40WWtwCG7lsz}%D|qe>GPia%`Y=hgYe8#5P?}Z zf&%VVVZXBbdN88bgEJc8uZV96=0%oOTm5`Wy6e41x7m{%WOSENBTG}Kr~2;|dh^9GIUjyP<6 zXPzGx{O7$PeFNVhT+bJjCLRNU;#d0Q z3s(q5V3lJFXSF|d0r@LH5$V*E%*4Egi2hr1Z#(7J_>}<`=(KTJ=RUctBX3FxQ-_rG zz z38ywh%Hx(_Vb!_ipoh`(KCH~awhNw(p({(DM&=ikupmQZfD%>^9RvPksfme_ykYh( zys2}kcq@aSF=Z5>Js$LI?n=c2ViIce@~A7OxUmi$4^fQv+!NnSrURbx06$-YOx1zx z);2@rXus*~VAu7>lU629-lOn8*lT_*mW8AWH2z4(J>d$SiAbSmDQAb++=edPzE?JB zP)^d4>x#!{&j}9+J}HYp5yc>~o>-X%@Cnzr<*%?6e*_2;!+aH=S#Y9LlqZ#($ev%ty;sm@%}a58P~)nn%(~cX z(B*w=;;FUsq2I}y85*cU-+$}yR5nCcBB1z?YkVFs-bf3aP~^?>1{aaw>LPh;5Iyr{ zvH$~t^!+@UUk3mm;lu~$JM-nPMegU)8=uYx_gAIJY&^|dGElvv92Gt)mImKcoq>)o z#?u_d$Tx+hbDYR)7o4rFzcu2WUnt~T| z;oqQYmUC1@6GZmp%4~WG`+myJ1lr=k?)O|m(?`ER4-b!bmC?!LkBUbfR#oRdybC)7 zxjt>=tp$jTAdwCbOQBmpc6b2IHLI6Ou^|0&`O7g>-9UO{dUp&K6*UUg+8ef z^5|iC(JXJNz!coAgxv^0)tLB-HR?#aqR*5>sXVZBOEfD;LyCj%+UqWAXko+2)ll=v zp`P>~u`s$6wQb7aKP6=@J1-Y?!mm2xj7}!)&oXXW>^W9$QxSM=ToRfnB%J`JhT%~? z?nGfM(=F$IO2yNMrLX4$o<2lH_Z0BtH$^X#-%o{?PQ;YR0xYhro3*)m(fT$agXO@B zTd8c+9Z!Yww3sS!+Y5Ws+!>MvCrHo3({L^*l`XUXMhe1*kS2tjy*AbT{X!MFR_8KC z`Q%ZN!SYBtr0{7=8FT@G}E!*!=2klAvWp@cnzR<>LT`-5m_JapC81 z>6$tu5!Ixcj`#wXeYTSGK7d z4=CDrWa+^dVSkY@9}W^QoWAjYr{gNdN@D(@NXX(%FIjq6u1}HVn1k-^M%iRL_3qgr zw#asxi5l4skF!d%!stvbx^w+f%8Mpv)*j%JmYRPE|9TU?f~i|Q$$QDtkv|ZlqwGyS zOp)Lm`afV>Cs-$T37MQ?;UJohdWh~15<*0-6TUFmFA_%2o0n>eQZgiPTOQ$91w@>l zn+3;Q`%;&G7F@cg2&Jsh9PsFo##*6)+cbv+7l)*M^q6`S%b=vmCiUZpCtDseHFjrE2=_oVk2;n((dD6X^j$E@=(eP1OR#0u9ak+h+i!UGp@^*$q_1u|mN=KI(+8GAfDm@}s* z`rayYETlE8+K1YH7j}-=?6=vki0goA&AhKPl}MW02x-zOx5a79BOzY>vbc&-y%-?d zE5A}ksnJ38yD$b_?rrMj&DkM)Gwf+2eZ?~Ba_S?Fnwy^Xgo zy#y%F1nU$T2)w{0l=z7EsLYP>)^d0c-jOb>zZ%(83+pTHGyj+Sb6V=cUklkh=l?Flsm63u~`HgY?R!8(62K#13wKGE7|D}dqA>c=0bx0Ql$>dukl)#@ptEA7jLZw3 zW*6zFM)rGgN>A?e68DsUaQ4%^4cGRIYPk~F@OA&0!5h04Pwe`B`=fF9(iO*jb=eTo zeZl1Z-|Mqdpf~OZ|6c#^C;z9g?|-jjTFdrp>*KRd++TGZO3o$!22`H@BD zLrGI_xK#Jxy5V?A-~JJ!FRTs^%vu0HNKbt9X-cYN;dzE49o*jOvnpH1hu3;qKn}fj z4qoGaX`-}~zkQ{HxIzO)aUl=V=O*(WKOXp3j6Zh7x&M!wEY}>&&iX@-%ak?3Rp#si zM%vZ`SpjDSJ!G{OOHqFf^1QsO*MajEapBO-*Pl0NmfV27`8E7%`!6bIPv-vDiu@~p S3A8-_T?Wkm*LfPszW)ne5Bg;Q literal 0 HcmV?d00001 From 4cc0773fe862e0a9f449fccefd48c02a39d8a179 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Tue, 6 Aug 2019 00:44:21 -0400 Subject: [PATCH 21/37] fix: MD019/no-multiple-space-atx Multiple spaces after hash on atx style heading --- .../install-ie11-using-microsoft-intune.md | 108 +- .../platform-selection-ieak11-wizard.md | 70 +- .../ie11-ieak/programs-ieak11-wizard.md | 78 +- ...-surface-devices-to-windows-10-with-mdt.md | 2 +- education/windows/s-mode-switch-to-edu.md | 2 +- ...lization-server-based-scenario-overview.md | 4 +- mdop/appv-v4/planning-for-server-security.md | 2 +- ...lanning-for-mbam-10-administrator-roles.md | 2 +- ...g-for-mbam-10-group-policy-requirements.md | 2 +- ...-for-mbam-20-administrator-roles-mbam-2.md | 2 +- ...bam-20-group-policy-requirements-mbam-2.md | 2 +- ...emplates-with-the-ue-v-template-gallery.md | 2 +- mdop/uev-v1/troubleshooting-ue-v-10.md | 4 +- .../troubleshooting-ue-v-2x-both-uevv2.md | 4 +- .../device-guard-signing-portal.md | 2 +- ...k-with-partner-microsoft-store-business.md | 2 +- .../mdm/win32compatibilityappraiser-csp.md | 2 +- .../reset-a-windows-10-mobile-device.md | 2 +- .../troubleshoot-inaccessible-boot-device.md | 22 +- windows/configuration/kiosk-xml.md | 2 +- .../demonstrate-deployment-on-vm.md | 1700 ++++++++--------- windows/privacy/gdpr-it-guidance.md | 2 +- .../credential-guard-known-issues.md | 2 +- .../hello-cert-trust-adfs.md | 2 +- .../hello-key-trust-adfs.md | 2 +- .../remote-credential-guard.md | 2 +- .../bitlocker-management-for-enterprises.md | 2 +- windows/security/threat-protection/TOC.md | 4 +- .../microsoft-defender-atp/alerts-queue.md | 2 +- .../api-portal-mapping.md | 2 +- .../configure-mssp-support.md | 2 +- .../run-detection-test.md | 2 +- .../troubleshoot-overview.md | 2 +- ...-ssp-based-including-secure-rpc-servers.md | 2 +- ...e-worm-targets-out-of-date-systems-wdsi.md | 2 +- .../ltsc/whats-new-windows-10-2019.md | 1262 ++++++------ .../whats-new-windows-10-version-1809.md | 2 +- 37 files changed, 1655 insertions(+), 1655 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md index e93450be88..25226f2ad0 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md +++ b/browsers/internet-explorer/ie11-deploy-guide/install-ie11-using-microsoft-intune.md @@ -1,54 +1,54 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. -author: lomayor -ms.prod: ie11 -ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: lomayor -title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Install Internet Explorer 11 (IE11) using Microsoft Intune -Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805). - -## Adding and deploying the IE11 package -You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune. - - **To add the IE11 package** - -1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher. - -2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi). - -For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - - **To automatically deploy and install the IE11 package** - -1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard. - -2. Deploy the package to any of your employee computers that are managed by Microsoft Intune. - -3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard. - -For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). - - **To let your employees install the IE11 package** - -1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups. - -2. Any employee in the assigned group can now install the package. - -For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808) - -  - -  - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to add and deploy the Internet Explorer 11 update using Microsoft Intune. +author: lomayor +ms.prod: ie11 +ms.assetid: b2dfc08c-78af-4c22-8867-7be3b92b1616 +ms.reviewer: +manager: dansimp +ms.author: lomayor +title: Install Internet Explorer 11 (IE11) using Microsoft Intune (Internet Explorer 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Install Internet Explorer 11 (IE11) using Microsoft Intune +Internet Explorer 11 is available as an update in Microsoft Intune. Microsoft Intune uses Windows cloud services to help you manage updates, monitor and protect your computers, provide remote assistance, track hardware and software inventory, and set security policies. For more information, see the [Documentation Library for Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301805). + +## Adding and deploying the IE11 package +You can add and then deploy the IE11 package to any computer that's managed by Microsoft Intune. + + **To add the IE11 package** + +1. From the Microsoft Intune administrator console, start the Microsoft Intune Software Publisher. + +2. Add your IE11 package as either an external link or as a Windows installer package (.exe or .msi). + +For more info about how to decide which one to use, and how to use it, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). + + **To automatically deploy and install the IE11 package** + +1. From the Microsoft Intune administrator console, start and run through the Deploy Software wizard. + +2. Deploy the package to any of your employee computers that are managed by Microsoft Intune. + +3. After the package is on your employee's computers, the installation process runs, based on what you set up in your wizard. + +For more info about this, see [Deploy and configure apps](https://go.microsoft.com/fwlink/p/?LinkId=301806). + + **To let your employees install the IE11 package** + +1. Install the package on your company's Microsoft Intune site, marking it as **Available** for the appropriate groups. + +2. Any employee in the assigned group can now install the package. + +For more info about this, see [Update apps using Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=301808) + +  + +  + + + diff --git a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md index efbae636fc..a3c0045275 100644 --- a/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/platform-selection-ieak11-wizard.md @@ -1,35 +1,35 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. -author: lomayor -ms.prod: ie11 -ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: lomayor -title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Platform Selection page in the IEAK 11 Wizard -The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. - -**To use the Platform Selection page** - -1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

-You must create individual packages for each supported operating system.

-**Note**
To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). - -2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Platform Selection page in the IEAK 11 Customization Wizard to pick the specs for your employee devices that will get the install package. +author: lomayor +ms.prod: ie11 +ms.assetid: 9cbf5abd-86f7-42b6-9810-0b606bbe8218 +ms.reviewer: +manager: dansimp +ms.author: lomayor +title: Use the Platform Selection page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Platform Selection page in the IEAK 11 Wizard +The **Platform Selection** page of the Internet Explorer Customization Wizard 11 lets you pick the operating system and architecture (32-bit or 64-bit) for the devices on which you’re going to install the custom installation package. + +**To use the Platform Selection page** + +1. Pick the operating system and architecture for the devices on which you’re going to install the custom package.

+You must create individual packages for each supported operating system.

+**Note**
To keep your settings across several operating system packages, you can specify the same destination folder. Then, after running the wizard, you can reuse the resulting .ins file. Any additional changes to the .ins file are saved. For more info about using .ins files, see [Using Internet Settings (.INS) files with IEAK 11](using-internet-settings-ins-files.md). For more info about adding in your .ins file, see [Use the File Locations page in the IEAK 11 Wizard](file-locations-ieak11-wizard.md). + +2. Click **Next** to go to the [Language Selection](language-selection-ieak11-wizard.md) page or **Back** to go to the [File Locations](file-locations-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md index a4d2c384bb..8b0ff1ece4 100644 --- a/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md +++ b/browsers/internet-explorer/ie11-ieak/programs-ieak11-wizard.md @@ -1,39 +1,39 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. -author: lomayor -ms.prod: ie11 -ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc -ms.reviewer: -audience: itpro manager: dansimp -ms.author: lomayor -title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) -ms.sitesec: library -ms.date: 07/27/2017 ---- - - -# Use the Programs page in the IEAK 11 Wizard -The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. - -**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop. - -**To use the Programs page** - -1. Determine whether you want to customize your connection settings. You can pick: - - - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

-OR-

- - - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

**Note**
If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. - -2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. - -  - -  - - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: How to use the Programs page in the IEAK 11 Customization Wizard to pick the default programs to use for Internet services. +author: lomayor +ms.prod: ie11 +ms.assetid: f715668f-a50d-4db0-b578-e6526fbfa1fc +ms.reviewer: +manager: dansimp +ms.author: lomayor +title: Use the Programs page in the IEAK 11 Wizard (Internet Explorer Administration Kit 11 for IT Pros) +ms.sitesec: library +ms.date: 07/27/2017 +--- + + +# Use the Programs page in the IEAK 11 Wizard +The **Programs** page of the Internet Explorer Customization Wizard 11 lets you pick the default programs to use for Internet services, like email, contact lists, and newsgroups, by importing settings from your computer. + +**Important**
The customizations you make on this page only apply to Internet Explorer for the desktop. + +**To use the Programs page** + +1. Determine whether you want to customize your connection settings. You can pick: + + - **Do not customize Program Settings.** Pick this option if you don’t want to set program associations for your employee’s devices.

-OR-

+ + - **Import the current Program Settings.** Pick this option to import the program associations from your device and use them as the preset for your employee’s program settings.

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. - -After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. - -To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). - -## Create a demo VM - -Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. - -To use Windows Powershell we just need to know two things: - -1. The location of the Windows 10 ISO file. - - In the example, we assume the location is **c:\iso\win10-eval.iso**. -2. The name of the network interface that connects to the Internet. - - In the example, we use a Windows PowerShell command to determine this automatically. - -After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. - -### Set ISO file location - -You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). -- When asked to select a platform, choose **64 bit**. - -After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). - -1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. -2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. -3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. - -### Determine network adapter name - -The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: - -```powershell -(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -``` - -The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. - -For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. - -### Use Windows PowerShell to create the demo VM - -All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. - ->[!IMPORTANT] ->**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

If you have never created an external VM switch before, then just run the commands below. - -```powershell -New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal -Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot -Start-VM -VMName WindowsAutopilot -``` - -After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. - -See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. - -

-PS C:\autopilot> dir c:\iso
-
-
-    Directory: C:\iso
-
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
-
-PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-Ethernet
-PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
-
-Name              SwitchType NetAdapterInterfaceDescription
-----              ---------- ------------------------------
-AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
-
-PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
-
-Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
-----             ----- ----------- ----------------- ------   ------             -------
-WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
-
-PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
-PS C:\autopilot> Start-VM -VMName WindowsAutopilot
-PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
-PS C:\autopilot> dir
-
-    Directory: C:\autopilot
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/12/2019   3:15 PM                VMData
-d-----        3/12/2019   3:42 PM                VMs
-
-PS C:\autopilot>
-
- -### Install Windows 10 - -Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: - - ![Windows setup](images/winsetup1.png) - ![Windows setup](images/winsetup2.png) - ![Windows setup](images/winsetup3.png) - ![Windows setup](images/winsetup4.png) - ![Windows setup](images/winsetup5.png) - ![Windows setup](images/winsetup6.png) - ->After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: - - ![Windows setup](images/winsetup7.png) - -Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. - - ![Windows setup](images/winsetup8.png) - -To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: - -```powershell -Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" -``` - -Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. - -## Capture the hardware ID - ->NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. - -Follow these steps to run the PS script: - -1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: - - ```powershell - md c:\HWID - Set-Location c:\HWID - Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force - Install-Script -Name Get-WindowsAutopilotInfo -Force - $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" - Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv - ``` - -When you are prompted to install the NuGet package, choose **Yes**. - -See the sample output below. - -
-PS C:\> md c:\HWID
-
-    Directory: C:\
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
-d-----        3/14/2019  11:33 AM                HWID
-
-PS C:\> Set-Location c:\HWID
-PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
-PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
-
-NuGet provider is required to continue
-PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
- provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
-'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
- 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
-import the NuGet provider now?
-[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
-PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
-PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
-PS C:\HWID> dir
-
-    Directory: C:\HWID
-
-Mode                LastWriteTime         Length Name
-----                -------------         ------ ----
--a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
-
-PS C:\HWID>
-
- -Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. - -**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. - -![Serial number and hardware hash](images/hwid.png) - -You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). - -If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. - ->[!NOTE] ->When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. - -## Reset the VM back to Out-Of-Box-Experience (OOBE) - -With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. - -On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. -Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. - -![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) - -Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. - -![Reset this PC screen capture](images/autopilot-reset-progress.jpg) - -## Verify subscription level - -For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: - -**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** - -![MDM and Intune](images/mdm-intune2.png) - -If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. - -To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. - -![Reset this PC final prompt](images/aad-lic1.png) - -## Configure company branding - -If you already have company branding configured in Azure Active Directory, you can skip this step. - ->[!IMPORTANT] ->Make sure to sign-in with a Global Administrator account. - -Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. - -![Configure company branding](images/branding.png) - -When you are finished, click **Save**. - ->[!NOTE] ->Changes to company branding can take up to 30 minutes to apply. - -## Configure Microsoft Intune auto-enrollment - -If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. - -Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. - -For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. - -![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) - -## Register your VM - -Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. - -### Autopilot registration using Intune - -1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. - - ![Intune device import](images/device-import.png) - - >[!NOTE] - >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. - -2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. - - ![HWID CSV](images/hwid-csv.png) - - You should receive confirmation that the file is formatted correctly before uploading it, as shown above. - -3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. - -4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. - - ![Import HWID](images/import-vm.png) - -### Autopilot registration using MSfB - ->[!IMPORTANT] ->If you've already registered your VM (or device) using Intune, then skip this step. - -Optional: see the following video for an overview of the process. - -  - -> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] - -First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. - -Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. - -Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: - -![Microsoft Store for Business](images/msfb.png) - -Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. - -![Devices](images/msfb-device.png) - -## Create and assign a Windows Autopilot deployment profile - ->[!IMPORTANT] ->Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: - -Pick one: -- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) - -### Create a Windows Autopilot deployment profile using Intune - ->[!NOTE] ->Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: - -![Devices](images/intune-devices.png) - ->The example above lists both a physical device and a VM. Your list should only include only one of these. - -To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** - -![Deployment profiles](images/deployment-profiles.png) - -Click on **Create profile**. - -![Create deployment profile](images/create-profile.png) - -On the **Create profile** blade, use the following values: - -| Setting | Value | -|---|---| -| Name | Autopilot Lab profile | -| Description | blank | -| Convert all targeted devices to Autopilot | No | -| Deployment mode | User-driven | -| Join to Azure AD as | Azure AD joined | - -Click on **Out-of-box experience (OOBE)** and configure the following settings: - -| Setting | Value | -|---|---| -| EULA | Hide | -| Privacy Settings | Hide | -| Hide change account options | Hide | -| User account type | Standard | -| Apply device name template | No | - -See the following example: - -![Deployment profile](images/profile.png) - -Click on **OK** and then click on **Create**. - ->If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). - -#### Assign the profile - -Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. - -To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: - -![All groups](images/all-groups.png) - -Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: - -Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. - -![New group](images/new-group.png) - -Now click **Create** to finish creating the new group. - -Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. - -With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). - -From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: - -![Lab profile](images/deployment-profiles2.png) - -Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). - -![Include group](images/include-group.png) - -Click **Select** and then click **Save**. - -![Include group](images/include-group2.png) - -It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). - -### Create a Windows Autopilot deployment profile using MSfB - -If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. - -A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. - -First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. - -Click **Manage** from the top menu, then click **Devices** from the left navigation tree. - -![MSfB manage](images/msfb-manage.png) - -Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. - -To CREATE the profile: - -Select your device from the **Devices** list: - -![MSfB create](images/msfb-create1.png) - -On the Autopilot deployment dropdown menu, select **Create new profile**: - -![MSfB create](images/msfb-create2.png) - -Name the profile, choose your desired settings, and then click **Create**: - -![MSfB create](images/msfb-create3.png) - -The new profile is added to the Autopilot deployment list. - -To ASSIGN the profile: - -To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: - -![MSfB assign](images/msfb-assign1.png) - -Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: - -![MSfB assign](images/msfb-assign2.png) - ->[!IMPORTANT] ->The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. - -## See Windows Autopilot in action - -If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: - -![Device status](images/device-status.png) - -Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. - ->[!TIP] ->If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). - -- Ensure your device has an internet connection. -- Turn on the device -- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). - -![OOBE sign-in page](images/autopilot-oobe.jpg) - -Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. - -![Device enabled](images/enabled-device.png) - -Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. - -Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. - -## Remove devices from Autopilot - -To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. - -### Delete (deregister) Autopilot device - -You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. - -![Delete device](images/delete-device1.png) - -Click **X** when challenged to complete the operation: - -![Delete device](images/delete-device2.png) - -This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. - -![Delete device](images/delete-device3.png) - -The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. - -To remove the device from the Autopilot program, select the device and click Delete. - -![Delete device](images/delete-device4.png) - -A warning message appears reminding you to first remove the device from Intune, which we previously did. - -![Delete device](images/delete-device5.png) - -At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: - -![Delete device](images/delete-device6.png) - -Once the device no longer appears, you are free to reuse it for other purposes. - -If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: - -![Delete device](images/delete-device7.png) - -## Appendix A: Verify support for Hyper-V - -Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. - -To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: - -
-C:>systeminfo
-
-...
-Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
-                           Virtualization Enabled In Firmware: Yes
-                           Second Level Address Translation: Yes
-                           Data Execution Prevention Available: Yes
-
- -In this example, the computer supports SLAT and Hyper-V. - ->If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. - -You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: - -
-C:>coreinfo -v
-
-Coreinfo v3.31 - Dump information on system CPU and memory topology
-Copyright (C) 2008-2014 Mark Russinovich
-Sysinternals - www.sysinternals.com
-
-Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
-Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
-Microcode signature: 0000001B
-HYPERVISOR      -       Hypervisor is present
-VMX             *       Supports Intel hardware-assisted virtualization
-EPT             *       Supports Intel extended page tables (SLAT)
-
- -Note: A 64-bit operating system is required to run Hyper-V. - -## Appendix B: Adding apps to your profile - -### Add a Win32 app - -#### Prepare the app for Intune - -Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool: - -1. The source folder for your application -2. The name of the setup executable file -3. The output folder for the new file - -For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. - -Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. - -Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: - -![Add app](images/app01.png) - -After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. - -#### Create app in Intune - -Log into the Azure portal and select **Intune**. - -Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. - -![Add app](images/app02.png) - -Under **App Type**, select **Windows app (Win32)**: - -![Add app](images/app03.png) - -On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: - -![Add app](images/app04.png) - -On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: - -![Add app](images/app05.png) - -On the **Program Configuration** blade, supply the install and uninstall commands: - -Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q -Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q - -NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file. - -![Add app](images/app06.png) - -Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). - -Click **OK** to save your input and activate the **Requirements** blade. - -On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: - -![Add app](images/app07.png) - -Next, configure the **Detection rules**. For our purposes, we will select manual format: - -![Add app](images/app08.png) - -Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: - -![Add app](images/app09.png) - -Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. - -**Return codes**: For our purposes, leave the return codes at their default values: - -![Add app](images/app10.png) - -Click **OK** to exit. - -You may skip configuring the final **Scope (Tags)** blade. - -Click the **Add** button to finalize and save your app package. - -Once the indicator message says the addition has completed. - -![Add app](images/app11.png) - -You will be able to find your app in your app list: - -![Add app](images/app12.png) - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app13.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. - -For our purposes, select *8Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app14.png) - -![Add app](images/app15.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app16.png) - -At this point, you have completed steps to add a Win32 app to Intune. - -For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). - -### Add Office 365 - -#### Create app in Intune - -Log into the Azure portal and select **Intune**. - -Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. - -![Add app](images/app17.png) - -Under **App Type**, select **Office 365 Suite > Windows 10**: - -![Add app](images/app18.png) - -Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: - -![Add app](images/app19.png) - -Click **OK**. - -In the **App Suite Information** pane, enter a unique suite name, and a suitable description. - ->Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. - -![Add app](images/app20.png) - -Click **OK**. - -In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: - -![Add app](images/app21.png) - -Click **OK** and then click **Add**. - -#### Assign the app to your Intune profile - -**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. - -In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: - -![Add app](images/app22.png) - -Select **Add Group** to open the **Add group** pane that is related to the app. - -For our purposes, select **Required** from the **Assignment type** dropdown menu: - ->**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. - -Select **Included Groups** and assign the groups you previously created that will use this app: - -![Add app](images/app23.png) - -![Add app](images/app24.png) - -In the **Select groups** pane, click the **Select** button. - -In the **Assign group** pane, select **OK**. - -In the **Add group** pane, select **OK**. - -In the app **Assignments** pane, select **Save**. - -![Add app](images/app25.png) - -At this point, you have completed steps to add Office to Intune. - -For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). - -If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: - -![Add app](images/app26.png) - -## Glossary - - - - - - - - - - - - - - -
OEMOriginal Equipment Manufacturer
CSVComma Separated Values
MPCMicrosoft Partner Center
CSPCloud Solution Provider
MSfBMicrosoft Store for Business
AADAzure Active Directory
4K HH4K Hardware Hash
CBRComputer Build Report
ECEnterprise Commerce (server)
DDSDevice Directory Service
OOBEOut of the Box Experience
VMVirtual Machine
+--- +title: Demonstrate Autopilot deployment +ms.reviewer: +manager: laurawi +description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greglin +ms.collection: M365-modern-desktop +ms.topic: article +ms.custom: autopilot +--- + + +# Demonstrate Autopilot deployment + +**Applies to** + +- Windows 10 + +To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. + +In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. + +>Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. + +The following video provides an overview of the process: + +
+ + +>For a list of terms used in this guide, see the [Glossary](#glossary) section. + +## Prerequisites + +These are the things you'll need to complete this lab: + + + +
Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
+ +## Procedures + +A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. + +[Verify support for Hyper-V](#verify-support-for-hyper-v) +
[Enable Hyper-V](#enable-hyper-v) +
[Create a demo VM](#create-a-demo-vm) +
    [Set ISO file location](#set-iso-file-location) +
    [Determine network adapter name](#determine-network-adapter-name) +
    [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) +
    [Install Windows 10](#install-windows-10) +
[Capture the hardware ID](#capture-the-hardware-id) +
[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) +
[Verify subscription level](#verify-subscription-level) +
[Configure company branding](#configure-company-branding) +
[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) +
[Register your VM](#register-your-vm) +
    [Autopilot registration using Intune](#autopilot-registration-using-intune) +
    [Autopilot registration using MSfB](#autopilot-registration-using-msfb) +
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) +
    [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +
       [Assign the profile](#assign-the-profile) +
    [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) +
[See Windows Autopilot in action](#see-windows-autopilot-in-action) +
[Remove devices from Autopilot](#remove-devices-from-autopilot) +
    [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) +
[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) +
[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) +
    [Add a Win32 app](#add-a-win32-app) +
       [Prepare the app for Intune](#prepare-the-app-for-intune) +
       [Create app in Intune](#create-app-in-intune) +
       [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
    [Add Office 365](#add-office-365) +
       [Create app in Intune](#create-app-in-intune) +
       [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) +
[Glossary](#glossary) + +## Verify support for Hyper-V + +If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). + +>If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). + +If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. + +## Enable Hyper-V + +To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: + +```powershell +Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All +``` + +This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: + +```powershell +Install-WindowsFeature -Name Hyper-V -IncludeManagementTools +``` + +When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. + +>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: + + ![hyper-v feature](../images/hyper-v-feature.png) + + ![hyper-v](../images/svr_mgr2.png) + +

If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools. + +After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box. + +To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/) and [Hyper-V on Windows Server](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server). + +## Create a demo VM + +Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](https://docs.microsoft.com/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell. + +To use Windows Powershell we just need to know two things: + +1. The location of the Windows 10 ISO file. + - In the example, we assume the location is **c:\iso\win10-eval.iso**. +2. The name of the network interface that connects to the Internet. + - In the example, we use a Windows PowerShell command to determine this automatically. + +After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10. + +### Set ISO file location + +You can download an ISO file for an evaluation version of the latest release of Windows 10 Enterprise [here](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise). +- When asked to select a platform, choose **64 bit**. + +After you download this file, the name will be extremely long (ex: 17763.107.101029-1455.rs5_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso). + +1. So that it is easier to type and remember, rename the file to **win10-eval.iso**. +2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**. +3. If you wish to use a different name and location for the file, you must modify the Windows PowerShell commands below to use your custom name and directory. + +### Determine network adapter name + +The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt: + +```powershell +(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +``` + +The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name. + +For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**. + +### Use Windows PowerShell to create the demo VM + +All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands. + +>[!IMPORTANT] +>**VM switch**: a VM switch is how Hyper-V connects VMs to a network.

If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."

If you have never created an external VM switch before, then just run the commands below. + +```powershell +New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name +New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal +Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot +Start-VM -VMName WindowsAutopilot +``` + +After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager. + +See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM. + +

+PS C:\autopilot> dir c:\iso
+
+
+    Directory: C:\iso
+
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/12/2019   2:46 PM     4627343360 win10-eval.iso
+
+PS C:\autopilot> (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+Ethernet
+PS C:\autopilot> New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$.Status -eq "Up" -and !$.Virtual}).Name
+
+Name              SwitchType NetAdapterInterfaceDescription
+----              ---------- ------------------------------
+AutopilotExternal External   Intel(R) Ethernet Connection (2) I218-LM
+
+PS C:\autopilot> New-VM -Name WindowsAutopilot -MemoryStartupBytes 2GB -BootDevice VHD -NewVHDPath .\VMs\WindowsAutopilot.vhdx -Path .\VMData -NewVHDSizeBytes 80GB -Generation 2 -Switch AutopilotExternal
+
+Name             State CPUUsage(%) MemoryAssigned(M) Uptime   Status             Version
+----             ----- ----------- ----------------- ------   ------             -------
+WindowsAutopilot Off   0           0                 00:00:00 Operating normally 8.0
+
+PS C:\autopilot> Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
+PS C:\autopilot> Start-VM -VMName WindowsAutopilot
+PS C:\autopilot> vmconnect.exe localhost WindowsAutopilot
+PS C:\autopilot> dir
+
+    Directory: C:\autopilot
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/12/2019   3:15 PM                VMData
+d-----        3/12/2019   3:42 PM                VMs
+
+PS C:\autopilot>
+
+ +### Install Windows 10 + +Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples: + + ![Windows setup](images/winsetup1.png) + ![Windows setup](images/winsetup2.png) + ![Windows setup](images/winsetup3.png) + ![Windows setup](images/winsetup4.png) + ![Windows setup](images/winsetup5.png) + ![Windows setup](images/winsetup6.png) + +>After the VM restarts, during OOBE, it’s fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example: + + ![Windows setup](images/winsetup7.png) + +Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state. You will create multiple checkpoints throughout this lab, which can be used later to go through the process again. + + ![Windows setup](images/winsetup8.png) + +To create your first checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following: + +```powershell +Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install" +``` + +Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane. + +## Capture the hardware ID + +>NOTE: Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you’re not going to use the OA3 Tool to capture the full 4K HH for various reasons (you’d have to install the OA3 tool, your device couldn’t have a volume license version of Windows, it’s a more complicated process than using a PS script, etc.). Instead, you’ll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool. + +Follow these steps to run the PS script: + +1. Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device: + + ```powershell + md c:\HWID + Set-Location c:\HWID + Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force + Install-Script -Name Get-WindowsAutopilotInfo -Force + $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts" + Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv + ``` + +When you are prompted to install the NuGet package, choose **Yes**. + +See the sample output below. + +
+PS C:\> md c:\HWID
+
+    Directory: C:\
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+d-----        3/14/2019  11:33 AM                HWID
+
+PS C:\> Set-Location c:\HWID
+PS C:\HWID> Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
+PS C:\HWID> Install-Script -Name Get-WindowsAutopilotInfo -Force
+
+NuGet provider is required to continue
+PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet
+ provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or
+'C:\Users\user1\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running
+ 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and
+import the NuGet provider now?
+[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y
+PS C:\HWID> $env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
+PS C:\HWID> Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
+PS C:\HWID> dir
+
+    Directory: C:\HWID
+
+Mode                LastWriteTime         Length Name
+----                -------------         ------ ----
+-a----        3/14/2019  11:33 AM           8184 AutopilotHWID.csv
+
+PS C:\HWID>
+
+ +Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH. + +**Note**: Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below. + +![Serial number and hardware hash](images/hwid.png) + +You will need to upload this data into Intune to register your device for Autopilot, so it needs to be transferred to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM). + +If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this. + +>[!NOTE] +>When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste. + +## Reset the VM back to Out-Of-Box-Experience (OOBE) + +With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE. + +On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**. +Select **Remove everything** and **Just remove my files**. Finally, click on **Reset**. + +![Reset this PC final prompt](images/autopilot-reset-prompt.jpg) + +Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process. + +![Reset this PC screen capture](images/autopilot-reset-progress.jpg) + +## Verify subscription level + +For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example: + +**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune** + +![MDM and Intune](images/mdm-intune2.png) + +If the configuration blade shown above does not appear, it’s likely that you don’t have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium. + +To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5. + +![Reset this PC final prompt](images/aad-lic1.png) + +## Configure company branding + +If you already have company branding configured in Azure Active Directory, you can skip this step. + +>[!IMPORTANT] +>Make sure to sign-in with a Global Administrator account. + +Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE. + +![Configure company branding](images/branding.png) + +When you are finished, click **Save**. + +>[!NOTE] +>Changes to company branding can take up to 30 minutes to apply. + +## Configure Microsoft Intune auto-enrollment + +If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step. + +Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**. + +For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**. + +![MDM user scope in the Mobility blade](images/autopilot-aad-mdm.png) + +## Register your VM + +Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB. + +### Autopilot registration using Intune + +1. In Intune in the Azure portal, choose **Device enrollment** > **Windows enrollment** > **Devices** > **Import**. + + ![Intune device import](images/device-import.png) + + >[!NOTE] + >If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared. + +2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It’s okay if other fields (Windows Product ID) are left blank. + + ![HWID CSV](images/hwid-csv.png) + + You should receive confirmation that the file is formatted correctly before uploading it, as shown above. + +3. Click **Import** and wait until the import process completes. This can take up to 15 minutes. + +4. Click **Sync** to sync the device you just registered. Wait a few moments before refreshing to verify your VM or device has been added. See the following example. + + ![Import HWID](images/import-vm.png) + +### Autopilot registration using MSfB + +>[!IMPORTANT] +>If you've already registered your VM (or device) using Intune, then skip this step. + +Optional: see the following video for an overview of the process. + +  + +> [!video https://www.youtube.com/embed/IpLIZU_j7Z0] + +First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](https://docs.microsoft.com/microsoft-store/windows-store-for-business-overview) to create a new one. + +Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** in the upper-right-corner of the main page. + +Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example: + +![Microsoft Store for Business](images/msfb.png) + +Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added. + +![Devices](images/msfb-device.png) + +## Create and assign a Windows Autopilot deployment profile + +>[!IMPORTANT] +>Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab: + +Pick one: +- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) +- [Create profiles using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) + +### Create a Windows Autopilot deployment profile using Intune + +>[!NOTE] +>Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list first: + +![Devices](images/intune-devices.png) + +>The example above lists both a physical device and a VM. Your list should only include only one of these. + +To create a Windows Autopilot profile, select **Device enrollment** > **Windows enrollment** > **Deployment profiles** + +![Deployment profiles](images/deployment-profiles.png) + +Click on **Create profile**. + +![Create deployment profile](images/create-profile.png) + +On the **Create profile** blade, use the following values: + +| Setting | Value | +|---|---| +| Name | Autopilot Lab profile | +| Description | blank | +| Convert all targeted devices to Autopilot | No | +| Deployment mode | User-driven | +| Join to Azure AD as | Azure AD joined | + +Click on **Out-of-box experience (OOBE)** and configure the following settings: + +| Setting | Value | +|---|---| +| EULA | Hide | +| Privacy Settings | Hide | +| Hide change account options | Hide | +| User account type | Standard | +| Apply device name template | No | + +See the following example: + +![Deployment profile](images/profile.png) + +Click on **OK** and then click on **Create**. + +>If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile). + +#### Assign the profile + +Profiles can only be assigned to Groups, so first you must create a group that contains the devices to which the profile should be applied. This guide will provide simple instructions to assign a profile, for more detailed instructions, see [Create an Autopilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an Autopilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group), as optional reading. + +To create a Group, open the Azure Portal and select **Azure Active Directory** > **Groups** > **All groups**: + +![All groups](images/all-groups.png) + +Select New group from the Groups blade to open the new groups UI. Select the “Security” group type, name the group, and select the “Assigned” membership type: + +Before clicking **Create**, expand the **Members** panel, click your device's serial number (it will then appear under **Selected members**) and then click **Select** to add that device to this group. + +![New group](images/new-group.png) + +Now click **Create** to finish creating the new group. + +Click on **All groups** and click **Refresh** to verify that your new group has been successfully created. + +With a group created containing your device, you can now go back and assign your profile to that group. Navigate back to the Intune page in the Azure portal (one way is to type **Intune** in the top banner search bar and select **Intune** from the results). + +From Intune, select **Device enrollment** > **Windows enrollment** > **Deployment Profiles** to open the profile blade. Click on the name of the profile you previously created (Autopilot Lab profile) to open the details blade for that profile: + +![Lab profile](images/deployment-profiles2.png) + +Under **Manage**, click **Assignments**, and then with the **Include** tab highlighted, expand the **Select groups** blade and click **AP Lab Group 1** (the group will appear under **Selected members**). + +![Include group](images/include-group.png) + +Click **Select** and then click **Save**. + +![Include group](images/include-group2.png) + +It’s also possible to assign specific users to a profile, but we will not cover this scenario in the lab. For more detailed information, see [Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/intune/enrollment-autopilot). + +### Create a Windows Autopilot deployment profile using MSfB + +If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section. + +A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below. + +First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab. + +Click **Manage** from the top menu, then click **Devices** from the left navigation tree. + +![MSfB manage](images/msfb-manage.png) + +Click the **Windows Autopilot Deployment Program** link in the **Devices** tile. + +To CREATE the profile: + +Select your device from the **Devices** list: + +![MSfB create](images/msfb-create1.png) + +On the Autopilot deployment dropdown menu, select **Create new profile**: + +![MSfB create](images/msfb-create2.png) + +Name the profile, choose your desired settings, and then click **Create**: + +![MSfB create](images/msfb-create3.png) + +The new profile is added to the Autopilot deployment list. + +To ASSIGN the profile: + +To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown: + +![MSfB assign](images/msfb-assign1.png) + +Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column: + +![MSfB assign](images/msfb-assign2.png) + +>[!IMPORTANT] +>The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device. + +## See Windows Autopilot in action + +If you shut down your VM after the last reset, it’s time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**: + +![Device status](images/device-status.png) + +Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up. + +>[!TIP] +>If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you’re expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset). + +- Ensure your device has an internet connection. +- Turn on the device +- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip). + +![OOBE sign-in page](images/autopilot-oobe.jpg) + +Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated. + +![Device enabled](images/enabled-device.png) + +Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done. + +Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoints you've created to go through this process again with different settings. + +## Remove devices from Autopilot + +To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found [here](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [here](https://docs.microsoft.com/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below. + +### Delete (deregister) Autopilot device + +You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into your Intune Azure portal, then navigate to **Intune > Devices > All Devices**. Select the checkbox next to the device you want to delete, then click the Delete button along the top menu. + +![Delete device](images/delete-device1.png) + +Click **X** when challenged to complete the operation: + +![Delete device](images/delete-device2.png) + +This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**. + +![Delete device](images/delete-device3.png) + +The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune. Note: A device will only appear in the All devices list once it has booted. The latter (Windows Autopilot Deployment Program > Devices) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune. + +To remove the device from the Autopilot program, select the device and click Delete. + +![Delete device](images/delete-device4.png) + +A warning message appears reminding you to first remove the device from Intune, which we previously did. + +![Delete device](images/delete-device5.png) + +At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program: + +![Delete device](images/delete-device6.png) + +Once the device no longer appears, you are free to reuse it for other purposes. + +If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button: + +![Delete device](images/delete-device7.png) + +## Appendix A: Verify support for Hyper-V + +Starting with Windows 8, the host computer’s microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information. + +To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example: + +
+C:>systeminfo
+
+...
+Hyper-V Requirements:      VM Monitor Mode Extensions: Yes
+                           Virtualization Enabled In Firmware: Yes
+                           Second Level Address Translation: Yes
+                           Data Execution Prevention Available: Yes
+
+ +In this example, the computer supports SLAT and Hyper-V. + +>If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings. + +You can also identify Hyper-V support using [tools](https://blogs.msdn.microsoft.com/taylorb/2008/06/19/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v/) provided by the processor manufacturer, the [msinfo32](https://technet.microsoft.com/library/cc731397.aspx) tool, or you can download the [coreinfo](https://technet.microsoft.com/sysinternals/cc835722) utility and run it, as shown in the following example: + +
+C:>coreinfo -v
+
+Coreinfo v3.31 - Dump information on system CPU and memory topology
+Copyright (C) 2008-2014 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+Intel(R) Core(TM) i7-2600 CPU @ 3.40GHz
+Intel64 Family 6 Model 42 Stepping 7, GenuineIntel
+Microcode signature: 0000001B
+HYPERVISOR      -       Hypervisor is present
+VMX             *       Supports Intel hardware-assisted virtualization
+EPT             *       Supports Intel extended page tables (SLAT)
+
+ +Note: A 64-bit operating system is required to run Hyper-V. + +## Appendix B: Adding apps to your profile + +### Add a Win32 app + +#### Prepare the app for Intune + +Before we can pull an application into Intune to make it part of our AP profile, we need to “package” the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool). After downloading the tool, gather the following three bits of information to use the tool: + +1. The source folder for your application +2. The name of the setup executable file +3. The output folder for the new file + +For the purposes of this lab, we’ll use the Notepad++ tool as our Win32 app. + +Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then opy the file to a known location, such as C:\Notepad++msi. + +Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example: + +![Add app](images/app01.png) + +After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps. + +#### Create app in Intune + +Log into the Azure portal and select **Intune**. + +Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. + +![Add app](images/app02.png) + +Under **App Type**, select **Windows app (Win32)**: + +![Add app](images/app03.png) + +On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**: + +![Add app](images/app04.png) + +On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as: + +![Add app](images/app05.png) + +On the **Program Configuration** blade, supply the install and uninstall commands: + +Install: msiexec /i "npp.7.6.3.installer.x64.msi" /q +Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q + +NOTE: Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Intune-Win32-App-Packaging-Tool) automatically generated them when it converted the .msi file into a .intunewin file. + +![Add app](images/app06.png) + +Simply using an install command like “notepad++.exe /S” will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn’t actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available). + +Click **OK** to save your input and activate the **Requirements** blade. + +On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**: + +![Add app](images/app07.png) + +Next, configure the **Detection rules**. For our purposes, we will select manual format: + +![Add app](images/app08.png) + +Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule: + +![Add app](images/app09.png) + +Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration. + +**Return codes**: For our purposes, leave the return codes at their default values: + +![Add app](images/app10.png) + +Click **OK** to exit. + +You may skip configuring the final **Scope (Tags)** blade. + +Click the **Add** button to finalize and save your app package. + +Once the indicator message says the addition has completed. + +![Add app](images/app11.png) + +You will be able to find your app in your app list: + +![Add app](images/app12.png) + +#### Assign the app to your Intune profile + +**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + +In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu: + +![Add app](images/app13.png) + +Select **Add Group** to open the **Add group** pane that is related to the app. + +For our purposes, select *8Required** from the **Assignment type** dropdown menu: + +>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. + +Select **Included Groups** and assign the groups you previously created that will use this app: + +![Add app](images/app14.png) + +![Add app](images/app15.png) + +In the **Select groups** pane, click the **Select** button. + +In the **Assign group** pane, select **OK**. + +In the **Add group** pane, select **OK**. + +In the app **Assignments** pane, select **Save**. + +![Add app](images/app16.png) + +At this point, you have completed steps to add a Win32 app to Intune. + +For more information on adding adds to Intune, see [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps-win32-app-management). + +### Add Office 365 + +#### Create app in Intune + +Log into the Azure portal and select **Intune**. + +Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package. + +![Add app](images/app17.png) + +Under **App Type**, select **Office 365 Suite > Windows 10**: + +![Add app](images/app18.png) + +Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel: + +![Add app](images/app19.png) + +Click **OK**. + +In the **App Suite Information** pane, enter a unique suite name, and a suitable description. + +>Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal. + +![Add app](images/app20.png) + +Click **OK**. + +In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**: + +![Add app](images/app21.png) + +Click **OK** and then click **Add**. + +#### Assign the app to your Intune profile + +**NOTE**: The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#assign-the-profile). If you have not done that, please return to the main part of the lab and complete those steps before returning here. + +In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu: + +![Add app](images/app22.png) + +Select **Add Group** to open the **Add group** pane that is related to the app. + +For our purposes, select **Required** from the **Assignment type** dropdown menu: + +>**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website. + +Select **Included Groups** and assign the groups you previously created that will use this app: + +![Add app](images/app23.png) + +![Add app](images/app24.png) + +In the **Select groups** pane, click the **Select** button. + +In the **Assign group** pane, select **OK**. + +In the **Add group** pane, select **OK**. + +In the app **Assignments** pane, select **Save**. + +![Add app](images/app25.png) + +At this point, you have completed steps to add Office to Intune. + +For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/intune/apps-add-office365). + +If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate: + +![Add app](images/app26.png) + +## Glossary + + + + + + + + + + + + + + +
OEMOriginal Equipment Manufacturer
CSVComma Separated Values
MPCMicrosoft Partner Center
CSPCloud Solution Provider
MSfBMicrosoft Store for Business
AADAzure Active Directory
4K HH4K Hardware Hash
CBRComputer Build Report
ECEnterprise Commerce (server)
DDSDevice Directory Service
OOBEOut of the Box Experience
VMVirtual Machine
diff --git a/windows/privacy/gdpr-it-guidance.md b/windows/privacy/gdpr-it-guidance.md index 088f0adccd..524f34b78a 100644 --- a/windows/privacy/gdpr-it-guidance.md +++ b/windows/privacy/gdpr-it-guidance.md @@ -159,7 +159,7 @@ The following table lists in what GDPR mode – controller or processor – Wind */*Depending on which application/feature this is referring to.* -## Windows diagnostic data and Windows 10 +## Windows diagnostic data and Windows 10 ### Recommended Windows 10 settings diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index e50ae1fdfb..b9b11df607 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md @@ -16,7 +16,7 @@ ms.date: 08/17/2017 ms.reviewer: --- -# Windows Defender Credential Guard: Known issues +# Windows Defender Credential Guard: Known issues **Applies to** - Windows 10 diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 60e829af0c..4563787217 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. -## Update Windows Server 2016 +## Update Windows Server 2016 Sign-in the federation server with _local admin_ equivalent credentials. 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please advise the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 161c10f243..a6364bad59 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -38,7 +38,7 @@ A new Active Directory Federation Services farm should have a minimum of two fed Prepare the Active Directory Federation Services deployment by installing and updating two Windows Server 2016 Servers. Ensure the update listed below is applied to each server before continuing. -## Update Windows Server 2016 +## Update Windows Server 2016 Sign-in the federation server with _local admin_ equivalent credentials. 1. Ensure Windows Server 2016 is current by running **Windows Update** from **Settings**. Continue this process until no further updates are needed. If you’re not using Windows Update for updates, please review the [Windows Server 2016 update history page](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) to make sure you have the latest updates available installed. diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md index df25b0e70c..59a2e070cb 100644 --- a/windows/security/identity-protection/remote-credential-guard.md +++ b/windows/security/identity-protection/remote-credential-guard.md @@ -15,7 +15,7 @@ ms.localizationpriority: medium ms.date: 01/12/2018 ms.reviewer: --- -# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard +# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard **Applies to** - Windows 10 diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index b89ced627d..e6b90ed8bc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -48,7 +48,7 @@ This is applicable to Azure Hybrid AD as well. For Windows PCs and Windows Phones that enroll using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD. -## Managing servers +## Managing servers Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index cf6a9871cb..37a8fb4242 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -133,7 +133,7 @@ #### [Integrations]() ##### [Microsoft Defender ATP integrations](microsoft-defender-atp/threat-protection-integration.md) -##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md) +##### [Protect users, data, and devices with conditional access](microsoft-defender-atp/conditional-access.md) ##### [Microsoft Cloud App Security integration overview](microsoft-defender-atp/microsoft-cloud-app-security-integration.md) #### [Information protection in Windows overview]() @@ -1049,7 +1049,7 @@ ###### [Network access: Remotely accessible registry paths](security-policy-settings/network-access-remotely-accessible-registry-paths.md) ###### [Network access: Remotely accessible registry paths and subpaths](security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md) ###### [Network access: Restrict anonymous access to Named Pipes and Shares](security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md) -###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) +###### [Network access: Restrict clients allowed to make remote calls to SAM](security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md) ###### [Network access: Shares that can be accessed anonymously](security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md) ###### [Network access: Sharing and security model for local accounts](security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md) ###### [Network security: Allow Local System to use computer identity for NTLM](security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index 0379951dbd..652e76f78d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md @@ -38,7 +38,7 @@ On the top navigation you can: ![Image of alerts queue](images/alerts-queue-list.png) -## Sort, filter, and group the alerts queue +## Sort, filter, and group the alerts queue You can apply the following filters to limit the list of alerts and get a more focused view the alerts. ### Severity diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 4c97c07b2e..9706e81443 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -28,7 +28,7 @@ ms.date: 10/16/2017 Understand what data fields are exposed as part of the alerts API and how they map to Microsoft Defender Security Center. -## Alert API fields and portal mapping +## Alert API fields and portal mapping The following table lists the available fields exposed in the alerts API payload. It shows examples for the populated values and a reference on how data is reflected on the portal. The ArcSight field column contains the default mapping between the Microsoft Defender ATP fields and the built-in fields in ArcSight. You can download the mapping file from the portal when you enable the SIEM integration feature and you can modify it to match the needs of your organization. For more information, see [Enable SIEM integration in Microsoft Defender ATP](enable-siem-integration.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index 6f600470d6..732da72377 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -108,7 +108,7 @@ It is recommended that groups are created for MSSPs to make authorization access As a MSSP customer, you can always remove or modify the permissions granted to the MSSP by updating the Azure AD user groups. -## Access the Windows Defender Security Center MSSP customer portal +## Access the Windows Defender Security Center MSSP customer portal >[!NOTE] >These set of steps are directed towards the MSSP. diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md index d9a36f6795..2251ec4e49 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-detection-test.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: article --- -# Run a detection test on a newly onboarded Microsoft Defender ATP machine +# Run a detection test on a newly onboarded Microsoft Defender ATP machine **Applies to:** - Supported Windows 10 versions diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md index 0cf451828c..22975b13f7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-overview.md @@ -17,7 +17,7 @@ ms.collection: M365-security-compliance ms.topic: troubleshooting --- -# Troubleshoot Microsoft Defender Advanced Threat Protection +# Troubleshoot Microsoft Defender Advanced Threat Protection Troubleshoot issues that might arise as you use Microsoft Defender ATP capabilities. diff --git a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md index 9bcc029641..4b653cf263 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. -### Policy dependencies +### Policy dependencies The settings for this security policy are dependent on the [Network security: LAN Manager authentication level](network-security-lan-manager-authentication-level.md) setting value. diff --git a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md index 8ab757be7a..a9d12cc027 100644 --- a/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md +++ b/windows/security/threat-protection/wannacrypt-ransomware-worm-targets-out-of-date-systems-wdsi.md @@ -15,7 +15,7 @@ manager: dansimp ms.author: dolmont --- -# WannaCrypt ransomware worm targets out-of-date systems +# WannaCrypt ransomware worm targets out-of-date systems On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as [WannaCrypt](https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Ransom:Win32/WannaCrypt), appears to have affected computers that have not applied the patch for these vulnerabilities. While the attack is unfolding, we remind users to install [MS17-010](https://technet.microsoft.com/library/security/ms17-010.aspx) if they have not already done so. diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 129309368a..1db0749694 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -1,631 +1,631 @@ ---- -title: What's new in Windows 10 Enterprise 2019 LTSC -ms.reviewer: -manager: laurawi -ms.author: greglin -description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). -keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -audience: itpro author: greg-lindsay -ms.localizationpriority: low -ms.topic: article ---- - -# What's new in Windows 10 Enterprise 2019 LTSC - -**Applies to** -- Windows 10 Enterprise 2019 LTSC - -This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). - ->[!NOTE] ->Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. - -Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: - - Advanced protection against modern security threats - - Full flexibility of OS deployment - - Updating and support options - - Comprehensive device and app management and control capabilities - -The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. - ->[!IMPORTANT] ->The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. - -## Microsoft Intune - ->Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. - -## Security - -This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. - -### Threat protection - -#### Windows Defender ATP - -The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. - -![Windows Defender ATP](../images/wdatp.png) - -##### Attack surface reduction - -Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). - - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. - - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. - -###### Windows Defender Firewall - -Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). - -##### Windows Defender Device Guard - -[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: -- Software-based protection provided by code integrity policies -- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) - -But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). - -### Next-gen protection - -#### Office 365 Ransomware Detection - -For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) - -### Endpoint detection and response - -Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. - - Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). - - We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: -- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) -- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) -- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) -- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) -- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) - - Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). - - New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: -- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) -- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) - - We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). - - **Endpoint detection and response** is also enhanced. New **detection** capabilities include: -- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. - - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. - - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. - - Upgraded detections of ransomware and other advanced attacks. - - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. - - **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: -- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. - - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. - -Additional capabilities have been added to help you gain a holistic view on **investigations** include: - - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) - - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. - -Other enhanced security features include: -- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. -- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. -- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. -- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. -- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. -- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. -- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) - -We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. - -We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. - -This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). - -You can read more about ransomware mitigations and detection capability at: -- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) -- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) -- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) - -Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) - -Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). - -### Information protection - -Improvements have been added to Windows Information Protection and BitLocker. - -#### Windows Information Protection - -Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). - -Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). - -You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). - -This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). - -### BitLocker - -The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). - -#### Silent enforcement on fixed drives - -Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. - -This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. - -This feature will soon be enabled on Olympia Corp as an optional feature. - -#### Delivering BitLocker policy to AutoPilot devices during OOBE - -You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. - -For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. - -To achieve this: - -1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. -2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. - - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. -3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. - - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. - -### Identity protection - -Improvements have been added are to Windows Hello for Business and Credential Guard. - -#### Windows Hello for Business - -New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. - -New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: -- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). -- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. -- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). - -[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. -- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). -- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. -- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. -- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. -- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. -- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). - -For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) - -#### Windows Defender Credential Guard - -Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. - -Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. - -For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). - -### Other security improvments - -#### Windows security baselines - -Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). - -**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). - -The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. - -#### SMBLoris vulnerability - -An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. - -#### Windows Security Center - -Windows Defender Security Center is now called **Windows Security Center**. - -You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. - -The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. - -WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. - -![alt text](../images/defender.png "Windows Security Center") - -#### Group Policy Security Options - -The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. - -A new security policy setting -[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. - -#### Windows 10 in S mode - -We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: - -![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") - -## Deployment - -### Windows Autopilot - -[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. - -Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. - -Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. - -You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). - -#### Windows Autopilot self-deploying mode - -Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. - -This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. - -You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. - -To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). - - -#### Autopilot Reset - -IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). - -### MBR2GPT.EXE - -MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). - -The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. - -Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. - -For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). - -### DISM - -The following new DISM commands have been added to manage feature updates: - - DISM /Online /Initiate-OSUninstall - – Initiates a OS uninstall to take the computer back to the previous installation of windows. - DISM /Online /Remove-OSUninstall - – Removes the OS uninstall capability from the computer. - DISM /Online /Get-OSUninstallWindow - – Displays the number of days after upgrade during which uninstall can be performed. - DISM /Online /Set-OSUninstallWindow - – Sets the number of days after upgrade during which uninstall can be performed. - -For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). - -### Windows Setup - -You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. - -Prerequisites: -- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. -- Windows 10 Enterprise or Pro - -For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). - -It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. - - /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) - -New command-line switches are also available to control BitLocker: - - Setup.exe /BitLocker AlwaysSuspend - – Always suspend bitlocker during upgrade. - Setup.exe /BitLocker TryKeepActive - – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. - Setup.exe /BitLocker ForceKeepActive - – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. - -For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) - -### Feature update improvements - -Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). - -### SetupDiag - -[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. - -SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. - -## Sign-in - -### Faster sign-in to a Windows 10 shared pc - -If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! - -**To enable fast sign-in:** -1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. -2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. -3. Sign-in to a shared PC with your account. You'll notice the difference! - - ![fast sign-in](../images/fastsignin.png "fast sign-in") - -### Web sign-in to Windows 10 - -Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). - -**To try out web sign-in:** -1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). -2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. -3. On the lock screen, select web sign-in under sign-in options. -4. Click the “Sign in” button to continue. - -![Web sign-in](../images/websignin.png "web sign-in") - -## Windows Analytics - -### Upgrade Readiness - ->[!IMPORTANT] ->Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. - -Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. - -The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. - -For more information about Upgrade Readiness, see the following topics: - -- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) -- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) - -Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - -### Update Compliance - -Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. - -Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. - -For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). - -New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). - -### Device Health - -Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). - -## Accessibility and Privacy - -### Accessibility - -"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. - -### Privacy - -In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. - -## Configuration - -### Kiosk configuration - -Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. - -If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. - -### Co-management - -Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. - -For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) - -### OS uninstall period - -The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. - -### Azure Active Directory join in bulk - -Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. - -![get bulk token action in wizard](../images/bulk-token.png) - -### Windows Spotlight - -The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: - -- **Turn off the Windows Spotlight on Action Center** -- **Do not use diagnostic data for tailored experiences** -- **Turn off the Windows Welcome Experience** - -[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) - -### Start and taskbar layout - -Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). - -[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: - -- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) -- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) -- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). - -## Windows Update - -### Windows Update for Business - -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). - -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). - - -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. - -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). - -Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). - -The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). - - -Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. - -WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). - -### Windows Insider for Business - -We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). - -You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). - - -### Optimize update delivery - -With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. - ->[!NOTE] -> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. - -Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. - -Added policies include: -- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) -- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) -- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) -- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) -- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) - -To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) - -### Uninstalled in-box apps no longer automatically reinstall - -Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. - -Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. - -## Management - -### New MDM capabilities - -Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). - -Some of the other new CSPs are: - -- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. - -- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. - -- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. - -- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. - -- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). - -- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. - -IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. - -[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) - -MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). - -Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). - -### Mobile application management support for Windows 10 - -The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. - -For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). - -### MDM diagnostics - -In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. - -### Application Virtualization for Windows (App-V) - -Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. - -For more info, see the following topics: -- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) -- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) -- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) -- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) - -### Windows diagnostic data - -Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. - -- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) - -### Group Policy spreadsheet - -Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. - -- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) - -### Mixed Reality Apps - -This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). - -## Networking - -### Network stack - -Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). - -### Miracast over Infrastructure - -In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). - -How it works: - -Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. - -Miracast over Infrastructure offers a number of benefits: - -- Windows automatically detects when sending the video stream over this path is applicable. -- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. -- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. -- No changes to current wireless drivers or PC hardware are required. -- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. -- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. - -Enabling Miracast over Infrastructure: - -If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: - -- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. -- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. - - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. - - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. -- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. -- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. - -It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. - -## Registry editor improvements - -We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. - -![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") - -## Remote Desktop with Biometrics - -Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. - -To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. - -- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. -- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. - -See the following example: - -![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") -![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") -![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") - -## See Also - -[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. +--- +title: What's new in Windows 10 Enterprise 2019 LTSC +ms.reviewer: +manager: laurawi +ms.author: greglin +description: New and updated IT Pro content about new features in Windows 10 Enterprise 2019 LTSC (also known as Windows 10 Enterprise 2019 LTSB). +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 Enterprise 2019 LTSC"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: greg-lindsay +ms.localizationpriority: low +ms.topic: article +--- + +# What's new in Windows 10 Enterprise 2019 LTSC + +**Applies to** +- Windows 10 Enterprise 2019 LTSC + +This article lists new and updated features and content that are of interest to IT Pros for Windows 10 Enterprise 2019 LTSC, compared to Windows 10 Enterprise 2016 LTSC (LTSB). For a brief description of the LTSC servicing channel and associated support, see [Windows 10 Enterprise LTSC](index.md). + +>[!NOTE] +>Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. + +Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: + - Advanced protection against modern security threats + - Full flexibility of OS deployment + - Updating and support options + - Comprehensive device and app management and control capabilities + +The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. + +>[!IMPORTANT] +>The LTSC release is [intended for special use devices](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181). Support for LTSC by apps and tools that are designed for the semi-annual channel release of Windows 10 might be limited. + +## Microsoft Intune + +>Microsoft Intune supports Windows 10 Enterprise LTSC 2019 and later. This includes support for features such as [Windows Autopilot](#windows-autopilot). However, note that Windows Update for Business (WUfB) does not currently support any LTSC releases, therefore you should use WSUS or Configuration Manager for patching. + +## Security + +This version of Window 10 includes security improvements for threat protection, information protection, and identity protection. + +### Threat protection + +#### Windows Defender ATP + +The Windows Defender Advanced Threat Protection ([Windows Defender ATP](/windows/security/threat-protection/index)) platform inludes the security pillars shown in the following diagram. In this version of Windows, Windows Defender ATP includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. + +![Windows Defender ATP](../images/wdatp.png) + +##### Attack surface reduction + +Attack surface reduction includes host-based intrusion prevention systems such as [controlled folder access](/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard). + - This feature can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + - When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. + +###### Windows Defender Firewall + +Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes. You can add specific rules for a WSL process just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/windows/wsl/release-notes#build-17618-skip-ahead). + +##### Windows Defender Device Guard + +[Device Guard](/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control) has always been a collection of technologies that can be combined to lock down a PC, including: +- Software-based protection provided by code integrity policies +- Hardware-based protection provided by Hypervisor-protected code integrity (HVCI) + +But these protections can also be configured separately. And, unlike HVCI, code integrity policies do not require virtualization-based security (VBS). To help underscore the distinct value of these protections, code integrity policies have been rebranded as [Windows Defender Application Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control). + +### Next-gen protection + +#### Office 365 Ransomware Detection + +For Office 365 Home and Office 365 Personal subscribers, Ransomware Detection notifies you when your OneDrive files have been attacked and guides you through the process of restoring your files. For more information, see [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US) + +### Endpoint detection and response + +Endpoint detection and response is improved. Enterprise customers can now take advantage of the entire Windows security stack with Windows Defender Antivirus **detections** and Device Guard **blocks** being surfaced in the Windows Defender ATP portal. + + Windows Defender is now called Windows Defender Antivirus and now shares detection status between M365 services and interoperates with Windows Defender ATP. Additional policies have also been implemented to enhance cloud based protection, and new channels are available for emergency protection. For more information, see [Virus and threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection) and [Use next-gen technologies in Windows Defender Antivirus through cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus). + + We've also [increased the breadth of the documentation library for enterprise security admins](/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). The new library includes information on: +- [Deploying and enabling AV protection](/windows/threat-protection/windows-defender-antivirus/deploy-windows-defender-antivirus) +- [Managing updates](/windows/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus) +- [Reporting](/windows/threat-protection/windows-defender-antivirus/report-monitor-windows-defender-antivirus) +- [Configuring features](/windows/threat-protection/windows-defender-antivirus/configure-windows-defender-antivirus-features) +- [Troubleshooting](/windows/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus) + + Some of the highlights of the new library include [Evaluation guide for Windows Defender AV](/windows/threat-protection/windows-defender-antivirus//evaluate-windows-defender-antivirus) and [Deployment guide for Windows Defender AV in a virtual desktop infrastructure environment](/windows/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus). + + New features for Windows Defender AV in Windows 10 Enterprise 2019 LTSC include: +- [Updates to how the Block at First Sight feature can be configured](/windows/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [The ability to specify the level of cloud-protection](/windows/threat-protection/windows-defender-antivirus/specify-cloud-protection-level-windows-defender-antivirus) +- [Windows Defender Antivirus protection in the Windows Defender Security Center app](/windows/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus) + + We've [invested heavily in helping to protect against ransomware](https://blogs.windows.com/business/2016/11/11/defending-against-ransomware-with-windows-10-anniversary-update/#UJlHc6SZ2Zm44jCt.97), and we continue that investment with [updated behavior monitoring and always-on real-time protection](/windows/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). + + **Endpoint detection and response** is also enhanced. New **detection** capabilities include: +- [Use the threat intelligence API to create custom alerts](/windows/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection) - Understand threat intelligence concepts, enable the threat intel application, and create custom threat intelligence alerts for your organization. + - [Custom detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/overview-custom-detections). With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + - Improvements on OS memory and kernel sensors to enable detection of attackers who are using in-memory and kernel-level attacks. + - Upgraded detections of ransomware and other advanced attacks. + - Historical detection capability ensures new detection rules apply to up to six months of stored data to detect previous attacks that might not have been noticed. + + **Threat reponse** is improved when an attack is detected, enabling immediate action by security teams to contain a breach: +- [Take response actions on a machine](/windows/threat-protection/windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by isolating machines or collecting an investigation package. + - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. + +Additional capabilities have been added to help you gain a holistic view on **investigations** include: + - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) + - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) + - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. + - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. + - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. + +Other enhanced security features include: +- [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection) - Windows Defender ATP adds support for this scenario by providing MSSP integration. The integration will allow MSSPs to take the following actions: Get access to MSSP customer's Windows Defender Security Center portal, fetch email notifications, and fetch alerts through security information and event management (SIEM) tools. +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center) - Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration) - Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. +- [Onboard Windows Server 2019](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019) - Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/onboard-downlevel-windows-defender-advanced-threat-protection) - Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor. +- [Enable conditional access to better protect users, devices, and data](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection) + +We've also added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which includes domain, private, and public networks). + +You can read more about ransomware mitigations and detection capability at: +- [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/) +- [Ransomware Protection in Windows 10 Anniversary Update whitepaper (PDF)](http://wincom.blob.core.windows.net/documents/Ransomware_protection_in_Windows_10_Anniversary_Update.pdf) +- [Microsoft Malware Protection Center blog](https://blogs.technet.microsoft.com/mmpc/category/research/ransomware/) + +Also see [New capabilities of Windows Defender ATP further maximizing the effectiveness and robustness of endpoint security](https://blogs.windows.com/business/2018/04/17/new-capabilities-of-windows-defender-atp-further-maximizing-the-effectiveness-and-robustness-of-endpoint-security/#62FUJ3LuMXLQidVE.97) + +Get a quick, but in-depth overview of Windows Defender ATP for Windows 10: [Windows Defender Advanced Threat Protection](/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +For more information about features of Windows Defender ATP available in different editions of Windows 10, see the [Windows 10 commercial edition comparison](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf). + +### Information protection + +Improvements have been added to Windows Information Protection and BitLocker. + +#### Windows Information Protection + +Windows Information Protection is now designed to work with Microsoft Office and Azure Information Protection. For more information, see [Deploying and managing Windows Information Protection (WIP) with Azure Information Protection](https://myignite.microsoft.com/sessions/53660?source=sessions). + +Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. For more info, see [Create a Windows Information Protection (WIP) policy using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-wip-policy-using-intune) and [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](/windows/threat-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune). + +You can also now collect your audit event logs by using the Reporting configuration service provider (CSP) or the Windows Event Forwarding (for Windows desktop domain-joined devices). For info, see the brand-new topic, [How to collect Windows Information Protection (WIP) audit event logs](/windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs). + +This release enables support for WIP with Files on Demand, allows file encryption while the file is open in another app, and improves performance. For more information, see [OneDrive Files On-Demand For The Enterprise](https://techcommunity.microsoft.com/t5/OneDrive-Blog/OneDrive-Files-On-Demand-For-The-Enterprise/ba-p/117234). + +### BitLocker + +The minimum PIN length is being changed from 6 to 4, with a default of 6. For more information, see [BitLocker Group Policy settings](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-group-policy-settings#bkmk-unlockpol3). + +#### Silent enforcement on fixed drives + +Through a Modern Device Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +To achieve this: + +1. Configure the [encryption method settings](https://docs.microsoft.com/intune/endpoint-protection-windows-10#windows-encryption) in the Windows 10 Endpoint Protection profile to the desired encryption algorithm. +2. [Assign the policy](https://docs.microsoft.com/intune/device-profile-assign) to your Autopilot device group. + - **IMPORTANT**: The encryption policy must be assigned to **devices** in the group, not users. +3. Enable the Autopilot [Enrollment Status Page](https://docs.microsoft.com/windows/deployment/windows-autopilot/enrollment-status) (ESP) for these devices. + - **IMPORTANT**: If the ESP is not enabled, the policy will not apply before encryption starts. + +### Identity protection + +Improvements have been added are to Windows Hello for Business and Credential Guard. + +#### Windows Hello for Business + +New features in Windows Hello enable a better device lock experience, using multifactor unlock with new location and user proximity signals. Using Bluetooth signals, you can configure your Windows 10 device to automatically lock when you walk away from it, or to prevent others from accessing the device when you are not present. + +New features in [Windows Hello for Business](/windows/security/identity-protection/hello-for-business/hello-identity-verification.md) inlcude: +- You can now reset a forgotten PIN without deleting company managed data or apps on devices managed by [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). +- For Windows Phone devices, an administrator is able to initiate a remote PIN reset through the Intune portal. +- For Windows desktops, users are able to reset a forgotten PIN through **Settings > Accounts > Sign-in options**. For more details, check out [What if I forget my PIN?](/windows/security/identity-protection/hello-for-business/hello-features#pin-reset). + +[Windows Hello](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features) now supports FIDO 2.0 authentication for Azure AD Joined Windows 10 devices and has enhanced support for shared devices, as described in the [Kiosk configuration](#kiosk-configuration) section. +- Windows Hello is now [password-less on S-mode](https://www.windowslatest.com/2018/02/12/microsoft-make-windows-10-password-less-platform/). +- Support for S/MIME with Windows Hello for Business and APIs for non-Microsoft identity lifecycle management solutions. +- Windows Hello is part of the account protection pillar in Windows Defender Security Center. Account Protection will encourage password users to set up Windows Hello Face, Fingerprint or PIN for faster sign in, and will notify Dynamic lock users if Dynamic lock has stopped working because their phone or device Bluetooth is off. +- You can set up Windows Hello from lock screen for MSA accounts. We’ve made it easier for Microsoft account users to set up Windows Hello on their devices for faster and more secure sign-in. Previously, you had to navigate deep into Settings to find Windows Hello. Now, you can set up Windows Hello Face, Fingerprint or PIN straight from your lock screen by clicking the Windows Hello tile under Sign-in options. +- New [public API](https://docs.microsoft.com/uwp/api/windows.security.authentication.web.core.webauthenticationcoremanager.findallaccountsasync#Windows_Security_Authentication_Web_Core_WebAuthenticationCoreManager_FindAllAccountsAsync_Windows_Security_Credentials_WebAccountProvider_) for secondary account SSO for a particular identity provider. +- It is easier to set up Dynamic lock, and WD SC actionable alerts have been added when Dynamic lock stops working (ex: phone Bluetooth is off). + +For more information, see: [Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/#OdKBg3pwJQcEKCbJ.97) + +#### Windows Defender Credential Guard + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. + +Windows Defender Credential Guard has always been an optional feature, but Windows 10 in S mode turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on devices running Windows 10 in S mode. Please note that Windows Defender Credential Guard is available only to S mode devices or Enterprise and Education Editions. + +For more information, see [Credential Guard Security Considerations](/windows/access-protection/credential-guard/credential-guard-requirements#security-considerations). + +### Other security improvments + +#### Windows security baselines + +Microsoft has released new [Windows security baselines](https://docs.microsoft.com/windows/device-security/windows-security-baselines) for Windows Server and Windows 10. A security baseline is a group of Microsoft-recommended configuration settings with an explanation of their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +**Windows security baselines** have been updated for Windows 10. A [security baseline](https://docs.microsoft.com/windows/device-security/windows-security-baselines) is a group of Microsoft-recommended configuration settings and explains their security impact. For more information, and to download the Policy Analyzer tool, see [Microsoft Security Compliance Toolkit 1.0](https://docs.microsoft.com/windows/device-security/security-compliance-toolkit-10). + +The new [security baseline for Windows 10 version 1803](https://docs.microsoft.com/windows/security/threat-protection/security-compliance-toolkit-10) has been published. + +#### SMBLoris vulnerability + +An issue, known as “SMBLoris�?, which could result in denial of service, has been addressed. + +#### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](../images/defender.png "Windows Security Center") + +#### Group Policy Security Options + +The security setting [**Interactive logon: Display user information when the session is locked**](/windows/device-security/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked) has been updated to work in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. + +A new security policy setting +[**Interactive logon: Don't display username at sign-in**](/windows/device-security/security-policy-settings/interactive-logon-dont-display-username-at-sign-in) has been introduced in Windows 10 Enterprise 2019 LTSC. This security policy setting determines whether the username is displayed during sign in. It works in conjunction with the **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**. The setting only affects the **Other user** tile. + +#### Windows 10 in S mode + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](../images/virus-and-threat-protection.png "Virus & threat protection settings") + +## Deployment + +### Windows Autopilot + +[Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot) is a deployment tool introduced with Windows 10, version 1709 and is also available for Windows 10 Enterprise 2019 LTSC (and later versions). Windows Autopilot provides a modern device lifecycle management service powered by the cloud to deliver a zero touch experience for deploying Windows 10. + +Windows Autopilot is currently available with Surface, Dell, HP, and Lenovo. Other OEM partners such as Panasonic, and Acer will support Autopilot soon. Check the [Windows IT Pro Blog](https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog) or this article for updated information. + +Using Intune, Autopilot now enables locking the device during provisioning during the Windows Out Of Box Experience (OOBE) until policies and settings for the device get provisioned, thereby ensuring that by the time the user gets to the desktop, the device is secured and configured correctly. + +You can also apply an Autopilot deployment profile to your devices using Microsoft Store for Business. When people in your organization run the out-of-box experience on the device, the profile configures Windows based on the Autopilot deployment profile you applied to the device. For more information, see [Manage Windows device deployment with Windows Autopilot Deployment](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). + +#### Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider, and provision policies and applications, all with no user authentication or user interaction required. + +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/windows/deployment/windows-autopilot/self-deploying). + + +#### Autopilot Reset + +IT Pros can use Autopilot Reset to quickly remove personal files, apps, and settings. A custom login screen is available from the lock screen that enables you to apply original settings and management enrollment (Azure Active Directory and device management) so that devices are returned to a fully configured, known, IT-approved state and ready to use. For more information, see [Reset devices with Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset). + +### MBR2GPT.EXE + +MBR2GPT.EXE is a new command-line tool introduced with Windows 10, version 1703 and also available in Windows 10 Enterprise 2019 LTSC (and later versions). MBR2GPT converts a disk from Master Boot Record (MBR) to GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS). + +The GPT partition format is newer and enables the use of larger and more disk partitions. It also provides added data reliability, supports additional partition types, and enables faster boot and shutdown speeds. If you convert the system disk on a computer from MBR to GPT, you must also configure the computer to boot in UEFI mode, so make sure that your device supports UEFI before attempting to convert the system disk. + +Additional security features of Windows 10 that are enabled when you boot in UEFI mode include: Secure Boot, Early Launch Anti-malware (ELAM) driver, Windows Trusted Boot, Measured Boot, Device Guard, Credential Guard, and BitLocker Network Unlock. + +For details, see [MBR2GPT.EXE](/windows/deployment/mbr-to-gpt). + +### DISM + +The following new DISM commands have been added to manage feature updates: + + DISM /Online /Initiate-OSUninstall + – Initiates a OS uninstall to take the computer back to the previous installation of windows. + DISM /Online /Remove-OSUninstall + – Removes the OS uninstall capability from the computer. + DISM /Online /Get-OSUninstallWindow + – Displays the number of days after upgrade during which uninstall can be performed. + DISM /Online /Set-OSUninstallWindow + – Sets the number of days after upgrade during which uninstall can be performed. + +For more information, see [DISM operating system uninstall command-line options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/dism-uninstallos-command-line-options). + +### Windows Setup + +You can now run your own custom actions or scripts in parallel with Windows Setup. Setup will also migrate your scripts to next feature release, so you only need to add them once. + +Prerequisites: +- Windows 10, version 1803 or Windows 10 Enterprise 2019 LTSC, or later. +- Windows 10 Enterprise or Pro + +For more information, see [Run custom actions during feature update](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions). + +It is also now possible to run a script if the user rolls back their version of Windows using the PostRollback option. + + /PostRollback [\setuprollback.cmd] [/postrollback {system / admin}] + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#21) + +New command-line switches are also available to control BitLocker: + + Setup.exe /BitLocker AlwaysSuspend + – Always suspend bitlocker during upgrade. + Setup.exe /BitLocker TryKeepActive + – Enable upgrade without suspending bitlocker but if upgrade, does not work then suspend bitlocker and complete the upgrade. + Setup.exe /BitLocker ForceKeepActive + – Enable upgrade without suspending bitlocker, but if upgrade does not work, fail the upgrade. + +For more information, see [Windows Setup Command-Line Options](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-setup-command-line-options#33) + +### Feature update improvements + +Portions of the work done during the offline phases of a Windows update have been moved to the online phase. This has resulted in a significant reduction of offline time when installing updates. For more information, see [We're listening to you](https://insider.windows.com/en-us/articles/were-listening-to-you/). + +### SetupDiag + +[SetupDiag](https://docs.microsoft.com/windows/deployment/upgrade/setupdiag) is a new command-line tool that can help diagnose why a Windows 10 update failed. + +SetupDiag works by searching Windows Setup log files. When searching log files, SetupDiag uses a set of rules to match known issues. In the current version of SetupDiag there are 53 rules contained in the rules.xml file, which is extracted when SetupDiag is run. The rules.xml file will be updated as new versions of SetupDiag are made available. + +## Sign-in + +### Faster sign-in to a Windows 10 shared pc + +If you have shared devices deployed in your work place, **Fast sign-in** enables users to sign in to a [shared Windows 10 PC](https://docs.microsoft.com/windows/configuration/set-up-shared-or-guest-pc) in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809 or Windows 10 Enterprise 2019 LTSC. +2. Set the Policy CSP, and the **Authentication** and **EnableFastFirstSignIn** policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + + ![fast sign-in](../images/fastsignin.png "fast sign-in") + +### Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](../images/websignin.png "web sign-in") + +## Windows Analytics + +### Upgrade Readiness + +>[!IMPORTANT] +>Upgrade Readiness will not allow you to assess an upgrade to an LTSC release (LTSC builds are not available as target versions). However, you can enroll devices running LTSC to plan for an upgrade to a semi-annual channel release. + +Upgrade Readiness helps you ensure that applications and drivers are ready for a Windows 10 upgrade. The solution provides up-to-date application and driver inventory, information about known issues, troubleshooting guidance, and per-device readiness and tracking details. The Upgrade Readiness tool moved from public preview to general availability on March 2, 2017. + +The development of Upgrade Readiness has been heavily influenced by input from the community the development of new features is ongoing. To begin using Upgrade Readiness, add it to an existing Operation Management Suite (OMS) workspace or sign up for a new OMS workspace with the Upgrade Readiness solution enabled. + +For more information about Upgrade Readiness, see the following topics: + +- [Windows Analytics blog](https://blogs.technet.microsoft.com/upgradeanalytics/) +- [Manage Windows upgrades with Upgrade Readiness](/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness) + +Upgrade Readiness provides insights into application and driver compatibility issues. New capabilities include better app coverage, post-upgrade health reports, and enhanced report filtering capabilities. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + +### Update Compliance + +Update Compliance helps you to keep Windows 10 devices in your organization secure and up-to-date. + +Update Compliance is a solution built using OMS Log Analytics that provides information about installation status of monthly quality and feature updates. Details are provided about the deployment progress of existing updates and the status of future updates. Information is also provided about devices that might need attention to resolve issues. + +For more information about Update Compliance, see [Monitor Windows Updates with Update Compliance](/windows/deployment/update/update-compliance-monitor). + +New capabilities in Update Compliance let you monitor Windows Defender protection status, compare compliance with industry peers, and optimize bandwidth for deploying updates. For more information, see [Monitor Windows Updates and Windows Defender Antivirus with Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor). + +### Device Health + +Maintaining devices is made easier with Device Health, a new, premium analytic tool that identifies devices and drivers that crash frequently and might need to be rebuilt or replaced. For more information, see [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). + +## Accessibility and Privacy + +### Accessibility + +"Out of box" accessibility is enhanced with auto-generated picture descriptions. For more information about accessibility, see [Accessibility information for IT Professionals](https://docs.microsoft.com/windows/configuration/windows-10-accessibility-for-itpros). Also see the accessibility section in the [What’s new in the Windows 10 April 2018 Update](https://blogs.windows.com/windowsexperience/2018/04/30/whats-new-in-the-windows-10-april-2018-update/) blog post. + +### Privacy + +In the Feedback and Settings page under Privacy Settings you can now delete the diagnostic data your device has sent to Microsoft. You can also view this diagnostic data using the [Diagnostic Data Viewer](https://docs.microsoft.com/windows/configuration/diagnostic-data-viewer-overview) app. + +## Configuration + +### Kiosk configuration + +Microsoft Edge has many improvements specifically targeted to Kiosks, however Edge is not available in the LTSC release of Windows 10. Internet Explorer is included in Windows 10 LTSC releases as its feature set is not changing, and it will continue to get security fixes for the life of a Windows 10 LTSC release. + +If you wish to take advantage of [Kiosk capabilities in Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy), consider [Kiosk mode](https://docs.microsoft.com/windows/configuration/kiosk-methods) with a semi-annual release channel. + +### Co-management + +Intune and System Center Configuration Manager policies have been added to enable hyrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management. + +For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803) + +### OS uninstall period + +The OS uninstall period is a length of time that users are given when they can optionally roll back a Windows 10 update. With this release, administrators can use Intune or [DISM](#dism) to customize the length of the OS uninstall period. + +### Azure Active Directory join in bulk + +Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards. + +![get bulk token action in wizard](../images/bulk-token.png) + +### Windows Spotlight + +The following new Group Policy and mobile device management (MDM) settings are added to help you configure Windows Spotlight user experiences: + +- **Turn off the Windows Spotlight on Action Center** +- **Do not use diagnostic data for tailored experiences** +- **Turn off the Windows Welcome Experience** + +[Learn more about Windows Spotlight.](/windows/configuration/windows-spotlight) + +### Start and taskbar layout + +Previously, the customized taskbar could only be deployed using Group Policy or provisioning packages. Windows 10 Enterprise 2019 LTSC adds support for customized taskbars to [MDM](/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management). + +[Additional MDM policy settings are available for Start and taskbar layout](/windows/configuration/windows-10-start-layout-options-and-policies). New MDM policy settings include: + +- Settings for the User tile: [**Start/HideUserTile**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile), [**Start/HideSwitchAccount**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount), [**Start/HideSignOut**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout), [**Start/HideLock**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock), and [**Start/HideChangeAccountSettings**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) +- Settings for Power: [**Start/HidePowerButton**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton), [**Start/HideHibernate**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate), [**Start/HideRestart**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart), [**Start/HideShutDown**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown), and [**Start/HideSleep**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) +- Additional new settings: [**Start/HideFrequentlyUsedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps), [**Start/HideRecentlyAddedApps**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps), **AllowPinnedFolder**, **ImportEdgeAssets**, [**Start/HideRecentJumplists**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists), [**Start/NoPinningToTaskbar**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar), [**Settings/PageVisibilityList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-pagevisibilitylist), and [**Start/HideAppsList**](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist). + +## Windows Update + +### Windows Update for Business + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +Windows Update for Business now provides greater control over updates, with the ability to pause and uninstall problematic updates using Intune. For more information, see [Manage software updates in Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure). + +The pause feature has been changed, and now requires a start date to set up. Users are now able to pause through **Settings > Update & security > Windows Update > Advanced options** in case a policy has not been configured. We have also increased the pause limit on quality updates to 35 days. You can find more information on pause in [Pause Feature Updates](/windows/deployment/update/waas-configure-wufb#pause-feature-updates) and [Pause Quality Updates](/windows/deployment/update/waas-configure-wufb#pause-quality-updates). + + +Windows Update for Business managed devices are now able to defer feature update installation by up to 365 days (it used to be 180 days). In settings, users are able to select their branch readiness level and update deferal periods. See [Configure devices for Current Branch (CB) or Current Branch for Business (CBB)](/windows/deployment/update/waas-configure-wufb#configure-devices-for-current-branch-or-current-branch-for-business), [Configure when devices receive Feature Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-feature-updates) and [Configure when devices receive Quality Updates](/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-quality-updates) for details. + +WUfB now has additional controls available to manage Windows Insider Program enrollment through policies. For more information, see [Manage Windows Insider Program flights](https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb#configure-when-devices-receive-windows-insider-preview-builds). + +### Windows Insider for Business + +We recently added the option to download Windows 10 Insider Preview builds using your corporate credentials in Azure Active Directory (AAD). By enrolling devices in AAD, you increase the visibility of feedback submitted by users in your organization – especially on features that support your specific business needs. For details, see [Windows Insider Program for Business](/windows/deployment/update/waas-windows-insider-for-business). + +You can now register your Azure AD domains to the Windows Insider Program. For more information, see [Windows Insider Program for Business](https://docs.microsoft.com/windows/deployment/update/waas-windows-insider-for-business#getting-started-with-windows-insider-program-for-business). + + +### Optimize update delivery + +With changes delivered in Windows 10 Enterprise 2019 LTSC, [Express updates](/windows/deployment/update/waas-optimize-windows-10-updates#express-update-delivery) are now fully supported with System Center Configuration Manager, starting with version 1702 of Configuration Manager, as well as with other third-party updating and management products that [implement this new functionality](https://technet.microsoft.com/windows-server-docs/management/windows-server-update-services/deploy/express-update-delivery-isv-support). This is in addition to current Express support on Windows Update, Windows Update for Business and WSUS. + +>[!NOTE] +> The above changes can be made available to Windows 10, version 1607, by installing the April 2017 cumulative update. + +Delivery Optimization policies now enable you to configure additional restrictions to have more control in various scenarios. + +Added policies include: +- [Allow uploads while the device is on battery while under set Battery level](/windows/deployment/update/waas-delivery-optimization#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) +- [Enable Peer Caching while the device connects via VPN](/windows/deployment/update/waas-delivery-optimization#enable-peer-caching-while-the-device-connects-via-vpn) +- [Minimum RAM (inclusive) allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-ram-allowed-to-use-peer-caching) +- [Minimum disk size allowed to use Peer Caching](/windows/deployment/update/waas-delivery-optimization#minimum-disk-size-allowed-to-use-peer-caching) +- [Minimum Peer Caching Content File Size](/windows/deployment/update/waas-delivery-optimization#minimum-peer-caching-content-file-size) + +To check out all the details, see [Configure Delivery Optimization for Windows 10 updates](/windows/deployment/update/waas-delivery-optimization) + +### Uninstalled in-box apps no longer automatically reinstall + +Starting with Windows 10 Enterprise 2019 LTSC, in-box apps that were uninstalled by the user won't automatically reinstall as part of the feature update installation process. + +Additionally, apps de-provisioned by admins on Windows 10 Enterprise 2019 LTSC machines will stay de-provisioned after future feature update installations. This will not apply to the update from Windows 10 Enterprise 2016 LTSC (or earlier) to Windows 10 Enterprise 2019 LTSC. + +## Management + +### New MDM capabilities + +Windows 10 Enterprise 2019 LTSC adds many new [configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) that provide new capabilities for managing Windows 10 devices using MDM or provisioning packages. Among other things, these CSPs enable you to configure a few hundred of the most useful Group Policy settings via MDM - see [Policy CSP - ADMX-backed policies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-admx-backed). + +Some of the other new CSPs are: + +- The [DynamicManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/dynamicmanagement-csp) allows you to manage devices differently depending on location, network, or time. For example, managed devices can have cameras disabled when at a work location, the cellular service can be disabled when outside the country to avoid roaming charges, or the wireless network can be disabled when the device is not within the corporate building or campus. Once configured, these settings will be enforced even if the device can’t reach the management server when the location or network changes. The Dynamic Management CSP enables configuration of policies that change how the device is managed in addition to setting the conditions on which the change occurs. + +- The [CleanPC CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/cleanpc-csp) allows removal of user-installed and pre-installed applications, with the option to persist user data. + +- The [BitLocker CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/bitlocker-csp) is used to manage encryption of PCs and devices. For example, you can require storage card encryption on mobile devices, or require encryption for operating system drives. + +- The [NetworkProxy CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/networkproxy-csp) is used to configure a proxy server for ethernet and Wi-Fi connections. + +- The [Office CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/office-csp) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/library/jj219426.aspx). + +- The [EnterpriseAppVManagement CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterpriseappvmanagement-csp) is used to manage virtual applications in Windows 10 PCs (Enterprise and Education editions) and enables App-V sequenced apps to be streamed to PCs even when managed by MDM. + +IT pros can use the new [MDM Migration Analysis Tool (MMAT)](https://aka.ms/mmat) to determine which Group Policy settings have been configured for a user or computer and cross-reference those settings against a built-in list of supported MDM policies. MMAT can generate both XML and HTML reports indicating the level of support for each Group Policy setting and MDM equivalents. + +[Learn more about new MDM capabilities.](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/new-in-windows-mdm-enrollment-management#whatsnew10) + +MDM has been expanded to include domain joined devices with Azure Active Directory registration. Group Policy can be used with Active Directory joined devices to trigger auto-enrollment to MDM. For more information, see [Enroll a Windows 10 device automatically using Group Policy](https://docs.microsoft.com/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy). + +Multiple new configuration items are also added. For more information, see [What's new in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1709). + +### Mobile application management support for Windows 10 + +The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10 Enterprise 2019 LTSC. + +For more info, see [Implement server-side support for mobile application management on Windows](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/implement-server-side-mobile-application-management). + +### MDM diagnostics + +In Windows 10 Enterprise 2019 LTSC, we continue our work to improve the diagnostic experience for modern management. By introducing auto-logging for mobile devices, Windows will automatically collect logs when encountering an error in MDM, eliminating the need to have always-on logging for memory-constrained devices. Additionally, we are introducing [Microsoft Message Analyzer](https://www.microsoft.com/download/details.aspx?id=44226) as an additional tool to help Support personnel quickly reduce issues to their root cause, while saving time and cost. + +### Application Virtualization for Windows (App-V) + +Previous versions of the Microsoft Application Virtualization Sequencer (App-V Sequencer) have required you to manually create your sequencing environment. Windows 10 Enterprise 2019 LTSC introduces two new PowerShell cmdlets, New-AppVSequencerVM and Connect-AppvSequencerVM, which automatically create your sequencing environment for you, including provisioning your virtual machine. Additionally, the App-V Sequencer has been updated to let you sequence or update multiple apps at the same time, while automatically capturing and storing your customizations as an App-V project template (.appvt) file, and letting you use PowerShell or Group Policy settings to automatically cleanup your unpublished packages after a device restart. + +For more info, see the following topics: +- [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-provision-a-vm) +- [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-sequencing) +- [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](/windows/application-management/app-v/appv-auto-batch-updating) +- [Automatically cleanup unpublished packages on the App-V client](/windows/application-management/app-v/appv-auto-clean-unpublished-packages) + +### Windows diagnostic data + +Learn more about the diagnostic data that's collected at the Basic level and some examples of the types of data that is collected at the Full level. + +- [Windows 10, version 1703 basic level Windows diagnostic events and fields](/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) +- [Windows 10, version 1703 Diagnostic Data](/windows/configuration/windows-diagnostic-data-1703) + +### Group Policy spreadsheet + +Learn about the new Group Policies that were added in Windows 10 Enterprise 2019 LTSC. + +- [Group Policy Settings Reference for Windows and Windows Server](https://www.microsoft.com/download/details.aspx?id=25250) + +### Mixed Reality Apps + +This version of Windows 10 introduces [Windows Mixed Reality](https://blogs.windows.com/windowsexperience/2017/10/03/the-era-of-windows-mixed-reality-begins-october-17/). Organizations that use WSUS must take action to enable Windows Mixed Reality. You can also prohibit use of Windows Mixed Reality by blocking installation of the Mixed Reality Portal. For more information, see [Enable or block Windows Mixed Reality apps in the enterprise](https://docs.microsoft.com/windows/application-management/manage-windows-mixed-reality). + +## Networking + +### Network stack + +Several network stack enhancements are available in this release. Some of these features were also available in Windows 10, version 1703. For more information, see [Core Network Stack Features in the Creators Update for Windows 10](https://blogs.technet.microsoft.com/networking/2017/07/13/core-network-stack-features-in-the-creators-update-for-windows-10/). + +### Miracast over Infrastructure + +In this version of Windows 10, Microsoft has extended the ability to send a Miracast stream over a local network rather than over a direct wireless link. This functionality is based on the [Miracast over Infrastructure Connection Establishment Protocol (MS-MICE)](https://msdn.microsoft.com/library/mt796768.aspx). + +How it works: + +Users attempt to connect to a Miracast receiver as they did previously. When the list of Miracast receivers is populated, Windows 10 will identify that the receiver is capable of supporting a connection over the infrastructure. When the user selects a Miracast receiver, Windows 10 will attempt to resolve the device's hostname via standard DNS, as well as via multicast DNS (mDNS). If the name is not resolvable via either DNS method, Windows 10 will fall back to establishing the Miracast session using the standard Wi-Fi direct connection. + +Miracast over Infrastructure offers a number of benefits: + +- Windows automatically detects when sending the video stream over this path is applicable. +- Windows will only choose this route if the connection is over Ethernet or a secure Wi-Fi network. +- Users do not have to change how they connect to a Miracast receiver. They use the same UX as for standard Miracast connections. +- No changes to current wireless drivers or PC hardware are required. +- It works well with older wireless hardware that is not optimized for Miracast over Wi-Fi Direct. +- It leverages an existing connection which both reduces the time to connect and provides a very stable stream. + +Enabling Miracast over Infrastructure: + +If you have a device that has been updated to Windows 10 Enterprise 2019 LTSC, then you automatically have this new feature. To take advantage of it in your environment, you need to ensure the following is true within your deployment: + +- The device (PC, phone, or Surface Hub) needs to be running Windows 10, version 1703, Windows 10 Enterprise 2019 LTSC, or a later OS. +- A Windows PC or Surface Hub can act as a Miracast over Infrastructure *receiver*. A Windows PC or phone can act as a Miracast over Infrastructure *source*. + - As a Miracast receiver, the PC or Surface Hub must be connected to your enterprise network via either Ethernet or a secure Wi-Fi connection (e.g. using either WPA2-PSK or WPA2-Enterprise security). If the Hub is connected to an open Wi-Fi connection, Miracast over Infrastructure will disable itself. + - As a Miracast source, the PC or phone must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. +- The DNS Hostname (device name) of the device needs to be resolvable via your DNS servers. You can achieve this by either allowing your device to register automatically via Dynamic DNS, or by manually creating an A or AAAA record for the device's hostname. +- Windows 10 PCs must be connected to the same enterprise network via Ethernet or a secure Wi-Fi connection. + +It is important to note that Miracast over Infrastructure is not a replacement for standard Miracast. Instead, the functionality is complementary, and provides an advantage to users who are part of the enterprise network. Users who are guests to a particular location and don’t have access to the enterprise network will continue to connect using the Wi-Fi Direct connection method. + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](../images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click **Connect**. + +- Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click **More choices** to choose alternate credentials. +- Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. + +See the following example: + +![Enter your credentials](../images/RDPwBioTime.png "Windows Hello") +![Enter your credentials](../images/RDPwBio2.png "Windows Hello personal") +![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## See Also + +[Windows 10 Enterprise LTSC](index.md): A short description of the LTSC servicing channel with links to information about each release. diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md index 7bf5f8b3ee..b4e4f4f224 100644 --- a/windows/whats-new/whats-new-windows-10-version-1809.md +++ b/windows/whats-new/whats-new-windows-10-version-1809.md @@ -67,7 +67,7 @@ This is an update to the [BitLocker CSP](https://docs.microsoft.com/windows/clie This feature will soon be enabled on Olympia Corp as an optional feature. -#### Delivering BitLocker policy to AutoPilot devices during OOBE +#### Delivering BitLocker policy to AutoPilot devices during OOBE You can choose which encryption algorithm to apply to BitLocker encryption capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before BitLocker encryption begins. From c80a206c5e019fe53bb3912f8a3bf03ab9701229 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Sat, 10 Aug 2019 17:48:13 -0400 Subject: [PATCH 22/37] chore: Replace "syntax" blocks with specific languages --- ...ng-microsoft-office-2016-by-using-app-v.md | 4 +- .../configuring-med-v-for-remote-networks.md | 2 +- .../med-v-trim-transfer-technology-medvv2.md | 2 +- .../client-management/mdm/applocker-csp.md | 6 +- ...e-active-directory-integration-with-mdm.md | 2 +- .../mdm/clientcertificateinstall-csp.md | 4 +- .../mdm/cm-proxyentries-csp.md | 2 +- windows/client-management/mdm/defender-csp.md | 4 +- .../diagnose-mdm-failures-in-windows-10.md | 2 +- windows/client-management/mdm/dmacc-csp.md | 2 +- .../mdm/eap-configuration.md | 10 +- .../mdm/healthattestation-csp.md | 137 +++--- .../mdm/policy-csp-update.md | 28 +- .../client-management/mdm/remotelock-csp.md | 4 +- .../client-management/mdm/remotering-csp.md | 14 +- .../client-management/mdm/reporting-csp.md | 4 +- .../mdm/securitypolicy-csp.md | 8 +- .../structure-of-oma-dm-provisioning-files.md | 8 +- windows/client-management/mdm/supl-csp.md | 2 +- .../client-management/mdm/surfacehub-csp.md | 92 ++-- .../client-management/mdm/tpmpolicy-csp.md | 32 +- windows/client-management/mdm/vpnv2-csp.md | 429 +++++++++--------- .../mdm/vpnv2-profile-xsd.md | 2 +- .../mdm/w7-application-csp.md | 2 +- windows/client-management/mdm/wifi-csp.md | 54 +-- .../windowsadvancedthreatprotection-csp.md | 2 +- .../mdm/wmi-providers-supported-in-windows.md | 4 +- 27 files changed, 429 insertions(+), 433 deletions(-) diff --git a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md index 203086f71b..4dbf7f3b64 100644 --- a/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md +++ b/mdop/appv-v5/deploying-microsoft-office-2016-by-using-app-v.md @@ -222,7 +222,7 @@ The XML file that is included in the Office Deployment Tool specifies the produc 2. With the sample configuration.xml file open and ready for editing, you can specify products, languages, and the path to which you save the Office 2016 applications. The following is a basic example of the configuration.xml file: - ``` syntax + ```xml @@ -633,7 +633,7 @@ You may want to disable specific applications in your Office App-V package. For 5. Add the Office 2016 App-V Package with the new Deployment Configuration File. - ``` syntax + ```xml Lync 2016 diff --git a/mdop/medv-v1/configuring-med-v-for-remote-networks.md b/mdop/medv-v1/configuring-med-v-for-remote-networks.md index a7a19283f2..34aa837bcd 100644 --- a/mdop/medv-v1/configuring-med-v-for-remote-networks.md +++ b/mdop/medv-v1/configuring-med-v-for-remote-networks.md @@ -53,7 +53,7 @@ When applying new settings, the service must be restarted. - You can change the IIS authentication scheme to one of the following: BASIC, DIGEST, NTLM, or NEGOTIATE. The default is NEGOTIATE and uses the following entry: - ``` syntax + ```xml diff --git a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md index e8b68e25fc..62702d952d 100644 --- a/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md +++ b/mdop/medv-v1/med-v-trim-transfer-technology-medvv2.md @@ -32,7 +32,7 @@ You can configure which folders are indexed on the host as part of the Trim Tran When applying new settings, the service must be restarted. -``` syntax +```xml - %WINDIR% diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 79fb1d0045..356fa67a5f 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -830,7 +830,7 @@ The following list shows the apps that may be included in the inbox. The following example disables the calendar application. -``` syntax +```xml @@ -854,7 +854,7 @@ The following example disables the calendar application. The following example blocks the usage of the map application. -``` syntax +```xml @@ -1394,7 +1394,7 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo ## Example for Windows 10 Holographic for Business The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings. -``` syntax +```xml 1 diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 5664409319..41612181c5 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -372,7 +372,7 @@ Data type is string. Enroll a client certificate through SCEP. -``` syntax +```xml @@ -571,7 +571,7 @@ Enroll a client certificate through SCEP. Add a PFX certificate. The PFX certificate password is encrypted with a custom certificate fro "My" store. -``` syntax +```xml diff --git a/windows/client-management/mdm/cm-proxyentries-csp.md b/windows/client-management/mdm/cm-proxyentries-csp.md index 432b10a418..301c28ea8e 100644 --- a/windows/client-management/mdm/cm-proxyentries-csp.md +++ b/windows/client-management/mdm/cm-proxyentries-csp.md @@ -90,7 +90,7 @@ Specifies the username used to connect to the proxy. To delete both a proxy and its associated connection, you must delete the proxy first, and then delete the connection. The following example shows how to delete the proxy and then the connection. -``` syntax +```xml diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 2579fa4d39..744a4be799 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -215,7 +215,7 @@ Supported product status values: Example: -``` syntax +```xml @@ -224,7 +224,7 @@ Example: ./Vendor/MSFT/Defender/Health/ProductStatus - + diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md index 31cb8df991..85de08a137 100644 --- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md +++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md @@ -73,7 +73,7 @@ When the PC is already enrolled in MDM, you can remotely collect logs from the P Example: Enable the Debug channel logging -``` syntax +```xml diff --git a/windows/client-management/mdm/dmacc-csp.md b/windows/client-management/mdm/dmacc-csp.md index 09b61984c1..aa61f9d50b 100644 --- a/windows/client-management/mdm/dmacc-csp.md +++ b/windows/client-management/mdm/dmacc-csp.md @@ -262,7 +262,7 @@ Stores specifies which certificate stores the DM client will search to find the Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: -``` syntax +```xml ``` diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md index 49635be46f..03e82dc9e8 100644 --- a/windows/client-management/mdm/eap-configuration.md +++ b/windows/client-management/mdm/eap-configuration.md @@ -56,7 +56,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras 9. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML. - ``` syntax + ```powershell Get-VpnConnection -Name Test ``` @@ -80,17 +80,17 @@ Here is an easy way to get the EAP configuration from your desktop using the ras IdleDisconnectSeconds : 0 ``` - ``` syntax + ```powershell $a = Get-VpnConnection -Name Test ``` - ``` syntax + ```powershell $a.EapConfigXmlStream.InnerXml ``` Here is an example output - ``` syntax + ```xml 1300 13 diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index a14f71ce2d..3870f7d385 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -314,16 +314,16 @@ For DHA-OnPrem & DHA-EMC scenarios, send a SyncML command to the HASEndpoint nod The following example shows a sample call that instructs a managed device to communicate with an enterprise managed DHA-Service. -``` syntax - - 1 - - - ./Vendor/MSFT/HealthAttestation/HASEndpoint - - www.ContosoDHA-Service - - +```xml + + 1 + + + ./Vendor/MSFT/HealthAttestation/HASEndpoint + + www.ContosoDHA-Service + + ``` @@ -334,24 +334,24 @@ Send a SyncML call to start collection of the DHA-Data. The following example shows a sample call that triggers collection and verification of health attestation data from a managed device. -``` syntax - - 1 - - - ./Vendor/MSFT/HealthAttestation/VerifyHealth - - - +```xml + + 1 + + + ./Vendor/MSFT/HealthAttestation/VerifyHealth + + + - - 2 - - - ./Vendor/MSFT/HealthAttestation/Status - - - + + 2 + + + ./Vendor/MSFT/HealthAttestation/Status + + + ``` ## **Step 4: Take action based on the clients response** @@ -364,21 +364,21 @@ After the client receives the health attestation request, it sends a response. T Here is a sample alert that is issued by DHA_CSP: -``` syntax - - 1 - 1226 - - - ./Vendor/MSFT/HealthAttestation/VerifyHealth - - - com.microsoft.mdm:HealthAttestation.Result - int - - 3 - - +```xml + + 1 + 1226 + + + ./Vendor/MSFT/HealthAttestation/VerifyHealth + + + com.microsoft.mdm:HealthAttestation.Result + int + + 3 + + ``` - If the response to the status node is not 0, 1 or 3, then troubleshoot the issue. For the complete list of status codes see [Device HealthAttestation CSP status and error codes](#device-healthattestation-csp-status-and-error-codes). @@ -389,35 +389,34 @@ Create a call to the **Nonce**, **Certificate** and **CorrelationId** nodes, and Here is an example: -``` syntax +```xml - 1 - - - ./Vendor/MSFT/HealthAttestation/Nonce - - AAAAAAAAAFFFFFFF - + 1 + + + ./Vendor/MSFT/HealthAttestation/Nonce + + AAAAAAAAAFFFFFFF + - - 2 - - - ./Vendor/MSFT/HealthAttestation/Certificate - - - - - - 3 - - - ./Vendor/MSFT/HealthAttestation/CorrelationId - - - + + 2 + + + ./Vendor/MSFT/HealthAttestation/Certificate + + + + + 3 + + + ./Vendor/MSFT/HealthAttestation/CorrelationId + + + ``` ## **Step 6: Forward device health attestation data to DHA-service** @@ -1019,8 +1018,8 @@ Each of these are described in further detail in the following sections, along w ## DHA-Report V3 schema -``` syntax - +```xml + Example -``` syntax - - $CmdID$ - - - chr - text/plain - - - ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl - - http://abcd-srv:8530 - - +```xml + + $CmdID$ + + + chr + text/plain + + + ./Vendor/MSFT/Policy/Config/Update/UpdateServiceUrl + + http://abcd-srv:8530 + + ``` diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index ea985de378..3ea4ca8ee0 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -117,7 +117,7 @@ A Get operation on this node must follow an Exec operation on the /RemoteLock/Lo Initiate a remote lock of the device. -``` syntax +```xml 1 @@ -130,7 +130,7 @@ Initiate a remote lock of the device. Initiate a remote lock and PIN reset of the device. To successfully retrieve the new device-generated PIN, the commands must be executed together and in the proper sequence as shown below. -``` syntax +```xml 1 diff --git a/windows/client-management/mdm/remotering-csp.md b/windows/client-management/mdm/remotering-csp.md index 21149dd08e..726df442f0 100644 --- a/windows/client-management/mdm/remotering-csp.md +++ b/windows/client-management/mdm/remotering-csp.md @@ -31,14 +31,14 @@ The supported operation is Exec. The following sample shows how to initiate a remote ring on the device. -``` syntax +```xml - 5 - - - ./Vendor/MSFT/RemoteRing/Ring - - + 5 + + + ./Vendor/MSFT/RemoteRing/Ring + + ``` diff --git a/windows/client-management/mdm/reporting-csp.md b/windows/client-management/mdm/reporting-csp.md index 44828e2d90..1f1391ff33 100644 --- a/windows/client-management/mdm/reporting-csp.md +++ b/windows/client-management/mdm/reporting-csp.md @@ -81,7 +81,7 @@ Supported operations are Get and Replace. Retrieve all available Windows Information Protection (formerly known as Enterprise Data Protection) logs starting from the specified StartTime. -``` syntax +```xml @@ -104,7 +104,7 @@ Retrieve all available Windows Information Protection (formerly known as Enterpr Retrieve a specified number of security auditing logs starting from the specified StartTime. -``` syntax +```xml diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md index 91478addbe..9b8b3ce65d 100644 --- a/windows/client-management/mdm/securitypolicy-csp.md +++ b/windows/client-management/mdm/securitypolicy-csp.md @@ -199,7 +199,7 @@ The following security roles are supported. Setting a security policy: -``` syntax +```xml @@ -209,7 +209,7 @@ Setting a security policy: Querying a security policy: -``` syntax +```xml @@ -222,7 +222,7 @@ Querying a security policy: Setting a security policy: -``` syntax +```xml … @@ -245,7 +245,7 @@ Setting a security policy: Querying a security policy: -``` syntax +```xml … diff --git a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md index 7791fe19fd..0e0293bca8 100644 --- a/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md +++ b/windows/client-management/mdm/structure-of-oma-dm-provisioning-files.md @@ -53,7 +53,7 @@ The following table shows the OMA DM versions that are supported. The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1 for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the [OMA Device Management Protocol 1.2.1](https://go.microsoft.com/fwlink/p/?LinkId=526902) specification. -``` syntax +```xml 1.2 @@ -107,7 +107,7 @@ The following example shows the header component of a DM message. In this case,   -``` syntax +```xml 1.2 DM/1.2 @@ -130,7 +130,7 @@ SyncBody contains one or more DM commands. The SyncBody can contain multiple DM The following example shows the body component of a DM message. In this example, SyncBody contains only one command, Get. This is indicated by the <Final /> tag that occurs immediately after the terminating tag for the Get command. -``` syntax +```xml @@ -157,7 +157,7 @@ The Replace command is used to update a device setting. The following example illustrates how to use the Replace command to update a device setting. -``` syntax +```xml 1.2 DM/1.2 diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index ded1d293de..09ea7f32d0 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md @@ -481,7 +481,7 @@ Adding a SUPL and a V2 UPL account to the same device. Values in italic must be Adding a SUPL account to a device. Values in italic must be replaced with correct settings for the mobile operator network. A valid binary blob must be included for the root certificate data value. -``` syntax +```xml diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 50b1862e82..fcb23c170c 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -39,52 +39,52 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

Here's a SyncML example. -``` syntax - - - - 1 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/UserPrincipalName - - - chr - - user@contoso.com - - - - 2 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/Password - - - chr - - password - - - - 3 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/ValidateAndCommit - - - - - 4 - - - ./Vendor/MSFT/SurfaceHub/DeviceAccount/ErrorContext - - - - - - +```xml + + + + 1 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/UserPrincipalName + + + chr + + user@contoso.com + + + + 2 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/Password + + + chr + + password + + + + 3 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/ValidateAndCommit + + + + + 4 + + + ./Vendor/MSFT/SurfaceHub/DeviceAccount/ErrorContext + + + + + + ```

To use a device account from Active Directory diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index e546efa7f6..36f46f9df1 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -37,20 +37,20 @@ The following diagram shows the TPMPolicy configuration service provider in tree Here is an example: -``` syntax - - 101 - - - - ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust - - - - bool - text/plain - - true - - +```xml + + 101 + + + + ./Vendor/MSFT/TpmPolicy/IsActiveZeroExhaust + + + + bool + text/plain + + true + + ``` diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 5fa7655902..fa5597ecf6 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -598,7 +598,7 @@ Value type is bool. Supported operations include Get, Add, Replace, and Delete. Profile example -``` syntax +```xml @@ -657,244 +657,241 @@ Profile example AppTriggerList -``` syntax +```xml - - 10013 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id - - %PROGRAMFILES%\Internet Explorer\iexplore.exe - - - - 10014 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id - - %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe - - - - - 10015 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id - - Microsoft.MicrosoftEdge_8wekyb3d8bbwe - - + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/0/App/Id + + %PROGRAMFILES%\Internet Explorer\iexplore.exe + + + + 10014 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/1/App/Id + + %PROGRAMFILES% (x86)\Internet Explorer\iexplore.exe + + + + + 10015 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/AppTriggerList/2/App/Id + + Microsoft.MicrosoftEdge_8wekyb3d8bbwe + + ``` RouteList and ExclusionRoute -``` syntax - - - 10008 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address - - 192.168.0.0 - - - - 10009 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize - - - int - - 24 - - - - 10010 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute - - - bool - - true - - - +```xml + + 10008 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/Address + + 192.168.0.0 + + + + 10009 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/PrefixSize + + + int + + 24 + + + + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/RouteList/0/ExclusionRoute + + + bool + + true + + ``` DomainNameInformationList -``` syntax - - - - 10013 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName - - .contoso.com - - - - 10014 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers - - 192.168.0.11,192.168.0.12 - - - +```xml + + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DomainName + + .contoso.com + + + + 10014 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/DnsServers + + 192.168.0.11,192.168.0.12 + + + - - 10013 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName - - .contoso.com - - - - - 10015 - - -./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers - - 192.168.0.100:8888 - - - + + 10013 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/DomainName + + .contoso.com + + + + + 10015 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/WebProxyServers + + 192.168.0.100:8888 + + + - - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName - - finance.contoso.com - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers - - 192.168.0.11,192.168.0.12 - - - + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DomainName + + finance.contoso.com + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/2/DnsServers + + 192.168.0.11,192.168.0.12 + + + - - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName - - finance.contoso.com - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers - - 192.168.0.11:8080 - - - + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/DomainName + + finance.contoso.com + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/3/WebProxyServers + + 192.168.0.11:8080 + + + - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName - - . - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers - - 192.168.0.11,192.168.0.12 - - - + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DomainName + + . + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/4/DnsServers + + 192.168.0.11,192.168.0.12 + + + - - - 10016 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName - - . - - - - 10017 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers - - 192.168.0.11 - - + + + 10016 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/DomainName + + . + + + + 10017 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/5/WebProxyServers + + 192.168.0.11 + + ``` AutoTrigger -``` syntax +```xml - 10010 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger - - - bool - - true - - + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/0/AutoTrigger + + + bool + + true + + ``` Persistent -``` syntax +```xml - 10010 - - - ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent - - - bool - - true - - + 10010 + + + ./Vendor/MSFT/VPNv2/VPNProfileName/DomainNameInformationList/1/Persistent + + + bool + + true + + ``` TrafficFilterLIst App -``` syntax +```xml Desktop App 10013 @@ -929,7 +926,7 @@ TrafficFilterLIst App Protocol, LocalPortRanges, RemotePortRanges, LocalAddressRanges, RemoteAddressRanges, RoutingPolicyType, EDPModeId, RememberCredentials, AlwaysOn, Lockdown, DnsSuffix, TrustedNetworkDetection -``` syntax +```xml Protocol $CmdID$ @@ -1077,7 +1074,7 @@ Protocol Proxy - Manual or AutoConfigUrl -``` syntax +```xml Manual $CmdID$ @@ -1103,7 +1100,7 @@ Manual Device Compliance - Sso -``` syntax +```xml Enabled 10011 @@ -1143,7 +1140,7 @@ Device Compliance - Sso PluginProfile -``` syntax +```xml PluginPackageFamilyName @@ -1181,7 +1178,7 @@ PluginPackageFamilyName NativeProfile -``` syntax +```xml Servers 10001 diff --git a/windows/client-management/mdm/vpnv2-profile-xsd.md b/windows/client-management/mdm/vpnv2-profile-xsd.md index 2aa15af132..fbb8abae88 100644 --- a/windows/client-management/mdm/vpnv2-profile-xsd.md +++ b/windows/client-management/mdm/vpnv2-profile-xsd.md @@ -344,7 +344,7 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro ## Plug-in profile example -``` syntax +```xml testserver1.contoso.com;testserver2.contoso..com diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 0a7adafa8c..eff35b4fd4 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -160,7 +160,7 @@ Stores specifies which certificate stores the DM client will search to find the Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following: -``` syntax +```xml ``` diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index 7db7e01ffb..79992abc08 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -121,7 +121,7 @@ These XML examples show how to perform various tasks using OMA DM. The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwork,' a proxy URL 'testproxy,' and port 80. -``` syntax +```xml @@ -160,7 +160,7 @@ The following example shows how to add PEAP-MSCHAPv2 network with SSID 'MyNetwor The following example shows how to query Wi-Fi profiles installed on an MDM server. -``` syntax +```xml 301 @@ -173,7 +173,7 @@ The following example shows how to query Wi-Fi profiles installed on an MDM serv The following example shows the response. -``` syntax +```xml 3 1 @@ -190,17 +190,17 @@ The following example shows the response. The following example shows how to remove a network with SSID ‘MyNetwork’ and no proxy. Removing all network authentication types is done in this same manner. -``` syntax +```xml - 300 - - 301 - - - ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml - - - + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + ``` @@ -208,21 +208,21 @@ The following example shows how to remove a network with SSID ‘MyNetwork’ an The following example shows how to add PEAP-MSCHAPv2 network with SSID ‘MyNetwork’ and root CA validation for server certificate. -``` syntax +```xml - 300 - - 301 - - - ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml - - - chr - - MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse - - + 300 + + 301 + + + ./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml + + + chr + + MyNetworkMyNetworkfalseESSmanualWPA2AEStrueuser2500025true InsertCertThumbPrintHere truefalse26falsefalsefalsetruefalse + + ``` diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 6ae22efd72..2508fa2863 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -120,7 +120,7 @@ The following list describes the characteristics and parameters. ## Examples -``` syntax +```xml diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 4d421e7c6a..b6fb182eae 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -27,7 +27,7 @@ The child node names of the result from a WMI query are separated by a forward s Get the list of network adapters from the device. -``` syntax +```xml ./cimV2/Win32_NetworkAdapter @@ -37,7 +37,7 @@ Get the list of network adapters from the device. Result -``` syntax +```xml ./cimV2/Win32_NetworkAdapter From 6890f078457b1c42b35c6f67f8e723ef3987411e Mon Sep 17 00:00:00 2001 From: Albert Cabello Serrano Date: Mon, 12 Aug 2019 07:46:28 -0700 Subject: [PATCH 23/37] Update upgrade-readiness-additional-insights.md Removing references to spectre-meltdown as the functionality is EOL --- .../upgrade-readiness-additional-insights.md | 38 +------------------ 1 file changed, 2 insertions(+), 36 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md index 93d1f63cc0..c6c73aa23e 100644 --- a/windows/deployment/upgrade/upgrade-readiness-additional-insights.md +++ b/windows/deployment/upgrade/upgrade-readiness-additional-insights.md @@ -5,7 +5,8 @@ manager: laurawi ms.author: greglin description: Explains additional features of Upgrade Readiness. ms.prod: w10 -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.topic: article ms.collection: M365-analytics --- @@ -14,44 +15,9 @@ ms.collection: M365-analytics This topic provides information on additional features that are available in Upgrade Readiness to provide insights into your environment. These include: -- [Spectre and Meltdown protections](#spectre-and-meltdown-protection-status): Status of devices with respect to their anti-virus, security update, and firmware updates related to protection from the "Spectre" and "Meltdown" vulnerabilities. - [Site discovery](#site-discovery): An inventory of web sites that are accessed by client computers running Windows 7, Windows 8.1, or Windows 10 using Internet Explorer. - [Office add-ins](#office-add-ins): A list of the Microsoft Office add-ins that are installed on client computers. -## Spectre and Meltdown protection status -Microsoft has published guidance for IT Pros that outlines the steps you can take to improve protection against the hardware vulnerabilities known as "Spectre" and "Meltdown." See [Windows Client Guidance for IT Pros to protect against speculative execution side-channel vulnerabilities](https://go.microsoft.com/fwlink/?linkid=867468) for details about the vulnerabilities and steps you can take. - -Microsoft recommends three steps to help protect against the Spectre and Meltdown vulnerabilities: -- Verify that you are running a supported antivirus application. -- Apply all available Windows operating system updates, including the January 2018 and later Windows security updates. -- Apply any applicable processor firmware (microcode) updates provided by your device manufacturer(s). - -Upgrade Readiness reports on status of your devices in these three areas. - -![Spectre-Meltdown protection blades](../images/spectre-meltdown-prod-closeup.png) - ->[!IMPORTANT] ->To provide these blades with data, ensure that your devices can reach the endpoint **http://adl.windows.com**. (See [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started) for more about necessary endpoints and how to whitelist them.) - -### Anti-virus status blade -This blade helps you determine if your devices' anti-virus solution is compatible with the latest Windows operating system updates. It shows the number of devices that have an anti-virus solution with no known issues, issues reported, or an unknown status for a particular Windows security update. In the following example, an anti-virus solution that has no known issues with the January 3, 2018 Windows update is installed on about 2,800 devices. - -![Spectre-Meltdown antivirus blade](../images/AV-status-by-computer.png) - -### Security update status blade -This blade indicates whether a Windows security update that includes Spectre- or Meltdown-related fixes (January 3, 2018 or later) has been installed, as well as whether specific fixes have been disabled. Though protections are enabled by default on devices running Windows (but not Windows Server) operating systems, some IT administrators might choose to disable specific protections. In the following example, about 4,300 devices have a Windows security update that includes Spectre or Meltdown protections installed, and those protections are enabled. - -![Spectre-Meltdown antivirus blade](../images/win-security-update-status-by-computer.png) - ->[!IMPORTANT] ->If you are seeing computers with statuses of either “Unknown – action may be required” or “Installed, but mitigation status unknown,” it is likely that you need to whitelist the **http://adl.windows.com** endpoint. - -### Firmware update status blade -This blade reports the number of devices that have installed a firmware update that includes Spectre or Meltdown protections. The blade might report a large number of blank, “unknown”, or “to be determined” statuses at first. As CPU information is provided by partners, the blade will automatically update with no further action required on your part. - - - - ## Site discovery The IE site discovery feature in Upgrade Readiness provides an inventory of web sites that are accessed by client computers using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. Site discovery does not include sites that are accessed using other Web browsers, such as Microsoft Edge. Site inventory information is provided as optional data related to upgrading to Windows 10 and Internet Explorer 11, and is meant to help prioritize compatibility testing for web applications. You can make more informed decisions about testing based on usage data. From 5f72abd71541a2761737d5bd8490029bcd434beb Mon Sep 17 00:00:00 2001 From: illgitthat Date: Mon, 12 Aug 2019 16:15:52 -0400 Subject: [PATCH 24/37] Minor typo fix for update-alerts.md Fixed "no yet assigned" to "not yet assigned" --- .../threat-protection/microsoft-defender-atp/manage-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md index 3113e4b4f9..36e579945b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/manage-alerts.md @@ -36,7 +36,7 @@ Selecting an alert in either of those places brings up the **Alert management pa You can create a new incident from the alert or link to an existing incident. ## Assign alerts -If an alert is no yet assigned, you can select **Assign to me** to assign the alert to yourself. +If an alert is not yet assigned, you can select **Assign to me** to assign the alert to yourself. ## Suppress alerts From 94e89df6b7dca292a4fe6ba5db0d305bd3f5842d Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Mon, 12 Aug 2019 18:40:32 -0400 Subject: [PATCH 25/37] fix: MD006/ul-start-left Consider starting bulleted lists at the beginning of the line --- ...ct-data-using-enterprise-site-discovery.md | 4 +- ...ct-data-using-enterprise-site-discovery.md | 965 +++++++++--------- devices/hololens/hololens-requirements.md | 8 +- devices/surface/assettag.md | 4 +- ...timal-power-settings-on-Surface-devices.md | 26 +- .../microsoft-surface-brightness-control.md | 10 +- ...-by-step-surface-deployment-accelerator.md | 20 +- education/windows/set-up-windows-10.md | 6 +- ...n-or-plug-in-application--app-v-46-sp1-.md | 8 +- ...new-standard-application--app-v-46-sp1-.md | 8 +- ...-created-in-a-previous-version-of-app-v.md | 4 +- ...-application-with-app-v-50-beta-gb18030.md | 12 +- ...-application-with-app-v-51-beta-gb18030.md | 12 +- ...he-mbam-25-server-feature-configuration.md | 8 +- ...age-orders-microsoft-store-for-business.md | 12 +- .../app-v/appv-capacity-planning.md | 12 +- .../mdm/networkqospolicy-csp.md | 6 +- .../mdm/policy-csp-applicationmanagement.md | 10 +- .../mdm/policy-csp-taskmanager.md | 4 +- .../windowsdefenderapplicationguard-csp.md | 6 +- .../start-layout-troubleshoot.md | 8 +- windows/configuration/wcd/wcd-messaging.md | 2 +- windows/deployment/upgrade/setupdiag.md | 72 +- .../windows-autopilot-requirements.md | 14 +- ...system-components-to-microsoft-services.md | 26 +- .../hello-how-it-works-technology.md | 2 +- .../hello-hybrid-aadj-sso-base.md | 14 +- .../passwordless-strategy.md | 6 +- .../tpm/how-windows-uses-the-tpm.md | 6 +- .../threat-protection/fips-140-validation.md | 40 +- .../configure-mssp-support.md | 4 +- .../configure-proxy-internet.md | 14 +- .../microsoft-defender-atp/evaluation-lab.md | 22 +- .../exposed-apis-full-sample-powershell.md | 6 +- .../fix-unhealthy-sensors.md | 4 +- .../offboard-machines.md | 12 +- .../threat-indicator-concepts.md | 6 +- .../troubleshoot-onboarding.md | 6 +- ...ployment-vdi-windows-defender-antivirus.md | 2 +- ...ged-apps-to-existing-applocker-rule-set.md | 4 +- .../applocker/administer-applocker.md | 4 +- .../applocker-architecture-and-components.md | 4 +- .../applocker/applocker-functions.md | 4 +- .../applocker/applocker-overview.md | 4 +- .../applocker-policies-deployment-guide.md | 4 +- .../applocker-policies-design-guide.md | 4 +- .../applocker-policy-use-scenarios.md | 4 +- .../applocker-processes-and-interactions.md | 4 +- .../applocker/applocker-settings.md | 4 +- .../applocker-technical-reference.md | 4 +- ...gure-an-applocker-policy-for-audit-only.md | 4 +- ...e-an-applocker-policy-for-enforce-rules.md | 4 +- ...figure-exceptions-for-an-applocker-rule.md | 4 +- ...onfigure-the-appLocker-reference-device.md | 4 +- ...figure-the-application-identity-service.md | 4 +- .../create-a-rule-for-packaged-apps.md | 4 +- ...-a-rule-that-uses-a-file-hash-condition.md | 4 +- ...reate-a-rule-that-uses-a-path-condition.md | 4 +- ...-a-rule-that-uses-a-publisher-condition.md | 4 +- .../create-applocker-default-rules.md | 4 +- ...cations-deployed-to-each-business-group.md | 4 +- .../create-your-applocker-policies.md | 4 +- .../applocker/create-your-applocker-rules.md | 4 +- .../applocker/delete-an-applocker-rule.md | 4 +- ...cies-by-using-the-enforce-rules-setting.md | 4 +- ...oy-the-applocker-policy-into-production.md | 4 +- ...p-policy-structure-and-rule-enforcement.md | 4 +- ...igitally-signed-on-a-reference-computer.md | 4 +- ...ine-your-application-control-objectives.md | 4 +- ...-users-try-to-run-a-blocked-application.md | 4 +- .../applocker/dll-rules-in-applocker.md | 4 +- ...tructure-and-applocker-rule-enforcement.md | 4 +- .../document-your-application-list.md | 4 +- .../document-your-applocker-rules.md | 4 +- .../applocker/edit-an-applocker-policy.md | 4 +- .../applocker/edit-applocker-rules.md | 4 +- .../enable-the-dll-rule-collection.md | 4 +- .../applocker/enforce-applocker-rules.md | 4 +- .../executable-rules-in-applocker.md | 4 +- .../export-an-applocker-policy-from-a-gpo.md | 4 +- ...port-an-applocker-policy-to-an-xml-file.md | 4 +- .../applocker/how-applocker-works-techref.md | 4 +- ...-applocker-policy-from-another-computer.md | 4 +- .../import-an-applocker-policy-into-a-gpo.md | 4 +- .../applocker/maintain-applocker-policies.md | 4 +- .../manage-packaged-apps-with-applocker.md | 4 +- ...r-policies-by-using-set-applockerpolicy.md | 4 +- .../merge-applocker-policies-manually.md | 4 +- ...onitor-application-usage-with-applocker.md | 4 +- .../optimize-applocker-performance.md | 4 +- ...ckaged-app-installer-rules-in-applocker.md | 4 +- .../plan-for-applocker-policy-management.md | 4 +- .../applocker/refresh-an-applocker-policy.md | 4 +- ...ements-for-deploying-applocker-policies.md | 4 +- .../requirements-to-use-applocker.md | 4 +- ...the-automatically-generate-rules-wizard.md | 4 +- .../applocker/script-rules-in-applocker.md | 4 +- .../security-considerations-for-applocker.md | 4 +- .../select-types-of-rules-to-create.md | 4 +- ...er-policy-by-using-test-applockerpolicy.md | 4 +- .../test-and-update-an-applocker-policy.md | 4 +- .../applocker/tools-to-use-with-applocker.md | 4 +- ...derstand-applocker-enforcement-settings.md | 4 +- ...stand-applocker-policy-design-decisions.md | 4 +- ...ent-setting-inheritance-in-group-policy.md | 4 +- ...the-applocker-policy-deployment-process.md | 4 +- ...plocker-allow-and-deny-actions-on-rules.md | 4 +- .../understanding-applocker-default-rules.md | 4 +- .../understanding-applocker-rule-behavior.md | 4 +- ...nderstanding-applocker-rule-collections.md | 4 +- ...standing-applocker-rule-condition-types.md | 4 +- ...understanding-applocker-rule-exceptions.md | 4 +- ...e-file-hash-rule-condition-in-applocker.md | 4 +- ...ng-the-path-rule-condition-in-applocker.md | 4 +- ...e-publisher-rule-condition-in-applocker.md | 4 +- ...-create-and-maintain-applocker-policies.md | 4 +- ...restriction-policies-in-the-same-domain.md | 4 +- ...he-applocker-windows-powershell-cmdlets.md | 4 +- .../using-event-viewer-with-applocker.md | 4 +- ...riction-policies-and-applocker-policies.md | 4 +- .../applocker/what-is-applocker.md | 4 +- .../windows-installer-rules-in-applocker.md | 4 +- .../working-with-applocker-policies.md | 4 +- .../applocker/working-with-applocker-rules.md | 4 +- ...r-application-control-planning-document.md | 4 +- ...pplication-control-management-processes.md | 4 +- ...fender-application-control-design-guide.md | 4 +- ...tion-based-protection-of-code-integrity.md | 10 +- .../windows-platform-common-criteria.md | 205 ++-- .../ltsc/whats-new-windows-10-2019.md | 20 +- 130 files changed, 998 insertions(+), 1000 deletions(-) diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md index c90d6b1c59..15560fccc7 100644 --- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md +++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md @@ -171,13 +171,13 @@ You can determine which zones or domains are used for data collection, using Pow **To set up data collection using a domain allow list** - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. **To set up data collection using a zone allow list** - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md index aaabccc9ae..12049fdcb9 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md +++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md @@ -1,482 +1,483 @@ ---- -ms.localizationpriority: medium -ms.mktglfcycl: deploy -description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. -author: dansimp -ms.prod: ie11 -ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 -ms.reviewer: -audience: itpro manager: dansimp -ms.author: dansimp -title: Collect data using Enterprise Site Discovery -ms.sitesec: library -ms.date: 07/27/2017 ---- - -# Collect data using Enterprise Site Discovery - -**Applies to:** - -- Windows 10 -- Windows 8.1 -- Windows 7 with Service Pack 1 (SP1) - -Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. - ->**Upgrade Readiness and Windows upgrades**
->You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). - - -## Before you begin -Before you start, you need to make sure you have the following: - -- Latest cumulative security update (for all supported versions of Internet Explorer): - - 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. - - ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) - - 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. - - ![affected software section](images/affectedsoftware.png) - - 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. - -- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: - - - Configuration-related PowerShell scripts - - - IETelemetry.mof file - - - Sample System Center 2012 report templates - - You must use System Center 2012 R2 Configuration Manager or later for these samples to work. - -Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. - -## What data is collected? -Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. - -|Data point |IE11 |IE10 |IE9 |IE8 |Description | -|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| -|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | -|Domain | X | X | X | X |Top-level domain of the browsed site. | -|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | -|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | -|Document mode reason | X | X | | |The reason why a document mode was set by IE. | -|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | -|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | -|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | -|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | -|Number of visits | X | X | X | X |Number of times a site has been visited. | -|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | - - ->**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -### Understanding the returned reason codes -The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. - -#### DocMode reason -The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| -|4 |Page is using an X-UA-compatible meta tag. | -|5 |Page is using an X-UA-compatible HTTP header. | -|6 |Page appears on an active **Compatibility View** list. | -|7 |Page is using native XML parsing. | -|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | -|9 |Page state is set by the browser mode and the page's DOCTYPE.| - -#### Browser state reason -The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | -|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | -|3 |Site appears on an active **Compatibility View** list, created by the user. | -|4 |Page is using an X-UA-compatible tag. | -|5 |Page state is set by the **Developer** toolbar. | -|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | -|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | -|8 |Site appears on the **Quirks** list, created in Group Policy. | -|11 |Site is using the default browser. | - -#### Zone -The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. - -|Code |Description | -|-----|------------| -|-1 |Internet Explorer is using an invalid zone. | -|0 |Internet Explorer is using the Local machine zone. | -|1 |Internet Explorer is using the Local intranet zone. | -|2 |Internet Explorer is using the Trusted sites zone. | -|3 |Internet Explorer is using the Internet zone. | -|4 |Internet Explorer is using the Restricted sites zone. | - -## Where is the data stored and how do I collect it? -The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: - -- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. - -- **XML file**. Any agent that works with XML can be used. - -## WMI Site Discovery suggestions -We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. - -On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB - ->**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. - -## Getting ready to use Enterprise Site Discovery -Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges -You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. - ->**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. - -**To set up Enterprise Site Discovery** - -- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). - -### WMI only: Set up your firewall for WMI data -If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: - -**To set up your firewall** - -1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. - -2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. - -3. Restart your computer to start collecting your WMI data. - -## Use PowerShell to finish setting up Enterprise Site Discovery -You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). - ->**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. - -- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. - -- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. - -**To set up data collection using a domain allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. - - >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. - -**To set up data collection using a zone allow list** - - - Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. - - >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. - -## Use Group Policy to finish setting up Enterprise Site Discovery -You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). - ->**Note**
 All of the Group Policy settings can be used individually or as a group. - - **To set up Enterprise Site Discovery using Group Policy** - -- Open your Group Policy editor, and go to these new settings: - - |Setting name and location |Description |Options | - |---------------------------|-------------|---------| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

  • **On.** Turns on WMI recording.
  • **Off.** Turns off WMI recording.
| - |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
  • **XML file path.** Including this turns on XML recording.
  • **Blank.** Turns off XML recording.
| - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | - |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | - -### Combining WMI and XML Group Policy settings -You can use both the WMI and XML settings individually or together: - -**To turn off Enterprise Site Discovery** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
- -**Turn on WMI recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
- -**To turn on XML recording only** - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
- -To turn on both WMI and XML recording - - - - - - - - - - - - - -
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
- -## Use Configuration Manager to collect your data -After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: - -- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

--OR- -- Collect your hardware inventory using the MOF Editor with a .MOF import file.

--OR- -- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) - -### Collect your hardware inventory using the MOF Editor while connected to a client device -You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - - ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) - -2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. - -3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. - - ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) - -4. Select the check boxes next to the following classes, and then click **OK**: - - - IESystemInfo - - - IEURLInfo - - - IECountInfo - -5. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the MOF Editor with a .MOF import file -You can collect your hardware inventory using the MOF Editor and a .MOF import file. - - **To collect your inventory** - -1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. - -2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. - -3. Pick the inventory items to install, and then click **Import**. - -4. Click **OK** to close the default windows.
-Your environment is now ready to collect your hardware inventory and review the sample reports. - -### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) -You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. - -**To collect your inventory** - -1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. - -2. Add this text to the end of the file: - - ``` - [SMS_Report (TRUE), - SMS_Group_Name ("IESystemInfo"), - SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IESystemInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String SystemKey; - [SMS_Report (TRUE) ] - String IEVer; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IEURLInfo"), - SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IEURLInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String URL; - [SMS_Report (TRUE) ] - String Domain; - [SMS_Report (TRUE) ] - UInt32 DocMode; - [SMS_Report (TRUE) ] - UInt32 DocModeReason; - [SMS_Report (TRUE) ] - UInt32 Zone; - [SMS_Report (TRUE) ] - UInt32 BrowserStateReason; - [SMS_Report (TRUE) ] - String ActiveXGUID[]; - [SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - [SMS_Report (TRUE) ] - UInt32 NumberOfVisits; - [SMS_Report (TRUE) ] - UInt32 MostRecentNavigationFailure; - }; - - [SMS_Report (TRUE), - SMS_Group_Name ("IECountInfo"), - SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), - Namespace ("root\\\\cimv2\\\\IETelemetry") ] - Class IECountInfo: SMS_Class_Template - { - [SMS_Report (TRUE), Key ] - String CountKey; - [SMS_Report (TRUE) ] - UInt32 CrashCount; - [SMS_Report (TRUE) ] - UInt32 HangCount; - [SMS_Report (TRUE) ] - UInt32 NavigationFailureCount; - }; - ``` - -3. Save the file and close it to the same location. - Your environment is now ready to collect your hardware inventory and review the sample reports. - -## View the sample reports with your collected data -The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. - -### SCCM Report Sample – ActiveX.rdl -Gives you a list of all of the ActiveX-related sites visited by the client computer. - -![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) - -### SCCM Report Sample – Site Discovery.rdl -Gives you a list of all of the sites visited by the client computer. - -![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) - -## View the collected XML data -After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: - -``` xml - - - [dword] - [dword] - [dword] - - - [string] - - [guid] - - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [dword] - [string] - [dword] - - - - -``` -You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. - -**To add your XML data to your Enterprise Mode site list** - -1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. - - ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) - -2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). - -3. Click **OK** to close the **Bulk add sites to the list** menu. - -## Turn off data collection on your client devices -After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. - -**To stop collecting data, using PowerShell** - -- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. - - >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. - - -**To stop collecting data, using Group Policy** - -1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. - -2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. - -### Delete already stored data from client computers -You can completely remove the data stored on your employee’s computers. - -**To delete all existing data** - -- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` - - - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` - - - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` - -## Related topics -* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) -* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) - - - - +--- +ms.localizationpriority: medium +ms.mktglfcycl: deploy +description: Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. +author: dansimp +ms.prod: ie11 +ms.assetid: a145e80f-eb62-4116-82c4-3cc35fd064b6 +ms.reviewer: +audience: itpro +manager: dansimp +ms.author: dansimp +title: Collect data using Enterprise Site Discovery +ms.sitesec: library +ms.date: 07/27/2017 +--- + +# Collect data using Enterprise Site Discovery + +**Applies to:** + +- Windows 10 +- Windows 8.1 +- Windows 7 with Service Pack 1 (SP1) + +Use Internet Explorer to collect data on computers running Windows Internet Explorer 8 through Internet Explorer 11 on Windows 10, Windows 8.1, or Windows 7. This inventory information helps you build a list of websites used by your company so you can make more informed decisions about your IE deployments, including figuring out which sites might be at risk or require overhauls during future upgrades. + +>**Upgrade Readiness and Windows upgrades**
+>You can use Upgrade Readiness to help manage your Windows 10 upgrades on devices running Windows 8.1 and Windows 7 (SP1). You can also use Upgrade Readiness to review several site discovery reports. For more information, see [Manage Windows upgrades with Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness). + + +## Before you begin +Before you start, you need to make sure you have the following: + +- Latest cumulative security update (for all supported versions of Internet Explorer): + + 1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**. + + ![microsoft security bulletin techcenter](images/securitybulletin-filter.png) + + 2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table. + + ![affected software section](images/affectedsoftware.png) + + 3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section. + +- [Setup and configuration package](https://go.microsoft.com/fwlink/p/?LinkId=517719), including: + + - Configuration-related PowerShell scripts + + - IETelemetry.mof file + + - Sample System Center 2012 report templates + + You must use System Center 2012 R2 Configuration Manager or later for these samples to work. + +Both the PowerShell script and the Managed Object Format (.MOF) file need to be copied to the same location on the client device, before you run the scripts. + +## What data is collected? +Data is collected on the configuration characteristics of IE and the sites it browses, as shown here. + +|Data point |IE11 |IE10 |IE9 |IE8 |Description | +|------------------------|-----|-----|-----|-----|------------------------------------------------------------------------| +|URL | X | X | X | X |URL of the browsed site, including any parameters included in the URL. | +|Domain | X | X | X | X |Top-level domain of the browsed site. | +|ActiveX GUID | X | X | X | X |GUID of the ActiveX controls loaded by the site. | +|Document mode | X | X | X | X |Document mode used by IE for a site, based on page characteristics. | +|Document mode reason | X | X | | |The reason why a document mode was set by IE. | +|Browser state reason | X | X | | |Additional information about why the browser is in its current state. Also called, browser mode. | +|Hang count | X | X | X | X |Number of visits to the URL when the browser hung. | +|Crash count | X | X | X | X |Number of visits to the URL when the browser crashed. | +|Most recent navigation failure (and count) | X | X | X | X |Description of the most recent navigation failure (like, a 404 bad request or 500 internal server error) and the number of times it happened. | +|Number of visits | X | X | X | X |Number of times a site has been visited. | +|Zone | X | X | X | X |Zone used by IE to browse sites, based on browser settings. | + + +>**Important**
By default, IE doesn’t collect this data; you have to turn this feature on if you want to use it. After you turn on this feature, data is collected on all sites visited by IE, except during InPrivate sessions. Additionally, the data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +### Understanding the returned reason codes +The following tables provide more info about the Document mode reason, Browser state reason, and the Zone codes that are returned as part of your data collection. + +#### DocMode reason +The codes in this table can tell you what document mode was set by IE for a webpage.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|3 |Page state is set by the `FEATURE_DOCUMENT_COMPATIBLE_MODE` feature control key.| +|4 |Page is using an X-UA-compatible meta tag. | +|5 |Page is using an X-UA-compatible HTTP header. | +|6 |Page appears on an active **Compatibility View** list. | +|7 |Page is using native XML parsing. | +|8 |Page is using a special Quirks Mode Emulation (QME) mode that uses the modern layout engine, but the quirks behavior of Internet Explorer 5. | +|9 |Page state is set by the browser mode and the page's DOCTYPE.| + +#### Browser state reason +The codes in this table can tell you why the browser is in its current state. Also called “browser mode”.
These codes only apply to Internet Explorer 10 and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|1 |Site is on the intranet, with the **Display intranet sites in Compatibility View** box checked. | +|2 |Site appears on an active **Compatibility View** list, created in Group Policy. | +|3 |Site appears on an active **Compatibility View** list, created by the user. | +|4 |Page is using an X-UA-compatible tag. | +|5 |Page state is set by the **Developer** toolbar. | +|6 |Page state is set by the `FEATURE_BROWSER_EMULATION` feature control key. | +|7 |Site appears on the Microsoft **Compatibility View (CV)** list. | +|8 |Site appears on the **Quirks** list, created in Group Policy. | +|11 |Site is using the default browser. | + +#### Zone +The codes in this table can tell you what zone is being used by IE to browse sites, based on browser settings.
These codes apply to Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11. + +|Code |Description | +|-----|------------| +|-1 |Internet Explorer is using an invalid zone. | +|0 |Internet Explorer is using the Local machine zone. | +|1 |Internet Explorer is using the Local intranet zone. | +|2 |Internet Explorer is using the Trusted sites zone. | +|3 |Internet Explorer is using the Internet zone. | +|4 |Internet Explorer is using the Restricted sites zone. | + +## Where is the data stored and how do I collect it? +The data is stored locally, in an industry-standard WMI class, .MOF file or in an XML file, depending on your configuration. This file remains on the client computer until it’s collected. To collect the files, we recommend: + +- **WMI file**. Use Microsoft Configuration Manager or any agent that can read the contents of a WMI class on your computer. + +- **XML file**. Any agent that works with XML can be used. + +## WMI Site Discovery suggestions +We recommend that you collect your data for at most a month at a time, to capture a user’s typical workflow. We don’t recommend collecting data longer than that because the data is stored in a WMI provider and can fill up your computer’s hard drive. You may also want to collect data only for pilot users or a representative sample of people, instead of turning this feature on for everyone in your company. + +On average, a website generates about 250bytes of data for each visit, causing only a minor impact to Internet Explorer’s performance. Over the course of a month, collecting data from 20 sites per day from 1,000 users, you’ll get about 150MB of data:

250 bytes (per site visit) X 20 sites/day X 30 days = (approximately) 150KB X 1000 users = (approximately) 150MB + +>**Important**
The data collection process is silent, so there’s no notification to the employee. Therefore, you must get consent from the employee before you start collecting info. You must also make sure that using this feature complies with all applicable local laws and regulatory requirements. + +## Getting ready to use Enterprise Site Discovery +Before you can start to collect your data, you must run the provided PowerShell script (IETelemetrySetUp.ps1) on your client devices to start generating the site discovery data and to set up a place to store this data locally. Then, you must start collecting the site discovery data from the client devices, using one of these three options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### WMI only: Running the PowerShell script to compile the .MOF file and to update security privileges +You need to set up your computers for data collection by running the provided PowerShell script (IETelemetrySetUp.ps1) to compile the .mof file and to update security privileges for the new WMI classes. + +>**Important**
You must run this script if you’re using WMI as your data output. It's not necessary if you're using XML as your data output. + +**To set up Enterprise Site Discovery** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1 by by-passing the PowerShell execution policy, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1`. For more info, see [about Execution Policies](https://go.microsoft.com/fwlink/p/?linkid=517460). + +### WMI only: Set up your firewall for WMI data +If you choose to use WMI as your data output, you need to make sure that your WMI data can travel through your firewall for the domain. If you’re sure, you can skip this section; otherwise, follow these steps: + +**To set up your firewall** + +1. In **Control Panel**, click **System and Security**, and then click **Windows Firewall**. + +2. In the left pane, click **Allow an app or feature through Windows Firewall** and scroll down to check the box for **Windows Management Instrumentation (WMI)**. + +3. Restart your computer to start collecting your WMI data. + +## Use PowerShell to finish setting up Enterprise Site Discovery +You can determine which zones or domains are used for data collection, using PowerShell. If you don’t want to use PowerShell, you can do this using Group Policy. For more info, see [Use Group Policy to finish setting up Enterprise Site Discovery](#use-group-policy-to-finish-setting-up-enterprise-site-discovery). + +>**Important**
The .ps1 file updates turn on Enterprise Site Discovery and WMI collection for all users on a device. + +- **Domain allow list.** If you have a domain allow list, a comma-separated list of domains that should have this feature turned on, you should use this process. + +- **Zone allow list.** If you have a zone allow list, a comma-separated list of zones that should have this feature turned on, you should use this process. + +**To set up data collection using a domain allow list** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -SiteAllowList sharepoint.com,outlook.com,onedrive.com`. + + >**Important**
Wildcards, like \*.microsoft.com, aren’t supported. + +**To set up data collection using a zone allow list** + +- Start PowerShell in elevated mode (using admin privileges) and run IETelemetrySetUp.ps1, using this command: `.\IETelemetrySetUp.ps1 [other args] -ZoneAllowList Computer,Intranet,TrustedSites,Internet,RestrictedSites`. + + >**Important**
Only Computer, Intranet, TrustedSites, Internet, and RestrictedSites are supported. + +## Use Group Policy to finish setting up Enterprise Site Discovery +You can use Group Policy to finish setting up Enterprise Site Discovery. If you don’t want to use Group Policy, you can do this using PowerShell. For more info, see [Use Powershell to finish setting up Enterprise Site Discovery](#use-powershell-to-finish-setting-up-enterprise-site-discovery). + +>**Note**
 All of the Group Policy settings can be used individually or as a group. + + **To set up Enterprise Site Discovery using Group Policy** + +- Open your Group Policy editor, and go to these new settings: + + |Setting name and location |Description |Options | + |---------------------------|-------------|---------| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output |Writes collected data to a WMI class, which can be aggregated using a client-management solution like Configuration Manager. |

  • **On.** Turns on WMI recording.
  • **Off.** Turns off WMI recording.
| + |Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output |Writes collected data to an XML file, which is stored in your specified location. |
  • **XML file path.** Including this turns on XML recording.
  • **Blank.** Turns off XML recording.
| + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by Zone |Manages which zone can collect data. |To specify which zones can collect data, you must include a binary number that represents your selected zones, based on this order:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
0 – Local Intranet zone
0 – Local Machine zone

**Example 1:** Include only the Local Intranet zone

Binary representation: *00010*, based on:

0 – Restricted Sites zone
0 – Internet zone
0 – Trusted Sites zone
1 – Local Intranet zone
0 – Local Machine zone

**Example 2:** Include only the Restricted Sites, Trusted Sites, and Local Intranet zones

Binary representation: *10110*, based on:

1 – Restricted Sites zone
0 – Internet zone
1 – Trusted Sites zone
1 – Local Intranet zone
1 – Local Machine zone | + |Administrative Templates\Windows Components\Internet Explorer\Limit Site Discovery output by domain |Manages which domains can collect data |To specify which domains can collect data, you must include your selected domains, one domain per line, in the provided box. It should look like:

microsoft.sharepoint.com
outlook.com
onedrive.com
timecard.contoso.com
LOBApp.contoso.com | + +### Combining WMI and XML Group Policy settings +You can use both the WMI and XML settings individually or together: + +**To turn off Enterprise Site Discovery** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputBlank
+ +**Turn on WMI recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputBlank
+ +**To turn on XML recording only** + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOff
Turn on Site Discovery XML outputXML file path
+ +To turn on both WMI and XML recording + + + + + + + + + + + + + +
Setting nameOption
Turn on Site Discovery WMI outputOn
Turn on Site Discovery XML outputXML file path
+ +## Use Configuration Manager to collect your data +After you’ve collected your data, you’ll need to get the local files off of your employee’s computers. To do this, use the hardware inventory process in Configuration Manager, using one of these options: + +- Collect your hardware inventory using the MOF Editor, while connecting to a client device.

+-OR- +- Collect your hardware inventory using the MOF Editor with a .MOF import file.

+-OR- +- Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) + +### Collect your hardware inventory using the MOF Editor while connected to a client device +You can collect your hardware inventory using the MOF Editor, while you’re connected to your client devices. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + + ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png) + +2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes. + +3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**. + + ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png) + +4. Select the check boxes next to the following classes, and then click **OK**: + + - IESystemInfo + + - IEURLInfo + + - IECountInfo + +5. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the MOF Editor with a .MOF import file +You can collect your hardware inventory using the MOF Editor and a .MOF import file. + + **To collect your inventory** + +1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**. + +2. Click **Import**, choose the MOF file from the downloaded package we provided, and click **Open**. + +3. Pick the inventory items to install, and then click **Import**. + +4. Click **OK** to close the default windows.
+Your environment is now ready to collect your hardware inventory and review the sample reports. + +### Collect your hardware inventory using the SMS\DEF.MOF file (System Center Configuration Manager 2007 only) +You can collect your hardware inventory using the using the Systems Management Server (SMS\DEF.MOF) file. Editing this file lets you collect your data for System Center Configuration Manager 2007. If you aren’t using this version of Configuration Manager, you won’t want to use this option. + +**To collect your inventory** + +1. Using a text editor like Notepad, open the SMS\DEF.MOF file, located in your `\inboxes\clifiles.src\hinv` directory. + +2. Add this text to the end of the file: + + ``` + [SMS_Report (TRUE), + SMS_Group_Name ("IESystemInfo"), + SMS_Class_ID ("MICROSOFT|IESystemInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IESystemInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String SystemKey; + [SMS_Report (TRUE) ] + String IEVer; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IEURLInfo"), + SMS_Class_ID ("MICROSOFT|IEURLInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IEURLInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String URL; + [SMS_Report (TRUE) ] + String Domain; + [SMS_Report (TRUE) ] + UInt32 DocMode; + [SMS_Report (TRUE) ] + UInt32 DocModeReason; + [SMS_Report (TRUE) ] + UInt32 Zone; + [SMS_Report (TRUE) ] + UInt32 BrowserStateReason; + [SMS_Report (TRUE) ] + String ActiveXGUID[]; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + [SMS_Report (TRUE) ] + UInt32 NumberOfVisits; + [SMS_Report (TRUE) ] + UInt32 MostRecentNavigationFailure; + }; + + [SMS_Report (TRUE), + SMS_Group_Name ("IECountInfo"), + SMS_Class_ID ("MICROSOFT|IECountInfo|1.0"), + Namespace ("root\\\\cimv2\\\\IETelemetry") ] + Class IECountInfo: SMS_Class_Template + { + [SMS_Report (TRUE), Key ] + String CountKey; + [SMS_Report (TRUE) ] + UInt32 CrashCount; + [SMS_Report (TRUE) ] + UInt32 HangCount; + [SMS_Report (TRUE) ] + UInt32 NavigationFailureCount; + }; + ``` + +3. Save the file and close it to the same location. + Your environment is now ready to collect your hardware inventory and review the sample reports. + +## View the sample reports with your collected data +The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sample – Site Discovery.rdl**, work with System Center 2012, so you can review your collected data. + +### SCCM Report Sample – ActiveX.rdl +Gives you a list of all of the ActiveX-related sites visited by the client computer. + +![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png) + +### SCCM Report Sample – Site Discovery.rdl +Gives you a list of all of the sites visited by the client computer. + +![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png) + +## View the collected XML data +After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like: + +``` xml + + + [dword] + [dword] + [dword] + + + [string] + + [guid] + + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [dword] + [string] + [dword] + + + + +``` +You can import this XML data into the correct version of the Enterprise Mode Site List Manager, automatically adding the included sites to your Enterprise Mode site list. + +**To add your XML data to your Enterprise Mode site list** + +1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**. + + ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png) + +2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md). + +3. Click **OK** to close the **Bulk add sites to the list** menu. + +## Turn off data collection on your client devices +After you’ve collected your data, you’ll need to turn Enterprise Site Discovery off. + +**To stop collecting data, using PowerShell** + +- On your client computer, start Windows PowerShell in elevated mode (using admin privileges) and run `IETelemetrySetUp.ps1`, using this command: `powershell -ExecutionPolicy Bypass .\IETelemetrySetUp.ps1 –IEFeatureOff`. + + >**Note**
Turning off data collection only disables the Enterprise Site Discovery feature – all data already written to WMI stays on your employee’s computer. + + +**To stop collecting data, using Group Policy** + +1. Open your Group Policy editor, go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery WMI output`, and click **Off**. + +2. Go to `Administrative Templates\Windows Components\Internet Explorer\Turn on Site Discovery XML output`, and clear the file path location. + +### Delete already stored data from client computers +You can completely remove the data stored on your employee’s computers. + +**To delete all existing data** + +- On the client computer, start PowerShell in elevated mode (using admin privileges) and run these four commands: + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IEURLInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IESystemInfo` + + - `Remove-WmiObject -Namespace root/cimv2/IETelemetry IECountInfo` + + - `Remove-Item -Path 'HKCU:\Software\Microsoft\Internet Explorer\WMITelemetry'` + +## Related topics +* [Enterprise Mode Site List Manager (schema v.2) download](https://go.microsoft.com/fwlink/?LinkId=746562) +* [Enterprise Mode for Internet Explorer 11 (IE11)](enterprise-mode-overview-for-ie11.md) + + + + diff --git a/devices/hololens/hololens-requirements.md b/devices/hololens/hololens-requirements.md index 6cb247c60b..0ff5596fa3 100644 --- a/devices/hololens/hololens-requirements.md +++ b/devices/hololens/hololens-requirements.md @@ -37,10 +37,10 @@ When you develop for HoloLens, there are [system requirements and tools](https:/ - TTLS-TLS ### Device management - - Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4) - - Wi-Fi network - - Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs - +- Users have Azure AD accounts with [Intune license assigned](https://docs.microsoft.com/intune/get-started/start-with-a-paid-subscription-to-microsoft-intune-step-4) +- Wi-Fi network +- Intune or a 3rd party mobile device management (MDM) provider that uses Microsoft MDM APIs + ### Upgrade to Windows Holographic for Business - HoloLens Enterprise license XML file diff --git a/devices/surface/assettag.md b/devices/surface/assettag.md index 60ff9078bd..e0df401dea 100644 --- a/devices/surface/assettag.md +++ b/devices/surface/assettag.md @@ -20,9 +20,9 @@ for Surface devices. It works on Surface Pro 3 and all newer Surface devices. ## System requirements - - Surface Pro 3 or later +- Surface Pro 3 or later - - UEFI firmware version 3.9.150.0 or later +- UEFI firmware version 3.9.150.0 or later ## Using Surface Asset Tag diff --git a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md index 6dcd9db277..4a3c4f93b3 100644 --- a/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md +++ b/devices/surface/maintain-optimal-power-settings-on-Surface-devices.md @@ -59,14 +59,14 @@ instant on/instant off functionality typical of smartphones. S0ix, also known as Deepest Runtime Idle Platform State (DRIPS), is the default power mode for Surface devices. Modern standby has two modes: - - **Connected standby.** The default mode for up-to-the minute - delivery of emails, messaging, and cloud-synced data, connected - standby keeps Wi-Fi on and maintains network connectivity. +- **Connected standby.** The default mode for up-to-the minute + delivery of emails, messaging, and cloud-synced data, connected + standby keeps Wi-Fi on and maintains network connectivity. - - **Disconnected standby.** An optional mode for extended battery - life, disconnected standby delivers the same instant-on experience - and saves power by turning off Wi-Fi, Bluetooth, and related network - connectivity. +- **Disconnected standby.** An optional mode for extended battery + life, disconnected standby delivers the same instant-on experience + and saves power by turning off Wi-Fi, Bluetooth, and related network + connectivity. To learn more about modern standby, refer to the [Microsoft Hardware Dev Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/modern-standby-wake-sources). @@ -76,13 +76,13 @@ Center](https://docs.microsoft.com/windows-hardware/design/device-experiences/mo Surface integrates the following features designed to help users optimize the power management experience: - - [Singular power plan](#singular-power-plan) +- [Singular power plan](#singular-power-plan) - - [Simplified power settings user - interface](#simplified-power-settings-user-interface) +- [Simplified power settings user + interface](#simplified-power-settings-user-interface) - - [Windows performance power - slider](#windows-performance-power-slider) +- [Windows performance power + slider](#windows-performance-power-slider) ### Singular power plan @@ -171,4 +171,4 @@ To learn more, see: - [Battery saver](https://docs.microsoft.com/windows-hardware/design/component-guidelines/battery-saver) -- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) \ No newline at end of file +- [Deploying the latest firmware and drivers for Surface devices](deploy-the-latest-firmware-and-drivers-for-surface-devices.md) diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 34ccb3aa18..41b2e3d994 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -25,16 +25,16 @@ designed to help reduce thermal load and lower the overall carbon footprint for deployed Surface devices. The tool automatically dims the screen when not in use and includes the following configuration options: - - Period of inactivity before dimming the display. +- Period of inactivity before dimming the display. - - Brightness level when dimmed. +- Brightness level when dimmed. - - Maximum brightness level when in use. +- Maximum brightness level when in use. **To run Surface Brightness Control:** - - Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control - will begin working immediately. +- Install surfacebrightnesscontrol.msi on the target device and Surface Brightness Control + will begin working immediately. ## Configuring Surface Brightness Control diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index a1e5874ea2..956924345f 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -100,25 +100,25 @@ The following steps show you how to create a deployment share for Windows 10 tha 7. On the **Summary** page confirm your selections and click **Finish** to begin the creation of your deployment share. The process can take several minutes as files are downloaded, the tools are installed, and the deployment share is created. While the SDA scripts are creating your deployment share, an **Installation Progress** window will be displayed, as shown in Figure 5. A typical SDA process includes: - - Download of Windows ADK + - Download of Windows ADK - - Installation of Windows ADK + - Installation of Windows ADK - - Download of MDT + - Download of MDT - - Installation of MDT + - Installation of MDT - - Download of Surface apps and drivers + - Download of Surface apps and drivers - - Creation of the deployment share + - Creation of the deployment share - - Import of Windows installation files into the deployment share + - Import of Windows installation files into the deployment share - - Import of the apps and drivers into the deployment share + - Import of the apps and drivers into the deployment share - - Creation of rules and task sequences for Windows deployment + - Creation of rules and task sequences for Windows deployment - ![The installation progress window](images/sdasteps-fig5-installwindow.png "The installation progress window") + ![The installation progress window](images/sdasteps-fig5-installwindow.png "The installation progress window") *Figure 5. The Installation Progress window* diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md index eaa22faf91..1f8eb4eb0f 100644 --- a/education/windows/set-up-windows-10.md +++ b/education/windows/set-up-windows-10.md @@ -20,9 +20,9 @@ manager: dansimp - Windows 10 You have two tools to choose from to set up PCs for your classroom: - * Set up School PCs - * Windows Configuration Designer - +* Set up School PCs +* Windows Configuration Designer + Choose the tool that is appropriate for how your students will sign in (Active Directory, Azure Active Directory, or no account). You can use the following diagram to compare the tools. diff --git a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md index d572d752a6..acfe510e08 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-add-on-or-plug-in-application--app-v-46-sp1-.md @@ -79,13 +79,13 @@ Click **Next**. 10. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. If you want to customize any of the items in the following list, select **Customize**. - - Edit the file type associations associated with an application. + - Edit the file type associations associated with an application. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application that you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. Under the application, select **Shortcuts** to review the shortcut information associated with an application. In the **Location** pane, you can review the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**. diff --git a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md index c1dbfafeb3..baf39c7e2c 100644 --- a/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md +++ b/mdop/appv-v4/how-to-sequence-a-new-standard-application--app-v-46-sp1-.md @@ -69,13 +69,13 @@ Click **Next**. 11. On the **Customize** page, if you are finished installing and configuring the virtual application, select **Stop now** and skip to step 15 of this procedure. If you want to customize any of the items in the following list, select **Customize**. - - Edit the file type associations and the icons associated with an application. + - Edit the file type associations and the icons associated with an application. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Edit Shortcuts** page, you can optionally configure the file type associations (FTA) and shortcut locations that will be associated with the various applications in the package. To create a new FTA, in the left pane, select and expand the application you want to customize, and then click **Add**. In the **Add File Type Association** dialog box, provide the necessary information for the new FTA. To review the shortcut information associated with an application, under the application, select **Shortcuts**, and in the **Location** pane, you can edit the icon file information. To edit an existing FTA, click **Edit**. To remove an FTA, select the FTA, and then click **Remove**. Click **Next**. diff --git a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md index 7bc0c4e2c1..e1e6432a8a 100644 --- a/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md +++ b/mdop/appv-v5/how-to-convert-a-package-created-in-a-previous-version-of-app-v.md @@ -43,9 +43,7 @@ You must configure the package converter to always save the package ingredients Import-Module AppVPkgConverter ``` -3. - - The following cmdlets are available: +3. The following cmdlets are available: - Test-AppvLegacyPackage – This cmdlet is designed to check packages. It will return information about any failures with the package such as missing **.sft** files, an invalid source, **.osd** file errors, or invalid package version. This cmdlet will not parse the **.sft** file or do any in depth validation. For information about options and basic functionality for this cmdlet, using the PowerShell cmdline, type `Test-AppvLegacyPackage -?`. diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md index f69cd05803..8652ce06d6 100644 --- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md +++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-50-beta-gb18030.md @@ -143,11 +143,11 @@ Click **Next**. 11. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. @@ -234,11 +234,11 @@ Click **Next**. 10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - - Optimize how the package will run across a slow or unreliable network. + - Optimize how the package will run across a slow or unreliable network. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md index 5143059379..ba6d5a807d 100644 --- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md +++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md @@ -128,11 +128,11 @@ Click **Next**. 11. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 14 of this procedure. To perform either of the following customizations, select **Customize**. - - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. + - Prepare the virtual package for streaming. Streaming improves the experience when the virtual application package is run on target computers. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**. @@ -210,11 +210,11 @@ On the computer that runs the sequencer, click **All Programs**, and then Click 10. The **Customize** page is displayed. If you are finished installing and configuring the virtual application, select **Stop now** and skip to step 12 of this procedure. To perform either of the following customizations, select **Customize**. - - Optimize how the package will run across a slow or unreliable network. + - Optimize how the package will run across a slow or unreliable network. - - Specify the operating systems that can run this package. + - Specify the operating systems that can run this package. - Click **Next**. + Click **Next**. 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**. diff --git a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md index 4c7082ea57..76b918713f 100644 --- a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md +++ b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md @@ -90,13 +90,13 @@ If SSRS was not configured to use Secure Socket Layer (SSL), the URL for the rep 10. Browse to the following web services to verify that they load successfully. A page opens to indicate that the service is running, but the page does not display any metadata. - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMAdministrationService/AdministrationService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMUserSupportService/UserSupportService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMComplianceStatusService/StatusReportingService.svc - - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc + - http(s)://< *MBAMAdministrationServerName*>:<*port*>/MBAMRecoveryAndHardwareService/CoreService.svc ## Validating the MBAM Server deployment with the Configuration Manager Integration topology diff --git a/store-for-business/manage-orders-microsoft-store-for-business.md b/store-for-business/manage-orders-microsoft-store-for-business.md index 115dd3fa5b..91a18494e2 100644 --- a/store-for-business/manage-orders-microsoft-store-for-business.md +++ b/store-for-business/manage-orders-microsoft-store-for-business.md @@ -42,14 +42,14 @@ Refunds work a little differently for free apps, and apps that have a price. In **Refunds for free apps** - For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory. +For free apps, there isn't really a refund to request -- you're removing the app from your inventory. You must first reclaim any assigned licenses, and then you can remove the app from your organization's inventory. - **Refunds for apps that have a price** +**Refunds for apps that have a price** - There are a few requirements for apps that have a price: - - **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. - - **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. - - **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. +There are a few requirements for apps that have a price: +- **Timing** - Refunds are available for the first 30 days after you place your order. For example, if your order is placed on June 1, you can self-refund through June 30. +- **Available licenses** - You need to have enough available licenses to cover the number of licenses in the order you are refunding. For example, if you purchased 10 copies of an app and you want to request a refund, you must have at least 10 licenses of the app available in your inventory -- those 10 licenses can't be assigned to people in your organization. +- **Whole order refunds only** - You must refund the complete amount of apps in an order. You can't refund a part of an order. For example, if you purchased 10 copies of an app, but later found you only needed 5 copies, you'll need to request a refund for the 10 apps, and then make a separate order for 5 apps. If you have had multiple orders of the same app, you can refund one order but still keep the rest of the inventory. **To refund an order** diff --git a/windows/application-management/app-v/appv-capacity-planning.md b/windows/application-management/app-v/appv-capacity-planning.md index 3d117f1d01..099bcdf1c4 100644 --- a/windows/application-management/app-v/appv-capacity-planning.md +++ b/windows/application-management/app-v/appv-capacity-planning.md @@ -128,9 +128,9 @@ Computers running the App-V client connect to the App-V publishing server to sen > [!IMPORTANT] > The following list displays the main factors to consider when setting up the App-V publishing server: -> * The number of clients connecting simultaneously to a single publishing server. -> * The number of packages in each refresh. -> * The available network bandwidth in your environment between the client and the App-V publishing server. +> * The number of clients connecting simultaneously to a single publishing server. +> * The number of packages in each refresh. +> * The available network bandwidth in your environment between the client and the App-V publishing server. |Scenario|Summary| |---|---| @@ -153,9 +153,9 @@ Computers running the App-V client stream the virtual application package from t > [!IMPORTANT] > The following list identifies the main factors to consider when setting up the App-V streaming server: -> * The number of clients streaming application packages simultaneously from a single streaming server. -> * The size of the package being streamed. -> * The available network bandwidth in your environment between the client and the streaming server. +> * The number of clients streaming application packages simultaneously from a single streaming server. +> * The size of the package being streamed. +> * The available network bandwidth in your environment between the client and the streaming server. |Scenario|Summary| |---|---| diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index e35af4bde2..debd9dbd5a 100644 --- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -49,9 +49,9 @@ The following diagram shows the NetworkQoSPolicy configuration service provider

Valid values are: - - 0 (default) - Both TCP and UDP - - 1 - TCP - - 2 - UDP +- 0 (default) - Both TCP and UDP +- 1 - TCP +- 2 - UDP

The data type is int. diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 5ce6a56526..9feb66be2d 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -478,11 +478,11 @@ An XML blob that specifies the application restrictions company want to put to t > > Here's additional guidance for the upgrade process: > -> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). -> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. -> - In the SyncML, you must use lowercase product ID. -> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. -> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). +> - Use Windows 10 product IDs for the apps listed in [inbox apps](applocker-csp.md#inboxappsandcomponents). +> - Use the new Microsoft publisher name (PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US") and Publisher="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" if you are using the publisher policy. Do not remove the Windows Phone 8.1 publisher if you are using it. +> - In the SyncML, you must use lowercase product ID. +> - Do not duplicate a product ID. Messaging and Skype Video use the same product ID. Duplicates cause an error. +> - You cannot disable or enable **Contact Support** and **Windows Feedback** apps using ApplicationManagement/ApplicationRestrictions policy, although these are listed in the [inbox apps](applocker-csp.md#inboxappsandcomponents). An application that is running may not be immediately terminated. diff --git a/windows/client-management/mdm/policy-csp-taskmanager.md b/windows/client-management/mdm/policy-csp-taskmanager.md index 5e4b03fa34..1553b89d93 100644 --- a/windows/client-management/mdm/policy-csp-taskmanager.md +++ b/windows/client-management/mdm/policy-csp-taskmanager.md @@ -70,8 +70,8 @@ manager: dansimp This setting determines whether non-administrators can use Task Manager to end tasks. Value type is integer. Supported values: - - 0 - Disabled. EndTask functionality is blocked in TaskManager. - - 1 - Enabled (default). Users can perform EndTask in TaskManager. +- 0 - Disabled. EndTask functionality is blocked in TaskManager. +- 1 - Enabled (default). Users can perform EndTask in TaskManager. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 0b9e8aa3aa..7831cfbce6 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -30,9 +30,9 @@ Interior node. Supported operation is Get. **Settings/AllowWindowsDefenderApplicationGuard** Turn on Windows Defender Application Guard in Enterprise Mode. Value type is integer. Supported operations are Add, Get, Replace, and Delete. - - - 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. - - 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. + +- 0 - Stops Application Guard in Enterprise Mode. Trying to access non-enterprise domains on the host will not automatically get transferred into the insolated environment. +- 1 - Enables Application Guard in Enterprise Mode. Trying to access non-enterprise websites on the host will automatically get transferred into the container. **Settings/ClipboardFileType** Determines the type of content that can be copied from the host to Application Guard environment and vice versa. Value type is integer. Supported operations are Add, Get, Replace, and Delete. diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md index b7a9b2ca2d..2e002f5962 100644 --- a/windows/configuration/start-layout-troubleshoot.md +++ b/windows/configuration/start-layout-troubleshoot.md @@ -233,10 +233,10 @@ XML files can and should be tested locally on a Hyper-V or other virtual machine - User-initiated changes to the start layout are not roamed. Specifically, behaviors include - - Applications (apps or icons) pinned to the start menu are missing. - - Entire tile window disappears. - - The start button fails to respond. - - If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing. +- Applications (apps or icons) pinned to the start menu are missing. +- Entire tile window disappears. +- The start button fails to respond. +- If a new roaming user is created, the first logon appears normal, but on subsequent logons, tiles are missing. ![Example of a working layout](images/start-ts-3.png) diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md index 9dd957088d..cb9a984961 100644 --- a/windows/configuration/wcd/wcd-messaging.md +++ b/windows/configuration/wcd/wcd-messaging.md @@ -357,4 +357,4 @@ For networks that require non-standard handling of single-segment incoming MMS W ## Related topics - - [Customizations for SMS and MMS](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms) +- [Customizations for SMS and MMS](https://docs.microsoft.com/windows-hardware/customize/mobile/mcsf/customizations-for-sms-and-mms) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index cd3aaab920..355c0da246 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md @@ -319,54 +319,54 @@ Each rule name and its associated unique rule identifier are listed with a descr ## Release notes 06/19/2019 - SetupDiag v1.5.0.0 is released with 60 rules, as a standalone tool available from the Download Center. - - All date and time outputs are updated to localized format per user request. - - Added setup Operation and Phase information to /verbose log. - - Added last Setup Operation and last Setup Phase information to most rules where it make sense (see new output below). - - Performance improvement in searching setupact.logs to determine correct log to parse. - - Added SetupDiag version number to text report (xml and json always had it). - - Added "no match" reports for xml and json per user request. - - Formatted Json output for easy readability. - - Performance improvements when searching for setup logs; this should be much faster now. - - Added 7 new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information. - - Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag** - - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode. - - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it’s always up to date. - - This registry key also gets deleted when a new update instance is invoked. - - For an example, see [Sample registry key](#sample-registry-key). +- All date and time outputs are updated to localized format per user request. +- Added setup Operation and Phase information to /verbose log. +- Added last Setup Operation and last Setup Phase information to most rules where it make sense (see new output below). +- Performance improvement in searching setupact.logs to determine correct log to parse. +- Added SetupDiag version number to text report (xml and json always had it). +- Added "no match" reports for xml and json per user request. +- Formatted Json output for easy readability. +- Performance improvements when searching for setup logs; this should be much faster now. +- Added 7 new rules: PlugInComplianceBlock, PreReleaseWimMountDriverFound, WinSetupBootFilterFailure, WimMountDriverIssue, DISMImageSessionFailure, FindEarlyDownlevelError, and FindSPFatalError. See the [Rules](#rules) section above for more information. +- Diagnostic information is now output to the registry at **HKLM\SYSTEM\Setup\MoSetup\Volatile\SetupDiag** + - The **/AddReg** command was added to toggle registry output. This setting is off by default for offline mode, and on by default for online mode. The command has no effect for online mode and enables registry output for offline mode. + - This registry key is deleted as soon as SetupDiag is run a second time, and replaced with current data, so it’s always up to date. + - This registry key also gets deleted when a new update instance is invoked. + - For an example, see [Sample registry key](#sample-registry-key). 05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center. - - This release adds the ability to find and diagnose reset and recovery failures (Push Button Reset). +- This release adds the ability to find and diagnose reset and recovery failures (Push Button Reset). 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. - - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! - - The FindDownlevelFailure rule is up to 10x faster. - - New rules have been added to analyze failures upgrading to Windows 10 version 1809. - - A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure. - - Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode. - - Some functional and output improvements were made for several rules. +- This release includes major improvements in rule processing performance: ~3x faster rule processing performance! + - The FindDownlevelFailure rule is up to 10x faster. +- New rules have been added to analyze failures upgrading to Windows 10 version 1809. +- A new help link is available for resolving servicing stack failures on the down-level OS when the rule match indicates this type of failure. +- Removed the need to specify /Mode parameter. Now if you specify /LogsPath, it automatically assumes offline mode. +- Some functional and output improvements were made for several rules. 07/16/2018 - SetupDiag v1.3.1 is released with 44 rules, as a standalone tool available from the Download Center. - - This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. +- This release fixes a problem that can occur when running SetupDiag in online mode on a computer that produces a setupmem.dmp file, but does not have debugger binaries installed. 07/10/2018 - SetupDiag v1.30 is released with 44 rules, as a standalone tool available from the Download Center. - - Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues. - - New feature: Ability to output logs in JSON and XML format. - - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic. - - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text. - - New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive. - - 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed. +- Bug fix for an over-matched plug-in rule. The rule will now correctly match only critical (setup failure) plug-in issues. +- New feature: Ability to output logs in JSON and XML format. + - Use "/Format:xml" or "/Format:json" command line parameters to specify the new output format. See [sample logs](#sample-logs) at the bottom of this topic. + - If the “/Format:xml” or “/Format:json” parameter is omitted, the log output format will default to text. +- New Feature: Where possible, specific instructions are now provided in rule output to repair the identified error. For example, instructions are provided to remediate known blocking issues such as uninstalling an incompatible app or freeing up space on the system drive. +- 3 new rules added: AdvancedInstallerFailed, MigrationAbortedDueToPluginFailure, DISMAddPackageFailed. 05/30/2018 - SetupDiag v1.20 is released with 41 rules, as a standalone tool available from the Download Center. - - Fixed a bug in device install failure detection in online mode. - - Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost. - - Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing. +- Fixed a bug in device install failure detection in online mode. +- Changed SetupDiag to work without an instance of setupact.log. Previously, SetupDiag required at least one setupact.log to operate. This change enables the tool to analyze update failures that occur prior to calling SetupHost. +- Telemetry is refactored to only send the rule name and GUID (or “NoRuleMatched” if no rule is matched) and the Setup360 ReportId. This change assures data privacy during rule processing. 05/02/2018 - SetupDiag v1.10 is released with 34 rules, as a standalone tool available from the Download Center. - - A performance enhancment has been added to result in faster rule processing. - - Rules output now includes links to support articles, if applicable. - - SetupDiag now provides the path and name of files that it is processing. - - You can now run SetupDiag by simply clicking on it and then examining the output log file. - - An output log file is now always created, whether or not a rule was matched. +- A performance enhancment has been added to result in faster rule processing. +- Rules output now includes links to support articles, if applicable. +- SetupDiag now provides the path and name of files that it is processing. +- You can now run SetupDiag by simply clicking on it and then examining the output log file. +- An output log file is now always created, whether or not a rule was matched. 03/30/2018 - SetupDiag v1.00 is released with 26 rules, as a standalone tool available from the Download Center. diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index a9317ae207..4fcd4811c2 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -84,13 +84,13 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: - - [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) - - [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) - - [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) - - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). - - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. - - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. - - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). +- [Microsoft 365 Business subscriptions](https://www.microsoft.com/en-us/microsoft-365/business) +- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise/firstline) +- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/en-us/education/buy-license/microsoft365/default.aspx) +- [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/en-us/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). +- [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/en-us/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. +- [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. +- [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune) (or an alternative MDM service). Additionally, the following are also recommended (but not required): - [Office 365 ProPlus](https://www.microsoft.com/en-us/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services). diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a7aec9de77..af50e5b96b 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1049,11 +1049,11 @@ To turn off dictation of your voice, speaking to Cortana and other apps, and to If you're running at Windows 10, version 1703 up to and including Windows 10, version 1803, you can turn off updates to the speech recognition and speech synthesis models: - - **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data** +- **Disable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Speech** > **Allow automatic update of Speech Data** -or- - - Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)** +- Create a REG_DWORD registry setting named **AllowSpeechModelUpdate** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Speech** with a **value of 0 (zero)** @@ -1415,11 +1415,11 @@ In the **Inking & Typing** area you can configure the functionality as such: To turn off Inking & Typing data collection (note: there is no Group Policy for this setting): - - In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off** +- In the UI go to **Settings -> Privacy -> Diagnostics & Feedback -> Inking and typing** and turn **Improve inking & typing** to **Off** -or- - - Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)** +- Set **RestrictImplicitTextCollection** registry REG_DWORD setting in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\InputPersonalization** to a **value of 1 (one)** ### 18.22 Activity History @@ -1484,29 +1484,29 @@ To turn this Off in the UI: Enterprise customers can manage their Windows activation status with volume licensing using an on-premises Key Management Server. You can opt out of sending KMS client activation data to Microsoft automatically by doing one of the following: - **For Windows 10:** +**For Windows 10:** - - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- - - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**. +- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a **value of 1 (one)**. **For Windows Server 2019 or later:** - - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Software Protection Platform** > **Turn off KMS Client Online AVS Validation** -or- - - Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG_DWORD registry setting named **NoGenTicket** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). **For Windows Server 2016:** - - Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG_DWORD registry setting named **NoAcquireGT** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). - >[!NOTE] - >Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead. - >The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. +>[!NOTE] +>Due to a known issue the **Turn off KMS Client Online AVS Validation** group policy does not work as intended on Windows Server 2016, the **NoAcquireGT** value needs to be set instead. +>The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. ### 20. Storage health diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index 26b5607798..f32db55329 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -71,7 +71,7 @@ Azure AD Join is intended for organizations that desire to be cloud-first or clo [Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined) ### More information - - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction). +- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction). [Return to Top](hello-how-it-works-technology.md) ## Azure AD Registered diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 847bbfdf0e..d1c11a2a8c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -309,13 +309,13 @@ Sign-in a workstation with access equivalent to a _domain user_. ![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png) 11. Select the appropriate configuration for the following settings. - * **Lowercase letters in PIN** - * **Uppercase letters in PIN** - * **Special characters in PIN** - * **PIN expiration (days)** - * **Remember PIN history** - > [!NOTE] - > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. + * **Lowercase letters in PIN** + * **Uppercase letters in PIN** + * **Special characters in PIN** + * **PIN expiration (days)** + * **Remember PIN history** + > [!NOTE] + > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature. 12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**. 13. Select **No** to **Allow phone sign-in**. This feature has been deprecated. diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index d9a19aed80..57238c3214 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -34,9 +34,9 @@ With Windows Hello for Business and passwords coexisting in your environment, th ### 3. Transition into a passwordless deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: - - the users never type their password - - the users never change their password - - the users do not know their password +- the users never type their password +- the users never change their password +- the users do not know their password In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md index a0d1ffbf6e..fbb2f028fd 100644 --- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md +++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md @@ -24,11 +24,11 @@ The Windows 10 operating system improves most existing security features in the **See also:** - - [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) +- [Windows 10 Specifications](https://www.microsoft.com/windows/windows-10-specifications) - - [TPM Fundamentals](tpm-fundamentals.md) +- [TPM Fundamentals](tpm-fundamentals.md) - - [TPM Recommendations](tpm-recommendations.md)  +- [TPM Recommendations](tpm-recommendations.md)  ## TPM Overview diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index ac3e78109d..5548e18dd5 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -18,14 +18,14 @@ ms.reviewer: On this page - - [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) - - [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) - - [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) - - [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) - - [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) - - [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) - - [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) - - [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) +- [Introduction](https://technet.microsoft.com/library/cc750357.aspx#id0eo) +- [FIPS 140 Overview](https://technet.microsoft.com/library/cc750357.aspx#id0ebd) +- [Microsoft Product Validation (Information for Procurement Officers and Auditors)](https://technet.microsoft.com/library/cc750357.aspx#id0ezd) +- [Information for System Integrators](https://technet.microsoft.com/library/cc750357.aspx#id0eve) +- [Information for Software Developers](https://technet.microsoft.com/library/cc750357.aspx#id0eibac) +- [FIPS 140 FAQ](https://technet.microsoft.com/library/cc750357.aspx#id0eqcac) +- [Microsoft FIPS 140 Validated Cryptographic Modules](https://technet.microsoft.com/library/cc750357.aspx#id0ewfac) +- [Cryptographic Algorithms](https://technet.microsoft.com/library/cc750357.aspx#id0erobg) Updated: March 2018 @@ -103,12 +103,12 @@ Rather than validate individual components and products, Microsoft chooses to va The following list contains some of the Windows components and Microsoft products that rely on FIPS 140 validated cryptographic modules: - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall +- Schannel Security Package +- Remote Desktop Protocol (RDP) Client +- Encrypting File System (EFS) +- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) +- BitLocker® Drive Full-volume Encryption +- IPsec Settings of Windows Firewall ## Information for System Integrators @@ -145,12 +145,12 @@ While there are alternative methods for setting the FIPS local/group security po The following list details some of the Microsoft components that use the cryptographic functionality implemented by either CNG or legacy CAPI. When the FIPS Local/Group Security Policy is set, the following components will enforce the validated module Security Policy. - - Schannel Security Package - - Remote Desktop Protocol (RDP) Client - - Encrypting File System (EFS) - - Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) - - BitLocker® Drive Full-volume Encryption - - IPsec Settings of Windows Firewall +- Schannel Security Package +- Remote Desktop Protocol (RDP) Client +- Encrypting File System (EFS) +- Some Microsoft .NET Framework Applications (.NET also provides cryptographic algorithm implementations that have not been FIPS 140 validated.) +- BitLocker® Drive Full-volume Encryption +- IPsec Settings of Windows Firewall #### Effects of Setting FIPS Local/Group Security Policy Flag diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md index aa7a994ca7..406b15ff97 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md @@ -143,8 +143,8 @@ For more information, see [Create rules for alert notifications](configure-email These check boxes must be checked: - - **Include organization name** - The customer name will be added to email notifications - - **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal +- **Include organization name** - The customer name will be added to email notifications +- **Include tenant-specific portal link** - Alert link URL will have tenant specific parameter (tid=target_tenant_id) that allows direct access to target tenant portal ## Fetch alerts from MSSP customer's tenant into the SIEM system diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index dba3eaf576..71cc754e25 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -36,17 +36,17 @@ The embedded Microsoft Defender ATP sensor runs in system context using the Loca The WinHTTP configuration setting is independent of the Windows Internet (WinINet) Internet browsing proxy settings and can only discover a proxy server by using the following discovery methods: - - Auto-discovery methods: - - Transparent proxy - - Web Proxy Auto-discovery Protocol (WPAD) +- Auto-discovery methods: + - Transparent proxy + - Web Proxy Auto-discovery Protocol (WPAD) > [!NOTE] > If you're using Transparent proxy or WPAD in your network topology, you don't need special configuration settings. For more information on Microsoft Defender ATP URL exclusions in the proxy, see [Enable access to Microsoft Defender ATP service URLs in the proxy server](#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server). - - Manual static proxy configuration: - - Registry based configuration - - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) +- Manual static proxy configuration: + - Registry based configuration + - WinHTTP configured using netsh command – Suitable only for desktops in a stable topology (for example: a desktop in a corporate network behind the same proxy) @@ -182,4 +182,4 @@ However, if the connectivity check results indicate a failure, an HTTP error is ## Related topics - [Onboard Windows 10 machines](configure-endpoints.md) -- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) \ No newline at end of file +- [Troubleshoot Microsoft Defender Advanced Threat Protection onboarding issues](troubleshoot-onboarding.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md index 9b2eecd333..14ad8b673c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md +++ b/windows/security/threat-protection/microsoft-defender-atp/evaluation-lab.md @@ -49,19 +49,19 @@ When you add a machine to your environment, Microsoft Defender ATP sets up a wel The machine will automatically be onboarded to your tenant with the recommended Windows security components turned on and in audit mode - with no effort on your side. - The following security components are pre-configured in the test machines: + The following security components are pre-configured in the test machines: - - [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) - - [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) - - [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) - - [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection) - - [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) - - [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) - - [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) - - [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) +- [Attack Surface Reduction](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) +- [Block at first sight](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus) +- [Controlled Folder Access](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) +- [Exploit Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection) +- [Network Protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard) +- [Potentially unwanted application detection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus) +- [Cloud-delivered protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus) +- [Windows Defender SmartScreen](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview) - >[!NOTE] - > Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). +>[!NOTE] +> Windows Defender Antivirus will be on (not in audit). If Windows Defender Antivirus blocks you from running your simulation, you may turn off real-time protection on the machine through Windows Security. For more information, see [Configure always-on protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus). Automated investigation settings will be dependent on tenant settings. It will be configured to be semi-automated by default. For more information, see [Overview of Automated investigations](automated-investigations.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md index 34c8475792..31fa70aa03 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-full-sample-powershell.md @@ -26,9 +26,9 @@ ms.date: 09/24/2018 Full scenario using multiple APIs from Microsoft Defender ATP. In this section we share PowerShell samples to - - Retrieve a token - - Use token to retrieve the latest alerts in Microsoft Defender ATP - - For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. +- Retrieve a token +- Use token to retrieve the latest alerts in Microsoft Defender ATP +- For each alert, if the alert has medium or high priority and is still in progress, check how many times the machine has connected to suspicious URL. >**Prerequisite**: You first need to [create an app](apis-intro.md). diff --git a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md index bd6891a8c2..badfd2aed7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md +++ b/windows/security/threat-protection/microsoft-defender-atp/fix-unhealthy-sensors.md @@ -53,8 +53,8 @@ Do you expect a machine to be in ‘Active’ status? [Open a support ticket](ht ## Misconfigured machines Misconfigured machines can further be classified to: - - Impaired communications - - No sensor data +- Impaired communications +- No sensor data ### Impaired communications This status indicates that there's limited communication between the machine and the service. diff --git a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md index 66a4fdedf6..ada385d846 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/offboard-machines.md @@ -32,13 +32,13 @@ ms.topic: conceptual Follow the corresponding instructions depending on your preferred deployment method. ## Offboard Windows 10 machines - - [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) - - [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) - - [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) - - [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) +- [Offboard machines using a local script](configure-endpoints-script.md#offboard-machines-using-a-local-script) +- [Offboard machines using Group Policy](configure-endpoints-gp.md#offboard-machines-using-group-policy) +- [Offboard machines using System Center Configuration Manager](configure-endpoints-sccm.md#offboard-machines-using-system-center-configuration-manager) +- [Offboard machines using Mobile Device Management tools](configure-endpoints-mdm.md#offboard-and-monitor-machines-using-mobile-device-management-tools) ## Offboard Servers - - [Offboard servers](configure-server-endpoints.md#offboard-servers) +- [Offboard servers](configure-server-endpoints.md#offboard-servers) ## Offboard non-Windows machines - - [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines) +- [Offboard non-Windows machines](configure-endpoints-non-windows.md#offboard-non-windows-machines) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md index 7b758a94bc..0be4b4e073 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-indicator-concepts.md @@ -44,9 +44,9 @@ In the context of Microsoft Defender ATP, alert definitions are containers for I Each IOC defines the concrete detection logic based on its type and value as well as its action, which determines how it is matched. It is bound to a specific alert definition that defines how a detection is displayed as an alert on the Microsoft Defender ATP console. Here is an example of an IOC: - - Type: Sha1 - - Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56 - - Action: Equals +- Type: Sha1 +- Value: 92cfceb39d57d914ed8b14d0e37643de0797ae56 +- Action: Equals IOCs have a many-to-one relationship with alert definitions such that an alert definition can have many IOCs that correspond to it. diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index 289a76f1c5..fa862e9599 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -296,9 +296,9 @@ You might also need to check the following: ## Licensing requirements Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - - Windows 10 Enterprise E5 - - Windows 10 Education E5 - - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 +- Windows 10 Enterprise E5 +- Windows 10 Education E5 +- Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). diff --git a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md index b61fbe54d1..115361ba35 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/deployment-vdi-windows-defender-antivirus.md @@ -191,7 +191,7 @@ This setting will prevent a scan from occurring after receiving an update. You c ### Enable headless UI mode - - Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. +- Double-click **Enable headless UI mode** and set the option to **Enabled**. Click **OK**. This hides the entire Windows Defender AV user interface from users. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 3622d0e101..f762644195 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Add rules for packaged apps to existing AppLocker rule-set **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 86c295cf9e..8730c6c545 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -20,8 +20,8 @@ ms.date: 02/28/2019 # Administer AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index d2d3584bf7..f7a0f16873 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # AppLocker architecture and components **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professional describes AppLocker’s basic architecture and its major components. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index c12a1e59ac..3bfb26bb30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # AppLocker functions **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 37045a74e8..7f4112593f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -20,8 +20,8 @@ ms.date: 10/16/2017 # AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 7758f45ec7..e92450d695 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -21,8 +21,8 @@ ms.date: 09/21/2017 # AppLocker deployment guide **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index a7258ab473..d723d9a054 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # AppLocker design guide **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 6e50eebbd2..3e660d6659 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # AppLocker policy use scenarios **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index e32e6bf896..54ec678b22 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # AppLocker processes and interactions **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index c02fce9a90..f289a40fe7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # AppLocker settings **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional lists the settings used by AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index f330084b0b..031ce25230 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # AppLocker technical reference **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index ce69d9e064..2dd978d52b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -20,8 +20,8 @@ ms.date: 06/08/2018 # Configure an AppLocker policy for audit only **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index 24f5aeb1ef..36cce5baec 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Configure an AppLocker policy for enforce rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index 018d76dd6b..dfb7c8814a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Add exceptions for an AppLocker rule **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index 52899e5621..a3a2d593bb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Configure the AppLocker reference device **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index fffa53c756..c2c55cccf6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -20,8 +20,8 @@ ms.date: 04/02/2018 # Configure the Application Identity service **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index d87b6b2d31..7ac5a2faeb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create a rule for packaged apps **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index 9248042379..f7689c76f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create a rule that uses a file hash condition **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 7d7608f7c8..728693dc35 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create a rule that uses a path condition **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals shows how to create an AppLocker rule with a path condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 58609a7102..5a875b4b84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create a rule that uses a publisher condition **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 8f20bf3c9a..f68602c282 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create AppLocker default rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 7afc539899..e0c0cb658f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create a list of apps deployed to each business group **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index 859761b9b9..4cb2f24434 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create Your AppLocker policies **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 6fb52b2843..6d75ecfc99 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create Your AppLocker rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index 84e53cfb2d..be00ebc127 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -20,8 +20,8 @@ ms.date: 08/02/2018 # Delete an AppLocker rule **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to delete an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 0fe96e42aa..65374479fc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Deploy AppLocker policies by using the enforce rules setting **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index dd81603afd..058e736230 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Deploy the AppLocker policy into production **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 2226a672dd..e03376d487 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Determine the Group Policy structure and rule enforcement **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This overview topic describes the process to follow when you are planning to deploy AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index c8d4acc789..3b75aaec82 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Determine which apps are digitally signed on a reference device **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index e1b0bef761..7f43b4f3cd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Determine your application control objectives **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index c39d07f07a..f87c93e451 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Display a custom URL message when users try to run a blocked app **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index 60741a87ed..ec45f1d75e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # DLL rules in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes the file formats and available default rules for the DLL rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 415d381cc4..44a181aa71 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Document the Group Policy structure and AppLocker rule enforcement **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index 1ea62b509f..3cac5abbce 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Document your app list **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index a748a0fb9d..2147e2fe3f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Document your AppLocker rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes what rule conditions to associate with each file, how to associate the rule conditions with each file, the source of the rule, and whether the file should be included or excluded. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 08db847c8a..03b04a1190 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Edit an AppLocker policy **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps required to modify an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index 8bf42722e6..028a8237bc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Edit AppLocker rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index 1f45a8cb4d..575de45499 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Enable the DLL rule collection **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index e34cd10524..b396db1cfb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Enforce AppLocker rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes how to enforce application control rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index 09e13411bb..ffdc7ace8c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Executable rules in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes the file formats and available default rules for the executable rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 579f6a1677..0443b67c6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Export an AppLocker policy from a GPO **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index 1d42dabe51..6856386f4a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Export an AppLocker policy to an XML file **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index 6d259a430f..b4adeb4b33 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # How AppLocker works **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index cd3f2ab32d..eaa7c7aa78 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Import an AppLocker policy from another computer **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes how to import an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index 07ffba8bd0..ac5ac53cd5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Import an AppLocker policy into a GPO **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index af959d3197..20b1b50dae 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Maintain AppLocker policies **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes how to maintain rules within AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index bd4497b964..3a9dee486d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Manage packaged apps with AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 575ad0d393..47c7db9884 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Merge AppLocker policies by using Set-ApplockerPolicy **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index 0ccb16202c..f40ead0fc0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Merge AppLocker policies manually **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 72378b52ca..9d03415f49 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Monitor app usage with AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index 50e84edb7a..d669f7c890 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Optimize AppLocker performance **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes how to optimize AppLocker policy enforcement. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index eb87d51320..1057121e64 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 10/13/2017 # Packaged apps and packaged app installer rules in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic explains the AppLocker rule collection for packaged app installers and packaged apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index d0e2f069fe..90bf198903 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Plan for AppLocker policy management **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index de3556a475..9e6a10f475 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Refresh an AppLocker policy **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to force an update for an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index b1187d6b13..5bfe8d38ed 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Requirements for deploying AppLocker policies **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index edcc2be0d3..ded7e2d592 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Requirements to use AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index a0a509e1ae..a87df1bc69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Run the Automatically Generate Rules wizard **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 068f4f5786..1854e961d1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Script rules in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes the file formats and available default rules for the script rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 2fbfbf63aa..bde5f92033 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Security considerations for AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 74fe7bc8ec..4daacad66d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Select the types of rules to create **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic lists resources you can use when selecting your application control policy rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index dd5cb6b46d..00511d0f23 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Test an AppLocker policy by using Test-AppLockerPolicy **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index e1d63a2f9d..6306c10479 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Test and update an AppLocker policy **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic discusses the steps required to test an AppLocker policy prior to deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index d3666a1e1e..974a0000cc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Tools to use with AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes the tools available to create and administer AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 38e080a194..0cd67f03d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understand AppLocker enforcement settings **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes the AppLocker enforcement settings for rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index 29a92cb366..fedd0c187e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -20,8 +20,8 @@ ms.date: 10/13/2017 # Understand AppLocker policy design decisions **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 60372d5be9..eef85dda63 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understand AppLocker rules and enforcement setting inheritance in Group Policy **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index cf93b27a4b..5e0c80b55d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understand the AppLocker policy deployment process **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 50811e33c0..f9cdae7831 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding AppLocker allow and deny actions on rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic explains the differences between allow and deny actions on AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index aab40287b6..d2d2d98598 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding AppLocker default rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index fb7afc79b9..cbb7806a6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding AppLocker rule behavior **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index f2788d4bfc..0392b51405 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding AppLocker rule collections **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index f937e73090..ace4b89837 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding AppLocker rule condition types **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes the three types of AppLocker rule conditions. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index 08aeb4091d..9420c1f20f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding AppLocker rule exceptions **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes the result of applying AppLocker rule exceptions to rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 3bb3ba52c4..b0e028c79d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding the file hash rule condition in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 0e59ec885b..95863340c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding the path rule condition in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 52259c9248..73bd0d992a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Understanding the publisher rule condition in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index 9c5076e4c6..adf5eb6279 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -21,8 +21,8 @@ ms.date: 09/21/2017 # Use a reference device to create and maintain AppLocker policies **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 1f70ea7e87..828934ca43 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Use AppLocker and Software Restriction Policies in the same domain **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index 0f4a4872cf..58edb0059e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Use the AppLocker Windows PowerShell cmdlets **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index a3834e3625..78c04357c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Using Event Viewer with AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 3583e3fd1b..1dd5197ddd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Use Software Restriction Policies and AppLocker policies **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index a3c525fbfa..2ddcbb332e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # What Is AppLocker? **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index a853be9f44..50fff5a7b2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Windows Installer rules in AppLocker **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic describes the file formats and available default rules for the Windows Installer rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index d3c403d633..2bde016bc2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Working with AppLocker policies **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index c899126846..1b92efcccf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -18,8 +18,8 @@ ms.date: 08/27/2018 # Working with AppLocker rules **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md index abaa31c6ff..d7f2a132fb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Create your Windows Defender Application Control (WDAC) planning document **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document. diff --git a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md index 6a6df72992..f29188cd79 100644 --- a/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md +++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md @@ -20,8 +20,8 @@ ms.date: 09/21/2017 # Document your application control management processes **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This planning topic describes the Windows Defender Application Control (WDAC) policy maintenance information to record for your design document. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 44ff0aa926..e9719fd4e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -18,8 +18,8 @@ ms.author: dansimp # Windows Defender Application Control design guide **Applies to** - - Windows 10 - - Windows Server +- Windows 10 +- Windows Server This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 07172573b3..ea7aa818f2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -293,8 +293,8 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ``` ### Requirements for running HVCI in Hyper-V virtual machines - - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time - - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. +- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. +- HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time +- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/windows-platform-common-criteria.md b/windows/security/threat-protection/windows-platform-common-criteria.md index d9cd25a523..149ba35f1d 100644 --- a/windows/security/threat-protection/windows-platform-common-criteria.md +++ b/windows/security/threat-protection/windows-platform-common-criteria.md @@ -23,33 +23,33 @@ Microsoft is committed to optimizing the security of its products and services. The Security Target describes security functionality and assurance measures used to evaluate Windows. - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx) - - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) - - [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf) - - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) - - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf) - - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf) - - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf) - - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf) - - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf) - - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) - - [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) - - [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) - - [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) - - [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) - - [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) - - [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) - - [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) - - [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) +- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/0/7/6/0764E933-DD0B-45A7-9144-1DD9F454DCEF/Windows%2010%201803%20GP%20OS%20Security%20Target.pdf) +- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf) +- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf) +- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf) +- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx) +- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx) +- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/b/f/5/bf59e430-e57b-462d-8dca-8ac3c93cfcff/windows%2010%20anniversary%20update%20ipsec%20vpn%20client%20security%20target%20-%20public%20\(december%2029%202016\)%20\(clean\).docx) +- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/7/2/372beb03-b1ed-4bb6-9b9b-b8f43afc570d/st_vid10746-st.pdf) +- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/a/c/2/ac2a6ed8-4d2f-4f48-a9bf-f059d6c9af38/windows%2010%20mdf3%20security%20target%20-%20public%20\(june%2022%202016\)\(final\).docx) +- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) +- [Windows 10 and Windows Server 2012 R2](http://www.commoncriteriaportal.org/files/epfiles/st_windows10.pdf) +- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-st.pdf) +- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-st.pdf) +- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-st.pdf) +- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-st.pdf) +- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-st.pdf) +- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-st.pdf) +- [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-st.pdf) +- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-st.pdf) +- [Windows 7 and Windows Server 2008 R2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-st.pdf) +- [Microsoft Windows Server 2008 R2 Hyper-V Role](http://www.microsoft.com/download/en/details.aspx?id=29305) +- [Windows Vista and Windows Server 2008 at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-st.pdf) +- [Microsoft Windows Server 2008 Hyper-V Role](http://www.commoncriteriaportal.org/files/epfiles/0570b_pdf.pdf) +- [Windows Vista and Windows Server 2008 at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_st_v1.0.pdf) +- [Windows Server 2003 SP2 including R2, x64, and IA64; Windows XP Professional SP2 and x64 SP2; and Windows XP Embedded SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10184-st.pdf) +- [Windows Server 2003 Certificate Server](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-st.pdf) +- [Windows Rights Management Services (RMS) 1.0 SP2](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-st.pdf) ## Common Criteria Deployment and Administration @@ -59,77 +59,77 @@ These documents describe how to configure Windows to replicate the configuration **Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2** - - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx) - - [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf) - - [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf) - - [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf) + +- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/C/1/6C13FBFF-9CB0-455F-A1C8-3E3CB0ACBD7B/Windows%2010%201803%20GP%20OS%20Administrative%20Guide.pdf) +- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf) +- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf) +- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf) +- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx) +- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx) +- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client Operational Guidance](https://download.microsoft.com/download/2/c/c/2cc8f929-233e-4a40-b673-57b449680984/windows%2010%20au%20and%20server%202016%20ipsec%20vpn%20client%20operational%20guidance%20\(21%20dec%202016\)%20\(public\).docx) +- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/3/3/f/33fa01dd-b380-46e1-833f-fd85854b4022/st_vid10746-agd.pdf) +- [Microsoft Windows 10 November 2015 Update with Surface Book Administrative Guide](https://download.microsoft.com/download/3/2/c/32c6fa02-b194-478f-a0f6-0215b47d0f40/windows%2010%20mdf3%20mobile%20device%20pp%20operational%20guidance%20\(may%2027,%202016\)\(public\).docx) +- [Microsoft Windows 10 Mobile and Windows 10 Administrative Guide](https://download.microsoft.com/download/2/d/c/2dce3435-9328-48e2-9813-c2559a8d39fa/microsoft%20windows%2010%20and%20windows%2010%20mobile%20guidance.pdf) +- [Windows 10 and Windows Server 2012 R2 Administrative Guide](https://download.microsoft.com/download/0/f/d/0fd33c9a-98ac-499e-882f-274f80f3d4f0/microsoft%20windows%2010%20and%20server%202012%20r2%20gp%20os%20guidance.pdf) +- [Windows 10 Common Criteria Operational Guidance](https://download.microsoft.com/download/d/6/f/d6fb4cec-f0f2-4d00-ab2e-63bde3713f44/windows%2010%20mobile%20device%20operational%20guidance.pdf) **Windows 8.1 and Windows Phone 8.1** - - [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) - - [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) +- [Microsoft Surface Pro 3 Common Criteria Mobile Operational Guidance](https://download.microsoft.com/download/b/e/3/be365594-daa5-4af3-a6b5-9533d61eae32/surface%20pro%203%20mobile%20operational%20guidance.docx) +- [Windows 8.1 and Windows Phone 8.1 CC Supplemental Admin Guide](https://download.microsoft.com/download/b/0/e/b0e30225-5017-4241-ac0a-6c40bc8e6714/mobile%20operational%20guidance.docx) **Windows 8, Windows RT, and Windows Server 2012** - - [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) - - [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) - - [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) +- [Windows 8 and Windows Server 2012](https://download.microsoft.com/download/6/0/b/60b27ded-705a-4751-8e9f-642e635c3cf3/microsoft%20windows%208%20windows%20server%202012%20common%20criteria%20supplemental%20admin%20guidance.docx) +- [Windows 8 and Windows RT](https://download.microsoft.com/download/8/6/e/86e8c001-8556-4949-90cf-f5beac918026/microsoft%20windows%208%20microsoft%20windows%20rt%20common%20criteria%20supplemental%20admin.docx) +- [Windows 8 and Windows Server 2012 BitLocker](https://download.microsoft.com/download/0/8/4/08468080-540b-4326-91bf-f2a33b7e1764/administrative%20guidance%20for%20software%20full%20disk%20encryption%20clients.pdf) +- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](https://download.microsoft.com/download/a/9/f/a9fd7e2d-023b-4925-a62f-58a7f1a6bd47/microsoft%20windows%208%20windows%20server%202012%20supplemental%20admin%20guidance%20ipsec%20vpn%20client.docx) **Windows 7 and Windows Server 2008 R2** - - [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) - - [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308) +- [Windows 7 and Windows Server 2008 R2 Supplemental CC Guide](https://www.microsoft.com/downloads/en/details.aspx?familyid=ee05b6d0-9939-4765-9217-63083bb94a00) +- [Windows Server 2008 R2 Hyper-V Common Criteria Configuration Guide](http://www.microsoft.com/download/en/details.aspx?id=29308) **Windows Vista and Windows Server 2008** - - [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) - - [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) +- [Windows Vista and Windows Server 2008 Supplemental CC Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=06166288-24c4-4c42-9daa-2b2473ddf567) +- [Windows Server 2008 Hyper-V Role Common Criteria Administrator Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=cb19538d-9e13-4ab6-af38-8f48abfdad08) **Windows Server 2003 SP2 including R2, x64, and Itanium** - - [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) - - [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) +- [Windows Server 2003 SP2 R2 Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=39598841-e693-4891-9234-cfd1550f3949) +- [Windows Server 2003 SP2 R2 Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=4f7b6a93-0307-480f-a5af-a20268cbd7cc) **Windows Server 2003 SP1(x86), x64, and IA64** - - [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) - - [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) +- [Windows Server 2003 with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=8a26829f-c177-4b79-913a-4135fb7b96ef) +- [Windows Server 2003 with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=3f9ecd0a-74dd-4d23-a4e5-d7b63fed70e8) **Windows Server 2003 SP1** - - [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) - - [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) +- [Windows Server 2003 Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=75736009-59e9-4a71-879e-cf581817b8cc) +- [Windows Server 2003 Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=a0ad1856-beb7-4285-b47c-381e8a210c38) **Windows XP Professional SP2 (x86) and x64 Edition** - - [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) - - [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) - - [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) - - [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) - - [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) - - [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) +- [Windows XP Common Criteria Administrator Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=9a7f0b16-72ce-4675-aec8-58785c4e37ee) +- [Windows XP Common Criteria Configuration Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=165da57d-f066-4ddf-9462-cbecfcd68694) +- [Windows XP Common Criteria User Guide 3.0](http://www.microsoft.com/downloads/details.aspx?familyid=7c1a4761-9b9e-429c-84eb-cd7b034c5779) +- [Windows XP Professional with x64 Hardware Administrator's Guide](http://www.microsoft.com/downloads/details.aspx?familyid=346f041e-d641-4af7-bdea-c5a3246d0431) +- [Windows XP Professional with x64 Hardware Configuration Guide](http://www.microsoft.com/downloads/details.aspx?familyid=a7075319-cc3d-4420-a00b-8c9a7068ad54) +- [Windows XP Professional with x64 Hardware User’s Guide](http://www.microsoft.com/downloads/details.aspx?familyid=26c49cf5-6159-4197-97ce-bf1fdfc54569) **Windows XP Professional SP2, and XP Embedded SP2** - - [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) - - [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) - - [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) +- [Windows XP Professional Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9bcac470-a0b3-4d34-a561-fa8308c0ff60) +- [Windows XP Professional Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=9f04915e-571a-422d-8ffa-5797051e81de) +- [Windows XP Professional User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=d39d0028-7093-495c-80da-2b5b29a54bd8) **Windows Server 2003 Certificate Server** - - [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) - - [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) - - [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) +- [Windows Server 2003 Certificate Server Administrator's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=445093d8-45e2-4cf6-884c-8802c1e6cb2d) +- [Windows Server 2003 Certificate Server Configuration Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=46abc8b5-11be-4e3d-85c2-63226c3688d2) +- [Windows Server 2003 Certificate Server User's Guide](http://www.microsoft.com/downloads/en/details.aspx?familyid=74f66d84-2654-48d0-b9b5-b383d383425e) ## Common Criteria Evaluation Technical Reports and Certification / Validation Reports @@ -137,41 +137,40 @@ These documents describe how to configure Windows to replicate the configuration An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team. - - [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) - - [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) - - [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) - - [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) - - [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) - - [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) - - [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) - - [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) - - [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf) - - [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) - - [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf) - - [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf) - - [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf) - - [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf) - - [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf) - - [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf) - - [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) - - [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) - - [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) - - [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) - - [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) - - [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) - - [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) - - [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) - - [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) - - [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) - - [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) - - [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) - - [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) - - [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) +- [Microsoft Windows 10 (April 2018 Update)](http://download.microsoft.com/download/6/7/1/67167BF2-885D-4646-A61E-96A0024B52BB/Windows%2010%201803%20GP%20OS%20Certification%20Report.pdf) +- [Microsoft Windows 10 (Fall Creators Update)](https://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf) +- [Microsoft Windows 10 (Creators Update)](https://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf) +- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](https://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf) +- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](https://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf) +- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](https://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf) +- [Windows 10 (Anniversary Update) and Windows Server 2016 IPsec VPN Client](https://download.microsoft.com/download/2/0/a/20a8e686-3cd9-43c4-a22a-54b552a9788a/st_vid10753-vr.pdf) +- [Microsoft Windows 10 IPsec VPN Client](https://download.microsoft.com/download/9/b/6/9b633763-6078-48aa-b9ba-960da2172a11/st_vid10746-vr.pdf) +- [Microsoft Windows 10 November 2015 Update with Surface Book](https://download.microsoft.com/download/d/c/b/dcb7097d-1b9f-4786-bb07-3c169fefb579/st_vid10715-vr.pdf) +- [Microsoft Windows 10 Mobile with Lumia 950, 950 XL, 550, 635, and Windows 10 with Surface Pro 4](https://www.niap-ccevs.org/st/st_vid10694-vr.pdf) +- [Windows 10 and Windows Server 2012 R2](https://www.commoncriteriaportal.org/files/epfiles/cr_windows10.pdf) +- [Windows 10](https://www.niap-ccevs.org/st/st_vid10677-vr.pdf) +- [Windows 8.1 with Surface 3 and Windows Phone 8.1 with Lumia 635 and Lumia 830](https://www.niap-ccevs.org/st/st_vid10635-vr.pdf) +- [Microsoft Surface Pro 3 and Windows 8.1](https://www.niap-ccevs.org/st/st_vid10632-vr.pdf) +- [Windows 8.1 and Windows Phone 8.1](https://www.niap-ccevs.org/st/st_vid10592-vr.pdf) +- [Windows 8 and Windows Server 2012](https://www.niap-ccevs.org/st/st_vid10520-vr.pdf) +- [Windows 8 and Windows RT](https://www.niap-ccevs.org/st/st_vid10620-vr.pdf) +- [Windows 8 and Windows Server 2012 BitLocker](http://www.commoncriteriaportal.org/files/epfiles/st_vid10540-vr.pdf) +- [Windows 8, Windows RT, and Windows Server 2012 IPsec VPN Client](http://www.commoncriteriaportal.org/files/epfiles/st_vid10529-vr.pdf) +- [Windows 7 and Windows Server 2008 R2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10390-vr.pdf) +- [Windows Vista and Windows Server 2008 Validation Report at EAL4+](http://www.commoncriteriaportal.org/files/epfiles/st_vid10291-vr.pdf) +- [Windows Server 2008 Hyper-V Role Certification Report](http://www.commoncriteriaportal.org/files/epfiles/0570a_pdf.pdf) +- [Windows Vista and Windows Server 2008 Certification Report at EAL1](http://www.commoncriteriaportal.org/files/epfiles/efs-t005_msvista_msserver2008_eal1_cr_v1.0.pdf) +- [Windows XP / Windows Server 2003 with x64 Hardware ETR](http://www.microsoft.com/downloads/details.aspx?familyid=6e8d98f9-25b9-4c85-9bd9-24d91ea3c9ef) +- [Windows XP / Windows Server 2003 with x64 Hardware ETR, Part II](http://www.microsoft.com/downloads/details.aspx?familyid=0c35e7d8-9c56-4686-b902-d5ffb9915658) +- [Windows Server 2003 SP2 including R2, Standard, Enterprise, Datacenter, x64, and Itanium Editions Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) +- [Windows XP Professional SP2 and x64 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) +- [Windows XP Embedded SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/20080303_st_vid10184-vr.pdf) +- [Windows XP and Windows Server 2003 ETR](http://www.microsoft.com/downloads/details.aspx?familyid=63cf2a1e-f578-4bb5-9245-d411f0f64265) +- [Windows XP and Windows Server 2003 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9506-vr.pdf) +- [Windows Server 2003 Certificate Server ETR](http://www.microsoft.com/downloads/details.aspx?familyid=a594e77f-dcbb-4787-9d68-e4689e60a314) +- [Windows Server 2003 Certificate Server Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid9507-vr.pdf) +- [Microsoft Windows Rights Management Services (RMS) 1.0 SP2 Validation Report](http://www.commoncriteriaportal.org/files/epfiles/st_vid10224-vr.pdf) ## Other Common Criteria Related Documents - - [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) - +- [Identifying Windows XP and Windows Server 2003 Common Criteria Certified Requirements for the NIST Special Publication 800-53](https://download.microsoft.com/download/a/9/6/a96d1dfc-2bd4-408d-8d93-e0ede7529691/xpws03_ccto800-53.doc) diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md index 1db0749694..4c6f69c1a2 100644 --- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md +++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md @@ -24,10 +24,10 @@ This article lists new and updated features and content that are of interest to >Features in Windows 10 Enterprise 2019 LTSC are equivalent to Windows 10, version 1809. Windows 10 Enterprise LTSC 2019 builds on Windows 10 Pro, version 1809 adding premium features designed to address the needs of large and mid-size organizations (including large academic institutions), such as: - - Advanced protection against modern security threats - - Full flexibility of OS deployment - - Updating and support options - - Comprehensive device and app management and control capabilities +- Advanced protection against modern security threats +- Full flexibility of OS deployment +- Updating and support options +- Comprehensive device and app management and control capabilities The Windows 10 Enterprise LTSC 2019 release is an important release for LTSC users because it includes the cumulative enhancements provided in Windows 10 versions 1703, 1709, 1803, and 1809. Details about these enhancements are provided below. @@ -108,12 +108,12 @@ Endpoint detection and response is improved. Enterprise customers can now take a - [Take response actions on a file](/windows/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection) - Quickly respond to detected attacks by stopping and quarantining files or blocking a file. Additional capabilities have been added to help you gain a holistic view on **investigations** include: - - [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - - [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) - - [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) - - [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. - - [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. - - [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics) - Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. +- [Query data using Advanced hunting in Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection) +- [Use Automated investigations to investigate and remediate threats](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection) +- [Investigate a user account](/windows/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection) - Identify user accounts with the most active alerts and investigate cases of potential compromised credentials. +- [Alert process tree](/windows/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection#alert-process-tree) - Aggregates multiple detections and related events into a single view to reduce case resolution time. +- [Pull alerts using REST API](/windows/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection) - Use REST API to pull alerts from Windows Defender ATP. Other enhanced security features include: - [Check sensor health state](/windows/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection) - Check an endpoint's ability to provide sensor data and communicate with the Windows Defender ATP service and fix known issues. From 4321583a9c828b8007c024277d90191ec6d46b02 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Mon, 12 Aug 2019 19:11:21 -0400 Subject: [PATCH 26/37] fix: MD005/list-indent Inconsistent indentation for list items at the same level --- windows/deployment/update/waas-wu-settings.md | 84 +++++++++---------- ...-basic-audit-policy-on-a-file-or-folder.md | 2 +- 2 files changed, 43 insertions(+), 43 deletions(-) diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 2b0e2f7f98..2b84969903 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -9,7 +9,7 @@ author: jaimeo ms.localizationpriority: medium ms.audience: itpro author: jaimeo -ms.reviewer: +ms.reviewer: manager: laurawi ms.topic: article --- @@ -22,7 +22,7 @@ ms.topic: article - Windows 10 -> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) +> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq) You can use Group Policy settings or mobile device management (MDM) to configure the behavior of Windows Update (WU) on your Windows 10 devices. You can configure the update detection frequency, select when updates are received, specify the update service location and more. @@ -31,7 +31,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure ## Summary of Windows Update settings -| Group Policy setting | MDM setting | Supported from version | +| Group Policy setting | MDM setting | Supported from version | | --- | --- | --- | | [Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) | [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) and [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | All | | [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) | [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | 1703 | @@ -62,9 +62,9 @@ For additional settings that configure when Feature and Quality updates are rece ### Specify Intranet Microsoft update service location Specifies an intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network. -This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. +This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network. -To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. +To use this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update\Specify Intranet Microsoft update service location**. You must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update Agent to download updates from an alternate download server instead of the intranet update service. If the setting is set to **Enabled**, the Automatic Updates client connects to the specified intranet Microsoft update service (or alternate download server), instead of Windows Update, to search for and download updates. Enabling this setting means that end users in your organization don’t have to go through a firewall to get updates, and it gives you the opportunity to test updates after deploying them. If the setting is set to **Disabled** or **Not Configured**, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet. @@ -125,7 +125,7 @@ If the intranet Microsoft update service supports multiple target groups, this p ### Allow signed updates from an intranet Microsoft update service location -This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. +This policy setting allows you to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location. To configure this setting in Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows update\Allow signed updates from an intranet Microsoft update service location**. @@ -148,7 +148,7 @@ To add more flexibility to the update process, settings are available to control Allows admins to exclude Windows Update (WU) drivers during updates. -To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. +To configure this setting in Group Policy, use **Computer Configuration\Administrative Templates\Windows Components\Windows update\Do not include drivers with Windows Updates**. Enable this policy to not include drivers with Windows quality updates. If you disable or do not configure this policy, Windows Update will include updates that have a Driver classification. @@ -192,48 +192,48 @@ To do this, follow these steps: 3. Add one of the following registry values to configure Automatic Update. * NoAutoUpdate (REG_DWORD): - + * **0**: Automatic Updates is enabled (default). - + * **1**: Automatic Updates is disabled. - + * AUOptions (REG_DWORD): - + * **1**: Keep my computer up to date is disabled in Automatic Updates. - + * **2**: Notify of download and installation. - + * **3**: Automatically download and notify of installation. - + * **4**: Automatically download and scheduled installation. - * ScheduledInstallDay (REG_DWORD): - - * **0**: Every day. - - * **1** through **7**: The days of the week from Sunday (1) to Saturday (7). - - * ScheduledInstallTime (REG_DWORD): - - **n**, where **n** equals the time of day in a 24-hour format (0-23). - - * UseWUServer (REG_DWORD) - - Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update. - - * RescheduleWaitTime (REG_DWORD) - - **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes) - - > [!NOTE] - > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions. - - * NoAutoRebootWithLoggedOnUsers (REG_DWORD): - - **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on. - - > [!NOTE] - > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. + * ScheduledInstallDay (REG_DWORD): + + * **0**: Every day. + + * **1** through **7**: The days of the week from Sunday (1) to Saturday (7). + + * ScheduledInstallTime (REG_DWORD): + + **n**, where **n** equals the time of day in a 24-hour format (0-23). + + * UseWUServer (REG_DWORD) + + Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update. + + * RescheduleWaitTime (REG_DWORD) + + **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes) + + > [!NOTE] + > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions. + + * NoAutoRebootWithLoggedOnUsers (REG_DWORD): + + **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on. + + > [!NOTE] + > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. To use Automatic Updates with a server that is running Software Update Services, see the Deploying Microsoft Windows Server Update Services 2.0 guidance. @@ -256,7 +256,7 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ - [Update Windows 10 in the enterprise](index.md) - [Overview of Windows as a service](waas-overview.md) -- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) +- [Manage updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md) - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index d72c39898d..f623632235 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -49,7 +49,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and files** - **Subfolders and files only** - **Subfolders only** - - **Files only** + - **Files only** 7. By default, the selected **Basic Permissions** to audit are the following: - **Read and execute** From 29e7f6d63324b05bd96758f896b20527fc4e7ff4 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Mon, 12 Aug 2019 19:12:38 -0400 Subject: [PATCH 27/37] fix: MD006/ul-start-left Consider starting bulleted lists at the beginning of the line --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index af50e5b96b..f4e4106726 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1730,7 +1730,7 @@ If you're running Windows 10, version 1607 or later, you need to: > The Group Policy for the **LockScreenOverlaysDisabled** regkey is **Force a specific default lock screen and logon image** that is under **Control Panel** **Personalization**. --AND- + \-AND- - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Do not show Windows tips** to **Enabled** @@ -1740,7 +1740,7 @@ If you're running Windows 10, version 1607 or later, you need to: - Create a new REG_DWORD registry setting named **DisableSoftLanding** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\CloudContent** with a **value of 1 (one)** --AND- + \-AND- - Set the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Cloud Content** > **Turn off Microsoft consumer experiences** to **Enabled** From 503a73635027547d8f9f0e76c58971f10523454a Mon Sep 17 00:00:00 2001 From: vskab Date: Tue, 13 Aug 2019 09:37:13 +0300 Subject: [PATCH 28/37] instruct to use absolute path to python --- .../microsoft-defender-atp-mac-install-manually.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md index 73f3bdc5e1..872f7f0588 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md @@ -151,7 +151,7 @@ realTimeProtectionEnabled : true 2. Install the configuration file on a client machine: ```bash - python WindowsDefenderATPOnboarding.py + /usr/bin/python WindowsDefenderATPOnboarding.py Generating /Library/Application Support/Microsoft/Defender/com.microsoft.wdav.atp.plist ... (You may be required to enter sudos password) ``` From 210ee05777593417c93affa0024fbcdf0a3e87ce Mon Sep 17 00:00:00 2001 From: Matthew Palko Date: Tue, 13 Aug 2019 08:58:34 -0700 Subject: [PATCH 29/37] updating table of contents --- windows/security/identity-protection/hello-for-business/toc.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md index c286b36226..fece037015 100644 --- a/windows/security/identity-protection/hello-for-business/toc.md +++ b/windows/security/identity-protection/hello-for-business/toc.md @@ -53,7 +53,6 @@ #### [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) #### [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) #### [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -##### [Configure or Deploy Multifactor Authentication Services](hello-cert-trust-deploy-mfa.md) #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) ## [Windows Hello and password changes](hello-and-password-changes.md) From 1b67afcf69330767602b51c9b7bf226119d2a0ab Mon Sep 17 00:00:00 2001 From: John Kaiser <35939694+CoveMiner@users.noreply.github.com> Date: Tue, 13 Aug 2019 09:48:25 -0700 Subject: [PATCH 30/37] Update deploy-the-latest-firmware-and-drivers-for-surface-devices.md --- ...irmware-and-drivers-for-surface-devices.md | 38 +++++++++++++------ 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index 76e1c293cc..78eb4bd170 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -1,5 +1,5 @@ --- -title: Download the latest firmware and drivers for Surface devices (Surface) +title: Deploy the latest firmware and drivers for Surface devices (Surface) description: This article provides a list of the available downloads for Surface devices and links to download the drivers and firmware for your device. ms.assetid: 7662BF68-8BF7-43F7-81F5-3580A770294A ms.reviewer: @@ -11,27 +11,43 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: dansimp -ms.date: 11/15/2018 +ms.date: 08/13/2018 ms.author: dansimp ms.topic: article --- -# Deploying the latest firmware and drivers for Surface devices +# Deploy the latest firmware and drivers for Surface devices Although Surface devices are typically automatically updated with the latest device drivers and firmware via Windows Update, sometimes it's necessary to download and install updates manually, such as during a Windows deployment. -## Downloading MSI files +## Download MSI files To download MSI files, refer to the following Microsoft Support page: - [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware-for-surface)
Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices. ## Deploying MSI files -Driver and firmware updates for Surface devices containing all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10. -In the name of each of these files you will find a Windows build number, this number indicates the minimum supported build required to install the drivers and firmware contained within. Refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information) for a list of the build numbers for each version. For example, to install the drivers contained in SurfacePro6_Win10_16299_1900307_0.msi file you must have Windows 10 Fall Creators Update version 1709, or newer installed on your Surface Pro 6. +Driver and firmware updates for Surface devices consisting of all required cumulative updates are packaged in separate MSI files for specific versions of Windows 10. +The MSI file names contain useful information including the minimum supported Windows build number required to install the drivers and firmware. For example, to install the drivers contained in SurfaceBook_Win10_17763_19.080.2031.0.msi requires Windows 10 Fall Creators Update version 1709 or later installed on your Surface Book. + +To view build numbers for each version, refer to [Windows 10 release information](https://docs.microsoft.com/windows/windows-10/release-information). ### Surface MSI naming convention -Each .MSI file is named in accordance with a formula that begins with the product and Windows release information, followed by the Windows build number and version number, and ending with the revision of version number. SurfacePro6_Win10_16299_1900307_0.msi is classified as follows: +Beginning in August 2019, MSI files use the following naming formula: + +- Product > Windows release > Windows build number > Version number > Revision of version number (typically zero). + +**Example:** +SurfacePro6_Win10_18362_19.073.44195_0.msi : + +| Product | Windows release | Build | Version | Revision of version | +| --- | --- | --- | --- | --- | +| SurfacePro6 | Win10 | 18362 | 19.073.44195 | 0 | +| | | | Indicates key date and sequence information. | Indicates release history of the update. | +| | | | **19:** Signifies the year (2019).
**073**: Signifies the month (July) and week of the release (3).
**44195**: Signifies the minute of the month that the MSI file was created. |**0:** Signifies it's the first release of version 1907344195 and has not been re-released for any reason. | + +### Legacy Surface MSI naming convention +Legacy MSI files prior to August 2019 followed the same overall naming formula but used a different method to derive the version number. **Example:** SurfacePro6_Win10_16299_1900307_0.msi : @@ -39,8 +55,8 @@ SurfacePro6_Win10_16299_1900307_0.msi : | Product | Windows release | Build | Version | Revision of version | | --- | --- | --- | --- | --- | | SurfacePro6 | Win10 | 16299 | 1900307 | 0 | -| | | | Indicates key date and sequence information | Indicates release history of the MSI file | -| | | | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. | +| | | | Indicates key date and sequence information. | Indicates release history of the MSI file. | +| | | | **19:** Signifies the year (2019)
**003**: Signifies that it’s the third release of 2019.
**07**: Signifies the product version number. (Surface Pro 6 is officially the seventh version of Surface Pro.) | **0:** Signifies it's the first release of version 1900307 and has not been re-released for any reason. | Look to the **version** number to determine the latest files that contain the most recent security updates. For example, you might need to install the newest file from the following list: @@ -60,9 +76,9 @@ There are no downloadable firmware or driver updates available for Surface devic For more information about deploying Surface drivers and firmware, refer to: -- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates). +- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates) -- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business). +- [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business)   From 44048c726cfcba58f9d7f3e5534adf2e5cf4f825 Mon Sep 17 00:00:00 2001 From: John Liu <49762389+ShenLanJohn@users.noreply.github.com> Date: Tue, 13 Aug 2019 18:43:45 -0700 Subject: [PATCH 31/37] CAT Auto Publish for Windows Release Messages - CAT_AutoPublish Windows Release Changes - CAT_AutoPublish_2019081317494921 (#897) --- .../resolved-issues-windows-10-1507.yml | 8 ++----- .../resolved-issues-windows-10-1607.yml | 21 +++++++++++++------ .../resolved-issues-windows-10-1703.yml | 19 +++++++++++------ .../resolved-issues-windows-10-1709.yml | 19 +++++++++++------ .../resolved-issues-windows-10-1803.yml | 19 +++++++++++------ ...indows-10-1809-and-windows-server-2019.yml | 19 +++++++++++------ .../resolved-issues-windows-10-1903.yml | 4 ++-- ...ndows-7-and-windows-server-2008-r2-sp1.yml | 10 +++++---- ...windows-8.1-and-windows-server-2012-r2.yml | 8 +++---- ...esolved-issues-windows-server-2008-sp2.yml | 6 ++---- .../resolved-issues-windows-server-2012.yml | 6 ++---- .../status-windows-10-1507.yml | 4 ++-- ...indows-10-1607-and-windows-server-2016.yml | 14 ++++++------- .../status-windows-10-1703.yml | 10 ++++----- .../status-windows-10-1709.yml | 10 ++++----- .../status-windows-10-1803.yml | 10 ++++----- ...indows-10-1809-and-windows-server-2019.yml | 10 ++++----- .../status-windows-10-1903.yml | 20 +++++++----------- ...ndows-7-and-windows-server-2008-r2-sp1.yml | 12 +++++++---- ...windows-8.1-and-windows-server-2012-r2.yml | 8 +++---- .../status-windows-server-2008-sp2.yml | 4 ++-- .../status-windows-server-2012.yml | 4 ++-- .../windows-message-center.yml | 5 +++++ 23 files changed, 142 insertions(+), 108 deletions(-) diff --git a/windows/release-information/resolved-issues-windows-10-1507.yml b/windows/release-information/resolved-issues-windows-10-1507.yml index ab7065d60a..798d3fa659 100644 --- a/windows/release-information/resolved-issues-windows-10-1507.yml +++ b/windows/release-information/resolved-issues-windows-10-1507.yml @@ -32,17 +32,15 @@ sections: - type: markdown text: " - + - -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019
07:03 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved
KB4507458		July 09, 2019
10:00 AM PT
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >		OS Build 10240.18215

May 14, 2019
KB4499154		Resolved
KB4505051		May 19, 2019
02:00 PM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Unable to access hotspots with third-party applications
Third-party applications may have difficulty authenticating hotspots.

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4487018		February 12, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Error 1309 when installing/uninstalling MSI or MSP files
Users may receive \"Error 1309\" while installing or uninstalling certain types of MSI and MSP files.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4489872		March 12, 2019
10:00 AM PT
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4491101		February 21, 2019
02:00 PM PT
First character of Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4489872		March 12, 2019
10:00 AM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 10240.18158

March 12, 2019
KB4489872		Resolved
KB4493475		April 09, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4487018		February 12, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

See details >		OS Build 10240.18132

February 12, 2019
KB4487018		Resolved
KB4489872		March 12, 2019
10:00 AM PT
" @@ -59,7 +57,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -108,8 +106,6 @@ sections: - type: markdown text: " - -
DetailsOriginating updateStatusHistory
Unable to access hotspots with third-party applications
After installing KB4480962, third-party applications may have difficulty authenticating hotspots.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4487018.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4487018		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480962, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493475.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4493475		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, \"Unrecognized Database Format\".

Affected platforms:
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487018.

Back to top		OS Build 10240.18094

January 08, 2019
KB4480962		Resolved
KB4487018		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1607.yml b/windows/release-information/resolved-issues-windows-10-1607.yml index 2c0de867c7..e8b0598941 100644 --- a/windows/release-information/resolved-issues-windows-10-1607.yml +++ b/windows/release-information/resolved-issues-windows-10-1607.yml @@ -32,7 +32,9 @@ sections: - type: markdown text: " - + + + @@ -52,10 +54,8 @@ sections: - -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 14393.3115

July 16, 2019
KB4507459		Resolved
KB4512517		August 13, 2019
10:00 AM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

See details >		OS Build 14393.3085

July 09, 2019
KB4507460		Resolved
KB4512517		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
August 09, 2019
07:03 PM PT
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

See details >		OS Build 14393.2969

May 14, 2019
KB4494440		Resolved
KB4507460		July 09, 2019
10:00 AM PT
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4487006		February 19, 2019
02:00 PM PT
First character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 14393.2759

January 17, 2019
KB4480977		Resolved
KB4487006		February 19, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 14393.2848

March 12, 2019
KB4489882		Resolved
KB4493473		April 25, 2019
02:00 PM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		OS Build 14393.2724

January 08, 2019
KB4480961		Resolved
KB4487026		February 12, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

See details >		OS Build 14393.2791

February 12, 2019
KB4487026		Resolved
KB4487006		February 19, 2019
02:00 PM PT
Issue hosting multiple terminal server sessions and a user logs off on Windows Server
In some cases, Windows Server will stop working and restart when hosting multiple terminal server sessions and a user logs off.

See details >		OS Build 14393.2828

February 19, 2019
KB4487006		Resolved
KB4489882		March 12, 2019
10:00 AM PT
Instant search in Microsoft Outlook fails on Windows Server 2016
Instant search in Microsoft Outlook clients fail with the error, \"Outlook cannot perform the search\" on Windows Server 2016.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4487026		February 12, 2019
10:00 AM PT
" @@ -71,7 +71,18 @@ sections: - type: markdown text: " - + +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
+ " + +- title: July 2019 +- items: + - type: markdown + text: " + + +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512517. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 14393.3115

July 16, 2019
KB4507459		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

Affected platforms:
  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4512517.

Back to top		OS Build 14393.3085

July 09, 2019
KB4507460		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 26, 2019
04:58 PM PT
" @@ -140,7 +151,6 @@ sections:

Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480961, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493470.

Back to topOS Build 14393.2724

January 08, 2019
KB4480961Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480961, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493470.

Back to topOS Build 14393.2724

January 08, 2019
KB4480961Resolved
KB4493470Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480977, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487006.

Back to topOS Build 14393.2759

January 17, 2019
KB4480977Resolved
KB4487006Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 17, 2019
02:00 PM PT -
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.

Affected platforms:
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4487026.

Back to topOS Build 14393.2724

January 08, 2019
KB4480961Resolved
KB4487026Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT " @@ -150,6 +160,5 @@ sections: text: " -
DetailsOriginating updateStatusHistory
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host after installing KB4467684.

Additionally, if you do not follow the best practices, a stop error may occur in vfpext.sys on the hosts.

Affected platforms:
  • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4507459.

Back to top		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4507459		Resolved:
July 16, 2019
10:00 AM PT

Opened:
November 27, 2018
10:00 AM PT
Instant search in Microsoft Outlook fails on Windows Server 2016
After installing KB4467684 on Windows Server 2016, instant search in Microsoft Outlook clients fail with the error, \"Outlook cannot perform the search\".

Affected platforms:
  • Client: Windows 10, version 1607; Windows 10 Enterprise LTSC 2016
  • Server: Windows Server 2016
Resolution: This issue is resolved in KB4487026.

Back to top		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4487026		Resolved:
February 12, 2019
10:00 AM PT

Opened:
November 27, 2018
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1703.yml b/windows/release-information/resolved-issues-windows-10-1703.yml index 3401b26fdf..0786837bf2 100644 --- a/windows/release-information/resolved-issues-windows-10-1703.yml +++ b/windows/release-information/resolved-issues-windows-10-1703.yml @@ -32,7 +32,8 @@ sections: - type: markdown text: " - + + @@ -46,9 +47,7 @@ sections: - -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 15063.1955

July 16, 2019
KB4507467		Resolved
KB4512507		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
August 09, 2019
07:03 PM PT
Devices with Hyper-V enabled may receive BitLocker error 0xC0210000
Some devices with Hyper-V enabled may start into BitLocker recovery with error 0xC0210000.

See details >		OS Build 15063.1805

May 14, 2019
KB4499181		Resolved
KB4507450		July 09, 2019
10:00 AM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 15063.1839

May 28, 2019
KB4499162		Resolved
KB4509476		June 26, 2019
04:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved
KB4503289		June 18, 2019
02:00 PM PT
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4487011		February 19, 2019
02:00 PM PT
First character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 15063.1596

January 15, 2019
KB4480959		Resolved
KB4487011		February 19, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 15063.1689

March 12, 2019
KB4489871		Resolved
KB4493436		April 25, 2019
02:00 PM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4487020		February 12, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

See details >		OS Build 15063.1631

February 12, 2019
KB4487020		Resolved
KB4487011		February 19, 2019
02:00 PM PT
Webpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4487020		February 12, 2019
10:00 AM PT
" @@ -64,7 +63,17 @@ sections: - type: markdown text: " - + +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
+ " + +- title: July 2019 +- items: + - type: markdown + text: " + +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512507. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 15063.1955

July 16, 2019
KB4507467		Resolved
KB4512507		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
" @@ -119,7 +128,5 @@ sections: - -
DetailsOriginating updateStatusHistory
MSXML6 may cause applications to stop responding
After installing KB4480973, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493474.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4493474		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480959, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487011.

Back to top		OS Build 15063.1596

January 15, 2019
KB4480959		Resolved
KB4487011		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 15, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.

Affected platforms:
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487020.

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4487020		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Webpages become unresponsive in Microsoft Edge
After installing KB4480973, some Microsoft Edge users report that they:
  • Cannot load web pages using a local IP address.
  • Cannot load web pages on the Internet using a VPN connection.
Browsing fails or the web page may become unresponsive.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue is resolved in KB4486996

Back to top		OS Build 15063.1563

January 08, 2019
KB4480973		Resolved
KB4487020		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1709.yml b/windows/release-information/resolved-issues-windows-10-1709.yml index d2b59916e7..36039dceaa 100644 --- a/windows/release-information/resolved-issues-windows-10-1709.yml +++ b/windows/release-information/resolved-issues-windows-10-1709.yml @@ -32,7 +32,8 @@ sections: - type: markdown text: " - + + @@ -46,9 +47,7 @@ sections: - -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 16299.1296

July 16, 2019
KB4507465		Resolved
KB4512516		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
August 09, 2019
07:03 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4509477		June 26, 2019
04:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved
KB4503281		June 18, 2019
02:00 PM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 16299.1182

May 28, 2019
KB4499147		Resolved
KB4503284		June 11, 2019
10:00 AM PT
Error 1309 when installing/uninstalling MSI or MSP files
Users may receive “Error 1309” while installing or uninstalling certain types of MSI and MSP files.

See details >		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4489886		March 12, 2019
10:00 AM PT
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4487021		February 19, 2019
02:00 PM PT
First character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 16299.936

January 15, 2019
KB4480967		Resolved
KB4487021		February 19, 2019
02:00 PM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4486996		February 12, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

See details >		OS Build 16299.967

February 12, 2019
KB4486996		Resolved
KB4487021		February 19, 2019
02:00 PM PT
Webpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4486996		February 12, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 16299.1029

March 12, 2019
KB4489886		Resolved
KB4493441		April 09, 2019
10:00 AM PT
" @@ -65,7 +64,17 @@ sections: - type: markdown text: " - + +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
+ " + +- title: July 2019 +- items: + - type: markdown + text: " + +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512516. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 16299.1296

July 16, 2019
KB4507465		Resolved
KB4512516		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
" @@ -129,7 +138,5 @@ sections: - -
DetailsOriginating updateStatusHistory
MSXML6 causes applications to stop responding if an exception was thrown
After installing KB4480978, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493441.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4493441		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480967, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487021.

Back to top		OS Build 16299.936

January 15, 2019
KB4480967		Resolved
KB4487021		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 15, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format.”

Affected platforms:
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4486996.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4486996		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Webpages become unresponsive in Microsoft Edge
After installing KB4480978, some Microsoft Edge users report that they:
  • Cannot load web pages using a local IP address. 
  • Cannot load web pages on the Internet using a VPN connection.  
Browsing fails or the web page may become unresponsive. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue is resolved in KB4486996.

Back to top		OS Build 16299.904

January 08, 2019
KB4480978		Resolved
KB4486996		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1803.yml b/windows/release-information/resolved-issues-windows-10-1803.yml index 24ad1254f2..c94998225d 100644 --- a/windows/release-information/resolved-issues-windows-10-1803.yml +++ b/windows/release-information/resolved-issues-windows-10-1803.yml @@ -32,7 +32,8 @@ sections: - type: markdown text: " - + + @@ -46,9 +47,7 @@ sections: - -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17134.915

July 16, 2019
KB4507466		Resolved
KB4512501		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
August 09, 2019
07:03 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4509478		June 26, 2019
04:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Resolved
KB4503288		June 18, 2019
02:00 PM PT
Opening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.

See details >		OS Build 17134.799

May 21, 2019
KB4499183		Resolved
KB4503286		June 11, 2019
10:00 AM PT
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >		OS Build 17134.590

February 12, 2019
KB4487017		Resolved
KB4487029		February 19, 2019
02:00 PM PT
First character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		February 19, 2019
02:00 PM PT
Custom URI schemes may not start corresponding application
Custom URI schemes for application protocol handlers may not start the corresponding application for local intranet and trusted sites in Internet Explorer.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493437		April 25, 2019
02:00 PM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working.

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4487017		February 12, 2019
10:00 AM PT
Cannot pin a web link on the Start menu or the taskbar
Some users cannot pin a web link on the Start menu or the taskbar.

See details >		OS Build 17134.471

December 11, 2018
KB4471324		Resolved
KB4487029		February 19, 2019
02:00 PM PT
Webpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4487017		February 12, 2019
10:00 AM PT
Stop error when attempting to start SSH from WSL
A stop error occurs when attempting to start Secure Shell from Windows Subsystem for Linux with agent forwarding using a command line switch (ssh –A) or a configuration setting.

See details >		OS Build 17134.648

March 12, 2019
KB4489868		Resolved
KB4493464		April 09, 2019
10:00 AM PT
" @@ -65,7 +64,17 @@ sections: - type: markdown text: " - + +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
+ " + +- title: July 2019 +- items: + - type: markdown + text: " + +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512501. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17134.915

July 16, 2019
KB4507466		Resolved
KB4512501		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
" @@ -128,8 +137,6 @@ sections: - -
DetailsOriginating updateStatusHistory
MSXML6 may cause applications to stop responding
After installing KB4480966, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493464

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4493464		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
First character of the Japanese era name not recognized
After installing KB4480976, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487029

Back to top		OS Build 17134.556

January 15, 2019
KB4480976		Resolved
KB4487029		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 95 file format may randomly stop working. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487017.

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4487017		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Webpages become unresponsive in Microsoft Edge
After installing KB4480966, some Microsoft Edge users report that they: 
  • Cannot load web pages using a local IP address. 
  • Cannot load web pages on the Internet using a VPN connection.  
Browsing fails or the web page may become unresponsive. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue is resolved in KB4487017

Back to top		OS Build 17134.523

January 08, 2019
KB4480966		Resolved
KB4487017		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml index f2dc569ffb..2dd93de94b 100644 --- a/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/resolved-issues-windows-10-1809-and-windows-server-2019.yml @@ -32,7 +32,8 @@ sections: - type: markdown text: " - + + @@ -55,13 +56,11 @@ sections: - -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17763.652

July 22, 2019
KB4505658		Resolved
KB4511553		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
August 09, 2019
07:03 PM PT
Difficulty connecting to some iSCSI-based SANs
Devices may have difficulty connecting to some Storage Area Network (SAN) devices that leverage iSCSI.

See details >		OS Build 17763.529

May 21, 2019
KB4497934		Resolved
KB4509479		June 26, 2019
04:00 PM PT
Devices with Realtek Bluetooth radios drivers may not pair or connect as expected
Devices with some Realtek Bluetooth radios drivers, in some circumstances, may have issues pairing or connecting to devices.

See details >		OS Build 17763.503

May 14, 2019
KB4494441		Resolved
KB4501371		June 18, 2019
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved
KB4501371		June 18, 2019
02:00 PM PT
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4482887		March 01, 2019
10:00 AM PT
First character of the Japanese era name not recognized
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4482887		March 01, 2019
10:00 AM PT
Applications using Microsoft Jet database and Access 95 file format stop working
Applications that use a Microsoft Jet database with the Microsoft Access 9 file format may randomly stop working.

See details >		OS Build 17763.316

February 12, 2019
KB4487044		Resolved
KB4482887		March 01, 2019
10:00 AM PT
Issues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Upgrade block: Devices utilizing AMD Radeon HD2000 or HD4000 series video cards may experience issues with the lock screen and Microsoft Edge tabs.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4487044		February 12, 2019
10:00 AM PT
Shared albums may not sync with iCloud for Windows
Upgrade block: Apple has identified an incompatibility with iCloud for Windows (version 7.7.0.27) where users may experience issues updating or synching Shared Albums.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		March 01, 2019
10:00 AM PT
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Users may see an Intel Audio Display (intcdaud.sys) notification during setup for devices with certain Intel Display Audio Drivers.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		March 01, 2019
10:00 AM PT
F5 VPN clients losing network connectivity
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

See details >		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		March 01, 2019
10:00 AM PT
Global DNS outage affects Windows Update customers
Windows Update customers were recently affected by a network infrastructure event caused by an external DNS service provider's global outage.

See details >		N/A

Resolved
March 08, 2019
11:15 AM PT
Apps may stop working after selecting an audio output device other than the default
Users with multiple audio devices that select an audio output device different from the \"Default Audio Device\" may find certain applications stop working unexpectedly.

See details >		OS Build 17763.348

March 01, 2019
KB4482887		Resolved
KB4490481		April 02, 2019
10:00 AM PT
Webpages become unresponsive in Microsoft Edge
Microsoft Edge users report difficulty browsing and loading webpages.

See details >		OS Build 17763.253

January 08, 2019
KB4480116		Resolved
KB4487044		February 12, 2019
10:00 AM PT
" @@ -77,7 +76,17 @@ sections: - type: markdown text: " - + +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
+ " + +- title: July 2019 +- items: + - type: markdown + text: " + +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4511553. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17763.652

July 22, 2019
KB4505658		Resolved
KB4511553		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
" @@ -149,7 +158,6 @@ sections:
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480116, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to: 
  • Cache size and location show zero or empty. 
  • Keyboard shortcuts may not work properly. 
  • Webpages may intermittently fail to load or render correctly. 
  • Issues with credential prompts. 
  • Issues when downloading files. 
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue was resolved in KB4493509

Back to topOS Build 17763.253

January 08, 2019
KB4480116Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480116, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().
 
The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue was resolved in KB4493509

Back to topOS Build 17763.253

January 08, 2019
KB4480116Resolved
KB4493509Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Global DNS outage affects Windows Update customers
Windows Update customers were affected by a network infrastructure event on January 29, 2019 (21:00 UTC), caused by an external DNS service provider's global outage. A software update to the external provider's DNS servers resulted in the distribution of corrupted DNS records that affected connectivity to the Windows Update service. The DNS records were restored by January 30, 2019 (00:10 UTC), and the majority of local Internet Service Providers (ISP) have refreshed their DNS servers and customer services have been restored. 
 
Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
While this was not an issue with Microsoft's services, we take any service disruption for our customers seriously. We will work with partners to better understand this so we can provide higher quality service in the future even across diverse global network providers. 
 
If you are still unable to connect to Windows Update services due to this problem, please contact your local ISP or network administrator. You can also refer to our new KB4493784 for more information to determine if your network is affected, and to provide your local ISP or network administrator with additional information to assist you. 

Back to topN/A

Resolved
Resolved:
March 08, 2019
11:15 AM PT

Opened:
January 29, 2019
02:00 PM PT -
Webpages become unresponsive in Microsoft Edge
After installing KB4480116, some Microsoft Edge users report that they:
  • Cannot load web pages using a local IP address. 
  • Cannot load web pages on the Internet using a VPN connection.
Browsing fails or the web page may become unresponsive.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709
Resolution: This issue is resolved in KB4487020

Back to topOS Build 17763.253

January 08, 2019
KB4480116Resolved
KB4487044Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT " @@ -159,7 +167,6 @@ sections: text: " - diff --git a/windows/release-information/resolved-issues-windows-10-1903.yml b/windows/release-information/resolved-issues-windows-10-1903.yml index ad7c9065b6..46128ad713 100644 --- a/windows/release-information/resolved-issues-windows-10-1903.yml +++ b/windows/release-information/resolved-issues-windows-10-1903.yml @@ -32,7 +32,7 @@ sections: - type: markdown text: "
DetailsOriginating updateStatusHistory
Audio not working on monitors or TV connected to a PC via HDMI, USB, or DisplayPort
Upgrade block: Microsoft has identified issues with certain new Intel display drivers. Intel inadvertently released versions of its display driver (versions 24.20.100.6344, 24.20.100.6345) to OEMs that accidentally turned on unsupported features in Windows. 
 
As a result, after updating to Windows 10, version 1809, audio playback from a monitor or television connected to a PC via HDMI, USB-C, or a DisplayPort may not function correctly on devices with these drivers.
Note: This Intel display driver issue is different from the Intel Smart Sound Technology driver (version 09.21.00.3755) audio issue previously documented.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019 
Next steps: Intel has released updated drivers to OEM device manufacturers. OEMs need to make the updated driver available via Windows Update. For more information, see the Intel Customer Support article.

Resolution: Microsoft has removed the safeguard hold.



Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
Resolved:
May 21, 2019
07:42 AM PT

Opened:
November 13, 2018
10:00 AM PT
Issues with lock screen and Microsoft Edge tabs for certain AMD Radeon video cards
Note: AMD no longer supports Radeon HD2000 and HD4000 series graphic processor units (GPUs).
 
Upgrade block: After updating to Windows 10, version 1809, Microsoft Edge tabs may stop working when a device is configured with AMD Radeon HD2000 or HD4000 series video cards. Customers may get the following error code: \"INVALID_POINTER_READ_c0000005_atidxx64.dll\". 
 
Some users may also experience performance issues with the lock screen or the ShellExperienceHost. (The lock screen hosts widgets, and the ShellExperienceHost is responsible for assorted shell functionality.) 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4487044, and the block was removed.

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4487044		Resolved:
February 12, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
Shared albums may not sync with iCloud for Windows
Upgrade block: Users who attempt to install iCloud for Windows (version 7.7.0.27) will see a message displayed that this version iCloud for Windows isn't supported and the install will fail.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
To ensure a seamless experience, Microsoft is blocking devices with iCloud for Windows (version 7.7.0.27) software installed from being offered Windows 10, version 1809 until this issue has been resolved. 

We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool from the Microsoft software download website until this issue is resolved. 
 
Resolution: Apple has released an updated version of iCloud for Windows (version 7.8.1) that resolves compatibility issues encountered when updating or synching Shared Albums after updating to Windows 10, version 1809. We recommend that you update your iCloud for Windows to version 7.8.1 when prompted before attempting to upgrade to Windows 10, version 1809. You can also manually download the latest version of iCloud for Windows by visiting https://support.apple.com/HT204283.

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
Intel Audio Display (intcdaud.sys) notification during Windows 10 Setup
Upgrade block: Microsoft and Intel have identified a compatibility issue with a range of Intel Display Audio device drivers (intcdaud.sys, versions 10.25.0.3 - 10.25.0.8) that may result in excessive processor demand and reduced battery life. As a result, the update process to the Windows 10 October 2018 Update (Windows 10, version 1809) will fail and affected devices will automatically revert to the previous working configuration. 

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
If you see a \"What needs your attention\" notification during installation of the October 2018 Update, you have one of these affected drivers on your system. On the notification, click Back to remain on your current version of Windows 10. 
 
To ensure a seamless experience, we are blocking devices from being offered the October 2018 Update until updated Intel device drivers are installed on your current operating system. We recommend that you do not attempt to manually update to Windows 10, version 1809, using the Update Now button or the Media Creation Tool from the Microsoft Software Download Center until newer Intel device drivers are available with the update. You can either wait for newer drivers to be installed automatically through Windows Update or check with your computer manufacturer for the latest device driver software availability and installation procedures. For more information about this issue, see Intel's customer support guidance.
 
Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
F5 VPN clients losing network connectivity
Upgrade block: After updating to Windows 10, version 1809, F5 VPN clients may lose network connectivity when the VPN service is in a split tunnel configuration.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019
  • Server: Windows Server, version 1809; Windows Server 2019
Resolution: This issue was resolved in KB4482887 and the upgrade block removed. 

Back to top		OS Build 17763.134

November 13, 2018
KB4467708		Resolved
KB4482887		Resolved:
March 01, 2019
10:00 AM PT

Opened:
November 13, 2018
10:00 AM PT
- + @@ -58,7 +58,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
August 09, 2019
07:03 PM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019
02:00 PM PT
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		July 26, 2019
02:00 PM PT
Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
July 11, 2019
01:54 PM PT
- +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index 33a6733fd2..56fbefcd4d 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -32,7 +32,9 @@ sections: - type: markdown text: " - + + + @@ -48,7 +50,6 @@ sections: -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503292		Resolved External
August 09, 2019
04:25 PM PT
IA64-based devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64-based devices may fail to start.

See details >		August 13, 2019
KB4512506		Resolved
KB4474419		August 13, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
10:06 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503292		Resolved External
August 09, 2019
07:03 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >		May 14, 2019
KB4499164		Resolved
KB4503277		June 20, 2019
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		June 11, 2019
KB4503292		Resolved
KB4503277		June 20, 2019
02:00 PM PT
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible

See details >		May 14, 2019
KB4499164		Resolved
KB4505050		May 18, 2019
02:00 PM PT
Internet Explorer may fail to load images
Internet Explorer may fail to load images with a backslash (\\) in their relative source path.

See details >		February 12, 2019
KB4486563		Resolved
KB4486565		February 19, 2019
02:00 PM PT
First character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		January 17, 2019
KB4480955		Resolved
KB4486565		February 19, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480970		Resolved
KB4493472		April 09, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		January 08, 2019
KB4480970		Resolved
KB4486563		February 12, 2019
10:00 AM PT
Event Viewer may not show some event descriptions for network interface cards
The Event Viewer may not show some event descriptions for network interface cards (NIC).

See details >		October 18, 2018
KB4462927		Resolved
KB4489878		March 12, 2019
10:00 AM PT
Virtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

See details >		January 08, 2019
KB4480970		Resolved
KB4490511		February 19, 2019
02:00 PM PT
@@ -66,7 +67,8 @@ sections: - type: markdown text: " - + +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503292		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
IA64-based devices may fail to start after installing updates
After installing KB4512506, IA64-based devices may fail to start with the following error:
\"File: \\Windows\\system32\\winload.efi
Status: 0xc0000428
Info: Windows cannot verify the digital signature for this file.\"

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: This issue has been resolved in the latest version of KB4474419 (released on or after August 13, 2019).Please verify that KB4474419 is installed and restart your machine before installing KB4512506 released August 13th, 2019 or later.

 

Back to top		August 13, 2019
KB4512506		Resolved
KB4474419		Resolved:
August 13, 2019
10:00 AM PT

Opened:
August 13, 2019
08:34 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503292		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -94,6 +96,7 @@ sections: - type: markdown text: " + @@ -130,7 +133,6 @@ sections:
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019
01:23 PM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019
01:22 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019
01:21 PM PT

Opened:
April 09, 2019
10:00 AM PT
-
DetailsOriginating updateStatusHistory
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480955, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4486565.

Back to top		January 17, 2019
KB4480955		Resolved
KB4486565		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 17, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480970, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493472.

Back to top		January 08, 2019
KB4480970		Resolved
KB4493472		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.

Affected Platforms:
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 

Resolution: This issue is resolved in KB4486563.

Back to top		January 08, 2019
KB4480970		Resolved
KB4486563		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Virtual machines fail to restore
After installing KB4480970, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4490511.

Back to top		January 08, 2019
KB4480970		Resolved
KB4490511		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml index 9bf1ac9d82..dbb57e0e0b 100644 --- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml @@ -32,7 +32,8 @@ sections: - type: markdown text: " - + + @@ -51,7 +52,6 @@ sections: -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503276		Resolved External
August 09, 2019
04:25 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Resolved External
August 13, 2019
10:06 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503276		Resolved External
August 09, 2019
07:03 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >		May 14, 2019
KB4499151		Resolved
KB4503283		June 20, 2019
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		June 11, 2019
KB4503276		Resolved
KB4503283		June 20, 2019
02:00 PM PT
Issue using PXE to start a device from WDS
There may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.

See details >		March 12, 2019
KB4489881		Resolved
KB4503276		June 11, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480963		Resolved
KB4493446		April 09, 2019
10:00 AM PT
Virtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

See details >		January 08, 2019
KB4480963		Resolved
KB4490512		February 19, 2019
02:00 PM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		January 08, 2019
KB4480963		Resolved
KB4487000		February 12, 2019
10:00 AM PT
" @@ -67,7 +67,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503276		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503276		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -96,6 +96,7 @@ sections: - type: markdown text: " + @@ -134,6 +135,5 @@ sections: -
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019
01:22 PM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019
01:22 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019
01:21 PM PT

Opened:
April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding.
After installing KB4480963, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480963, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493446.

Back to top		January 08, 2019
KB4480963		Resolved
KB4493446		Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Virtual machines fail to restore
After installing KB4480963, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4490512.

Back to top		January 08, 2019
KB4480963		Resolved
KB4490512		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.

Affected platforms: 
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue is resolved in KB4487000.

Back to top		January 08, 2019
KB4480963		Resolved
KB4487000		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml index aeb08c2fd5..b83e9cc1e7 100644 --- a/windows/release-information/resolved-issues-windows-server-2008-sp2.yml +++ b/windows/release-information/resolved-issues-windows-server-2008-sp2.yml @@ -32,7 +32,7 @@ sections: - type: markdown text: " - + @@ -42,7 +42,6 @@ sections: -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503273		Resolved External
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503273		Resolved External
August 09, 2019
07:03 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		June 11, 2019
KB4503273		Resolved
KB4503271		June 20, 2019
02:00 PM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.

See details >		April 09, 2019
KB4493471		Resolved
May 14, 2019
01:21 PM PT
System may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.

See details >		April 09, 2019
KB4493471		Resolved
May 14, 2019
01:19 PM PT
First character of the Japanese era name not recognized as an abbreviation
The first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

See details >		January 17, 2019
KB4480974		Resolved
KB4489880		March 12, 2019
10:00 AM PT
Embedded objects may display incorrectly
Any compound document (OLE) server application that places embedded objects into the Windows Metafile (WMF) using the PatBlt API may display embedded objects incorrectly.

See details >		February 12, 2019
KB4487023		Resolved
KB4493471		April 09, 2019
10:00 AM PT
Virtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

See details >		January 08, 2019
KB4480968		Resolved
KB4490514		February 19, 2019
02:00 PM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		January 08, 2019
KB4480968		Resolved
KB4487023		February 12, 2019
10:00 AM PT
" @@ -58,7 +57,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503273		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503273		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -108,6 +107,5 @@ sections: -
DetailsOriginating updateStatusHistory
First character of the Japanese era name not recognized as an abbreviation
After installing KB4480974, the first character of the Japanese era name is not recognized as an abbreviation and may cause date parsing issues.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4489880.

Back to top		January 17, 2019
KB4480974		Resolved
KB4489880		Resolved:
March 12, 2019
10:00 AM PT

Opened:
January 17, 2019
10:00 AM PT
Virtual machines fail to restore
After installing KB4480968, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, “Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).”

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4490514.

Back to top		January 08, 2019
KB4480968		Resolved
KB4490514		Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, “Unrecognized Database Format”.

Affected platforms: 
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487023.

Back to top		January 08, 2019
KB4480968		Resolved
KB4487023		Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
" diff --git a/windows/release-information/resolved-issues-windows-server-2012.yml b/windows/release-information/resolved-issues-windows-server-2012.yml index 532b8144c8..9a3dd8d77a 100644 --- a/windows/release-information/resolved-issues-windows-server-2012.yml +++ b/windows/release-information/resolved-issues-windows-server-2012.yml @@ -32,7 +32,7 @@ sections: - type: markdown text: " - + @@ -48,7 +48,6 @@ sections: -
SummaryOriginating updateStatusDate resolved
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503285		Resolved External
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503285		Resolved External
August 09, 2019
07:03 PM PT
Some devices and generation 2 Hyper-V VMs may have issues installing updates
Some devices and generation 2 Hyper-V virtual machines (VMs) may have issues installing some updates when Secure Boot is enabled.

See details >		June 11, 2019
KB4503285		Resolved
KB4503295		June 21, 2019
02:00 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >		May 14, 2019
KB4499171		Resolved
KB4503295		June 21, 2019
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		June 11, 2019
KB4503285		Resolved
KB4503295		June 20, 2019
02:00 PM PT
Internet Explorer 11 authentication issue with multiple concurrent logons
Internet Explorer 11 users may encounter issues if two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine.

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
MSXML6 may cause applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

See details >		January 08, 2019
KB4480975		Resolved
KB4493451		April 09, 2019
10:00 AM PT
Virtual machines fail to restore
Virtual machines (VMs) may fail to restore successfully if the VM has been saved and restored once before.

See details >		January 08, 2019
KB4480975		Resolved
KB4490516		February 19, 2019
02:00 PM PT
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if column names are greater than 32 characters.

See details >		January 08, 2019
KB4480975		Resolved
KB4487025		February 12, 2019
10:00 AM PT
Event Viewer may not show some event descriptions for network interface cards
The Event Viewer may not show some event descriptions for network interface cards (NIC).

See details >		September 11, 2018
KB4457135		Resolved
KB4489891		March 12, 2019
10:00 AM PT
" @@ -65,7 +64,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503285		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503285		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -129,7 +128,6 @@ sections:
Internet Explorer 11 authentication issue with multiple concurrent logons
After installing KB4480975, Internet Explorer 11 and other applications that use WININET.DLL may have authentication issues. This occurs when two or more people use the same user account for multiple, concurrent login sessions on the same Windows Server machine, including Remote Desktop Protocol (RDP) and Terminal Server logons. Symptoms reported by customers include, but may not be limited to:
  • Cache size and location show zero or empty.
  • Keyboard shortcuts may not work properly.
  • Webpages may intermittently fail to load or render correctly.
  • Issues with credential prompts.
  • Issues when downloading files.
Affected platforms: 
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1
Resolution: This issue is resolved in KB4493451.

Back to topJanuary 08, 2019
KB4480975Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
MSXML6 may cause applications to stop responding
After installing KB4480975, MSXML6 causes applications to stop responding if an exception was thrown during node operations, such as appendChild(), insertBefore(), and moveNode().

The Group Policy editor may stop responding when editing a Group Policy Object (GPO) that contains Group Policy Preferences (GPP) for Internet Explorer 10 settings.

Affected platforms:
  • Client: Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1
  • Server: Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012
Resolution: This issue is resolved in KB4493451.

Back to topJanuary 08, 2019
KB4480975Resolved
KB4493451Resolved:
April 09, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT
Virtual machines fail to restore
After installing KB4480975, virtual machines (VM) may fail to restore successfully if the VM has been saved and restored once before. The error message is, \"Failed to restore the virtual machine state: Cannot restore this virtual machine because the saved state data cannot be read. Delete the saved state data and then try to start the virtual machine. (0xC0370027).\"

This affects AMD Bulldozer Family 15h, AMD Jaguar Family 16h, and AMD Puma Family 16h (second generation) microarchitectures.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4490516.

Back to topJanuary 08, 2019
KB4480975Resolved
KB4490516Resolved:
February 19, 2019
02:00 PM PT

Opened:
January 08, 2019
10:00 AM PT -
Applications using Microsoft Jet database fail to open
Applications that use a Microsoft Jet database with the Microsoft Access 97 file format may fail to open if the database has column names greater than 32 characters. The database will fail to open with the error, \"Unrecognized Database Format\".

Affected platforms: 
  • Client: Windows 10, version 1709; Windows 10, version 1703; Windows 10, version 1607; Windows 10 Enterprise LTSC 2016; Windows 10, version 1507; Windows 10 Enterprise LTSB 2015; Windows 8.1; Windows 7 SP1 
  • Server: Windows Server, version 1709; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue is resolved in KB4487025.

Back to topJanuary 08, 2019
KB4480975Resolved
KB4487025Resolved:
February 12, 2019
10:00 AM PT

Opened:
January 08, 2019
10:00 AM PT " diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 010cb9d55b..55d16a4b23 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- +
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019
07:03 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019
02:00 PM PT
" @@ -77,7 +77,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index a554e88e9e..407e511420 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,10 +60,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - + + + - @@ -85,7 +85,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 14393.3115

July 16, 2019
KB4507459		Investigating
August 08, 2019
07:18 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 14393.3115

July 16, 2019
KB4507459		Resolved
KB4512517		August 13, 2019
10:00 AM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

See details >		OS Build 14393.3085

July 09, 2019
KB4507460		Resolved
KB4512517		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
August 09, 2019
07:03 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

See details >		OS Build 14393.3053

June 18, 2019
KB4503294		Investigating
August 01, 2019
05:00 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

See details >		OS Build 14393.3085

July 09, 2019
KB4507460		Mitigated
July 26, 2019
04:58 PM PT
SCVMM cannot enumerate and manage logical switches deployed on the host
For hosts managed by System Center Virtual Machine Manager (VMM), VMM cannot enumerate and manage logical switches deployed on the host.

See details >		OS Build 14393.2639

November 27, 2018
KB4467684		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Some applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)

See details >		OS Build 14393.2941

April 25, 2019
KB4493473		Resolved
KB4507459		July 16, 2019
10:00 AM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Mitigated
July 10, 2019
07:09 PM PT
- +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.3053

June 18, 2019
KB4503294		Investigating
Last updated:
August 01, 2019
05:00 PM PT

Opened:
August 01, 2019
05:00 PM PT
" @@ -95,9 +95,9 @@ sections: - type: markdown text: " - - + +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507459. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 14393.3115

July 16, 2019
KB4507459		Investigating
Last updated:
August 08, 2019
07:18 PM PT

Opened:
July 25, 2019
06:10 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

Affected platforms:
  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Workaround: To mitigate this issue, you need to Enable Script Debugging using one of the following ways.

You can configure the below registry key:
Registry setting: HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Internet Explorer\\Main
Value: Disable Script Debugger
Type: REG_SZ
Data: no

Or you can Enable Script Debugging in Internet Settings. You can open Internet Setting by either typing Internet Settings into the search box on Windows or by selecting Internet Options in Internet Explorer. Once open, select Advanced then Browsing and finally, select Enable Script Debugging.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.3085

July 09, 2019
KB4507460		Mitigated
Last updated:
July 26, 2019
04:58 PM PT

Opened:
July 26, 2019
04:58 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507459. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512517. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 14393.3115

July 16, 2019
KB4507459		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
Internet Explorer 11 may fail to render some JavaScript after installing KB4507460. You may also have issues with apps using JavaScript or the WebBrowser control, such as the present PowerPoint feature of Skype Meeting Broadcast.

Affected platforms:
  • Client: Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server 2016
Resolution: This issue was resolved in KB4512517.

Back to top		OS Build 14393.3085

July 09, 2019
KB4507460		Resolved
KB4512517		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 26, 2019
04:58 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503267 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 58b6047c36..895bd3c1db 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,8 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - + +
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 15063.1955

July 16, 2019
KB4507467		Investigating
August 08, 2019
07:18 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 15063.1955

July 16, 2019
KB4507467		Resolved
KB4512507		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
August 09, 2019
07:03 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
April 25, 2019
02:00 PM PT
" @@ -78,7 +78,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -87,8 +87,8 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507467. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 15063.1955

July 16, 2019
KB4507467		Investigating
Last updated:
August 08, 2019
07:18 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507467. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512507. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 15063.1955

July 16, 2019
KB4507467		Resolved
KB4512507		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
" diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 279e20ebd2..930121e60e 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,8 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - + +
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 16299.1296

July 16, 2019
KB4507465		Investigating
August 08, 2019
07:18 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 16299.1296

July 16, 2019
KB4507465		Resolved
KB4512516		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Mitigated
July 10, 2019
07:09 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 16299.904

January 08, 2019
KB4480978		Mitigated
April 25, 2019
02:00 PM PT
@@ -79,7 +79,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -88,8 +88,8 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507465. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 16299.1296

July 16, 2019
KB4507465		Investigating
Last updated:
August 08, 2019
07:18 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507465. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512516. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 16299.1296

July 16, 2019
KB4507465		Resolved
KB4512516		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503284 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index ab543899da..0d6c3bc4dd 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -65,8 +65,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - + + @@ -85,7 +85,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17134.915

July 16, 2019
KB4507466		Investigating
August 08, 2019
07:18 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17134.915

July 16, 2019
KB4507466		Resolved
KB4512501		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
July 10, 2019
07:09 PM PT
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
June 14, 2019
04:41 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 17134.523

January 08, 2019
KB4480966		Mitigated
April 25, 2019
02:00 PM PT
- +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -94,8 +94,8 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4507466. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17134.915

July 16, 2019
KB4507466		Investigating
Last updated:
August 08, 2019
07:18 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4507466. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4512501. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17134.915

July 16, 2019
KB4507466		Resolved
KB4512501		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503286 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index d67d705cf0..a6f1d702b4 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -64,8 +64,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - + + @@ -86,7 +86,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
August 09, 2019
04:25 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17763.652

July 22, 2019
KB4505658		Investigating
August 08, 2019
07:18 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17763.652

July 22, 2019
KB4505658		Resolved
KB4511553		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
August 09, 2019
07:03 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

See details >		OS Build 17763.55

October 09, 2018
KB4464330		Investigating
August 01, 2019
05:00 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Mitigated
July 10, 2019
07:09 PM PT
Startup to a black screen after installing updates
Your device may startup to a black screen during the first logon after installing updates.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Mitigated
June 14, 2019
04:41 PM PT
- +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.55

October 09, 2018
KB4464330		Investigating
Last updated:
August 01, 2019
05:00 PM PT

Opened:
August 01, 2019
05:00 PM PT
" @@ -96,8 +96,8 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4505658. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17763.652

July 22, 2019
KB4505658		Investigating
Last updated:
August 08, 2019
07:18 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4505658. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Resolution: This issue was resolved in KB4511553. To safeguard your upgrade experience, the compatibility hold on devices from being offered Windows 10, version 1903 or Windows Server, version 1903 is still in place. Once the issue is addressed on Windows 10, version 1903, this safeguard hold will be removed for all affected platforms. Check the Windows 10, version 1903 section of the release information dashboard for the most up to date information on this and other safeguard holds.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 17763.652

July 22, 2019
KB4505658		Resolved
KB4511553		Resolved:
August 13, 2019
10:00 AM PT

Opened:
July 25, 2019
06:10 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503327 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
" diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index 1eff433b4f..3ea2e03409 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -65,18 +65,15 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- - - + + + - - - @@ -97,7 +94,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
August 09, 2019
04:25 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
August 09, 2019
02:20 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
August 08, 2019
07:18 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
August 13, 2019
05:24 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
August 09, 2019
07:03 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
August 09, 2019
07:03 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
August 01, 2019
08:44 PM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
August 01, 2019
06:27 PM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		July 26, 2019
02:00 PM PT
RASMAN service may stop working and result in the error “0xc0000005”
The Remote Access Connection Manager (RASMAN) service may stop working and result in the error “0xc0000005” with VPN profiles configured as an Always On VPN connection.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Resolved
KB4505903		July 26, 2019
02:00 PM PT
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Some apps or games that needs to perform graphics intensive operations may close or fail to open on Surface Book 2 devices with Nvidia dGPU.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
July 16, 2019
09:04 AM PT
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
July 12, 2019
04:42 PM PT
Loss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
July 11, 2019
01:54 PM PT
Error attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019
01:53 PM PT
Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
July 11, 2019
01:53 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Mitigated
July 10, 2019
07:09 PM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language was changed between updates

See details >		OS Build 18362.116

May 20, 2019
KB4505057		Investigating
June 10, 2019
06:06 PM PT
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
May 21, 2019
04:48 PM PT
- +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -106,9 +103,9 @@ sections: - type: markdown text: " - - + + @@ -132,9 +129,6 @@ sections: - - - diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index 88c5129963..f55dd568c1 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,9 +60,11 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

DetailsOriginating updateStatusHistory
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Workaround: To mitigate this issue before the resolution is released, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Next Steps: We are working on a resolution and estimate a solution will be available in late August.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
Last updated:
August 09, 2019
02:20 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in mid-August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
August 08, 2019
07:18 PM PT

Opened:
July 25, 2019
06:10 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
+

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in late August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
August 13, 2019
05:24 PM PT

Opened:
July 25, 2019
06:10 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Workaround: To mitigate this issue before the resolution is released, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Next Steps: We are working on a resolution and estimate a solution will be available in late August.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
July 25, 2019
06:10 PM PT
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.

To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
July 16, 2019
09:04 AM PT

Opened:
July 12, 2019
04:20 PM PT
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Next steps: We are working on a resolution that will be made available in upcoming release.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
July 12, 2019
04:42 PM PT

Opened:
July 12, 2019
04:42 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) or System Center Configuration Manager (SCCM) may fail to start with the error \"Status: 0xc0000001, Info: A required device isn't connected or can't be accessed\" after installing KB4503293 on a WDS server.

Affected platforms:
  • Server: Windows Server 2008 SP2; Windows Server 2008 R2 SP1; Windows Server 2012; Windows Server 2012 R2; Windows Server 2016; Windows Server, version 1803; Windows Server 2019; Windows Server, version 1809; Windows Server, version 1903
Workaround:
To mitigate this issue on an SCCM server:
  1. Verify Variable Window Extension is enabled.
  2. Set the values of TFTP block size to 4096 and TFTP window size to 1. For guidance on how to configure them, see Customize the RamDisk TFTP block and window sizes on PXE-enabled distribution points.
Note Try the default values for TFTP block size and TFTP window size first but depending on your environment and overall settings, you may need to adjust them for your setup. You can also try the Enable a PXE responder without Windows Deployment Service setting. For more information on this setting, see Install and configure distribution points in Configuration Manager.

To mitigate this issue on a WDS server without SCCM:
  1. In WDS TFTP settings, verify Variable Window Extension is enabled.
  2. In the Boot Configuration Data (BCD) of the imported image, set RamDiskTFTPBlockSize to 1456.
  3. In the BCD of the imported image, set RamDiskTFTPWindowSize to 4.
Note Try the default values for RamDiskTFTPBlockSize and RamDiskTFTPWindowSize first but depending on your environment and overall settings, you may need to adjust them for your setup.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Mitigated
Last updated:
July 10, 2019
07:09 PM PT

Opened:
July 10, 2019
02:51 PM PT
Intermittent loss of Wi-Fi connectivity
Some older computers may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver. An updated Wi-Fi driver should be available from your device manufacturer (OEM).

To safeguard your upgrade experience, we have applied a hold on devices with this Qualcomm driver from being offered Windows 10, version 1903, until the updated driver is installed.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: Before updating to Windows 10, version 1903, you will need to download and install an updated Wi-Fi driver from your device manufacturer (OEM).
 
Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until a new driver has been installed and the Windows 10, version 1903 feature update has been automatically offered to you.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
Last updated:
August 01, 2019
08:44 PM PT

Opened:
May 21, 2019
07:13 AM PT
Gamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.

Microsoft has identified some scenarios in which these features may have issues or stop working, for example:
  • Connecting to (or disconnecting from) an external monitor, dock, or projector
  • Rotating the screen
  • Updating display drivers or making other display mode changes
  • Closing full screen applications
  • Applying custom color profiles
  • Running applications that rely on custom gamma ramps
Affected platforms:
  • Client: Windows 10, version 1903
Workaround: If you find that your night light has stopped working, try turning the night light off and on, or restarting your computer. For other color setting issues, restart your computer to correct the issue.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
August 01, 2019
06:27 PM PT

Opened:
May 21, 2019
07:28 AM PT
Display brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers. After updating to Windows 10, version 1903, brightness settings may sometime appear as if changes applied took effect, yet the actual display brightness doesn't change.

To safeguard your update experience, we have applied a compatibility hold on devices with certain Intel drivers from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue was resolved in KB4505903 and the safeguard hold has been removed. Please ensure you have applied the resolving update before attempting to update to the Windows 10 May 2019 Update (version 1903). Please note, it can take up to 48 hours for the safeguard to be removed.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
KB4505903		Resolved:
July 26, 2019
02:00 PM PT

Opened:
May 21, 2019
07:56 AM PT
Loss of functionality in Dynabook Smartphone Link app
Some users may experience a loss of functionality after updating to Windows 10, version 1903 when using the Dynabook Smartphone Link application on Windows devices. Loss of functionality may affect the display of phone numbers in the Call menu and the ability to answer phone calls on the Windows PC.

To safeguard your update experience, we have applied a compatibility hold on devices with Dynabook Smartphone Link from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:54 PM PT

Opened:
May 24, 2019
03:10 PM PT
Error attempting to update with external USB device or memory card attached
If you have an external USB device or SD memory card attached when installing Windows 10, version 1903, you may get an error message stating \"This PC can't be upgraded to Windows 10.\" This is caused by inappropriate drive reassignment during installation.

Sample scenario: An update to Windows 10, version 1903 is attempted on a computer that has a thumb drive inserted into its USB port. Before the update, the thumb drive is mounted in the system as drive G based on the existing drive configuration. After the feature update is installed; however, the device is reassigned a different drive letter (e.g., drive H).

Note The drive reassignment is not limited to removable drives. Internal hard drives may also be affected.

To safeguard your update experience, we have applied a hold on devices with an external USB device or SD memory card attached from being offered Windows 10, version 1903 until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:38 AM PT
Audio not working with Dolby Atmos headphones and home theater
After updating to Windows 10, version 1903, you may experience loss of audio with Dolby Atmos for home theater (free extension) or Dolby Atmos for headphones (paid extension) acquired through the Microsoft Store due to a licensing configuration error.
 
This occurs due to an issue with a Microsoft Store licensing component, where license holders are not able to connect to the Dolby Access app and enable Dolby Atmos extensions.
 
To safeguard your update experience, we have applied protective hold on devices from being offered Windows 10, version 1903 until this issue is resolved. This configuration error will not result in loss of access for the acquired license once the problem is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Resolution: This issue is now resolved and the safeguard hold has been removed. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Resolved
Resolved:
July 11, 2019
01:53 PM PT

Opened:
May 21, 2019
07:16 AM PT
Windows Sandbox may fail to start with error code “0x80070002”
Windows Sandbox may fail to start with \"ERROR_FILE_NOT_FOUND (0x80070002)\" on devices in which the operating system language is changed during the update process when installing Windows 10, version 1903.

Affected platforms:
  • Client: Windows 10, version 1903
Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.116

May 20, 2019
KB4505057		Investigating
Last updated:
June 10, 2019
06:06 PM PT

Opened:
May 24, 2019
04:20 PM PT
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some driver versions for Bluetooth radios made by Realtek and Qualcomm. To safeguard your update experience, we have applied a compatibility hold on devices with affected driver versions for Realtek or Qualcomm Bluetooth radios from being offered Windows 10, version 1903 or Windows Server, version 1903 until the driver has been updated.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Workaround: Check with your device manufacturer (OEM) to see if an updated driver is available and install it.

  • For Qualcomm drivers, you will need to install a driver version greater than 10.0.1.11.
  • For Realtek drivers, you will need to install a driver version greater than 1.5.1011.0.
Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Next steps: Microsoft is working with Realtek and Qualcomm to release new drivers for all affected system via Windows Update.  


Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 21, 2019
04:48 PM PT

Opened:
May 21, 2019
07:29 AM PT
Intel Audio displays an intcdaud.sys notification
Microsoft and Intel have identified an issue with a range of Intel Display Audio device drivers that may result in higher than normal battery drain. If you see an intcdaud.sys notification or “What needs your attention” notification when trying to update to Windows 10, version 1903, you have an affected Intel Audio Display device driver installed on your machine (intcdaud.sys, versions 10.25.0.3 through 10.25.0.8).
  
To safeguard your update experience, we have applied a compatibility hold on devices with drivers from being offered Windows 10, version 1903 until updated device drivers have been installed.

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809
Workaround:
On the “What needs your attention\" notification, click the Back button to remain on your current version of Windows 10. (Do not click Confirm as this will proceed with the update and you may experience compatibility issues.) Affected devices will automatically revert to the previous working configuration.

For more information, see Intel's customer support guidance and the Microsoft knowledge base article KB4465877.

Note We recommend you do not attempt to update your devices until newer device drivers are installed.

Next steps: You can opt to wait for newer drivers to be installed automatically through Windows Update or check with the computer manufacturer for the latest device driver software availability and installation procedures.

Back to top		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated
Last updated:
May 21, 2019
04:47 PM PT

Opened:
May 21, 2019
07:22 AM PT
- + + + + -
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503292		Resolved External
August 09, 2019
04:25 PM PT
IA64-based devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64-based devices may fail to start.

See details >		August 13, 2019
KB4512506		Resolved
KB4474419		August 13, 2019
10:00 AM PT
Windows updates that are SHA-2 signed may not be offered
Windows udates that are SHA-2 signed are not available with Symantec Endpoint Protection installed

See details >		August 13, 2019
KB4512506		Investigating
August 13, 2019
10:05 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
10:06 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503292		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503292		Mitigated
July 10, 2019
02:59 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Mitigated
April 25, 2019
02:00 PM PT
" @@ -78,7 +80,9 @@ sections: - type: markdown text: " - + + +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503292		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
IA64-based devices may fail to start after installing updates
After installing KB4512506, IA64-based devices may fail to start with the following error:
\"File: \\Windows\\system32\\winload.efi
Status: 0xc0000428
Info: Windows cannot verify the digital signature for this file.\"

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: This issue has been resolved in the latest version of KB4474419 (released on or after August 13, 2019).Please verify that KB4474419 is installed and restart your machine before installing KB4512506 released August 13th, 2019 or later.

 

Back to top		August 13, 2019
KB4512506		Resolved
KB4474419		Resolved:
August 13, 2019
10:00 AM PT

Opened:
August 13, 2019
08:34 AM PT
Windows updates that are SHA-2 signed may not be offered
Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Workaround: Guidance for Symantec customers can be found in the Symantec support article.

Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

Back to top		August 13, 2019
KB4512506		Investigating
Last updated:
August 13, 2019
10:05 AM PT

Opened:
August 13, 2019
10:05 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503292		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -96,6 +100,6 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client:  Windows 8.1; Windows 7 SP1
  • Server:  Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles: 
Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information.

Back to top		April 09, 2019
KB4493472		Mitigated
Last updated:
April 25, 2019
02:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index a15ed55837..202c053f79 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,10 +60,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + + -
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503276		Resolved External
August 09, 2019
04:25 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Resolved External
August 13, 2019
10:06 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503276		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503276		Mitigated
July 10, 2019
07:09 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

See details >		April 25, 2019
KB4493443		Mitigated
May 15, 2019
05:53 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Mitigated
April 18, 2019
05:00 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480963		Mitigated
April 25, 2019
02:00 PM PT
" @@ -80,7 +80,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503276		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503276		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -107,7 +107,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client:  Windows 8.1; Windows 7 SP1
  • Server:  Windows Server 2012 R2; Windows Server 2008 R2 SP1
Workaround: Guidance for McAfee customers can be found in the following McAfee support articles:  
Next steps: We are presently investigating this issue with McAfee. We will provide an update once we have more information. 

Back to top		April 09, 2019
KB4493446		Mitigated
Last updated:
April 18, 2019
05:00 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 7e730c134a..89a7335b26 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- +
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503273		Resolved External
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503273		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503273		Mitigated
July 10, 2019
02:59 PM PT
" @@ -77,7 +77,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503273		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503273		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index ed7deea5f4..5d1e15e515 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,7 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + @@ -79,7 +79,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503285		Resolved External
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503285		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503285		Mitigated
July 10, 2019
07:09 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

See details >		April 25, 2019
KB4493462		Mitigated
May 15, 2019
05:53 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

See details >		January 08, 2019
KB4480975		Mitigated
April 25, 2019
02:00 PM PT
- +
DetailsOriginating updateStatusHistory
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503285		Resolved External
Last updated:
August 09, 2019
04:25 PM PT

Opened:
August 09, 2019
04:25 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503285		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/windows-message-center.yml b/windows/release-information/windows-message-center.yml index c7a8b5e2d7..85c3bf144d 100644 --- a/windows/release-information/windows-message-center.yml +++ b/windows/release-information/windows-message-center.yml @@ -50,6 +50,11 @@ sections: text: " + + + + + From fa81b40bfeebabb78f184c7011ed617d3b391333 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 14 Aug 2019 10:10:03 -0700 Subject: [PATCH 32/37] Update windows-defender-antivirus-in-windows-10.md removed ====== --- .../windows-defender-antivirus-in-windows-10.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index bd9df5835d..def6571abc 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -47,7 +47,6 @@ You can configure and manage Windows Defender Antivirus with: > [!NOTE] > For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp). -======= ## Minimum system requirements From b642e9524b4b74cc302c5b9be4d60cf16da4eaef Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 14 Aug 2019 14:05:23 -0700 Subject: [PATCH 33/37] some metadata fixes --- education/docfx.json | 1 + education/get-started/get-started-with-microsoft-education.md | 2 +- mdop/docfx.json | 2 ++ windows/client-management/docfx.json | 1 + 4 files changed, 5 insertions(+), 1 deletion(-) diff --git a/education/docfx.json b/education/docfx.json index 2f691e4f77..15587928ef 100644 --- a/education/docfx.json +++ b/education/docfx.json @@ -28,6 +28,7 @@ "audience": "windows-education", "ms.topic": "article", "ms.technology": "windows", + "manager": "laurawi", "audience": "ITPro", "breadcrumb_path": "/education/breadcrumb/toc.json", "ms.date": "05/09/2017", diff --git a/education/get-started/get-started-with-microsoft-education.md b/education/get-started/get-started-with-microsoft-education.md index a36cdb45da..64cf56759a 100644 --- a/education/get-started/get-started-with-microsoft-education.md +++ b/education/get-started/get-started-with-microsoft-education.md @@ -5,7 +5,7 @@ keywords: education, Microsoft Education, full cloud IT solution, school, deploy ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.topic: hero-article +ms.topic: article ms.localizationpriority: medium ms.pagetype: edu author: levinec diff --git a/mdop/docfx.json b/mdop/docfx.json index 55e32ba407..0f44ef3a0b 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -27,6 +27,8 @@ "ms.technology": "windows", "audience": "ITPro", "manager": "dansimp", + "ms.author": "dansimp", + "author": "dansimp", "ms.sitesec": "library", "ms.topic": "article", "ms.date": "04/05/2017", diff --git a/windows/client-management/docfx.json b/windows/client-management/docfx.json index bb9c73976e..d687294412 100644 --- a/windows/client-management/docfx.json +++ b/windows/client-management/docfx.json @@ -35,6 +35,7 @@ "ms.technology": "windows", "audience": "ITPro", "ms.topic": "article", + "manager": "dansimp", "feedback_system": "GitHub", "feedback_github_repo": "MicrosoftDocs/windows-itpro-docs", "feedback_product_url": "https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app", From 38353cbfe7f1d02d54b644ea08fc6a1503aef860 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 14 Aug 2019 14:42:16 -0700 Subject: [PATCH 34/37] fixing one more metadata issue --- .../General-Data-Privacy-Regulation-and-Surface-Hub.md | 2 -- .../connect-app-in-surface-hub-unexpectedly-exits.md | 2 -- .../known-issues-and-additional-info-about-surface-hub.md | 2 -- ...b-installs-updates-and-restarts-outside-maintenance-hours.md | 2 -- devices/surface-hub/surface-hub-update-history.md | 2 -- .../surfacehub-miracast-not-supported-europe-japan-israel.md | 2 -- .../use-cloud-recovery-for-bitlocker-on-surfacehub.md | 2 -- .../use-surface-hub-diagnostic-test-device-account.md | 2 -- mdop/docfx.json | 1 + 9 files changed, 1 insertion(+), 16 deletions(-) diff --git a/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md b/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md index 3254e13d6c..e499178078 100644 --- a/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md +++ b/devices/surface-hub/General-Data-Privacy-Regulation-and-Surface-Hub.md @@ -2,8 +2,6 @@ title: General Data Privacy Regulation and Surface Hub description: Informs users who are subject to EU data protection laws of their options regarding how to delete or restrict diagnostic data produced by Surface Hub. ms.assetid: 087713CF-631D-477B-9CC6-EFF939DE0186 -ms.reviewer: -manager: keywords: GDPR ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md b/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md index 9e70a8755c..439d3c68d7 100644 --- a/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md +++ b/devices/surface-hub/connect-app-in-surface-hub-unexpectedly-exits.md @@ -2,8 +2,6 @@ title: What to do if the Connect app in Surface Hub exits unexpectedly description: Describes how to resolve an issue where the Connect app in Surface Hub exits to the Welcome screen after cycling through inputs. ms.assetid: 9576f4e4-d936-4235-8a03-d8a6fe9e8fec -ms.reviewer: -manager: keywords: surface, hub, connect, input, displayport ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md b/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md index 93c56d4e28..003795ec22 100644 --- a/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md +++ b/devices/surface-hub/known-issues-and-additional-info-about-surface-hub.md @@ -2,8 +2,6 @@ title: Known issues and additional information about Microsoft Surface Hub description: Outlines known issues with Microsoft Surface Hub. ms.assetid: aee90a0c-fb05-466e-a2b1-92de89d0f2b7 -ms.reviewer: -manager: keywords: surface, hub, issues ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md b/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md index 1ec6740c76..98ad30890e 100644 --- a/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md +++ b/devices/surface-hub/surface-Hub-installs-updates-and-restarts-outside-maintenance-hours.md @@ -2,8 +2,6 @@ title: Surface Hub may install updates and restart outside maintenance hours description: troubleshooting information for Surface Hub regarding automatic updates ms.assetid: 6C09A9F8-F9CF-4491-BBFB-67A1A1DED0AA -ms.reviewer: -manager: keywords: surface hub, maintenance window, update ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 568e515039..0f70604dac 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -2,8 +2,6 @@ title: Surface Hub update history description: Surface Hub update history ms.assetid: d66a9392-2b14-4cb2-95c3-92db0ae2de34 -ms.reviewer: -manager: keywords: ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md index 12678d2a9c..7a30ff1e37 100644 --- a/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md +++ b/devices/surface-hub/surfacehub-miracast-not-supported-europe-japan-israel.md @@ -2,8 +2,6 @@ title: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel description: Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel ms.assetid: 8af3a832-0537-403b-823b-12eaa7a1af1f -ms.reviewer: -manager: keywords: ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md index 2cb3ab2414..d03cfe3055 100644 --- a/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md +++ b/devices/surface-hub/use-cloud-recovery-for-bitlocker-on-surfacehub.md @@ -2,8 +2,6 @@ title: How to use cloud recovery for BitLocker on a Surface Hub description: How to use cloud recovery for BitLocker on a Surface Hub ms.assetid: c0bde23a-49de-40f3-a675-701e3576d44d -ms.reviewer: -manager: keywords: Accessibility settings, Settings app, Ease of Access ms.prod: surface-hub ms.sitesec: library diff --git a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md index eedbfe9ae5..40a5768d27 100644 --- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md +++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md @@ -2,8 +2,6 @@ title: Using the Surface Hub Hardware Diagnostic Tool to test a device account description: Using the Surface Hub Hardware Diagnostic Tool to test a device account ms.assetid: a87b7d41-d0a7-4acc-bfa6-b9070f99bc9c -ms.reviewer: -manager: keywords: Accessibility settings, Settings app, Ease of Access ms.prod: surface-hub ms.sitesec: library diff --git a/mdop/docfx.json b/mdop/docfx.json index 55e32ba407..fdec25d6d3 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -27,6 +27,7 @@ "ms.technology": "windows", "audience": "ITPro", "manager": "dansimp", + "ms.prod": w10, "ms.sitesec": "library", "ms.topic": "article", "ms.date": "04/05/2017", From 469d976a4d780f727904379b6a1deac3a7e6f1b7 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 14 Aug 2019 15:23:38 -0700 Subject: [PATCH 35/37] Update control-usb-devices-using-intune.md --- .../control-usb-devices-using-intune.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md index 8c67db295c..2517d1852c 100644 --- a/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md +++ b/windows/security/threat-protection/device-control/control-usb-devices-using-intune.md @@ -112,13 +112,13 @@ To prevent malware infections or data loss, an organization may restrict USB dri | Allow installation and usage of USB drives and other peripherals | Allow users to install only the USB drives and other peripherals included on a list of authorized devices or device types | | Prevent installation and usage of USB drives and other peripherals| Prevent users from installing USB drives and other peripherals included on a list of unauthorized devices and device types | -All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/en-us/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: +All of the above controls can be set through the Intune [Administrative Templates](https://docs.microsoft.com/intune/administrative-templates-windows). The relevant policies are located here in the Intune Administrator Templates: ![Admintemplates](images/admintemplates.png) >[!Note] >Using Intune, you can apply device configuration policies to AAD user and/or device groups. -The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/en-us/previous-versions/dotnet/articles/bb530324(v=msdn.10)). +The above policies can also be set through the [Device Installation CSP settings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deviceinstallation) and the [Device Installation GPOs](https://docs.microsoft.com/previous-versions/dotnet/articles/bb530324(v=msdn.10)). >[!Note] >Always test and refine these settings with a pilot group of users and devices first before applying them in production. @@ -131,14 +131,14 @@ One way to approach allowing installation and usage of USB drives and other peri >[!Note] >Because an unauthorized USB peripheral can have firmware that spoofs its USB properties, we recommend only allowing specifically approved USB peripherals and limiting the users who can access them. >1. Enable **prevent installation of devices not described by other policy settings** to all users. ->2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/en-us/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). +>2. Enable **allow installation of devices using drivers that match these device setup classes** for all [device setup classes](https://docs.microsoft.com/windows-hardware/drivers/install/system-defined-device-setup-classes-available-to-vendors). To enforce the policy for already installed devices, apply the prevent policies that have this setting. When configuring the allow device installation policy, you will need to allow all parent attributes as well. You can view the parents of a device by opening device manager and view by connection. ![Device by Connection](images/devicesbyconnection.png) -In this example, the following classesneeded to be added: HID, Keboard, and {36fc9e60-c465-11cf-8056-444553540000}. More information on [Microsoft-provided USB drivers](https://docs.microsoft.com/en-us/windows-hardware/drivers/usbcon/supported-usb-classes). +In this example, the following classesneeded to be added: HID, Keboard, and {36fc9e60-c465-11cf-8056-444553540000}. More information on [Microsoft-provided USB drivers](https://docs.microsoft.com/windows-hardware/drivers/usbcon/supported-usb-classes). ![Device host controller](images/devicehostcontroller.jpg) @@ -152,7 +152,7 @@ If you want to restrict to certain devices, remove the device setup class of the >Using PowerShell: Get-WMIObject -Class Win32_DiskDrive | Select-Object -Property * ->For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/en-us/windows-hardware/drivers/install/standard-usb-identifiers) +>For the typical format for the USB ID please reference the following link; (https://docs.microsoft.com/windows-hardware/drivers/install/standard-usb-identifiers) ### Prevent installation and usage of USB drives and other peripherals If you want to prevent a device class or certain devices, you can use the prevent device installation policies. @@ -252,11 +252,11 @@ You can create custom alerts and response actions with the WDATP Connector and t **Restrict execution of all applications** on the machine except a predefined set MDATP connector is one of over 200 pre-defined connectors including Outlook, Teams, Slack, etc. Custom connectors can be built. -- [More information on WDATP Connector Response Actions](https://docs.microsoft.com/en-us/connectors/wdatp/) +- [More information on WDATP Connector Response Actions](https://docs.microsoft.com/connectors/wdatp/) **Custom Detection Rules Response Action:** Both machine and file level actions can be applied. -- [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) +- [More information on Custom Detection Rules Response Actions](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/custom-detection-rules) ## Related topics From b94e5c4c023d6840bb61fbbb32ee160e5e38d35e Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 14 Aug 2019 15:32:23 -0700 Subject: [PATCH 36/37] fixing build error --- mdop/docfx.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/docfx.json b/mdop/docfx.json index 648af2a3f1..252c242145 100644 --- a/mdop/docfx.json +++ b/mdop/docfx.json @@ -27,7 +27,7 @@ "ms.technology": "windows", "audience": "ITPro", "manager": "dansimp", - "ms.prod": w10, + "ms.prod": "w10", "ms.author": "dansimp", "author": "dansimp", "ms.sitesec": "library", From 5c8f62e754bce3aaa60df4e89c02f6897ff5b620 Mon Sep 17 00:00:00 2001 From: John Liu <49762389+ShenLanJohn@users.noreply.github.com> Date: Wed, 14 Aug 2019 16:47:59 -0700 Subject: [PATCH 37/37] CAT Auto Pulish for Windows Release Messages - CAT_AutoPublish_2019081415474726 (#904) --- ...issues-windows-7-and-windows-server-2008-r2-sp1.yml | 4 ++-- ...d-issues-windows-8.1-and-windows-server-2012-r2.yml | 4 ++-- windows/release-information/status-windows-10-1507.yml | 2 ++ .../status-windows-10-1607-and-windows-server-2016.yml | 2 ++ windows/release-information/status-windows-10-1703.yml | 2 ++ windows/release-information/status-windows-10-1709.yml | 2 ++ windows/release-information/status-windows-10-1803.yml | 2 ++ .../status-windows-10-1809-and-windows-server-2019.yml | 2 ++ windows/release-information/status-windows-10-1903.yml | 6 ++++-- ...status-windows-7-and-windows-server-2008-r2-sp1.yml | 10 ++++++---- .../status-windows-8.1-and-windows-server-2012-r2.yml | 6 ++++-- .../status-windows-server-2008-sp2.yml | 2 ++ .../release-information/status-windows-server-2012.yml | 2 ++ 13 files changed, 34 insertions(+), 12 deletions(-) diff --git a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml index 56fbefcd4d..6c32625e16 100644 --- a/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/resolved-issues-windows-7-and-windows-server-2008-r2-sp1.yml @@ -33,7 +33,7 @@ sections: text: "
MessageDate
August 2019 security update now available for Windows 10, version 1903 and all supported versions of Windows
The August 2019 security update release, referred to as our “B” release, is now available for Windows 10, version 1903 and all supported versions of Windows. A “B” release is the primary, regular update event for each month and is the only regular release that contains security fixes. As a result, we recommend that you install these updates promptly. For more information on the different types of monthly quality updates, see our Windows 10 update servicing cadence primer. To be informed about the latest updates and releases, follow us on Twitter @WindowsUpdate.
August 13, 2019
10:00 AM PT
Advisory: Bluetooth encryption key size vulnerability disclosed (CVE-2019-9506)
On August 13, 2019, Microsoft released security updates to address a Bluetooth key length encryption vulnerability. To exploit this vulnerability, an attacker would need specialized hardware and would be limited by the signal range of the Bluetooth devices in use. For more information about this industry-wide issue, see CVE-2019-9506 | Bluetooth Encryption Key Size Vulnerability in the Microsoft Security Update Guide and important guidance for IT pros in KB4514157. (Note: we are documenting this vulnerability together with guidance for IT admins as part of a coordinated industry disclosure effort.)
August 13, 2019
10:00 AM PT
Advisory: Windows Advanced Local Procedure Call Elevation of Privilege vulnerability disclosed (CVE-2019-1162)
On August 13, 2019, Google Project Zero (GPZ) disclosed an Elevation of Privilege (EoP) vulnerability in the Windows Collaborative Translation Framework (CTF) service that affects Windows operating systems, versions 8.1 and higher. An attacker must already have code execution on the target system to leverage these vulnerabilities. Microsoft released security updates on August 13, 2019 that partially address this issue. Other items disclosed by GPZ require more time to address and we are working to release a resolution in mid-September. For more information, see CVE-2019-1162 | Windows ALPC Elevation of Privilege Vulnerability
August 13, 2019
10:00 AM PT
Take action: Install required updates for Windows 7 SP1 and Windows Server 2008 RS2 SP1 for SHA-2 code sign support
As of August 13, 2019, Windows 7 SP1 and Windows Server 2008 R2 SP1 updates signatures only support SHA-2 code signing. As outlined in 2019 SHA-2 Code Signing Support requirement for Windows and WSUS, we are requiring that SHA-2 code signing support be installed. If you have Windows Update enabled and have applied the security updates released in March 2019 (KB4490628) and August 2019 (KB4474419), you are protected automatically; no further configuration is necessary. If you have not installed the March 2019 updates, you will need to do so in order to continue to receive updates on devices running Windows 7 SP1 and Windows Server 2008 R2 SP1.
August 13, 2019
10:00 AM PT
Take action: Windows 10, version 1803 (the April 2018 Update) reaches end of service on November 12, 2019
Windows 10, version 1803 (the April 2018 Update) will reach end of service on November 12, 2019 for Home and Pro editions. We will begin updating devices running Windows 10, version 1803 to Windows 10, version 1903 (the May 2019 Update) starting July 16, 2019 to help ensure that these devices remain in a serviced and secure state. For more information, see the Windows 10, version 1903 section of the Windows release health dashboard.
August 13, 2019
10:00 AM PT
Advisory: Windows Kernel Information Disclosure Vulnerability (CVE-2019-1125)
On July 9, 2019, Microsoft released a security update for a Windows kernel information disclosure vulnerability (CVE-2019-1125). Customers who have Windows Update enabled and have applied the security updates released on July 9, 2019 are protected automatically; no further configuration is necessary. For more information, see CVE-2019-1125 | Windows Kernel Information Disclosure Vulnerability in the Microsoft Security Update Guide. (Note: we are documenting this mitigation publicly today, instead of back in July, as part of a coordinated industry disclosure effort.)
August 06, 2019
10:00 AM PT
Resolved August 1, 2019 16:00 PT: Microsoft Store users may encounter blank screens when clicking on certain buttons
Some customers running the version of the Microsoft Store app released on July 29, 2019 encountered a blank screen when selecting “Switch out of S mode,” “Get Genuine,” or some “Upgrade to [version]” OS upgrade options. This issue has now been resolved and a new version of the Microsoft Store app has been released. Users who encountered this issue will need to update the Microsoft Store app on their device. If you are still encountering an issue, please see Fix problems with apps from Microsoft Store.
August 01, 2019
02:00 PM PT
Status update: Windows 10, version 1903 “D” release now available
The optional monthly “D” release for Windows 10, version 1903 is now available. Follow @WindowsUpdate for the latest on the availability of this release.
July 26, 2019
02:00 PM PT
- + @@ -96,7 +96,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusDate resolved
IA64-based devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64-based devices may fail to start.

See details >		August 13, 2019
KB4512506		Resolved
KB4474419		August 13, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
10:06 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503292		Resolved External
August 09, 2019
07:03 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >		May 14, 2019
KB4499164		Resolved
KB4503277		June 20, 2019
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		June 11, 2019
KB4503292		Resolved
KB4503277		June 20, 2019
02:00 PM PT
- + diff --git a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml index dbb57e0e0b..c99e109581 100644 --- a/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/resolved-issues-windows-8.1-and-windows-server-2012-r2.yml @@ -32,7 +32,7 @@ sections: - type: markdown text: "
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019
01:23 PM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019
01:22 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493472.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493472		Resolved
Resolved:
May 14, 2019
01:21 PM PT

Opened:
April 09, 2019
10:00 AM PT
- + @@ -96,7 +96,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusDate resolved
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Resolved External
August 13, 2019
10:06 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Resolved External
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503276		Resolved External
August 09, 2019
07:03 PM PT
IE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working.

See details >		May 14, 2019
KB4499151		Resolved
KB4503283		June 20, 2019
02:00 PM PT
Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.

See details >		June 11, 2019
KB4503276		Resolved
KB4503283		June 20, 2019
02:00 PM PT
- + diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml index 55d16a4b23..ad95a86417 100644 --- a/windows/release-information/status-windows-10-1507.yml +++ b/windows/release-information/status-windows-10-1507.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if ArcaBit antivirus software installed
Microsoft and ArcaBit have identified an issue on devices with ArcaBit antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. ArcaBit has released an update to address this issue. For more information, see the Arcabit support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019
01:22 PM PT

Opened:
April 09, 2019
10:00 AM PT
System unresponsive after restart if Sophos Endpoint Protection installed
Microsoft and Sophos have identified an issue on devices with Sophos Endpoint Protection installed and managed by either Sophos Central or Sophos Enterprise Console (SEC) that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Sophos has released an update to address this issue. Guidance for Sophos Endpoint and Sophos Enterprise Console customers can be found in the Sophos support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019
01:22 PM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart if Avira antivirus software installed
Microsoft and Avira have identified an issue on devices with Avira antivirus software installed that may cause the system to become unresponsive upon restart after installing KB4493446.

Affected platforms: 
  • Client: Windows 8.1; Windows 7 SP1 
  • Server: Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2 
Resolution: This issue has been resolved. Microsoft has removed the temporary block for all affected Windows updates. Avira has released an automatic update to address this issue. Guidance for Avira customers can be found in the Avira support article.

Back to top		April 09, 2019
KB4493446		Resolved
Resolved:
May 14, 2019
01:21 PM PT

Opened:
April 09, 2019
10:00 AM PT
+
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		OS Build 10240.18305

August 13, 2019
KB4512497		Acknowledged
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
August 09, 2019
07:03 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 10240.18094

January 08, 2019
KB4480962		Mitigated
April 25, 2019
02:00 PM PT
@@ -77,6 +78,7 @@ sections: - type: markdown text: " +
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512497, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		OS Build 10240.18305

August 13, 2019
KB4512497		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503291) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 10240.18244

June 11, 2019
KB4503291		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml index 407e511420..91613ec839 100644 --- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml +++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -85,6 +86,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		OS Build 14393.3144

August 13, 2019
KB4512517		Acknowledged
August 14, 2019
03:34 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 14393.3115

July 16, 2019
KB4507459		Resolved
KB4512517		August 13, 2019
10:00 AM PT
Internet Explorer 11 and apps using the WebBrowser control may fail to render
JavaScript may fail to render as expected in Internet Explorer 11 and in apps using JavaScript or the WebBrowser control.

See details >		OS Build 14393.3085

July 09, 2019
KB4507460		Resolved
KB4512517		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
August 09, 2019
07:03 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512517, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		OS Build 14393.3144

August 13, 2019
KB4512517		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503267) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 14393.3025

June 11, 2019
KB4503267		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 14393.3053

June 18, 2019
KB4503294		Investigating
Last updated:
August 01, 2019
05:00 PM PT

Opened:
August 01, 2019
05:00 PM PT
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml index 895bd3c1db..14b06262a2 100644 --- a/windows/release-information/status-windows-10-1703.yml +++ b/windows/release-information/status-windows-10-1703.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -78,6 +79,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		OS Build 15063.1988

August 13, 2019
KB4512507		Acknowledged
August 14, 2019
03:34 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 15063.1955

July 16, 2019
KB4507467		Resolved
KB4512507		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
August 09, 2019
07:03 PM PT
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".

See details >		OS Build 15063.1563

January 08, 2019
KB4480973		Mitigated
April 25, 2019
02:00 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512507, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		OS Build 15063.1988

August 13, 2019
KB4512507		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503279) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 15063.1868

June 11, 2019
KB4503279		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml index 930121e60e..0f421e0330 100644 --- a/windows/release-information/status-windows-10-1709.yml +++ b/windows/release-information/status-windows-10-1709.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -79,6 +80,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		OS Build 16299.1331

August 13, 2019
KB4512516		Acknowledged
August 14, 2019
03:34 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 16299.1296

July 16, 2019
KB4507465		Resolved
KB4512516		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 16299.1217

June 11, 2019
KB4503284		Mitigated
July 10, 2019
07:09 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512516, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		OS Build 16299.1331

August 13, 2019
KB4512516		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503284) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 16299.1217

June 11, 2019
KB4503284		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml index 0d6c3bc4dd..43dd7629a1 100644 --- a/windows/release-information/status-windows-10-1803.yml +++ b/windows/release-information/status-windows-10-1803.yml @@ -65,6 +65,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -85,6 +86,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		OS Build 17134.950

August 13, 2019
KB4512501		Acknowledged
August 14, 2019
03:34 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17134.915

July 16, 2019
KB4507466		Resolved
KB4512501		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		OS Build 17134.829

June 11, 2019
KB4503286		Mitigated
July 10, 2019
07:09 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512501, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		OS Build 17134.950

August 13, 2019
KB4512501		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503286) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17134.829

June 11, 2019
KB4503286		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml index a6f1d702b4..84e577f6f6 100644 --- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml +++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml @@ -64,6 +64,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -86,6 +87,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		OS Build 17763.678

August 13, 2019
KB4511553		Acknowledged
August 14, 2019
03:34 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 17763.652

July 22, 2019
KB4505658		Resolved
KB4511553		August 13, 2019
10:00 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
August 09, 2019
07:03 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data.

See details >		OS Build 17763.55

October 09, 2018
KB4464330		Investigating
August 01, 2019
05:00 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4511553, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		OS Build 17763.678

August 13, 2019
KB4511553		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503327) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 17763.557

June 11, 2019
KB4503327		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
Apps and scripts using the NetQueryDisplayInformation API may fail with error
 Applications and scripts that call the NetQueryDisplayInformation API or the WinNT provider equivalent may fail to return results after the first page of data, often 50 or 100 entries. When requesting additional pages you may receive the error, “1359: an internal error occurred.”

Affected platforms:
  • Server: Windows Server 2019; Windows Server 2016
Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 17763.55

October 09, 2018
KB4464330		Investigating
Last updated:
August 01, 2019
05:00 PM PT

Opened:
August 01, 2019
05:00 PM PT
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml index 3ea2e03409..ac69403baa 100644 --- a/windows/release-information/status-windows-10-1903.yml +++ b/windows/release-information/status-windows-10-1903.yml @@ -65,7 +65,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + + @@ -94,6 +95,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
August 13, 2019
05:24 PM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		OS Build 18362.295

August 13, 2019
KB4512508		Acknowledged
August 14, 2019
03:34 PM PT
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after updating.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
August 09, 2019
07:03 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Certain versions of Intel Rapid Storage Technology (Intel RST) drivers may cause updating to Windows 10, version 1903 to fail.

See details >		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
August 09, 2019
07:03 PM PT
Intermittent loss of Wi-Fi connectivity
Some older devices may experience loss of Wi-Fi connectivity due to an outdated Qualcomm driver.

See details >		OS Build 18362.116

May 21, 2019
KB4505057		Mitigated External
August 01, 2019
08:44 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512508, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		OS Build 18362.295

August 13, 2019
KB4512508		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503293) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		OS Build 18362.175

June 11, 2019
KB4503293		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -104,7 +106,7 @@ sections: text: " +

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in late August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml index f55dd568c1..e6f0096fc3 100644 --- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml +++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml @@ -60,9 +60,10 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

DetailsOriginating updateStatusHistory
Domain connected devices that use MIT Kerberos realms will not start up
Devices connected to a domain that is configured to use MIT Kerberos realms will not start up or may continue to restart after installation of KB4497935. Devices that are domain controllers or domain members are both affected.

To safeguard your update experience, we have applied a compatibility hold on devices configured to use MIT Kerberos realm from being offered Windows 10, version 1903 or Windows Server, version 1903.

Note If you are not sure if your device is affected, contact your administrator. Advanced users can check for “Define interoperable Kerberos v5 realm settings” policy under Computer Configuration -> Policies -> Administrative Templates > System -> Kerberos or check if this registry key exists:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\MitRealms
-

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016
Next steps: At this time, we suggest that devices in an affected environment do not install KB4497935. We are working on a resolution and estimate a solution will be available in late August.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
August 13, 2019
05:24 PM PT

Opened:
July 25, 2019
06:10 PM PT
OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
August 13, 2019
06:59 PM PT

Opened:
July 25, 2019
06:10 PM PT
Issues updating when certain versions of Intel storage drivers are installed
Intel and Microsoft have found incompatibility issues with certain versions of the Intel Rapid Storage Technology (Intel RST) drivers and the Windows 10 May 2019 Update (Windows 10, version 1903).  

To safeguard your update experience, we have applied a compatibility hold on devices with Intel RST drivers, versions 15.1.0.1002 through version 15.5.2.1053 installed from installing or being offered Windows 10, version 1903 or Windows Server, version 1903, until the driver has been updated.

Versions 15.5.2.1054 or later are compatible, and a device that has these drivers installed can install the Windows 10 May 2019 Update. For affected devices, the recommended version is 15.9.8.1050.

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Workaround: To mitigate this issue before the resolution is released, you will need to update the Intel RST drivers for your device to version 15.5.2.1054 or a later.  Check with your device manufacturer (OEM) to see if an updated driver is available and install it. You can also download the latest Intel RST drivers directly from Intel at Intel® Rapid Storage Technology (Intel® RST) User Interface and Driver. Once your drivers are updated, you can restart the installation process for Windows 10, version 1903. Please note, it can take up to 48 hours before you can update to Windows 10, version 1903.

Note Until an updated driver has been installed, we recommend you do not attempt to manually update using the Update now button or the Media Creation Tool. 

Next Steps: We are working on a resolution and estimate a solution will be available in late August.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Mitigated External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
July 25, 2019
06:10 PM PT
The dGPU may occasionally disappear from device manager on Surface Book 2 with dGPU
Microsoft has identified a compatibility issue on some Surface Book 2 devices configured with Nvidia discrete graphics processing unit (dGPU). After updating to Windows 10, version 1903 (May 2019 Feature Update), some apps or games that needs to perform graphics intensive operations may close or fail to open.

To safeguard your update experience, we have applied a compatibility hold on Surface Book 2 devices with Nvidia dGPUs from being offered Windows 10, version 1903, until this issue is resolved.

Affected platforms:
  • Client: Windows 10, version 1903
Workaround: To mitigate the issue if you are already on Windows 10, version 1903, you can restart the device or select the Scan for hardware changes button in the Action menu or on the toolbar in Device Manager.

Note We recommend that you do not attempt to manually update using the Update now button or the Media Creation Tool until this issue has been resolved.

Next steps: We are working on a resolution and will provide an update in an upcoming release.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
July 16, 2019
09:04 AM PT

Opened:
July 12, 2019
04:20 PM PT
Initiating a Remote Desktop connection may result in black screen
When initiating a Remote Desktop connection to devices with some older GPU drivers, you may receive a black screen. Any version of Windows may encounter this issue when initiating a Remote Desktop connection to a Windows 10, version 1903 device which is running an affected display driver, including the drivers for the Intel 4 series chipset integrated GPU (iGPU).

Affected platforms:
  • Client: Windows 10, version 1903
  • Server: Windows Server, version 1903
Next steps: We are working on a resolution that will be made available in upcoming release.

Back to top		OS Build 18362.145

May 29, 2019
KB4497935		Investigating
Last updated:
July 12, 2019
04:42 PM PT

Opened:
July 12, 2019
04:42 PM PT
+ - - + +
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512506		Acknowledged
August 14, 2019
03:34 PM PT
IA64-based devices may fail to start after installing updates
After installing updates released on or after August 13, 2019, IA64-based devices may fail to start.

See details >		August 13, 2019
KB4512506		Resolved
KB4474419		August 13, 2019
10:00 AM PT
Windows updates that are SHA-2 signed may not be offered
Windows udates that are SHA-2 signed are not available with Symantec Endpoint Protection installed

See details >		August 13, 2019
KB4512506		Investigating
August 13, 2019
10:05 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
10:06 AM PT
Windows updates that are SHA-2 signed may not be offered
Windows udates that are SHA-2 signed are not available with Symantec Endpoint Protection installed

See details >		August 13, 2019
KB4512506		Investigating
August 13, 2019
06:59 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493472		Resolved External
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503292		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503292		Mitigated
July 10, 2019
02:59 PM PT
@@ -80,8 +81,9 @@ sections: - type: markdown text: " + - +
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512506, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		August 13, 2019
KB4512506		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
IA64-based devices may fail to start after installing updates
After installing KB4512506, IA64-based devices may fail to start with the following error:
\"File: \\Windows\\system32\\winload.efi
Status: 0xc0000428
Info: Windows cannot verify the digital signature for this file.\"

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Resolution: This issue has been resolved in the latest version of KB4474419 (released on or after August 13, 2019).Please verify that KB4474419 is installed and restart your machine before installing KB4512506 released August 13th, 2019 or later.

 

Back to top		August 13, 2019
KB4512506		Resolved
KB4474419		Resolved:
August 13, 2019
10:00 AM PT

Opened:
August 13, 2019
08:34 AM PT
Windows updates that are SHA-2 signed may not be offered
Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Workaround: Guidance for Symantec customers can be found in the Symantec support article.

Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

Back to top		August 13, 2019
KB4512506		Investigating
Last updated:
August 13, 2019
10:05 AM PT

Opened:
August 13, 2019
10:05 AM PT
Windows updates that are SHA-2 signed may not be offered
Symantec has identified an issue that occurs when a device is running any Symantec or Norton antivirus program and installs updates for Windows that are signed with SHA-2 certificates only. The Windows updates are blocked or deleted by the antivirus program during installation, which may then cause Windows to stop working or fail to start.

Affected platforms:
  • Client: Windows 7 SP1
  • Server: Windows Server 2008 R2 SP1
Workaround: Guidance for Symantec customers can be found in the Symantec support article.

Next steps: To safeguard your update experience, Microsoft and Symantec have partnered to place a safeguard hold on devices with an affected version of Symantec Antivirus or Norton Antivirus installed to prevent them from receiving this type of Windows update until a solution is available. We recommend that you do not manually install affected updates until a solution is available.

Back to top		August 13, 2019
KB4512506		Investigating
Last updated:
August 13, 2019
06:59 PM PT

Opened:
August 13, 2019
10:05 AM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503292) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503292		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -100,6 +102,6 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles: 

Back to top		April 09, 2019
KB4493472		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml index 202c053f79..14996a4841 100644 --- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml +++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml @@ -60,7 +60,8 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

- + + @@ -80,6 +81,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Resolved External
August 13, 2019
10:06 AM PT
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512488		Acknowledged
August 14, 2019
03:34 PM PT
System may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.

See details >		April 09, 2019
KB4493446		Resolved External
August 13, 2019
06:59 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503276		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503276		Mitigated
July 10, 2019
07:09 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

See details >		April 25, 2019
KB4493443		Mitigated
May 15, 2019
05:53 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512488, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		August 13, 2019
KB4512488		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503276) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503276		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" @@ -107,7 +109,7 @@ sections: - type: markdown text: " - +
DetailsOriginating updateStatusHistory
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
10:06 AM PT

Opened:
April 09, 2019
10:00 AM PT
System may be unresponsive after restart with certain McAfee antivirus products
Microsoft and McAfee have identified an issue on devices with McAfee Endpoint Security (ENS) Threat Prevention 10.x or McAfee Host Intrusion Prevention (Host IPS) 8.0 or McAfee VirusScan Enterprise (VSE) 8.8 installed. It may cause the system to have slow startup or become unresponsive at restart after installing this update. 

Affected platforms:
  • Client: Windows 8.1; Windows 7 SP1
  • Server: Windows Server 2012 R2; Windows Server 2008 R2 SP1
Resolution: This issue has been resolved. McAfee has released an automatic update to address this issue. Guidance for McAfee customers can be found in the following McAfee support articles:  

Back to top		April 09, 2019
KB4493446		Resolved External
Last updated:
August 13, 2019
06:59 PM PT

Opened:
April 09, 2019
10:00 AM PT
" diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml index 89a7335b26..033396edf0 100644 --- a/windows/release-information/status-windows-server-2008-sp2.yml +++ b/windows/release-information/status-windows-server-2008-sp2.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512476		Acknowledged
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503273		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503273		Mitigated
July 10, 2019
02:59 PM PT
@@ -77,6 +78,7 @@ sections: - type: markdown text: " +
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512476, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		August 13, 2019
KB4512476		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503273) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503273		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
" diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml index 5d1e15e515..08e207a24e 100644 --- a/windows/release-information/status-windows-server-2012.yml +++ b/windows/release-information/status-windows-server-2012.yml @@ -60,6 +60,7 @@ sections: - type: markdown text: "
This table offers a summary of current active issues and those issues that have been resolved in the last 30 days.

+ @@ -79,6 +80,7 @@ sections: - type: markdown text: "
SummaryOriginating updateStatusLast updated
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
Applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and VBScript may stop responding and you may receive an error.

See details >		August 13, 2019
KB4512518		Acknowledged
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on MacOS when trying to access network shares via CIFS or SMBv1 on Windows devices that installed updates on June 11, 2019 or later.

See details >		June 11, 2019
KB4503285		Resolved External
August 09, 2019
07:03 PM PT
Devices starting using PXE from a WDS or SCCM servers may fail to start
Devices that start up using Preboot Execution Environment (PXE) images from Windows Deployment Services (WDS) may fail to start with error \"0xc0000001.\"

See details >		June 11, 2019
KB4503285		Mitigated
July 10, 2019
07:09 PM PT
Japanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.

See details >		April 25, 2019
KB4493462		Mitigated
May 15, 2019
05:53 PM PT
+
DetailsOriginating updateStatusHistory
Apps using Visual Basic 6 (VB6), VBA, and VBScript may stop responding with error
After installing KB4512518, applications that were made using Visual Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts or apps using Visual Basic Scripting Edition (VBScript) may stop responding and you may receive an \"invalid procedure call error.\"

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Next steps: Microsoft is presently investigating this issue and will provide an update when available.

Back to top		August 13, 2019
KB4512518		Acknowledged
Last updated:
August 14, 2019
03:34 PM PT

Opened:
August 14, 2019
03:34 PM PT
MacOS may be unable to access network shares via CIFS or SMBv1 on Windows devices
You may receive an error on your Apple MacOS device when trying to access network shares via CIFS or SMBv1 on a Windows devices that has installed updates on June 11, 2019 (KB4503285) or later. When you encounter this issue, in MacOS you may receive the error, “There was a problem connecting to the server “{Server Host Name}”. Check the server name or IP address, and then try again. If you continue to have problems, contact your system administrator.”

Affected platforms:
  • Client: Windows 10, version 1903; Windows 10, version 1809; Windows 10 Enterprise LTSC 2019; Windows 10, version 1803; Windows 10, version 1709; Windows 10, version 1703; Windows 10 Enterprise LTSC 2016; Windows 10, version 1607; Windows 10 Enterprise LTSC 2015; Windows 8.1; Windows 7 SP1
  • Server: Windows Server, version 1903; Windows Server, version 1809; Windows Server 2019; Windows Server, version 1803; Windows Server, version 1709 ; Windows Server 2016; Windows Server 2012 R2; Windows Server 2012; Windows Server 2008 R2 SP1; Windows Server 2008 SP2
Resolution: For guidance on this issue, see the Apple support article If your Mac can't use NTLM to connect to a Windows server. There is no update for Windows needed for this issue.

Back to top		June 11, 2019
KB4503285		Resolved External
Last updated:
August 09, 2019
07:03 PM PT

Opened:
August 09, 2019
04:25 PM PT
"

**Note**
If you want to change any of your settings, you can click **Modify Settings** to open the **Internet Properties** box, click **Set associations**, and make your changes. + +2. Click **Next** to go to the [Additional Settings](additional-settings-ieak11-wizard.md) page or **Back** to go to the [Add a Root Certificate](add-root-certificate-ieak11-wizard.md) page. + +  + +  + + + + + diff --git a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md index 72f123de7f..fc7cf4147e 100644 --- a/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md +++ b/devices/surface/upgrade-surface-devices-to-windows-10-with-mdt.md @@ -14,7 +14,7 @@ ms.reviewer: manager: dansimp --- -# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit +# Upgrade Surface devices to Windows 10 with Microsoft Deployment Toolkit #### Applies to * Surface Pro 3 diff --git a/education/windows/s-mode-switch-to-edu.md b/education/windows/s-mode-switch-to-edu.md index d92973b13b..7c0eaafd0a 100644 --- a/education/windows/s-mode-switch-to-edu.md +++ b/education/windows/s-mode-switch-to-edu.md @@ -42,7 +42,7 @@ S mode is an enhanced security mode of Windows 10 – streamlined for security a |Credential Guard | | | | X | |Device Guard | | | | X | -### Windows 10 in S mode is safe, secure, and fast. +### Windows 10 in S mode is safe, secure, and fast. However, in some limited scenarios, you might need to switch to Windows 10 Education. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. ## How to switch diff --git a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md index fd47fcd34c..9cd3aaa842 100644 --- a/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md +++ b/mdop/appv-v4/application-virtualization-server-based-scenario-overview.md @@ -19,7 +19,7 @@ ms.date: 06/16/2016 If you plan to use a server-based deployment scenario for your Microsoft Application Virtualization environment, it is important to understand the differences between the *Application Virtualization Management Server* and the *Application Virtualization Streaming Server*. This topic describes those differences and also provides information about package delivery methods, transmission protocols, and external components that you will need to consider as you proceed with your deployment. -## Application Virtualization Management Server +## Application Virtualization Management Server The Application Virtualization Management Server performs both the publishing function and the streaming function. The server publishes application icons, shortcuts, and file type associations to the App-V clients for authorized users. When user requests for applications are received the server streams that data on-demand to authorized users using RTSP or RTSPS protocols. In most configurations using this server, one or more Management Servers share a common data store for configuration and package information. @@ -28,7 +28,7 @@ The Application Virtualization Management Servers use Active Directory groups to Because the Application Virtualization Management Servers stream applications to end-users on demand, these servers are ideally suited for system configurations that have reliable, high-bandwidth LANs. -## Application Virtualization Streaming Server +## Application Virtualization Streaming Server The Application Virtualization Streaming Server delivers the same streaming and package upgrade capabilities provided by the Management Server, but without its Active Directory or SQL Server requirements. However, the Streaming Server does not have a publishing service, nor does it have licensing or metering capabilities. The publishing service of a separate App-V Management Server is used in conjunction with the App-V Streaming Server. The App-V Streaming Server addresses the needs of businesses that want to use Application Virtualization in multiple locations with the streaming capabilities of the classic server configuration but might not have the infrastructure to support App-V Management Servers in every location. diff --git a/mdop/appv-v4/planning-for-server-security.md b/mdop/appv-v4/planning-for-server-security.md index 7f51cc0fc6..3144f1bb2a 100644 --- a/mdop/appv-v4/planning-for-server-security.md +++ b/mdop/appv-v4/planning-for-server-security.md @@ -31,7 +31,7 @@ The content directory contains all of the packages that are to be streamed to cl Keep the number of users with administrative privileges to a minimum to reduce possible threats to the data in the data store and to avoid publishing malicious applications into the infrastructure. -## Application Virtualization Security +## Application Virtualization Security App-V uses several methods of communication between the various components of the infrastructure. When you plan your App-V infrastructure, securing the communications between servers can reduce the security risks that might already be present on the existing network. diff --git a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md index cd65628a24..6aab565898 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md +++ b/mdop/mbam-v1/planning-for-mbam-10-administrator-roles.md @@ -19,7 +19,7 @@ ms.date: 06/16/2016 This topic includes and describes the administrator roles that are available in Microsoft BitLocker Administration and Monitoring (MBAM), as well as the server locations where the local groups are created. -## MBAM Administrator roles +## MBAM Administrator roles **MBAM System Administrators** diff --git a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md index eb5ac48c44..b5fe8b5617 100644 --- a/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md +++ b/mdop/mbam-v1/planning-for-mbam-10-group-policy-requirements.md @@ -141,7 +141,7 @@ This section describes the Client Management policy definitions for MBAM, found -## Fixed Drive policy definitions +## Fixed Drive policy definitions This section describes the Fixed Drive policy definitions for MBAM, which can be found at the following GPO node: **Computer Configuration**\\**Administrative Templates**\\**Windows Components**\\**MDOP MBAM (BitLocker Management)** \\ **Fixed Drive**. diff --git a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md index 129b9e694f..f1a773c308 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-administrator-roles-mbam-2.md @@ -19,7 +19,7 @@ ms.date: 06/16/2016 This topic lists and describes the available administrator roles that are available in Microsoft BitLocker Administration and Monitoring (MBAM) as well as the server locations where the local groups are created. -## MBAM Administrator Roles +## MBAM Administrator Roles **MBAM System Administrators** diff --git a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md index cb5cb89526..d7de859c09 100644 --- a/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md +++ b/mdop/mbam-v2/planning-for-mbam-20-group-policy-requirements-mbam-2.md @@ -142,7 +142,7 @@ This section describes Client Management policy definitions for Microsoft BitLoc -## Fixed Drive Policy Definitions +## Fixed Drive Policy Definitions This section describes Fixed Drive policy definitions for Microsoft BitLocker Administration and Monitoring found at the following GPO node: **Computer Configuration**\\**Policies**\\**Administrative Templates**\\**Windows Components**\\**MDOP MBAM (BitLocker Management)**\\**Fixed Drive**. diff --git a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md index 48f0163995..e17e36fce5 100644 --- a/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md +++ b/mdop/uev-v1/sharing-settings-location-templates-with-the-ue-v-template-gallery.md @@ -17,7 +17,7 @@ ms.date: 08/30/2016 # Sharing Settings Location Templates with the UE-V Template Gallery -## Share location templates with the template gallery +## Share location templates with the template gallery The Microsoft User Experience Virtualization (UE-V) template gallery allows administrators to share their UE-V settings location templates. In the gallery, you can upload your settings location templates for other people to use, and you can download templates that other people have created. The UE-V template gallery is located on Microsoft TechNet here: . diff --git a/mdop/uev-v1/troubleshooting-ue-v-10.md b/mdop/uev-v1/troubleshooting-ue-v-10.md index 81aa6256a0..d04a56ec25 100644 --- a/mdop/uev-v1/troubleshooting-ue-v-10.md +++ b/mdop/uev-v1/troubleshooting-ue-v-10.md @@ -19,7 +19,7 @@ ms.date: 08/30/2016 Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](https://go.microsoft.com/fwlink/p/?LinkId=224905). -## Find troubleshooting information +## Find troubleshooting information You can use the following information to find troubleshooting content or additional technical content for this product. @@ -44,7 +44,7 @@ The first step to find help content in the Administrator’s Guide is to search 3. Review the search results for assistance. -## Create a troubleshooting article +## Create a troubleshooting article If you have a troubleshooting tip or a best practice to share that is not already included in the MDOP Online Help or TechNet Wiki, you can create your own TechNet Wiki article. diff --git a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md index 733876d705..161015c807 100644 --- a/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/troubleshooting-ue-v-2x-both-uevv2.md @@ -19,7 +19,7 @@ ms.date: 08/30/2016 Troubleshooting content is not included in the Administrator's Guide for this product. Instead, you can find troubleshooting information for this product on the [TechNet Wiki](https://go.microsoft.com/fwlink/p/?LinkId=224905). -## Find troubleshooting information +## Find troubleshooting information You can use the following information to find troubleshooting content or additional technical content for this product. @@ -44,7 +44,7 @@ The first step to find help content in the Administrator’s Guide is to search 3. Review the search results for assistance. -## Create a troubleshooting article +## Create a troubleshooting article If you have a troubleshooting tip or a best practice to share that is not already included in the MDOP Online Help or TechNet Wiki, you can create your own TechNet Wiki article. diff --git a/store-for-business/device-guard-signing-portal.md b/store-for-business/device-guard-signing-portal.md index 2c0e080ed7..6a2720e035 100644 --- a/store-for-business/device-guard-signing-portal.md +++ b/store-for-business/device-guard-signing-portal.md @@ -51,7 +51,7 @@ Catalog and policy files have required files types. | catalog files | .cat | | policy files | .bin | - ## Store for Business roles and permissions + ## Store for Business roles and permissions Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role. ## Device Guard signing certificates diff --git a/store-for-business/work-with-partner-microsoft-store-business.md b/store-for-business/work-with-partner-microsoft-store-business.md index 9ca69eef76..e2829a08cb 100644 --- a/store-for-business/work-with-partner-microsoft-store-business.md +++ b/store-for-business/work-with-partner-microsoft-store-business.md @@ -38,7 +38,7 @@ There are several ways that a solution provider can work with you. Solution prov | OEM PC partner | Solution providers can upload device IDs for PCs that you're [managing with Autopilot](https://docs.microsoft.com/microsoft-store/add-profile-to-devices). | | Line-of-business (LOB) partner | Solution providers can develop, submit, and manage LOB apps specific for your organization or school. | -## Find a solution provider +## Find a solution provider You can find partner in Microsoft Store for Business and Education. diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index f4394c7d54..2570e65b3d 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md @@ -11,7 +11,7 @@ ms.reviewer: manager: dansimp --- -# Win32CompatibilityAppraiser CSP +# Win32CompatibilityAppraiser CSP > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. diff --git a/windows/client-management/reset-a-windows-10-mobile-device.md b/windows/client-management/reset-a-windows-10-mobile-device.md index 945ba0f15a..e90c985fdb 100644 --- a/windows/client-management/reset-a-windows-10-mobile-device.md +++ b/windows/client-management/reset-a-windows-10-mobile-device.md @@ -66,7 +66,7 @@ To perform a "wipe and persist" reset, preserving the provisioning applied to th ``` -## Reset using the UI +## Reset using the UI 1. On your mobile device, go to **Settings** > **System** > **About** > **Reset your Phone** diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index ac7e1e2391..27b46491dc 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -17,7 +17,7 @@ manager: dansimp This article provides steps to troubleshoot **Stop error 7B: Inaccessible_Boot_Device**. This error may occur after some changes are made to the computer, or immediately after you deploy Windows on the computer. -## Causes of the Inaccessible_Boot_Device Stop error +## Causes of the Inaccessible_Boot_Device Stop error Any one of the following factors may cause the stop error: @@ -37,7 +37,7 @@ Any one of the following factors may cause the stop error: * Corrupted files in the **Boot** partition (for example, corruption in the volume that is labeled **SYSTEM** when you run the `diskpart` > `list vol` command) -## Troubleshoot this error +## Troubleshoot this error Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference#span-identrypointsintowinrespanspan-identrypointsintowinrespanspan-identrypointsintowinrespanentry-points-into-winre). To do this, follow these steps. @@ -47,9 +47,9 @@ Start the computer in [Windows Recovery Mode (WinRE)](https://docs.microsoft.com 3. On the **System Recovery Options** screen, select **Next** > **Command Prompt** . -### Verify that the boot disk is connected and accessible +### Verify that the boot disk is connected and accessible -#### Step 1 +#### Step 1 At the WinRE Command prompt, run `diskpart`, and then run `list disk`. @@ -67,7 +67,7 @@ If the computer uses a Unified Extensible Firmware Interface (UEFI) startup inte If the computer uses a basic input/output system (BIOS) interface, there will not be an asterisk in the **Dyn** column. -#### Step 2 +#### Step 2 If the `list disk` command lists the OS disks correctly, run the `list vol` command in `diskpart`. @@ -88,7 +88,7 @@ If the `list disk` command lists the OS disks correctly, run the `list vol` comm >[!NOTE] >If the disk that contains the OS is not listed in the output, you will have to engage the OEM or virtualization manufacturer. -### Verify the integrity of Boot Configuration Database +### Verify the integrity of Boot Configuration Database Check whether the Boot Configuration Database (BCD) has all the correct entries. To do this, run `bcdedit` at the WinRE command prompt. @@ -163,7 +163,7 @@ If you do not have a Windows 10 ISO, you must format the partition and copy **bo 4. Right-click the partition, and then format it. -### Troubleshooting if this issue occurs after a Windows Update installation +### Troubleshooting if this issue occurs after a Windows Update installation Run the following command to verify the Windows update installation and dates: @@ -203,9 +203,9 @@ After you run this command, you will see the **Install pending** and **Uninstall 11. Expand **Control\Session Manager**. Check whether the **PendingFileRenameOperations** key exists. If it does, back up the **SessionManager** key, and then delete the **PendingFileRenameOperations** key. -### Verifying boot critical drivers and services +### Verifying boot critical drivers and services -#### Check services +#### Check services 1. Follow steps 1-10 in the "Troubleshooting if this issue occurs after an Windows Update installation" section. (Step 11 does not apply to this procedure.) @@ -235,7 +235,7 @@ ren SYSTEM SYSTEM.old copy OSdrive:\Windows\System32\config\RegBack\SYSTEM OSdrive:\Windows\System32\config\ ``` -#### Check upper and lower filter drivers +#### Check upper and lower filter drivers Check whether there are any non-Microsoft upper and lower filter drivers on the computer and that they do not exist on another, similar working computer. if they do exist, remove the upper and lower filter drivers: @@ -268,7 +268,7 @@ The reason that these entries may affect us is because there may be an entry in >[!NOTE] >If there actually is a service that is set to **0** or **1** that corresponds to an **UpperFilters** or **LowerFilters** entry, setting the service to disabled in the **Services** registry (as discussed in steps 2 and 3 of the Check services section) without removing the **Filter Driver** entry causes the computer to crash and generate a 0x7b Stop error. -### Running SFC and Chkdsk +### Running SFC and Chkdsk If the computer still does not start, you can try to run a **chkdisk** process on the system drive, and also run System File Checker. To do this, run the following commands at a WinRE command prompt: diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index ff9c230e83..cf28c53e4a 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -16,7 +16,7 @@ ms.author: dansimp ms.topic: article --- -# Assigned Access configuration (kiosk) XML reference +# Assigned Access configuration (kiosk) XML reference **Applies to** diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 5b29de8d83..294a31c04b 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md +++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -1,850 +1,850 @@ ---- -title: Demonstrate Autopilot deployment -ms.reviewer: -manager: laurawi -description: Step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment -keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade -ms.prod: w10 -ms.mktglfcycl: deploy -ms.localizationpriority: medium -ms.sitesec: library -ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.author: greglin -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: autopilot ---- - - -# Demonstrate Autopilot deployment - -**Applies to** - -- Windows 10 - -To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10. - -In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V. Note: Although there are [multiple platforms](administer.md) available to enable Autopilot, this lab primarily uses Intune. - ->Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual. - -The following video provides an overview of the process: - -
- - ->For a list of terms used in this guide, see the [Glossary](#glossary) section. - -## Prerequisites - -These are the things you'll need to complete this lab: - - - -
Windows 10 installation mediaWindows 10 Professional or Enterprise (ISO file), version 1703 or later is required. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
Internet accessIf you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
Hyper-V or a physical device running Windows 10The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.
A Premium Intune accountThis guide will describe how to obtain a free 30-day trial premium account that can be used to complete the lab.
- -## Procedures - -A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix. - -[Verify support for Hyper-V](#verify-support-for-hyper-v) -
[Enable Hyper-V](#enable-hyper-v) -
[Create a demo VM](#create-a-demo-vm) -
    [Set ISO file location](#set-iso-file-location) -
    [Determine network adapter name](#determine-network-adapter-name) -
    [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm) -
    [Install Windows 10](#install-windows-10) -
[Capture the hardware ID](#capture-the-hardware-id) -
[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe) -
[Verify subscription level](#verify-subscription-level) -
[Configure company branding](#configure-company-branding) -
[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment) -
[Register your VM](#register-your-vm) -
    [Autopilot registration using Intune](#autopilot-registration-using-intune) -
    [Autopilot registration using MSfB](#autopilot-registration-using-msfb) -
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile) -
    [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune) -
       [Assign the profile](#assign-the-profile) -
    [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb) -
[See Windows Autopilot in action](#see-windows-autopilot-in-action) -
[Remove devices from Autopilot](#remove-devices-from-autopilot) -
    [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device) -
[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v) -
[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile) -
    [Add a Win32 app](#add-a-win32-app) -
       [Prepare the app for Intune](#prepare-the-app-for-intune) -
       [Create app in Intune](#create-app-in-intune) -
       [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
    [Add Office 365](#add-office-365) -
       [Create app in Intune](#create-app-in-intune) -
       [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile) -
[Glossary](#glossary) - -## Verify support for Hyper-V - -If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later). - ->If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10). - -If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed. - -## Enable Hyper-V - -To enable Hyper-V, open an elevated Windows PowerShell prompt and run the following command: - -```powershell -Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -``` - -This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command: - -```powershell -Install-WindowsFeature -Name Hyper-V -IncludeManagementTools -``` - -When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. - ->Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below: - - ![hyper-v feature](../images/hyper-v-feature.png) - - ![hyper-v](../images/svr_mgr2.png) - -