From 01155f6cea2d2aac71a2b1b283e592ef73edb423 Mon Sep 17 00:00:00 2001 From: mapalko Date: Fri, 26 Apr 2019 11:32:50 -0700 Subject: [PATCH 001/137] Fixing typo in Federation with Azure Section You cannot deploy both password sync and PTA in the same environment. The changed statement is being fixed to reflect either can be deployed but not both. --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index f59a78c750..307cd0ee45 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -85,7 +85,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation with Azure ## -You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. +You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) or [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) 2012 R2 or later. ### Section Review ### > [!div class="checklist"] From 4dfdeec0f8b91478680d8422b292d65a205501ae Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 11 Jun 2019 10:19:49 +0500 Subject: [PATCH 002/137] Hybrid Certificate Trust Updated HCT works with Federated environment so I have updated the title and links accordingly. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3942 --- .../hello-for-business/hello-how-it-works-provisioning.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
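Review bot: The "and" to "or" change is the right fix for this sentence; while it is being touched, the link text "Azure Active Directory Pass-through-Authentication" carries a stray hyphen between "through" and "Authentication". The feature name in prose is "Pass-through Authentication" (only the URL slug is fully hyphenated), so the link text should read `[Azure Active Directory Pass-through Authentication](...)`.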
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 0492d0e9fc..edcb4de493 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -28,7 +28,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Azure AD joined provisioning in a Managed environment](#azure-ad-joined-provisioning-in-a-managed-environment)
[Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
-[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
+[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-federated-environment)
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
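Review bot: After this change the link list has two consecutive entries with the identical text "Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment", and the second one still points at `#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment`, an anchor that the next hunk of this same patch renames away. Either delete the second entry or point it at the federated anchor, so that exactly one link per heading remains and none of them dangle.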
@@ -76,8 +76,8 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) -## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment -![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png) +## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment +![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-certtrust-managed.png) | Phase | Description | From 6ce9c411996e9936fa5d54bd47b80e171252d3dc Mon Sep 17 00:00:00 2001 From: Adam Gross Date: Tue, 25 Jun 2019 10:46:55 -0500 Subject: [PATCH 003/137] Updated Version Information --- .../upgrade/upgrade-readiness-deployment-script.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 83db3a42b1..f0d95c0e05 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
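Review bot: The heading and the image alt text now say "Federated environment", but the image path is unchanged: `images/howitworks/prov-haadj-certtrust-managed.png`. If the diagram still depicts the managed flow, the figure now contradicts the heading and needs replacing; if the file is merely misnamed, say so in the commit message so the mismatch is understood as cosmetic.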
@@ -20,9 +20,12 @@ To automate the steps provided in [Get started with Upgrade Readiness](upgrade-r >[!IMPORTANT] >Upgrade Readiness was previously called Upgrade Analytics. References to Upgrade Analytics in any scripts or online content pertain to the Upgrade Readiness solution. +>[!IMPORTANT] +>The latest version of the Upgrade Readiness Script is **2.4.4 - 10.10.2018** + For detailed information about using the Upgrade Readiness (also known as upgrade analytics) deployment script, see the [Upgrade Analytics blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/New-version-of-the-Upgrade-Analytics-Deployment-Script-available/ba-p/187164?advanced=false&collapse_discussion=true&q=new%20version%20of%20the%20upgrade%20analytics%20deployment%20script%20available&search_type=thread). -> The following guidance applies to version 11.11.16 or later of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). +> The following guidance applies to version **2.4.4 - 10.10.2018** of the Upgrade Readiness deployment script. If you are using an older version, download the latest from the [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). The Upgrade Readiness deployment script does the following: 
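Review bot: The rewritten guidance sentence drops "or later" (it now says "applies to version **2.4.4 - 10.10.2018**" where it previously said "version 11.11.16 or later"), so the page will read as applying to exactly one build and go stale with the next release; keep "or later". The new `[!IMPORTANT]` block also repeats what that sentence already states two lines below and is stacked directly on another `[!IMPORTANT]` alert, so one alert carrying the version is enough.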
@@ -70,7 +73,7 @@ To run the Upgrade Readiness deployment script: > > *IEOptInLevel = 3 Data collection is enabled for all sites* -4. A recent version (03.02.17) of the deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**. +4. The deployment script is configured to collect and send diagnostic and debugging data to Microsoft. If you wish to disable sending diagnostic and debugging data to Microsoft, set **AppInsightsOptIn = false**. By default, **AppInsightsOptIn** is set to **true**. The data that is sent is the same data that is collected in the text log file that captures the events and error codes while running the script. This file is named in the following format: **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. Log files are created in the drive that is specified in the RunConfig.bat file. By default this is set to: **%SystemDrive%\UADiagnostics**. @@ -79,7 +82,7 @@ To run the Upgrade Readiness deployment script: \*vortex\*.data.microsoft.com
\*settings\*.data.microsoft.com -5. The latest version (03.28.2018) of the deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**. +5. The deployment script configures insider builds to continue to send the device name to the diagnostic data management service and the analytics portal. If you do not want to have insider builds send the device name sent to analytics and be available in the analytics portal, set **DeviceNAmeOptIn = false**. By default it is true, which preserves the behavior on previous versions of Windows. This setting only applies to insider builds. Note that the device name is also sent to AppInsights, so to ensure the device name is not sent to either place you would need to also set **AppInsightsOptIn = false**. 6. After you finish editing the parameters in RunConfig.bat, you are ready to run the script. If you are using the Pilot version, run RunConfig.bat from an elevated command prompt. If you are using the Deployment version, use ConfigMgr or other software deployment service to run RunConfig.bat as system. From 3df0420a7c0bc7ce12da96681d331d13cabd99b5 Mon Sep 17 00:00:00 2001 
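Review bot: In step 5 the rewritten line keeps two defects it could have fixed: the setting name is spelled "**DeviceNAmeOptIn**" (capital A; the parameter is `DeviceNameOptIn`, matching the `AppInsightsOptIn` casing used in the same sentence) and "If you do not want to have insider builds send the device name sent to analytics" has a duplicated verb ("send ... sent"). Suggest "If you do not want insider builds to send the device name to analytics and have it available in the analytics portal, set **DeviceNameOptIn = false**."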
From: Maximilian Golla Date: Wed, 26 Jun 2019 15:45:44 +0200 Subject: [PATCH 004/137] Update of PIN algorithm description Description was inaccurate and not correct. Moreover it included a wrong example (the PIN 1593, is not allowed) and negative deltas do not exist. --- .../hello-for-business/hello-faq.md | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 116bff8b92..1487ab5138 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md 
@@ -114,15 +114,19 @@ Windows 10 does not allow the local administrator to enroll biometric gestures(f No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. ## Does Windows Hello for Business prevent the use of simple PINs? -Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. This prevents repeating numbers, sequential numbers and simple patterns. +Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. The algorithm counts the number of steps required to reach the next digit, overflowing at ten ('zero'). So, for example: -* 1111 has a constant delta of 0, so it is not allowed -* 1234 has a constant delta of 1, so it is not allowed -* 1357 has a constant delta of 2, so it is not allowed -* 9630 has a constant delta of -3, so it is not allowed -* 1231 does not have a constant delta, so it is okay -* 1593 does not have a constant delta, so it is okay +* The PIN 1111 has a constant delta of (0,0,0), so it is not allowed +* The PIN 1234 has a constant delta of (1,1,1), so it is not allowed +* The PIN 1357 has a constant delta of (2,2,2), so it is not allowed +* The PIN 9630 has a constant delta of (7,7,7), so it is not allowed +* The PIN 1593 has a constant delta of (4,4,4), so it is not allowed +* The PIN 7036 has a constant delta of (3,3,3), so it is not allowed +* The PIN 1231 does not have a constant delta (1,1,8), so it is allowed +* The PIN 1872 does not have a constant delta (7,9,5), so it is allowed +This prevents repeating numbers, sequential numbers, and simple patterns. +It always results in a list of 100 disallowed PINs (independent of the PIN length). 
This algorithm does not apply to alphanumeric PINs. ## How does PIN caching work with Windows Hello for Business? From 27efcbaf595d1d90eae856bf52bc5e07f41f3412 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Thu, 27 Jun 2019 10:41:23 +0500 Subject: [PATCH 005/137] Adding app to private store I have updated the content to make apps available in a private store. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2109 --- .../distribute-apps-from-your-private-store.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index 50f43122c5..5ebc487b89 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -43,13 +43,11 @@ Microsoft Store adds the app to **Products and services**. Click **Manage**, **A -3. Use **Refine results** to search for online-licensed apps under **License type**. -4. From the list of online-licensed apps, click the ellipses for the app you want, and then choose **Add to private store**. +3. Click on the application to open the application settings and then click on **Private store availability**. +4. Select **Everyone** to make application available for all people in your organization. -The value under **Private store** for the app will change to pending. It will take approximately thirty-six hours before the app is available in the private store. - >[!Note] > If you are working with a new Line-of-Business (LOB) app, you have to wait for the app to be available in **Products & services** before adding it to your private store. For more information, see [Working with line-of-business apps](working-with-line-of-business-apps.md). From d6a894d0ff4c31da6288334b36016ea24b8d86ed Mon Sep 17 00:00:00 2001 
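Review bot: The worked bullets check out (for 9630: 9+7=16 giving 6, 6+7=13 giving 3, 3+7=10 giving 0), but the description should state the rule precisely rather than as "overflowing at ten": the delta between consecutive digits is taken modulo 10, and a PIN is rejected when every delta is equal. With that stated, the closing claim of "a list of 100 disallowed PINs (independent of the PIN length)" becomes verifiable, since there are 10 starting digits times 10 possible deltas for any PIN of two or more digits; say that in the sentence. Minor wording: "has a constant delta of (0,0,0)" pairs a singular noun with a tuple; "has constant deltas (0,0,0)" or "has deltas 0,0,0, so it is not allowed" reads better.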
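Review bot: This hunk deletes the sentence saying the app's private-store status changes to pending and that it takes roughly thirty-six hours before the app appears, without replacing it. If that delay still applies with the new **Private store availability** flow, readers lose the one statement that explains why an app is not visible immediately; confirm with the product team before dropping it, or restate the current behaviour in its place. Also, step 4 reads "to make application available", which is missing "the".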
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 28 Jun 2019 16:20:39 +0530 Subject: [PATCH 006/137] added two new commands for exporting and importing .xml files Taken example from Windows 10 v1903 build no 18362.207. added two commands under export of configuration file and import of configuration file --- .../import-export-exploit-protection-emet-xml.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index c9851d72d1..14c37305cc 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md @@ -70,6 +70,9 @@ When you have configured exploit protection to your desired state (including bot Change `filename` to any name or location of your choosing. +example command +**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml** + > [!IMPORTANT] > When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. @@ -91,6 +94,10 @@ After importing, the settings will be instantly applied and can be reviewed in t Change `filename` to the location and name of the exploit protection XML file. +example command +**Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml** + + >[!IMPORTANT] > >Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. 
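Review bot: In the first hunk, "example command" followed by a bold `**Get-ProcessMitigation -RegistryConfigFilePath C:\ExploitConfigfile.xml**` is not how this page presents commands; the surrounding text already uses inline code for `filename`, so the example belongs in a fenced PowerShell block with a capitalised, punctuated lead-in such as "Example:". Bold text also cannot be copied cleanly and hides backslashes in some renderers.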
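Review bot: In the second hunk, the `Set-ProcessMitigation -PolicyFilePath C:\ExploitConfigfile.xml` example has the same presentation problem (lowercase "example command" and a bold line instead of a fenced code block), and it leaves two blank lines before the `[!IMPORTANT]` alert where one is the convention on this page. Tidy both so the import and export examples look the same.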
@@ -151,6 +158,7 @@ You can use Group Policy to deploy the configuration you've created to multiple - C:\MitigationSettings\Config.XML - \\\Server\Share\Config.xml - https://localhost:8080/Config.xml + - C:\ExploitConfigfile.xml 8. Click **OK** and [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). From 13ee67ec1c137b22e54bf08131493a5aa645dd24 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 29 Jun 2019 14:37:08 +0500 Subject: [PATCH 007/137] Update store-for-business/distribute-apps-from-your-private-store.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- store-for-business/distribute-apps-from-your-private-store.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/distribute-apps-from-your-private-store.md b/store-for-business/distribute-apps-from-your-private-store.md index 5ebc487b89..d45e508ac3 100644 --- a/store-for-business/distribute-apps-from-your-private-store.md +++ b/store-for-business/distribute-apps-from-your-private-store.md @@ -43,7 +43,7 @@ Microsoft Store adds the app to **Products and services**. Click **Manage**, **A -3. Click on the application to open the application settings and then click on **Private store availability**. +3. Click on the application to open the application settings, then select **Private store availability**. 4. Select **Everyone** to make application available for all people in your organization. From 01f38be30b806428057382138de08074b1c9b26f Mon Sep 17 00:00:00 2001 
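Review bot: Appending `C:\ExploitConfigfile.xml` to the list of example locations only duplicates the existing local-path example `C:\MitigationSettings\Config.XML`; the three entries already present cover a local path, a UNC share and a URL, so the fourth adds no information. Drop it, or if the goal is to match the file name used in the new command examples, replace the existing local-path entry rather than adding another.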
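Review bot: The rewrite of step 3 reads well; step 4 on the following context line still says "to make application available for all people", missing "the" before "application", and could be corrected in the same commit.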
From: Kartikay Sharma <44971599+SharmaKartikay@users.noreply.github.com> Date: Mon, 1 Jul 2019 16:48:14 +0100 Subject: [PATCH 008/137] Added Info on TPM 2.0 with Legacy \ CSM Mode The info on the page lacks the complete info and this had led customer open a support cases with us where Bitlocker does not work when they have TPM 2.0 in legacy Mode. This Note will help readers get a complete rationale. --- .../information-protection/bitlocker/bitlocker-overview.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 138a9d5422..9b9350921a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md @@ -60,6 +60,11 @@ A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant B The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment. +> [!NOTE] +> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. + +> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. + The hard disk must be partitioned with at least two drives: - The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system. 
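Review bot: The second paragraph ("> Installed Operating System on hardware in legacy mode ...") is separated from the `[!NOTE]` by a blank line, so it renders as a plain blockquote rather than as part of the note; join it to the note with a continuous run of `>` lines. While fixing that: "For added security Enable the Secure Boot feature" needs a comma and lowercase "enable"; "Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI" is clearer as "An operating system installed in legacy BIOS mode will not boot after the firmware is switched to UEFI"; and the MBR2GPT link should drop the `en-us/` locale segment so it does not pin readers to one language.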
From a084b73e59aa75573f3bbc78592c7559ada38469 Mon Sep 17 00:00:00 2001 From: Kartikay Sharma <44971599+SharmaKartikay@users.noreply.github.com> Date: Mon, 1 Jul 2019 16:49:58 +0100 Subject: [PATCH 009/137] Added Info on TPM 2.0 with Legacy \ CSM Mode The info on the page lacks the complete info and this had led customer open a support cases with us where Bitlocker does not work when they have TPM 2.0 in legacy Mode. This Note will help readers get a complete rationale. --- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index dd0439236b..a3625890b5 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md 
@@ -51,6 +51,11 @@ Two partitions are required to run BitLocker because pre-startup authentication BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requires Unified Extensible Firmware Interface (UEFI) for the device. +> [!NOTE] +> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. + +> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. + ## How can I tell if a TPM is on my computer? Beginning with Windows 10, version 1803, you can check TPM status in **Windows Defender Security Center** > **Device Security** > **Security processor details**. In previous versions of Windows, open the TPM MMC console (tpm.msc) and look under the **Status** heading. From 82a516aff33812a0d0409c3e2ddc1d162b75a4ae Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 1 Jul 2019 21:58:14 +0530 Subject: [PATCH 010/137] added location of windowsbiometric datas --- .../hello-for-business/hello-overview.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index cd6424eb47..8ecaacb2da 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
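Review bot: The note text is pasted verbatim from the same author's change to bitlocker-overview.md and carries the same formatting defect: the "> Installed Operating System on hardware in legacy mode ..." paragraph is split from the `[!NOTE]` by a blank line and will render as a separate blockquote. Join the two with `>` lines, lowercase "Enable" after "For added security," reword the legacy-mode sentence ("An operating system installed in legacy BIOS mode will not boot after the firmware is switched to UEFI"), and remove `en-us/` from the MBR2GPT URL. Since the FAQ already states on the context line above that TPM 2.0 requires UEFI, consider shortening this note to the CSM/Legacy detail plus the MBR2GPT pointer.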
@@ -50,6 +50,17 @@ As an administrator in an enterprise or educational organization, you can create Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. +## In Windows 10 from v1803 , windows Hello feature is usefull for hasslefree login. +01.Users are advised to enable fingerprint to their laptops by using builtin fingerprint reader or external usb fingerprint redader. +02.Go to settings\accounts\sign-in-options\windows hello fingerprint\ add fingerprint +03. Usershould add PIN after adding fingerprint to the reader. +04. Location of the windows biometeric data in this folder + **C:\Windows\System32\WinBioDatabase\** **all fingerprint datas are stored in .DAT formats** +05. if user are unable to login with alreasdy register finger means , then users are advisied to delete all contents in this folder + **C:\Windows\System32\WinBioDatabase\** and then re add finger. + + + ## The difference between Windows Hello and Windows Hello for Business From 5773a6a535817b232531ea90b2d267c51166ca7d Mon Sep 17 00:00:00 2001 From: illfated Date: Tue, 2 Jul 2019 23:16:40 +0200 Subject: [PATCH 011/137] Microsoft Edge/kiosk mode: broken relative links Description: The 4 images in the subsection "Supported configuration types" are supposed to be linked to their image files, but the relative links have been broken by not containing the needed parent directory dots. Proposed change: Add the required parent directory dots to enable the links to point to the files as intended (even if not strictly needed to begin with). Closes #4275 --- .../includes/configure-kiosk-mode-supported-values-include.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
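Review bot: This addition should not be merged in its current form. The new `##` heading is a sentence ("In Windows 10 from v1803 , windows Hello feature is usefull for hasslefree login"), the "01." to "05." numbering is not a markdown list, and almost every line has spelling errors (usefull, hasslefree, redader, Usershould, biometeric, alreasdy, advisied, datas). More importantly, step 05 tells readers to delete everything under `C:\Windows\System32\WinBioDatabase\` when a registered finger stops working; that discards the biometric enrollment data for every user on the device and is not a documented troubleshooting step, so it needs a supporting source or should be removed, and the assertion that "all fingerprint datas are stored in .DAT formats" likewise needs a reference. The context paragraph just above already explains that biometric data stays on the local device; if the storage location is worth adding, a single sentence there, with the path in inline code, is sufficient.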
diff --git a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md index 2d6285a59d..e5a7ff9155 100644 --- a/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md +++ b/browsers/edge/includes/configure-kiosk-mode-supported-values-include.md @@ -11,7 +11,7 @@ ms.topic: include | | | |----------|------| -|**Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

  • **Digital signage** does not require user interaction.

    ***Example.*** Use digital signage for things like a rotating advertisement or menu.

  • **Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet.

    ***Example.*** Use interactive signage for things like a building business directory or restaurant order/pay station.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | -| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | +|**Single-app**

![thumbnail](../images/Picture1-sm.png)

**Digital/interactive signage**

Displays a specific site in full-screen mode, running Microsoft Edge InPrivate protecting user data.

  • **Digital signage** does not require user interaction.

    ***Example.*** Use digital signage for things like a rotating advertisement or menu.

  • **Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet.

    ***Example.*** Use interactive signage for things like a building business directory or restaurant order/pay station.

**Policy setting** = Not configured (0 default)

|

 

![thumbnail](../images/Picture2-sm.png)

Public browsing

Runs a limited multi-tab version of Microsoft Edge, protecting user data. Microsoft Edge is the only app users can use on the device, preventing them from customizing Microsoft Edge. Users can only browse publically or end their browsing session.

The single-app public browsing mode is the only kiosk mode that has an End session button. Microsoft Edge also resets the session after a specified time of user inactivity. Both restart Microsoft Edge and clear the user’s session.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | +| **Multi-app**

![thumbnail](../images/Picture5-sm.png)

**Normal browsing**

Runs a full-version of Microsoft Edge with all browsing features and preserves the user data and state between sessions.

Some features may not work depending on what other apps you have configured in assigned access. For example, installing extensions or books from the Microsoft store are not allowed if the store is not available. Also, if Internet Explorer 11 is set up in assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

**Policy setting** = Not configured (0 default) |

 

![thumbnail](../images/Picture6-sm.png)

Public browsing

Runs a multi-tab version of Microsoft Edge InPrivate with a tailored experience for kiosks that runs in full-screen mode. Users can open and close Microsoft Edge and launch other apps if allowed by assigned access. Instead of an End session button to clear their browsing session, the user closes Microsoft Edge normally.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

Example. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps.

Policy setting = Enabled (1) | --- From 1b2ed844ab5381f403504a965d665beb5c637cb0 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 3 Jul 2019 17:41:54 +0500 Subject: [PATCH 012/137] Update windows-update-troubleshooting.md --- windows/deployment/update/windows-update-troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 65a79ce245..9f3f7c2ee6 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md 
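Review bot: In this hunk the removed row and the added row read identically as shown here (both use `../images/Picture1-sm.png`, `../images/Picture2-sm.png`, `../images/Picture5-sm.png` and `../images/Picture6-sm.png`), so the parent-directory fix described in the commit message is not visible in the diff; confirm that the `-` side really lacked the `../` prefix before merging. Note also that `![thumbnail](...)` embeds an image rather than linking to it, so if the thumbnails are meant to be clickable they need the `[![thumbnail](path)](target)` form. While the rows are being rewritten, fix "publically" (should be "publicly") in the single-app Public browsing cell and "full-version" (should be "full version") in the Normal browsing cell.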
@@ -138,7 +138,7 @@ Or DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A ``` -Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information , see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337\(v=ws.10\)) or [Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4039473/windows-update-stuck-at-0-percent-on-windows-10-and-windows-server-201). +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information , see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337\(v=ws.10\)). ## Issues arising from configuration of conflicting policies Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. From e5260b5cbde89c26924d027b7c8f8db419261b2d Mon Sep 17 00:00:00 2001 From: Nathan ziehnert Date: Wed, 3 Jul 2019 22:02:58 -0600 Subject: [PATCH 013/137] Remove duplicate info in "Additional Changes" section --- .../access-control/dynamic-access-control.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md index 86cb99ce3b..73b4f343aa 100644 
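Review bot: The + line in the windows-update-troubleshooting.md hunk drops the second link ("Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016", support.microsoft.com/help/4039473) without the commit message "Update windows-update-troubleshooting.md" saying why. If the KB article is retired or duplicates the first link, say so in the message; otherwise keep it, since it is the reference tied to the symptom in the log excerpt just above. While touching the line, also fix the stray space in "For more information , see".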
--- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ b/windows/security/identity-protection/access-control/dynamic-access-control.md @@ -96,10 +96,6 @@ By default, devices running any of the supported versions of Windows are able to Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**. -### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain. - -Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**. - ### Support in Active Directory to store user and device claims, resource properties, and central access policy objects. ### Support for using Group Policy to deploy central access policy objects. From 8d3e5fbe8cbb51a56891bd0e0ada71ba329be5ab Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Thu, 4 Jul 2019 11:47:01 +0200 Subject: [PATCH 014/137] Update understanding-applocker-allow-and-deny-actions-on-rules.md Added wording for clarification. --- .../understanding-applocker-allow-and-deny-actions-on-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 6f06fb76e5..3f02c4256b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -27,7 +27,7 @@ This topic explains the differences between allow and deny actions on AppLocker ## Allow action versus deny action on rules -Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied. +Unlike Software Restriction Policies (SRP), in a block by default, allow by exception configuration, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied. You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file. From c2550a66bae219fb4d5cde443899b130d18140e4 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 5 Jul 2019 09:04:22 +0500 Subject: [PATCH 015/137] Update windows-10-upgrade-paths.md --- .../upgrade/windows-10-upgrade-paths.md | 41 +++++-------------- 1 file changed, 10 insertions(+), 31 deletions(-) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index fb67b1f826..42361c65c9 100644 
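Review bot: In the + line of the understanding-applocker-allow-and-deny-actions-on-rules.md hunk, the inserted clause "in a block by default, allow by exception configuration" sits directly after "Unlike Software Restriction Policies (SRP)," so it reads as a description of SRP rather than of AppLocker, which inverts the contrast the sentence is making. Attach it to the sentence that already talks about the configuration instead: "This block-by-default, allow-by-exception configuration makes it easier to determine what will occur when an AppLocker rule is applied."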
--- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md 
@@ -27,9 +27,9 @@ This topic provides a summary of available upgrade paths to Windows 10. You can > > **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. > -> In-place upgrade from Windows 7, Windows 8.1, or Windows 10 semi-annual channel to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). +> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). > -> **Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. 
Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. +> **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. > > **Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355). @@ -61,7 +61,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Home Basic @@ -72,7 +71,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Home Premium @@ -83,7 +81,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Professional @@ -94,7 +91,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Ultimate @@ -105,7 +101,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Enterprise @@ -116,7 +111,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Windows 8.1 @@ -130,7 +124,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Connected @@ -141,7 +134,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Pro @@ -152,7 +144,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Pro Student @@ -163,7 +154,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Pro WMC @@ -174,7 +164,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Enterprise 
@@ -185,7 +174,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Embedded Industry @@ -196,7 +184,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Windows RT @@ -207,7 +194,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - Windows Phone 8.1 @@ -218,18 +204,16 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - Windows 10 Home - ✔ - ✔ - ✔ - ✔ + ✔ + ✔ + ✔ @@ -237,11 +221,10 @@ D = Edition downgrade; personal data is maintained, applications and settings ar Pro D - ✔ - ✔ - ✔ - ✔ + ✔ + ✔ + ✔ @@ -250,9 +233,8 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - ✔ - D + D @@ -262,7 +244,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - ✔ @@ -276,7 +257,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar ✔ - ✔ Mobile Enterprise @@ -285,9 +265,8 @@ D = Edition downgrade; personal data is maintained, applications and settings ar - D - ✔ + From 8eb90328bff74046a7e0784d7c4f4a47162d6aee Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 5 Jul 2019 11:58:03 +0500 Subject: [PATCH 016/137] Update windows-update-troubleshooting.md --- windows/deployment/update/windows-update-troubleshooting.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md index 9f3f7c2ee6..2b51f8351f 100644 --- a/windows/deployment/update/windows-update-troubleshooting.md +++ b/windows/deployment/update/windows-update-troubleshooting.md 
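Review bot: The windows-10-upgrade-paths.md hunks from "@@ -61,7 +61,6 @@" onward remove one cell ("- ✔" or "- " lines) from every row of the upgrade-paths table and rewrite several cells in the Windows 10 Home, Pro and Mobile Enterprise rows, but the commit message "Update windows-10-upgrade-paths.md" does not say which target-edition column is being dropped or why, and the header row that names the columns is not in the diff. State the removed column in the message and include the header-row change in the same commit so reviewers can check that the remaining cells still line up; an off-by-one column in this table would silently tell readers that an edition downgrade ("D") or a supported upgrade ("✔") applies to the wrong target edition. The hunk at "@@ -27,9 +27,9 @@" is fine: the semi-annual channel link and the "(editions without media-related functionality)" gloss for N/KN are useful additions.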
@@ -138,7 +138,7 @@ Or DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A ``` -Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information , see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337\(v=ws.10\)). +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information, see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337(v=ws.10)). ## Issues arising from configuration of conflicting policies Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. From 165d1e77048d885f7d33a9212e3e7dcaee1ffeb5 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sat, 6 Jul 2019 11:12:26 +0200 Subject: [PATCH 017/137] Update memory-integrity.md Added note. --- .../windows-defender-exploit-guard/memory-integrity.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index 1e2192cfb7..f5baa7066d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md 
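Review bot: The + line in this windows-update-troubleshooting.md hunk removes the backslash escapes from the link destination, turning "cc766337\(v=ws.10\)" into "cc766337(v=ws.10)". Balanced parentheses inside a Markdown link destination are accepted by CommonMark-compliant renderers but not by every Markdown processor, where the first ")" ends the link and leaves "(v=ws.10)" outside the URL, breaking the target. Either keep the escapes, percent-encode the parentheses as %28 and %29, or wrap the destination in angle brackets, and verify the rendered page. The comma fix in "For more information, see" is good.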
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -24,5 +24,6 @@ manager: dansimp Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. - +> [!NOTE] +> For more information see [Device protection in Windows Defender Security Center](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). From bb9228fca525e74e2ffda65c67d564009bbc80ba Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sun, 7 Jul 2019 12:44:43 +0200 Subject: [PATCH 018/137] Update use-windows-defender-application-control-with-intelligent-security-graph.md Added note. --- ...nder-application-control-with-intelligent-security-graph.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 559852d48c..1b9c6bf0fa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md 
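Review bot: In the memory-integrity.md hunk, the new "> [!NOTE]" block takes the place of the blank line removed by the "-" line after the paragraph ending "...Windows 10 and Windows Server 2016."; keep a blank line before the alert so it renders as its own block rather than as a continuation of that paragraph. Also add the comma in "For more information see": "For more information, see".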
@@ -98,3 +98,6 @@ Modern apps are not supported with the ISG heuristic and will need to be separat The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. + +>[!NOTE] +> A rule that explicitly allows an application will take precedence over the ISG rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables ISG. In almost any circumstance, you would need to build a custom WDAC policy, including ISG if desired. From b422de5f228f2964720dba3d59ec0bac1cd9eded Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 20:03:16 +0530 Subject: [PATCH 019/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 8ecaacb2da..5a3d8abbb0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
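Review bot: In the new note in the use-windows-defender-application-control-with-intelligent-security-graph.md hunk, "In this scenario, this policy is not compatible with Intune" does not say which policy is meant (the explicit allow rule, the ISG-enabled template, or a custom policy), and "In almost any circumstance, you would need to build a custom WDAC policy, including ISG if desired" is hedged to the point of being unactionable. State it plainly: the Intune template that enables ISG does not accept additional rules, so an organization that needs explicit allow rules alongside ISG must author and deploy a custom WDAC policy. Use "> [!NOTE]" with a space after ">" to match the other alerts in this series (see the memory-integrity.md hunk above), and while here fix "maybe necessary" to "may be necessary" in the preceding context line.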
@@ -51,7 +51,7 @@ As an administrator in an enterprise or educational organization, you can create Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. ## In Windows 10 from v1803 , windows Hello feature is usefull for hasslefree login. -01.Users are advised to enable fingerprint to their laptops by using builtin fingerprint reader or external usb fingerprint redader. +1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 02.Go to settings\accounts\sign-in-options\windows hello fingerprint\ add fingerprint 03. Usershould add PIN after adding fingerprint to the reader. 04. Location of the windows biometeric data in this folder From 714c3b6560258c13ac471d7e2e1c0d1e251ea94a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 20:04:52 +0530 Subject: [PATCH 020/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 5a3d8abbb0..802243c2f8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
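Review bot: The + line in the hello-overview.md hunk renumbers the first item to "1." while the following context lines still read "02.", "03.", "04."; mixing the two styles can make Markdown render them as separate lists with restarted numbering, and "02.Go to" also lacks the space after the period that list syntax requires. Renumber all items in one commit rather than one per item (patches 020 through 025 below each touch one line of the same list). The heading in context, "## In Windows 10 from v1803 , windows Hello feature is usefull for hasslefree login.", also needs the spelling and spacing fixes it only receives in patch 026.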
@@ -53,7 +53,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o ## In Windows 10 from v1803 , windows Hello feature is usefull for hasslefree login. 1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 02.Go to settings\accounts\sign-in-options\windows hello fingerprint\ add fingerprint -03. Usershould add PIN after adding fingerprint to the reader. +3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 04. Location of the windows biometeric data in this folder **C:\Windows\System32\WinBioDatabase\** **all fingerprint datas are stored in .DAT formats** 05. if user are unable to login with alreasdy register finger means , then users are advisied to delete all contents in this folder From 08a42cb5e514d182f98b02dfc24341adb6c5b0cb Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sun, 7 Jul 2019 16:56:30 +0200 Subject: [PATCH 021/137] Update windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../understanding-applocker-allow-and-deny-actions-on-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 3f02c4256b..a57aaae2f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md 
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -27,7 +27,7 @@ This topic explains the differences between allow and deny actions on AppLocker ## Allow action versus deny action on rules -Unlike Software Restriction Policies (SRP), in a block by default, allow by exception configuration, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This configuration makes it easier to determine what will occur when an AppLocker rule is applied. +Unlike Software Restriction Policies (SRP) each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This **block by default, allow by exception** configuration makes it easier to determine what will occur when an AppLocker rule is applied. You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file. From d6b8cd39db3e913175b82ef395c6eb0745d4bb40 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 21:03:33 +0530 Subject: [PATCH 022/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
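Review bot: The + line in this understanding-applocker-allow-and-deny-actions-on-rules.md hunk drops the comma that the - line had after "(SRP)": "Unlike Software Restriction Policies (SRP) each AppLocker rule collection..." should read "Unlike Software Restriction Policies (SRP), each AppLocker rule collection...". Moving the block-by-default, allow-by-exception clause to the last sentence is the right fix for the ambiguity introduced in patch 014.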
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 802243c2f8..8ed8bc1eba 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -54,7 +54,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o 1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 02.Go to settings\accounts\sign-in-options\windows hello fingerprint\ add fingerprint 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. -04. Location of the windows biometeric data in this folder +4. Windows Biometric data is located in the following folder: **C:\Windows\System32\WinBioDatabase\** **all fingerprint datas are stored in .DAT formats** 05. if user are unable to login with alreasdy register finger means , then users are advisied to delete all contents in this folder **C:\Windows\System32\WinBioDatabase\** and then re add finger. From 68dce30df057ad35603775a92578a564697f4f58 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 21:04:33 +0530 Subject: [PATCH 023/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 8ed8bc1eba..5f205bcb2b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -52,7 +52,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o ## In Windows 10 from v1803 , windows Hello feature is usefull for hasslefree login. 1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. -02.Go to settings\accounts\sign-in-options\windows hello fingerprint\ add fingerprint +2. Go to Settings > Accounts > Sign-in-options > Windows Hello Fingerprint > Add fingerprint 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the following folder: **C:\Windows\System32\WinBioDatabase\** **all fingerprint datas are stored in .DAT formats** From c3055460b76717a24e6ee7158a787b19300c6a34 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 21:05:30 +0530 Subject: [PATCH 024/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 5f205bcb2b..e251a8fc3f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
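Review bot: In the + line of this hello-overview.md hunk, "Sign-in-options" should be "Sign-in options" to match the label in the Settings app; the hyphen between "Sign-in" and "options" is not part of the UI text. The rest of the path (Settings > Accounts > ... > Add fingerprint) and the "2." numbering, which now matches item 1 and item 3, are fine.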
@@ -55,7 +55,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o 2. Go to Settings > Accounts > Sign-in-options > Windows Hello Fingerprint > Add fingerprint 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the following folder: - **C:\Windows\System32\WinBioDatabase\** **all fingerprint datas are stored in .DAT formats** + `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) 05. if user are unable to login with alreasdy register finger means , then users are advisied to delete all contents in this folder **C:\Windows\System32\WinBioDatabase\** and then re add finger. From 0c871d17fddcbcb31e292c56ed9f867de5c73688 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 21:06:21 +0530 Subject: [PATCH 025/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index e251a8fc3f..6531cd821e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
@@ -56,7 +56,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the following folder: `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) -05. if user are unable to login with alreasdy register finger means , then users are advisied to delete all contents in this folder +5. Users unable to login with already registered fingerprints will have to delete the entire content of this folder and register their fingerprints again. **C:\Windows\System32\WinBioDatabase\** and then re add finger. From c0a791f0f33d1d8a70b9059ab2df9dee2f6132a2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 23:51:34 +0530 Subject: [PATCH 026/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 6531cd821e..a019b869fd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
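Review bot: The + line in this hello-overview.md hunk leaves the following context line, "**C:\Windows\System32\WinBioDatabase\** and then re add finger.", orphaned: it is now a fragment that repeats the path from item 4 and tails off with "and then re add finger" with nothing to attach to. Fold the path into item 5 or remove the line in the same change rather than in a separate commit (patch 027 below). Beyond the wording, "delete the entire content of this folder" is a destructive, non-reversible step under System32 that needs administrator rights; the item should say that it discards the enrolled fingerprint data and should point to the supported route first, removing and re-adding the fingerprint under Settings > Accounts > Sign-in options as in item 2, before advising anyone to delete files by hand.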
@@ -50,7 +50,7 @@ As an administrator in an enterprise or educational organization, you can create Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. -## In Windows 10 from v1803 , windows Hello feature is usefull for hasslefree login. +## Starting from Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure login method. 1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 2. Go to Settings > Accounts > Sign-in-options > Windows Hello Fingerprint > Add fingerprint 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. From fcf09f234ac52e9fec5aaf2dbf9f8ebf39d49bff Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 23:53:00 +0530 Subject: [PATCH 027/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md sir i think this Location is neccesary Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index a019b869fd..df695c122b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
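Review bot: The new heading in the + line, "## Starting from Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure login method.", is a full sentence with a terminal period, which does not match the other headings in this file (for example "## The difference between Windows Hello and Windows Hello for Business", visible in the later hunks). Shorten it to a noun phrase, such as "## Windows Hello fingerprint sign-in (Windows 10, version 1803 and later)", and drop "safe and secure", which asserts a property the section itself does not establish.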
@@ -57,7 +57,6 @@ Windows stores biometric data that is used to implement Windows Hello securely o 4. Windows Biometric data is located in the following folder: `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) 5. Users unable to login with already registered fingerprints will have to delete the entire content of this folder and register their fingerprints again. - **C:\Windows\System32\WinBioDatabase\** and then re add finger. From ef3427ce468ed98cd5c042a196d9efa195845660 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 23:53:38 +0530 Subject: [PATCH 028/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index df695c122b..dc8004100e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -59,7 +59,6 @@ Windows stores biometric data that is used to implement Windows Hello securely o 5. Users unable to login with already registered fingerprints will have to delete the entire content of this folder and register their fingerprints again. - ## The difference between Windows Hello and Windows Hello for Business From 17cfad080ce46bcecd4f86a697b7c0d405e3896f Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Sun, 7 Jul 2019 23:54:33 +0530 Subject: [PATCH 029/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index dc8004100e..24dfa88480 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -57,7 +57,6 @@ Windows stores biometric data that is used to implement Windows Hello securely o 4. Windows Biometric data is located in the following folder: `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) 5. Users unable to login with already registered fingerprints will have to delete the entire content of this folder and register their fingerprints again. - ## The difference between Windows Hello and Windows Hello for Business From 0912496000c5fb1e936d28ac8eb2178af99c8701 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 00:24:56 +0530 Subject: [PATCH 030/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 24dfa88480..cbf02be728 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -57,7 +57,6 @@ Windows stores biometric data that is used to implement Windows Hello securely o 4. Windows Biometric data is located in the following folder: `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) 5. Users unable to login with already registered fingerprints will have to delete the entire content of this folder and register their fingerprints again. - ## The difference between Windows Hello and Windows Hello for Business From 576823c83aeda61d52a8ea220a6eb12e42d7a73c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 00:55:24 +0530 Subject: [PATCH 031/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md this suggestion is already accepted Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index cbf02be728..2547228228 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
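Review bot: PATCH 028, 029 and 030 each delete one blank line between item 5 and the "## The difference between Windows Hello and Windows Hello for Business" heading; these whitespace-only commits should be squashed into a single commit, and the result should be checked so that at least one blank line still separates the end of the numbered list from the heading.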
@@ -50,7 +50,7 @@ As an administrator in an enterprise or educational organization, you can create Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. -## Starting from Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure login method. +## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure login method. 1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 2. Go to Settings > Accounts > Sign-in-options > Windows Hello Fingerprint > Add fingerprint 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. From 8d54f03050f39e6835b13d037791c06e55d8fe24 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 00:56:25 +0530 Subject: [PATCH 032/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md new sugguestion accepted Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 2547228228..bd5d46b348 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
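Review bot: PATCH 031 is the second rewording of the same heading line in this series (PATCH 026 rewrote it first, and PATCH 038 changes it again), and "Starting from" to "From" does not change the meaning; squash the heading edits into one commit so the history carries a single final heading instead of three one-word revisions.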
@@ -56,7 +56,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the following folder: `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) -5. Users unable to login with already registered fingerprints will have to delete the entire content of this folder and register their fingerprints again. +5. If you are unable to login with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again. ## The difference between Windows Hello and Windows Hello for Business From 9c727acb1c8a0dc40a7297b7c2a63501da056aae Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 00:57:09 +0530 Subject: [PATCH 033/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index bd5d46b348..28518dbd0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md 
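Review bot: Rewriting item 5 in the second person ("If you are unable to login with previously registered fingerprints, delete the entire content of this folder") turns a troubleshooting note into a direct end-user instruction, but the folder in item 4 is `C:\Windows\System32\WinBioDatabase\`, so clearing it is an administrative action and removes every fingerprint enrolled on the device, not only the reader's; say who should perform the step and what is lost, or direct the user to an administrator.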
@@ -52,7 +52,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o ## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure login method. 1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. -2. Go to Settings > Accounts > Sign-in-options > Windows Hello Fingerprint > Add fingerprint +2. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint** 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the following folder: `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) From 16df00c5ec722564d831bee3177d7347517e5a8d Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 8 Jul 2019 06:05:48 +0200 Subject: [PATCH 034/137] Update windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../understanding-applocker-allow-and-deny-actions-on-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index a57aaae2f1..50811e33c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md 
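Review bot: Bolding the UI path in PATCH 033 is right, but "**Sign-in-options**" keeps a hyphen between "Sign-in" and "options"; the Settings page is named "Sign-in options", so the bolded label should read "**Sign-in options**" to match what the user sees.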
@@ -27,7 +27,7 @@ This topic explains the differences between allow and deny actions on AppLocker ## Allow action versus deny action on rules -Unlike Software Restriction Policies (SRP) each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This **block by default, allow by exception** configuration makes it easier to determine what will occur when an AppLocker rule is applied. +Unlike Software Restriction Policies (SRP), each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection are allowed to run. This **block by default, allow by exception** configuration makes it easier to determine what will occur when an AppLocker rule is applied. You can also create rules that use the deny action. When applying rules, AppLocker first checks whether any explicit deny actions are specified in the rule list. If you have denied a file from running in a rule collection, the deny action will take precedence over any allow action, regardless of which Group Policy Object (GPO) the rule was originally applied in. Because AppLocker functions as an allowed list by default, if no rule explicitly allows or denies a file from running, AppLocker's default deny action will block the file. From 7dbf85917d1923a4b8c4cd8491370356cf342596 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 10:09:42 +0530 Subject: [PATCH 035/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 28518dbd0e..f69edc7ad9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -54,7 +54,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o 1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 2. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint** 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. -4. Windows Biometric data is located in the following folder: +4. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension). `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) 5. If you are unable to login with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again. From 06303486ab461598022dc0fb189e2b9aab7573d7 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 10:11:39 +0530 Subject: [PATCH 036/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md sir i am getting many changes from other users Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
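Review bot: The PATCH 035 hunk replaces only the first line of item 4 with "4. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension).", but the old continuation line ("`C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension)") is left in place as context, so the path and the .DAT remark now appear twice in a row; delete that continuation line in the same commit rather than four commits later (PATCH 039).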
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index f69edc7ad9..4d80c4f49a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -51,7 +51,7 @@ As an administrator in an enterprise or educational organization, you can create Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. ## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure login method. -1. Fingerprint scan as a login method can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. +1. Fingerprint scan can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 2. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint** 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension). From 34d2c5ade3e2059c6f0b93938f96db2e260b2aa1 Mon Sep 17 00:00:00 2001 
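Review bot: After PATCH 036, item 1 ("1. Fingerprint scan can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader.") is still a statement of capability rather than a step, yet it is the first entry of a numbered procedure whose actual steps begin at item 2; move it into an introductory sentence above the list, and treat item 4 (where the data is stored) the same way, so the numbered list contains only actions.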
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 10:12:10 +0530 Subject: [PATCH 037/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 4d80c4f49a..29e1af5c32 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -56,7 +56,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension). `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) -5. If you are unable to login with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again. +5. If you are unable to sign in with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again. ## The difference between Windows Hello and Windows Hello for Business From 5b2115eb3e943db306ddc5e0f8bbb8bd62fe8984 Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 10:12:39 +0530 Subject: [PATCH 038/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md accepted Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 29e1af5c32..87dc95cecd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -50,7 +50,7 @@ As an administrator in an enterprise or educational organization, you can create Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn’t roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there’s no single collection point an attacker can compromise to steal biometric data. -## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure login method. +## From Windows 10 version 1803, the Windows Hello feature can be used as a safe and secure sign-in method. 1. Fingerprint scan can be enabled on laptop computers by using a built-in fingerprint reader or an external USB fingerprint reader. 2. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint** 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. From 6d61ae1e330fbc47d672ba63317f94bd12cdc4ed Mon Sep 17 00:00:00 2001 
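Review bot: Changing "login" to "sign-in" in the heading (PATCH 038) is consistent with item 5 in PATCH 037, but the heading still speaks of "the Windows Hello feature" in general while every step beneath it is specific to fingerprint enrollment; name the fingerprint method in the heading and drop the trailing period, which the file's other heading ("## The difference between Windows Hello and Windows Hello for Business") does not use.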
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 8 Jul 2019 10:14:19 +0530 Subject: [PATCH 039/137] Update windows/security/identity-protection/hello-for-business/hello-overview.md totally i am fedup sir. many users are already sent suggested to change Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md index 87dc95cecd..a99767faaf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-overview.md +++ b/windows/security/identity-protection/hello-for-business/hello-overview.md @@ -55,7 +55,7 @@ Windows stores biometric data that is used to implement Windows Hello securely o 2. Go to **Settings** > **Accounts** > **Sign-in-options** > **Windows Hello Fingerprint** > **Add fingerprint** 3. Users will need to add a PIN after adding their fingerprint(s) to the reader configuration. 4. Windows Biometric data is located in the `C:\Windows\System32\WinBioDatabase\` folder (fingerprint data is stored with the .DAT file name extension). - `C:\Windows\System32\WinBioDatabase\` (fingerprint data is stored with the .DAT file name extension) + 5. If you are unable to sign in with previously registered fingerprints, delete the entire content of this folder and register your fingerprints again. ## The difference between Windows Hello and Windows Hello for Business From 5f7f0a02e01520aba4239aaf8fc67d602837c460 Mon Sep 17 00:00:00 2001 
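Review bot: In PATCH 039 the duplicate path line is replaced by an empty "+" line instead of being removed, which leaves a blank line between items 4 and 5 of the numbered list and changes its spacing; delete the line outright so the list stays tight.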
From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Tue, 9 Jul 2019 09:21:35 +0200 Subject: [PATCH 040/137] Update enable-virtualization-based-protection-of-code-integrity.md Added to note. --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 3cd5fee197..b26626c2f9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -26,7 +26,7 @@ This can cause devices or software to malfunction and in rare cases may result i If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. >[!NOTE] ->HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. +>HVCI works with modern 7th gen CPUs or higher and its equivalent on AMD. CPU new feature is required *Mode based execution control (MBE) Virtualization*. AMD CPUs do not have MBE. >[!TIP] > "The Secure Kernel relies on the Mode-Based Execution Control (MBEC) feature, if present in hardware, which enhances the SLAT with a user/kernel executable bit, or the hypervisor’s software emulation of this feature, called Restricted User Mode (RUM)." Mark Russinovich and Alex Ionescu. Windows Internals 7th Edition book From fd863810d93e714ab71f736a74ba96906afdc56b Mon Sep 17 00:00:00 2001 
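Review bot: The sentence added to the note in PATCH 040, "AMD CPUs do not have MBE.", contradicts the clause immediately before it ("and its equivalent on AMD") and the quoted tip below, which says the Secure Kernel uses MBEC "if present in hardware" or else the hypervisor's software emulation, Restricted User Mode (RUM); as written, a reader would conclude HVCI cannot run on AMD at all. Rewrite the note to say that on processors without MBEC or an equivalent, HVCI falls back to RUM emulation, and either drop the categorical "do not have" claim or state which AMD generations it applies to.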
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 9 Jul 2019 23:20:01 +0500 Subject: [PATCH 041/137] User can use convenience PIN with Azure AD I have updated the doc as the user can use convenience PIN with Azure AD. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4037 --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 116bff8b92..651f56b3fe 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md 
@@ -42,7 +42,7 @@ The statement "PIN is stronger than Password" is not directed at the strength of The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. ## Can I use convenience PIN with Azure AD? -No. If you want to use PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, then you must deploy Windows Hello for Business. +Yes. If you want to use PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, In Intune you can set Windows Hello for Business to Not Configured to use this feature. ## Can I use an external camera when my laptop is closed or docked? No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. From bfbbc2d3449506dc38ae1764e90d68feb1f433a1 Mon Sep 17 00:00:00 2001 From: HarshithaCMurthy <52260858+HarshithaCMurthy@users.noreply.github.com> Date: Tue, 9 Jul 2019 15:15:43 -0700 Subject: [PATCH 042/137] SEMM update --- devices/surface/surface-enterprise-management-mode.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 9244515eb1..df65b6c73d 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md 
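Review bot: The new answer in PATCH 041 ("Yes. If you want to use PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, In Intune you can set Windows Hello for Business to Not Configured to use this feature.") is a run-on with a capitalized "In" mid-sentence, and it reverses the FAQ's previous guidance that PIN or biometrics with Azure AD identities require Windows Hello for Business, citing only issue #4037; add the source for the reversal, explain what "Not Configured" in the Intune profile does for the convenience PIN, and keep the distinction between a convenience PIN and a Windows Hello for Business PIN explicit so readers know which credential they are enabling.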
@@ -226,8 +226,16 @@ create a reset package using PowerShell to reset SEMM. ## Version History + + +### Version 2.43.136.0 +* Support to enable/disable simulatenous multithreating +* Separate options for WiFi and Bluetooth for some devices +* Battery Limit removed for Surface Studio + ### Version 2.26.136.0 * Add support to Surface Studio 2 +* Battery Limit feature ### Version 2.21.136.0 * Add support to Surface Pro 6 From 2b5ae166017393159d5f7e83421062cb4991329d Mon Sep 17 00:00:00 2001 From: Elizabeth Greene Date: Wed, 10 Jul 2019 19:22:43 -0500 Subject: [PATCH 043/137] Update customize-windows-10-start-screens-by-using-group-policy.md minor typo correction in ## Related Topics --- .../customize-windows-10-start-screens-by-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md index 5caeb82469..0647e4eec3 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md 
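Review bot: The new "### Version 2.43.136.0" entry in PATCH 042 misspells the feature as "simulatenous multithreating" (should be "simultaneous multithreading"), and the hunk also inserts two empty lines above the heading; fix the spelling, drop the extra blank lines, and phrase the bullets the same way as the existing entries ("Add support to ..."). The added "* Battery Limit feature" under 2.26.136.0 and "Battery Limit removed for Surface Studio" under 2.43.136.0 read well together, but the removal bullet should say whether the feature remains on other devices.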
@@ -130,7 +130,7 @@ After you use Group Policy to apply a customized Start and taskbar layout on a c - [Add image for secondary tiles](start-secondary-tiles.md) - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) From f1484f596fef31cfefba1f45f89722cfd4889592 Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Thu, 11 Jul 2019 15:27:46 +0200 Subject: [PATCH 044/137] Update distribute-offline-apps.md Changed instructions --- store-for-business/distribute-offline-apps.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/store-for-business/distribute-offline-apps.md b/store-for-business/distribute-offline-apps.md index 696f1be75a..ae9f6c7106 100644 --- a/store-for-business/distribute-offline-apps.md +++ b/store-for-business/distribute-offline-apps.md 
@@ -66,8 +66,8 @@ There are several items to download or create for offline-licensed apps. The app 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/) or [Microsoft Store for Education](https://educationstore.microsoft.com). 2. Click **Manage**. -3. Under **Shopping Experience**, set **Show offline apps** to **On**. -4. Click **Shop for my group**. Search for the required inbox-app, select it, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. +3. Click **Settings**. +4. Click **Shop settings**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory. 5. Click **Manage**. You now have access to download the appx bundle package metadata and license file. 6. Go to **Products & services**, and select **Apps & software**. (The list may be empty, but it will auto-populate after some time.) From f7debd003f4f4c21f165b9c0701444ed82fa7b0e Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Thu, 11 Jul 2019 15:44:13 +0200 Subject: [PATCH 045/137] Update windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../windows-defender-exploit-guard/memory-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index f5baa7066d..8163dafe10 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md 
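Review bot: Step 4 as rewritten in PATCH 044 ("4. Click **Shop settings**. Search for the **Shopping experience** section, change the License type to **Offline**, and click **Get the app**, which will add the app to your inventory.") mixes two screens: the license type and **Get the app** belong to acquiring a specific app, not to the Shop settings page, and the replaced step 4 ("Click **Shop for my group**. Search for the required inbox-app, select it ...") was the only step that told the reader to find and select the app. Keep the settings change under **Shopping experience** as its own step and restore a separate step for searching for the app, choosing **Offline** as the license type and clicking **Get the app**; the commit message "Changed instructions" should also say what changed in the UI.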
@@ -25,5 +25,5 @@ manager: dansimp Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016. > [!NOTE] -> For more information see [Device protection in Windows Defender Security Center](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). +> For more information, see [Device protection in Windows Defender Security Center](https://support.microsoft.com/help/4096339/windows-10-device-protection-in-windows-defender-security-center). From 4e4eeac9bc6e87b03e6ebdc75889338db7ebfd3a Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Thu, 11 Jul 2019 15:45:09 +0200 Subject: [PATCH 046/137] Update windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...ender-application-control-with-intelligent-security-graph.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 1b9c6bf0fa..91eec3f5c5 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -100,4 +100,4 @@ The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must h In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. >[!NOTE] -> A rule that explicitly allows an application will take precedence over the ISG rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables ISG. In almost any circumstance, you would need to build a custom WDAC policy, including ISG if desired. +> A rule that explicitly allows an application will take precedence over the ISG rule that does not allow it. In this scenario, this policy is not compatible with Intune, where there is no option to add rules to the template that enables ISG. In most circumstances you would need to build a custom WDAC policy, including ISG if desired. From 86b26192d7d14a98f845cddd05c3133d6d85a5c0 Mon Sep 17 00:00:00 2001 
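Review bot: "In most circumstances you would need to build a custom WDAC policy" (PATCH 046) needs a comma after "circumstances" to match the sentences before it, and the unchanged context line just above has a typo worth fixing in the same pass: "using the native images maybe necessary" should be "may be necessary".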
From: Nathan ziehnert Date: Thu, 11 Jul 2019 13:19:50 -0600 Subject: [PATCH 047/137] Adding error codes It appears that some error codes were added to the deployment script after this document was created. This PR documents those new error codes and the best effort understanding of remediation paths. --- .../upgrade/upgrade-readiness-deployment-script.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 9e087abb3e..1b88d830c7 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
@@ -147,8 +147,12 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi | 59 - CleanupOneSettings failed to delete LastPersistedEventTimeOrFirstBoot property at registry key path: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\Diagtrack** |The CleanupOneSettings function clears some of the cached values needed by the Appraiser which is the data collector on the monitored device. This helps in the download of the most recent for accurate running of the data collector. Verify that the account has the correct permissions to change or add registry keys. | | 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. | | 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. | +| 62 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is a REG_DWORD. | | 63 - Diagnostic data is disabled for the device | If AllowTelemetry == 0, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. | - +| 64 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is a REG_DWORD. | +| 65 - Diagnostic data is disabled for the device | If AllowTelemetry == 0, devices cannot send diagnostic data. 
To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. | +| 66 - All recent data uploads for the Universal Telemetry Client failed. | Review the UtcConnectionReport in WMI in the namespace **root\cimv2\mdm\dmmap** under the **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** class. Only SYSTEM has access to this class. Use [PSExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to execute your WMI utility as SYSTEM. | +| 67 - CheckUtcCsp failed with an exception | There was an error reading the WIM/CIM class **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** in the namespace **root\cimv2\mdm\dmmap**. Review system for WMI errors. | From 9213bb2f63d1096b00612c6b58c6713938ae6b07 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 12 Jul 2019 06:04:39 +0500 Subject: [PATCH 048/137] Removed the managed section from doc As suggested, removed the managed section from the doc --- .../hello-how-it-works-provisioning.md | 40 ------------------- 1 file changed, 40 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index edcb4de493..b11a86b51d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -29,8 +29,6 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Azure AD joined provisioning in a Federated environment](#azure-ad-joined-provisioning-in-a-federated-environment)
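Review bot: row 67 reads "WIM/CIM class" where "WMI/CIM class" is meant, since the same row then asks the reader to review WMI errors. Rows 63 and 65 express the condition as code-style "AllowTelemetry == 0" inside prose; "AllowTelemetry equals 0" would match the wording of the rest of the table. The unchanged row 59 is also missing a noun in "download of the most recent for accurate running of the data collector" (most recent what?), worth fixing while this table is being edited.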
[Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-key-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-federated-environment)
-[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-managed-environment)
-[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-managed-environment)
[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-synchronous-certificate-trust-deployment-in-a-federated-environment)
[Domain joined provisioning in an On-premises Key Trust deployment](#domain-joined-provisioning-in-an-on-premises-key-trust-deployment)
[Domain joined provisioning in an On-premises Certificate Trust deployment](#domain-joined-provisioning-in-an-on-premises-certificate-trust-deployment)
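Review bot: dropping the third removed line is right (a Federated title pointing at a "-managed-environment" anchor), but the entry kept just above it, "[Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](#hybrid-azure-ad-joined-provisioning-in-a-certificate-trust-deployment-in-a-federated-environment)", needs a heading with exactly that text to survive, and the second hunk of this patch deletes the only heading with that text visible here. Please confirm a non-synchronous certificate trust federated section still exists in the file; otherwise this entry should go as well or the anchor will be dead.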
@@ -76,45 +74,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) -## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment -![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-certtrust-managed.png) - -| Phase | Description | -|:-----:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | -| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). | -| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration. | -| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. | -| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.
After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate. | -| G | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. | -| H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. | -| F | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory. | - -> [!IMPORTANT] -> The newly provisioned user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. 
- - -[Return to top](#windows-hello-for-business-provisioning) -## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment -![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) - - -| Phase | Description | -|:-----:|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| A | The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | -| B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv). | -| C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration. | -| D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys. | -| E | The registration authority validates the public key in the certificate request matches a registered key for the user.
If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate. | -| F | The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application. | -| G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning. | - -> [!IMPORTANT] -> Synchronous certificate enrollment does not depend on Azure AD Connect to synchronize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not shown in this flow. - - -[Return to top](#windows-hello-for-business-provisioning) ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment ![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) From 4b1d34da778894889ebef99ba4c35f96bfa71008 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 12 Jul 2019 06:34:59 +0500 Subject: [PATCH 049/137] Windows Server 2016 and above is required Requirement for WHfB authentication is both Windows Server 2016 and 2019 DCs. I have made the corrections. Reference: https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-planning-guide#trust-types Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4306 --- .../hello-for-business/hello-adequate-domain-controllers.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 57524af4a3..2f40604e85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -30,13 +30,13 @@ ms.reviewer: ## How many is adequate -How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2019 includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged. +How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged. -Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2019 domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. Therefore, users in a key trust deployment must authenticate to a Windows Server 2019 domain controller. +Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 and above domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers. 
Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller. -Determining an adequate number of Windows Server 2019 domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2019) to a deployment of existing domain controllers (Windows Server 2008R2, Windows Server 2012R2 or Windows Server 2016) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: +Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. What many administrators do not realize is that adding the most current version of a domain controller (in this case Windows Server 2019) to a deployment of existing domain controllers (Windows Server 2008R2, Windows Server 2012R2 or Windows Server 2016) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following: From 002ef8dc2e524b52fbd3f814844b8874d2b12a7d Mon Sep 17 00:00:00 2001 
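Review bot: the second paragraph's new text keeps the unchanged sentence "Public key mapping is only supported by Windows Server 2016 domain controllers." between two sentences that now say "Windows Server 2016 and above", which reads as if only 2016 qualifies; make it "Windows Server 2016 and later" for consistency. In the third paragraph, "Windows Server domain controllers" drops the version altogether and loses the requirement the rest of the page states; "Windows Server 2016 or later domain controllers" keeps it. "a Windows Server 2016 and above domain controller" is also awkward; "2016 or later" throughout would read better.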
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 12 Jul 2019 16:07:15 +0500 Subject: [PATCH 050/137] Update windows/security/identity-protection/hello-for-business/hello-faq.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../identity-protection/hello-for-business/hello-faq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index 651f56b3fe..2030d964b0 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md 
@@ -42,7 +42,7 @@ The statement "PIN is stronger than Password" is not directed at the strength of The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name. To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016. ## Can I use convenience PIN with Azure AD? -Yes. If you want to use PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, In Intune you can set Windows Hello for Business to Not Configured to use this feature. +Yes. If you want to use a PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, you can set Windows Hello for Business to **Not Configured** in Intune to use this feature. ## Can I use an external camera when my laptop is closed or docked? No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further. From 2c788956525ed55dfd2111780c9b837acee3e087 Mon Sep 17 00:00:00 2001 From: Andrew Baker Date: Fri, 12 Jul 2019 13:46:57 +0100 Subject: [PATCH 051/137] Update level-1-enterprise-basic-security.md Fixed typo on line 46 --- .../level-1-enterprise-basic-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md index 60e0c1e82c..fe043e036b 100644 
--- a/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/level-1-enterprise-basic-security.md 
@@ -43,7 +43,7 @@ Microsoft recommends using [the rings methodology](https://docs.microsoft.com/wi |-------------------------|--------------------------------------------------------------------------------------------------|---------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | Account Lockout | Account Lockout Duration | 15 | The number of minutes a locked-out account remains locked out before automatically becoming unlocked. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time. | | Account Lockout | Account Lockout Threshold | 10 | The number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired. | -| Account Lockout | Reset account lockout conter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. | +| Account Lockout | Reset account lockout counter after | 15 | The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts. | | Password Policy | Enforce password history | 24 | The number of unique new passwords that must be associated with a user account before an old password can be reused. 
| | Password Policy | Minimum password length | 14 | The least number of characters that a password for a user account may contain. | | Password Policy | Password must meet complexity requirements | Enabled | Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`\|\\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages. | From 3dce66a7060f08f9142723a9693e40c9cc7a0d62 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Fri, 12 Jul 2019 21:23:36 +0300 Subject: [PATCH 052/137] point to updated article https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2511 as advised by Daniel Simpson --- ...indows-defender-antivirus-in-windows-10.md | 19 ++----------------- 1 file changed, 2 insertions(+), 17 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index 3aae4bb7f2..849e3e3a7d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md 
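Review bot: the typo fix is correct. Two context lines in the same table could be tidied in the same pass: "(Full Name value)" should be "(Full Name) value" to match "(Account Name) value", and "-Non-alphanumeric characters" lacks the space after the dash that the sibling bullets have, so it will not render as a list item.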
@@ -42,23 +42,8 @@ You can configure and manage Windows Defender Antivirus with: >- Fast learning (including Block at first sight) >- Potentially unwanted application blocking -## What's new in Windows 10, version 1803 - -- The [block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -- The [Virus & threat protection area in the Windows Security app](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings. - - -## What's new in Windows 10, version 1703 - -New features for Windows Defender Antivirus in Windows 10, version 1703 include: -- [Updates to how the block at first sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md) -- [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md) -- [Windows Defender Antivirus protection in the Windows Security app](windows-defender-security-center-antivirus.md) - -We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender Antivirus, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios: -- [Evaluation guide for Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) -- [Deployment guide for Windows Defender Antivirus in a virtual desktop infrastructure environment](deployment-vdi-windows-defender-antivirus.md) - +>[!NOTE] +For more information regarding what's new in each Windows version, please refer to [What's new in Microsoft Defender ATP](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp) ## Minimum system requirements 
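Review bot: the added alert is malformed: only ">[!NOTE]" carries the blockquote marker, so the following "For more information..." line renders as an ordinary paragraph outside the note box. Both lines need the ">" prefix, for example "> [!NOTE]" followed by "> For more information about what's new in each Windows version, see [What's new in Microsoft Defender ATP](...)." The sentence also lacks a terminal period, and docs style prefers "see" over "please refer to".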
From 6f344f67e66c5eeb41875de905339fec4b03b06c Mon Sep 17 00:00:00 2001 From: Nathan ziehnert Date: Fri, 12 Jul 2019 13:16:25 -0600 Subject: [PATCH 053/137] Change == to 'equals' --- .../deployment/upgrade/upgrade-readiness-deployment-script.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 1b88d830c7..f6a4288074 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md 
@@ -148,9 +148,9 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi | 60 - CleanupOneSettings failed to delete registry key: **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** | Verify that the account has the correct permissions to change or add registry keys. | | 61 - CleanupOneSettings failed with an exception | CleanupOneSettings failed with an unexpected exception. | | 62 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at path **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection** is a REG_DWORD. | -| 63 - Diagnostic data is disabled for the device | If AllowTelemetry == 0, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. | +| 63 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection**. | | 64 - AllowTelemetry property value at registry key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is not of type REG_DWORD. It should be of type REG_DWORD. | Ensure that the **AllowTelemetry** property at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is a REG_DWORD. | -| 65 - Diagnostic data is disabled for the device | If AllowTelemetry == 0, devices cannot send diagnostic data. To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. | +| 65 - Diagnostic data is disabled for the device | If AllowTelemetry equals **0**, devices cannot send diagnostic data. 
To resolve this, set the **AllowTelemetry** value at **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection**. | | 66 - All recent data uploads for the Universal Telemetry Client failed. | Review the UtcConnectionReport in WMI in the namespace **root\cimv2\mdm\dmmap** under the **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** class. Only SYSTEM has access to this class. Use [PSExec](https://docs.microsoft.com/en-us/sysinternals/downloads/psexec) to execute your WMI utility as SYSTEM. | | 67 - CheckUtcCsp failed with an exception | There was an error reading the WIM/CIM class **MDM_Win32CompatibilityAppraiser_UniversalTelemetryClient01** in the namespace **root\cimv2\mdm\dmmap**. Review system for WMI errors. | From 7798d26461aed3383ae36482fcab0d99cb4e76a8 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 12 Jul 2019 15:47:00 -0400 Subject: [PATCH 054/137] chore: Remove it-client orphan submodule Fixes #4110 --- it-client | 1 - 1 file changed, 1 deletion(-) delete mode 160000 it-client diff --git a/it-client b/it-client deleted file mode 160000 index 61e0a21977..0000000000 --- a/it-client +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 61e0a21977430f3c0eef1c32e398999dc090c332 From ab55da07d746e2f0984f408ee0449a277fedac13 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 12 Jul 2019 15:57:43 -0400 Subject: [PATCH 055/137] fix: MD033/no-inline-html Escape elements swallowed as inline HTML --- devices/hololens/hololens-cortana.md | 6 +++--- ...ultiple-windows-defender-application-control-policies.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/hololens/hololens-cortana.md b/devices/hololens/hololens-cortana.md index 8c74b3b97e..dfe9539b1b 100644 --- a/devices/hololens/hololens-cortana.md +++ b/devices/hololens/hololens-cortana.md 
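Review bot: in the PATCH 053 hunk (upgrade-readiness-deployment-script.md, rows 63 and 65) the remediation text still says to "set the **AllowTelemetry** value" without saying to what; since the failing condition is now spelled out as "AllowTelemetry equals **0**", say that it must be set to a non-zero REG_DWORD (rows 62 and 64 already require REG_DWORD). Also, the context line for row 60 carries the key path **HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ Diagnostics\Diagtrack\SettingsRequests** with a stray space after `CurrentVersion\`, which breaks a copy-paste of the path; worth fixing while this table is open.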
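Review bot: the PATCH 054 diffstat shows only the gitlink `it-client` being removed (`Subproject commit 61e0a219...`). If a matching `it-client` entry still exists in `.gitmodules`, it has to go in the same commit, otherwise `git submodule` operations will report a mapping with no gitlink; the subject says the submodule is an orphan, so presumably no such entry exists, but the commit message should state that so the next reader does not have to check.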
@@ -31,13 +31,13 @@ Here are some things you can try saying (remember to say "Hey Cortana" first): - Restart. - Go to sleep. - Mute. -- Launch . -- Move here (gaze at the spot you want the app to move to). +- Launch ``. +- Move `` here (gaze at the spot you want the app to move to). - Go to Start. - Take a picture. - Start recording. (Starts recording a video.) - Stop recording. (Stops recording a video.) -- Call . (Requires Skype.) +- Call ``. (Requires Skype.) - What time is it? - Show me the latest NBA scores. - How much battery do I have left? diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index abc8820fab..cf929bfd6e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -85,7 +85,7 @@ In order to deploy policies using the new multiple policy format you will need t - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active 2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy - - For example if the policy XML had the ID as {A6D7FBBF-9F6B-4072-BF37-693741E1D745} the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip + - For example if the policy XML had the ID as `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}` the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip 3. Reboot the system or use WMI to rebootlessly refresh the policy ```powershell 
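Review bot: in the hololens-cortana.md hunk the three changed lines (`- Launch ``.`, `- Move `` here ...`, `- Call ``.`) now contain empty code spans, two backticks with nothing between them. The placeholders for the app or contact name seem to have been lost along with the angle brackets; confirm the source actually reads, for example, `Launch <app name>` inside the span, because an empty span renders as nothing and silently replaces the inline-HTML problem with missing text.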
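Review bot: in the deploy-multiple-windows-defender-application-control-policies.md hunk only the first GUID is wrapped in a code span; the second occurrence, `{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip` on the same line, is left bare. Wrap both so the binary policy file name is rendered literally and the two halves of the example read consistently; the point of the step is that the file name must match the PolicyID exactly, so the file name is the half that most needs to be unambiguous.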
From 3a1d8437f195a840378b1463a94be320c7df6bb5 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 12 Jul 2019 15:58:20 -0400 Subject: [PATCH 056/137] fix: MD039/no-space-in-links Spaces inside link text --- devices/surface-hub/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 7eac6565e2..d9bdb48c3a 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md @@ -5,7 +5,7 @@ ## Overview ### [What's new in Surface Hub 2S for IT admins](surface-hub-2s-whats-new.md) ### [Surface Hub 2S tech specs](surface-hub-2s-techspecs.md) -### [Operating system essentials (Surface Hub) ](differences-between-surface-hub-and-windows-10-enterprise.md) +### [Operating system essentials (Surface Hub)](differences-between-surface-hub-and-windows-10-enterprise.md) ### [Adjust Surface Hub 2S brightness, volume, and input](surface-hub-2s-onscreen-display.md) ## Plan From 25c47f92e30c12111a8d1ee6ba514ab93486ef46 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Fri, 12 Jul 2019 16:00:25 -0400 Subject: [PATCH 057/137] fix: MD042/no-empty-links No empty links --- windows/security/threat-protection/TOC.md | 2 +- .../security/threat-protection/microsoft-defender-atp/TOC.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 9535492f02..0de508a4fa 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -422,7 +422,7 @@ ##### [Check service health](microsoft-defender-atp/service-status.md) -#### [Troubleshoot live response issues]() +#### [Troubleshoot live response issues](microsoft-defender-atp/troubleshoot-live-response.md) ##### [Troubleshoot issues related to live response](microsoft-defender-atp/troubleshoot-live-response.md) 
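Review bot: in the threat-protection/TOC.md hunk the parent entry "Troubleshoot live response issues" now links to `microsoft-defender-atp/troubleshoot-live-response.md`, which is the same target as the child entry on the very next line, so the TOC shows one page twice at two levels. The neighbouring context line `### Troubleshoot attack surface reduction` shows the existing convention for a grouping entry: an unlinked heading. Making this parent an unlinked heading the same way (or dropping the now-redundant child) satisfies MD042 without the duplicate. The same applies to the microsoft-defender-atp/TOC.md hunk that follows.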
diff --git a/windows/security/threat-protection/microsoft-defender-atp/TOC.md b/windows/security/threat-protection/microsoft-defender-atp/TOC.md index 44f14073d3..d837a99508 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/TOC.md +++ b/windows/security/threat-protection/microsoft-defender-atp/TOC.md @@ -418,7 +418,7 @@ #### [Check service health](service-status.md) -### [Troubleshoot live response issues]() +### [Troubleshoot live response issues](troubleshoot-live-response.md) #### [Troubleshoot issues related to live response](troubleshoot-live-response.md) ### Troubleshoot attack surface reduction From 301d3bfc3eaab66193ced76ca645e2a9cf717a5a Mon Sep 17 00:00:00 2001 
From: Nick Schonning Date: Fri, 12 Jul 2019 16:22:55 -0400 Subject: [PATCH 058/137] fix: MD038/no-space-in-code Spaces inside code span elements --- .../intranet-problems-and-ie11.md | 2 +- mdop/appv-v4/delete-package.md | 2 +- mdop/appv-v4/sfttray-command-reference.md | 16 +-- ...-publishing-server-on-a-remote-computer.md | 25 ++-- ...ublishing-server-on-a-remote-computer51.md | 25 ++-- ...ve-mbam-10-features-to-another-computer.md | 130 ++++++++++-------- ...-20-features-to-another-computer-mbam-2.md | 120 ++++++++-------- .../troubleshoot-windows-freeze.md | 2 +- .../customize-and-export-start-layout.md | 2 +- .../usmt/usmt-customize-xml-files.md | 2 +- .../usmt/usmt-general-conventions.md | 2 +- .../usmt/usmt-xml-elements-library.md | 4 +- .../hello-hybrid-cert-trust-devreg.md | 8 +- ...s-defender-application-control-policies.md | 6 +- .../create-initial-default-policy.md | 6 +- ...rt-windows-defender-application-control.md | 20 +-- ...s-defender-application-control-policies.md | 18 +-- ...s-defender-application-control-policies.md | 14 +- .../select-types-of-rules-to-create.md | 4 +- .../signing-policies-with-signtool.md | 16 +-- ...r-application-control-against-tampering.md | 16 +-- ...tion-based-protection-of-code-integrity.md | 2 +- 22 files changed, 229 insertions(+), 213 deletions(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md index 91517251f0..77eb2fa5b1 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md +++ b/browsers/internet-explorer/ie11-deploy-guide/intranet-problems-and-ie11.md 
@@ -24,7 +24,7 @@ IE11 works differently with search, based on whether your organization is domain - **Non-domain-joined computers.** A single word entry is treated as an intranet site. However, if the term doesn't resolve to a site, IE11 then treats the entry as a search term and opens your default search provider. -To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like ` contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. +To explicitly go to an intranet site, regardless of the environment, users can type either a trailing slash like `contoso/` or the `https://` prefix. Either of these will cause IE11 to treat the entry as an intranet search. You can also change the default behavior so that IE11 treats your single word entry in the address bar as an intranet site, regardless of your environment. **To enable single-word intranet search** diff --git a/mdop/appv-v4/delete-package.md b/mdop/appv-v4/delete-package.md index b5f9062d59..925e63a5c9 100644 --- a/mdop/appv-v4/delete-package.md +++ b/mdop/appv-v4/delete-package.md @@ -19,7 +19,7 @@ ms.date: 06/16/2016 Removes a package record and the applications associated with it. -` SFTMIME DELETE PACKAGE:package-name [/LOG log-pathname | /CONSOLE | /GUI]` +`SFTMIME DELETE PACKAGE:package-name [/LOG log-pathname | /CONSOLE | /GUI]` diff --git a/mdop/appv-v4/sfttray-command-reference.md b/mdop/appv-v4/sfttray-command-reference.md index 0b72c8c94c..38b1c28072 100644 --- a/mdop/appv-v4/sfttray-command-reference.md +++ b/mdop/appv-v4/sfttray-command-reference.md 
@@ -31,23 +31,23 @@ There is only one Application Virtualization Client Tray instance for each user -` Sfttray.exe /?` +`Sfttray.exe /?` ### Command Usage -` Sfttray.exe [/HIDE | /SHOW]` +`Sfttray.exe [/HIDE | /SHOW]` -` Sfttray.exe [/HIDE | /SHOW] [/QUIET] [/EXE alternate-exe] /LAUNCH app [args]` +`Sfttray.exe [/HIDE | /SHOW] [/QUIET] [/EXE alternate-exe] /LAUNCH app [args]` -` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOAD app [/SFTFILE sft]` +`Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOAD app [/SFTFILE sft]` -` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOADALL` +`Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LOADALL` -` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /REFRESHALL` +`Sfttray.exe [/HIDE | /SHOW] [/QUIET] /REFRESHALL` -` Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LAUNCHRESULT /LAUNCH app [args]` +`Sfttray.exe [/HIDE | /SHOW] [/QUIET] /LAUNCHRESULT /LAUNCH app [args]` -` Sfttray.exe /EXIT` +`Sfttray.exe /EXIT` ### Command-Line Switches diff --git a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md index d9862868d2..ee45693fca 100644 --- a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md +++ b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer.md 
@@ -51,21 +51,16 @@ Use the following procedure to install the publishing server on a separate compu 9. To verify if the publishing server is running correctly, you should import a package to the management server, entitle the package to an AD group, and publish the package. Using an internet browser, open the following URL: http://publishingserver:pubport. If the server is running correctly information similar to the following will be displayed: - `` - - ` ` - - ` ` - - ` ` - - ` ` - - ` ` - - ` ` - - `` + ```xml + + + + + + + + + ``` **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). diff --git a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md index b304366dd1..c9ed253251 100644 --- a/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md +++ b/mdop/appv-v5/how-to-install-the-publishing-server-on-a-remote-computer51.md @@ -51,21 +51,16 @@ Use the following procedure to install the publishing server on a separate compu 9. To verify if the publishing server is running correctly, you should import a package to the management server, entitle the package to an AD group, and publish the package. Using an internet browser, open the following URL: http://publishingserver:pubport. If the server is running correctly information similar to the following will be displayed: - `` - - ` ` - - ` ` - - ` ` - - ` ` - - ` ` - - ` ` - - `` + ```xml + + + + + + + + + ``` **Got a suggestion for App-V**? Add or vote on suggestions [here](http://appv.uservoice.com/forums/280448-microsoft-application-virtualization). **Got an App-V issue?** Use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopappv). 
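Review bot: in both publishing-server hunks (…remote-computer.md and …remote-computer51.md) the new ```xml fence appears to hold nothing but blank lines; the sample response that the old backtick lines contained seems to have been lost with the angle brackets. Verify that the fenced block in the source still contains the sample XML, otherwise step 9's "information similar to the following will be displayed" points at an empty box. Minor: `http://publishingserver:pubport` in the same step is a placeholder URL and would be better as a code span so the renderer does not turn it into a live link.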
diff --git a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md index b300c0341b..e0dec01036 100644 --- a/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md +++ b/mdop/mbam-v1/how-to-move-mbam-10-features-to-another-computer.md 
@@ -88,49 +88,55 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab Modify the MBAM Recovery and Hardware Database to use the full recovery mode. - `USE master;` + ```sql + USE master; - `GO` + GO - `ALTER DATABASE "MBAM Recovery and Hardware"` + ALTER DATABASE "MBAM Recovery and Hardware" - ` SET RECOVERY FULL;` + SET RECOVERY FULL; - `GO` + GO + ``` Create MBAM Recovery and Hardware Database Data and MBAM Recovery logical backup devices. - `USE master` + ```sql + USE master - `GO` + GO - `EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device',` + EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device', - `'Z:\MBAM Recovery and Hardware Database Data.bak';` + 'Z:\MBAM Recovery and Hardware Database Data.bak'; - `GO` + GO + ``` Back up the full MBAM Recovery and Hardware database. - `BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device];` + ```sql + BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device]; - `GO` + GO - `BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate]` + BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate] - `TO FILE = 'Z:\SQLServerInstanceCertificateFile'` + TO FILE = 'Z:\SQLServerInstanceCertificateFile' - `WITH PRIVATE KEY` + WITH PRIVATE KEY - `(` + ( - ` FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - ` ENCRYPTION BY PASSWORD = '$PASSWORD$'` + ENCRYPTION BY PASSWORD = '$PASSWORD$' - `);` + ); - `GO` + GO + ``` **Note** Replace the values from the preceding example with those that match your environment: 
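Review bot: in this mbam-v1 @@ -88 hunk the certificate backup still has a space inside a string literal, `FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` (after the opening quote); in T-SQL that space is part of the path, and this commit is about exactly this class of stray space, so drop it here too. `ALTER DATABASE "MBAM Recovery and Hardware"` uses double quotes while every other statement in the block uses brackets (`[MBAM Recovery and Hardware]`); double-quoted identifiers depend on QUOTED_IDENTIFIER being ON, so use the bracketed form throughout. Since the exported private key plus `'$PASSWORD$'` are what the restore hunk later uses to bring the recovery database back, the **Note** below this block should also say that the key file and password need the same protection as the database backup itself.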
@@ -181,43 +187,51 @@ You can use the following procedure to move the MBAM Recovery and Hardware Datab 4. To automate this procedure, create a SQL file (.sql) that contains the following SQL script: - `-- Restore MBAM Recovery and Hardware Database. ` + ```sql + -- Restore MBAM Recovery and Hardware Database. - `USE master` + USE master - `GO` + GO + ``` Drop the certificate created by MBAM Setup. - `DROP CERTIFICATE [MBAM Recovery Encryption Certificate]` + ```sql + DROP CERTIFICATE [MBAM Recovery Encryption Certificate] - `GO` + GO + ``` Add certificate - `CREATE CERTIFICATE [MBAM Recovery Encryption Certificate]` + ```sql + CREATE CERTIFICATE [MBAM Recovery Encryption Certificate] - `FROM FILE = 'Z: \SQLServerInstanceCertificateFile'` + FROM FILE = 'Z: \SQLServerInstanceCertificateFile' - `WITH PRIVATE KEY` + WITH PRIVATE KEY - `(` + ( - ` FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - ` DECRYPTION BY PASSWORD = '$PASSWORD$'` + DECRYPTION BY PASSWORD = '$PASSWORD$' - `);` + ); - `GO` + GO + ``` Restore the MBAM Recovery and Hardware database data and the log files. - `RESTORE DATABASE [MBAM Recovery and Hardware]` + ```sql + RESTORE DATABASE [MBAM Recovery and Hardware] - ` FROM DISK = 'Z:\MBAM Recovery and Hardware Database Data.bak'` + FROM DISK = 'Z:\MBAM Recovery and Hardware Database Data.bak' - ` WITH REPLACE` + WITH REPLACE + ``` **Note** Replace the values from the preceding example with those that match your environment: 
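Review bot: in this mbam-v1 @@ -181 hunk `FROM FILE = 'Z: \SQLServerInstanceCertificateFile'` has a space after the drive colon and `FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` has one after the opening quote; both are inside string literals, so they survive the backtick-to-fence change and produce paths that do not exist. Also, step 4 says to put "the following SQL script" into one .sql file, yet the script is now split into four ```sql fences with prose between them ("Drop the certificate created by MBAM Setup.", "Add certificate"); the mbam-v2 version of the same procedure keeps those lines as `--` comments inside a single fence, which is what the reader is meant to save, and the final `RESTORE DATABASE ... WITH REPLACE` block is the only one without a closing `GO`.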
@@ -354,35 +368,37 @@ If you choose to move the MBAM Compliance Status Database feature from one compu 2. To automate this procedure, create a SQL file (.sql) that contains the following-SQL script: - `-- Modify the MBAM Compliance Status Database to use the full recovery model.` + ```sql + -- Modify the MBAM Compliance Status Database to use the full recovery model. - `USE master;` + USE master; - `GO` + GO - `ALTER DATABASE "MBAM Compliance Status"` + ALTER DATABASE "MBAM Compliance Status" - ` SET RECOVERY FULL;` + SET RECOVERY FULL; - `GO` + GO - `-- Create MBAM Compliance Status Data logical backup devices.` + -- Create MBAM Compliance Status Data logical backup devices. - `USE master` + USE master - `GO` + GO - `EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device',` + EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device', - `'Z: \MBAM Compliance Status Database Data.bak';` + 'Z: \MBAM Compliance Status Database Data.bak'; - `GO` + GO -- Back up the full MBAM Recovery and Hardware database. - `BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device];` + BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device]; - `GO` + GO + ``` 3. Run the SQL file with a command that is similar to the following one, by using the SQL Server PowerShell: 
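Review bot: in this mbam-v1 @@ -354 hunk `'Z: \MBAM Compliance Status Database Data.bak';` keeps the space after the drive colon inside the string literal. The context comment `-- Back up the full MBAM Recovery and Hardware database.` sits directly above `BACKUP DATABASE [MBAM Compliance Status]`; now that it is inside the fence as part of the saved script, it should name the Compliance Status database. `ALTER DATABASE "MBAM Compliance Status"` should use brackets like the BACKUP statement below it.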
@@ -422,19 +438,21 @@ If you choose to move the MBAM Compliance Status Database feature from one compu 3. To automate this procedure, create a SQL file (.sql) that contains the following-SQL script: - `-- Create MBAM Compliance Status Database Data logical backup devices. ` + ```sql + -- Create MBAM Compliance Status Database Data logical backup devices. - `Use master` + Use master - `GO` + GO -- Restore the MBAM Compliance Status database data files. - `RESTORE DATABASE [MBAM Compliance Status Database]` + RESTORE DATABASE [MBAM Compliance Status Database] - ` FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'` + FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak' - ` WITH REPLACE` + WITH REPLACE + ``` 4. Run the SQL File with a command that is similar to the following one, by using the SQL Server PowerShell: diff --git a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md index 46aeb38af7..7888f34d72 100644 --- a/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md +++ b/mdop/mbam-v2/how-to-move-mbam-20-features-to-another-computer-mbam-2.md 
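Review bot: in the mbam-v1 @@ -422 hunk the restore targets `RESTORE DATABASE [MBAM Compliance Status Database]`, but the backup script earlier in the same file backs up `[MBAM Compliance Status]`; RESTORE creates a database under the name given, so a name that differs from the backed-up one would leave the moved database under the wrong name rather than replacing it. The leading comment `-- Create MBAM Compliance Status Database Data logical backup devices.` describes the backup script, not this restore, and the restore reads from `C:\test\...` while the backup wrote to `Z: \...`; align the comment and the path with the backup hunk. The same comment mismatch and the inconsistent `Use master` casing recur in the mbam-v2 @@ -430 hunk later in this patch.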
@@ -88,49 +88,51 @@ To move the Recovery Database from one computer to another (for example, from Se Modify the MBAM Recovery Database to use the full recovery mode. - `USE master;` + ```sql + USE master; - `GO` + GO - `ALTER DATABASE "MBAM Recovery and Hardware"` + ALTER DATABASE "MBAM Recovery and Hardware" - ` SET RECOVERY FULL;` + SET RECOVERY FULL; - `GO` + GO -- Create MBAM Recovery Database Data and MBAM Recovery logical backup devices. - `USE master` + USE master - `GO` + GO - `EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device',` + EXEC sp_addumpdevice 'disk', 'MBAM Recovery and Hardware Database Data Device', - `'Z:\MBAM Recovery Database Data.bak';` + 'Z:\MBAM Recovery Database Data.bak'; - `GO` + GO -- Back up the full MBAM Recovery Database. - `BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device];` + BACKUP DATABASE [MBAM Recovery and Hardware] TO [MBAM Recovery and Hardware Database Data Device]; - `GO` + GO - `BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate]` + BACKUP CERTIFICATE [MBAM Recovery Encryption Certificate] - `TO FILE = 'Z:\SQLServerInstanceCertificateFile'` + TO FILE = 'Z:\SQLServerInstanceCertificateFile' - `WITH PRIVATE KEY` + WITH PRIVATE KEY - `(` + ( - ` FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - ` ENCRYPTION BY PASSWORD = '$PASSWORD$'` + ENCRYPTION BY PASSWORD = '$PASSWORD$' - `);` + ); - `GO` + GO + ``` **Note** Replace the following values in the example above with those that match your environment: 
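Review bot: in this mbam-v2 @@ -88 hunk `FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` retains a space after the opening quote inside the string literal; drop it as this commit does elsewhere. `ALTER DATABASE "MBAM Recovery and Hardware"` uses double quotes while the BACKUP statements use brackets. Keeping the `-- Create ...` and `-- Back up ...` lines as comments inside one fence is the right shape for a script the reader saves to a .sql file; the mbam-v1 twin of this hunk should follow it. Also, the step text says "MBAM Recovery Database" while the script names `MBAM Recovery and Hardware` and the file `Z:\MBAM Recovery Database Data.bak`; worth confirming the database name matches what MBAM 2.0 Setup creates.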
@@ -183,43 +185,45 @@ To move the Recovery Database from one computer to another (for example, from Se 4. To automate this procedure, create a SQL file (.sql) that contains the following-SQL script: - `-- Restore MBAM Recovery Database. ` + ```sql + -- Restore MBAM Recovery Database. - `USE master` + USE master - `GO` + GO -- Drop certificate created by MBAM Setup. - `DROP CERTIFICATE [MBAM Recovery Encryption Certificate]` + DROP CERTIFICATE [MBAM Recovery Encryption Certificate] - `GO` + GO --Add certificate - `CREATE CERTIFICATE [MBAM Recovery Encryption Certificate]` + CREATE CERTIFICATE [MBAM Recovery Encryption Certificate] - `FROM FILE = 'Z: \SQLServerInstanceCertificateFile'` + FROM FILE = 'Z: \SQLServerInstanceCertificateFile' - `WITH PRIVATE KEY` + WITH PRIVATE KEY - `(` + ( - ` FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` + FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey', - ` DECRYPTION BY PASSWORD = '$PASSWORD$'` + DECRYPTION BY PASSWORD = '$PASSWORD$' - `);` + ); - `GO` + GO -- Restore the MBAM Recovery Database data and log files. - `RESTORE DATABASE [MBAM Recovery and Hardware]` + RESTORE DATABASE [MBAM Recovery and Hardware] - ` FROM DISK = 'Z:\MBAM Recovery Database Data.bak'` + FROM DISK = 'Z:\MBAM Recovery Database Data.bak' - ` WITH REPLACE` + WITH REPLACE + ``` **Note** Replace the following values in the example above with those that match your environment: 
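Review bot: in this mbam-v2 @@ -183 hunk `FROM FILE = 'Z: \SQLServerInstanceCertificateFile'` and `FILE = ' Z:\SQLServerInstanceCertificateFilePrivateKey',` both carry a stray space inside the quoted path (after the colon and after the opening quote respectively), so neither path resolves as written. The `--Add certificate` comment is also the only one in the block without a space after `--`.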
@@ -362,35 +366,37 @@ If you want to move the MBAM Compliance and Audit Database from one computer to 2. To automate this procedure, create a SQL file (.sql) that contains the following-SQL script: - `-- Modify the MBAM Compliance Status Database to use the full recovery model.` + ```sql + -- Modify the MBAM Compliance Status Database to use the full recovery model. - `USE master;` + USE master; - `GO` + GO - `ALTER DATABASE "MBAM Compliance Status"` + ALTER DATABASE "MBAM Compliance Status" - ` SET RECOVERY FULL;` + SET RECOVERY FULL; - `GO` + GO - `-- Create MBAM Compliance Status Data logical backup devices.` + -- Create MBAM Compliance Status Data logical backup devices. - `USE master` + USE master - `GO` + GO - `EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device',` + EXEC sp_addumpdevice 'disk', 'MBAM Compliance Status Database Data Device', - `'Z: \MBAM Compliance Status Database Data.bak';` + 'Z: \MBAM Compliance Status Database Data.bak'; - `GO` + GO -- Back up the full MBAM Recovery database. - `BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device];` + BACKUP DATABASE [MBAM Compliance Status] TO [MBAM Compliance Status Database Data Device]; - `GO` + GO + ``` 3. Run the SQL file by using a Windows PowerShell command line that is similar to the following: 
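Review bot: in this mbam-v2 @@ -362 hunk `'Z: \MBAM Compliance Status Database Data.bak';` keeps the space after the drive colon. The context comment `-- Back up the full MBAM Recovery database.` precedes `BACKUP DATABASE [MBAM Compliance Status]`; as a comment inside the saved script it should name the Compliance Status database. `ALTER DATABASE "MBAM Compliance Status"` should use brackets like the rest of the block.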
@@ -430,19 +436,21 @@ If you want to move the MBAM Compliance and Audit Database from one computer to 3. To automate this procedure, create a SQL file (.sql) that contains the following-SQL script: - `-- Create MBAM Compliance Status Database Data logical backup devices. ` + ```sql + -- Create MBAM Compliance Status Database Data logical backup devices. - `Use master` + Use master - `GO` + GO -- Restore the MBAM Compliance Status database data files. - `RESTORE DATABASE [MBAM Compliance Status]` + RESTORE DATABASE [MBAM Compliance Status] - ` FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak'` + FROM DISK = 'C:\test\MBAM Compliance Status Database Data.bak' - ` WITH REPLACE` + WITH REPLACE + ``` 4. Run the SQL File by using a Windows PowerShell command line that is similar to the following: diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 576ee3a7c0..920e5a1ff0 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -204,7 +204,7 @@ If the physical computer is still running in a frozen state, follow these steps 2. From a remote computer that is preferably in the same network and subnet, go to **Registry Editor** \> **Connect Network Registry**. Then, connect to the concerned computer, and verify the following settings: - * ` `*HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` + * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\CrashDumpEnabled` Make sure that the [CrashDumpEnabled](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-2000-server/cc976050(v=technet.10)) registry entry is `1`. diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 2fd51caeeb..aa221c4b9e 100644 --- a/windows/configuration/customize-and-export-start-layout.md 
+++ b/windows/configuration/customize-and-export-start-layout.md @@ -91,7 +91,7 @@ When you have the Start layout that you want your users to see, use the [Export- 2. On a device running Windows 10, version 1607, 1703, or 1803, at the Windows PowerShell command prompt, enter the following command: - `Export-StartLayout –path .xml ` + `Export-StartLayout –path .xml` On a device running Windows 10, version 1809, run the **Export-StartLayout** with the switch **-UseDesktopApplicationID**. For example: diff --git a/windows/deployment/usmt/usmt-customize-xml-files.md b/windows/deployment/usmt/usmt-customize-xml-files.md index de23e1d507..e1e7522f96 100644 --- a/windows/deployment/usmt/usmt-customize-xml-files.md +++ b/windows/deployment/usmt/usmt-customize-xml-files.md @@ -89,7 +89,7 @@ In addition, note the following functionality with the Config.xml file: - If a parent component is removed from the migration in the Config.xml file by specifying `migrate="no"`, all of its child components will automatically be removed from the migration, even if the child component is set to `migrate="yes"`. -- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no" `and the other line specifies `migrate="yes"`, the component will be migrated. +- If you mistakenly have two lines of code for the same component where one line specifies `migrate="no"` and the other line specifies `migrate="yes"`, the component will be migrated. - In USMT there are several migration policies that can be configured in the Config.xml file. For example, you can configure additional **<ErrorControl>**, **<ProfileControl>**, and **<HardLinkStoreControl>** options. For more information, see the [Config.xml File](usmt-configxml-file.md) topic. diff --git a/windows/deployment/usmt/usmt-general-conventions.md b/windows/deployment/usmt/usmt-general-conventions.md index 6b9330d5ec..daad6f47ed 100644 --- a/windows/deployment/usmt/usmt-general-conventions.md 
+++ b/windows/deployment/usmt/usmt-general-conventions.md @@ -50,7 +50,7 @@ Before you modify the .xml files, become familiar with the following guidelines: - **File names with brackets** - If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt] `instead of `c:\documents\mydocs [file].txt]`. + If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `c:\documents\mydocs [file^].txt]` instead of `c:\documents\mydocs [file].txt]`. - **Using quotation marks** diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 84d7c89277..13fcf0effc 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md 
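Review bot: in the customize-and-export-start-layout.md hunk the command reads `Export-StartLayout –path .xml` with nothing between `–path` and `.xml`; the placeholder for the export path appears to have been swallowed, so the command as shown cannot run. Restore a visible placeholder for the path. The dash before `path` is also an en dash (U+2013) rather than a hyphen; PowerShell tolerates it, but it differs from the `-UseDesktopApplicationID` switch in the following sentence and defeats text search.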
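Review bot: in the usmt-general-conventions.md hunk the example in the changed line, `c:\documents\mydocs [file^].txt]`, does not match its sentence: the file is said to be named File.txt, yet the pattern opens a `[` before `file` and ends with a `]` after `.txt` that has no opening bracket to pair with, so the reader cannot tell which bracket the caret is escaping. Rework the example around a name that actually contains a bracket, and "carat" should be "caret".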
@@ -1499,7 +1499,7 @@ For example: - **MergeMultiSzContent** - The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and` String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed. + The MergeMultiSzContent function merges the MULTI-SZ content of the registry values that are enumerated by the parent <ObjectSet> element with the content of the equivalent registry values that already exist on the destination computer. `Instruction` and `String` either remove or add content to the resulting MULTI-SZ. Duplicate elements will be removed. Syntax: MergeMultiSzContent (*Instruction*,*String*,*Instruction*,*String*,…) @@ -3618,7 +3618,7 @@ The return value that is required by <script> depends on the parent elemen Syntax: <script>MigXmlHelper.GetStringContent("*ObjectType*","*EncodedLocationPattern*", "*ExpandContent*")</script> - Example:` ` + Example: `` - You can use [GenerateUserPatterns](#scriptfunctions) when <script> is within <objectSet>. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 8a74c77ed5..c640737793 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
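Review bot: in the second usmt-xml-elements-library.md hunk (@@ -3618) the changed `Example:` line ends in an empty code span, two backticks with nothing between them. The GetStringContent example that belonged there (the syntax line directly above shows the form) appears to have been lost when the angle-bracket content was swallowed as inline HTML; check the source and put the example back, since an empty span is worse than the unescaped original.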
@@ -126,7 +126,7 @@ If your AD FS farm is not already configured for Device Authentication (you can 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: `Import-module activedirectory` - `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` + `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName ""` 3. On the pop-up window click **Yes**. > [!NOTE] @@ -150,7 +150,7 @@ The above PSH creates the following objects: If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS 1. Open Windows PowerShell and execute the following: - `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"` > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep @@ -165,7 +165,7 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure 3. Run the following PowerShell command - `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. 
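Review bot: in the @@ -126 hunk `Initialize-ADDeviceRegistration -ServiceAccountName ""` now passes an empty string; the service account placeholder seems to have been dropped, so the command as shown fails. Across the three hunks the prompt prefix is also inconsistent: `PS C:\>` here, `PS C:>` with no backslash or space before the cmdlet in the @@ -150 and @@ -165 hunks, and no prompt at all on `Import-module activedirectory`. Drop the prompt from all of them so each line can be pasted as-is.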
@@ -176,7 +176,7 @@ To ensure AD DS objects and containers are in the correct state for write back o 1. Open Windows PowerShell and execute the following: - `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name]` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 30acb5dae4..aed91aa7a0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md 
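Review bot: trimming the trailing space inside the backticks is right, but these four command lines still lack the value the reader is meant to substitute: `Initialize-ADDeviceRegistration -ServiceAccountName ""` carries an empty string, and `Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name]` has nothing after `-DomainName`, while the account placeholder on the same line uses square brackets. If the missing tokens were written as `<...>` (the style this patch uses elsewhere, for example `*<Path to signtool.exe>*` and `*<Path to exported .cer certificate>*`), the Markdown renderer is treating them as HTML tags; escape them (`\<domain name\>`) or switch to the `[...]` style already used for `[AD connector account name]` so each command reads consistently. The prompt is also `PS C:\>` in the first hunk and `PS C:>` in the other three; pick one. The same swallowed-placeholder problem recurs later in this patch in `Add-SignerRule -FilePath -CertificatePath -User` (where the sentence above it has two empty code spans for the filenames) and in `Set-RuleOption -FilePath -Option 0`.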
@@ -77,13 +77,13 @@ Use the following procedure after you have been running a computer with a WDAC p 2. In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + `$CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + `$CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` 3. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. - ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` + `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` > [!NOTE] > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index fece90650c..67c1e0ccef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md 
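Review bot: `New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt` keeps a typographic en dash in front of `UserPEs` while every other switch on the line uses an ASCII hyphen; since the line is being rewritten anyway, normalise it to `-UserPEs`, which is how the prose in the select-types-of-rules hunk and the `**-UserPEs**` note in the catalog hunk already spell it, and which survives copy-and-paste into scripts and terminals that do not treat the Unicode dash as a parameter prefix. The same en dash survives in `New-CIPolicy -Level PcaCertificate ... –UserPEs`, in both `Add-SignerRule ... -Kernel -User –Update` lines and in `Get-CimInstance –ClassName Win32_DeviceGuard –Namespace ...` further down this patch.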
@@ -40,11 +40,11 @@ To create a WDAC policy, copy each of the following commands into an elevated Wi 1. Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + `$CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` 2. Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index 98d3710250..13fa578687 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -41,7 +41,7 @@ To create a catalog file, you use a tool called **Package Inspector**. You must 2. Start Package Inspector, and then start scanning a local drive, for example, drive C: - ` PackageInspector.exe Start C:` + `PackageInspector.exe Start C:` > [!NOTE] > Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer. 
@@ -69,13 +69,13 @@ To create a catalog file, you use a tool called **Package Inspector**. You must For the last command, which stops Package Inspector, be sure to type the drive letter of the drive you have been scanning, for example, C:. - ` $ExamplePath=$env:userprofile+"\Desktop"` + `$ExamplePath=$env:userprofile+"\Desktop"` - ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` + `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` - ` $CatDefName=$ExamplePath+"\LOBApp.cdf"` + `$CatDefName=$ExamplePath+"\LOBApp.cdf"` - ` PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` + `PackageInspector.exe Stop C: -Name $CatFileName -cdfpath $CatDefName` > **Note**  Package Inspector catalogs the hash values for each discovered binary file. If the applications that were scanned are updated, complete this process again to trust the new binaries’ hash values. @@ -116,15 +116,15 @@ To sign the existing catalog file, copy each of the following commands into an e 1. Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed: - ` $ExamplePath=$env:userprofile+"\Desktop"` + `$ExamplePath=$env:userprofile+"\Desktop"` - ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` + `$CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"` 2. Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. 3. Sign the catalog file with Signtool.exe: - ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` + ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` > **Note**  The *<Path to signtool.exe>* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file. 
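Review bot: the signtool line in the `@@ -116,15` hunk is the one `+` line in this patch that still begins with a space inside the backticks (`` ` sign /n "ContosoDGSigningCert" /fd sha256 /v $CatFileName` ``), and the note directly below it refers to a `<Path to signtool.exe>` variable that does not appear in the command at all, so readers see a command that starts with a bare `sign`. That leading space is almost certainly where the `<Path to signtool.exe>` token stood before the renderer consumed it as an HTML tag; put the placeholder back in escaped form (`\<Path to signtool.exe\>`) or as `[Path to signtool.exe]` rather than leaving the space behind. The identical situation appears in the signing-policies-with-signtool and use-signed-policies hunks (`` ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` ``) and should get the same fix.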
> @@ -148,14 +148,14 @@ After the catalog file is signed, add the signing certificate to a WDAC policy, 2. If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**: - ` New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs` + `New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs` > [!NOTE] > Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity. 3. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `` and ``: - ` Add-SignerRule -FilePath -CertificatePath -User ` + `Add-SignerRule -FilePath -CertificatePath -User` If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 275a1ff7ff..13a60fe360 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md 
@@ -28,13 +28,13 @@ Every WDAC policy is created with audit mode enabled. After you have successfull 1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + `$CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" ` + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"` + `$EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"` - ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` + `$CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"` > [!NOTE] > The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables. 
@@ -43,23 +43,23 @@ Every WDAC policy is created with audit mode enabled. After you have successfull To ensure that these options are enabled in a policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect. - ` Set-RuleOption -FilePath $InitialCIPolicy -Option 9` + `Set-RuleOption -FilePath $InitialCIPolicy -Option 9` - ` Set-RuleOption -FilePath $InitialCIPolicy -Option 10` + `Set-RuleOption -FilePath $InitialCIPolicy -Option 10` 3. Copy the initial file to maintain an original copy: - ` copy $InitialCIPolicy $EnforcedCIPolicy` + `copy $InitialCIPolicy $EnforcedCIPolicy` 4. Use Set-RuleOption to delete the audit mode rule option: - ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` + `Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete` > [!NOTE] > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy. 5. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format: - ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` + `ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin` Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). You can also use other client management software to deploy and manage the policy. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index a0a8076215..4d04e9f6fa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md 
@@ -30,26 +30,26 @@ To merge two WDAC policies, complete the following steps in an elevated Windows 1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + `$CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` + `$AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"` - ` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"` + `$MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"` - ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` + `$CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"` > [!NOTE] > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly. 2. Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy: - ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` + `Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy` 3. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format: - ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin ` + `ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin` Now that you have created a new WDAC policy, you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 960a7fb0ca..ab584cebd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -36,13 +36,13 @@ To modify the policy rule options of an existing WDAC policy, use [Set-RuleOptio - To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command: - ` Set-RuleOption -FilePath -Option 0` + `Set-RuleOption -FilePath -Option 0` Note that a policy that was created without the `-UserPEs` option is empty of user mode executables, that is, applications. If you enable UMCI (Option 0) for such a policy and then attempt to run an application, Windows Defender Application Control will see that the application is not on its list (which is empty of applications), and respond. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. To create a policy that includes user mode executables (applications), when you run `New-CIPolicy`, include the `-UserPEs` option. - To disable UMCI on an existing WDAC policy, delete rule option 0 by running the following command: - ` Set-RuleOption -FilePath -Option 0 -Delete` + `Set-RuleOption -FilePath -Option 0 -Delete` You can set several rule options within a WDAC policy. Table 2 describes each rule option. diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md index b00e9c0154..7f2c0b16d3 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md +++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md @@ -43,11 +43,11 @@ If you do not have a code signing certificate, see the [Optional: Create a code 1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + `$CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` > [!NOTE] > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. @@ -58,11 +58,11 @@ If you do not have a code signing certificate, see the [Optional: Create a code 4. Navigate to your desktop as the working directory: - ` cd $env:USERPROFILE\Desktop ` + `cd $env:USERPROFILE\Desktop` 5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` > [!NOTE] > \ should be the full path to the certificate that you exported in step 3. 
@@ -70,15 +70,15 @@ If you do not have a code signing certificate, see the [Optional: Create a code 6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` + `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` 7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` 8. Sign the WDAC policy by using SignTool.exe: - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index e481ff08f8..7cca116982 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md 
@@ -45,11 +45,11 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 1. Initialize the variables that will be used: - ` $CIPolicyPath=$env:userprofile+"\Desktop\"` + `$CIPolicyPath=$env:userprofile+"\Desktop\"` - ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` + `$InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"` - ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` + `$CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"` > [!NOTE] > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information. @@ -60,11 +60,11 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 4. Navigate to your desktop as the working directory: - ` cd $env:USERPROFILE\Desktop ` + `cd $env:USERPROFILE\Desktop` 5. Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy: - ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` + `Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath -Kernel -User –Update` > [!NOTE] > *<Path to exported .cer certificate>* should be the full path to the certificate that you exported in step 3. 
@@ -72,15 +72,15 @@ If you do not have a code signing certificate, see [Optional: Create a code sign 6. Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option: - ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` + `Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete` 7. Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format: - ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` + `ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin` 8. Sign the WDAC policy by using SignTool.exe: - ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` + ` sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin` > [!NOTE] > The *<Path to signtool.exe>* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 3cd5fee197..f50aa10ac9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -177,7 +177,7 @@ reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Unlocked" /t REG Windows 10 and Windows Server 2016 have a WMI class for related properties and features: *Win32\_DeviceGuard*. This class can be queried from an elevated Windows PowerShell session by using the following command: -` Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` +`Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard` > [!NOTE] > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. From 9638f458a04e9419425afa0990370e3c09e85747 Mon Sep 17 00:00:00 2001 From: Oliver Kieselbach Date: Sat, 13 Jul 2019 00:29:27 +0200 Subject: [PATCH 059/137] Update windows-autopilot-scenarios.md markup links are broken because they are inline of the
tag.... changed them to html now they are functional --- .../windows-autopilot/windows-autopilot-scenarios.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index 3422c91127..280bd8b3aa 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -28,11 +28,11 @@ The following Windows Autopilot scenarios are described in this guide:
ScenarioMore information -
Deploy devices that will be set up by a member of the organization and configured for that person[Windows Autopilot user-driven mode](user-driven.md) -
Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.[Windows Autopilot self-deploying mode](self-deploying.md) -
Re-deploy a device in a business-ready state.[Windows Autopilot Reset](windows-autopilot-reset.md) -
Pre-provision a device with up-to-date applications, policies and settings.[White glove](white-glove.md) -
Deploy Windows 10 on an existing Windows 7 or 8.1 device[Windows Autopilot for existing devices](existing-devices.md) +
Deploy devices that will be set up by a member of the organization and configured for that personWindows Autopilot user-driven mode +
Deploy devices that will be automatically configured for shared use, as a kiosk, or as a digital signage device.Windows Autopilot self-deploying mode +
Re-deploy a device in a business-ready state.Windows Autopilot Reset +
Pre-provision a device with up-to-date applications, policies and settings.White glove +
Deploy Windows 10 on an existing Windows 7 or 8.1 deviceWindows Autopilot for existing devices
## Windows Autopilot capabilities From 9de5db1f62b28ff6bc89232e9065f5d343eb2700 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 13 Jul 2019 14:58:55 +0500 Subject: [PATCH 060/137] Update policy-csp-smartscreen.md --- windows/client-management/mdm/policy-csp-smartscreen.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-smartscreen.md b/windows/client-management/mdm/policy-csp-smartscreen.md index 61a11806fa..ee2e01759b 100644 --- a/windows/client-management/mdm/policy-csp-smartscreen.md +++ b/windows/client-management/mdm/policy-csp-smartscreen.md @@ -73,6 +73,9 @@ manager: dansimp Added in Windows 10, version 1703. Allows IT Admins to control whether users are allowed to install apps from places other than the Store. +> [!Note] +> This policy will block installation only while the device is online. To block offline installation too, policies **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** should also be enabled. + ADMX Info: From c616fa2a955e7b3e8f6d32daefa3bbd7e986ffe9 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sat, 13 Jul 2019 12:05:56 -0500 Subject: [PATCH 061/137] Update policy-csp-remotedesktopservices.md --- .../client-management/mdm/policy-csp-remotedesktopservices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-remotedesktopservices.md b/windows/client-management/mdm/policy-csp-remotedesktopservices.md index 6621ddedd2..b25f998de2 100644 --- a/windows/client-management/mdm/policy-csp-remotedesktopservices.md +++ b/windows/client-management/mdm/policy-csp-remotedesktopservices.md 
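Review bot: please confirm in the build preview that the new anchors resolve to the same relative targets as the Markdown links they replace (`user-driven.md`, `self-deploying.md`, `windows-autopilot-reset.md`, `white-glove.md`, `existing-devices.md`), since the rendered diff shows only the link text of the five `+` rows and relative `.md` hrefs inside raw HTML are not always rewritten the way Markdown links are. While these rows are being touched, the first and last scenario descriptions ("...configured for that person" and "...existing Windows 7 or 8.1 device") lack the trailing period that the other three rows have.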
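Review bot: the new callout is written `> [!Note]`, whereas the rest of the repository (see the `> [!NOTE]` blocks elsewhere in this patch series) uses the upper-case form; keep it consistent. The claim that this policy only blocks installation while the device is online, and that **SmartScreen/PreventOverrideForFilesInShell** and **SmartScreen/EnableSmartScreenInShell** are required to cover offline installs, is a behavioural statement with no source in the commit message; add a reference to where that behaviour is documented, or at least link the two policies, so it can be verified. Wording: "policies ... should also be enabled" reads better as "also enable the ... policies".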
@@ -222,7 +222,7 @@ This policy setting specifies whether to prevent the mapping of client drives in By default, an RD Session Host server maps client drives automatically upon connection. Mapped drives appear in the session folder tree in File Explorer or Computer in the format on . You can use this policy setting to override this behavior. -If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2003, Windows 8, and Windows XP. +If you enable this policy setting, client drive redirection is not allowed in Remote Desktop Services sessions, and Clipboard file copy redirection is not allowed on computers running Windows Server 2019 and Windows 10. If you disable this policy setting, client drive redirection is always allowed. In addition, Clipboard file copy redirection is always allowed if Clipboard redirection is allowed. From d63930fbb415f68f585e309cde3715d0d6ef088a Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sat, 13 Jul 2019 12:30:06 -0500 Subject: [PATCH 062/137] Update configure-network-connections-windows-defender-antivirus.md --- .../configure-network-connections-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 71db8e1517..330f12547b 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
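Review bot: the new platform list ("Windows Server 2019 and Windows 10") has no source; the commit message ("Update policy-csp-remotedesktopservices.md") gives none, and the sentence being replaced appears to be the Group Policy help text for this setting, where the version list identifies the platforms on which Clipboard file copy redirection behaves differently. Swapping in newer versions may therefore change the meaning rather than update it; please cite the ADMX or documentation the new versions come from, or reword to drop the version-specific clause if the restriction now applies across the board. Adjacent and unrelated: the context line "in the format on ." has lost its drive-letter and computer-name placeholders (another `<...>` token eaten by the renderer) and could be repaired while you are in the file.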
@@ -151,7 +151,7 @@ MpCmdRun -ValidateMapsConnection ``` > [!NOTE] -> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1703 or higher. +> You need to open an administrator-level version of the command prompt. Right-click the item in the Start menu, click **Run as administrator** and click **Yes** at the permissions prompt. This command will only work on Windows 10, version 1607 LTSB or higher. See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](command-line-arguments-windows-defender-antivirus.md) for more information on how to use the *mpcmdrun.exe* utility. From 8bef8fafafe6a2d7c7732b540fd3989d352671a8 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sat, 13 Jul 2019 13:03:55 -0500 Subject: [PATCH 063/137] Update attack-surface-reduction-exploit-guard.md --- .../attack-surface-reduction-exploit-guard.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index e16b905b59..c966fef145 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md 
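Review bot: "Windows 10, version 1607 LTSB or higher" mixes a version number with a servicing channel, so it is ambiguous whether `MpCmdRun -ValidateMapsConnection` is claimed to work on all 1607 builds or only on the LTSB edition, and the commit message gives no evidence either way. If the command works on any 1607 build, write "Windows 10, version 1607 or later"; if it really is LTSB-specific, say so explicitly and cite where that is documented. Either way, a reference for lowering the minimum from 1703 to 1607 belongs in the PR description.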
@@ -89,6 +89,8 @@ This rule blocks the following file types from launching from email in Microsoft - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 + Intune name: Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) SCCM name: Block executable content from email client and webmail @@ -101,6 +103,8 @@ This rule blocks Office apps from creating child processes. This includes Word, This is a typical malware behavior, especially malware that abuses Office as a vector, using VBA macros and exploit code to download and attempt to run additional payload. Some legitimate line-of-business applications might also use behaviors like this, including spawning a command prompt or using PowerShell to configure registry settings. +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 + Intune name: Office apps launching child processes SCCM name: Block Office application from creating child processes @@ -113,6 +117,8 @@ This rule prevents Office apps, including Word, Excel, and PowerPoint, from crea This rule targets a typical behavior where malware uses Office as a vector to break out of Office and save malicious components to disk, where they persist and survive a computer reboot. This rule prevents malicious code from being written to disk. +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 + Intune name: Office apps/macros creating executable content SCCM name: Block Office applications from creating executable content 
@@ -125,6 +131,8 @@ Attackers might attempt to use Office apps to migrate malicious code into other This rule applies to Word, Excel, and PowerPoint. +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 + Intune name: Office apps injecting code into other processes (no exceptions) SCCM name: Block Office applications from injecting code into other processes @@ -140,6 +148,8 @@ Malware written in JavaScript or VBS often acts as a downloader to fetch and lau >[!IMPORTANT] >File and folder exclusions don't apply to this attack surface reduction rule. +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 + Intune name: js/vbs executing payload downloaded from Internet (no exceptions) SCCM name: Block JavaScript or VBScript from launching downloaded executable content @@ -150,6 +160,8 @@ GUID: D3E037E1-3EB8-44C8-A917-57927947596D Script obfuscation is a common technique that both malware authors and legitimate applications use to hide intellectual property or decrease script loading times. This rule detects suspicious properties within an obfuscated script. +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 + Intune name: Obfuscated js/vbs/ps/macro code SCCM name: Block execution of potentially obfuscated scripts. @@ -160,6 +172,8 @@ GUID: 5BEB7EFE-FD9A-4556-801D-275E5FFC04CC Office VBA provides the ability to use Win32 API calls, which malicious code can abuse. Most organizations don't use this functionality, but might still rely on using other macro capabilities. This rule allows you to prevent using Win32 APIs in VBA macros, which reduces the attack surface. +This rule was introduced in: Windows 10 1709, Windows Server 1809, Windows Server 2019, SCCM CB 1710 + Intune name: Win32 imports from Office macro code SCCM name: Block Win32 API calls from Office macros 
@@ -180,6 +194,8 @@ This rule blocks the following file types from launching unless they either meet > >You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to. +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 + Intune name: Executables that don't meet a prevalence, age, or trusted list criteria. SCCM name: Block executable files from running unless they meet a prevalence, age, or trusted list criteria @@ -193,6 +209,8 @@ This rule provides an extra layer of protection against ransomware. It scans exe >[!NOTE] >You must [enable cloud-delivered protection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus) to use this rule. +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 + Intune name: Advanced ransomware protection SCCM name: Use advanced protection against ransomware @@ -205,6 +223,8 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i >[!NOTE] >In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat. + +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 Intune name: Flag credential stealing from the Windows local security authority subsystem 
@@ -222,6 +242,8 @@ This rule blocks processes through PsExec and WMI commands from running, to prev >[!WARNING] >Only use this rule if you're managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands the SCCM client uses to function correctly. +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 + Intune name: Process creation from PSExec and WMI commands SCCM name: Not applicable @@ -235,6 +257,8 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) +This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802 + Intune name: Untrusted and unsigned processes that run from USB SCCM name: Block untrusted and unsigned processes that run from USB @@ -248,6 +272,8 @@ This rule prevents Outlook from creating child processes. It protects against so >[!NOTE] >This rule applies to Outlook and Outlook.com only. +This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810 + Intune name: Process creation from Office communication products (beta) SCCM name: Not yet available @@ -258,6 +284,8 @@ GUID: 26190899-1602-49e8-8b27-eb1d0a1ce869 Through social engineering or exploits, malware can download and launch additional payloads and break out of Adobe Reader. This rule prevents attacks like this by blocking Adobe Reader from creating additional processes. +This rule was introduced in: Windows 10 1809, Windows Server 1809, Windows Server 2019, SCCM CB 1810 + Intune name: Process creation from Adobe Reader (beta) SCCM name: Not applicable 
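Review bot: In the hunk at @@ -205,6 +223,8 @@ (the LSASS credential-stealing rule) the blank line is added before the new "This rule was introduced in:" sentence instead of after it, so that sentence and the following "Intune name: Flag credential stealing from the Windows local security authority subsystem" line will render as one paragraph; every other hunk in this patch puts the blank line after the new sentence. Move the `+` blank line below `+This rule was introduced in: Windows 10 1803, Windows Server 1809, Windows Server 2019, SCCM CB 1802` so the layout matches the other rules.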
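Review bot: The SCCM version in the added lines contradicts the "SCCM name" line that follows it in three hunks: at @@ -222,6 +242,8 @@ the rule is listed as introduced in "SCCM CB 1802" directly above "SCCM name: Not applicable" (and under a warning that the rule is incompatible with System Center Configuration Manager management); at @@ -248,6 +272,8 @@ "SCCM CB 1810" sits above "SCCM name: Not yet available"; and at @@ -258,6 +284,8 @@ "SCCM CB 1810" sits above "SCCM name: Not applicable". Either drop the SCCM entry from those three "introduced in" lines or update the corresponding "SCCM name" lines, so the page does not tell readers a rule shipped in a Configuration Manager build that has no setting for it.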
From 3d45604d93b4198c7e9d73e63cc7906eceefa3d0 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Sun, 14 Jul 2019 00:04:49 -0400 Subject: [PATCH 064/137] chore: Cleanup Microsoft links Ran script from MS Docs Authoring Pack. - HTTP -> HTTPS - Remove link locale --- .../appendix-a-powershell-scripts-for-surface-hub.md | 4 ++-- ...erences-between-surface-hub-and-windows-10-enterprise.md | 2 +- devices/surface-hub/surface-hub-2s-phone-authenticate.md | 2 +- devices/surface-hub/surface-hub-2s-prepare-environment.md | 2 +- devices/surface-hub/surface-hub-2s-setup.md | 4 ++-- windows/client-management/mdm/assignedaccess-csp.md | 2 +- windows/deployment/deploy-m365.md | 2 +- windows/deployment/mbr-to-gpt.md | 4 ++-- windows/deployment/update/update-compliance-wd-av-status.md | 2 +- .../license-terms-windows-diagnostic-data-for-powershell.md | 2 +- ...ing-system-components-to-microsoft-services-using-MDM.md | 6 +++--- .../bitlocker/bitlocker-overview-and-requirements-faq.md | 2 +- .../information-protection/bitlocker/bitlocker-overview.md | 2 +- .../information-protection/tpm/tpm-recommendations.md | 2 +- .../advanced-hunting-best-practices.md | 2 +- .../microsoft-defender-atp/configuration-score.md | 2 +- .../microsoft-defender-atp/configure-machines-onboarding.md | 2 +- .../microsoft-defender-atp/configure-machines.md | 6 +++--- .../microsoft-defender-atp/raw-data-export-event-hub.md | 4 ++-- .../microsoft-defender-atp/raw-data-export-storage.md | 4 ++-- .../microsoft-defender-atp/raw-data-export.md | 6 +++--- .../microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md | 2 +- ...figure-network-connections-windows-defender-antivirus.md | 2 +- .../microsoft-defender-atp-mac-updates.md | 4 ++-- .../windows-defender-antivirus/troubleshoot-reporting.md | 2 +- .../windows-security-configuration-framework.md | 2 +- 26 files changed, 38 insertions(+), 38 deletions(-)
diff --git a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md index 27ebc7924e..00620b9f7c 100644 --- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md +++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md @@ -534,7 +534,7 @@ if ($status.Count -gt 0) elseif ($v[0] -eq "F") { $color = "red" - $v += " Go to http://aka.ms/shubtshoot" + $v += " Go to https://aka.ms/shubtshoot" } Write-Host -NoNewline $k -ForegroundColor $color @@ -978,7 +978,7 @@ if ($status.Count -gt 0) elseif ($v[0] -eq "F") { $color = "red" - $v += " Go to http://aka.ms/shubtshoot for help" + $v += " Go to https://aka.ms/shubtshoot for help" } Write-Host -NoNewline $k -ForegroundColor $color diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md index cf30261837..73a50f66c9 100644 --- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md +++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md @@ -127,7 +127,7 @@ The administrative features in Windows 10 Enterprise, such as the Microsoft Mana ### Remote management and monitoring -Surface Hub supports remote management through mobile device management (MDM) solutions such as [Microsoft Intune](https://docs.microsoft.com/en-us/intune/) and monitoring through [Azure Monitor](https://azure.microsoft.com/services/monitor/). +Surface Hub supports remote management through mobile device management (MDM) solutions such as [Microsoft Intune](https://docs.microsoft.com/intune/) and monitoring through [Azure Monitor](https://azure.microsoft.com/services/monitor/). *Organization policies that this may affect:*
Surface Hub doesn't support installing Win32 agents required by most traditional PC management and monitoring tools, such as System Center Operations Manager. diff --git a/devices/surface-hub/surface-hub-2s-phone-authenticate.md b/devices/surface-hub/surface-hub-2s-phone-authenticate.md index ecf42be99d..924b5483ab 100644 --- a/devices/surface-hub/surface-hub-2s-phone-authenticate.md +++ b/devices/surface-hub/surface-hub-2s-phone-authenticate.md @@ -39,4 +39,4 @@ Password-less phone sign-in simplifies signing-in to your meetings and files on 3. If prompted, enter the PIN or biometric ID on your phone to complete sign-in. ## Learn more -For more information, see [Password-less phone sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-authentication-phone-sign-in). +For more information, see [Password-less phone sign-in with the Microsoft Authenticator app](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-phone-sign-in). diff --git a/devices/surface-hub/surface-hub-2s-prepare-environment.md b/devices/surface-hub/surface-hub-2s-prepare-environment.md index 905baa519f..40ae6aeb82 100644 --- a/devices/surface-hub/surface-hub-2s-prepare-environment.md +++ b/devices/surface-hub/surface-hub-2s-prepare-environment.md 
@@ -44,6 +44,6 @@ If you affiliate Surface Hub 2S with on-premises Active Directory Domain Service ## Azure Active Directory -When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Alternatively, you can configure the Device Administrator role to sign in to the Settings app. For more information, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles#device-administrators). Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S. +When choosing to affiliate your Surface Hub 2S with Azure AD, any user in the Global Admins Security Group can sign in to the Settings app on Surface Hub 2S. Alternatively, you can configure the Device Administrator role to sign in to the Settings app. For more information, see [Administrator role permissions in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/users-groups-roles/directory-assign-admin-roles#device-administrators). Currently, no other group can be delegated to sign in to the Settings app on Surface Hub 2S. If you enabled Intune Automatic Enrollment for your organization, Surface Hub 2S will automatically enroll itself with Intune. The device’s Bitlocker key is automatically saved in Azure AD. When affiliating Surface Hub 2S with Azure AD, single sign-on and Easy Authentication will not work. diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md index 610cdcc697..3ba8fce268 100644 --- a/devices/surface-hub/surface-hub-2s-setup.md +++ b/devices/surface-hub/surface-hub-2s-setup.md 
@@ -43,7 +43,7 @@ When you first start Surface Hub 2S, the device automatically enters first time ## Configuring device admin accounts -You can only set up device admins during first time Setup. For more information, refer to [Surface Hub 2S device affiliation](https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-prepare-environment#device-affiliation). +You can only set up device admins during first time Setup. For more information, refer to [Surface Hub 2S device affiliation](https://docs.microsoft.com/surface-hub/surface-hub-2s-prepare-environment#device-affiliation). In the **Setup admins for this device** window, select one of the following options: Active Directory Domain Services, Azure Active Directory, or Local admin. @@ -91,7 +91,7 @@ If you insert a USB thumb drive with a provisioning package into one of the USB ![* Choose provisioning package to use*](images/sh2-run13.png)
-3. If you created a multiple devices CSV file, you will be able to choose a device configuration. For more information, refer to [Create provisioning packages for Surface Hub 2S](https://docs.microsoft.com/en-us/surface-hub/surface-hub-2s-deploy#provisioning-multiple-devices-csv-file). +3. If you created a multiple devices CSV file, you will be able to choose a device configuration. For more information, refer to [Create provisioning packages for Surface Hub 2S](https://docs.microsoft.com/surface-hub/surface-hub-2s-deploy#provisioning-multiple-devices-csv-file). ![* Select a device account and friendly name from your configuration file*](images/sh2-run14.png)
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index ed052860e4..db19c6a962 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -134,7 +134,7 @@ Additionally, the Status payload includes the following fields: Supported operation is Get. **./Device/Vendor/MSFT/AssignedAccess/ShellLauncher** -Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shelllauncher). +Added in Windows 10,version 1803. This node accepts a ShellLauncherConfiguration xml as input. Click [link](#shelllauncherconfiguration-xsd) to see the schema. Shell Launcher V2 is introduced in Windows 10, version 1903 to support both UWP and Win32 apps as the custom shell. For more information, see [Shell Launcher](https://docs.microsoft.com/windows/configuration/kiosk-shelllauncher). > [!Note] > You cannot set both ShellLauncher and KioskModeApp at the same time on the device. diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md index 8c363af466..45e5fb53df 100644 --- a/windows/deployment/deploy-m365.md +++ b/windows/deployment/deploy-m365.md @@ -67,7 +67,7 @@ Examples of these two deployment advisors are shown below. ## M365 Enterprise poster -[![M365 Enterprise poster](images/m365e.png)](http://aka.ms/m365eposter) +[![M365 Enterprise poster](images/m365e.png)](https://aka.ms/m365eposter) ## Related Topics diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index 568b71cc11..09e1761cd6 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md 
@@ -419,7 +419,7 @@ This issue occurs because in Windows 10, version 1903 and later versions, MBR2GP To fix this issue, mount the Windows PE image (WIM), copy the missing file from the [Windows 10, version 1903 Assessment and Development Kit (ADK)](https://go.microsoft.com/fwlink/?linkid=2086042) source, and then commit the changes to the WIM. To do this, follow these steps: -1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). +1. Mount the Windows PE WIM to a path (for example, C:\WinPE_Mount). For more information about how to mount WIM files, see [Mount an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#mount-an-image). 2. Copy the ReAgent files and the ReAgent localization files from the Window 10, version 1903 ADK source folder to the mounted WIM. 
@@ -446,7 +446,7 @@ To fix this issue, mount the Windows PE image (WIM), copy the missing file from >![Note] >If you aren't using an English version of Windows, replace "En-Us" in the path with the appropriate string that represents the system language. -3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). +3. After you copy all the files, commit the changes and unmount the Windows PE WIM. MBR2GPT.exe now functions as expected in Windows PE. For information about how to unmount WIM files while committing changes, see [Unmounting an image](https://docs.microsoft.com/windows-hardware/manufacture/desktop/mount-and-modify-a-windows-image-using-dism#unmounting-an-image). ## Related topics diff --git a/windows/deployment/update/update-compliance-wd-av-status.md b/windows/deployment/update/update-compliance-wd-av-status.md index 962f5cdcfd..716a071e38 100644 --- a/windows/deployment/update/update-compliance-wd-av-status.md +++ b/windows/deployment/update/update-compliance-wd-av-status.md @@ -39,4 +39,4 @@ Because of the way Windows Defender is associated with the rest of Windows devic ## Related topics -- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) +- [Windows Defender Antivirus pre-requisites](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting#confirm-pre-requisites) diff --git a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md index 58c89a6256..8a8a072615 100644 
--- a/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md +++ b/windows/privacy/license-terms-windows-diagnostic-data-for-powershell.md @@ -46,7 +46,7 @@ d) use the software in any way that is against the law or to create or propagate e) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted solution for others to use, or transfer the software or this agreement to any third party. -4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit http://aka.ms/exporting. +4. EXPORT RESTRICTIONS. You must comply with all domestic and international export laws and regulations that apply to the software, which include restrictions on destinations, end users, and end use. For further information on export restrictions, visit https://aka.ms/exporting. 5. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services for the software. Any support provided is “as is”, “with all faults”, and without warranty of any kind. diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md index 843d0975aa..84112c5107 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services-using-MDM.md 
@@ -107,7 +107,7 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | | [Defender/SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-submitsamplesconsent) | Stop sending file samples back to Microsoft. **Set to 2 (two)** | 23.1 Windows Defender Smartscreen | [Browser/AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | Disable Windows Defender Smartscreen. **Set to 0 (zero)** | 23.2 Windows Defender Smartscreen EnableAppInstallControl | [SmartScreen/EnableAppInstallControl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-smartscreen#smartscreen-enableappinstallcontrol) | Controls whether users are allowed to install apps from places other than the Microsoft Store. **Set to 0 (zero)** -| 23.3 Windows Defender Potentially Unwanted Applications(PUA) Protection | [Defender/PUAProtection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-puaprotection) | Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)** +| 23.3 Windows Defender Potentially Unwanted Applications(PUA) Protection | [Defender/PUAProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-puaprotection) | Specifies the level of detection for potentially unwanted applications (PUAs). **Set to 1 (one)** | 24. Windows Spotlight | [Experience/AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsspotlight) | Disable Windows Spotlight. **Set to 0 (zero)** | 25. 
Microsoft Store | [ApplicationManagement/DisableStoreOriginatedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-disablestoreoriginatedapps)| Boolean value that disables the launch of all apps from Microsoft Store that came pre-installed or were downloaded. **Set to 1 (one)** | | [ApplicationManagement/AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowappstoreautoupdate)| Specifies whether automatic update of apps from Microsoft Store are allowed. **Set to 0 (zero)** 
@@ -115,8 +115,8 @@ For Windows 10, the following MDM policies are available in the [Policy CSP](htt | 26. Windows Update Delivery Optimization | | The following Delivery Optimization MDM policies are available in the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). | | [DeliveryOptimization/DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodownloadmode)| Lets you choose where Delivery Optimization gets or sends updates and apps. **Set to 100 (one hundred)** | 27. Windows Update | [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) | Control automatic updates. **Set to 5 (five)** -| 27.1 Windows Update Allow Update Service | [Update/AllowUpdateService](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) | Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)** -| 27.2 Windows Update Service URL| [Update/UpdateServiceUrl](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) | Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with this Value: +| 27.1 Windows Update Allow Update Service | [Update/AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowupdateservice) | Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. **Set to 0 (zero)** +| 27.2 Windows Update Service URL| [Update/UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updateserviceurl) | Allows the device to check for updates from a WSUS server instead of Microsoft Update. **Set to String** with this Value: $CmdID$ 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md index a3625890b5..a6622c810c 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview-and-requirements-faq.md @@ -54,7 +54,7 @@ BitLocker supports TPM version 1.2 or higher. BitLocker support for TPM 2.0 requ > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. -> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. +> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. ## How can I tell if a TPM is on my computer? diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md index 9b9350921a..d15b81c76a 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-overview.md +++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md 
@@ -63,7 +63,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. -> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. +> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. The hard disk must be partitioned with at least two drives: diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index b058f905a9..a1a64bebe4 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md 
@@ -72,7 +72,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in > [!NOTE] > TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature. -> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/en-us/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. +> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](https://docs.microsoft.com/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI. ## Discrete, Integrated or Firmware TPM? diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md index c22f668986..fbe2aa1d4c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md @@ -37,7 +37,7 @@ The following best practices serve as a guideline of query performance best prac - When joining between two tables, project only needed columns from both sides of the join. >[!Tip] ->For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/en-us/azure/kusto/query/best-practices). +>For more guidance on improving query performance, read [Kusto query best practices](https://docs.microsoft.com/azure/kusto/query/best-practices). ## Query tips and pitfalls 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md index 919befad8e..1eadc36802 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configuration-score.md @@ -48,7 +48,7 @@ The goal is to remediate the issues in the security recommendations list to impr - **Related component** — **Accounts**, **Application**, **Network**, **OS**, or **Security controls** - **Remediation type** — **Configuration change** or **Software update** -See how you can [improve your security configuration](https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details. +See how you can [improve your security configuration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios#improve-your-security-configuration), for details. ## Related topics - [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md index f09ddf1096..249194856f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines-onboarding.md 
@@ -69,7 +69,7 @@ From the overview, create a configuration profile specifically for the deploymen *Assigning the new agent profile to all machines* >[!TIP] ->To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-profile-assign). +>To learn more about Intune profiles, read [Assign user and device profiles in Microsoft Intune](https://docs.microsoft.com/intune/device-profile-assign). >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-onboardconfigure-belowfoldlink) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md index 31fbc743c6..dc6f926ceb 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-machines.md 
@@ -47,13 +47,13 @@ In doing so, you benefit from: Machine configuration management works closely with Intune device management to establish the inventory of the machines in your organization and the baseline security configuration. You will be able to track and manage configuration issues on Intune-managed Windows 10 machines. -Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/en-us/intune/windows-enroll). +Before you can ensure your machines are configured properly, enroll them to Intune management. Intune enrollment is robust and has several enrollment options for Windows 10 machines. For more information about Intune enrollment options, read [Set up enrollment for Windows devices](https://docs.microsoft.com/intune/windows-enroll). >[!NOTE] ->To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/en-us/intune/licenses-assign). +>To enroll Windows devices to Intune, administrators must have already been assigned licenses. [Read about assigning licenses for device enrollment](https://docs.microsoft.com/intune/licenses-assign). >[!TIP] ->To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). +>To optimize machine management through Intune, [connect Intune to Microsoft Defender ATP](https://docs.microsoft.com/intune/advanced-threat-protection#enable-windows-defender-atp-in-intune). ## Known issues and limitations in this preview During preview, you might encounter a few known limitations: 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md index 74282e67bc..6dfcdb8e95 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-event-hub.md @@ -27,7 +27,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w ## Before you begin: -1. Create an [event hub](https://docs.microsoft.com/en-us/azure/event-hubs/) in your tenant. +1. Create an [event hub](https://docs.microsoft.com/azure/event-hubs/) in your tenant. 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****. ## Enable raw data streaming: @@ -86,4 +86,4 @@ To get the data types for event properties do the following: - [Overview of Advanced Hunting](overview-hunting.md) - [Microsoft Defender ATP streaming API](raw-data-export.md) - [Stream Microsoft Defender ATP events to your Azure storage account](raw-data-export-storage.md) -- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/) +- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md index 1cea01f7d1..d969ecb9ab 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export-storage.md 
@@ -27,7 +27,7 @@ Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://w ## Before you begin: -1. Create a [Storage account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) in your tenant. +1. Create a [Storage account](https://docs.microsoft.com/azure/storage/common/storage-account-overview) in your tenant. 2. Log in to your [Azure tenant](https://ms.portal.azure.com/), go to **Subscriptions > Your subscription > Resource Providers > Register to **Microsoft.insights****. ## Enable raw data streaming: @@ -86,4 +86,4 @@ In order to get the data types for our events properties do the following: - [Overview of Advanced Hunting](overview-hunting.md) - [Microsoft Defender Advanced Threat Protection Streaming API](raw-data-export.md) - [Stream Microsoft Defender Advanced Threat Protection events to your Azure storage account](raw-data-export-storage.md) -- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) +- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md index 1349b4a57b..3da3cdc512 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md +++ b/windows/security/threat-protection/microsoft-defender-atp/raw-data-export.md 
@@ -27,7 +27,7 @@ ms.topic: article ## Stream Advanced Hunting events to Event Hubs and/or Azure storage account. -Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/en-us/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/en-us/azure/event-hubs/). +Microsoft Defender ATP supports streaming all the events available through [Advanced Hunting](overview-hunting.md) to an [Event Hubs](https://docs.microsoft.com/azure/event-hubs/) and/or [Azure storage account](https://docs.microsoft.com/azure/event-hubs/). ## In this section @@ -39,5 +39,5 @@ Topic | Description ## Related topics - [Overview of Advanced Hunting](overview-hunting.md) -- [Azure Event Hubs documentation](https://docs.microsoft.com/en-us/azure/event-hubs/) -- [Azure Storage Account documentation](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-overview) +- [Azure Event Hubs documentation](https://docs.microsoft.com/azure/event-hubs/) +- [Azure Storage Account documentation](https://docs.microsoft.com/azure/storage/common/storage-account-overview) diff --git a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md index e3f2bdf6ef..499d34f2f0 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md +++ b/windows/security/threat-protection/microsoft-defender-atp/threat-and-vuln-mgt-scenarios.md 
@@ -118,7 +118,7 @@ Security Administrators like you can request for the IT Administrator to remedia 4. Go to the **Remediation** page to view the status of your remediation request. -See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/en-us/intune/atp-manage-vulnerabilities) for details. +See [Use Intune to remediate vulnerabilities identified by Microsoft Defender ATP](https://docs.microsoft.com/intune/atp-manage-vulnerabilities) for details. >[!NOTE] >If your request involves remediating more than 10,000 machines, we can only send 10,000 machines for remediation to Intune. diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index 19c45e73de..d6235da27e 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md @@ -81,7 +81,7 @@ See [Manage Windows Defender Antivirus with the mpcmdrun.exe commandline tool](c You can download a sample file that Windows Defender Antivirus will detect and block if you are properly connected to the cloud. Download the file by visiting the following link: -- http://aka.ms/ioavtest +- https://aka.ms/ioavtest >[!NOTE] >This file is not an actual piece of malware. It is a fake file that is designed to test if you are properly connected to the cloud. diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md index 92ee617ff5..dde9d19622 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md +++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-updates.md @@ -34,7 +34,7 @@ If you decide to deploy updates by using your software distribution tools, you s ## Use msupdate -MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate). +MAU includes a command line tool, called *msupdate*, that is designed for IT administrators so that they have more precise control over when updates are applied. Instructions for how to use this tool can be found in [Update Office for Mac by using msupdate](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate). In MAU, the application identifier for Microsoft Defender ATP for Mac is *WDAV00*. To download and install the latest updates for Microsoft Defender ATP for Mac, execute the following command from a Terminal window: @@ -141,4 +141,4 @@ To configure MAU, you can deploy this configuration profile from the management ## Resources -- [msupdate reference](https://docs.microsoft.com/en-us/deployoffice/mac/update-office-for-mac-using-msupdate) \ No newline at end of file +- [msupdate reference](https://docs.microsoft.com/deployoffice/mac/update-office-for-mac-using-msupdate) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md index a194696c88..787e3d4728 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md 
+++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-reporting.md @@ -53,7 +53,7 @@ In order for devices to properly show up in Update Compliance, you have to meet > - If the endpoint is running Windows 10 version 1607 or earlier, [Windows 10 diagnostic data must be set to the Enhanced level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level). > - It has been 3 days since all requirements have been met -“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" +“You can use Windows Defender Antivirus with Update Compliance. You’ll see status for E3, B, F1, VL, and Pro licenses. However, for E5 licenses, you need to use the Microsoft Defender ATP portal (https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints). To learn more about licensing options, see Windows 10 product licensing options" If the above pre-requisites have all been met, you might need to proceed to the next step to collect diagnostic information and send it to us. diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md index fd0c3af5a7..824b53c0f6 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md 
@@ -40,7 +40,7 @@ This new security configuration framework, which we affectionately nickname the The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices (Levels 1, 2, and 3). -Microsoft’s current guidance on [Privileged Access Workstations](http://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](http://aka.ms/privsec). +Microsoft’s current guidance on [Privileged Access Workstations](https://aka.ms/privsec) are part of the [Securing Privileged Access roadmap](https://aka.ms/privsec). Microsoft recommends reviewing and categorizing your devices, and then configuring them using the prescriptive guidance for that level. Level 1 should be considered the minimum baseline for an enterprise device, and Microsoft recommends increasing the protection based on both threat environment and risk appetite. From 04fcf4d3a2cdab869e4ff0a41d58c02780e05d8c Mon Sep 17 00:00:00 2001 
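Review bot: In the raw-data-export.md hunk at @@ -27,7 the "Azure storage account" link still points at the Event Hubs documentation (https://docs.microsoft.com/azure/event-hubs/) on both the removed and the added line, so this change only strips the locale from a wrong target. Since the line is being rewritten anyway, point it at https://docs.microsoft.com/azure/storage/common/storage-account-overview, which is the URL the same file's Related topics list uses for "Azure Storage Account documentation".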
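Review bot: In the microsoft-defender-atp-mac-updates.md hunk at @@ -141,4 the file still ends without a trailing newline ("\ No newline at end of file" appears on both sides of the change). The last line is being rewritten here, so add the newline now; otherwise the next edit to that file will carry the same noise.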
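Review bot: In the troubleshoot-reporting.md hunk at @@ -53,7 the rewritten quotation opens with a curly quote (“) and closes with a straight quote ("), and the configure-endpoints URL is left as bare text inside parentheses. While touching the line, make the quotes match and wrap the URL as a markdown link, as the other files in this patch do.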
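Review bot: In the windows-security-configuration-framework.md hunk at @@ -40,7 the changed sentence reads "guidance on [Privileged Access Workstations] are part of", which should be "is part of", and both links in it resolve to the same target (https://aka.ms/privsec), so the second link adds nothing. Fix the agreement while editing the line, and either drop the duplicate link or give the "Securing Privileged Access roadmap" link a distinct target if one exists.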
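Review bot: In the raw-data-export-event-hub.md hunk at @@ -27,7 (and the identical hunk in raw-data-export-storage.md) the context line "Register to **Microsoft.insights****" nests bold inside bold, which markdown will not render as intended. It is unchanged context, but since the adjacent list item is being edited, consider closing the outer bold before the provider name, e.g. "**Subscriptions > Your subscription > Resource Providers > Register to** **Microsoft.insights**".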
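Review bot: In the configuration-score.md hunk at @@ -48,7 the rewritten sentence keeps the stray comma in "[improve your security configuration](...), for details." Drop the comma while the line is being changed.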
From: Nick Schonning Date: Sun, 14 Jul 2019 00:51:46 -0400 Subject: [PATCH 065/137] fix: Replace generic "syntax" with language code --- ...schema-reference-for-ue-v-2x-both-uevv2.md | 322 +++++++++--------- ...ed-security-identifiers-with-powershell.md | 5 +- .../client-management/mdm/activesync-csp.md | 4 +- .../mdm/assignedaccess-csp.md | 4 +- .../mdm/certificatestore-csp.md | 10 +- .../mdm/cm-cellularentries-csp.md | 8 +- windows/client-management/mdm/cmpolicy-csp.md | 8 +- .../mdm/cmpolicyenterprise-csp.md | 8 +- .../mdm/customdeviceui-csp.md | 6 +- .../mdm/device-update-management.md | 4 +- .../mdm/deviceinstanceservice-csp.md | 4 +- .../client-management/mdm/devicelock-csp.md | 2 +- .../mdm/diagnosticlog-csp.md | 4 +- .../disconnecting-from-mdm-unenrollment.md | 2 +- windows/client-management/mdm/dmclient-csp.md | 8 +- .../mdm/dynamicmanagement-csp.md | 10 +- .../mdm/enable-admx-backed-policies-in-mdm.md | 10 +- ...dded-8-1-handheld-devices-to-windows-10.md | 2 +- .../mdm/enterprise-app-management.md | 58 ++-- .../mdm/enterpriseapn-csp.md | 2 +- .../mdm/enterpriseappmanagement-csp.md | 16 +- .../mdm/enterpriseassignedaccess-csp.md | 46 +-- .../mdm/enterprisedesktopappmanagement-csp.md | 34 +- .../mdm/enterpriseextfilessystem-csp.md | 6 +- .../mdm/enterprisemodernappmanagement-csp.md | 15 +- ...erated-authentication-device-enrollment.md | 12 +- windows/client-management/mdm/hotspot-csp.md | 2 +- ...rver-side-mobile-application-management.md | 2 +- windows/client-management/mdm/maps-csp.md | 4 +- .../client-management/mdm/messaging-csp.md | 2 +- .../mdm/mobile-device-enrollment.md | 4 +- windows/client-management/mdm/multisim-csp.md | 8 +- ...ew-in-windows-mdm-enrollment-management.md | 4 +- .../client-management/mdm/nodecache-csp.md | 16 +- windows/client-management/mdm/office-csp.md | 6 +- ...remise-authentication-device-enrollment.md | 12 +- .../mdm/passportforwork-csp.md | 2 +- .../mdm/personalization-csp.md | 2 +- 
.../policy-configuration-service-provider.md | 4 +- .../mdm/policy-csp-applicationmanagement.md | 6 +- .../mdm/policy-csp-deviceinstallation.md | 10 +- .../mdm/policy-csp-internetexplorer.md | 2 +- .../mdm/policy-csp-restrictedgroups.md | 2 +- .../mdm/policy-csp-userrights.md | 2 +- .../mdm/policy-csp-windowslogon.md | 2 +- .../mdm/registry-ddf-file.md | 2 +- .../client-management/mdm/remotefind-csp.md | 2 +- .../bitlocker-how-to-enable-network-unlock.md | 47 +-- .../pull-alerts-using-rest-api.md | 2 +- .../python-example-code.md | 12 +- 50 files changed, 379 insertions(+), 388 deletions(-) diff --git a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md index cf5d567d3a..fd3074b66a 100644 --- a/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md +++ b/mdop/uev-v2/application-template-schema-reference-for-ue-v-2x-both-uevv2.md @@ -240,7 +240,7 @@ Version identifies the version of the settings location template for administrat **Hint:** You can save notes about version changes using XML comment tags ``, for example: -``` syntax +```xml `, for example: -``` syntax - - 4 + Version 1 Jul 05, 2012 Initial template created by Generator - Denise@Contoso.com + Version 2 Jul 31, 2012 Added support for app.exe v2.1.3 - Mark@Contoso.com + Version 3 Jan 01, 2013 Added font settings support - Mark@Contoso.com + Version 4 Jan 31, 2013 Added support for plugin settings - Tony@Contoso.com + --> +4 ``` **Important**   
@@ -1216,25 +1215,25 @@ Author identifies the creator of the settings location template. Two optional ch Processes contains at least one `` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example: -``` syntax - - MyApplication.exe - Win64 - MyApplication - MyApplication.exe - - - - - - - - - - - - - +```xml + + MyApplication.exe + Win64 + MyApplication + MyApplication.exe + + + + + + + + + + + + + ``` ### Filename @@ -1291,14 +1290,14 @@ UE-V does not support ARM processors in this version. ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This allows for more easily understood descriptions of a process where the executable name may not be obvious. For example: -``` syntax - - MyApplication.exe - My Application 6.x by Contoso.com - - - - +```xml + + MyApplication.exe + My Application 6.x by Contoso.com + + + + ``` ### FileDescription @@ -1311,23 +1310,22 @@ FileDescription is an optional tag that allows for an administrative description For example, in a suited application, it might be useful to provide reminders about the function of two executables (MyApplication.exe and MyApplicationHelper.exe), as shown here: -``` syntax +```xml - - - MyApplication.exe - My Application Main Engine - - - - - - MyApplicationHelper.exe - My Application Background Process Executable - - - - + + MyApplication.exe + My Application Main Engine + + + + + + MyApplicationHelper.exe + My Application Background Process Executable + + + + ``` 
@@ -1345,44 +1343,44 @@ The product and file version elements may be left unspecified. Doing so makes th Product version: 1.0 specified in the UE-V Generator produces the following XML: -``` syntax - - - - +```xml + + + + ``` **Example 2:** File version: 5.0.2.1000 specified in the UE-V Generator produces the following XML: -``` syntax - - - - - - +```xml + + + + + + ``` **Incorrect Example 1 – incomplete range:** Only the Minimum attribute is present. Maximum must be included in a range as well. -``` syntax - - - +```xml + + + ``` **Incorrect Example 2 – Minor specified without Major element:** Only the Minor element is present. Major must be included as well. -``` syntax - - - +```xml + + + ``` ### FileVersion @@ -1399,19 +1397,19 @@ Including a FileVersion element for an application allows for more granular fine The child elements and syntax rules for FileVersion are identical to those of ProductVersion. -``` syntax - - MSACCESS.EXE - Win32 - - - - - - - - - +```xml + + MSACCESS.EXE + Win32 + + + + + + + + + ``` ### Application Element diff --git a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md index 90350a2913..f4075f53b1 100644 --- a/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md +++ b/windows/application-management/app-v/appv-install-the-appv-databases-and-convert-the-associated-security-identifiers-with-powershell.md 
@@ -42,7 +42,7 @@ Before attempting this procedure, you should read and understand the information 2. To open a Windows PowerShell console, click **Start** and type **PowerShell**. Right-click **Windows PowerShell** and select **Run as Administrator**. - ``` syntax + ```powershell <# .SYNOPSIS This Windows PowerShell script will take an array of account names and try to convert each of them to the corresponding SID in standard and hexadecimal formats. @@ -59,9 +59,6 @@ Before attempting this procedure, you should read and understand the information .\ConvertToSID.ps1 $accountsArray | Write-Output -FilePath .\SIDs.txt -Width 200 #> - []() - - []() function ConvertSIDToHexFormat {    param([System.Security.Principal.SecurityIdentifier]$sidToConvert) diff --git a/windows/client-management/mdm/activesync-csp.md b/windows/client-management/mdm/activesync-csp.md index f8b87748fa..9761cd0e66 100644 --- a/windows/client-management/mdm/activesync-csp.md +++ b/windows/client-management/mdm/activesync-csp.md @@ -60,13 +60,13 @@ When managing over OMA DM, make sure to always use a unique GUID. Provisioning w Braces { } are required around the GUID. In OMA Client Provisioning, you can type the braces. For example: -``` syntax +```xml ``` For OMA DM, you must use the ASCII values of %7B and %7D for the opening and closing braces, respectively. For example, if the GUID is "C556E16F-56C4-4EDB-9C64-D9469EE1FBE0", type: -``` syntax +```xml ./Vendor/MSFT/ActiveSync/Accounts/%7BC556E16F-56C4-4EDB-9C64-D9469EE1FBE0%7D diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index ed052860e4..778c8e5395 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -796,7 +796,7 @@ StatusConfiguration Get StatusConfiguration Replace On -```syntax +```xml @@ -1219,7 +1219,7 @@ ShellLauncherConfiguration Get ## AssignedAccessAlert XSD -```syntax +```xml 1 
@@ -379,7 +379,7 @@ Add a root certificate to the MDM server. Get all installed client certificates. -``` syntax +```xml 1 @@ -394,7 +394,7 @@ Get all installed client certificates. Delete a root certificate. -``` syntax +```xml 1 @@ -409,7 +409,7 @@ Delete a root certificate. Configure the device to enroll a client certificate through SCEP. -``` syntax +```xml 100 @@ -588,7 +588,7 @@ Configure the device to enroll a client certificate through SCEP. Configure the device to automatically renew an MDM client certificate with the specified renew period and retry interval. -``` syntax +```xml 1 diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 6ef3f48d8b..567dfd207e 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -198,7 +198,7 @@ The following diagram shows the CM\_CellularEntries configuration service provid To delete a connection, you must first delete any associated proxies and then delete the connection. The following example shows how to delete the proxy and then the connection. -``` syntax +```xml @@ -214,7 +214,7 @@ To delete a connection, you must first delete any associated proxies and then de Configuring a GPRS connection: -``` syntax +```xml @@ -231,7 +231,7 @@ Configuring a GPRS connection: Configuring an LTE connection: -``` syntax +```xml @@ -250,7 +250,7 @@ Configuring an LTE connection: Configuring a CDMA connection: -``` syntax +```xml diff --git a/windows/client-management/mdm/cmpolicy-csp.md b/windows/client-management/mdm/cmpolicy-csp.md index e9c0f37c15..1dfca8abb1 100644 --- a/windows/client-management/mdm/cmpolicy-csp.md +++ b/windows/client-management/mdm/cmpolicy-csp.md 
@@ -240,7 +240,7 @@ Specifies the type of connection being referenced. The following list describes Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. -``` syntax +```xml @@ -285,7 +285,7 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. -``` syntax +```xml @@ -334,7 +334,7 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C Adding an application-based mapping policy: -``` syntax +```xml @@ -401,7 +401,7 @@ Adding an application-based mapping policy: Adding a host-based mapping policy: -``` syntax +```xml diff --git a/windows/client-management/mdm/cmpolicyenterprise-csp.md b/windows/client-management/mdm/cmpolicyenterprise-csp.md index f601f858de..08d0040594 100644 --- a/windows/client-management/mdm/cmpolicyenterprise-csp.md +++ b/windows/client-management/mdm/cmpolicyenterprise-csp.md @@ -240,7 +240,7 @@ Specifies the type of connection being referenced. The following list describes Adding an application-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. -``` syntax +```xml 
@@ -285,7 +285,7 @@ Adding an application-based mapping policy. In this example, the ConnectionId fo Adding a host-based mapping policy. In this example, the ConnectionId for type CMST\_CONNECTION\_NAME is set to the name of the connection (“GPRSConn1”) that is configured with the CM\_CellularEntries configuration service provider. -``` syntax +```xml @@ -334,7 +334,7 @@ Adding a host-based mapping policy. In this example, the ConnectionId for type C Adding an application-based mapping policy: -``` syntax +```xml @@ -401,7 +401,7 @@ Adding an application-based mapping policy: Adding a host-based mapping policy: -``` syntax +```xml diff --git a/windows/client-management/mdm/customdeviceui-csp.md b/windows/client-management/mdm/customdeviceui-csp.md index 6e5b89a1b1..05add93e6a 100644 --- a/windows/client-management/mdm/customdeviceui-csp.md +++ b/windows/client-management/mdm/customdeviceui-csp.md @@ -38,7 +38,7 @@ Package Full Name of the App that needs be launched in the background. This can **Set StartupAppID** -``` syntax +```xml @@ -60,7 +60,7 @@ Package Full Name of the App that needs be launched in the background. This can **Get all background tasks** -``` syntax +```xml @@ -78,7 +78,7 @@ Package Full Name of the App that needs be launched in the background. This can **Add background task** -``` syntax +```xml diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 0888128b87..13a78b2032 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md @@ -648,7 +648,7 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego Example -``` syntax +```xml $CmdID$ @@ -919,7 +919,7 @@ The following screenshots of the administrator console shows the list of update Set auto update to notify and defer. -``` syntax +```xml 
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md index 40379541ed..09d6af05e4 100644 --- a/windows/client-management/mdm/deviceinstanceservice-csp.md +++ b/windows/client-management/mdm/deviceinstanceservice-csp.md @@ -70,7 +70,7 @@ The parent node to group SIM2 specific information in case of dual SIM mode. The following sample shows how to query roaming status and phone number on the device. -``` syntax +```xml 2 @@ -88,7 +88,7 @@ The following sample shows how to query roaming status and phone number on the d Response from the phone. -``` syntax +```xml 3 1 diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md index b2cf37371d..246408076e 100644 --- a/windows/client-management/mdm/devicelock-csp.md +++ b/windows/client-management/mdm/devicelock-csp.md @@ -126,7 +126,7 @@ Required. This node has the same set of policy nodes as the **ProviderID** node. Set device lock policies: -``` syntax +```xml 13 diff --git a/windows/client-management/mdm/diagnosticlog-csp.md b/windows/client-management/mdm/diagnosticlog-csp.md index 98c675ebf6..44c558fde0 100644 --- a/windows/client-management/mdm/diagnosticlog-csp.md +++ b/windows/client-management/mdm/diagnosticlog-csp.md @@ -420,7 +420,7 @@ Default value is 0 meaning no keyword. Get provider **Keywords** -``` syntax +```xml @@ -440,7 +440,7 @@ Get provider **Keywords** Set provider **Keywords** -``` syntax +```xml diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md index 6c7e0be2f3..3cb1682333 100644 --- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md +++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md 
@@ -105,7 +105,7 @@ After the previous package is sent, the unenrollment process begins. When the server initiates disconnection, all undergoing sessions for the enrollment ID are aborted immediately to avoid deadlocks. The server will not get a response for the unenrollment, instead a generic alert notification is sent with messageid=1. -``` syntax +```xml 4 1226 diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md index 4dd6ad8b3d..7946edba39 100644 --- a/windows/client-management/mdm/dmclient-csp.md +++ b/windows/client-management/mdm/dmclient-csp.md @@ -70,7 +70,7 @@ Supported operation is Get. The following is a Get command example. -``` syntax +```xml 12 @@ -173,7 +173,7 @@ To work around the timeout, you can use this setting to keep the session alive b Here is an example of DM message sent by the device when it is in pending state: -``` syntax +```xml 1.2 @@ -229,7 +229,7 @@ Added in Windows 10, version 1607. The list of management server URLs in the fo -``` syntax +```xml 101 @@ -770,7 +770,7 @@ Note that <LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI> is suppor The following SyncML shows how to remotely unenroll the device. Note that this command should be inserted in the general DM packages sent from the server to the device. -``` syntax +```xml 2 diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index d8747df10d..e7d55aedc0 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -29,7 +29,7 @@ The following diagram shows the DynamicManagement configuration service provider

Default value is False. Supported operations are Get and Replace.

Example to turn on NotificationsEnabled:

-``` syntax +```xml 100 @@ -84,7 +84,7 @@ The following diagram shows the DynamicManagement configuration service provider Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 meters radius of the specified latitude/longitude -``` syntax +```xml 200 @@ -138,7 +138,7 @@ Disable Cortana based on Geo location and time, From 9am-5pm, when in the 100 me Disable camera using network trigger with time trigger, from 9-5, when ip4 gateway is 192.168.0.1 -``` syntax +```xml 300 @@ -193,7 +193,7 @@ Disable camera using network trigger with time trigger, from 9-5, when ip4 gatew Delete a context -``` syntax +```xml 400 @@ -206,7 +206,7 @@ Delete a context Get ContextStatus and SignalDefinition from a specific context -``` syntax +```xml 400 diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index 8e61116fdd..f97a70c2f7 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -64,7 +64,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( > [!NOTE] > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. -``` syntax +```xml @@ -114,7 +114,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( Here is the snippet from appv.admx: - ``` syntax + ```xml 
@@ -226,7 +226,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( > [!NOTE] > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. - ``` syntax + ```xml @@ -264,7 +264,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( The \ payload is \. Here is an example to disable AppVirtualization/PublishingAllowServer2. -``` syntax +```xml diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md index 645484d8fa..e05ab31e6f 100644 --- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md +++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md @@ -275,7 +275,7 @@ After the installation of updates is completed, the IT Admin can use the DURepor ## Example PowerShell script -``` syntax +```powershell param ( # [Parameter (Mandatory=$true, HelpMessage="Input File")] [String]$inputFile, diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md index 2502635341..b809041a65 100644 --- a/windows/client-management/mdm/enterprise-app-management.md +++ b/windows/client-management/mdm/enterprise-app-management.md @@ -78,7 +78,7 @@ Note that performing a full inventory of a device can be resource intensive on t Here is an example of a query for all apps on the device. -``` syntax +```xml 1 @@ -92,7 +92,7 @@ Here is an example of a query for all apps on the device. Here is an example of a query for a specific app for a user. -``` syntax +```xml 1 
@@ -121,7 +121,7 @@ For detailed descriptions of each node, see [EnterpriseModernAppManagement CSP]( Here is an example of a query for all app licenses on a device. -``` syntax +```xml 1 @@ -135,7 +135,7 @@ Here is an example of a query for all app licenses on a device. Here is an example of a query for all app licenses for a user. -``` syntax +```xml 1 @@ -161,7 +161,7 @@ For more information about the AllowAllTrustedApps policy, see [Policy CSP](poli Here are some examples. -``` syntax +```xml 1 @@ -199,7 +199,7 @@ For more information about the AllowDeveloperUnlock policy, see [Policy CSP](pol Here is an example. -``` syntax +```xml 1 @@ -244,7 +244,7 @@ Here are the requirements for this scenario: Here are some examples. -``` syntax +```xml 1 @@ -281,7 +281,7 @@ In the SyncML, you need to specify the following information in the Exec command Here is an example of an offline license installation. -``` syntax +```xml 1 @@ -315,7 +315,7 @@ The Add command for the package family name is required to ensure proper removal Here is an example of a line-of-business app installation. -``` syntax +```xml 0 @@ -342,7 +342,7 @@ Here is an example of a line-of-business app installation. Here is an example of an app installation with dependencies. -``` syntax +```xml 0 @@ -376,7 +376,7 @@ Here is an example of an app installation with dependencies. Here is an example of an app installation with dependencies and optional packages. -``` syntax +```xml 0 @@ -438,7 +438,7 @@ Here is an example of app installation. > **Note**  This is only supported in Windows 10 for desktop editions. -``` syntax +```xml 0 @@ -475,7 +475,7 @@ Here is an example of app installation with dependencies. > **Note**  This is only supported in Windows 10 for desktop editions. -``` syntax +```xml 0 @@ -526,7 +526,7 @@ When an app is installed successfully, the node is cleaned up and no longer pres Here is an example of a query for a specific app installation. -``` syntax +```xml 2 
@@ -540,7 +540,7 @@ Here is an example of a query for a specific app installation. Here is an example of a query for all app installations. -``` syntax +```xml 2 @@ -558,7 +558,7 @@ Application installations can take some time to complete, hence they are done as Here is an example of an alert. -``` syntax +```xml 4 1226 @@ -594,7 +594,7 @@ To uninstall an app, you delete it under the origin node, package family name, a Here is an example for uninstalling all versions of an app for a user. -``` syntax +```xml 1 @@ -608,7 +608,7 @@ Here is an example for uninstalling all versions of an app for a user. Here is an example for uninstalling a specific version of the app for a user. -``` syntax +```xml 1 @@ -631,7 +631,7 @@ Removing provisioned app occurs in the device context. Here is an example for removing a provisioned app from a device. -``` syntax +```xml 1 @@ -645,7 +645,7 @@ Here is an example for removing a provisioned app from a device. Here is an example for removing a specific version of a provisioned app from a device: -``` syntax +```xml 1 @@ -663,7 +663,7 @@ You can remove app licenses from a device per app based on the content ID. Here is an example for removing an app license for a user. -``` syntax +```xml 1 @@ -677,7 +677,7 @@ Here is an example for removing an app license for a user. Here is an example for removing an app license for a provisioned package (device context). -``` syntax +```xml 1 @@ -697,7 +697,7 @@ For user-based uninstallation, use ./User in the LocURI, and for provisioning, u Here is an example. There is only one uninstall for hosted and store apps. -``` syntax +```xml 1226 @@ -723,7 +723,7 @@ To update an app from Microsoft Store, the device requires contact with the stor Here is an example of an update scan. -``` syntax +```xml 1 @@ -737,7 +737,7 @@ Here is an example of an update scan. Here is an example of a status check. -``` syntax +```xml 1 
@@ -766,7 +766,7 @@ Turning off updates only applies to updates from the Microsoft Store at the devi Here is an example. -``` syntax +```xml 1 @@ -795,7 +795,7 @@ You can install app on non-system volumes, such as a secondary partition or remo Here is an example. -``` syntax +```xml 1 @@ -832,7 +832,7 @@ The RestrictAppDataToSystemVolume policy in [Policy CSP](policy-configuration-se Here is an example. -``` syntax +```xml 1 @@ -873,7 +873,7 @@ The valid values are 0 (off, default value) and 1 (on). Here is an example. -``` syntax +```xml 1 diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md index 2b091686b2..d2b3bddc1d 100644 --- a/windows/client-management/mdm/enterpriseapn-csp.md +++ b/windows/client-management/mdm/enterpriseapn-csp.md @@ -132,7 +132,7 @@ The following image shows the EnterpriseAPN configuration service provider in tr ## Examples -``` syntax +```xml diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md index e5e5177782..486334505b 100644 --- a/windows/client-management/mdm/enterpriseappmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md @@ -209,7 +209,7 @@ The Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db Use the following SyncML format to query to see if the application is installed on a managed device: -``` syntax +```xml 1 @@ -222,7 +222,7 @@ Use the following SyncML format to query to see if the application is installed Response from the device (it contains list of subnodes if this app is installed in the device). -``` syntax +```xml 3 1 @@ -266,7 +266,7 @@ The value actually applied to the device can be queried via the nodes under the Enroll enterprise ID “4000000001” for the first time: -``` syntax +```xml 2 
@@ -293,7 +293,7 @@ Enroll enterprise ID “4000000001” for the first time: Update the enrollment token (for example, to update an expired application enrollment token): -``` syntax +```xml 2 @@ -310,7 +310,7 @@ Update the enrollment token (for example, to update an expired application enrol Query all installed applications that belong to enterprise id “4000000001”: -``` syntax +```xml 2 @@ -325,7 +325,7 @@ Query all installed applications that belong to enterprise id “4000000001”: Response from the device (that contains two installed applications): -``` syntax +```xml 3 1 @@ -444,7 +444,7 @@ To perform an XAP update, create the Name, URL, Version, and DownloadInstall nod -``` syntax +```xml 2 ` node among with other `` nodes, it shares most grammar with the Application Node, **folderId** is mandatory, **folderName** is optional, which is the folder name displayed on Start. **folderId** is a unique unsigned integer for each folder. Folder example: -``` syntax +```xml Large @@ -123,7 +123,7 @@ Folder example: ``` An application that belongs in the folder would add an optional attribute **ParentFolderId**, which maps to **folderId** of the folder. In this case, the location of this application will be located inside the folder. -``` syntax +```xml Medium @@ -252,7 +252,7 @@ For example, in place of SettingPageDisplay, you would use ms-settings:display. Here is an example for Windows 10, version 1703. -``` syntax +```xml @@ -327,14 +327,14 @@ Starting in Windows 10, version 1703, Quick action settings no longer require an In this example, all settings pages and quick action settings are allowed. An empty \ node indicates that none of the settings are blocked. -``` syntax +```xml ``` In this example for Windows 10, version 1511, all System setting pages are enabled. Note that the System page group is added as well as all of the System subpage names. -``` syntax +```xml 
@@ -350,7 +350,7 @@ In this example for Windows 10, version 1511, all System setting pages are ena ``` Here is an example for Windows 10, version 1703. -``` syntax +```xml @@ -382,7 +382,7 @@ Buttons | The following list identifies the hardware buttons on the device that > Custom buttons are hardware buttons that can be added to devices by OEMs. Buttons example: -``` syntax +```xml @@ -407,7 +407,7 @@ The Search and custom buttons can be remapped or configured to open a s To remap a button in lockdown XML, you supply the button name, the button event (typically "press"), and the product ID for the application the button will open. -``` syntax +```xml
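Review bot: the two hunks in enable-admx-backed-policies-in-mdm.md at @@ -114 and @@ -226 keep a leading space in front of the fence (` ```xml`), while every other hunk in the patch, including the @@ -64 hunk in the same file that carries the identical `> [!NOTE]` text, uses an unindented fence. An indented fence only renders as a code block when it is nested inside a list or blockquote, so the @@ -226 block, which follows the note blockquote directly, may render differently from its @@ -64 twin after this relabeling. Suggest dropping the leading space in both hunks (`+```xml`) unless the indentation is deliberate, in which case the @@ -64 hunk should be indented the same way for consistency. The rest of the patch is a mechanical `syntax` to `xml`/`powershell` relabel with no content change; the `powershell` tag on the enable-offline-updates hunk matches the `param (` body that follows it.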