Merge branch 'master' into v-gmoor-fix-pr-4952

windows/security/identity-protection/credential-guard/dg-readiness-tool.md

@@ -678,7 +678,7 @@ function CheckDriverCompat
     if($verifier_state.ToString().Contains("No drivers are currently verified."))
     {
         LogAndConsole "Enabling Driver verifier"
-        verifier.exe /flags 0x02000000 /all /log.code_integrity
+        verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity
 
         LogAndConsole "Enabling Driver Verifier and Rebooting system"
         Log $verifier_state

windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md

@@ -81,7 +81,13 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi
 The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list.  However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
 
 > [!NOTE]
-> The domain controller's certificate must chain to a root in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a third-party CA, this may not be done by default. If the domain controller certificate does not chain to a root in the NTAuth store, user authentication will fail.
+> The certificate for the CA issuing the domain controller certificate must be included in the NTAuth store. By default, the Active Directory Certificate Authority's root certificate is added to the NTAuth store. If you are using a multi-tier CA hierarchy or a third-party CA, this may not be done by default. If the Domain Controller certificate does not directly chain to a CA certificate in the NTAuth store, user authentication will fail.
+
+The following PowerShell command can be used to check all certificates in the NTAuth store:
+
+```powershell
+Certutil -viewstore -enterprise NTAuth
+```
 
 ### Publish Certificate Templates to a Certificate Authority
 

windows/security/identity-protection/vpn/vpn-connection-type.md

@@ -42,6 +42,9 @@ There are many options for VPN clients. In Windows 10, the built-in plug-in and
     - [SSTP](https://technet.microsoft.com/library/ff687819.aspx)
 
         SSTP is supported for Windows desktop editions only. SSTP cannot be configured using mobile device management (MDM), but it is one of the protocols attempted in the **Automatic** option.
+
+        > [!NOTE]
+        > When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
         
 - Automatic
 
@@ -63,11 +66,13 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.m
 
 The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
 
-![Available connection types](images/vpn-connection-intune.png)
+> [!div class="mx-imgBorder"]
+> ![Available connection types](images/vpn-connection-intune.png)
      
 In Intune, you can also include custom XML for third-party plug-in profiles:
 
-![Custom XML](images/vpn-custom-xml-intune.png)
+> [!div class="mx-imgBorder"]
+> ![Custom XML](images/vpn-custom-xml-intune.png)
 
 
 ## Related topics
@@ -85,4 +90,3 @@ In Intune, you can also include custom XML for third-party plug-in profiles:
 
 
 
-