diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 75cb7255c8..ef3a69ff52 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible.
1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
- 
+ 
2. Log into (or sign up for) a GitHub account.
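Review bot: the removed and added lines in this hunk (and in most of the other hunks in this patch) are indistinguishable as plain text, so whatever changed in the image markup, alt text or trailing whitespace cannot be reviewed here; please confirm with `git diff -w` that the change is not whitespace-only, and state in the PR description what the image edits are so the other hunks can be checked against that.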
@@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible.
3. Click the **Pencil** icon (in the red box) to edit the content.
- 
+ 
4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
- **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
@@ -37,11 +37,11 @@ We've tried to make editing an existing, public file as simple as possible.
5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
- 
+ 
6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
- 
+ 
The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
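Review bot: wording on the last context line, "The **Comparing changes** screen appears to see what the changes are between your fork and the original content", reads as if the screen does the seeing; suggest "The **Comparing changes** screen appears, showing the differences between your fork and the original content."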
@@ -49,7 +49,7 @@ We've tried to make editing an existing, public file as simple as possible.
If there are no problems, you’ll see the message, **Able to merge**.
- 
+ 
8. Click **Create pull request**.
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
index 4fc4fb1ecc..d4f9600d8b 100644
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
@@ -34,11 +34,11 @@ Before you start, you need to make sure you have the following:
1. Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
- 
+ 
2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
- 
+ 
3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
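Review bot: step 1 links the Microsoft Security Bulletin page through `https://go.microsoft.com/fwlink/p/?LinkID=718223`, while the same step in the ie11-deploy-guide copy of this topic (`collect-data-using-enterprise-site-discovery.md`, also touched by this patch) links to `/security-updates/`; the two copies should point at the same destination, and a relative docs path is easier to keep valid than an fwlink redirect.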
@@ -280,13 +280,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
- 
+ 
2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
- 
+ 
4. Select the check boxes next to the following classes, and then click **OK**:
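Review bot: step 2, "connect to a computer that has completed the setup process and has already existing classes", is awkward and does not say which classes; suggest "and already has the IETelemetry classes", which also makes step 3 (changing the namespace to `root\cimv2\IETelemetry`) follow naturally. The same sentence appears in the ie11-deploy-guide copy of this topic.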
@@ -393,12 +393,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam
### SCCM Report Sample – ActiveX.rdl
Gives you a list of all of the ActiveX-related sites visited by the client computer.
-
+
### SCCM Report Sample – Site Discovery.rdl
Gives you a list of all of the sites visited by the client computer.
-
+
## View the collected XML data
After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
@@ -436,7 +436,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit
1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
- 
+ 
2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
index 47322f0c03..923d4dfe04 100644
--- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
@@ -27,11 +27,11 @@ ms.date: 07/27/2017
Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
-
+
The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
-
+
Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
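Review bot: the second paragraph recommends "a custom HTTP port 81" for the report endpoint, and the "IIS log file information" section of this same file says those reports carry the client IP address and the URL of the site the user switched; the text should say that these reports travel in cleartext unless the port 81 binding is HTTPS, point readers to an HTTPS binding (the site-list examples elsewhere in this patch already use `https://`), and note that the listener should only be reachable from the internal network.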
@@ -47,11 +47,11 @@ This lets you create an ASP form that accepts the incoming POST messages.
3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
- 
+ 
4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
- 
+ 
5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.
Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
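Review bot: typo in step 5, "Change the WC3 logging fields"; step 4 correctly says **W3C**. The same typo is in the ie11-deploy-guide copy of this topic.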
@@ -72,7 +72,7 @@ This code logs your POST fields to your IIS log file, where you can review all o
### IIS log file information
This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
-
+
## Using the GitHub sample to collect your data
@@ -99,14 +99,14 @@ The required packages are automatically downloaded and included in the solution.
1. Right-click on the name, PhoneHomeSample, and click **Publish**.
- 
+ 
2. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
**Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.
- 
+ 
After you finish the publishing process, you need to test to make sure the app deployed successfully.
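Review bot: the note under step 2 is a bare bold `**Important**` line followed by the text on the next line; the docs.microsoft.com Markdown alert syntax (`> [!IMPORTANT]` followed by a `>`-quoted paragraph) renders this as a proper callout. Suggest converting it while this file is being touched.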
@@ -131,7 +131,7 @@ The required packages are automatically downloaded and included in the solution.
- Go to `https:///List` to see the report results.
If you’re already on the webpage, you’ll need to refresh the page to see the results.
- 
+ 
### Troubleshooting publishing errors
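Review bot: the URL in the bullet, `https:///List`, has no host; the placeholder for the site name appears to have been lost, possibly because an angle-bracketed placeholder was treated as an HTML tag. Suggest a visible placeholder such as `https://[your-site]/List`. The same URL appears in the ie11-deploy-guide copy of this topic.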
@@ -141,7 +141,7 @@ If you have errors while you’re publishing your project, you should try to upd
1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
- 
+ 
2. Click **Updates** on the left side of the tool, and click the **Update All** button.
You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
index 4651adf5cf..4573423115 100644
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -9,7 +9,7 @@ centralized control, you can create one global list of websites that render usin
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** setting.
Turning this setting on also requires you to create and store a site list.
2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
@@ -24,7 +24,7 @@ All of your managed devices must have access to this location if you want them t
2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.
For example:
+  -->
- **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"`
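Review bot: the added line `  -->` closes an HTML comment whose opening `<!--` is not in this hunk; depending on where that opener sits, the "For example:" line and the registry examples that follow are either hidden inside the comment or the closer is a stray that renders literally as `-->`. Please show the surrounding lines or drop the closer.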
diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
index b34f9be63f..c8ef3d030c 100644
--- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
@@ -45,7 +45,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
3. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
- 
+ 
Your **Value data** location can be any of the following types:
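Review bot: step 3, "type a **Value data** to point to a server that you can listen to for updates", inverts the roles; the server is the one listening for the reports. Suggest "type a **Value data** that points to the server that receives the Enterprise Mode reports." The same sentence is in the ie11-deploy-guide copy (step 5 there).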
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 1acd936993..65fbb8eaaf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -38,11 +38,11 @@ Before you start, you need to make sure you have the following:
1. Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**.
- 
+ 
2. Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
- 
+ 
3. Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
@@ -284,13 +284,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
1. From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
- 
+ 
2. Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
3. Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
- 
+ 
4. Select the check boxes next to the following classes, and then click **OK**:
@@ -397,12 +397,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam
### SCCM Report Sample – ActiveX.rdl
Gives you a list of all of the ActiveX-related sites visited by the client computer.
-
+
### SCCM Report Sample – Site Discovery.rdl
Gives you a list of all of the sites visited by the client computer.
-
+
## View the collected XML data
After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
@@ -440,7 +440,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit
1. Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
- 
+ 
2. Go to your XML file to add the included sites to the tool, and then click **Open**.
Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index e8d1ec3d7d..5cfa201d18 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -48,7 +48,7 @@ The compatibility improvements made in IE11 lets older websites just work in the
## Document mode selection flowchart
This flowchart shows how IE11 works when document modes are used.
-
+
[Click this link to enlarge image](img-ie11-docmode-lg.md)
## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
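Review bot: subject-verb agreement in the hunk header context line, "The compatibility improvements made in IE11 lets older websites just work"; should be "let". It is outside the changed lines but worth fixing in the same pass.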
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index 333686dc07..9ec7ddf862 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -45,7 +45,7 @@ To see if this fix might help you, run through this process one step at a time,
1. Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool.
- 
+ 
2. Starting with the **11 (Default)** option, test your broken scenario.
If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)).
@@ -62,7 +62,7 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris
1. Open the Enterprise Mode Site List Manager, and click **Add**.
- 
+ 
2. Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.
Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11.
@@ -74,7 +74,7 @@ For more information about Enterprise Mode, see [What is Enterprise Mode?](what-
### Review your Enterprise Mode site list
Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like:
-
+
And the underlying XML code will look something like:
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 30de0a2c97..a285c99103 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -16,7 +16,7 @@ ms.author: dansimp
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
-
+
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 75283c1f64..4eed39657f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -62,15 +62,15 @@ When IE blocks an outdated ActiveX control, you’ll see a notification bar simi
**Internet Explorer 9 through Internet Explorer 11**
-
+
**Windows Internet Explorer 8**
-
+
Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE:
-
+
## How do I fix an outdated ActiveX control or app?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 6edccdda73..9424e5e32f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -27,7 +27,7 @@ You can use the Group Policy setting, **Set a default associations configuration
1. Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.
Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.
If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon.
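Review bot: the link in step 1, `[Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268)`, has a stray space after the opening parenthesis; trim it so the link is formed the same way as the other links in this patch. Since step 1 also allows the associations file to live on a network share that is processed at logon, one sentence saying that share should not be writable by ordinary users would be a useful addition here.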
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index dd26f8e369..b42426f1d7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -31,11 +31,11 @@ ms.date: 07/27/2017
Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
-
+
The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
-
+
Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
@@ -51,11 +51,11 @@ When you turn logging on, you need a valid URL that points to a server that can
3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
- 
+ 
4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
- 
+ 
5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.
Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
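Review bot: same "WC3" typo in step 5 as in the enterprise-mode copy; step 4 has it right as **W3C**.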
@@ -76,7 +76,7 @@ When you turn logging on, you need a valid URL that points to a server that can
### IIS log file information
This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
-
+
## Using the GitHub sample to collect your data
@@ -103,14 +103,14 @@ For logging, you’re going to need a valid URL that points to a server that can
5. Right-click on the name, PhoneHomeSample, and click **Publish**.
- 
+ 
6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
**Important**
Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website.
- 
+ 
After you finish the publishing process, you need to test to make sure the app deployed successfully.
@@ -135,7 +135,7 @@ For logging, you’re going to need a valid URL that points to a server that can
- Go to `https:///List` to see the report results.
If you’re already on the webpage, you’ll need to refresh the page to see the results.
- 
+ 
### Troubleshooting publishing errors
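Review bot: `https:///List` again has no host; use the same visible placeholder here as in the enterprise-mode copy once one is chosen.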
@@ -145,7 +145,7 @@ If you have errors while you’re publishing your project, you should try to upd
1. From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
- 
+ 
2. Click **Updates** on the left side of the tool, and click the **Update All** button.
You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 14bd40e745..ec77071c73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -28,7 +28,7 @@ Jump to:
[Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website.
-
+
Sites in the \ section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \ section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View.
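Review bot: the element names are missing from the last context line: "Sites in the \ section can be rendered" and "leverage the \ section of the Enterprise Mode Site List" each show only a backslash, so the angle-bracketed element name after it is being swallowed as an HTML tag. Put the element name in backticks instead of escaping the brackets. Also, "include IE8 and IE7 Enterprise Modes" in the first context line should be "including".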
@@ -84,7 +84,7 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern
- Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab.
- 
+ 
- Run the site in each document mode until you find the mode in which the site works.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 8c84054dc3..1b32fa64ad 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -39,7 +39,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.
Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
@@ -51,7 +51,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:
- 
+ 
- **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index b4db0fb7a4..897b27ceed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -37,7 +37,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
- 
+ 
2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
@@ -49,7 +49,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
- 
+ 
Your **Value data** location can be any of the following types:
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index fd6904f4a8..54ae269373 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -33,32 +33,32 @@ During installation, you must pick a version of IEAK 11, either **External** or
| Feature | Internal | External |
|-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
-| Welcome screen |  |  |
-| File locations |  |  |
-| Platform selection |  |  |
-| Language selection |  |  |
-| Package type selection |  |  |
-| Feature selection |  |  |
-| Automatic Version Synchronization (AVS) |  |  |
-| Custom components |  |  |
-| Internal install |  |  |
-| User experience |  |  |
-| Browser user interface |  |  |
-| Search providers |  |  |
-| Important URLs – Home page and support |  |  |
-| Accelerators |  |  |
-| Favorites, Favorites bar, and feeds |  |  |
-| Browsing options |  |  |
-| First Run wizard and Welcome page options |  |  |
-| Connection manager |  |  |
-| Connection settings |  |  |
-| Automatic configuration |  |  |
-| Proxy settings |  |  |
-| Security and privacy settings |  |  |
-| Add a root certificate |  |  |
-| Programs |  |  |
-| Additional settings |  |  |
-| Wizard complete |  |  |
+| Welcome screen |  |  |
+| File locations |  |  |
+| Platform selection |  |  |
+| Language selection |  |  |
+| Package type selection |  |  |
+| Feature selection |  |  |
+| Automatic Version Synchronization (AVS) |  |  |
+| Custom components |  |  |
+| Internal install |  |  |
+| User experience |  |  |
+| Browser user interface |  |  |
+| Search providers |  |  |
+| Important URLs – Home page and support |  |  |
+| Accelerators |  |  |
+| Favorites, Favorites bar, and feeds |  |  |
+| Browsing options |  |  |
+| First Run wizard and Welcome page options |  |  |
+| Connection manager |  |  |
+| Connection settings |  |  |
+| Automatic configuration |  |  |
+| Proxy settings |  |  |
+| Security and privacy settings |  |  |
+| Add a root certificate |  |  |
+| Programs |  |  |
+| Additional settings |  |  |
+| Wizard complete |  |  |
---
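Review bot: all 26 table rows are replaced by rows that are textually identical here, so the change must be in the image markup of the Internal and External cells; since those cells carry no text, the images need alt text that states the value (for example "Yes" or "No"), otherwise screen readers get an empty table. Please confirm that is what this hunk adds.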
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index d0251e80ba..92cf989109 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -20,17 +20,17 @@ manager: dansimp

-This guide shows you how to quickly and easily try a few transformational tools from Microsoft Education in 5 quick steps.
+This guide shows you how to quickly and easily try a few transformational tools from Microsoft Education in 5 quick steps.
| Tool | Description |
| :---: |:--- |
-| [](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
-| [](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
-| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
-| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** Open [OneNote](#edu-task4) and create an example group project for your class. |
-| [](#edu-task5) | **Curious about telling stories through video?** Try the [Photos app](#edu-task5) to make your own example video. |
-| [](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
-| [](#edu-task7) | **Want to provide a personal math tutor for your students?** Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
+| [](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
+| [](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?[1](#footnote1)** Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
+| [](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
+| [](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** Open [OneNote](#edu-task4) and create an example group project for your class. |
+| [](#edu-task5) | **Curious about telling stories through video?** Try the [Photos app](#edu-task5) to make your own example video. |
+| [](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
+| [](#edu-task7) | **Want to provide a personal math tutor for your students?** Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
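Review bot: the intro sentence kept in this hunk says the guide covers "5 quick steps", but the table directly beneath it lists seven tasks (#edu-task1 through #edu-task7) and the page goes on to have sections 1 through 7; update the count. Also, the removed and added rows read identically here, so the change is confined to the image markup this view does not show; make sure each image carries alt text, because the first cell otherwise renders as `[](#edu-taskN)`, a link with no visible text.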
@@ -41,7 +41,7 @@ manager: dansimp
-
+
## 1. Log in and connect to the school network
To try out the educator tasks, start by logging in as a teacher.
@@ -55,7 +55,7 @@ To try out the educator tasks, start by logging in as a teacher.
-
+
## 2. Significantly improve student reading speed and comprehension
> [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y]
@@ -78,7 +78,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
4. Select the **Immersive Reader** button.
- 
+ 
5. Press the **Play** button to hear text read aloud.
@@ -86,14 +86,14 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
| Text to Speech | Text Preferences | Grammar Options | Line Focus |
| :------------: | :--------------: | :-------------: | :--------: |
- |  |  |  |  |
+ |  |  |  |  |
-
+
## 3. Spark communication, critical thinking, and creativity in the classroom
> [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8]
@@ -114,7 +114,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.
-
+
## 4. Expand classroom collaboration and interaction between students
> [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE]
@@ -135,16 +135,16 @@ When you're not using the pen, just use the magnet to stick it to the left side
3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities.
- Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling.
- 
+ 
- Type anywhere on the page! Just click your cursor where you want to place text.
- Use the checkmark in the **Home** tab to keep track of completed tasks.
- 
+ 
- To find information without leaving OneNote, use the Researcher tool found under the Insert tab.
- 
+ 
@@ -178,7 +178,7 @@ Use video to create a project summary.
8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this:
- 
+ 
9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**.
@@ -191,7 +191,7 @@ Use video to create a project summary.
4. Play back your effect.
5. Select **Done** when you have it where you want it.
- 
+ 
12. Select **Music** and select a track from the **Recommended** music collection.
1. The music will update automatically to match the length of your video project, even as you make changes.
@@ -208,7 +208,7 @@ Check out this use case video of the Photos team partnering with the Bureau Of F
-
+
## 6. Get kids to further collaborate and problem solve
> [!VIDEO https://www.youtube.com/embed/QI_bRNUugog]
@@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
3. Scroll down to the **Details** section and select **Download World**.
- 
+ 
4. When prompted, save the world.
@@ -250,7 +250,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram.
- 
+ 
12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting.
@@ -260,13 +260,13 @@ Today, we'll explore a Minecraft world through the eyes of a student.
2. Click **Class Resources**.
3. Click **Find a Lesson**.
- 
+ 
-
+
## 7. Use Windows Ink to provide a personal math tutor for your students
The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph.
@@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app
To get started:
1. Open the OneNote app for Windows 10 (not OneNote 2016).
- 
+ 
2. In the top left corner, click on the **<** arrow to access your notebooks and pages.
- 
+ 
3. Click **Add Page** to launch a blank work space.
- 
+ 
4. Make sure your pen is paired to the device. To pair, see Connect to Bluetooth devices.
@@ -292,26 +292,26 @@ To solve the equation 3x+4=7, follow these instructions:
2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse.
- 
+ 
3. On the **Draw** tab, click the **Math** button.
- 
+ 
4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation.
- 
+ 
5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation.
6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem.
- 
+ 
To graph the equation 3x+4=7, follow these instructions:
1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level.
- 
+ 
2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index f21a0ddcf4..2ea43581c9 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -16,7 +16,7 @@ ms.date: 12/11/2017
# Microsoft Education Trial in a Box
-
+
@@ -28,9 +28,9 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
-| [](educator-tib-get-started.md) | [](itadmin-tib-get-started.md) |
+| [](educator-tib-get-started.md) | [](itadmin-tib-get-started.md) |
| :---: | :---: |
-| **Educator**Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. [Get started](educator-tib-get-started.md) | **IT Admin**Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. [Get started](itadmin-tib-get-started.md) |
+| **Educator**Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. [Get started](educator-tib-get-started.md) | **IT Admin**Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. [Get started](itadmin-tib-get-started.md) |
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index be9a131941..911f893986 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -20,15 +20,15 @@ manager: dansimp

-Learn how to quickly deploy and manage devices for your school in 5 quick steps.
+Learn how to quickly deploy and manage devices for your school in 5 quick steps.
| | |
| :---: |:--- |
-| [](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
-| [](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
-| [](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
-| [](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
-| [](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
+| [](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
+| [](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
+| [](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
+| [](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
+| [](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
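Review bot: the header row of this table is empty (`| | |`), so the icon column and the task column render under blank headings; name them, for example `| Step | Task |`, to match the `| Tool | Description |` header used in the educator guide. The visible text of the removed and added rows is identical, so the change is only in the image markup; confirm the new image references resolve.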
@@ -42,7 +42,7 @@ If you run into any problems while following the steps in this guide, or you hav
-
+
## 1. Log in to Device A with your IT Admin credentials and connect to the school network
To try out the IT admin tasks, start by logging in as an IT admin.
@@ -56,7 +56,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
-
+
## 2. Configure Device B with Set up School PCs
Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**.
@@ -66,11 +66,11 @@ If you've previously used Set up School PCs to provision student devices, you ca
1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store.
- 
+ 
2. Search for the **Set up School PCs** app.
- 
+ 
3. Click **Install**.
@@ -78,7 +78,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
1. On **Device A**, launch the Set up School PCs app.
- 
+ 
2. Click **Get started**.
3. Select **Sign-in**.
@@ -95,7 +95,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
We recommend checking the highlighted settings below:
- 
+ 
- **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes).
- **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC.
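Review bot: the bullet for **Allow local storage (not recommended for shared devices)** states the recommendation without the reason; add a sentence saying why it is discouraged on shared student PCs (files saved to **Desktop** and **Documents** stay on the device for whoever signs in next), so an admin reading only this page can make the call. The lead-in "We recommend checking the highlighted settings below" also depends on the screenshot this hunk swaps; keep the settings named in text, as the two bullets already do, so the advice survives a missing image.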
@@ -108,7 +108,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test.
- 
+ 
1. Specify if you want to create a Take a Test button on the students' sign-in screens.
2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests.
@@ -120,7 +120,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision.
- 
+ 
The recommended apps include the following:
* **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store.
@@ -131,7 +131,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes.
- 
+ 
10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package.
11. Select the drive and then **Save** to create the provisioning package.
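Review bot: steps 10 and 11 write the provisioning package to the USB drive from the accessories box but say nothing about what happens to that drive afterwards; since the package is what configures **Device B** in the next part of this guide, add a line telling the admin to keep the drive with the other admin materials and to delete the package from it once provisioning is finished.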
@@ -153,7 +153,7 @@ A provisioning package is a method for applying settings to Windows 10 without n
1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**.
- 
+ 
If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.**
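Review bot: "select **Ctrl + Shift + F3**" describes a keyboard shortcut, so "press" is the right verb; and since the preceding step assumes **Device B** is still on the first-run setup screen, say in the same sentence that the shortcut is used from those first-run screens, so readers do not try it from a signed-in desktop before falling back to **Reset this PC**.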
@@ -166,20 +166,20 @@ You can complete the rest of the IT admin tasks using **Device A**.
-
+
## 3. Express configure Intune for Education to manage devices, users, and policies
Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here.
1. Log into the Intune for Education console.
2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**.
- 
+ 
3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen.
4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group.
5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps.
- 
+ 
6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5.
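Review bot: step 6 says the apps "will be installed for all members of the group selected in step 5", but the group (**All Users**) is chosen in step 4; step 5 is the **Choose apps** screen. Change the cross-reference to step 4.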
@@ -197,7 +197,7 @@ Intune for Education provides an **Express configuration** option so you can get
-
+
## 4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant
The Microsoft Store for Education is where you can shop for more apps for your school.
@@ -205,7 +205,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
2. In the **Store apps** section, select **+ New app** to go to the Microsoft Store for Education.
3. Select **Sign in** and start shopping for apps for your school.
- 
+ 
4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free:
- Duolingo - Learn Languages for Free
@@ -222,7 +222,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
- 
+ 
In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in Distribute apps using your private store.
@@ -231,7 +231,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
-
+
## 5. Create custom folders that will appear on each managed device's Start menu
Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education.
@@ -239,7 +239,7 @@ Update settings for all devices in your tenant by adding the **Documents** and *
2. Select **Group > All Devices > Settings** and expand **Windows interface settings**.
3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**.
- 
+ 
4. **Save** your changes.
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md
index 9cb32351de..627a78c9ef 100644
--- a/education/trial-in-a-box/support-options.md
+++ b/education/trial-in-a-box/support-options.md
@@ -38,7 +38,7 @@ For more information about checking for updates, and how to optionally turn on a
> [!NOTE]
> For the alternate email address, make sure you use a different address from your Office 365 email address.
- 
+ 
4. Click **Save**.
@@ -46,17 +46,17 @@ For more information about checking for updates, and how to optionally turn on a
1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console.
- 
+ 
You will see a sidebar window open up on the right-hand side of the screen.
- 
+ 
If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**.
- 
+ 
-2. Click the **question button**  in the top navigation of the sidebar window.
+2. Click the **question button**  in the top navigation of the sidebar window.
3. In the field below **Need help?**, enter a description of your help request.
4. Click the **Get help button**.
5. In the **Let us call you** section, enter a phone number where you can be reached.
@@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it.
1. Go to https://portal.office.com
2. Select **Can't access your account** and follow the prompts to get back into your account.
- 
+ 
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 00b99a4c75..c0ac95e03e 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -61,7 +61,7 @@ You can set the policy using one of these methods:
- When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example:
- 
+ 
## Trigger Autopilot Reset
Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use.
@@ -70,7 +70,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**.
- 
+ 
This will open up a custom login screen for Autopilot Reset. The screen serves two purposes:
@@ -78,7 +78,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
- 
+ 
2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
@@ -97,7 +97,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
- Is returned to a known good managed state, connected to Azure AD and MDM.
- 
+ 
Once provisioning is complete, the device is again ready for use.
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index b104042dbc..ea30225b3e 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -65,7 +65,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f
**Figure 1** - Enter the details for the Windows edition change
- 
+ 
3. The change will automatically be applied to the group you selected.
@@ -78,7 +78,7 @@ You can use Windows Configuration Designer to create a provisioning package that
**Figure 2** - Enter the license key
- 
+ 
3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education.
@@ -123,7 +123,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi
**Figure 3** - Check the box to confirm
- 
+ 
5. Click **Change all my devices**.
@@ -169,13 +169,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
**Figure 4** - Select how you'd like to set up the device
- 
+ 
2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**.
**Figure 5** - Enter the account details
- 
+ 
3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription.
@@ -188,21 +188,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
**Figure 6** - Go to **Access work or school** in Settings
- 
+ 
2. In **Access work or school**, click **Connect**.
3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom.
**Figure 7** - Select the option to join the device to Azure Active Directory
- 
+ 
4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD.
5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD.
**Figure 8** - Verify the device connected to Azure AD
- 
+ 
#### Step 2: Sign in using Azure AD account
@@ -286,7 +286,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change
**Figure 12** - Revert to Windows 10 Pro
- 
+ 
4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**.
5. Click **Close** in the **Success** page.
@@ -304,7 +304,7 @@ You need to synchronize these identities so that users will have a *single ident
**Figure 13** - On-premises AD DS integrated with Azure AD
-
+
For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
- [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity)
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 59da859362..2fb2324ddc 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -118,7 +118,7 @@ At the end of this section, you should have a list of Chromebook user and device
You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices.
-
+
Figure 1. Google Admin Console
@@ -221,7 +221,7 @@ Table 3. Settings in the Security node in the Google Admin Console
In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
-
+
Figure 2. Locally-configured settings on Chromebook
@@ -497,7 +497,7 @@ Table 6 is a decision matrix that lists the device, user, and app management pro
Table 6. Device, user, and app management products and technologies
-
+
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index f662b8ac78..27b3806af5 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -94,19 +94,19 @@ Use one of these methods to set this policy.
- Data type: Integer
- Value: 0
- 
+ 
### Group Policy
Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
-
+
### Provisioning tools
- [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
- 
+ 
## SetEduPolicies
**SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
@@ -123,7 +123,7 @@ Use one of these methods to set this policy.
- Data type: Boolean
- Value: true
- 
+ 
### Group Policy
**SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc).
@@ -147,7 +147,7 @@ For example:
- [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package)
- Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
- 
+ 
## Ad-free search with Bing
Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States.
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 5ca4cb7ea0..9dcdd7ca81 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -34,21 +34,21 @@ Proper preparation is essential for a successful district deployment. To avoid c
As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 1. Typical district configuration for this guide*
A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 2. Typical school configuration for this guide*
Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 3. Typical classroom configuration in a school*
@@ -181,7 +181,7 @@ The high-level process for deploying and configuring devices within individual c
9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 4. How district configuration works*
@@ -768,7 +768,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 5, the
> Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 5. Automatic synchronization between AD DS and Azure AD*
@@ -779,7 +779,7 @@ For more information about how to perform this step, see the [Integrate on-premi
In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
> [!div class="mx-imgBorder"]
-> 
+> 
*Figure 6. Bulk import into Azure AD from other sources*
@@ -812,14 +812,14 @@ You can deploy the Azure AD Connect tool:
- **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
> [!div class="mx-imgBorder"]
- > 
+ > 
*Figure 7. Azure AD Connect on premises*
- **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
> [!div class="mx-imgBorder"]
- > 
+ > 
*Figure 8. Azure AD Connect in Azure*
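Review bot: the **In Azure** bullet says Azure AD Connect "runs on a VM in Azure AD"; a VM runs in Azure, the cloud platform, while Azure AD is the directory the tool synchronizes to, so this should read "a VM in Azure" to match the bullet's own title and the Figure 8 caption.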
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 3b464f9fa6..318b892188 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -30,13 +30,13 @@ Proper preparation is essential for a successful school deployment. To avoid com
As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
-
+
*Figure 1. Typical school configuration for this guide*
Figure 2 shows the classroom configuration this guide uses.
-
+
*Figure 2. Typical classroom configuration in a school*
@@ -112,7 +112,7 @@ The high-level process for deploying and configuring devices within individual c
6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
-
+
*Figure 3. How school configuration works*
@@ -346,7 +346,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the
**Note** Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396).
-
+
*Figure 4. Automatic synchronization between AD DS and Azure AD*
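Review bot: the link to the Generic LDAP Connector reference carries the query string `?f=255&MSPPError=-2147217396`, which is an error-redirect artifact rather than part of the target address; trim it to `/previous-versions/mim/dn510997(v=ws.10)`, the form the same link takes in the district guide.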
@@ -356,7 +356,7 @@ For more information about how to perform this step, see the [Integrate on-premi
In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
-
+
*Figure 5. Bulk import into Azure AD from other sources*
@@ -383,13 +383,13 @@ You can deploy the Azure AD Connect tool by using one of the following methods:
- **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
- 
+ 
*Figure 6. Azure AD Connect on premises*
- **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
- 
+ 
*Figure 7. Azure AD Connect in Azure*
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index eaa2f7c35b..03a761c858 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -55,11 +55,11 @@ To turn off access to contacts for all apps on individual Windows devices:
1. On the computer, go to **Settings** and select **Privacy**.
- 
+ 
2. Under the list of **Privacy** areas, select **Contacts**.
- 
+ 
3. Turn off **Let apps access my contacts**.
@@ -73,7 +73,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti
If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
-
+
The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
@@ -83,7 +83,7 @@ To allow only certain apps to have access to contacts, you can:
* Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
- 
+ 
## Skype and Xbox settings
@@ -109,7 +109,7 @@ Skype uses the user’s contact details to deliver important information about t
To manage and edit your profile in the Skype UWP app, follow these steps:
-1. In the Skype UWP app, select the user profile icon  to go to the user’s profile page.
+1. In the Skype UWP app, select the user profile icon  to go to the user’s profile page.
2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal.
@@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps:
6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
- 
+ 
* To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 586d6ea6b8..f4ea0cf4ef 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -39,7 +39,7 @@ Admins can control whether or not teachers are automatically assigned the **Basi
2. Click **Manage**, and then click **Settings**.
3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
-
+
> [!NOTE]
> **Make everyone a Basic Purchaser** is on by default.
@@ -52,7 +52,7 @@ When **Make everyone a Basic Purchaser** is turned off, admins can manually assi
2. Click **Manage**, and then choose **Permissions**.
3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
- 
+ 
**Blocked Basic Purchasers**
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 78f1759c45..a89e29de02 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution.
-
+
## Prerequisites
@@ -39,11 +39,11 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
- Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
- If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
-
+
[Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
-
+
[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
\ No newline at end of file
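Review bot: the hunk ends with `\ No newline at end of file` after `[Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.`; since this change already touches get-minecraft-for-education.md, add the trailing newline so the file ends cleanly and any later edit to that last line does not show up as a spurious modification in the diff.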
diff --git a/education/windows/index.md b/education/windows/index.md
index 81e3f97634..cf961bfe83 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -14,15 +14,15 @@ ms.date: 10/13/2017
# Windows 10 for Education
-
+
-##  Learn
+##  Learn
Windows 10 editions for education customers
Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.
Compare each Windows edition
Find out more about the features and functionality we support in each edition of Windows.
Get Windows 10 Education or Windows 10 Pro Education
When you've made your decision, find out how to buy Windows for your school.
-##  Plan
+##  Plan
Windows 10 configuration recommendations for education customers
Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.
Deployment recommendations for school IT administrators
Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.
@@ -30,14 +30,14 @@ ms.date: 10/13/2017
Take tests in Windows 10
Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.
Chromebook migration guide
Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.
-##  Deploy
+##  Deploy
Set up Windows devices for education
Depending on your school's device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.
Deploy Windows 10 in a school
Get step-by-step guidance to help you deploy Windows 10 in a school environment.
Deploy Windows 10 in a school district
Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.
Test Windows 10 S on existing Windows 10 education devices
Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.
-##  Switch
+##  Switch
Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S
If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index e3900603b6..a728b75a41 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -50,15 +50,15 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**.
-
+
2. Enter your email address, and select Educator, Administrator, or Student. If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one.
-
+
3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store.
-
+
4. Sign in to Microsoft Store for Education with your email address.
@@ -66,7 +66,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
-
+
Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
@@ -113,11 +113,11 @@ After you've finished the purchase, you can find your invoice by checking **Mine
2. Click **Minecraft: Education Edition** in the list of apps.
3. On **Minecraft: Education Edition**, click **View Bills**.
- 
+ 
4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf.
- 
+ 
The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check.
@@ -133,11 +133,11 @@ Admins can also add Minecraft: Education Edition to the private store. This allo
### Configure automatic subscription assignment
@@ -168,7 +168,7 @@ You can install the app on your PC. This gives you a chance to test the app and
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
-
+
3. Click **Install**.
@@ -180,33 +180,33 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
- 
+ 
3. Click **Invite people**.
4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.
- 
+ 
**To finish Minecraft install (for students)**
1. Students will receive an email with a link that will install the app on their PC.
- 
+ 
2. Click **Get the app** to start the app install in Microsoft Store app.
3. In Microsoft Store app, click **Install**.
- 
+ 
After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10.
- 
+ 
When students click **My Library** they'll find apps assigned to them.
- 
+ 
### Download for others
Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
2. Click the account button, and then click **Downloads and updates**.
- 
+ 
3. Click **Check for updates**, and install all available updates.
- 
+ 
4. Restart the computer before installing Minecraft: Education Edition.
@@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
@@ -257,7 +257,7 @@ However, tenant admins can control whether or not teachers automatically sign up
To prevent educators from automatically signing up for Microsoft Store for Business
1. In Microsoft Store for Business, click **Settings**, and then click **Permissions**.
- 
+ 
2. Click **Allow educators in my organization to sign up for the Microsoft Store for Business.**
@@ -269,7 +269,7 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
- Acquire and manage the app
- Info on Support page (including links to documentation and access to support through customer service)
- 
+ 
**To assign Basic Purchaser role**
@@ -280,15 +280,15 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
2. Click **Settings**, and then choose **Permissions**.
- 
+ 
3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
- 
+ 
Microsoft Store for Business updates the list of people and permissions.
- 
+ 
-->
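Review bot: the trailing context line `-->` indicates that the image lines changed in this hunk (the ones following step 2 `Click **Settings**, and then choose **Permissions**.`, step 3 `Click **Add people**...`, and `Microsoft Store for Business updates the list of people and permissions.`) sit inside an HTML comment, so the updated references have no effect on the rendered page. Either confirm that this block of school-get-minecraft.md is intentionally commented out and remove it rather than keep maintaining its image paths, or move the `-->` so the steps render again if they are still current.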
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 6d62b6bb55..02198518ca 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -48,7 +48,7 @@ Active Directory** \> **Devices** \> **Device settings**.
for Azure AD by selecting **All** or **Selected**. If you choose the latter
option, select the teachers and IT staff to allow them to connect to Azure AD.
-
+
You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff.
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 22d45b09fc..328b2f80a1 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -43,7 +43,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment (
**Figure 7** - Add the account to use for test-taking
- 
+ 
The account can be in one of the following formats:
- username
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 7d803777e5..f0bb65fa78 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -35,7 +35,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
2.
2. On the **Finish** page, select **Switch to advanced editor**.
- 
+ 
**Next steps**
- [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
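Review bot: the context line `2.` immediately before `2. On the **Finish** page, select **Switch to advanced editor**.` looks like a stray list marker left over from an earlier edit, and it will render as an empty numbered item; since this hunk in set-up-students-pcs-with-apps.md already touches the lines right below it, drop the bare `2.` while you are here so the step numbering reads correctly.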
@@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
2. Click **Advanced provisioning**.
- 
+ 
3. Name your project and click **Next**.
@@ -89,17 +89,17 @@ Universal apps that you can distribute in the provisioning package can be line-o
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
- 
+ 
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
- 
+ 
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page.
- 
+ 
[Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
@@ -168,7 +168,7 @@ If your build is successful, the name of the provisioning package, output direct
**During initial setup, from a USB drive**
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
- 
+ 
2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
@@ -176,11 +176,11 @@ If your build is successful, the name of the provisioning package, output direct
3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
- 
+ 
4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
- 
+ 
5. Select **Yes, add it**.
@@ -188,11 +188,11 @@ If your build is successful, the name of the provisioning package, output direct
6. Read and accept the Microsoft Software License Terms.
- 
+ 
7. Select **Use Express settings**.
- 
+ 
8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
@@ -200,18 +200,18 @@ If your build is successful, the name of the provisioning package, output direct
9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
- 
+ 
10. Sign in with your domain, Azure AD, or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
- 
+ 
**After setup, from a USB drive, network folder, or SharePoint site**
On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install.
-
+
-->
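Review bot: the closing `-->` context line after `On a desktop computer, navigate to **Settings** > **Accounts** > **Work access** > **Add or remove a management package** > **Add a package**, and select the package to install.` shows that the image lines changed in this hunk (following step 9 `Join Azure AD` or `Join a domain`, step 10 `Sign in with your domain, Azure AD, or Office 365 account and password.`, and the **After setup, from a USB drive, network folder, or SharePoint site** paragraph) are inside a commented-out block, so these path updates do not change the published page. Decide whether this section of set-up-students-pcs-with-apps.md should be restored or deleted; updating image references in dead content only adds maintenance cost.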
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index b401df97ef..e1acdf9f1d 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -27,7 +27,7 @@ Choose the tool that is appropriate for how your students will sign in (Active D
You can use the following diagram to compare the tools.
-
+
## In this section
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 3044c770e5..10e2d2f7e0 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -39,7 +39,7 @@ If you set up Take a Test, this adds a **Take a Test** button on the student PC'
**Figure 1** - Configure Take a Test in the Set up School PCs app
-
+
### Set up a test account in Intune for Education
You can set up a test-taking account in Intune for Education. To do this, follow these steps:
@@ -49,7 +49,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 2** - Add a test profile in Intune for Education
- 
+ 
3. In the new profile page:
1. Enter a name for the profile.
@@ -60,7 +60,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 3** - Add information about the test profile
- 
+ 
After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account.
@@ -68,13 +68,13 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 4** - Assign the test account to a group
- 
+ 
5. In the **Groups** page, click **Change group assignments**.
**Figure 5** - Change group assignments
- 
+ 
6. In the **Change group assignments** page:
1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group.
@@ -82,7 +82,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
**Figure 6** - Select the group(s) that will use the test account
- 
+ 
And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests.
@@ -136,7 +136,7 @@ To set up a test account through Windows Configuration Designer, follow these st
**Figure 7** - Add the account to use for test-taking
- 
+ 
The account can be in one of the following formats:
- username
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 1286a5aec8..9d26301975 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -30,13 +30,13 @@ To configure the assessment URL and a dedicated testing account on a single PC,
**Figure 1** - Use the Settings app to set up a test-taking account
- 
+ 
4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
**Figure 2** - Choose the test-taking account
- 
+ 
> [!NOTE]
> If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 7e016c22c0..f9ba6a9479 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -32,7 +32,7 @@ Many schools use online testing for formative and summative assessments. It's cr
## How to use Take a Test
-
+
There are several ways to configure devices for assessments, depending on your use case:
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 136499ee4c..6f0d1d4341 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -65,7 +65,7 @@ After Minecraft: Education Edition licenses have been purchased, either directly
- You can assign the app to others.
- You can download the app to distribute.
-
+
### Install for me
You can install the app on your PC. This gives you a chance to work with the app before using it with your students.
@@ -73,7 +73,7 @@ You can install the app on your PC. This gives you a chance to work with the app
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**, and then click **Install**.
-
+
3. Click **Install**.
@@ -84,13 +84,13 @@ Enter email addresses for your students, and each student will get an email with
1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com).
2. Click **Manage**.
-
+
3. Click **Invite people**.
4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
- 
+ 
You can assign the app to students with work or school accounts.
If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin.
@@ -100,20 +100,20 @@ Enter email addresses for your students, and each student will get an email with
Students will receive an email with a link that will install the app on their PC.
-
+
1. Click **Get the app** to start the app install in Microsoft Store app.
2. In Microsoft Store app, click **Install**.
- 
+ 
After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
- 
+ 
When students click **My Library** they'll find apps assigned to them.
- 
+ 
### Download for others
Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -132,11 +132,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
2. Click the account button, and then click **Downloads and updates**.
- 
+ 
3. Click **Check for updates**, and install all available updates.
- 
+ 
4. Restart the computer before installing Minecraft: Education Edition.
@@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
- 
+ 
2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 3f31119391..ca36e12e5a 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -103,7 +103,7 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
The **Set up School PCs** app guides you through the configuration choices for the student PCs. To begin, open the app on your PC and click **Get started**.
- 
+ 
### Package name
Type a unique name to help distinguish your school's provisioning packages. The name appears:
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 4294d7199e..3b6a109ef3 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
# Get started: Deploy and manage a full cloud IT solution for your business
-
+
**Applies to:**
@@ -61,7 +61,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 1** - Try or buy Office 365
- 
+ 
2. Fill out the sign up form and provide information about you and your company.
3. Create a user ID and password to use to sign into your account.
@@ -76,7 +76,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 2** - Microsoft 365 admin center
- 
+ 
6. Select the **Admin** tile to go to the admin center.
@@ -86,7 +86,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 3** - Admin center
- 
+ 
8. Go back to the
admin center to add or buy a domain.
@@ -94,14 +94,14 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 4** - Option to add or buy a domain
- 
+ 
2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
**Figure 5** - Microsoft-provided domain
- 
+ 
- If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
- If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
@@ -110,7 +110,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
**Figure 6** - Domains
- 
+ 
### 1.2 Add users and assign product licenses
Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center.
@@ -123,7 +123,7 @@ When adding users, you can also assign admin privileges to certain users in your
**Figure 7** - Add users
- 
+ 
2. In the **Home > Active users** page, add users individually or in bulk.
- To add users one at a time, select **+ Add a user**.
@@ -132,7 +132,7 @@ When adding users, you can also assign admin privileges to certain users in your
**Figure 8** - Add an individual user
- 
+ 
- To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
@@ -140,13 +140,13 @@ When adding users, you can also assign admin privileges to certain users in your
**Figure 9** - Import multiple users
- 
+ 
3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
**Figure 10** - List of active users
- 
+ 
### 1.3 Add Microsoft Intune
Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see
What is Intune?
@@ -160,14 +160,14 @@ Microsoft Intune provides mobile device management, app management, and PC manag
**Figure 11** - Assign Intune licenses
- 
+ 
5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
6. Select **Intune**. This will take you to the Intune management portal.
**Figure 12** - Microsoft Intune management portal
- 
+ 
Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution).
@@ -185,21 +185,21 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
**Figure 13** - Access to Azure AD is not available
- 
+ 
3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
4. Click **Azure subscription**. This will take you to a free trial sign up screen.
**Figure 14** - Sign up for Microsoft Azure
- 
+ 
5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
**Figure 15** - Start managing your Azure subscription
- 
+ 
This will take you to the
Microsoft Azure portal.
@@ -216,26 +216,26 @@ To add Azure AD group(s), we will use the
Microsoft Store for Business using the same tenant account that you used to sign into Intune.
4. Accept the EULA.
@@ -312,20 +312,20 @@ In this part of the walkthrough, we'll be working on the
Intune management portal, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
**Figure 26** - Configure Store for Business sync in Intune
- 
+ 
9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
**Figure 27** - Enable Microsoft Store for Business sync in Intune
- 
+ 
The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
@@ -348,7 +348,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Figure 28** - Shop for Store apps
- 
+ 
2. Click to select an app, such as **Reader**. This opens the app page.
3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
@@ -358,7 +358,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
**Figure 29** - App inventory shows the purchased apps
- 
+ 
> [!NOTE]
> Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
@@ -372,7 +372,7 @@ If you need to sync your most recently purchased apps and have it appear in your
**Figure 30** - Force a sync in Intune
- 
+ 
**To view purchased apps**
- In the
Intune management portal, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
@@ -393,7 +393,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 31** - First screen in Windows device setup
- 
+ 
> [!NOTE]
> During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
@@ -403,13 +403,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi
**Figure 32** - Choose how you'll connect your Windows device
- 
+ 
4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
**Figure 33** - Sign in using one of the accounts you added
- 
+ 
5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
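Review bot: the retained context line "We suggest signing in as one of the global administrators" has the reader complete device setup under a Global Administrator account, which is the highest-privilege identity in the tenant; since this hunk is already touching the Figure 32 and Figure 33 lines of this step, consider recommending one of the non-admin accounts added in section 1.2 for the device sign-in and keeping the global admin for the admin portals. The removed and added image lines for Figure 32 and Figure 33 show no visible difference in this view, so the commit message should say what changed in them (path or alt text) so a reviewer can check it.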
@@ -430,7 +430,7 @@ In the
Intune management
**Figure 34** - Check the PC name on your device
- 
+ 
2. Log in to the Intune management portal.
3. Select **Groups** and then go to **Devices**.
@@ -441,7 +441,7 @@ In the
Intune management
**Figure 35** - Check that the device appears in Intune
- 
+ 
## 3. Manage device settings and features
You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
@@ -460,7 +460,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 36** - Reconfigure an app's deployment setting in Intune
- 
+ 
6. Click **Finish**.
7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
@@ -470,7 +470,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 37** - Confirm that additional apps were deployed to the device
- 
+ 
### 3.2 Configure other settings in Intune
@@ -486,7 +486,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 38** - Add a configuration policy
- 
+ 
7. Click **Save Policy**. A confirmation window will pop up.
8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
@@ -495,7 +495,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 39** - The new policy should appear in the **Policies** list.
- 
+ 
**To turn off Windows Hello and PINs during device setup**
1. In the Intune management portal, select **Admin**.
@@ -504,7 +504,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
**Figure 40** - Policy to disable Windows Hello for Business
- 
+ 
4. Click **Save**.
@@ -531,32 +531,32 @@ For other devices, such as those personally-owned by employees who need to conne
**Figure 41** - Add an Azure AD account to the device
- 
+ 
4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
**Figure 42** - Enter the account details
- 
+ 
5. You will be asked to update the password so enter a new password.
6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
**Figure 43** - Make sure this is your organization
- 
+ 
7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
**Figure 44** - Confirmation that the device is now connected
- 
+ 
8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
**Figure 45** - Device is now enrolled in Azure AD
- 
+ 
9. You can confirm that the new device and user are showing up as Intune-managed by going to the
Intune management portal and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
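Review bot: the device state is described three different ways in the unchanged context of this hunk: "registered in Azure AD" in step 8, "enrolled in Azure AD" in the Figure 45 caption, and "Azure AD joined" in the link text for section 2.3; these are distinct states for a personally owned device that goes through **Connect to work or school**, so pick one term for the caption and step 8 and make the pointer to section 2.3 say explicitly which state the reader is verifying. The image lines for Figures 41 to 45 show no visible before/after difference here.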
diff --git a/smb/index.md b/smb/index.md
index cc4c596a1c..a6ae7f1200 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -17,16 +17,16 @@ audience: itpro
# Windows 10 for SMB
-
+
-##  Learn
+##  Learn
Windows 10 for business
Learn how Windows 10 and Windows devices can help your business.
SMB blog
Read about the latest stories, technology insights, and business strategies for SMBs.
How to buy
Go here when you're ready to buy or want to learn more about Microsoft products you can use to help transform your business.
-##  Deploy
+##  Deploy
Get started: Deploy and manage a full cloud IT solution for your business
Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 73c2ce1f3d..882b7e57ba 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -55,7 +55,7 @@ There are a couple of things we need to know when you pay for apps. You can add
2. Select **Manage**, and then select **Settings**.
3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**.
-
+
## Allow app requests
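Review bot: the context line "On **Shop**, , under **Shopping behavior**" has a doubled comma; since the hunk already edits the adjacent image line, fix it to "On **Shop**, under **Shopping behavior**" in the same change.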
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index 26bb2598f8..bee1e82435 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -51,7 +51,7 @@ invoice and descriptions for each term.
The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay.
-
+
| Term | Description |
@@ -68,7 +68,7 @@ The **Invoice Summary** is on the top of the first page and shows information ab
The **Billing Summary** shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due.
-
+
| Term | Description |
| --- | --- |
@@ -91,7 +91,7 @@ The total amount due for each service family is calculated by subtracting Azure
`Total = Charges/Credits - Azure Credit + Tax`
-
+
| Term |Description |
| --- | --- |
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index bb29be21a9..3bdd7d61bc 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -91,7 +91,7 @@ Get-MSStoreInventory
>1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
>2. Click **Manage** and then choose **Apps & software**.
>3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
->
+>
## View people assigned to a product
Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 784e422a8a..0a66d2a739 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -36,23 +36,23 @@ The private store for your organization is a page in Microsoft Store app that co
1. Click the people icon in Microsoft Store app, and click **Sign in**.
- 
+ 
2. Click **Add account**, and then click **Work or school account**.
- 
+ 
3. Type the email account and password, and click **Sign in**.
- 
+ 
4. You should see the private store for your organization. In our example, the page is named **Contoso publishing**.
- 
+ 
Click the private store to see apps in your private store.
- 
+ 
## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 66f34fdabe..4b0cd1e47d 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -26,7 +26,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
:::row:::
:::column span="1":::
- 
+ 
:::column-end:::
:::column span="1":::
**Use security groups with Private store apps**
On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store.
[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education
@@ -38,7 +38,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
| | |
|-----------------------|---------------------------------|
-|  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](./manage-private-store-settings.md#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
+|  |**Performance improvements in private store**
We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them.
[Get more info](./manage-private-store-settings.md#private-store-performance)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
|
| **Manage Windows device deployment with Windows Autopilot Deployment**
In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.
[Get more info](add-profile-to-devices.md)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
|  |**Request an app**
People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases.
[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
||  |**Private store collections**
You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom.
[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)
**Applies to**:
Microsoft Store for Business
Microsoft Store for Education |
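Review bot: the removed and added table rows for "Performance improvements in private store" are identical in every visible line, so the change is presumably only in the image cell; say so in the commit message, and check that the lone "|" line that follows the added row does not leave an empty row in the rendered table. Two problems in the retained context are worth fixing in the same pass: "You can groups of apps in your private store" is missing a verb ("You can group apps"), and the "Private store collections" link points at review.docs.microsoft.com with a "branch=msfb-14856406" query string, which is an internal review URL that should be the public docs.microsoft.com path (./manage-private-store-settings.md#add-a-collection) before this ships.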
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 2150c9e7c3..8efc8effad 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -46,7 +46,7 @@ You'll need to set up:
- LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
The process and timing look like this:
-
+
##
Add an LOB publisher (Admin)
Admins need to invite developer or ISVs to become an LOB publisher.
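Review bot: the context line "Admins need to invite developer or ISVs" should read "developers or ISVs"; the hunk already touches the image line directly above the "Add an LOB publisher (Admin)" heading, so this is cheap to fix here. The removed and added image lines show no visible difference in this view.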
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index b0bdee5283..130ad633ee 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -423,7 +423,7 @@ The process then configures the client for package or connection group additions
This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user).
-
+
**Package add file and registry data**
@@ -454,7 +454,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu
Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details.
-
+
**Package add file and registry data—global**
@@ -481,7 +481,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A
7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis.
- 
+ 
**Package add file and registry data—stream**
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 501a6eae9f..4183212c31 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -20,9 +20,9 @@ This checklist outlines the recommended steps and items to consider when deployi
|Status|Task|References|Notes|
|---|---|---|---|
-||Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
-||Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
-||Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
+||Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
+||Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
+||Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)
[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)
[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
>[!NOTE]
>Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process.
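Review bot: the three removed table rows and the three added rows are identical in all visible text, so the change must be in the empty Status cell (the leading "||"), which is likely an image or checkbox; state that in the commit message. Also verify the rendered table after this change: the References cell of the "Run App-V Setup" row spans three physical lines ("How to install the sequencer", "Enable the App-V desktop client", "How to deploy the App-V server"), and a Markdown table cell only survives that if the breaks are `<br>` rather than real newlines.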
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index e8785b3d7f..9bde5d0531 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -28,7 +28,7 @@ The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit
1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation.
- 
+ 
3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**.
See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer.
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index e838f04c45..50887ca724 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -23,12 +23,12 @@ This checklist can be used to help you plan for preparing your organization for
|Status|Task|References|Notes|
|---|---|---|---|
-||Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
-||Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
-||If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
-||Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
-||If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
-||Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
+||Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
+||Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
+||If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
+||Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
+||If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
+||Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index d123957cd1..0a72c19e87 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -23,15 +23,15 @@ Enterprise users want the same ability to enable or limit background activity. I
Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background.
-
+
The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop:
-
+
Here is the set of available controls for mobile devices:
-
+
Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity).
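Review bot: the context line "Users have the ability to set background activity to by **Managed By Windows**" has a stray "by"; it should read "set background activity to be **Managed By Windows**". The three image lines changed in this hunk show no visible difference in this view, so the commit message should say what changed in them.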
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 0cda2dc8c9..4483687ba8 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -102,19 +102,19 @@ If a per-user service can't be disabled using a the security template, you can d
5. Right-click **Registry** > **New** > **Registry Item**.
- 
+ 
6. Make sure that HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path.
- 
+ 
7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**.
- 
+ 
8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**.
- 
+ 
9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8.
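Review bot: two typos in the unchanged context of this hunk should go in with the image edits: the hunk header text "can't be disabled using a the security template" has a doubled article ("using the security template"), and step 9 "cannot be managed with a Group Policy templates" mixes singular and plural ("with Group Policy templates"). Step 8 is the security-relevant line here and is correct as written (Start value 4 is SERVICE_DISABLED), so leave it.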
@@ -140,14 +140,14 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):
-
+
> [!CAUTION]
> We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution.
Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
-
+
### Manage template services by modifying the Windows image
@@ -186,4 +186,4 @@ For example, you might see the following per-user services listed in the Service
You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance.
-
\ No newline at end of file
+
\ No newline at end of file
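Review bot: both the removed and the added final line carry "\ No newline at end of file", so the file still ends without a trailing newline after this change; since the last line is being rewritten anyway, add the newline so the next diff to this file does not show a spurious change on this line.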
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 4130fde7e5..8482a3497c 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -48,11 +48,11 @@ Refactoring also makes it easier to view running processes in Task Manager. You
For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
-
+
Compare that to the same view of running processes in Windows 10 version 1703:
-
+
@@ -66,7 +66,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
The default value of **1** prevents the service from being split.
For example, this is the registry key configuration for BFE:
-
+
## Memory footprint
@@ -77,7 +77,7 @@ Consider the following:
|Grouped Services (< 3.5GB) | Split Services (3.5GB+)
|--------------------------------------- | ------------------------------------------ |
-| | |
+| | |
> [!NOTE]
> The above represents the peak observed values.
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 260944a53c..6da0fdfdb9 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -23,11 +23,11 @@ ms.topic: article
Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users.
-
+
The tools in the folder might vary depending on which edition of Windows you are using.
-
+
These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index ac96c101cf..c2a8ea0c57 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -41,53 +41,53 @@ Check Windows Security Event log on the NPS Server for NPS events that correspon
In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
- 
+ 
*Example: event ID 6273 (Audit Failure)*
- 
+ 
*Example: event ID 6272 (Audit Success)*
The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to **..\Wired-AutoConfig/Operational**. See the following example:
-
+
Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure.
First, validate the type of EAP method that's used:
-
+
If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
-
+
The CAPI2 event log is useful for troubleshooting certificate-related issues.
By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
-
+
For information about how to analyze CAPI2 event logs, see
[Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
-
+
If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
-
+
*Client-side packet capture data*
-
+
*NPS-side packet capture data*
> [!NOTE]
> If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example:
-
+
## Audit policy
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 646585085e..d039c10c17 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -50,7 +50,7 @@ The kernel passes control to the session manager process (Smss.exe) which initia
Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
-
+
[Click to enlarge](img-boot-sequence.md)
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index ce4154396e..57d2cc10a8 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -152,7 +152,7 @@ The important components of the MSM include:
- Security Manager (SecMgr) - handles all pre and post-connection security operations.
- Authentication Engine (AuthMgr) – Manages 802.1x auth requests
- 
+ 
Each of these components has their own individual state machines which follow specific transitions.
Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
@@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta
In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
-
\ No newline at end of file
+
\ No newline at end of file
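Review bot: both sides of this hunk still end with `\ No newline at end of file`; since the final line of the file is being rewritten anyway, terminate it with a newline so the file stops producing this marker in every future diff.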
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index 69fa51d4e4..d59710d70b 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -54,4 +54,4 @@ To change the policy for an external storage device:
7. Select the policy that you want to use.
- 
+ 
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 275869bf99..4d8f35673e 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -24,7 +24,7 @@ ms.topic: article
From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
-
+
## Set up
@@ -40,7 +40,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
- 
+ 
3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index b1077e5be6..6ce343dade 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -14,4 +14,4 @@ ms.prod: w10
Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)
-
+
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 376916c1d3..9354d9c8c9 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -56,13 +56,13 @@ Page files extend how much "committed memory" (also known as "virtual memory") i
The system commit memory limit is the sum of physical memory and all page files combined. It represents the maximum system-committed memory (also known as the "system commit charge") that the system can support.
-
+
The system commit charge is the total committed or "promised" memory of all committed virtual memory in the system. If the system commit charge reaches the system commit limit, the system and processes might not get committed memory. This condition can cause freezing, crashing, and other malfunctions. Therefore, make sure that you set the system commit limit high enough to support the system commit charge during peak usage.
-
+
-
+
The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index 263dd24430..db00986ab0 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -212,7 +212,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
-
_Device Installation policies flow chart_
+
_Device Installation policies flow chart_
@@ -261,17 +261,17 @@ To find device identification strings using Device Manager
4. Find the “Printers” section and find the target printer
- 
_Selecting the printer in Device Manager_
+ 
_Selecting the printer in Device Manager_
5. Double-click the printer and move to the ‘Details’ tab.
- 
_Open the ‘Details’ tab to look for the device identifiers_
+ 
_Open the ‘Details’ tab to look for the device identifiers_
6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies.
- 
+ 
- 
_HWID and Compatible ID_
+ 
_HWID and Compatible ID_
> [!TIP]
> You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
@@ -360,7 +360,7 @@ Creating the policy to prevent all printers from being installed:
6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
- 
_List of prevent Class GUIDs_
+ 
_List of prevent Class GUIDs_
7. Click ‘OK’.
@@ -399,7 +399,7 @@ Getting the right device identifier to prevent it from being installed:
1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously
- 
_Printer Hardware ID_
+ 
_Printer Hardware ID_
2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
@@ -417,7 +417,7 @@ Creating the policy to prevent a single printer from being installed:
5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
- 
_Prevent Device ID list_
+ 
_Prevent Device ID list_
6. Click ‘OK’.
@@ -477,7 +477,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
- 
_List of prevent Class GUIDs_
+ 
_List of prevent Class GUIDs_
7. Click ‘OK’.
@@ -489,7 +489,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one

- 
_Apply layered order of evaluation policy_
+ 
_Apply layered order of evaluation policy_
9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
@@ -497,7 +497,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
- 
_Allow Printer Hardware ID_
+ 
_Allow Printer Hardware ID_
12. Click ‘OK’.
@@ -532,22 +532,22 @@ Getting the right device identifier to prevent it from being installed and its l
3. Find the USB thumb-drive and select it.
- 
_Selecting the usb thumb-drive in Device Manager_
+ 
_Selecting the usb thumb-drive in Device Manager_
4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
- 
_Changing view in Device Manager to see the PnP connection tree_
+ 
_Changing view in Device Manager to see the PnP connection tree_
> [!NOTE]
> When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
- 
_When blocking one device, all the devices that are nested below it will be blocked as well_
+ 
_When blocking one device, all the devices that are nested below it will be blocked as well_
5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
_USB device hardware IDs_
+ 
_USB device hardware IDs_
Creating the policy to prevent a single USB thumb-drive from being installed:
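Review bot: in the note after step 4, "blocking\Preventing" uses a backslash where a slash (or just one of the two words) is meant, and the example sentence "Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked" has no main clause. Suggest "For example, if you prevent a “Generic USB Hub” from being installed, every device below that hub in the PnP tree is blocked as well." Worth fixing while this block is touched, since the nesting behaviour is the key point of the scenario.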
@@ -563,7 +563,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
_Prevent Device IDs list_
+ 
_Prevent Device IDs list_
6. Click ‘OK’.
@@ -620,7 +620,7 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I
- “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
- “Generic USB Hub” -> USB\USB20_HUB
-
_USB devices nested under each other in the PnP tree_
+
_USB devices nested under each other in the PnP tree_
These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine.
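Review bot: the sentence after the list, "Enabling them should not enable any external/peripheral device from being installed on the machine", mixes two constructions; suggest "Allowing these IDs should not allow any external or peripheral device to be installed." It would also help to tell the reader to confirm in Device Manager (as in the earlier steps) that the hub IDs they add to the Allow list (USB\ROOT_HUB30, USB\USB20_HUB) are the ones present on their own hardware, since that list is exactly what the Allow policy opens up.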
@@ -663,7 +663,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
- 
_Apply layered order of evaluation policy_
+ 
_Apply layered order of evaluation policy_
10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
@@ -671,7 +671,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
- 
_Allowed USB Device IDs list_
+ 
_Allowed USB Device IDs list_
13. Click ‘OK’.
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index a177277d07..f64ee0de0c 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -35,7 +35,7 @@ Policy paths:
**User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
-
+
## Configuring the Group Policy
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 22ba2d74a8..0e9dd8a789 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -92,7 +92,7 @@ For more information about how Windows 10 and Azure AD optimize access to work r
As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
-
+
## Settings and Configuration
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index b5b30659d6..7b77f47742 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -75,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
> [!TIP]
> If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
>
- > 
+ > 
>
> Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
@@ -86,11 +86,11 @@ First, you create a default user profile with the customizations that you want,
1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
- 
+ 
1. In **Copy To**, under **Permitted to use**, click **Change**.
- 
+ 
1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
@@ -98,11 +98,11 @@ First, you create a default user profile with the customizations that you want,
- If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
- 
+ 
- If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
- 
+ 
1. Click **OK** to copy the default user profile.
@@ -139,9 +139,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
| Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
| --- | --- | --- | --- | --- |
-| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
-| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
-| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled |  |  |  |  |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled |  |  |  |  |
> [!NOTE]
> The Group Policy settings above can be applied in Windows 10 Professional edition.
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 930343209f..42722f7bd7 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -22,7 +22,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
The following diagram shows the AccountManagement configuration service provider in tree format.
-
+
**./Vendor/MSFT/AccountManagement**
Root node for the AccountManagement configuration service provider.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 34f60116f4..64394a6989 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -21,45 +21,45 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
- 
+ 
2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
- 
+ 
3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
- 
+ 
4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
- 
+ 
5. After you finish creating your Azure account, you can add an Azure AD subscription.
If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
- 
+ 
6. Select **Install software**.
- 
+ 
7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
- 
+ 
8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase.
- 
+ 
9. Continue with your purchase.
- 
+ 
10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....).
- 
+ 
When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
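Review bot: step 5 carries two typos in the text next to the replaced screenshot: "Office 356 portal" should read "Office 365 portal", and the example account "user1@contosoltd.onmicrosoftcom" is missing the dot before "com" ("user1@contosoltd.onmicrosoft.com"). Fix them in the same change rather than leaving the text inconsistent with the new images.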
@@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
1. Sign in to the Microsoft 365 admin center at
using your organization's account.
- 
+ 
2. On the **Home** page, select on the Admin tools icon.
- 
+ 
3. On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
- 
+ 
4. On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
- 
+ 
5. It may take a few minutes to process the request.
- 
+ 
6. You will see a welcome page when the process completes.
- 
+ 
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 3df830bda7..5669fcf0f8 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -263,16 +263,16 @@ Supported operations are Get, Add, Delete, and Replace.
The **Device Portal** page opens on your browser.
- 
+ 
8. On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
9. On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
- 
+ 
10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
- 
+ 
The following table shows the mapping of information to the AppLocker publisher rule field.
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index 157bf6f4d0..4c8f6eaecd 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -23,7 +23,7 @@ manager: dansimp
[EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
-
+
(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 82a11f3eb6..a65935c948 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -90,7 +90,7 @@ After the users accepts the Terms of Use, the device is registered in Azure AD a
The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
-
+
The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic.
@@ -173,7 +173,7 @@ IT administrators use the Azure AD app gallery to add an MDM for their organizat
The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
-
+
### Add cloud-based MDM to the app gallery
@@ -195,24 +195,24 @@ The following table shows the required information to create an entry in the Azu
-Application ID |
-The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app. |
+Application ID |
+The client ID of your MDM app that is configured within your tenant. This is the unique identifier for your multi-tenant app. |
-Publisher |
-A string that identifies the publisher of the app. |
+Publisher |
+A string that identifies the publisher of the app. |
-Application URL |
-A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment. |
+Application URL |
+A URL to the landing page of your app where your administrators can get more information about the MDM app and contains a link to the landing page of your app. This URL is not used for the actual enrollment. |
-Description |
-A brief description of your MDM app, which must be under 255 characters. |
+Description |
+A brief description of your MDM app, which must be under 255 characters. |
-Icons |
-A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215 |
+Icons |
+A set of logo icons for the MDM app. Dimensions: 45 X 45, 150 X 122, 214 X 215 |
@@ -261,19 +261,19 @@ An MDM page must adhere to a predefined theme depending on the scenario that is
-FRX |
-OOBE |
-Dark theme + blue background color |
-Filename: Ui-dark.css |
-Filename: oobe-dekstop.css |
+FRX |
+OOBE |
+Dark theme + blue background color |
+Filename: Ui-dark.css |
+Filename: oobe-dekstop.css |
-MOSET |
-Settings/
+ | MOSET |
+Settings/
Post OOBE |
-Light theme |
-Filename: Ui-light.css |
-Filename: settings-desktop.css |
+Light theme |
+Filename: Ui-light.css |
+Filename: settings-desktop.css |
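Review bot: the FRX/OOBE row lists "Filename: oobe-dekstop.css" on both sides of the change; given "settings-desktop.css" in the MOSET row, this looks like a typo for "oobe-desktop.css". Please confirm against the actual stylesheet name, because MDM vendors implementing the Terms of Use page will copy this filename verbatim.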
@@ -302,20 +302,20 @@ The following parameters are passed in the query string:
-redirect_uri |
-After the user accepts or rejects the Terms of Use, the user is redirected to this URL. |
+redirect_uri |
+After the user accepts or rejects the Terms of Use, the user is redirected to this URL. |
-client-request-id |
-A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures. |
+client-request-id |
+A GUID that is used to correlate logs for diagnostic and debugging purposes. You use this parameter to log or trace the state of the enrollment request to help find the root cause in case of failures. |
-api-version |
-Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol. |
+api-version |
+Specifies the version of the protocol requested by the client. This provides a mechanism to support version revisions of the protocol. |
-mode |
-Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices. |
+mode |
+Specifies that the device is corporate owned when mode=azureadjoin. This parameter is not present for BYOD devices. |
@@ -342,20 +342,20 @@ The following claims are expected in the access token passed by Windows to the T
-Object ID |
-Identifier of the user object corresponding to the authenticated user. |
+Object ID |
+Identifier of the user object corresponding to the authenticated user. |
-UPN |
-A claim containing the user principal name (UPN) of the authenticated user. |
+UPN |
+A claim containing the user principal name (UPN) of the authenticated user. |
-TID |
-A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. |
+TID |
+A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. |
-Resource |
-A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com. |
+Resource |
+A sanitized URL representing the MDM application. Example, https://fabrikam.contosomdm.com. |
@@ -438,28 +438,28 @@ The following table shows the error codes.
-api-version |
-302 |
-invalid_request |
-unsupported version |
+api-version |
+302 |
+invalid_request |
+unsupported version |
-Tenant or user data are missing or other required prerequisites for device enrollment are not met |
-302 |
-unauthorized_client |
-unauthorized user or tenant |
+Tenant or user data are missing or other required prerequisites for device enrollment are not met |
+302 |
+unauthorized_client |
+unauthorized user or tenant |
-Azure AD token validation failed |
-302 |
-unauthorized_client |
-unauthorized_client |
+Azure AD token validation failed |
+302 |
+unauthorized_client |
+unauthorized_client |
-internal service error |
-302 |
-server_error |
-internal service error |
+internal service error |
+302 |
+server_error |
+internal service error |
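Review bot: in the "Azure AD token validation failed" row, the description column repeats the error code ("unauthorized_client | unauthorized_client") while every other row carries a human-readable description (for example "unauthorized user or tenant"); the last cell should describe the failure, e.g. "token validation failed". Since the row is being rewritten here, correct it in this change.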
@@ -486,104 +486,104 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
-MDM auto-discovery using email address to retrieve MDM discovery URL |
-Enrollment |
-Not applicable
+ | MDM auto-discovery using email address to retrieve MDM discovery URL |
+Enrollment |
+Not applicable
Discovery URL provisioned in Azure |
- |
+ |
-Uses MDM discovery URL |
-Enrollment
+ | Uses MDM discovery URL |
+Enrollment
Enrollment renewal
ROBO |
-Enrollment
+ | Enrollment
Enrollment renewal
ROBO |
-Enrollment
+ | Enrollment
Enrollment renewal
ROBO |
-Is MDM enrollment required? |
-Yes |
-Yes |
-No
+ | Is MDM enrollment required? |
+Yes |
+Yes |
+No
User can decline. |
-Authentication type |
-OnPremise
+ | Authentication type |
+OnPremise
Federated
Certificate |
-Federated |
-Federated |
+Federated |
+Federated |
-EnrollmentPolicyServiceURL |
-Optional (all auth) |
-Optional (all auth)
+ | EnrollmentPolicyServiceURL |
+Optional (all auth) |
+Optional (all auth)
|
-Optional (all auth)
+ | Optional (all auth)
|
-EnrollmentServiceURL |
-Required (all auth) |
-Used (all auth) |
-Used (all auth) |
+EnrollmentServiceURL |
+Required (all auth) |
+Used (all auth) |
+Used (all auth) |
-EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL |
-Highly recommended |
-Highly recommended |
-Highly recommended |
+EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL |
+Highly recommended |
+Highly recommended |
+Highly recommended |
-AuthenticationServiceURL used |
-Used (Federated auth) |
-Skipped |
-Skipped |
+AuthenticationServiceURL used |
+Used (Federated auth) |
+Skipped |
+Skipped |
-BinarySecurityToken |
-Custom per MDM |
-Azure AD issued token |
-Azure AD issued token |
+BinarySecurityToken |
+Custom per MDM |
+Azure AD issued token |
+Azure AD issued token |
-EnrollmentType |
-Full |
-Device |
-Full |
+EnrollmentType |
+Full |
+Device |
+Full |
-Enrolled certificate type |
-User certificate |
-Device certificate |
-User certificate |
+Enrolled certificate type |
+User certificate |
+Device certificate |
+User certificate |
-Enrolled certificate store |
-My/User |
-My/System |
-My/User |
+Enrolled certificate store |
+My/User |
+My/System |
+My/User |
-CSR subject name |
-User Principal Name |
-Device ID |
-User Principal Name |
+CSR subject name |
+User Principal Name |
+Device ID |
+User Principal Name |
-EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL |
-Not supported |
-Supported |
-Supported |
+EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL |
+Not supported |
+Supported |
+Supported |
-CSPs accessible during enrollment |
-Windows 10 support:
+ | CSPs accessible during enrollment |
+Windows 10 support:
- DMClient
- CertificateStore
@@ -598,8 +598,8 @@ With Azure integrated MDM enrollment, there is no discovery phase and the discov
- EnterpriseAppManagement (Windows Phone 8.1)
|
-same as traditional MDM enrollment |
-same as traditional MDM enrollment |
+same as traditional MDM enrollment |
+same as traditional MDM enrollment |
@@ -732,7 +732,7 @@ Response:
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
-
+
## Error codes
@@ -751,184 +751,184 @@ When a user is enrolled into MDM through Azure Active Directory Join and then di
-0x80180001 |
-"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x80180001 |
+"idErrorServerConnectivity", // MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x80180002 |
-"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180002 |
+"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180003 |
-"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
-This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180003 |
+"idErrorAuthorizationFailure", // MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
+This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180004 |
-"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR |
-There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180004 |
+"idErrorMDMCertificateError", // MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR |
+There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180005 |
-"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x80180005 |
+"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x80180006 |
-"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x80180006 |
+"idErrorServerConnectivity", // MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x80180007 |
-"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180007 |
+"idErrorAuthenticationFailure", // MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180008 |
-"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x80180008 |
+"idErrorServerConnectivity", // MENROLL_E_DEVICE_UNKNOWN_ERROR |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x80180009 |
-"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS |
-Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180009 |
+"idErrorAlreadyInProgress", // MENROLL_E_ENROLLMENT_IN_PROGRESS |
+Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}. |
-0x8018000A |
-"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED |
-This device is already enrolled. You can contact your system administrator with the error code {0}. |
+0x8018000A |
+"idErrorMDMAlreadyEnrolled", // MENROLL_E_DEVICE_ALREADY_ENROLLED |
+This device is already enrolled. You can contact your system administrator with the error code {0}. |
-0x8018000D |
-"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID |
-There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}. |
+0x8018000D |
+"idErrorMDMCertificateError", // MENROLL_E_DISCOVERY_SEC_CERT_DATE_INVALID |
+There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}. |
-0x8018000E |
-"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x8018000E |
+"idErrorAuthenticationFailure", // MENROLL_E_PASSWORD_NEEDED |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
-0x8018000F |
-"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x8018000F |
+"idErrorAuthenticationFailure", // MENROLL_E_WAB_ERROR |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180010 |
-"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x80180010 |
+"idErrorServerConnectivity", // MENROLL_E_CONNECTIVITY |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x80180012 |
-"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT |
-There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180012 |
+"idErrorMDMCertificateError", // MENROLL_E_INVALIDSSLCERT |
+There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180013 |
-"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED |
-Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}. |
+0x80180013 |
+"idErrorDeviceLimit", // MENROLL_E_DEVICECAPREACHED |
+Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}. |
-0x80180014 |
-"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED |
-This feature is not supported. Contact your system administrator with the error code {0}. |
+0x80180014 |
+"idErrorMDMNotSupported", // MENROLL_E_DEVICENOTSUPPORTED |
+This feature is not supported. Contact your system administrator with the error code {0}. |
-0x80180015 |
-"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED |
-This feature is not supported. Contact your system administrator with the error code {0}. |
+0x80180015 |
+"idErrorMDMNotSupported", // MENROLL_E_NOTSUPPORTED |
+This feature is not supported. Contact your system administrator with the error code {0}. |
-0x80180016 |
-"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW |
-The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180016 |
+"idErrorMDMRenewalRejected", // MENROLL_E_NOTELIGIBLETORENEW |
+The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180017 |
-"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE |
-The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}. |
+0x80180017 |
+"idErrorMDMAccountMaintenance", // MENROLL_E_INMAINTENANCE |
+The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}. |
-0x80180018 |
-"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE |
-There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180018 |
+"idErrorMDMLicenseError", // MENROLL_E_USERLICENSE |
+There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}. |
-0x80180019 |
-"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID |
-Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}. |
+0x80180019 |
+"idErrorInvalidServerConfig", // MENROLL_E_ENROLLMENTDATAINVALID |
+Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}. |
-"rejectedTermsOfUse" |
-"idErrorRejectedTermsOfUse" |
-Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information. |
+"rejectedTermsOfUse" |
+"idErrorRejectedTermsOfUse" |
+Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information. |
-0x801c0001 |
-"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x801c0001 |
+"idErrorServerConnectivity", // DSREG_E_DEVICE_MESSAGE_FORMAT_ERROR |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x801c0002 |
-"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x801c0002 |
+"idErrorAuthenticationFailure", // DSREG_E_DEVICE_AUTHENTICATION_ERROR |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
-0x801c0003 |
-"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR |
-This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}. |
+0x801c0003 |
+"idErrorAuthorizationFailure", // DSREG_E_DEVICE_AUTHORIZATION_ERROR |
+This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}. |
-0x801c0006 |
-"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x801c0006 |
+"idErrorServerConnectivity", // DSREG_E_DEVICE_INTERNALSERVICE_ERROR |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x801c000B |
-"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED |
-The server being contacted is not trusted. Contact your system administrator with the error code {0}. |
+0x801c000B |
+"idErrorUntrustedServer", // DSREG_E_DISCOVERY_REDIRECTION_NOT_TRUSTED |
+The server being contacted is not trusted. Contact your system administrator with the error code {0}. |
-0x801c000C |
-"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x801c000C |
+"idErrorServerConnectivity", // DSREG_E_DISCOVERY_FAILED |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x801c000E |
-"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED |
-Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}. |
+0x801c000E |
+"idErrorDeviceLimit", // DSREG_E_DEVICE_REGISTRATION_QUOTA_EXCCEEDED |
+Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}. |
-0x801c000F |
-"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT |
-A reboot is required to complete device registration. |
+0x801c000F |
+"idErrorDeviceRequiresReboot", // DSREG_E_DEVICE_REQUIRES_REBOOT |
+A reboot is required to complete device registration. |
-0x801c0010 |
-"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR |
-Looks like you have an invalid certificate. Contact your system administrator with the error code {0}. |
+0x801c0010 |
+"idErrorInvalidCertificate", // DSREG_E_DEVICE_AIK_VALIDATION_ERROR |
+Looks like you have an invalid certificate. Contact your system administrator with the error code {0}. |
-0x801c0011 |
-"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x801c0011 |
+"idErrorAuthenticationFailure", // DSREG_E_DEVICE_ATTESTATION_ERROR |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
-0x801c0012 |
-"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR |
-There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
+0x801c0012 |
+"idErrorServerConnectivity", // DSREG_E_DISCOVERY_BAD_MESSAGE_ERROR |
+There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0} |
-0x801c0013 |
-"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x801c0013 |
+"idErrorAuthenticationFailure", // DSREG_E_TENANTID_NOT_FOUND |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
-0x801c0014 |
-"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND |
-There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
+0x801c0014 |
+"idErrorAuthenticationFailure", // DSREG_E_USERSID_NOT_FOUND |
+There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}. |
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 21499425a9..ce25592491 100644
--- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -20,10 +20,10 @@ manager: dansimp
2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
3. Select **Microsoft Intune** and configure the blade.
-
+
Configure the blade
-
+
You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users).
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index 0bb9326924..e07354fa81 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -27,7 +27,7 @@ The BOOTSTRAP configuration service provider sets the Trusted Provisioning Serve
The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
+
**CONTEXT-ALLOW**
Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 46ee3a5e98..15a939f7eb 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -30,7 +30,7 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
-
+
***favorite name***
Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4fabdbc971..d1db6d514e 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -57,7 +57,7 @@ Using the WCD, create a provisioning package using the enrollment information re
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
- 
+ 
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
@@ -74,20 +74,20 @@ Using the WCD, create a provisioning package using the enrollment information re
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the WCD at this point.
- 
+ 
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** > **ConnectivityProfiles** > **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** > **Provisioning package**.
- 
+ 
12. Enter the values for your package and specify the package output location.
- 
- 
- 
+ 
+ 
+ 
13. Click **Build**.
- 
+ 
14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
15. Apply the package to your devices.
@@ -108,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re
5. Set **ExportCertificate** to False.
6. For **KeyLocation**, select **Software only**.
- 
+ 
7. Specify the workplace settings.
1. Got to **Workplace** > **Enrollments**.
2. Enter the **UPN** for the enrollment and then click **Add**.
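Review bot: the context line `1. Got to **Workplace** > **Enrollments**.` has a typo; since this hunk already edits this step list, change it to `1. Go to **Workplace** > **Enrollments**.` in the same commit.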
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index 64372f26a8..e493bf16e1 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -21,12 +21,12 @@ The CellularSettings configuration service provider is used to configure cellula
The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
-
+
**DataRoam**
- Optional. Integer. Specifies the default roaming value. Valid values are:
+ Optional. Integer. Specifies the default roaming value. Valid values are:
-
+
diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md
index 5f319c9900..9a5f7e4425 100644
--- a/windows/client-management/mdm/change-history-for-mdm-documentation.md
+++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md
@@ -192,32 +192,32 @@ This article lists new and updated articles for the Mobile Device Management (MD
-BitLocker CSP |
-Added support for Windows 10 Pro starting in the version 1809.
+ | BitLocker CSP |
+Added support for Windows 10 Pro starting in the version 1809.
|
-Office CSP |
-Added FinalStatus setting in Windows 10, version 1809.
+ | Office CSP |
+Added FinalStatus setting in Windows 10, version 1809.
|
-RemoteWipe CSP |
-Added new settings in Windows 10, version 1809.
+ | RemoteWipe CSP |
+Added new settings in Windows 10, version 1809.
|
-TenantLockdown CSP |
-Added new CSP in Windows 10, version 1809.
+ | TenantLockdown CSP |
+Added new CSP in Windows 10, version 1809.
|
-WindowsDefenderApplicationGuard CSP |
-Added new settings in Windows 10, version 1809.
+ | WindowsDefenderApplicationGuard CSP |
+Added new settings in Windows 10, version 1809.
|
-Policy DDF file |
-Posted an updated version of the Policy DDF for Windows 10, version 1809.
+ | Policy DDF file |
+Posted an updated version of the Policy DDF for Windows 10, version 1809.
|
-Policy CSP |
-Added the following new policies in Windows 10, version 1809:
+ | Policy CSP |
+Added the following new policies in Windows 10, version 1809:
- Browser/AllowFullScreenMode
- Browser/AllowPrelaunch
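Review bot: the rewritten rows put one table row on three lines (`+ | BitLocker CSP |`, then `+Added support for Windows 10 Pro starting in the version 1809.`, then a bare `|`); a Markdown table needs each row on a single line, so unless this is a rendering artifact of the diff, join them. The leading space in `+ | BitLocker CSP |` is also inconsistent with the bare `|` lines in the same rows. Wording: "starting in the version 1809" should read "starting in version 1809".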
@@ -270,47 +270,47 @@ This article lists new and updated articles for the Mobile Device Management (MD
-AssignedAccess CSP |
-Added the following note:
+ | AssignedAccess CSP |
+Added the following note:
- You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
|
-PassportForWork CSP |
-Added new settings in Windows 10, version 1809.
+ | PassportForWork CSP |
+Added new settings in Windows 10, version 1809.
|
-EnterpriseModernAppManagement CSP |
-Added NonRemovable setting under AppManagement node in Windows 10, version 1809.
+ | EnterpriseModernAppManagement CSP |
+Added NonRemovable setting under AppManagement node in Windows 10, version 1809.
|
-Win32CompatibilityAppraiser CSP |
-Added new configuration service provider in Windows 10, version 1809.
+ | Win32CompatibilityAppraiser CSP |
+Added new configuration service provider in Windows 10, version 1809.
|
-WindowsLicensing CSP |
-Added S mode settings and SyncML examples in Windows 10, version 1809.
+ | WindowsLicensing CSP |
+Added S mode settings and SyncML examples in Windows 10, version 1809.
|
-SUPL CSP |
-Added 3 new certificate nodes in Windows 10, version 1809.
+ | SUPL CSP |
+Added 3 new certificate nodes in Windows 10, version 1809.
|
-Defender CSP |
-Added a new node Health/ProductStatus in Windows 10, version 1809.
+ | Defender CSP |
+Added a new node Health/ProductStatus in Windows 10, version 1809.
|
-BitLocker CSP |
-Added a new node AllowStandardUserEncryption in Windows 10, version 1809.
+ | BitLocker CSP |
+Added a new node AllowStandardUserEncryption in Windows 10, version 1809.
|
-DevDetail CSP |
-Added a new node SMBIOSSerialNumber in Windows 10, version 1809.
+ | DevDetail CSP |
+Added a new node SMBIOSSerialNumber in Windows 10, version 1809.
|
-Policy CSP |
-Added the following new policies in Windows 10, version 1809:
+ | Policy CSP |
+Added the following new policies in Windows 10, version 1809:
- ApplicationManagement/LaunchAppAfterLogOn
- ApplicationManagement/ScheduleForceRestartForUpdateFailures
@@ -360,24 +360,24 @@ This article lists new and updated articles for the Mobile Device Management (MD
-Wifi CSP |
-Added a new node WifiCost in Windows 10, version 1809.
+ | Wifi CSP |
+Added a new node WifiCost in Windows 10, version 1809.
|
-Diagnose MDM failures in Windows 10 |
-Recent changes:
+ | Diagnose MDM failures in Windows 10 |
+Recent changes:
- Added procedure for collecting logs remotely from Windows 10 Holographic.
- Added procedure for downloading the MDM Diagnostic Information log.
|
-BitLocker CSP |
-Added new node AllowStandardUserEncryption in Windows 10, version 1809.
+ | BitLocker CSP |
+Added new node AllowStandardUserEncryption in Windows 10, version 1809.
|
-Policy CSP |
-Recent changes:
+ | Policy CSP |
+Recent changes:
- AccountPoliciesAccountLockoutPolicy/AccountLockoutDuration - removed from docs. Not supported.
- AccountPoliciesAccountLockoutPolicy/AccountLockoutThreshold - removed from docs. Not supported.
@@ -398,8 +398,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-WiredNetwork CSP |
-New CSP added in Windows 10, version 1809.
+ | WiredNetwork CSP |
+New CSP added in Windows 10, version 1809.
|
| |
@@ -419,8 +419,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
-Policy DDF file |
-Updated the DDF files in the Windows 10 version 1703 and 1709.
+ | Policy DDF file |
+Updated the DDF files in the Windows 10 version 1703 and 1709.
- Download the Policy DDF file for Windows 10, version 1709
- Download the Policy DDF file for Windows 10, version 1703
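Review bot: `Updated the DDF files in the Windows 10 version 1703 and 1709.` should read "Updated the DDF files for Windows 10, versions 1703 and 1709." to match the "Windows 10, version NNNN" form used in the other rows.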
@@ -444,35 +444,35 @@ This article lists new and updated articles for the Mobile Device Management (MD
-WindowsDefenderApplicationGuard CSP |
-Added the following node in Windows 10, version 1803:
+ | WindowsDefenderApplicationGuard CSP |
+Added the following node in Windows 10, version 1803:
- Settings/AllowVirtualGPU
- Settings/SaveFilesToHost
|
-NetworkProxy CSP |
-Added the following node in Windows 10, version 1803:
+ | NetworkProxy CSP |
+Added the following node in Windows 10, version 1803:
|
-Accounts CSP |
-Added a new CSP in Windows 10, version 1803.
+ | Accounts CSP |
+Added a new CSP in Windows 10, version 1803.
|
-MDM Migration Analysis Tool (MMAT) |
-Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
+ | MDM Migration Analysis Tool (MMAT) |
+Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
|
-CSP DDF files download |
-Added the DDF download of Windows 10, version 1803 configuration service providers.
+ | CSP DDF files download |
+Added the DDF download of Windows 10, version 1803 configuration service providers.
|
-Policy CSP |
-Added the following new policies for Windows 10, version 1803:
+ | Policy CSP |
+Added the following new policies for Windows 10, version 1803:
- Bluetooth/AllowPromptedProximalConnections
- KioskBrowser/EnableEndSessionButton
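Review bot: the WindowsDefenderApplicationGuard CSP row says "Added the following node" but lists two (Settings/AllowVirtualGPU and Settings/SaveFilesToHost), so it should say "nodes". The NetworkProxy CSP row says "Added the following node in Windows 10, version 1803:" and the closing `|` follows immediately, so either the node name was dropped or the sentence needs to name it.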
@@ -500,41 +500,41 @@ This article lists new and updated articles for the Mobile Device Management (MD
-eUICCs CSP |
-Added the following node in Windows 10, version 1803:
+ | eUICCs CSP |
+Added the following node in Windows 10, version 1803:
|
-DeviceStatus CSP |
-Added the following node in Windows 10, version 1803:
+ | DeviceStatus CSP |
+Added the following node in Windows 10, version 1803:
|
-Understanding ADMX-backed policies |
-Added the following videos:
+ | Understanding ADMX-backed policies |
+Added the following videos:
|
-AccountManagement CSP |
-Added a new CSP in Windows 10, version 1803.
+ | AccountManagement CSP |
+Added a new CSP in Windows 10, version 1803.
|
-RootCATrustedCertificates CSP |
-Added the following node in Windows 10, version 1803:
+ | RootCATrustedCertificates CSP |
+Added the following node in Windows 10, version 1803:
|
-Policy CSP |
-Added the following new policies for Windows 10, version 1803:
+ | Policy CSP |
+Added the following new policies for Windows 10, version 1803:
- ApplicationDefaults/EnableAppUriHandlers
- ApplicationManagement/MSIAllowUserControlOverInstall
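Review bot: four rows in this hunk end with a colon and nothing after it before the closing `|`: eUICCs CSP, DeviceStatus CSP and RootCATrustedCertificates CSP ("Added the following node in Windows 10, version 1803:") and Understanding ADMX-backed policies ("Added the following videos:"). Restore the dropped list items or reword each sentence so it does not promise a list.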
@@ -556,16 +556,16 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-Policy CSP - Bluetooth |
-Added new section ServicesAllowedList usage guide.
+ | Policy CSP - Bluetooth |
+Added new section ServicesAllowedList usage guide.
|
-MultiSIM CSP |
-Added SyncML examples and updated the settings descriptions.
+ | MultiSIM CSP |
+Added SyncML examples and updated the settings descriptions.
|
-RemoteWipe CSP |
-Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.
+ | RemoteWipe CSP |
+Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.
|
| |
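Review bot: "Reverted back to Windows 10, version 1709." in the RemoteWipe CSP row is redundant; "Reverted to Windows 10, version 1709." says the same thing.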
@@ -585,8 +585,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
-Policy CSP |
-Added the following new policies for Windows 10, version 1803:
+ | Policy CSP |
+Added the following new policies for Windows 10, version 1803:
- Display/DisablePerProcessDpiForApps
- Display/EnablePerProcessDpi
@@ -603,12 +603,12 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-VPNv2 ProfileXML XSD |
-Updated the XSD and Plug-in profile example for VPNv2 CSP.
+ | VPNv2 ProfileXML XSD |
+Updated the XSD and Plug-in profile example for VPNv2 CSP.
|
-AssignedAccess CSP |
-Added the following nodes in Windows 10, version 1803:
+ | AssignedAccess CSP |
+Added the following nodes in Windows 10, version 1803:
- Status
- ShellLauncher
@@ -617,12 +617,12 @@ This article lists new and updated articles for the Mobile Device Management (MD
Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.
|
-MultiSIM CSP |
-Added a new CSP in Windows 10, version 1803.
+ | MultiSIM CSP |
+Added a new CSP in Windows 10, version 1803.
|
-EnterpriseModernAppManagement CSP |
-Added the following node in Windows 10, version 1803:
+ | EnterpriseModernAppManagement CSP |
+Added the following node in Windows 10, version 1803:
- MaintainProcessorArchitectureOnUpdate
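Review bot: the context line `Updated the AssigneAccessConfiguration schema.` misspells the schema name; it should match the CSP named in the same row, i.e. `AssignedAccessConfiguration`. The following sentence also needs a comma: "Starting in Windows 10, version 1803, AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite."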
@@ -645,8 +645,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-Policy CSP |
-Added the following new policies for Windows 10, version 1803:
+ | Policy CSP |
+Added the following new policies for Windows 10, version 1803:
|
-BitLocker CSP |
-Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
+ | BitLocker CSP |
+Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
|
-EnterpriseModernAppManagement CSP |
-Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.
+ | EnterpriseModernAppManagement CSP |
+Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.
|
-DMClient CSP |
-Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
+ | DMClient CSP |
+Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
- AADSendDeviceToken
- BlockInStatusPage
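Review bot: the Policy CSP row ("Added the following new policies for Windows 10, version 1803:") is followed directly by the closing `|` with no policies listed. The EnterpriseModernAppManagement CSP row still dates MaintainProcessorArchitectureOnUpdate to "Windows 10, next major update" while the EnterpriseModernAppManagement row in the previous hunk dates the same node to version 1803; use the version number here too.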
@@ -764,16 +764,16 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-Defender CSP |
-Added new node (OfflineScan) in Windows 10, version 1803.
+ | Defender CSP |
+Added new node (OfflineScan) in Windows 10, version 1803.
|
-UEFI CSP |
-Added a new CSP in Windows 10, version 1803.
+ | UEFI CSP |
+Added a new CSP in Windows 10, version 1803.
|
-Update CSP |
-Added the following nodes in Windows 10, version 1803:
+ | Update CSP |
+Added the following nodes in Windows 10, version 1803:
|
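Review bot: the Update CSP row ends with "Added the following nodes in Windows 10, version 1803:" and the closing `|` follows on the next line, so the node list is missing; restore it or drop the colon sentence.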
@@ -820,8 +820,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
-Policy CSP |
-Added the following policies for Windows 10, version 1709:
+ | Policy CSP |
+Added the following policies for Windows 10, version 1709:
- Authentication/AllowFidoDeviceSignon
- Cellular/LetAppsAccessCellularData
@@ -858,28 +858,28 @@ This article lists new and updated articles for the Mobile Device Management (MD
-Policy DDF file |
-Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
+ | Policy DDF file |
+Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
|
-Policy CSP |
-Updated the following policies:
+ | Policy CSP |
+Updated the following policies:
- Defender/ControlledFolderAccessAllowedApplications - string separator is |.
- Defender/ControlledFolderAccessProtectedFolders - string separator is |.
|
-eUICCs CSP |
-Added new CSP in Windows 10, version 1709.
+ | eUICCs CSP |
+Added new CSP in Windows 10, version 1709.
|
-AssignedAccess CSP |
-Added SyncML examples for the new Configuration node.
+ | AssignedAccess CSP |
+Added SyncML examples for the new Configuration node.
|
-DMClient CSP |
-Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
+ | DMClient CSP |
+Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
|
|
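Review bot: the two Policy CSP bullets in this hunk, `- Defender/ControlledFolderAccessAllowedApplications - string separator is |.` and the ControlledFolderAccessProtectedFolders one, contain a bare `|` inside content that the `+ | Policy CSP |` lines are turning into pipe-delimited rows; a literal pipe inside a Markdown table cell has to be escaped as `\|` or wrapped in a code span, otherwise it is read as a cell boundary. Please check the rendered table for those two rows after this change.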
@@ -899,8 +899,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
-Policy CSP |
-Added the following new policies for Windows 10, version 1709:
+ | Policy CSP |
+Added the following new policies for Windows 10, version 1709:
|
-AssignedAccess CSP |
-Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
+ | AssignedAccess CSP |
+Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
|
-Microsoft Store for Business and Microsoft Store |
-Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
+ | Microsoft Store for Business and Microsoft Store |
+Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
|
-The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2 |
-The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
+ | The [MS-MDE2]: Mobile Device Enrollment Protocol Version 2 |
+The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
- UXInitiated - boolean value that indicates whether the enrollment is user initiated from the Settings page.
- ExternalMgmtAgentHint - a string the agent uses to give hints the enrollment server may need.
@@ -928,20 +928,20 @@ This article lists new and updated articles for the Mobile Device Management (MD
For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
|
-EnterpriseAPN CSP |
-Added a SyncML example.
+ | EnterpriseAPN CSP |
+Added a SyncML example.
|
-VPNv2 CSP |
-Added RegisterDNS setting in Windows 10, version 1709.
+ | VPNv2 CSP |
+Added RegisterDNS setting in Windows 10, version 1709.
|
-Enroll a Windows 10 device automatically using Group Policy |
-Added new topic to introduce a new Group Policy for automatic MDM enrollment.
+ | Enroll a Windows 10 device automatically using Group Policy |
+Added new topic to introduce a new Group Policy for automatic MDM enrollment.
|
-MDM enrollment of Windows-based devices |
-New features in the Settings app:
+ | MDM enrollment of Windows-based devices |
+New features in the Settings app:
- User sees installation progress of critical policies during MDM enrollment.
- User knows what policies, profiles, apps MDM has configured
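Review bot: the unchanged bullet `- User knows what policies, profiles, apps MDM has configured` at the end of this hunk is missing the serial "and" and the terminal period that the bullet above it has; since the entry's heading line is being rewritten anyway, tidy the bullet to "policies, profiles, and apps MDM has configured."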
@@ -967,23 +967,23 @@ This article lists new and updated articles for the Mobile Device Management (MD
-Enable ADMX-backed policies in MDM |
-Added new step-by-step guide to enable ADMX-backed policies.
+ | Enable ADMX-backed policies in MDM |
+Added new step-by-step guide to enable ADMX-backed policies.
|
-Mobile device enrollment |
-Added the following statement:
+ | Mobile device enrollment |
+Added the following statement:
- Devices that are joined to an on-premises Active Directory can enroll into MDM via the Work access page in Settings. However, the enrollment can only target the user enrolled with user-specific policies. Device targeted policies will continue to impact all users of the device.
|
-CM_CellularEntries CSP |
-Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
+ | CM_CellularEntries CSP |
+Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
|
-EnterpriseDataProtection CSP |
-Updated the Settings/EDPEnforcementLevel values to the following:
+ | EnterpriseDataProtection CSP |
+Updated the Settings/EDPEnforcementLevel values to the following:
- 0 (default) – Off / No protection (decrypts previously protected data).
- 1 – Silent mode (encrypt and audit only).
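Review bot: the `+` line for the CM_CellularEntries entry (`+Updated the description of the PuposeGroups node to add the GUID for applications.`) carries the typo `PuposeGroups` over from the `-` line; since the line is being rewritten, correct it to `PurposeGroups`, which is the node name the cm-cellularentries-csp.md hunk in this same patch uses (`**PurposeGroups**`). The same sentence's "This node is required instead of optional." would read more clearly as "This node is now required rather than optional."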
@@ -992,31 +992,31 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-AppLocker CSP |
-Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.
+ | AppLocker CSP |
+Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.
|
-DeviceManageability CSP |
-Added the following settings in Windows 10, version 1709:
+ | DeviceManageability CSP |
+Added the following settings in Windows 10, version 1709:
- Provider/ProviderID/ConfigInfo
- Provider/ProviderID/EnrollmentInfo
|
-Office CSP |
-Added the following setting in Windows 10, version 1709:
+ | Office CSP |
+Added the following setting in Windows 10, version 1709:
- Installation/CurrentStatus
|
-BitLocker CSP |
-Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
+ | BitLocker CSP |
+Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits in SystemDrivesRequireStartupAuthentication and SystemDrivesMinimumPINLength in Windows 10, version 1709.
|
-Firewall CSP |
-Updated the CSP and DDF topics. Here are the changes:
+ | Firewall CSP |
+Updated the CSP and DDF topics. Here are the changes:
- Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.
- Changed some data types from integer to bool.
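Review bot: `- Changed some data types from integer to bool.` in the Firewall CSP entry is too vague for a change log that MDM admins use to adjust their SyncML; name the nodes whose type changed, as the bullet above it does (`- Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.`). In the BitLocker entry, `+Added information to the ADMX-backed policies. Changed the minimum personal identification number (PIN) length to 4 digits…` merges two unrelated changes into one cell; splitting them into bullets like the other entries makes the PIN-length change, which a security reviewer will want to notice, easier to spot.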
@@ -1025,8 +1025,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-Policy DDF file |
-Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:
+ | Policy DDF file |
+Added another Policy DDF file download for the 8C release of Windows 10, version 1607, which added the following policies:
- Browser/AllowMicrosoftCompatibilityList
- Update/DisableDualScan
@@ -1034,8 +1034,8 @@ This article lists new and updated articles for the Mobile Device Management (MD
|
-Policy CSP |
-Added the following new policies for Windows 10, version 1709:
+ | Policy CSP |
+Added the following new policies for Windows 10, version 1709:
- Browser/ProvisionFavorites
- Browser/LockdownFavorites
diff --git a/windows/client-management/mdm/cleanpc-csp.md b/windows/client-management/mdm/cleanpc-csp.md
index a4433c6dcf..437a1a48c2 100644
--- a/windows/client-management/mdm/cleanpc-csp.md
+++ b/windows/client-management/mdm/cleanpc-csp.md
@@ -23,14 +23,14 @@ CleanPC
----CleanPCRetainingUserData
```
**./Device/Vendor/MSFT/CleanPC**
-The root node for the CleanPC configuration service provider.
+The root node for the CleanPC configuration service provider.
**CleanPCWithoutRetainingUserData**
-An integer specifying a CleanPC operation without any retention of user data.
+ An integer specifying a CleanPC operation without any retention of user data.
- The only supported operation is Execute.
+ The only supported operation is Execute.
**CleanPCRetainingUserData**
- An integer specifying a CleanPC operation with retention of user data.
+ An integer specifying a CleanPC operation with retention of user data.
- The only supported operation is Execute.
+ The only supported operation is Execute.
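Review bot: the hunk normalises the description lines to a single leading space (`+ An integer specifying a CleanPC operation without any retention of user data.`) but leaves `+The root node for the CleanPC configuration service provider.` without one, so the description lines in this file still use two different indents; either indent the root-node line as well or drop the leading space everywhere, since a single space does not change the rendering. Given what `CleanPCWithoutRetainingUserData` does, it is also worth stating in the description that executing it removes the user data irreversibly; `The only supported operation is Execute.` as written does not say so.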
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 5063181c3f..44886adee0 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -20,31 +20,31 @@ This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capa
The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
-
+
***entryname***
- Defines the name of the connection.
+Defines the name of the connection.
-The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.
+The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.
**AlwaysOn**
-Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
+ Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available.
- A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
+ A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS.
- A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
+ A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs.
- There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
+ There must be at least one AlwaysOn Internet connection provisioned for the mobile operator.
**AuthType**
- Optional. Type: String. Specifies the method of authentication used for a connection.
+ Optional. Type: String. Specifies the method of authentication used for a connection.
- A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None".
+ A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None".
**ConnectionType**
- Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
+ Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available:
-
+
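Review bot: the `+` line under **AuthType** (`+ A value of "CHAP" specifies the Challenge Handshake Application Protocol.`) keeps a wrong expansion from the `-` line; CHAP is the Challenge Handshake Authentication Protocol (RFC 1994), and since the line is already being touched this is the moment to fix it. Also, **AlwaysOn** (`+ Type: Int. Specifies if the Connection Manager will automatically attempt to connect…`) is the only parameter in this hunk without an "Optional." or "Required." marker while AuthType and ConnectionType carry one; state which it is. Minor: the `+` line mentioning `CM_ProxyEntries` leaves the underscore unescaped while the context line above writes `CM\_CellularEntries`; use one convention.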
@@ -80,48 +80,48 @@ The following diagram shows the CM\_CellularEntries configuration service provid
**Desc.langid**
-Optional. Specifies the UI display string used by the defined language ID.
+ Optional. Specifies the UI display string used by the defined language ID.
- A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry.
+ A parameter name in the format of Desc.langid will be used as the language-specific identifier for the specified entry. For example, a parameter defined as Desc.0409 with a value of "GPRS Connection" will force "GPRS Connection" to be displayed in the UI to represent this connection when the device is set to English language (language ID 0409). Descriptions for multiple languages may be provisioned using this mechanism, and the system will automatically switch among them if the user changes language preferences on the device. If no Desc parameter is provisioned for a given language, the system will default to the name used to create the entry.
**Enabled**
- Specifies if the connection is enabled.
+ Specifies if the connection is enabled.
- A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled.
+ A value of "0" specifies that the connection is disabled. A value of "1" specifies that the connection is enabled.
**IpHeaderCompression**
- Optional. Specifies if IP header compression is enabled.
+ Optional. Specifies if IP header compression is enabled.
- A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled.
+ A value of "0" specifies that IP header compression for the connection is disabled. A value of "1" specifies that IP header compression for the connection is enabled.
**Password**
- Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.
+ Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.
**SwCompression**
- Optional. Specifies if software compression is enabled.
+ Optional. Specifies if software compression is enabled.
- A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled.
+ A value of "0" specifies that software compression for the connection is disabled. A value of "1" specifies that software compression for the connection is enabled.
**UserName**
- Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN.
+ Required if AuthType is set to a value other than "None". Specifies the user name used to connect to the APN.
**UseRequiresMappingsPolicy**
- Optional. Specifies if the connection requires a corresponding mappings policy.
+ Optional. Specifies if the connection requires a corresponding mappings policy.
- A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
+ A value of "0" specifies that the connection can be used for any general Internet communications. A value of "1" specifies that the connection is only used if a mapping policy is present.
- For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
+ For example, if the multimedia messaging service (MMS) APN should not have any other traffic except MMS, you can configure a mapping policy that sends MMS traffic to this connection. Then, you set the value of UseRequiresMappingsPolicy to be equal to "1" and Connection Manager will only use the connection for MMS traffic. Without this, Connection Manager will try to use the connection for any general purpose Internet traffic.
**Version**
- Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
+ Type: Int. Specifies the XML version number and is used to verify that the XML is supported by Connection Manager's configuration service provider.
- This value must be "1" if included.
+ This value must be "1" if included.
**GPRSInfoAccessPointName**
- Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT".
+ Specifies the logical name to select the GPRS gateway. For more information about allowable values, see GSM specification 07.07 "10.1.1 Define PDP Context +CGDCONT".
**Roaming**
- Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
+ Optional. Type: Int. This parameter specifies the roaming conditions under which the connection should be activated. The following conditions are available:
- 0 - Home network only.
- 1 (default)- All roaming conditions (home and roaming).
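Review bot: several parameters in this hunk change only in trailing whitespace and still lack the `Type:` annotation their neighbours carry: **Enabled**, **IpHeaderCompression**, **Password**, **SwCompression**, **UserName** and **UseRequiresMappingsPolicy** (e.g. `+ Specifies if the connection is enabled.`) give "0"/"1" values or a string without saying Int or String, whereas **Version**, **Roaming** and the earlier **AuthType** do; add `Type: Int.` / `Type: String.` for consistency. The **Password** entry (`+ Required if AuthType is set to a value other than "None". Specifies the password used to connect to the APN.`) should also say how the credential is handled, for example whether it is returned on a Get, since nothing in the line tells an admin. In the unchanged list below **Roaming**, `- 1 (default)- All roaming conditions (home and roaming).` needs a space before the dash to match `- 0 - Home network only.`.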
@@ -131,13 +131,13 @@ The following diagram shows the CM\_CellularEntries configuration service provid
- 5 - Roaming only.
**OEMConnectionID**
- Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
+ Optional. Type: GUID. Specifies a GUID to use to identify a specific connection in the modem. If a value is not specified, the default value is 00000000-0000-0000-0000-000000000000. This parameter is only used on LTE devices.
**ApnId**
- Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices.
+ Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none). This parameter is only used on LTE devices.
**IPType**
- Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
+ Optional. Type: String. Specifies the network protocol of the connection. Available values are "IPv4", "IPv6", "IPv4v6", and "IPv4v6xlat". If a value is not specified, the default value is "IPv4".
> [!WARNING]
> Do not use IPv6 or IPv4v6xlat on a device or network that does not support IPv6. Data functionality will not work. In addition, the device will not be able to connect to a roaming network that does not support IPv6 unless you configure roaming connections with an IPType of IPv4v6.
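Review bot: `+ Optional. Type: Int. Specifies the purpose of the APN. If a value is not specified, the default value is "0" (none).` under **ApnId** says the integer encodes a purpose but lists none of the purpose values, unlike **Roaming** just above, which enumerates `0` through `5`; add the value list or a pointer to where it is defined. The `> [!WARNING]` following **IPType** is right to keep; the `+` IPType line could also mention that `IPv4v6` is the roaming-safe choice the warning recommends, so the reader does not have to infer it from the warning text.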
@@ -145,14 +145,14 @@ The following diagram shows the CM\_CellularEntries configuration service provid
**ExemptFromDisablePolicy**
- Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt).
+ Added back in Windows 10, version 1511. Optional. Type: Int. This should only be specified for special purpose connections whose applications directly manage their disable state (such as MMS). A value of "0" specifies that the connection is subject to the disable policy used by general purpose connections (not exempt). A value of "1" specifies that the connection is exempt. If a value is not specified, the default value is "0" (not exempt).
- To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
+ To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1". This indicates that the connection is a dedicated MMS connection and that it should not be disabled when all other connections are disabled. As a result, MMS can be sent and received when data is set to OFF. Note that sending MMS while roaming is still not allowed.
> [!IMPORTANT]
> Do not set ExemptFromDisablePolicy to "1", ExemptFromRoaming to "1", or UseRequiresMappingsPolicy to "1" for general purpose connections.
- To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
+ To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff, when you do not set ExemptFromDisablePolicy to 1 (default is 0), you should:
- Hide the toggle for AllowMmsIfDataIsOff by setting AllowMmsIfDataIsOffEnabled to 0 (default is 1)
- Set AllowMMSIfDataIsOff to 1 (default is 0)
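Review bot: the `+` line `+ To avoid UX inconsistency with certain value combinations of ExemptFromDisablePolicy and AllowMmsIfDataIsOff…` spells the node `AllowMmsIfDataIsOff`, while the bullet right below it uses `AllowMMSIfDataIsOff` and the first bullet `AllowMmsIfDataIsOffEnabled`; pick one casing for the node so readers can search for it. The `+` line `+ To allow MMS when data is set to OFF, set both ExemptFromDisablePolicy and UseRequiresMappingsPolicy to "1".` and the `> [!IMPORTANT]` block that follows are consistent with each other; keep them adjacent when editing further, since the exemption keeps that connection up after the user turns data off and the IMPORTANT block is what restricts it to the dedicated MMS connection.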
@@ -160,16 +160,16 @@ The following diagram shows the CM\_CellularEntries configuration service provid
**ExemptFromRoaming**
- Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt).
+ Added back in Windows 10, version 1511. Optional. Type: Int. This should be specified only for special purpose connections whose applications directly manage their roaming state. It should never be used with general purpose connections. A value of "0" specifies that the connection is subject to the roaming policy (not exempt). A value of "1" specifies that the connection is exempt (unaffected by the roaming policy). If a value is not specified, the default value is "0" (not exempt).
**TetheringNAI**
- Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0".
+ Optional. Type: Int. CDMA only. Specifies if the connection is a tethering connection. A value of "0" specifies that the connection is not a tethering connection. A value of "1" specifies that the connection is a tethering connection. If a value is not specified, the default value is "0".
**IdleDisconnectTimeout**
- Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
+ Optional. Type: Int. Specifies how long an on-demand connection can be unused before Connection Manager tears the connection down. This value is specified in seconds. Valid value range is 5 to 60 seconds. If not specified, the default is 30 seconds.
> [!IMPORTANT]
-> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
+> You must specify the IdleDisconnectTimeout value when updating an on-demand connection to ensure that the desired value is still configured. If it is not specified, the default value of 30 seconds may be used.
> [!NOTE]
@@ -178,10 +178,10 @@ The following diagram shows the CM\_CellularEntries configuration service provid
**SimIccId**
- For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
+ For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required. Type: String. Specifies the SIM ICCID that services the connection.
**PurposeGroups**
- Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
+ Required. Type: String. Specifies the purposes of the connection by a comma-separated list of GUIDs representing purpose values. The following purpose values are available:
- Internet - 3E5545D2-1137-4DC8-A198-33F1C657515F
- LTE attach - 11A6FE68-5B47-4859-9CB6-1EAC96A8F0BD
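Review bot: `+ For single SIM phones, this parm is optional. However, it is highly recommended to include this value when creating future updates. For dual SIM phones, this parm is required.` uses the abbreviation "parm" twice; since the line is being rewritten, spell out "parameter". The entry also puts its description last, unlike every other entry in the file, which opens with `Optional.`/`Required.` and `Type:`; restructure as "Type: String. Optional for single SIM phones (but strongly recommended for future updates); required for dual SIM phones. Specifies the SIM ICCID that services the connection."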
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index cce8060fe3..d4793c91e6 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices:
| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
|------|--------|--------|--------|
-| [AccountManagement CSP](accountmanagement-csp.md) |  |  4 | 
-| [Accounts CSP](accounts-csp.md) |  |  |  |
-| [ApplicationControl CSP](applicationcontrol-csp.md) |  |  |  |
-| [AppLocker CSP](applocker-csp.md) |  |  |  |
-| [AssignedAccess CSP](assignedaccess-csp.md) |  |  4 |  |
-| [CertificateStore CSP](certificatestore-csp.md) |  | |  |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |  |
-| [DevDetail CSP](devdetail-csp.md) |  |  |  |
-| [DeveloperSetup CSP](developersetup-csp.md) |  |  2 (runtime provisioning via provisioning packages only; no MDM support)|  |
-| [DeviceManageability CSP](devicemanageability-csp.md) |  |  |  |
-| [DeviceStatus CSP](devicestatus-csp.md) |  |  |  |
-| [DevInfo CSP](devinfo-csp.md) |  |  |  |
-| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
-| [DMAcc CSP](dmacc-csp.md) |  |  |  |
-| [DMClient CSP](dmclient-csp.md) |  |  |  |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
-| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
-| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
-| [NodeCache CSP](nodecache-csp.md) |  |  |  |
-[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
-| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
-| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
-| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) |  |  4 |  |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
-| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
-| [Update CSP](update-csp.md) |  |  |  |
-| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
-| [WiFi CSP](wifi-csp.md) |  |  |  |
-| [WindowsLicensing CSP](windowslicensing-csp.md) |  |  |  |
+| [AccountManagement CSP](accountmanagement-csp.md) |  |  4 | 
+| [Accounts CSP](accounts-csp.md) |  |  |  |
+| [ApplicationControl CSP](applicationcontrol-csp.md) |  |  |  |
+| [AppLocker CSP](applocker-csp.md) |  |  |  |
+| [AssignedAccess CSP](assignedaccess-csp.md) |  |  4 |  |
+| [CertificateStore CSP](certificatestore-csp.md) |  | |  |
+| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) |  |  |  |
+| [DevDetail CSP](devdetail-csp.md) |  |  |  |
+| [DeveloperSetup CSP](developersetup-csp.md) |  |  2 (runtime provisioning via provisioning packages only; no MDM support)|  |
+| [DeviceManageability CSP](devicemanageability-csp.md) |  |  |  |
+| [DeviceStatus CSP](devicestatus-csp.md) |  |  |  |
+| [DevInfo CSP](devinfo-csp.md) |  |  |  |
+| [DiagnosticLog CSP](diagnosticlog-csp.md) |  |  |  |
+| [DMAcc CSP](dmacc-csp.md) |  |  |  |
+| [DMClient CSP](dmclient-csp.md) |  |  |  |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) |  |  |  10 |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) |  |  |  |
+| [NetworkProxy CSP](networkproxy-csp.md) |  |  |  |
+| [NetworkQoSPolicy CSP](networkqospolicy-csp.md) |  |  |  8|
+| [NodeCache CSP](nodecache-csp.md) |  |  |  |
+[PassportForWork CSP](passportforwork-csp.md) |  |  |  |
+| [Policy CSP](policy-configuration-service-provider.md) |  |  |  |
+| [RemoteFind CSP](remotefind-csp.md) |  |  4 |  |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only) |  |  4 |  |
+| [RootCATrustedCertificates CSP](rootcacertificates-csp.md) |  |  |  |
+| [TenantLockdown CSP](tenantlockdown-csp.md) |  |  |  10 |
+| [Update CSP](update-csp.md) |  |  |  |
+| [VPNv2 CSP](vpnv2-csp.md) |  |  |  |
+| [WiFi CSP](wifi-csp.md) |  |  |  |
+| [WindowsLicensing CSP](windowslicensing-csp.md) |  |  |  |
## CSPs supported in Microsoft Surface Hub
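Review bot: two rows in this table survive the normalisation unchanged and still break it. `+[PassportForWork CSP](passportforwork-csp.md) |  |  |  |` is the only row without a leading `|`, so add one while the whole block is being rewritten; and `+| [AccountManagement CSP](accountmanagement-csp.md) |  |  4 | ` has three cells where the header `| Configuration service provider | HoloLens (1st gen) Development Edition | HoloLens (1st gen) Commercial Suite | HoloLens 2 |` defines four, so the HoloLens 2 column for AccountManagement is missing; add the fourth cell (with the correct mark, or explicitly blank) so the row lines up with the others, which all close with `|  |`.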
diff --git a/windows/client-management/mdm/developersetup-csp.md b/windows/client-management/mdm/developersetup-csp.md
index 2f1ccdb53c..f36f744684 100644
--- a/windows/client-management/mdm/developersetup-csp.md
+++ b/windows/client-management/mdm/developersetup-csp.md
@@ -35,48 +35,48 @@ DeveloperSetup
------------HttpsPort
```
**DeveloperSetup**
- The root node for the DeveloperSetup configuration service provider.
+ The root node for the DeveloperSetup configuration service provider.
**EnableDeveloperMode**
- A Boolean value that is used to enable Developer Mode on the device. The default value is false.
+ A Boolean value that is used to enable Developer Mode on the device. The default value is false.
- The only supported operation is Replace.
+ The only supported operation is Replace.
**DevicePortal**
- The node for the Windows Device Portal.
+ The node for the Windows Device Portal.
**DevicePortal/Authentication**
- The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal.
+ The node that describes the characteristics of the authentication mechanism that is used for the Windows Device Portal.
**DevicePortal/Authentication/Mode**
- An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal.
+ An integer value that specifies the mode of authentication that is used when making requests to the Windows Device Portal.
- The only supported operation is Replace.
+ The only supported operation is Replace.
**DevicePortal/Authentication/BasicAuth**
- The node that describes the credentials that are used for basic authentication with the Windows Device Portal.
+ The node that describes the credentials that are used for basic authentication with the Windows Device Portal.
**DevicePortal/Authentication/BasicAuth/Username**
- A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal.
+ A string value that specifies the user name to use when performing basic authentication with the Windows Device Portal.
The user name must contain only ASCII characters and cannot contain a colon (:).
- The only supported operation is Replace.
+ The only supported operation is Replace.
**DevicePortal/Authentication/BasicAuth/Password**
- A string value that specifies the password to use when authenticating requests against the Windows Device Portal.
+ A string value that specifies the password to use when authenticating requests against the Windows Device Portal.
- The only supported operation is Replace.
+ The only supported operation is Replace.
**DevicePortal/Connection**
- The node for configuring connections to the Windows Device Portal service.
+ The node for configuring connections to the Windows Device Portal service.
**DevicePortal/Connection/HttpPort**
- An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service.
+ An integer value that is used to configure the HTTP port for incoming connections to the Windows Device Portal service.
If authentication is enabled, HttpPort will redirect the user to the (required) HttpsPort.
- The only supported operation is Replace.
+ The only supported operation is Replace.
**DevicePortal/Connection/HttpsPort**
- An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
+ An integer value that is used to configure the HTTPS port for incoming connections to the Windows Device Portal service.
- The only supported operation is Replace.
\ No newline at end of file
+ The only supported operation is Replace.
\ No newline at end of file
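Review bot: both sides of this hunk still end with `\ No newline at end of file`, so the file keeps its missing final newline even though its last line (`The only supported operation is Replace.`) is being rewritten; add the trailing newline in the same change. The `DevicePortal/Authentication/Mode` entry says only "An integer value that specifies the mode of authentication" without listing which integers select which mode, while every other leaf in the hunk states its constraints (the Username rule about ASCII and the colon, the Replace-only operation); list the supported values and their meaning. The Password node being Replace-only with no Get is the right shape for a secret and is worth keeping as documented.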
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 8e886f3661..bd80931f74 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -42,7 +42,7 @@ For more information about the CSPs, see [Update CSP](update-csp.md) and the upd
The following diagram provides a conceptual overview of how this works:
-
+
The diagram can be roughly divided into three areas:
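Review bot: the changed line in this hunk (the `-`/`+` pair between "The following diagram provides a conceptual overview of how this works:" and "The diagram can be roughly divided into three areas:") shows as empty on both sides, so the image reference the two sentences point at is not visible in the diff; confirm the image link survived the whitespace cleanup, because a blank line here leaves the prose referring to a diagram that never renders.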
@@ -56,7 +56,7 @@ The Microsoft Update Catalog is huge and contains many updates that are not need
This section describes how this is done. The following diagram shows the server-server sync protocol process.
-
+
MSDN provides much information about the Server-Server sync protocol. In particular:
@@ -140,56 +140,56 @@ The enterprise IT can configure auto-update polices via OMA DM using the [Policy
The following diagram shows the Update policies in a tree format.
-
+
**Update/ActiveHoursEnd**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
+ Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursStart) to manage a range of active hours where update reboots are not scheduled. This value sets the end time. There is a 12 hour maximum from start time.
> [!NOTE]
> The default maximum difference from start time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** below for more information.
- Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
- The default is 17 (5 PM).
+ The default is 17 (5 PM).
**Update/ActiveHoursMaxRange**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
- Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
+ Added in Windows 10, version 1703. Allows the IT admin to specify the max active hours range. This value sets max number of active hours from start time.
- Supported values are 8-18.
+ Supported values are 8-18.
- The default value is 18 (hours).
+ The default value is 18 (hours).
**Update/ActiveHoursStart**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
- Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
+ Added in Windows 10, version 1607. Allows the IT admin (when used with Update/ActiveHoursEnd) to manage a range of hours where update reboots are not scheduled. This value sets the start time. There is a 12 hour maximum from end time.
> [!NOTE]
> The default maximum difference from end time has been increased to 18 in Windows 10, version 1703. In this version of Windows 10, the maximum range of active hours can now be configured. See **Update/ActiveHoursMaxRange** above for more information.
- Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
+ Supported values are 0-23, where 0 is 12 AM, 1 is 1 AM, etc.
- The default value is 8 (8 AM).
+ The default value is 8 (8 AM).
**Update/AllowAutoUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
- Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
+ Enables the IT admin to manage automatic update behavior to scan, download, and install updates.
- Supported operations are Get and Replace.
+ Supported operations are Get and Replace.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 – Notify the user before downloading the update. This policy is used by the enterprise who wants to enable the end-users to manage data usage. With this option users are notified when there are updates that apply to the device and are ready for download. Users can download and install the updates from the Windows Update control panel.
- 1 – Auto install the update and then notify the user to schedule a device restart. Updates are downloaded automatically on non-metered networks and installed during "Automatic Maintenance" when the device is not in use and is not running on battery power. If automatic maintenance is unable to install updates for two days, Windows Update will install updates immediately. If the installation requires a restart, the end-user is prompted to schedule the restart time. The end-user has up to seven days to schedule the restart and after that, a restart of the device is forced. Enabling the end-user to control the start time reduces the risk of accidental data loss caused by applications that do not shutdown properly on restart.
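Review bot: the `[!NOTE]` under **Update/ActiveHoursEnd** ("This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education") lacks the closing period that the identical notes under **Update/ActiveHoursMaxRange** and **Update/ActiveHoursStart** carry; since these lines are being touched, make the three notes identical. The ActiveHoursEnd and ActiveHoursStart descriptions also still say "There is a 12 hour maximum" in the main sentence while the note directly below each says the maximum became 18 in version 1703 and is configurable through ActiveHoursMaxRange; putting the version qualifier into the sentence itself ("12 hours before version 1703; see ActiveHoursMaxRange afterwards") removes the contradiction on first read.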
@@ -202,16 +202,16 @@ The following diagram shows the Update policies in a tree format.
> This option should be used only for systems under regulatory compliance, as you will not get security updates as well.
- If the policy is not configured, end-users get the default behavior (Auto install and restart).
+ If the policy is not configured, end-users get the default behavior (Auto install and restart).
**Update/AllowMUUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
+ Added in Windows 10, version 1607. Allows the IT admin to manage whether to scan for app updates from Microsoft Update.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 – Not allowed or not configured.
- 1 – Allowed. Accepts updates received through Microsoft Update.
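Review bot: the note at the top of this hunk, "This option should be used only for systems under regulatory compliance, as you will not get security updates as well.", reads awkwardly and understates the consequence; suggest "because the device will also stop receiving security updates." The `[!NOTE]` under **Update/AllowMUUpdateService** is missing its final period, unlike the note for the policy above it.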
@@ -221,29 +221,29 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise and Windows 10 Education.
- Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.
+ Allows the IT admin to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. This policy supports using WSUS for third party software and patch distribution.
- Supported operations are Get and Replace.
+ Supported operations are Get and Replace.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 – Not allowed or not configured. Updates from an intranet Microsoft update service location must be signed by Microsoft.
- 1 – Allowed. Accepts updates received through an intranet Microsoft update service location, if they are signed by a certificate found in the "Trusted Publishers" certificate store of the local computer.
- This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
+ This policy is specific to desktop and local publishing via WSUS for third party updates (binaries and updates not hosted on Microsoft Update) and allows IT to manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found on an intranet Microsoft update service location.
**Update/AllowUpdateService**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
+ Specifies whether the device could use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft.
- Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft
+ Even when Windows Update is configured to receive updates from an intranet update service, it will periodically retrieve information from the public Windows Update service to enable future connections to Windows Update, and other services like Microsoft Update or the Microsoft
- Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
+ Enabling this policy will disable that functionality, and may cause connection to public services such as the Microsoft to stop working.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 – Update service is not allowed.
- 1 (default) – Update service is allowed.
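Review bot: three sentences under **Update/AllowUpdateService** are cut off mid-phrase and are carried over unchanged: "...Windows Server Update Services (WSUS), or Microsoft.", "...other services like Microsoft Update or the Microsoft" and "...public services such as the Microsoft to stop working."; restore the missing noun after "Microsoft" while the lines are being rewritten. "Enabling this policy will disable that functionality" is also ambiguous next to a value list where 1 (default) means the update service is allowed and 0 means it is not; say which value stops the periodic contact with the public Windows Update service. For the policy at the top of the hunk, the paragraph beginning "This policy is specific to desktop and local publishing via WSUS" repeats the opening sentence of the same policy almost word for word and can be merged with it; and because value 1 accepts any update "signed by a certificate found in the "Trusted Publishers" certificate store of the local computer", it is worth stating that the contents of that store then become part of the device's update trust boundary.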
@@ -257,20 +257,20 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
+ Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart reminder notifications.
- Supported values are 15, 30, 60, 120, and 240 (minutes).
+ Supported values are 15, 30, 60, 120, and 240 (minutes).
- The default value is 15 (minutes).
+ The default value is 15 (minutes).
**Update/AutoRestartRequiredNotificationDismissal**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
+ Added in Windows 10, version 1703. Allows the IT Admin to specify the method by which the auto restart required notification is dismissed.
- The following list shows the supported values:
+ The following list shows the supported values:
- 1 (default) – Auto Dismissal.
- 2 – User Dismissal.
@@ -280,9 +280,9 @@ The following diagram shows the Update policies in a tree format.
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
+ Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from.
- The following list shows the supported values:
+ The following list shows the supported values:
- 16 (default) – User gets all applicable upgrades from Current Branch (CB).
- 32 – User gets upgrades from Current Branch for Business (CBB).
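Review bot: "set which branch a device receives their updates from" mixes singular and plural; "its updates" (or "the branch from which a device receives updates") fixes it, and the `[!NOTE]` line at the top of the hunk is missing its final period.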
@@ -291,18 +291,18 @@ The following diagram shows the Update policies in a tree format.
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
- Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
+ Added in Windows 10, version 1607. Defers Feature Updates for the specified number of days.
- Supported values are 0-180.
+ Supported values are 0-180.
**Update/DeferQualityUpdatesPeriodInDays**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
+ Added in Windows 10, version 1607. Defers Quality Updates for the specified number of days.
- Supported values are 0-30.
+ Supported values are 0-30.
**Update/DeferUpdatePeriod**
> [!NOTE]
@@ -311,15 +311,15 @@ The following diagram shows the Update policies in a tree format.
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpdatePeriod for Windows 10, version 1511 devices.
- Allows IT Admins to specify update delays for up to four weeks.
+ Allows IT Admins to specify update delays for up to four weeks.
- Supported values are 0-4, which refers to the number of weeks to defer updates.
+ Supported values are 0-4, which refers to the number of weeks to defer updates.
- If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+ If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
- If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+ If the Allow Telemetry policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
-
+
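Review bot: the telemetry sentence in this hunk writes the policy name without quotes ("If the Allow Telemetry policy is enabled and the Options value is set to 0") while the same sentence under DeferUpgradePeriod and PauseDeferrals quotes it ("If the "Allow Telemetry" policy is enabled"); pick one form for all three. The final `-`/`+` pair of the hunk also shows as empty on both sides, so whatever stood there cannot be checked from the diff; confirm the line was not emptied by the whitespace cleanup.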
@@ -336,16 +336,16 @@ The following diagram shows the Update policies in a tree format.
-OS upgrade |
-8 months |
-1 month |
-Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+OS upgrade |
+8 months |
+1 month |
+Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
-Update |
-1 month |
-1 week |
-
+ Update |
+ 1 month |
+ 1 week |
+
Note
If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
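Review bot: the rewritten rows for the "Update" category gain a leading space (`+ Update |`, `+ 1 month |`, `+ 1 week |`) that the rewritten "OS upgrade" rows directly above do not have (`+OS upgrade |`, `+8 months |`); rows of the same table should be indented the same way. The "Update" row's last cell is also empty where the "OS upgrade" row carries a category GUID (`Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5`); confirm the empty cell is intentional.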
@@ -361,10 +361,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
|
|
-Other/cannot defer |
-No deferral |
-No deferral |
-Any update category not enumerated above falls into this category.
+ | Other/cannot defer |
+No deferral |
+No deferral |
+Any update category not enumerated above falls into this category.
Definition Update - E0789628-CE08-4437-BE74-2495B842F43B |
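Review bot: the rewritten row for "Other/cannot defer" gains a leading pipe (`+ | Other/cannot defer |`) that the removed line (`-Other/cannot defer |`) and the neighbouring cells (`+No deferral |`) do not have; this looks like an accidental extra delimiter that will render as a stray "|" or an empty leading cell, so drop it unless the row is meant to differ from the others.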
@@ -380,71 +380,71 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use DeferUpgradePeriod for Windows 10, version 1511 devices.
-Allows IT Admins to specify additional upgrade delays for up to eight months.
+ Allows IT Admins to specify additional upgrade delays for up to eight months.
- Supported values are 0-8, which refers to the number of months to defer upgrades.
+ Supported values are 0-8, which refers to the number of months to defer upgrades.
- If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+ If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
- If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+ If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
**Update/EngagedRestartDeadline**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
+ Added in Windows 10, version 1703. Allows the IT Admin to specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. The deadline can be set between 2 and 30 days from the time the restart becomes pending. If configured, the pending restart will transition from Auto-restart to Engaged restart (pending user schedule) to be automatically executed within the specified period. If no deadline is specified or deadline is set to 0, the restart will not be automatically executed and will remain Engaged restart (pending user scheduling).
- Supported values are 2-30 days.
+ Supported values are 2-30 days.
- The default value is 0 days (not specified).
+ The default value is 0 days (not specified).
**Update/EngagedRestartSnoozeSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
+ Added in Windows 10, version 1703. Allows the IT Admin to control the number of days a user can snooze Engaged restart reminder notifications.
- Supported values are 1-3 days.
+ Supported values are 1-3 days.
- The default value is three days.
+ The default value is three days.
**Update/EngagedRestartTransitionSchedule**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
+ Added in Windows 10, version 1703. Allows the IT Admin to control the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. The period can be set between 2 and 30 days from the time the restart becomes pending.
- Supported values are 2-30 days.
+ Supported values are 2-30 days.
- The default value is seven days.
+ The default value is seven days.
**Update/ExcludeWUDriversInQualityUpdate**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
> Since this policy is not blocked, you will not get a failure message when you use it to configure a Windows 10 Mobile device. However, the policy will not take effect.
- Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
+ Added in Windows 10, version 1607. Allows IT Admins to exclude Windows Update (WU) drivers during updates.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Allow Windows Update drivers.
- 1 – Exclude Windows Update drivers.
**Update/IgnoreMOAppDownloadLimit**
- Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+ Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for apps and their updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Do not ignore MO download limit for apps and their updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for apps and their updates.
- To validate this policy:
+ To validate this policy:
1. Enable the policy ensure the device is on a cellular network.
2. Run the scheduled task on your device to check for app updates in the background. For example, on a mobile device, run the following commands in TShell:
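Review bot: step 1 of the IgnoreMOAppDownloadLimit validation ("Enable the policy ensure the device is on a cellular network.") is missing "and" (compare the same step under IgnoreMOUpdateDownloadLimit: "Enable the policy and ensure the device is on a cellular network."). At the top of the hunk, the removed and added versions of the first sentence differ in leading whitespace (`-Allows IT Admins to specify additional upgrade delays...` vs `+ Allows IT Admins to specify additional upgrade delays...`), unlike every other pair in the hunk; confirm that the added space is intended rather than a stray edit in a whitespace-only change.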
@@ -456,17 +456,17 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
**Update/IgnoreMOUpdateDownloadLimit**
- Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
+ Added in Windows 10, version 1703. Specifies whether to ignore the MO download limit (allow unlimited downloading) over a cellular network for OS updates. If lower-level limits (for example, mobile caps) are required, those limits are controlled by external policies.
> [!WARNING]
> Setting this policy might cause devices to incur costs from MO operators.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Do not ignore MO download limit for OS updates.
- 1 – Ignore MO download limit (allow unlimited downloading) for OS updates.
- To validate this policy:
+ To validate this policy:
1. Enable the policy and ensure the device is on a cellular network.
2. Run the scheduled task on phone to check for OS updates in the background. For example, on a mobile device, run the following commands in TShell:
@@ -482,24 +482,24 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use PauseDeferrals for Windows 10, version 1511 devices.
- Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
+ Allows IT Admins to pause updates and upgrades for up to five weeks. Paused deferrals will be reset after five weeks.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Deferrals are not paused.
- 1 – Deferrals are paused.
- If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+ If the "Specify intranet Microsoft update service location" policy is enabled, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
- If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
+ If the "Allow Telemetry" policy is enabled and the Options value is set to 0, then the "Defer upgrades by", "Defer updates by" and "Pause Updates and Upgrades" settings have no effect.
**Update/PauseFeatureUpdates**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, Windows 10 Education.
- Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
+ Added in Windows 10, version 1607. Allows IT Admins to pause Feature Updates for up to 60 days.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Feature Updates are not paused.
- 1 – Feature Updates are paused for 60 days or until value set to back to 0, whichever is sooner.
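Review bot: "until value set to back to 0" in the last line has a doubled preposition; "until the value is set back to 0" matches the PauseQualityUpdates wording ("until value set back to 0"). The PauseDeferrals paragraph gives its pause window in weeks ("reset after five weeks") while PauseFeatureUpdates gives 60 days; both are carried over unchanged, but stating both windows in days would let readers compare the legacy policy with the version 1607 one at a glance.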
@@ -509,9 +509,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
+ Added in Windows 10, version 1607. Allows IT Admins to pause Quality Updates.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Quality Updates are not paused.
- 1 – Quality Updates are paused for 35 days or until value set back to 0, whichever is sooner.
@@ -523,9 +523,9 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> Don't use this policy in Windows 10, version 1607 devices, instead use the new policies listed in [Changes in Windows 10, version 1607 for update management](device-update-management.md#windows10version1607forupdatemanagement). You can continue to use RequireDeferUpgrade for Windows 10, version 1511 devices.
- Allows the IT admin to set a device to CBB train.
+ Allows the IT admin to set a device to CBB train.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – User gets upgrades from Current Branch.
- 1 – User gets upgrades from Current Branch for Business.
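Review bot: "Allows the IT admin to set a device to CBB train." needs an article and the expansion the value list two lines below already uses: "to the Current Branch for Business (CBB) train".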
@@ -541,11 +541,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> If you previously used the **Update/PhoneUpdateRestrictions** policy in previous versions of Windows, it has been deprecated. Please use this policy instead.
- Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
+ Allows the IT admin to restrict the updates that are installed on a device to only those on an update approval list. It enables IT to accept the End User License Agreement (EULA) associated with the approved update on behalf of the end-user. EULAs are approved once an update is approved.
- Supported operations are Get and Replace.
+ Supported operations are Get and Replace.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 – Not configured. The device installs all applicable updates.
- 1 – The device only installs updates that are both applicable and on the Approved Updates list. Set this policy to 1 if IT wants to control the deployment of updates on devices, such as when testing is required prior to deployment.
@@ -555,24 +555,24 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
+ Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto-restart imminent warning notifications.
- Supported values are 15, 30, or 60 (minutes).
+ Supported values are 15, 30, or 60 (minutes).
- The default value is 15 (minutes).
+ The default value is 15 (minutes).
**Update/ScheduledInstallDay**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Enables the IT admin to schedule the day of the update installation.
+ Enables the IT admin to schedule the day of the update installation.
- The data type is a string.
+ The data type is a string.
- Supported operations are Add, Delete, Get, and Replace.
+ Supported operations are Add, Delete, Get, and Replace.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Every day
- 1 – Sunday
@@ -588,35 +588,35 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Enables the IT admin to schedule the time of the update installation.
+ Enables the IT admin to schedule the time of the update installation.
- The data type is a string.
+ The data type is a string.
- Supported operations are Add, Delete, Get, and Replace.
+ Supported operations are Add, Delete, Get, and Replace.
- Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
+ Supported values are 0-23, where 0 = 12 AM and 23 = 11 PM.
- The default value is 3.
+ The default value is 3.
**Update/ScheduleRestartWarning**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
+ Added in Windows 10, version 1703. Allows the IT Admin to specify the period for auto restart warning reminder notifications.
- Supported values are 2, 4, 8, 12, or 24 (hours).
+ Supported values are 2, 4, 8, 12, or 24 (hours).
- The default value is 4 (hours).
+ The default value is 4 (hours).
**Update/SetAutoRestartNotificationDisable**
> [!NOTE]
> This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education
- Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
+ Added in Windows 10, version 1703. Allows the IT Admin to disable auto restart notifications for update installations.
- The following list shows the supported values:
+ The following list shows the supported values:
- 0 (default) – Enabled
- 1 – Disabled
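Review bot: the value list under **Update/SetAutoRestartNotificationDisable** ("0 (default) – Enabled", "1 – Disabled") does not say what is enabled or disabled; given the policy name, "Enabled" can be read as "notifications are enabled" or as "the disable policy is enabled", which are opposites. Spell it out along the lines of "0 (default) – Auto restart notifications are shown" and "1 – Auto restart notifications are disabled". The three `[!NOTE]` lines in the hunk are also missing their final periods.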
@@ -628,11 +628,11 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
> [!Important]
> Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise.
- Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
+ Allows the device to check for updates from a WSUS server instead of Microsoft Update. This is useful for on-premises MDMs that need to update devices that cannot connect to the Internet.
- Supported operations are Get and Replace.
+ Supported operations are Get and Replace.
- The following list shows the supported values:
+ The following list shows the supported values:
- Not configured. The device checks for updates from Microsoft Update.
- Set to a URL, such as `http://abcd-srv:8530`. The device checks for updates from the WSUS server at the specified URL.
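Review bot: the only example given for the WSUS location, `http://abcd-srv:8530`, is a plain-HTTP endpoint; since this policy points the device at an intranet server it will trust for update metadata and binaries, add an `https://` example beside it and note that the server should be reached over TLS where the WSUS deployment supports it. The `[!Important]` note at the top of the hunk ("Starting in Windows 10, version 1703 this policy is not supported in IoT Enterprise") also needs a comma after "1703".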
@@ -659,13 +659,13 @@ Example
> **Note** This policy is available on Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education.
- Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
+ Added in the January service release of Windows 10, version 1607. Specifies an alternate intranet server to host updates from Microsoft Update. You can then use this update service to automatically update computers on your network.
- This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
+ This setting lets you specify a server on your network to function as an internal update service. The Automatic Updates client will search this service for updates that apply to the computers on your network.
- To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
+ To use this setting, you must set two server name values: the server from which the Automatic Updates client detects and downloads updates, and the server to which updated workstations upload statistics. You can set both values to be the same server. An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server.
- Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
+ Value type is string and the default value is an empty string, "". If the setting is not configured, and if Automatic Updates is not disabled by policy or user preference, the Automatic Updates client connects directly to the Windows Update site on the Internet.
> [!Note]
> If the "Configure Automatic Updates" Group Policy is disabled, then this policy has no effect.
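Review bot: the rewritten sentence "An optional server name value can be specified to configure Windows Update agent, and download updates from an alternate download server instead of WSUS Server." is hard to parse; since the line is already being touched, suggest "An optional third server name can be specified so that the Windows Update agent downloads update content from an alternate download server instead of the WSUS server." Also the callout syntax is inconsistent within this file: `> [!NOTE]`, `> **Note**` and `> [!Note]` are all used, and `[!Important]` appears in the previous hunk; pick one casing.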
@@ -676,7 +676,7 @@ Example
The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
-
+
**Update**
The root node.
@@ -827,50 +827,50 @@ Here's the list of corresponding Group Policy settings in HKLM\\Software\\Polici
-BranchReadinessLevel |
-REG_DWORD |
-16: systems take Feature Updates on the Current Branch (CB) train
+ | BranchReadinessLevel |
+REG_DWORD |
+16: systems take Feature Updates on the Current Branch (CB) train
32: systems take Feature Updates on the Current Branch for Business
Other value or absent: receive all applicable updates (CB) |
-DeferQualityUpdates |
-REG_DWORD |
-1: defer quality updates
+ | DeferQualityUpdates |
+REG_DWORD |
+1: defer quality updates
Other value or absent: don’t defer quality updates |
-DeferQualityUpdatesPeriodInDays |
-REG_DWORD |
-0-30: days to defer quality updates |
+DeferQualityUpdatesPeriodInDays |
+REG_DWORD |
+0-30: days to defer quality updates |
-PauseQualityUpdates |
-REG_DWORD |
-1: pause quality updates
+ | PauseQualityUpdates |
+REG_DWORD |
+1: pause quality updates
Other value or absent: don’t pause quality updates |
-DeferFeatureUpdates |
-REG_DWORD |
-1: defer feature updates
+ | DeferFeatureUpdates |
+REG_DWORD |
+1: defer feature updates
Other value or absent: don’t defer feature updates |
-DeferFeatureUpdatesPeriodInDays |
-REG_DWORD |
-0-180: days to defer feature updates |
+DeferFeatureUpdatesPeriodInDays |
+REG_DWORD |
+0-180: days to defer feature updates |
-PauseFeatureUpdates |
-REG_DWORD |
-1: pause feature updates
+ | PauseFeatureUpdates |
+REG_DWORD |
+1: pause feature updates
Other value or absent: don’t pause feature updates |
-ExcludeWUDriversInQualityUpdate |
-REG_DWORD |
-1: exclude WU drivers
+ | ExcludeWUDriversInQualityUpdate |
+REG_DWORD |
+1: exclude WU drivers
Other value or absent: offer WU drivers |
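Review bot: the added ` | ` row prefix is applied to BranchReadinessLevel, DeferQualityUpdates, PauseQualityUpdates, DeferFeatureUpdates, PauseFeatureUpdates and ExcludeWUDriversInQualityUpdate, but the DeferQualityUpdatesPeriodInDays and DeferFeatureUpdatesPeriodInDays rows are left without it. Those two rows need the same prefix or the table will render with two rows collapsed into the preceding cell.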
@@ -889,9 +889,9 @@ Here is the list of older policies that are still supported for backward compati
The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
-
+
-
+
## SyncML example
@@ -945,5 +945,5 @@ Set auto update to notify and defer.
The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
-
+
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
index f24564545c..0db22bf159 100644
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md
@@ -26,7 +26,7 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
The following diagram shows the DeviceInstanceService configuration service provider in tree format.
-
+
**Roaming**
A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index cef65071ec..9933e58a23 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -32,7 +32,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
The following image shows the DeviceLock configuration service provider in tree format.
-
+
**Provider**
Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
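Review bot: the context line "The DevicePasswordEnabled setting must be set to 0 (device password is enabled)" reads as a typo to anyone who does not already know this node's inverted values. Suggest a short clarifying sentence stating that for DevicePasswordEnabled the value 0 means the device password is required, so readers do not "correct" it to 1 in their policy.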
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 6043b61d8c..92ed52968c 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -20,13 +20,13 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
1. On your managed device go to **Settings** > **Accounts** > **Access work or school**.
1. Click your work or school account, then click **Info.**
- 
+ 
1. At the bottom of the **Settings** page, click **Create report**.
- 
+ 
1. A window opens that shows the path to the log files. Click **Export**.
- 
+ 
1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
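Review bot: the final step leaves the diagnostic report in c:\Users\Public\Documents\MDMDiagnostics, a folder that every local account on the machine can read. Since the report is collected to be handed to support, suggest adding a sentence telling the reader to move or delete it after it has been exported, rather than leaving it in the shared Public profile.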
@@ -59,7 +59,7 @@ Starting with the Windows 10, version 1511, MDM logs are captured in the Event
Here's a screenshot:
-
+
In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer.
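Review bot: "if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option" has two grammar slips; suggest "if you need more detailed logs, you can enable **Debug** logs by choosing the **Show Analytic and Debug Logs** option in the **View** menu of Event Viewer."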
@@ -238,26 +238,26 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
1. Open eventvwr.msc.
2. Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
- 
+ 
3. Navigate to the etl file that you got from the device and then open the file.
4. Click **Yes** when prompted to save it to the new log format.
- 
+ 
- 
+ 
5. The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
- 
+ 
6. Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
- 
+ 
7. Now you are ready to start reviewing the logs.
- 
+ 
## Collect device state data
diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
index 35fe6568b0..5f48d033a0 100644
--- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
@@ -137,7 +137,7 @@ You can only use the Work Access page to unenroll under the following conditions
When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
-
+
When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
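Review bot: "to avoid leaving the corporated devices in unmanaged state" in the trailing context line should read "to avoid leaving corporate devices in an unmanaged state"; "corporated" is a typo and the sentence is missing its article.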
diff --git a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
index 46dd29b427..8290fa7eea 100644
--- a/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
+++ b/windows/client-management/mdm/dmprocessconfigxmlfiltered.md
@@ -62,25 +62,25 @@ HRESULT STDAPICALLTYPE DMProcessConfigXMLFiltered(
## Parameters
*pszXmlIn*
-
+
- [in] The null–terminated input XML buffer containing the configuration data. The parameter holds the XML that will be used to configure the phone. DMProcessConfigXMLFiltered accepts only OMA Client Provisioning XML (also known as WAP provisioning). It does not accept OMA DM SyncML XML (also known as SyncML).
*rgszAllowedCspNode*
-
+
- [in] Array of WCHAR\* that specify which configuration service provider nodes are allowed to be invoked.
*dwNumAllowedCspNodes*
-
+
- [in] Number of elements passed in rgszAllowedCspNode.
*pbstrXmlOut*
-
+
- [out] The resulting null–terminated XML from configuration. The caller of DMProcessConfigXMLFiltered is responsible for cleanup of the output buffer that the pbstrXmlOut parameter references. Use SysFreeString to free the memory.
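Review bot: the rgszAllowedCspNode / dwNumAllowedCspNodes description says which CSP nodes are allowed but never says what happens when the input XML references a node outside that list (whole call rejected, offending node skipped, or error code returned). Since this parameter is the caller's only control over what the provisioning XML can touch, the filtering behaviour should be documented here. Minor: "null–terminated" on the pszXmlIn and pbstrXmlOut lines uses an en dash where a hyphen is intended.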
@@ -104,24 +104,24 @@ Returns the standard **HRESULT** value **S\_OK** to indicate success. The follow
-CONFIG_E_OBJECTBUSY |
-Another instance of the configuration management service is currently running. |
+CONFIG_E_OBJECTBUSY |
+Another instance of the configuration management service is currently running. |
-CONFIG_E_ENTRYNOTFOUND |
-No metabase entry was found. |
+CONFIG_E_ENTRYNOTFOUND |
+No metabase entry was found. |
-CONFIG_E_CSPEXCEPTION |
-An exception occurred in one of the configuration service providers. |
+CONFIG_E_CSPEXCEPTION |
+An exception occurred in one of the configuration service providers. |
-CONFIG_E_TRANSACTIONINGFAILURE |
-A configuration service provider failed to roll back properly. The affected settings might be in an unknown state. |
+CONFIG_E_TRANSACTIONINGFAILURE |
+A configuration service provider failed to roll back properly. The affected settings might be in an unknown state. |
-CONFIG_E_BAD_XML |
-The XML input is invalid or malformed. |
+CONFIG_E_BAD_XML |
+The XML input is invalid or malformed. |
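Review bot: each row of this return-value table still lacks the leading `|` (the lines read `CONFIG_E_OBJECTBUSY |` with only a trailing pipe), so it will not render as a table. The same whitespace pass in update-csp.md added ` | ` at the start of each row; suggest applying the same fix here, with a `| Return value | Description |` header row.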
@@ -196,28 +196,28 @@ if ( bstr != NULL )
-Minimum supported client |
-None supported |
+Minimum supported client |
+None supported |
-Minimum supported server |
-None supported |
+Minimum supported server |
+None supported |
-Minimum supported phone |
-Windows Phone 8.1 |
+Minimum supported phone |
+Windows Phone 8.1 |
-Header |
-Dmprocessxmlfiltered.h |
+Header |
+Dmprocessxmlfiltered.h |
-Library |
-Dmprocessxmlfiltered.lib |
+Library |
+Dmprocessxmlfiltered.lib |
-DLL |
-Dmprocessxmlfiltered.dll |
+DLL |
+Dmprocessxmlfiltered.dll |
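Review bot: same table issue as the return-value table above: the requirements rows (`Minimum supported client |`, `Header |`, `Library |`, `DLL |`) have only a trailing pipe and need the leading `|` added to render as a two-column table.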
diff --git a/windows/client-management/mdm/dmsessionactions-csp.md b/windows/client-management/mdm/dmsessionactions-csp.md
index 8c5772b29c..ffdfc3e2b7 100644
--- a/windows/client-management/mdm/dmsessionactions-csp.md
+++ b/windows/client-management/mdm/dmsessionactions-csp.md
@@ -63,41 +63,41 @@ DMSessionActions
------------MaxTimeSessionsSkippedInLowPowerState
```
**./Device/Vendor/MSFT/DMSessionActions or ./User/Vendor/MSFT/DMSessionActions**
-Defines the root node for the DMSessionActions configuration service provider.
+Defines the root node for the DMSessionActions configuration service provider.
***ProviderID***
-Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
+Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
-Scope is dynamic. Supported operations are Get, Add, and Delete.
+Scope is dynamic. Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration**
-Node for the custom configuration of alerts to be sent during MDM sync session.
+Node for the custom configuration of alerts to be sent during MDM sync session.
***ProviderID*/CheckinAlertConfiguration/Nodes**
-Required. Root node for URIs to be queried. Scope is dynamic.
+Required. Root node for URIs to be queried. Scope is dynamic.
-Supported operation is Get.
+Supported operation is Get.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID***
-Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
+Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
-Supported operations are Get, Add, and Delete.
+Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI**
-Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**AlertData**
-Node to query the custom alert per server configuration
-Value type is string. Supported operation is Get.
+Node to query the custom alert per server configuration
+Value type is string. Supported operation is Get.
**PowerSettings**
-Node for power-related configrations
+Node for power-related configrations
**PowerSettings/MaxSkippedSessionsInLowPowerState**
-Maximum number of continuous skipped sync sessions when the device is in low-power state.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum number of continuous skipped sync sessions when the device is in low-power state.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**PowerSettings/MaxTimeSessionsSkippedInLowPowerState**
-Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
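Review bot: the ProviderID description ends with "there should be only one ProviderID node under NodeCache", but the root of this CSP is DMSessionActions (see the path `./Device/Vendor/MSFT/DMSessionActions` a few lines earlier); the sentence looks copied from the NodeCache CSP page and should say "under DMSessionActions". Also, the rewritten PowerSettings line keeps the typo "configrations" (should be "configurations"), and "alerts to be sent during MDM sync session" needs "an".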
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md
index 3716a1c54a..3b59ea0c12 100644
--- a/windows/client-management/mdm/dynamicmanagement-csp.md
+++ b/windows/client-management/mdm/dynamicmanagement-csp.md
@@ -33,12 +33,12 @@ DynamicManagement
----AlertsEnabled
```
**DynamicManagement**
-The root node for the DynamicManagement configuration service provider.
+The root node for the DynamicManagement configuration service provider.
**NotificationsEnabled**
-Boolean value for sending notification to the user of a context change.
-Default value is False. Supported operations are Get and Replace.
-Example to turn on NotificationsEnabled:
+Boolean value for sending notification to the user of a context change.
+Default value is False. Supported operations are Get and Replace.
+Example to turn on NotificationsEnabled:
```xml
@@ -56,40 +56,40 @@ DynamicManagement
```
**ActiveList**
-A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..
-Supported operation is Get.
+A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..
+Supported operation is Get.
**Contexts**
-Node for context information.
-Supported operation is Get.
+Node for context information.
+Supported operation is Get.
***ContextID***
-Node created by the server to define a context. Maximum number of characters allowed is 38.
-Supported operations are Add, Get, and Delete.
+Node created by the server to define a context. Maximum number of characters allowed is 38.
+Supported operations are Add, Get, and Delete.
**SignalDefinition**
-Signal Definition XML.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Signal Definition XML.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**SettingsPack**
-Settings that get applied when the Context is active.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Settings that get applied when the Context is active.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**SettingsPackResponse**
-Response from applying a Settings Pack that contains information on each individual action.
-Value type is string. Supported operation is Get.
+Response from applying a Settings Pack that contains information on each individual action.
+Value type is string. Supported operation is Get.
**ContextStatus**
-Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
-Value type is integer. Supported operation is Get.
+Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
+Value type is integer. Supported operation is Get.
**Altitude**
-A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
-Value type is integer. Supported operations are Add, Get, Delete, and Replace.
+A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
+Value type is integer. Supported operations are Add, Get, Delete, and Replace.
**AlertsEnabled**
-A Boolean value for sending an alert to the server when a context fails.
-Supported operations are Get and Replace.
+A Boolean value for sending an alert to the server when a context fails.
+Supported operations are Get and Replace.
## Examples
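Review bot: the ActiveList line is rewritten but keeps "Delimeter is unicode character 0xF000.." ; suggest "Delimiter is the Unicode character 0xF000." (spelling, capitalisation, single period). In the Altitude description, "must be distinct of other priorities" should be "must be distinct from the Altitude of every other context", which also makes clear what it has to differ from.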
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 43882781ec..2ef69ad6c3 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -24,35 +24,35 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
1. Run rasphone.exe.
- 
+ 
1. If you don't currently have a VPN connection and you see the following message, select **OK**.
- 
+ 
1. In the wizard, select **Workplace network**.
- 
+ 
1. Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
- 
+ 
1. Create a fake VPN connection. In the UI shown here, select **Properties**.
- 
+ 
1. In the **Test Properties** dialog, select the **Security** tab.
- 
+ 
1. On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
- 
+ 
1. From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
- 
+ 
1. Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
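Review bot: "Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters." mixes plural and singular; suggest "These can be placeholders, since they do not affect the authentication parameters." Every step in this list is numbered "1."; if the intent is auto-numbering that is fine, but the later text refers to "steps 1 through 7", so explicit numbers would make that reference unambiguous.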
@@ -267,7 +267,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio
1. Follow steps 1 through 7 in the EAP configuration article.
1. In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS).
- 
+ 
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -277,11 +277,11 @@ Alternatively, you can use the following procedure to create an EAP configuratio
1. Select the **Properties** button underneath the drop-down menu.
1. On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
- 
+ 
1. On the **Configure Certificate Selection** menu, adjust the filters as needed.
- 
+ 
1. Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
1. Close the rasphone dialog box.
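Review bot: the procedure creates a throw-away VPN connection in step 5 of the earlier list, but the closing steps only say to close the rasphone dialog box; the placeholder connection is left on the machine. Suggest a final step telling the reader to delete the test connection once the EAP configuration XML has been retrieved.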
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index d6a0127bab..cfc9928a0b 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -47,19 +47,19 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
2. Under **Best match**, click **Edit group policy** to launch it.
- 
+ 
3. In **Local Computer Policy** navigate to the policy you want to configure.
In this example, navigate to **Administrative Templates > System > App-V**.
- 
+ 
4. Double-click **Enable App-V Client**.
The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
- 
+ 
3. Create the SyncML to enable the policy that does not require any parameter.
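Review bot: the step numbering in this hunk runs 2, 3, 4 and then "3. Create the SyncML to enable the policy that does not require any parameter." The last item should be 5, or the list should use a consistent auto-numbering scheme; as written the rendered list will show a duplicate step 3.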
@@ -99,15 +99,15 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
- 
+ 
- 
+ 
2. Find the variable names of the parameters in the ADMX file.
You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
- 
+ 
3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
index f4c951af17..bab52cb7fd 100644
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
@@ -84,7 +84,7 @@ After the upgrade to Windows 10 is complete, if you decide to push down a new we
The following diagram shows a high-level overview of the process.
-
+
## Step 1: Prepare a test device to download updates from Microsoft Update
@@ -107,15 +107,15 @@ Trigger the device to check for updates either manually or using Microsoft Endpo
1. Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
- 
+ 
2. Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
- 
+ 
3. Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
- 
+ 
4. Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
5. Follow the prompts for downloading the updates, but do not install the updates on the device.
@@ -216,11 +216,11 @@ The deployment process has three parts:
1. Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
- 
+ 
2. Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
- 
+ 
3. Select **Remediate noncompliant settings**, and then select **OK**.
@@ -231,7 +231,7 @@ The deployment process has three parts:
1. Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
2. Select **Remediate noncompliant settings**.
- 
+ 
3. Select **OK**.
@@ -242,11 +242,11 @@ The deployment process has three parts:
1. Create a configuration baseline item and give it a name (such as ControlledUpdates).
2. Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
- 
+ 
3. Deploy the configuration baseline to the appropriate device or device collection.
- 
+ 
4. Select **OK**.
@@ -472,57 +472,57 @@ Use this procedure for pre-GDR1 devices:
2. In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
3. Select **Create Configuration Item**.
- 
+ 
4. Enter a filename (such as GetDUReport), and then select **Mobile Device**.
5. On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
- 
+ 
6. On the **Additional Settings** page, select **Add**.
- 
+ 
7. On the **Browse Settings** page, select **Create Setting**.
- 
+ 
8. Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
9. In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
- 
+ 
10. On the **Browse Settings** page, select **Close**.
11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
- 
+ 
12. Close the **Create Configuration Item Wizard** page.
13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
15. Enter a dummy value (such as zzz) that is different from the one on the device.
- 
+ 
16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
17. Select **OK** to close the **Edit Rule** page.
18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
19. Select **Create Configuration Item**.
- 
+ 
20. Enter a baseline name (such as RetrieveDUReport).
21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
- 
+ 
22. Select **OK**, and then select **OK** again to complete the configuration baseline.
23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
- 
+ 
24. Select **Remediate noncompliant rules when supported**.
25. Select the appropriate device collection and define the schedule.
- 
+ 
26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
- 
+ 
29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
- 
+ 
30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
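Review bot: step 19 says "Select **Create Configuration Item**" immediately after right-clicking **Configuration Baselines** in step 18, while steps 20 to 22 then build a baseline; the menu entry here should be **Create Configuration Baseline**. Also, step 13 has "newly create configuration item" (should be "newly created") and step 28 has "select **Mode Details**" where the option is **More Details**.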
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 322e4dbc40..c9f13235e0 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -46,11 +46,11 @@ To ensure that the auto-enrollment feature is working as expected, you must veri
The following steps demonstrate required settings using the Intune service:
1. Verify that the user who is going to enroll the device has a valid Intune license.
- 
+ 
2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
- 
+ 
> [!IMPORTANT]
> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
@@ -62,23 +62,23 @@ The following steps demonstrate required settings using the Intune service:
You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
- 
+ 
Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
- 
+ 
This information can also be found on the Azure AD device list.
- 
+ 
5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
- 
+ 
6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
- 
+ 
7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
You may contact your domain administrators to verify if the group policy has been deployed successfully.
@@ -87,7 +87,7 @@ You may contact your domain administrators to verify if the group policy has bee
9. Verify that Microsoft Intune should allow enrollment of Windows devices.
- 
+ 
## Configure the auto-enrollment Group Policy for a single PC
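Review bot: step 9, `9. Verify that Microsoft Intune should allow enrollment of Windows devices.`, mixes `Verify that` with `should`; suggest `Verify that Microsoft Intune allows enrollment of Windows devices.` since the whitespace on the adjacent image line is already being changed.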
@@ -102,18 +102,18 @@ Requirements:
Click Start, then in the text box type gpedit.
- 
+ 
2. Under **Best match**, click **Edit group policy** to launch it.
3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
> [!div class="mx-imgBorder"]
- > 
+ > 
4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
- 
+ 
5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
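Review bot: step 1, `Click Start, then in the text box type gpedit.`, leaves the UI element and the typed text unformatted, whereas the equivalent Task Scheduler step later in this file bolds both (`1. Click **Start**, then in the text box type **task scheduler**.`); suggest `Click **Start**, then in the text box type **gpedit**.` for consistency.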
@@ -129,7 +129,7 @@ Requirements:
If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
- 
+ 
> [!Tip]
> You can avoid this behavior by using Conditional Access Policies in Azure AD.
@@ -139,7 +139,7 @@ Requirements:
7. Click **Info** to see the MDM enrollment information.
- 
+ 
If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
@@ -148,13 +148,13 @@ Requirements:
1. Click **Start**, then in the text box type **task scheduler**.
- 
+ 
2. Under **Best match**, click **Task Scheduler** to launch it.
3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
- 
+ 
To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
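Review bot: `open **Microsoft > Windows** , then click **EnterpriseMgmt**` has a stray space before the comma. The paragraph that follows names only the failure code (`**0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED)`); stating that a `0x0` Last Run Result is the success case would give readers both reference points when they compare against their own task history.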
@@ -239,13 +239,13 @@ To collect Event Viewer logs:
3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
- 
+ 
If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
- The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
- 
+ 
To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
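Review bot: the support link uses a locale-specific path (`support.microsoft.com/en-ph/help/4469913/...`); docs links should drop the locale segment so each reader is served their own language. Also `The enrollment failed with error.` should read `failed with an error.`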
@@ -253,7 +253,7 @@ To collect Event Viewer logs:
The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
- 
+ 
> [!Note]
> This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
@@ -262,24 +262,24 @@ To collect Event Viewer logs:
**Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
- 
+ 
When the task is completed, a new event ID 102 is logged.
- 
+ 
Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
- 
+ 
By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
- 
+ 
### Related topics
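Review bot: in the paragraph beginning `If you cannot see from the log that task Schedule created by enrollment client...`, the task name is quoted inconsistently with the earlier `task scheduler created by enrollment client for automatically enrolling in MDM from AAD`, and `there is possibly issue with the group policy` should read `there is possibly an issue`. In the registry remediation paragraph, `go for the key which displays most entries as the screenshot above` is hard to follow; suggest `choose the key with the most entries, as in the screenshot above`. Because that guidance identifies the key under `HKLM > Software > Microsoft > Enrollments` by entry count alone, the doc should also advise exporting the key before deleting it so a wrong guess can be reverted.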
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index b809041a65..c29e2047ad 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem
The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
-
+
Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
diff --git a/windows/client-management/mdm/enterpriseapn-csp.md b/windows/client-management/mdm/enterpriseapn-csp.md
index c271c1dbe6..f82e763f75 100644
--- a/windows/client-management/mdm/enterpriseapn-csp.md
+++ b/windows/client-management/mdm/enterpriseapn-csp.md
@@ -39,40 +39,40 @@ EnterpriseAPN
--------HideView
```
**EnterpriseAPN**
-The root node for the EnterpriseAPN configuration service provider.
+The root node for the EnterpriseAPN configuration service provider.
**EnterpriseAPN/***ConnectionName*
-Name of the connection as seen by Windows Connection Manager.
+Name of the connection as seen by Windows Connection Manager.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/APNName**
-Enterprise APN name.
+Enterprise APN name.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IPType**
-This value can be one of the following:
+This value can be one of the following:
- IPv4 - only IPV4 connection type
- IPv6 - only IPv6 connection type
- IPv4v6 (default)- IPv4 and IPv6 concurrently.
- IPv4v6xlat - IPv6 with IPv4 provided by 46xlat
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IsAttachAPN**
-Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
+Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/ClassId**
-GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.
+GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AuthType**
-Authentication type. This value can be one of the following:
+Authentication type. This value can be one of the following:
- None (default)
- Auto
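Review bot: in the IPType list, `IPv4v6 (default)- IPv4 and IPv6 concurrently.` is missing the space before the dash that the other items use, and `46xlat` in `IPv4v6xlat - IPv6 with IPv4 provided by 46xlat` looks like a typo for 464XLAT (RFC 6877); the author should confirm the intended name. The `-`/`+` pairs in this hunk otherwise render identically, consistent with trailing-whitespace cleanup.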
@@ -80,39 +80,39 @@ EnterpriseAPN
- CHAP
- MSCHAPv2
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/UserName**
-User name for use with PAP, CHAP, or MSCHAPv2 authentication.
+User name for use with PAP, CHAP, or MSCHAPv2 authentication.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Password**
-Password corresponding to the username.
+Password corresponding to the username.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IccId**
-Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
+Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AlwaysOn**
-Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
+Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
-The default value is true.
+The default value is true.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Enabled**
-Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
+Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
-The default value is true.
+The default value is true.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Roaming**
-Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
- 0 - Disallowed
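Review bot: the `Password` node (`Password corresponding to the username.` followed by `Supported operations are Add, Get, Delete, and Replace.`) lists Get without saying what a Get returns. Since this value is a credential, the doc should state whether the MDM server can read it back or receives a masked value, so administrators can judge exposure of the APN password through the management channel.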
@@ -123,27 +123,27 @@ EnterpriseAPN
- 5 - UseOnlyForRoaming
-Default is 1 (all roaming allowed).
+Default is 1 (all roaming allowed).
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/Settings**
-Added in Windows 10, version 1607. Node that contains global settings.
+Added in Windows 10, version 1607. Node that contains global settings.
**EnterpriseAPN/Settings/AllowUserControl**
-Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
-The default value is false.
+The default value is false.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**EnterpriseAPN/Settings/HideView**
-Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
+Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
-The default value is false.
+The default value is false.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
## Examples
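Review bot: `allow users to connect with other APNs other than the Enterprise APN` (AllowUserControl) repeats `other`; suggest `connect with APNs other than the Enterprise APN`. For Roaming, `Default is 1 (all roaming allowed).` is followed by `Value type is string.` while the valid values are listed as integers (`0 - Disallowed` through `5 - UseOnlyForRoaming`); confirm the type or clarify that the integer is supplied as a string.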
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index 51c1a6581f..98249aad50 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -23,7 +23,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
-
+
***EnterpriseID***
Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.
diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
index 9a0893f98e..cb948488da 100644
--- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md
@@ -45,68 +45,68 @@ EnterpriseAppVManagement
------------Policy
```
**./Vendor/MSFT/EnterpriseAppVManagement**
-Root node for the EnterpriseAppVManagement configuration service provider.
+Root node for the EnterpriseAppVManagement configuration service provider.
**AppVPackageManagement**
-Used to query App-V package information (post-publish).
+Used to query App-V package information (post-publish).
**AppVPackageManagement/EnterpriseID**
-Used to query package information. Value is always "HostedInstall".
+Used to query package information. Value is always "HostedInstall".
**AppVPackageManagement/EnterpriseID/PackageFamilyName**
-Package ID of the published App-V package.
+Package ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName***
-Version ID of the published App-V package.
+Version ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name**
-Name specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Name specified in the published AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version**
-Version specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Version specified in the published AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher**
-Publisher as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Publisher as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation**
-Local package path specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Local package path specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate**
-Date the app was installed, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Date the app was installed, as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users**
-Registered users for app, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Registered users for app, as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId**
- Package ID of the published App-V package.
-Value type is string. Supported operation is Get.
+ Package ID of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId**
-Version ID of the published App-V package.
-Value type is string. Supported operation is Get.
+Version ID of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri**
-Package URI of the published App-V package.
-Value type is string. Supported operation is Get.
+Package URI of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPublishing**
-Used to monitor publishing operations on App-V.
+Used to monitor publishing operations on App-V.
**AppVPublishing/LastSync**
-Used to monitor publishing status of last sync operation.
+Used to monitor publishing status of last sync operation.
**AppVPublishing/LastSync/LastError**
-Error code and error description of last sync operation.
-Value type is string. Supported operation is Get.
+Error code and error description of last sync operation.
+Value type is string. Supported operation is Get.
**AppVPublishing/LastSync/LastErrorDescription**
-Last sync error status. One of the following values may be returned:
+Last sync error status. One of the following values may be returned:
- SYNC\_ERR_NONE (0) - No errors during publish.
- SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish.
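Review bot: the `+` line for AppVPackageId, `+ Package ID of the published App-V package.`, keeps a leading space that no other description line has; since this commit is a whitespace cleanup, strip it too. Separately, the descriptions of `PackageFamilyName` (`Package ID of the published App-V package.`) and `PackageFullName` (`Version ID of the published App-V package.`) are identical to those of `AppVPackageId` and `AppVVersionId`, so the reader cannot tell the nodes apart, and the header `**AppVPackageManagement/EnterpriseID/PackageFamilyName**` lacks the italics the sibling headers use for placeholder segments.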
@@ -116,10 +116,10 @@ EnterpriseAppVManagement
- SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish.
- SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish.
-Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
**AppVPublishing/LastSync/SyncStatusDescription**
-Latest sync in-progress stage. One of the following values may be returned:
+Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle.
- SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress.
@@ -127,9 +127,9 @@ EnterpriseAppVManagement
- SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress.
- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress.
-Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
-AppVPublishing/LastSync/SyncProgress
Latest sync state. One of the following values may be returned:
+AppVPublishing/LastSync/SyncProgress
Latest sync state. One of the following values may be returned:
- SYNC\_STATUS_IDLE (0) - App-V Sync is idle.
- SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing.
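Review bot: `-AppVPublishing/LastSync/SyncProgress` / `+AppVPublishing/LastSync/SyncProgress` is the only node header in this file without the `**...**` bold wrapping; since the line is being touched anyway, add it. The context line `SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4)` has the escaping backslash placed inside the identifier and should be `SYNC\_PROGRESS\_UNPUBLISH_PACKAGES (4)`. Item (1) is named `UNPUBLISH_GROUPS` but described as `App-V connection groups publish in progress`; confirm which is intended.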
@@ -137,22 +137,22 @@ EnterpriseAppVManagement
- SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete.
- SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot.
-Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
**AppVPublishing/Sync**
-Used to perform App-V synchronization.
+Used to perform App-V synchronization.
**AppVPublishing/Sync/PublishXML**
-Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
-Supported operations are Get, Delete, and Execute.
+Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
+Supported operations are Get, Delete, and Execute.
**AppVDynamicPolicy**
-Used to set App-V Policy Configuration documents for publishing packages.
+Used to set App-V Policy Configuration documents for publishing packages.
**AppVDynamicPolicy/*ConfigurationId***
-ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
+ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
**AppVDynamicPolicy/*ConfigurationId*/Policy**
-XML for App-V Policy Configuration documents for publishing packages.
-Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file
+XML for App-V Policy Configuration documents for publishing packages.
+Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file
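Review bot: the hunk ends with `\ No newline at end of file` on both sides; since the change is whitespace normalisation, add the trailing newline so the file ends cleanly and future diffs do not carry this marker.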
diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
index 12f02b683f..58fdde76ab 100644
--- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md
+++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md
@@ -40,10 +40,10 @@ EnterpriseExtFileSystem
The following list describes the characteristics and parameters.
**./Vendor/MSFT/EnterpriseExtFileSystem**
-The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.
+The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.
**Persistent**
-The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.
+The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.
> **Important** There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer.
>
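Review bot: `Files written to the Persistent folder persists over ordinary power cycles.` needs `persist` to agree with the plural subject; the `-`/`+` lines are otherwise identical, so fold this into the same whitespace pass.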
@@ -54,24 +54,24 @@ The following list describes the characteristics and parameters.
**NonPersistent**
-The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.
+The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.
-When the device is wiped, any data stored in the NonPersistent folder is deleted.
+When the device is wiped, any data stored in the NonPersistent folder is deleted.
**OemProfile**
-Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.
+Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.
***Directory***
-The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.
+The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.
-Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.
+Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.
-Use the Get command to return the list of child node names under Directory.
+Use the Get command to return the list of child node names under Directory.
-Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.
+Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.
***Filename***
-The name of a file in the device file system.
+The name of a file in the device file system.
Supported operations is Get.
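Review bot: `Supported operations is Get.` under Filename should be `Supported operation is Get.`, and in OemProfile `such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver` should read `that can be consumed`. The NonPersistent description says files `will persist over ordinary power cycles` and are deleted on wipe, which is close to what Persistent says; a sentence stating how the two folders actually differ would help, since the node name suggests otherwise.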
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 12547591ba..3df7b51be2 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -24,7 +24,7 @@ The FileSystem configuration service provider is used to query, add, modify, and
The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
-
+
**FileSystem**
Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md
index 19fbe15c22..2d9fbf4570 100644
--- a/windows/client-management/mdm/firewall-csp.md
+++ b/windows/client-management/mdm/firewall-csp.md
@@ -103,68 +103,68 @@ Firewall
----------------Name
```
**./Vendor/MSFT/Firewall**
-Root node for the Firewall configuration service provider.
+Root node for the Firewall configuration service provider.
**MdmStore**
-Interior node.
-Supported operation is Get.
+Interior node.
+Supported operation is Get.
**MdmStore/Global**
-Interior node.
-Supported operations are Get.
+Interior node.
+Supported operations are Get.
**MdmStore/Global/PolicyVersionSupported**
-Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
-Value type in integer. Supported operation is Get.
+Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/CurrentProfiles**
-Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
-Value type in integer. Supported operation is Get.
+Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/DisableStatefulFtp**
-Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
-Default value is false.
-Data type is bool. Supported operations are Add, Get, Replace, and Delete.
+Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
+Default value is false.
+Data type is bool. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/SaIdleTime**
-This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 300.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 300.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PresharedKeyEncoding**
-Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 1.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 1.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/IPsecExempt**
-This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/CRLcheck**
-This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
+This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
- 0 disables CRL checking
- 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.
- 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PolicyVersion**
-This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
-Value type is string. Supported operation is Get.
+This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
+Value type is string. Supported operation is Get.
**MdmStore/Global/BinaryVersionSupported**
-This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
-Value type is string. Supported operation is Get.
+This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
+Value type is string. Supported operation is Get.
**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
-This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Boolean value. Supported operations are Add, Get, Replace, and Delete.
+This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/EnablePacketQueue**
-This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
- 0x00 indicates that all queuing is to be disabled
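Review bot: the CRLcheck paragraph is rewritten in this hunk but still carries the typo "Valid valued:" before the 0/1/2 list; since the line is already being replaced, change it to "Valid values:" to match the wording used under EnablePacketQueue. In the same hunk, OpportunisticallyMatchAuthSetPerKM opens with "This value is bool used as an on/off switch" while the neighbouring nodes use "Boolean value."; aligning it avoids a second style of type statement for the same kind of node.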
@@ -172,71 +172,71 @@ Firewall
- 0x02 specifies that packets are to be queued after decryption is performed for forwarding
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/DomainProfile**
-Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PrivateProfile**
-Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PublicProfile**
-Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**/EnableFirewall**
-Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableStealthMode**
-Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/Shielded**
-Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
-Default value is false.
-Value type is bool. Supported operations are Get and Replace.
+Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
+Default value is false.
+Value type is bool. Supported operations are Get and Replace.
**/DisableUnicastResponsesToMulticastBroadcast**
-Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableInboundNotifications**
-Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AuthAppsAllowUserPrefMerge**
-Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/GlobalPortsAllowUserPrefMerge**
-Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalPolicyMerge**
-Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalIpsecPolicyMerge**
-Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DefaultOutboundAction**
-This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.
- 0x00000000 - allow
- 0x00000001 - block
-Default value is 0 (allow).
-Value type is integer. Supported operations are Add, Get and Replace.
+Default value is 0 (allow).
+Value type is integer. Supported operations are Add, Get and Replace.
Sample syncxml to provision the firewall settings to evaluate
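Review bot: the DefaultOutboundAction text in this hunk contradicts its own default. "DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block" reads as block-by-default, yet two lines later "Default value is 0 (allow)". Suggest "When set to 1 (block), all outbound traffic is blocked unless a rule explicitly allows it." so readers do not assume outbound filtering is on out of the box. Two smaller points in the same hunk: DisableInboundNotifications mixes "If this value is false" with "If this value is on" (use true/false consistently), and "unicast responses to multicast broadcast traffic is blocked" should be "are blocked".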
@@ -263,70 +263,70 @@ Sample syncxml to provision the firewall settings to evaluate
```
**/DefaultInboundAction**
-This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
- 0x00000000 - allow
- 0x00000001 - block
-Default value is 1 (block).
-Value type is integer. Supported operations are Add, Get and Replace.
+Default value is 1 (block).
+Value type is integer. Supported operations are Add, Get and Replace.
**/DisableStealthModeIpsecSecuredPacketExemption**
-Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**FirewallRules**
-A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
**FirewallRules/_FirewallRuleName_**
-Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
-Supported operations are Add, Get, Replace, and Delete.
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App**
-Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
+Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
- PackageFamilyName
- FilePath
- FQBN
- ServiceName
-If not specified, the default is All.
-Supported operation is Get.
+If not specified, the default is All.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
-This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/FilePath**
-This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/Fqbn**
-Fully Qualified Binary Name
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Fully Qualified Binary Name
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/ServiceName**
-This is a service name used in cases when a service, not an application, is sending or receiving traffic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This is a service name used in cases when a service, not an application, is sending or receiving traffic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Protocol**
-0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-If not specified, the default is All.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+0-255 number representing the ip protocol (TCP = 6, UDP = 17)
+If not specified, the default is All.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalPortRanges**
-Comma separated list of ranges. For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges. For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/RemotePortRanges**
-Comma separated list of ranges, For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges, For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/LocalAddressRanges**
-Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
+Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
- "*" indicates any local address. If present, this must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask defaults to 255.255.255.255.
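Review bot: the DefaultInboundAction line retained in this hunk has a stray period in "GroupPolicyRSoPStore.win if it is configured"; it should read "GroupPolicyRSoPStore win if it is configured" as every other merge-law sentence does. Also worth fixing while these lines are touched: "Unique alpha numeric identifier" (alphanumeric), "representing the ip protocol" (IP protocol), and the RemotePortRanges sentence "Comma separated list of ranges, For example, 100-120,200,300-320." where the comma before "For" should be a period, matching LocalPortRanges.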
@@ -334,11 +334,11 @@ Sample syncxml to provision the firewall settings to evaluate
- An IPv4 address range in the format of "start address - end address" with no spaces included.
- An IPv6 address range in the format of "start address - end address" with no spaces included.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/RemoteAddressRanges**
-List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
- "*" indicates any remote address. If present, this must be the only token included.
- "Defaultgateway"
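Review bot: LocalAddressRanges now states two different defaults. The intro sentence says 'The default value is "*"' and the closing line in this hunk says "If not specified, the default is All." Since "*" is documented as "any local address", these are the same thing but a reader cannot tell; keep one statement (for example "If not specified, the default is "*" (any local address).") so the implicit any-address scope of a rule is stated once and unambiguously. RemoteAddressRanges has the same pair of sentences.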
@@ -355,70 +355,70 @@ Sample syncxml to provision the firewall settings to evaluate
- An IPv4 address range in the format of "start address - end address" with no spaces included.
- An IPv6 address range in the format of "start address - end address" with no spaces included.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
-The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
**FirewallRules/_FirewallRuleName_/Description**
-Specifies the description of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the description of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Enabled**
-Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
- If not specified - a new rule is enabled by default.
-Boolean value. Supported operations are Get and Replace.
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
+ If not specified - a new rule is enabled by default.
+Boolean value. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Profiles**
-Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
-If not specified, the default is All.
-Value type is integer. Supported operations are Get and Replace.
+Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
+If not specified, the default is All.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Action**
-Specifies the action for the rule.
-Supported operation is Get.
+Specifies the action for the rule.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Action/Type**
-Specifies the action the rule enforces. Supported values:
+Specifies the action the rule enforces. Supported values:
-If not specified, the default is allow.
-Value type is integer. Supported operations are Get and Replace.
+If not specified, the default is allow.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Direction**
-The rule is enabled based on the traffic direction as following. Supported values:
+The rule is enabled based on the traffic direction as following. Supported values:
- IN - the rule applies to inbound traffic.
- OUT - the rule applies to outbound traffic.
- If not specified, the default is Out.
-Value type is string. Supported operations are Get and Replace.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/InterfaceTypes**
-Comma separated list of interface types. Valid values:
+Comma separated list of interface types. Valid values:
- RemoteAccess
- Wireless
- Lan
-If not specified, the default is All.
-Value type is string. Supported operations are Get and Replace.
+If not specified, the default is All.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/EdgeTraversal**
-Indicates whether edge traversal is enabled or disabled for this rule.
-The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
-New rules have the EdgeTraversal property disabled by default.
-Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+Indicates whether edge traversal is enabled or disabled for this rule.
+The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+New rules have the EdgeTraversal property disabled by default.
+Value type is bool. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList**
-Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Status**
-Provides information about the specific version of the rule in deployment for monitoring purposes.
-Value type is string. Supported operation is Get.
+Provides information about the specific version of the rule in deployment for monitoring purposes.
+Value type is string. Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Name**
-Name of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Name of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
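Review bot: under FirewallRules/_FirewallRuleName_/Action/Type the line "Specifies the action the rule enforces. Supported values:" is followed directly by "If not specified, the default is allow." with no values listed, so the allow/block enumeration is missing from the rendered node; please check the source and restore the list (the DefaultInboundAction node shows the expected shape, "0x00000000 - allow" / "0x00000001 - block"). Smaller fixes in the same hunk: the Profiles line has a doubled period in "Domain, Private, Public. . See FW_PROFILE_TYPE", the Enabled node's "+ If not specified - a new rule is enabled by default." keeps a leading space that will render oddly, and the Fqbn node's "Fully Qualified Binary Name" lacks a terminating period.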
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 9f691cab8c..e570b9890d 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -26,18 +26,18 @@ The following is a list of functions performed by the Device HealthAttestation C
## Terms
**TPM (Trusted Platform Module)**
-TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.
+TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.
**DHA (Device HealthAttestation) feature**
-The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
**DHA-Enabled device (Device HealthAttestation enabled device)**
-A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
+A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
**DHA-Session (Device HealthAttestation session)**
-The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
-The following list of transactions is performed in one DHA-Session:
+The following list of transactions is performed in one DHA-Session:
- DHA-CSP and DHA-Service communication:
- DHA-CSP forwards device boot data (DHA-BootData) to DHA-Service
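Review bot: style only, since the hunk is whitespace-normalisation: the TPM definition hyphenates "hardware-protected logic" and then writes "hardware protected security operations" in the same sentence; pick one form. The rest of the hunk is unchanged text and reads fine.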
@@ -57,7 +57,7 @@ The following is a list of functions performed by the Device HealthAttestation C

DHA session data (Device HealthAttestation session data)
-The following list of data is produced or consumed in one DHA-Transaction:
+The following list of data is produced or consumed in one DHA-Transaction:
- DHA-BootData: the device boot data (TCG logs, PCR values, device/TPM certificate, boot and TPM counters) that are required for validating device boot health.
- DHA-EncBlob: an encrypted summary report that DHA-Service issues to a device after reviewing the DHA-BootData it receives from devices.
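Review bot: terminology mismatch in the retained line "The following list of data is produced or consumed in one DHA-Transaction:". The Terms section defines DHA-Session (and the heading above this list is "DHA session data") but never defines DHA-Transaction; either change this to "one DHA-Session" or add DHA-Transaction to the Terms list so the attestation flow is described with one vocabulary.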
@@ -73,9 +73,9 @@ The following is a list of functions performed by the Device HealthAttestation C
DHA-Enabled MDM (Device HealthAttestation enabled device management solution)
-Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
-DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
-The following list of operations is performed by DHA-Enabled-MDM
+Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
+DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
+The following list of operations is performed by DHA-Enabled-MDM
- Enables the DHA feature on a DHA-Enabled device
- Issues device health attestation requests to enrolled/managed devices
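Review bot: the line "The following list of operations is performed by DHA-Enabled-MDM" is missing the trailing colon that every other "The following list of operations is performed by ...:" lead-in in this file has, and it hyphenates "DHA-Enabled-MDM" while the heading two lines above writes "DHA-Enabled MDM"; since the line is already being rewritten, make both consistent.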
@@ -84,8 +84,8 @@ The following is a list of functions performed by the Device HealthAttestation C
DHA-CSP (Device HealthAttestation Configuration Service Provider)
-The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
-The following list of operations is performed by DHA-CSP:
+The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
+The following list of operations is performed by DHA-CSP:
- Collects device boot data (DHA-BootData) from a managed device
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
@@ -94,17 +94,17 @@ The following is a list of functions performed by the Device HealthAttestation C
DHA-Service (Device HealthAttestation Service)
-Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
-DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
-The following list of operations is performed by DHA-Service:
+DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
+The following list of operations is performed by DHA-Service:
- Receives device boot data (DHA-BootData) from a DHA-Enabled device
- Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)
- Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device
- Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)
-
+
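Review bot: the DHA-Service operations list in this hunk is a copy of the DHA-CSP list and does not describe the service: "Forwards DHA-BootData to Device Health Attestation Service (DHA-Service)" and "Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device" are client-side steps (the service cannot forward data to itself or cache on the device). These are unchanged context lines, but with the surrounding lines being rewritten this is the moment to replace them with the service's own operations, consistent with the paragraph above them: validate the received DHA-BootData, issue the DHA-EncBlob, and answer DHA-Requests with a DHA-Report.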
@@ -120,8 +120,8 @@ The following is a list of functions performed by the Device HealthAttestation C
-Device Health Attestation – Cloud (DHA-Cloud) |
-DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
+ | Device Health Attestation – Cloud (DHA-Cloud) |
+DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
- Available in Windows for free
- Running on a high-availability and geo-balanced cloud infrastructure
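Review bot: this change is more than whitespace: the added line prepends " | " to "Device Health Attestation – Cloud (DHA-Cloud) |", and the following hunk drops the leading " | " from "No cost |". Because each row is split across several lines, standard Markdown will not treat this as a table, so please check the rendered page to confirm the cell boundaries (name, description, cost) still line up after moving the pipe; putting each row on a single line would render the same everywhere.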
@@ -134,12 +134,12 @@ The following is a list of functions performed by the Device HealthAttestation C
- | No cost |
+No cost |
-Device Health Attestation – On Premise (DHA-OnPrem) |
-DHA-OnPrem refers to DHA-Service that is running on premises:
+ | Device Health Attestation – On Premise (DHA-OnPrem) |
+DHA-OnPrem refers to DHA-Service that is running on premises:
- Offered to Windows Server 2016 customer (no added licensing cost for enabling/running DHA-Service)
- Hosted on an enterprise owned and managed server device/hardware
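Review bot: same pipe relocation as the previous hunk, so the same rendered-table check applies here. Separately, "Offered to Windows Server 2016 customer" should be plural ("customers") to match the wording of the DHA-EMC row.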
@@ -152,11 +152,11 @@ The following is a list of functions performed by the Device HealthAttestation C
|
-The operation cost of running one or more instances of Server 2016 on-premises. |
+The operation cost of running one or more instances of Server 2016 on-premises. |
-Device Health Attestation - Enterprise-Managed Cloud (DHA-EMC) |
-DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
+ | Device Health Attestation - Enterprise-Managed Cloud (DHA-EMC) |
+DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
- Offered to Windows Server 2016 customers with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)
- Supported by 1st and 3rd party DHA-Enabled device management solution providers that support on-premises and hybrid (Cloud + OnPrem) hardware attestation scenarios
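Review bot: "Windows Server 2016 compatible - enterprise-managed cloud service" has a stray spaced hyphen that reads as a list dash; "Windows Server 2016 compatible, enterprise-managed cloud service" is what is meant. In the next bullet, "with no additional licensing cost (no added licensing cost for enabling/running DHA-Service)" says the same thing twice; keep one form, matching the DHA-OnPrem row.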
@@ -168,7 +168,7 @@ The following is a list of functions performed by the Device HealthAttestation C
|
-The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. |
+The operation cost of running Server 2016 on a compatible cloud service, such as Microsoft Azure. |
@@ -193,19 +193,19 @@ HealthAttestation
----MaxSupportedProtocolVersion
```
**./Vendor/MSFT/HealthAttestation**
-The root node for the device HealthAttestation configuration service provider.
+The root node for the device HealthAttestation configuration service provider.
**VerifyHealth** (Required)
-Notifies the device to prepare a device health verification request.
+Notifies the device to prepare a device health verification request.
-The supported operation is Execute.
+The supported operation is Execute.
**Status** (Required)
-Provides the current status of the device health request.
+Provides the current status of the device health request.
-The supported operation is Get.
+The supported operation is Get.
-The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.
+The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service
- 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device
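Review bot: "For the complete list of status see Device HealthAttestation CSP status and error codes" names a section of this page without linking to it; since the line is being rewritten anyway, make it an anchor link to that section and say "complete list of status codes".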
@@ -213,35 +213,35 @@ HealthAttestation
- 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up
**ForceRetrieve** (Optional)
-Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
+Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
-Boolean value. The supported operation is Replace.
+Boolean value. The supported operation is Replace.
**Certificate** (Required)
-Instructs the DHA-CSP to forward DHA-Data to the MDM server.
+Instructs the DHA-CSP to forward DHA-Data to the MDM server.
-Value type is b64.The supported operation is Get.
+Value type is b64.The supported operation is Get.
**Nonce** (Required)
-Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
+Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
-The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
-The supported operations are Get and Replace.
+The supported operations are Get and Replace.
**CorrelationId** (Required)
-Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
+Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
-Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
+Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
**HASEndpoint** (Optional)
-Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
+Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
-Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
+Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
**TpmReadyStatus** (Required)
-Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
-Value type is integer. The supported operation is Get.
+Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
+Value type is integer. The supported operation is Get.
## **DHA-CSP integration steps**
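Review bot: two typos sit on lines this hunk rewrites and should be fixed while touching them: "Value type is b64.The supported operation is Get." is missing the space after the period, and the CorrelationId range "the minimum value is - 2,147,483,648" has a space between the minus sign and the number. Under Nonce, "crypt-protected random value" is unclear; since the text claims protection against MITM-type attacks, state the mechanism in one clause (the MDM generates the random value and checks that the same value comes back in the attested report, so an old report cannot be replayed), keeping the stated hex format and 8 to 32 byte size.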
@@ -508,14 +508,14 @@ The following list of data points are verified by the DHA-Service in DHA-Report
Each of these are described in further detail in the following sections, along with the recommended actions to take.
**Issued**
-The date and time DHA-report was evaluated or issued to MDM.
+The date and time DHA-report was evaluated or issued to MDM.
**AIKPresent**
-When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
+When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
-If AIKPresent = True (1), then allow access.
+If AIKPresent = True (1), then allow access.
-If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
+If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
@@ -523,24 +523,24 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**ResetCount** (Reported only for devices that support TPM 2.0)
-This attribute reports the number of times a PC device has hibernated or resumed.
+This attribute reports the number of times a PC device has hibernated or resumed.
**RestartCount** (Reported only for devices that support TPM 2.0)
-This attribute reports the number of times a PC device has rebooted
+This attribute reports the number of times a PC device has rebooted
**DEPPolicy**
-A device can be trusted more if the DEP Policy is enabled on the device.
+A device can be trusted more if the DEP Policy is enabled on the device.
-Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
-DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff**
- To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn**
-If DEPPolicy = 1 (On), then allow access.
+If DEPPolicy = 1 (On), then allow access.
-If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
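Review bot: "Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies" has a doubled verb; drop "defines". The sentence that follows, "Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on", is not about DEP and is not readable as written; either rewrite it to say which DEP policy values are permitted per architecture or remove it. Also, "using the following commands in WMI or a PowerShell script" introduces bcdedit.exe commands, which are neither WMI nor PowerShell; "from an elevated command prompt or PowerShell window" is accurate, and the same phrase recurs under boot debugging, test signing and VSM in later hunks.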
@@ -548,15 +548,15 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BitLockerStatus** (at boot time)
-When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
+Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
-If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
+If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
-If BitLockerStatus = 1 (On), then allow access.
+If BitLockerStatus = 1 (On), then allow access.
-If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
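Review bot: stray comma in "Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume"; remove it while the line is being rewritten.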
@@ -564,11 +564,11 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BootManagerRevListVersion**
-This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
+This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-If BootManagerRevListVersion = [CurrentVersion], then allow access.
+If BootManagerRevListVersion = [CurrentVersion], then allow access.
-If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
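Review bot: the attribute is named BootManagerRevListVersion but the description says it "indicates the version of the Boot Manager that is running on the device". As the name (RevList) and the sibling CodeIntegrityRevListVersion entry suggest, what is reported is a revocation-list version, which is also what the "[CurrentVersion]" comparison below is checking against; reword so the reader compares against the current revocation-list version rather than a boot-manager build number.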
@@ -576,11 +576,11 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
**CodeIntegrityRevListVersion**
-This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
+This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
-If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
-If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
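Review bot: "Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue" at the top of this hunk has a doubled "such as" and a missing conjunction ("contact the owner and investigate the issue"); the identical sentence opens the next hunk (CodeIntegrityRevListVersion) and the OSKernelDebuggingEnabled hunk further down, so fix all three occurrences together.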
@@ -588,11 +588,11 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
**SecureBootEnabled**
-When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
+When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
-If SecureBootEnabled = 1 (True), then allow access.
+If SecureBootEnabled = 1 (True), then allow access.
-If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
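Review bot: "If SecurebootEnabled = 0 (False)" spells the attribute differently from the heading and the line directly above it ("SecureBootEnabled"); use the heading's casing so searches and copied policy names match.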
@@ -600,16 +600,16 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**BootDebuggingEnabled**
-Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
+Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
-Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off**
- To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on**
-If BootdebuggingEnabled = 0 (False), then allow access.
+If BootdebuggingEnabled = 0 (False), then allow access.
-If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
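Review bot: "configured with fewer security restrictions that is required for testing and development" is ungrammatical; the OSKernelDebuggingEnabled entry in a later hunk already carries the corrected wording ("fewer security restrictions required for testing and development"), so reuse it. Also "If BootdebuggingEnabled = 0 (False)" should be "BootDebuggingEnabled" to match the heading and the line below it.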
@@ -617,11 +617,11 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script.
**OSKernelDebuggingEnabled**
-OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
+OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-If OSKernelDebuggingEnabled = 0 (False), then allow access.
+If OSKernelDebuggingEnabled = 0 (False), then allow access.
-If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
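Review bot: the list item at the top of this hunk, "Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script", closes the BootDebuggingEnabled action list but suggests enabling VSM, which does not clear a boot-debugging finding; the remediation for this attribute is the disable command given in the preceding hunk ("bcdedit.exe /set {current} bootdebug off"), so the item should point at that instead.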
@@ -629,15 +629,15 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue.
**CodeIntegrityEnabled**
-When code integrity is enabled, code execution is restricted to integrity verified code.
+When code integrity is enabled, code execution is restricted to integrity verified code.
-Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
+Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
-On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-If CodeIntegrityEnabled = 1 (True), then allow access.
+If CodeIntegrityEnabled = 1 (True), then allow access.
-If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
@@ -645,16 +645,16 @@ Each of these are described in further detail in the following sections, along w
- Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks.
**TestSigningEnabled**
-When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
+When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
-Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off**
- To enable boot debugging, type **bcdedit.exe /set {current} testsigning on**
-If TestSigningEnabled = 0 (False), then allow access.
+If TestSigningEnabled = 0 (False), then allow access.
-If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI and MBI assets
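Review bot: the two bcdedit lines under TestSigningEnabled are labelled "To disable boot debugging" / "To enable boot debugging" but the commands set testsigning; the labels were copied from the BootDebuggingEnabled entry and should read "To disable test signing" / "To enable test signing".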
@@ -662,33 +662,33 @@ Each of these are described in further detail in the following sections, along w
- Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script.
**SafeMode**
-Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
+Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-If SafeMode = 0 (False), then allow access.
+If SafeMode = 0 (False), then allow access.
-If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
+If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**WinPE**
-Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
+Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-If WinPE = 0 (False), then allow access.
+If WinPE = 0 (False), then allow access.
-If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
+If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
**ELAMDriverLoaded** (Windows Defender)
-To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
+To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.
+In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.
-If a device is expected to use a 3rd party antivirus program, ignore the reported state.
+If a device is expected to use a 3rd party antivirus program, ignore the reported state.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
- Disallow all access
- Disallow access to HBI assets
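Review bot: "Trigger a corrective action, such as enabling test signing" at the top of this hunk is inverted: it is listed as a response to TestSigningEnabled = 1 (True), so the corrective action is disabling test signing (the "testsigning off" command in the preceding hunk). Under ELAMDriverLoaded, "To use this reporting feature you must disable "Hybrid Resume" on the device" is a prerequisite placed before ELAM has been introduced; move it after the ELAM explanation, or set it off as a note, so the entry opens with what the attribute measures.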
@@ -696,61 +696,61 @@ Each of these are described in further detail in the following sections, along w
**Bcdedit.exe /set {current} vsmlaunchtype auto**
-If ELAMDriverLoaded = 1 (True), then allow access.
+If ELAMDriverLoaded = 1 (True), then allow access.
-If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
+If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue.
**VSMEnabled**
-Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.
+Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.
-VSM can be enabled by using the following command in WMI or a PowerShell script:
+VSM can be enabled by using the following command in WMI or a PowerShell script:
-bcdedit.exe /set {current} vsmlaunchtype auto
+bcdedit.exe /set {current} vsmlaunchtype auto
-If VSMEnabled = 1 (True), then allow access.
-If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If VSMEnabled = 1 (True), then allow access.
+If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Disallow access to HBI assets
- Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue
**PCRHashAlgorithmID**
-This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
+This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
**BootAppSVN**
-This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
+This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
-If reported BootAppSVN equals an accepted value, then allow access.
+If reported BootAppSVN equals an accepted value, then allow access.
- If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+ If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**BootManagerSVN**
-This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
+This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-If reported BootManagerSVN equals an accepted value, then allow access.
+If reported BootManagerSVN equals an accepted value, then allow access.
-If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**TPMVersion**
-This attribute identifies the version of the TPM that is running on the attested device.
-TPMVersion node provides to replies "1" and "2":
+This attribute identifies the version of the TPM that is running on the attested device.
+TPMVersion node provides to replies "1" and "2":
- 1 means TPM specification version 1.2
- 2 means TPM specification version 2.0
-Based on the reply you receive from TPMVersion node:
+Based on the reply you receive from TPMVersion node:
- If reported TPMVersion equals an accepted value, then allow access.
- If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
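Review bot: the re-emitted line `TPMVersion node provides to replies "1" and "2":` keeps a wording error that should be fixed while the line is being rewritten anyway (`provides two replies "1" and "2":`). In the same hunk the added `If reported BootAppSVN does not equal an accepted value, ...` line keeps a leading space that its sibling `If reported BootAppSVN equals an accepted value, then allow access.` does not have; since this pass is normalizing whitespace, drop the leading space so the two paragraph lines are indented the same way.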
@@ -758,63 +758,63 @@ Each of these are described in further detail in the following sections, along w
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**PCR0**
-The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
+The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
+Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
-If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
+If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
-If PCR[0] equals an accepted allow list value, then allow access.
+If PCR[0] equals an accepted allow list value, then allow access.
-If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
+If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**SBCPHash**
-SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
+SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
+ If SBCPHash is not present, or is an accepted allow-listed value, then allow access.
- If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
+If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
**CIPolicy**
-This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
+This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
-If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
+If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Place the device in a watch list to monitor the device more closely for potential risks.
**BootRevListInfo**
-This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
+This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-If reported BootRevListInfo version equals an accepted value, then allow access.
+If reported BootRevListInfo version equals an accepted value, then allow access.
-If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**OSRevListInfo**
-This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
+This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-If reported OSRevListInfo version equals an accepted value, then allow access.
+If reported OSRevListInfo version equals an accepted value, then allow access.
-If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access
- Direct the device to an enterprise honeypot, to further monitor the device's activities.
**HealthStatusMismatchFlags**
-HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
+HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
+In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
## **Device HealthAttestation CSP status and error codes**
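Review bot: the two SBCPHash lines swap their indentation instead of normalizing it: the removed `If SBCPHash is not present, or is an accepted allow-listed value, then allow access.` had no leading space and the added copy gains one, while `If SBCPHash is present in DHA-Report, and is not a allow-listed value, ...` loses the leading space it had. The matching CIPolicy lines directly below are not indented, so both SBCPHash lines should be re-added without the leading space. Since these lines are being rewritten, also fix `a allow list` / `a allow-listed value` (PCR0, SBCPHash, CIPolicy paragraphs) to `an allow list` / `an allow-listed value`, and `finger print` to `fingerprint`.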
@@ -825,204 +825,204 @@ Each of these are described in further detail in the following sections, along w
Description |
- 0 |
- HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED |
- This is the initial state for devices that have never participated in a DHA-Session. |
+ 0 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_UNINITIALIZED |
+ This is the initial state for devices that have never participated in a DHA-Session. |
- 1 |
- HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED |
- This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. |
+ 1 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_REQUESTED |
+ This state signifies that MDM client’s Exec call on the node VerifyHealth has been triggered and now the OS is trying to retrieve DHA-EncBlob from DHA-Server. |
- 2 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED |
- This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. |
+ 2 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED |
+ This state signifies that the device failed to retrieve DHA-EncBlob from DHA-Server. |
- 3 |
- HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE |
- This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. |
+ 3 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_COMPLETE |
+ This state signifies that the device has successfully retrieved DHA-EncBlob from the DHA-Server. |
- 4 |
- HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL |
- Deprecated in Windows 10, version 1607. |
+ 4 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_PCR_FAIL |
+ Deprecated in Windows 10, version 1607. |
- 5 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL |
- DHA-CSP failed to get a claim quote. |
+ 5 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_GETQUOTE_FAIL |
+ DHA-CSP failed to get a claim quote. |
- 6 |
- HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY |
- DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. |
+ 6 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_DEVICE_NOT_READY |
+ DHA-CSP failed in opening a handle to Microsoft Platform Crypto Provider. |
- 7 |
- HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL |
- DHA-CSP failed in retrieving Windows AIK |
+ 7 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_WINDOWS_AIK_FAIL |
+ DHA-CSP failed in retrieving Windows AIK |
- 8 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL |
- Deprecated in Windows 10, version 1607. |
+ 8 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FROM_WEB_FAIL |
+ Deprecated in Windows 10, version 1607. |
- 9 |
- HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION |
- Invalid TPM version (TPM version is not 1.2 or 2.0) |
+ 9 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_INVALID_TPM_VERSION |
+ Invalid TPM version (TPM version is not 1.2 or 2.0) |
- 10 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL |
- Nonce was not found in the registry. |
+ 10 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_GETNONCE_FAIL |
+ Nonce was not found in the registry. |
- 11 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL |
- Correlation ID was not found in the registry. |
+ 11 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_GETCORRELATIONID_FAIL |
+ Correlation ID was not found in the registry. |
- 12 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL |
- Deprecated in Windows 10, version 1607. |
+ 12 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_GETCERT_FAIL |
+ Deprecated in Windows 10, version 1607. |
- 13 |
- HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL |
- Deprecated in Windows 10, version 1607. |
+ 13 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_GETCLAIM_FAIL |
+ Deprecated in Windows 10, version 1607. |
- 14 |
- HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL |
- Failure in Encoding functions. (Extremely unlikely scenario) |
+ 14 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_ENCODING_FAIL |
+ Failure in Encoding functions. (Extremely unlikely scenario) |
- 15 |
- HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL |
- Deprecated in Windows 10, version 1607. |
+ 15 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_ENDPOINTOVERRIDE_FAIL |
+ Deprecated in Windows 10, version 1607. |
- 16 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML |
- DHA-CSP failed to load the payload it received from DHA-Service |
+ 16 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_LOAD_XML |
+ DHA-CSP failed to load the payload it received from DHA-Service |
- 17 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML |
- DHA-CSP received a corrupted response from DHA-Service. |
+ 17 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CORRUPT_XML |
+ DHA-CSP received a corrupted response from DHA-Service. |
- 18 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML |
- DHA-CSP received an empty response from DHA-Service. |
+ 18 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_XML |
+ DHA-CSP received an empty response from DHA-Service. |
- 19 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK |
- DHA-CSP failed in decrypting the AES key from the EK challenge. |
+ 19 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_AES_EK |
+ DHA-CSP failed in decrypting the AES key from the EK challenge. |
- 20 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK |
- DHA-CSP failed in decrypting the health cert with the AES key. |
+ 20 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_DECRYPT_CERT_AES_EK |
+ DHA-CSP failed in decrypting the health cert with the AES key. |
- 21 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB |
- DHA-CSP failed in exporting the AIK Public Key. |
+ 21 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EXPORT_AIKPUB |
+ DHA-CSP failed in exporting the AIK Public Key. |
- 22 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY |
- DHA-CSP failed in trying to create a claim with AIK attestation data. |
+ 22 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_CLAIMAUTHORITYONLY |
+ DHA-CSP failed in trying to create a claim with AIK attestation data. |
- 23 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB |
- DHA-CSP failed in appending the AIK Pub to the request blob. |
+ 23 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKPUB |
+ DHA-CSP failed in appending the AIK Pub to the request blob. |
- 24 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT |
- DHA-CSP failed in appending the AIK Cert to the request blob. |
+ 24 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_APPEND_AIKCERT |
+ DHA-CSP failed in appending the AIK Cert to the request blob. |
- 25 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE |
- DHA-CSP failed to obtain a Session handle. |
+ 25 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_INIT_HTTPHANDLE |
+ DHA-CSP failed to obtain a Session handle. |
- 26 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE |
- DHA-CSP failed to connect to the DHA-Service. |
+ 26 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_GETTARGET_HTTPHANDLE |
+ DHA-CSP failed to connect to the DHA-Service. |
- 27 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE |
- DHA-CSP failed to create a HTTP request handle. |
+ 27 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_CREATE_HTTPHANDLE |
+ DHA-CSP failed to create a HTTP request handle. |
- 28 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION |
- DHA-CSP failed to set options. |
+ 28 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SET_INTERNETOPTION |
+ DHA-CSP failed to set options. |
- 29 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS |
- DHA-CSP failed to add request headers. |
+ 29 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ADD_REQUESTHEADERS |
+ DHA-CSP failed to add request headers. |
- 30 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST |
- DHA-CSP failed to send the HTTP request. |
+ 30 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_SEND_REQUEST |
+ DHA-CSP failed to send the HTTP request. |
- 31 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE |
- DHA-CSP failed to receive a response from the DHA-Service. |
+ 31 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_RECEIVE_RESPONSE |
+ DHA-CSP failed to receive a response from the DHA-Service. |
- 32 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS |
- DHA-CSP failed to query headers when trying to get HTTP status code. |
+ 32 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_QUERY_HEADERS |
+ DHA-CSP failed to query headers when trying to get HTTP status code. |
- 33 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE |
- DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. |
+ 33 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_EMPTY_RESPONSE |
+ DHA-CSP received an empty response from DHA-Service even though HTTP status was OK. |
- 34 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE |
- DHA-CSP received an empty response along with a HTTP error code from DHA-Service. |
+ 34 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_MISSING_RESPONSE |
+ DHA-CSP received an empty response along with a HTTP error code from DHA-Service. |
- 35 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER |
- DHA-CSP failed to impersonate user. |
+ 35 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_IMPERSONATE_USER |
+ DHA-CSP failed to impersonate user. |
- 36 |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR |
- DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. |
+ 36 |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_ACQUIRE_PDCNETWORKACTIVATOR |
+ DHA-CSP failed to acquire the PDC activators that are needed for network communication when the device is in Connected standby mode. |
- 0xFFFF |
- HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN |
- DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. |
+ 0xFFFF |
+ HEALTHATTESTATION_CERT_RETRIEVAL_FAILED_UNKNOWN |
+ DHA-CSP failed due to an unknown reason, this error is highly unlikely to occur. |
- 400 |
- Bad_Request_From_Client |
- DHA-CSP has received a bad (malformed) attestation request. |
+ 400 |
+ Bad_Request_From_Client |
+ DHA-CSP has received a bad (malformed) attestation request. |
- 404 |
- Endpoint_Not_Reachable |
- DHA-Service is not reachable by DHA-CSP |
+ 404 |
+ Endpoint_Not_Reachable |
+ DHA-Service is not reachable by DHA-CSP |
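Review bot: this hunk re-emits all 204 lines of the status-code table, so the diff itself does not show that only trailing whitespace changed; please confirm `git diff -w` on this file is empty for the hunk before merging. If any cell is edited anyway, the last two rows (`400` `Bad_Request_From_Client` and `404` `Endpoint_Not_Reachable`) are HTTP-style codes listed alongside the `HEALTHATTESTATION_CERT_RETRIEVAL_*` values with nothing saying so; one sentence separating the two code spaces would stop a reader treating `400` as the next enum value after `0xFFFF`. Minor: `create a HTTP request handle` should read `an HTTP request handle`.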
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 36a979715e..af7934b674 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -27,7 +27,7 @@ The HotSpot configuration service provider is used to configure and enable Inter
The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
-
+
**Enabled**
Required. Specifies whether to enable Internet sharing on the device. The default is false.
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 08a455f462..68633b48af 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.
-
+
MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index 12e50c7af7..f2da07d4e2 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -41,12 +41,12 @@ The Store for Business provides services that enable a management tool to synchr
-Application data |
-The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. |
+Application data |
+The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications. |
-Licensing models |
-Offline vs. Online
+ | Licensing models |
+Offline vs. Online
Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store. |
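Review bot: the added line `+ | Licensing models |` introduces a leading ` | ` that the removed `-Licensing models |` did not have, so this is not a whitespace-only change. The neighbouring row (`Application data |`) starts its first cell at column one, and an extra leading pipe will add an empty cell or shift the row in the rendered table; drop the leading ` | ` or apply the same form to every row. Also, `Offline-licensed application do not require connectivity` should be `Offline-licensed applications do not require connectivity`.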
@@ -59,13 +59,13 @@ The Store for Business provides services that enable a management tool to synchr
The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
-
+
### Online-licensed application distribution
The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application.
-
+
## Integrate with Azure Active Directory
@@ -105,7 +105,7 @@ After registering your management tool with Azure AD, the management tool can ca
The diagram below shows the call patterns for acquiring a new or updated application.
-
+
**Here is the list of available operations**:
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index d1e7b033f2..6dbe747d92 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -25,7 +25,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l
You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
-
+
### Connect your device to an Active Directory domain (join a domain)
@@ -40,15 +40,15 @@ Joining your device to an Active Directory domain during the out-of-box-experien
1. On the **Who Owns this PC?** page, select **My work or school owns it**.
- 
+ 
2. Next, select **Join a domain**.
- 
+ 
3. You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
- 
+ 
### Use the Settings app
@@ -56,27 +56,27 @@ To create a local account and connect the device:
1. Launch the Settings app.
- 
+ 
2. Next, select **Accounts**.
- 
+ 
3. Navigate to **Access work or school**.
- 
+ 
4. Select **Connect**.
- 
+ 
5. Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
- 
+ 
6. Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
- 
+ 
### Help with connecting to an Active Directory domain
@@ -101,11 +101,11 @@ To join a domain:
1. Select **My work or school owns it**, then select **Next.**
- 
+ 
2. Select **Join Azure AD**, and then select **Next.**
- 
+ 
3. Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services.
@@ -113,7 +113,7 @@ To join a domain:
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain.
- 
+ 
### Use the Settings app
@@ -121,27 +121,27 @@ To create a local account and connect the device:
1. Launch the Settings app.
- 
+ 
2. Next, navigate to **Accounts**.
- 
+ 
3. Navigate to **Access work or school**.
- 
+ 
4. Select **Connect**.
- 
+ 
5. Under **Alternate Actions**, selct **Join this device to Azure Active Directory**.
- 
+ 
6. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
- 
+ 
7. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
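Review bot: the step `Under **Alternate Actions**, selct **Join this device to Azure Active Directory**` has a typo (`selct` should be `select`) on a context line right next to the image lines this hunk touches; fix it in the same pass rather than leaving it behind a whitespace-only cleanup.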
@@ -151,7 +151,7 @@ To create a local account and connect the device:
After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username.
- 
+ 
### Help with connecting to an Azure AD domain
@@ -183,19 +183,19 @@ To create a local account and connect the device:
1. Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
- 
+ 
2. Navigate to **Access work or school**.
- 
+ 
3. Select **Connect**.
- 
+ 
4. Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
- 
+ 
5. If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
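Review bot: two context lines in this hunk carry text errors the whitespace pass leaves in place. `Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.` is a garbled navigation path (the `**Accounts** >` prefix duplicates the end of the path; the other sections on the page use `**Start** > **Settings** > **Accounts**`), and `and can enter your password directly into the page` is missing the subject (`and you can enter your password directly into the page`).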
@@ -205,11 +205,11 @@ To create a local account and connect the device:
Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
- 
+ 
6. After you complete the flow, your Microsoft account will be connected to your work or school account.
- 
+ 
### Connect to MDM on a desktop (enrolling in device management)
@@ -221,29 +221,29 @@ To create a local account and connect the device:
1. Launch the Settings app.
- 
+ 
2. Next, navigate to **Accounts**.
- 
+ 
3. Navigate to **Access work or school**.
- 
+ 
4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
- 
+ 
5. Type in your work email address.
- 
+ 
6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
- 
+ 
After you complete the flow, your device will be connected to your organization’s MDM.
@@ -300,7 +300,7 @@ To connect your devices to MDM using deep links:
- IT admins can add this link to a welcome email that users can select to enroll into MDM.
- 
+ 
- IT admins can also add this link to an internal web page that users refer to enrollment instructions.
@@ -308,20 +308,20 @@ To connect your devices to MDM using deep links:
Type in your work email address.
- 
+ 
3. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
After you complete the flow, your device will be connected to your organization's MDM.
- 
+ 
## Manage connections
To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
-
+
### Info
@@ -335,7 +335,7 @@ Selecting the **Info** button will open a new page in the Settings app that prov
Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
-
+
> [!NOTE]
> Starting in Windows 10, version 1709, the **Manage** button is no longer available.
@@ -357,7 +357,7 @@ You can collect diagnostic logs around your work connections by going to **Setti
Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here.
-
+
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index e9383e871f..69893ff362 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -17,40 +17,40 @@ The Messaging configuration service provider is used to configure the ability to
The following diagram shows the Messaging configuration service provider in tree format.
-
+
**./User/Vendor/MSFT/Messaging**
-Root node for the Messaging configuration service provider.
+Root node for the Messaging configuration service provider.
**AuditingLevel**
-Turns on the "Text" auditing feature.
-The following list shows the supported values:
+Turns on the "Text" auditing feature.
+The following list shows the supported values:
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**Auditing**
-Node for auditing.
-Supported operation is Get.
+Node for auditing.
+Supported operation is Get.
**Messages**
-Node for messages.
-Supported operation is Get.
+Node for messages.
+Supported operation is Get.
**Count**
-The number of messages to return in the Data setting. The default is 100.
-Supported operations are Get and Replace.
+The number of messages to return in the Data setting. The default is 100.
+Supported operations are Get and Replace.
**RevisionId**
-Retrieves messages whose revision ID is greater than RevisionId.
-Supported operations are Get and Replace.
+Retrieves messages whose revision ID is greater than RevisionId.
+Supported operations are Get and Replace.
**Data**
-The JSON string of text messages on the device.
-Supported operations are Get and Replace.
+The JSON string of text messages on the device.
+Supported operations are Get and Replace.
**SyncML example**
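Review bot: the re-emitted `AuditingLevel` text ends with `The following list shows the supported values:` but no values appear anywhere in the hunk before `Supported operations are Get and Replace.`; either the value list survives as unchanged lines the diff does not show, or it has been lost. Please check the rendered page still lists the AuditingLevel values, since a `Replace`-able node with no documented values is not usable from an MDM server.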
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 32f9b5ee66..ceacdde6dd 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -68,7 +68,7 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** > **Administrative Templates** > **Windows Components** > **MDM** > **Disable MDM Enrollment**.
-
+
Here is the corresponding registry key:
@@ -140,53 +140,53 @@ The enrollment server can decline enrollment messages using the SOAP Fault forma
-s: |
-MessageFormat |
-MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
-Message format is bad |
-80180001 |
+s: |
+MessageFormat |
+MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR |
+Message format is bad |
+80180001 |
-s: |
-Authentication |
-MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
-User not recognized |
-80180002 |
+s: |
+Authentication |
+MENROLL_E_DEVICE_AUTHENTICATION_ERROR |
+User not recognized |
+80180002 |
-s: |
-Authorization |
-MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
-User not allowed to enroll |
-80180003 |
+s: |
+Authorization |
+MENROLL_E_DEVICE_AUTHORIZATION_ERROR |
+User not allowed to enroll |
+80180003 |
-s: |
-CertificateRequest |
-MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR |
-Failed to get certificate |
-80180004 |
+s: |
+CertificateRequest |
+MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR |
+Failed to get certificate |
+80180004 |
-s: |
-EnrollmentServer |
-MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
- |
-80180005 |
+s: |
+EnrollmentServer |
+MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |
+ |
+80180005 |
-a: |
-InternalServiceFault |
-MENROLL_E_DEVICE_INTERNALSERVICE_ERROR |
-The server hit an unexpected issue |
-80180006 |
+a: |
+InternalServiceFault |
+MENROLL_E_DEVICE_INTERNALSERVICE_ERROR |
+The server hit an unexpected issue |
+80180006 |
-a: |
-InvalidSecurity |
-MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
-Cannot parse the security header |
-80180007 |
+a: |
+InvalidSecurity |
+MENROLL_E_DEVICE_INVALIDSECURITY_ERROR |
+Cannot parse the security header |
+80180007 |
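Review bot: `MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR` in the CertificateRequest row is missing the second `I` of CERTIFICATE; since the hunk rewrites that line anyway, verify the spelling against the actual error constant and correct it only if the misspelling is confined to the docs (if that is the real identifier, keep it, because readers will search for it verbatim). The EnrollmentServer row also has an empty description cell (the bare ` |` between `MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR |` and `80180005 |`); a one-line description would complete the table.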
@@ -240,46 +240,46 @@ In Windows 10, version 1507, we added the deviceenrollmentserviceerror element.
-DeviceCapReached |
-MENROLL_E_DEVICECAPREACHED |
-User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help. |
-80180013 |
+DeviceCapReached |
+MENROLL_E_DEVICECAPREACHED |
+User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help. |
+80180013 |
-DeviceNotSupported |
-MENROLL_E_DEVICENOTSUPPORTED |
-Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device. |
-80180014 |
+DeviceNotSupported |
+MENROLL_E_DEVICENOTSUPPORTED |
+Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device. |
+80180014 |
-NotSupported |
-MENROLL_E_NOTSUPPORTED |
-Mobile device management generally not supported (would save an admin call) |
-80180015 |
+NotSupported |
+MENROLL_E_NOTSUPPORTED |
+Mobile device management generally not supported (would save an admin call) |
+80180015 |
-NotEligibleToRenew |
-MENROLL_E_NOTELIGIBLETORENEW |
-Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling. |
-80180016 |
+NotEligibleToRenew |
+MENROLL_E_NOTELIGIBLETORENEW |
+Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling. |
+80180016 |
-InMaintenance |
-MENROLL_E_INMAINTENANCE |
-Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved. |
-80180017 |
+InMaintenance |
+MENROLL_E_INMAINTENANCE |
+Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved. |
+80180017 |
-UserLicense |
-MENROLL_E_USERLICENSE |
-License of user is in bad state and blocking the enrollment. The user needs to call the admin. |
-80180018 |
+UserLicense |
+MENROLL_E_USERLICENSE |
+License of user is in bad state and blocking the enrollment. The user needs to call the admin. |
+80180018 |
-InvalidEnrollmentData |
-MENROLL_E_ENROLLMENTDATAINVALID |
-The server rejected the enrollment data. The server may not be configured correctly. |
-80180019 |
+InvalidEnrollmentData |
+MENROLL_E_ENROLLMENTDATAINVALID |
+The server rejected the enrollment data. The server may not be configured correctly. |
+80180019 |
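Review bot: `Client might show notification for this if Robo fails.` in the NotEligibleToRenew row uses the unexplained term `Robo`; spell out what it refers to (presumably the automatic certificate renewal, but that is my assumption) or drop the sentence, since the hunk already touches the line. The DeviceNotSupported and NotSupported descriptions (`There is no point retrying or calling admin.`, `would save an admin call`) read like internal triage notes rather than customer documentation; consider rewording them in the same pass.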
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 1b5f5ecdd4..0b715c1a53 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -27,11 +27,11 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
-
+
The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
-
+
**NAPAUTHINFO**
Defines a group of authentication settings.
diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md
index f0fadc3fe5..19462512ee 100644
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@@ -45,79 +45,79 @@ NetworkQoSPolicy
--------DSCPAction
```
**NetworkQoSPolicy**
-The root node for the NetworkQoSPolicy configuration service provider.
+The root node for the NetworkQoSPolicy configuration service provider.
**Version**
-Specifies the version information.
+ Specifies the version information.
- The data type is int.
+ The data type is int.
- The only supported operation is Get.
+ The only supported operation is Get.
***Name***
- Node for the QoS policy name.
+ Node for the QoS policy name.
***Name*/IPProtocolMatchCondition**
- Specifies the IP protocol used to match the network traffic.
+ Specifies the IP protocol used to match the network traffic.
- Valid values are:
+ Valid values are:
- 0 (default) - Both TCP and UDP
- 1 - TCP
- 2 - UDP
- The data type is int.
+ The data type is int.
- The supported operations are Add, Get, Delete, and Replace.
+ The supported operations are Add, Get, Delete, and Replace.
***Name*/AppPathNameMatchCondition**
- Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe.
+ Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe.
- The data type is char.
+ The data type is char.
- The supported operations are Add, Get, Delete, and Replace.
+ The supported operations are Add, Get, Delete, and Replace.
***Name*/SourcePortMatchCondition**
- Specifies a single port or a range of ports to be used to match the network traffic source.
+ Specifies a single port or a range of ports to be used to match the network traffic source.
- Valid values are:
+ Valid values are:
- A range of source ports: _[first port number]_-_[last port number]_
- A single source port: _[port number]_
- The data type is char.
+ The data type is char.
- The supported operations are Add, Get, Delete, and Replace.
+ The supported operations are Add, Get, Delete, and Replace.
***Name*/DestinationPortMatchCondition**
- Specifies a single source port or a range of ports to be used to match the network traffic destination.
+ Specifies a single source port or a range of ports to be used to match the network traffic destination.
- Valid values are:
+ Valid values are:
- A range of destination ports: _[first port number]_-_[last port number]_
- A single destination port: _[port number]_
- The data type is char.
+ The data type is char.
- The supported operations are Add, Get, Delete, and Replace.
+ The supported operations are Add, Get, Delete, and Replace.
***Name*/PriorityValue8021Action**
- Specifies the IEEE 802.1p priority value to apply to matching network traffic.
+ Specifies the IEEE 802.1p priority value to apply to matching network traffic.
- Valid values are 0-7.
+ Valid values are 0-7.
- The data type is int.
+ The data type is int.
- The supported operations are Add, Get, Delete, and Replace.
+ The supported operations are Add, Get, Delete, and Replace.
***Name*/DSCPAction**
- The differentiated services code point (DSCP) value to apply to matching network traffic.
+ The differentiated services code point (DSCP) value to apply to matching network traffic.
- Valid values are 0-63.
+ Valid values are 0-63.
- The data type is int.
+ The data type is int.
- The supported operations are Add, Get, Delete, and Replace.
+ The supported operations are Add, Get, Delete, and Replace.
## Related topics
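Review bot: the DestinationPortMatchCondition description (`+ Specifies a single source port or a range of ports to be used to match the network traffic destination.`) says "source port" for a destination match; it should read "a single port or a range of ports", mirroring the SourcePortMatchCondition wording. Separately, the added lines in this hunk now start with a leading space (`+ The data type is int.`) while the root-node line in the same hunk does not (`+The root node for the NetworkQoSPolicy configuration service provider.`); pick one form so the file stays consistent.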
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index ce79fdb702..272489e4a8 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -240,7 +240,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windo
The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine.
-
+
### MDM enrollment fails on the mobile device when traffic is going through proxy
@@ -439,7 +439,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
1. Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article.
2. In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
- 
+ 
> [!NOTE]
> For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -447,10 +447,10 @@ Alternatively you can use the following procedure to create an EAP Configuration
3. Click the **Properties** button underneath the drop down menu.
4. In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
- 
+ 
5. In the **Configure Certificate Selection** menu, adjust the filters as needed.
- 
+ 
6. Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
7. Close the rasphone dialog box.
8. Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering.
@@ -492,7 +492,7 @@ No. Only one MDM is allowed.
4. Click **Configure**.
5. Set quota to unlimited.
- 
+ 
### **What is dmwappushsvc?**
diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md
index 40757af748..5e8ad6957f 100644
--- a/windows/client-management/mdm/oma-dm-protocol-support.md
+++ b/windows/client-management/mdm/oma-dm-protocol-support.md
@@ -48,8 +48,8 @@ The following table shows the OMA DM standards that Windows uses.
-Data transport and session |
-
+Data transport and session |
+
Client-initiated remote HTTPS DM session over SSL.
Remote HTTPS DM session over SSL.
Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
@@ -57,14 +57,14 @@ The following table shows the OMA DM standards that Windows uses.
|
|
-Bootstrap XML |
- |
-DM protocol commands |
-The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
+ | DM protocol commands |
+The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
Add (Implicit Add supported)
Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
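Review bot: the `Bootstrap XML` row (`-Bootstrap XML |` and its `- |` cell) is removed with no added counterpart, while `+ | DM protocol commands |` gains a leading cell delimiter. If the intent was only a whitespace fix on the DM protocol commands row, the Bootstrap XML row appears to have been lost; confirm it still exists in the rendered table, or restore it with a `+` line.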
@@ -95,16 +95,16 @@ The following table shows the OMA DM standards that Windows uses.
Meta XML tag in SyncHdr is ignored by the device. |
-OMA DM standard objects |
- |
-Security |
-
+Security |
+
Authenticate DM server initiation notification SMS message (not used by enterprise management)
Application layer Basic and MD5 client authentication
Authenticate server with MD5 credential at application level
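Review bot: the `OMA DM standard objects` row (`-OMA DM standard objects |` and `- |`) is deleted here with no replacement, the same pattern as the Bootstrap XML row earlier in this file; confirm the deletion is intended and not a side effect of the whitespace cleanup. If the row is meant to stay, it needs a matching `+` line.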
@@ -113,8 +113,8 @@ The following table shows the OMA DM standards that Windows uses.
|
|
-Nodes |
-In the OMA DM tree, the following rules apply for the node name:
+ | Nodes |
+In the OMA DM tree, the following rules apply for the node name:
|
-Provisioning Files |
-Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
+ | Provisioning Files |
+Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
NoteTo represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
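Review bot: `+ | Nodes |` and `+ | Provisioning Files |` gain a leading ` | ` that the other row headings in this table do not have (`+Security |` in the previous hunk, `+WBXML support |` in the next); make the row format consistent. In the unchanged context, `NoteTo represent a Unicode string as a URI` has lost the separation between `Note` and `To`; worth fixing in the same pass.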
@@ -133,12 +133,12 @@ The following table shows the OMA DM standards that Windows uses.
|
-WBXML support |
-Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification. |
+WBXML support |
+Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification. |
-Handling of large objects |
-In Windows 10, version 1511, client support for uploading large objects to the server was added. |
+Handling of large objects |
+In Windows 10, version 1511, client support for uploading large objects to the server was added. |
@@ -162,52 +162,52 @@ Common elements are used by other OMA DM element types. The following table list
-Chal |
-Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message. |
+Chal |
+Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message. |
-Cmd |
-Specifies the name of an OMA DM command referenced in a Status element. |
+Cmd |
+Specifies the name of an OMA DM command referenced in a Status element. |
-CmdID |
-Specifies the unique identifier for an OMA DM command. |
+CmdID |
+Specifies the unique identifier for an OMA DM command. |
-CmdRef |
-Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message. |
+CmdRef |
+Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message. |
-Cred |
-Specifies the authentication credential for the originator of the message. |
+Cred |
+Specifies the authentication credential for the originator of the message. |
-Final |
-Indicates that the current message is the last message in the package. |
+Final |
+Indicates that the current message is the last message in the package. |
-LocName |
-Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication. |
+LocName |
+Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication. |
-LocURI |
-Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard. |
+LocURI |
+Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard. |
-MsgID |
-Specifies a unique identifier for an OMA DM session message. |
+MsgID |
+Specifies a unique identifier for an OMA DM session message. |
-MsgRef |
-Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element. |
+MsgRef |
+Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element. |
-RespURI |
-Specifies the URI that the recipient must use when sending a response to this message. |
+RespURI |
+Specifies the URI that the recipient must use when sending a response to this message. |
-SessionID |
-Specifies the identifier of the OMA DM session associated with the containing message.
+ | SessionID |
+Specifies the identifier of the OMA DM session associated with the containing message.
Note If the server does not notify the device that it supports a new version (through SyncApplicationVersion node in the DMClient CSP), the desktop client returns the SessionID in integer in decimal format and the mobile device client returns 2 bytes as a string. If the server supports DM session sync version 2.0, which is used in Windows 10, the desktop and mobile device client returns 2 bytes.
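Review bot: within this one hunk every row is added as `+Chal |`, `+Cmd |`, `+CmdID |` and so on, except `+ | SessionID |`, which gets a leading ` | `; that will render the SessionID row differently from the rest of the common-elements table, so use the same form for all rows. The context line `returns the SessionID in integer in decimal format` should read "as an integer in decimal format".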
@@ -216,28 +216,28 @@ Common elements are used by other OMA DM element types. The following table list
|
-Source |
-Specifies the message source address. |
+Source |
+Specifies the message source address. |
-SourceRef |
-Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element. |
+SourceRef |
+Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element. |
-Target |
-Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command. |
+Target |
+Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command. |
-TargetRef |
-Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element. |
+TargetRef |
+Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element. |
-VerDTD |
-Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message. |
+VerDTD |
+Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message. |
-VerProto |
-Specifies the major and minor version identifier of the OMA DM protocol specification used with the message. |
+VerProto |
+Specifies the major and minor version identifier of the OMA DM protocol specification used with the message. |
@@ -272,32 +272,32 @@ The following table shows the sequence of events during a typical DM session.
-1 |
-DM client is invoked to call back to the management server
+ | 1 |
+DM client is invoked to call back to the management server
Enterprise scenario – The device task schedule invokes the DM client. |
-The MO server sends a server trigger message to invoke the DM client.
+ | The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS. |
-2 |
-The device sends a message, over an IP connection, to initiate the session. |
-This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. |
+2 |
+The device sends a message, over an IP connection, to initiate the session. |
+This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level. |
-3 |
-The DM server responds, over an IP connection (HTTPS). |
-The server sends initial device management commands, if any. |
+3 |
+The DM server responds, over an IP connection (HTTPS). |
+The server sends initial device management commands, if any. |
-4 |
-The device responds to server management commands. |
-This message includes the results of performing the specified device management operations. |
+4 |
+The device responds to server management commands. |
+This message includes the results of performing the specified device management operations. |
-5 |
-The DM server terminates the session or sends another command. |
-The DM session ends, or Step 4 is repeated. |
+5 |
+The DM server terminates the session or sends another command. |
+The DM session ends, or Step 4 is repeated. |
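Review bot: `+ | 1 |` and `+ | The MO server sends a server trigger message to invoke the DM client.` use a leading ` | ` while `+2 |`, `+3 |`, `+4 |` and `+5 |` in the same hunk do not; align the first row with the others. Also `Enterprise scenario –` (row 1) and `Enterprise scenario -` two lines later use an en dash and a hyphen for the same label; pick one.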
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index c73d5fdc8d..84ff8f5e34 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -23,13 +23,13 @@ The PassportForWork configuration service provider is used to provision Windows
The following diagram shows the PassportForWork configuration service provider in tree format.
-
+
### Device configuration diagram
The following diagram shows the PassportForWork configuration service provider in tree format.
-
+
**PassportForWork**
Root node for PassportForWork configuration service provider.
diff --git a/windows/client-management/mdm/personalization-csp.md b/windows/client-management/mdm/personalization-csp.md
index bf3d84f0f4..7a1a41565d 100644
--- a/windows/client-management/mdm/personalization-csp.md
+++ b/windows/client-management/mdm/personalization-csp.md
@@ -30,14 +30,14 @@ Personalization
----LockScreenImageStatus
```
**./Vendor/MSFT/Personalization**
-Defines the root node for the Personalization configuration service provider.
+Defines the root node for the Personalization configuration service provider.
**DesktopImageUrl**
-Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**DesktopImageStatus**
-Represents the status of the desktop image. Valid values:
+Represents the status of the desktop image. Valid values:
- 1 - Successfully downloaded or copied.
- 2 - Download or copy in progress.
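Review bot: `This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.` is missing its conjunction; since the line is being rewritten, make it "an http or https URL to a remote image to be downloaded, or a file URL to a local image", and apply the same fix to the identical LockScreenImageUrl sentence in the next hunk. Because the setting explicitly accepts plain `http`, it would also help readers if the description said how a failed or blocked download surfaces (the DesktopImageStatus values below cover part of this).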
@@ -47,18 +47,18 @@ Personalization
- 6 - Max retry failed.
- 7 - Blocked, SKU not allowed
-Supporter operation is Get.
+Supporter operation is Get.
> [!Note]
> This setting is only used to query status. To set the image, use the DesktopImageUrl setting.
**LockScreenImageUrl**
-Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**LockScreenImageStatus**
-Represents the status of the lock screen image. Valid values:
+Represents the status of the lock screen image. Valid values:
- 1 - Successfully downloaded or copied.
- 2 - Download or copy in progress.
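Review bot: `+Supporter operation is Get.` should be `Supported operation is Get.`; the typo is carried over unchanged from the `-` line, and this hunk is the place to fix it.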
@@ -68,7 +68,7 @@ Personalization
- 6 - Max retry failed.
- 7 - Blocked, SKU not allowed
-Supporter operation is Get.
+Supporter operation is Get.
> [!Note]
> This setting is only used to query status. To set the image, use the LockScreenImageUrl setting.
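Review bot: same typo as in the DesktopImageStatus hunk: `+Supporter operation is Get.` should read `Supported operation is Get.`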
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index ddeb61f84a..a03f3f09f7 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -44,28 +44,28 @@ The Policy configuration service provider has the following sub-categories:
The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
-
+
**./Vendor/MSFT/Policy**
-The root node for the Policy configuration service provider.
+ The root node for the Policy configuration service provider.
- Supported operation is Get.
+ Supported operation is Get.
**Policy/Config**
- Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
+ Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value.
- Supported operation is Get.
+ Supported operation is Get.
**Policy/Config/_AreaName_**
- The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
+ The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value.
- Supported operations are Add, Get, and Delete.
+ Supported operations are Add, Get, and Delete.
**Policy/Config/_AreaName/PolicyName_**
- Specifies the name/value pair used in the policy.
+ Specifies the name/value pair used in the policy.
- The following list shows some tips to help you when configuring policies:
+ The following list shows some tips to help you when configuring policies:
- Separate substring values by the Unicode &\#xF000; in the XML file.
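Review bot: the Policy/Config description says the configuration source "can use this path to set policy values", but the next line states `Supported operation is Get.`; clarify that values are set on the child nodes under it (the `Policy/Config/_AreaName/PolicyName_` entries this hunk goes on to describe) and that `Policy/Config` itself is read-only, so the two lines do not contradict each other.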
@@ -77,59 +77,59 @@ The following diagram shows the Policy configuration service provider in tree fo
- Value type is string.
**Policy/Result**
- Groups the evaluated policies from all providers that can be configured.
+ Groups the evaluated policies from all providers that can be configured.
- Supported operation is Get.
+ Supported operation is Get.
**Policy/Result/_AreaName_**
- The area group that can be configured by a single technology independent of the providers.
+ The area group that can be configured by a single technology independent of the providers.
- Supported operation is Get.
+ Supported operation is Get.
**Policy/Result/_AreaName/PolicyName_**
- Specifies the name/value pair used in the policy.
+ Specifies the name/value pair used in the policy.
- Supported operation is Get.
+ Supported operation is Get.
**Policy/ConfigOperations**
- Added in Windows 10, version 1703. The root node for grouping different configuration operations.
+ Added in Windows 10, version 1703. The root node for grouping different configuration operations.
- Supported operations are Add, Get, and Delete.
+ Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall**
- Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall . Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
+ Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall . Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
- ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName} .
+ ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName} .
- Supported operations are Add, Get, and Delete.
+ Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall/_AppName_**
- Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
+ Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file.
- Supported operations are Add, Get, and Delete.
+ Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy**
- Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
+ Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported.
- Supported operations are Add, Get, and Delete.
+ Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_**
- Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
+ Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import.
- Supported operations are Add and Get. Does not support Delete.
+ Supported operations are Add and Get. Does not support Delete.
**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference**
- Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
+ Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported.
- Supported operations are Add, Get, and Delete.
+ Supported operations are Add, Get, and Delete.
**Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_**
- Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
+ Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import.
- Supported operations are Add and Get. Does not support Delete.
+ Supported operations are Add and Get. Does not support Delete.
## Policies
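Review bot: every `-`/`+` pair in this hunk is textually identical, so the change is whitespace only; please confirm that no trailing double-space hard line breaks were stripped, because in Markdown that would merge a description line with the "Supported operations are ..." line that follows it. While the ADMXInstall text is being touched, the sentence "Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file" is the part admins most need to notice; consider stating explicitly that a Delete on `./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}` reverts every policy the ingested ADMX had applied, so a reader does not assume the settings persist after the file is removed.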
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 9d7aa06011..013edacaec 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -549,7 +549,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
```
You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
-:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image":::
+:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image.":::
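Review bot: the alt text still reads "This is a edit row image." after the edit; since the line is being changed anyway, fix the article ("an edit row") and make the text describe what the screenshot shows (the custom-profile row being edited in Intune) rather than describing the image itself, which is what screen readers need.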
@@ -743,7 +743,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
You can also block installation by using a custom profile in Intune.
-
+
@@ -863,7 +863,7 @@ You can also block installation and usage of prohibited peripherals by using a c
For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed.
-
+
@@ -977,7 +977,7 @@ You can also block installation and usage of prohibited peripherals by using a c
For example, this custom profile prevents installation of devices with matching device instance IDs.
-
+
To prevent installation of devices with matching device instance IDs by using custom profile in Intune:
1. Locate the device instance ID.
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index b394ffb753..3df3e81293 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -761,7 +761,7 @@ PIN enforces the following behavior for desktop and mobile devices:
The default value is 1. The following list shows the supported values and actual enforced values:
-
+
@@ -777,24 +777,24 @@ The default value is 1. The following list shows the supported values and actual
-Mobile |
-1,2,3,4 |
-Same as the value set |
+Mobile |
+1,2,3,4 |
+Same as the value set |
-Desktop Local Accounts |
- 1,2,3 |
-3 |
+Desktop Local Accounts |
+ 1,2,3 |
+3 |
-Desktop Microsoft Accounts |
-1,2 |
-<p2 |
+Desktop Microsoft Accounts |
+1,2 |
+<p2 |
-Desktop Domain Accounts |
-Not supported |
-Not supported |
+Desktop Domain Accounts |
+Not supported |
+Not supported |
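Review bot: the "Desktop Microsoft Accounts" row is rewritten but keeps the cell `<p2 |`, which looks like a leftover markup fragment (`<p`) in front of the enforced value rather than an intended value; since the row is being touched, replace it with the actual enforced value and confirm it against the behaviour the hunk header describes ("PIN enforces the following behavior for desktop and mobile devices"). The remaining `-`/`+` pairs in this hunk are identical, so the rest of the change is whitespace only.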
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 4a109d3361..7152934f2d 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -177,6 +177,9 @@ The following list shows the supported values:
Allows the user to change Data Sense settings.
+> [!NOTE]
+> The **AllowDataSense** policy is not supported on Windows 10, version 2004 and later.
+
The following list shows the supported values:
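Review bot: the new note says **AllowDataSense** is not supported on Windows 10, version 2004 and later, but the "supported values" list that immediately follows still presents the policy as configurable; state what happens when an MDM server sets it on 2004 or later (ignored, or returns an error) so admins do not rely on it for data-usage control, and consider placing the note before the policy description rather than between the description and the value list.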
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index b02ba826b4..b033f662cc 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -7,7 +7,7 @@ ms.prod: w10
ms.technology: windows
author: manikadhiman
ms.localizationpriority: medium
-ms.date: 10/14/2020
+ms.date: 08/26/2021
ms.reviewer:
manager: dansimp
---
@@ -62,7 +62,7 @@ manager: dansimp
System/AllowUserToResetPhone
-
- System/AllowWuFBCloudProcessing
+ System/AllowWUfBCloudProcessing
-
System/BootStartDriverInitialization
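Review bot: renaming `AllowWuFBCloudProcessing` to `AllowWUfBCloudProcessing` in the policy list changes the documented node name that MDM servers put into the OMA-URI; confirm that `AllowWUfBCloudProcessing` is the exact casing of the CSP node, and search the repo for the old spelling (including in links and ADMX mapping tables) so the two spellings do not coexist. The two `-` blank lines removed around the entry also change list spacing; check the rendered list still separates the entries as the neighbouring ones are.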
@@ -747,7 +747,7 @@ The following list shows the supported values for Windows 8.1:
- 1 – Allowed, except for Secondary Data Requests.
- 2 (default) – Allowed.
-
@@ -790,7 +790,7 @@ The following list shows the supported values for Windows 10 version 1809 and ol
Most restrictive value is 0.
-
@@ -964,7 +964,7 @@ The following list shows the supported values:
-**System/AllowWuFBCloudProcessing**
+**System/AllowWUfBCloudProcessing**
@@ -985,6 +985,15 @@ If you disable or do not configure this policy setting, devices enrolled to the
+
+
+The following list shows the supported values:
+
+- 0 - Disabled.
+- 8 - Enabled.
+
+
+
**System/BootStartDriverInitialization**
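Review bot: the new supported-values list gives `0 - Disabled.` and `8 - Enabled.`; an enabled value of 8 is unusual for a policy whose other entries use 0/1, so please confirm 8 is the value the CSP actually accepts, say whether any other values are valid or rejected, and state the default so the list matches the "If you disable or do not configure this policy setting" sentence in the hunk header. The six blank `+` lines around the list can be trimmed to the single blank line the other policy sections use.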
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md
index 1813782b4c..1fe9517d3d 100644
--- a/windows/client-management/mdm/policy-csp-update.md
+++ b/windows/client-management/mdm/policy-csp-update.md
@@ -1747,7 +1747,7 @@ Other/cannot defer:
Any update category not specifically enumerated above falls into this category.
- Definition Update - E0789628-CE08-4437-BE74-2495B842F43B
-
-
+
3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu.
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index bb6d70d870..0d091fe1bb 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -41,7 +41,7 @@ The diagram below illustrates how UE-V components work together to synchronize u
| **Component** | **Function** |
@@ -65,7 +65,7 @@ Use these UE-V components to create and manage custom templates for your third-p
-->
-
+
## Settings synchronized by default
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index bfc7cfa6f3..08853f5b22 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -44,7 +44,7 @@ If you want to use UE-V to synchronize user-defined settings for custom applicat
The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make.
-
+
Update & Security --> Windows Update**.
- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index f822925011..e56e7a3b5b 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -93,11 +93,11 @@ Once the device is in the pending restart state, it will attempt to restart the
Notification users get for a quality update deadline:
-
+
Notification users get for a feature update deadline:
-
+
### Deadline with user engagement
@@ -130,17 +130,17 @@ Before the deadline the device will be in two states: auto-restart period and en
Notification users get for quality update engaged deadline:
-
+
Notification users get for a quality update deadline:
-
+
Notification users get for a feature update engaged deadline:
-
+
Notification users get for a feature update deadline:
-
+
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index 93a5ab27b7..8589495141 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -40,7 +40,7 @@ If you don't need a wave deployment and have a small set of devices to manage, w
|Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled|
## Suggested configuration for a wave deployment
-
+
## Early validation and testing
Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings).
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 5ebee9c364..f7c75013e7 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -116,7 +116,7 @@ Some lines in the text below are shortened to enhance readability. The date and
setuperr.log content:
-
+
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Error Gather failed. Last error: 0x00000000
@@ -129,7 +129,7 @@ Some lines in the text below are shortened to enhance readability. The date and
The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
-
+
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
@@ -139,7 +139,7 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
setupact.log content:
-
+
27:00, Info Gather started at 10/5/2016 23:27:00
27:00, Info [0x080489] MIG Setting system object filter context (System)
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
@@ -164,7 +164,7 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
setupapi.dev.log content:
-
+
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F]
>>> Section start 2019/09/26 20:13:01.623
cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index e044463423..d9c4e34fd7 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -39,7 +39,6 @@ The Microsoft Virtual Agent provided by [Microsoft Support](https://support.micr
- Check the system drive for errors and attempt repairs. More information.
- Run the Windows Update troubleshooter. More information.
- Attempt to restore and repair system files. More information.
-- Check for unsigned drivers and update or repair them. More information.
- Update Windows so that all available recommended updates are installed, and ensure the computer is rebooted if this is necessary to complete installation of an update. More information.
- Temporarily uninstall non-Microsoft antivirus software.
More information.
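Review bot: this hunk drops "Check for unsigned drivers and update or repair them" from the quick-fix list without a replacement; the remaining bullets still link to their sections with "More information.", so verify the matching section removal in the same file leaves no dangling anchor, and consider keeping a one-line pointer to driver signature verification since the list is the entry point readers scan for causes of a blocked upgrade.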
@@ -156,76 +155,6 @@ To check and repair system files:
> [!NOTE]
> It may take several minutes for the command operations to be completed. For more information, see [Repair a Windows Image](/windows-hardware/manufacture/desktop/repair-a-windows-image) and [Use the System File Checker tool](https://support.microsoft.com/help/929833/use-the-system-file-checker-tool-to-repair-missing-or-corrupted-system).
-
-### Repair unsigned drivers
-
-[Drivers](/windows-hardware/drivers/gettingstarted/what-is-a-driver-) are files ending in *.dll or *.sys that are used to communicate with hardware components. Because drivers are so important, they are cryptographically signed to ensure they are genuine. Drivers with a *.sys extension that are not properly signed frequently block the upgrade process. Drivers might not be properly signed if you:
-- Disabled driver signature verification (highly not recommended).
-- A catalog file used to sign a driver is corrupt or missing.
-
- Catalog files (files with a *.cat extension) are used to sign drivers. If a catalog file is corrupt or missing, the driver will appear to be unsigned, even though it should be signed. To restore the catalog file, reinstall the driver or copy the catalog file from another device. You might need to analyze another device to determine the catalog file that is associated with the unsigned driver. All drivers should be signed to ensure the upgrade process works.
-
-To check your system for unsigned drivers:
-
-1. Click **Start**.
-2. Type **command**.
-3. Right-click **Command Prompt** and then left-click **Run as administrator**.
-4. If you are prompted by UAC, click **Yes**.
-5. Type **sigverif** and press ENTER.
-6. The File Signature Verification tool will open. Click **Start**.
-
- 
-
-7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers.
-8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired.
-9. Locate drivers in the log file that are unsigned, write down the location and file names. Also write down the catalog that is associated to the driver if it is provided. If the name of a catalog file is not provided you might need to analyze another device that has the same driver with sigverif and sigcheck (described below).
-10. The next step is to check that the driver reported as unsigned by sigverif.exe has a problem. In some cases, sigverif.exe might not be successful at locating the catalog file used to sign a driver, even though the catalog file exists. To perform a detailed driver check, download [sigcheck.zip](https://download.sysinternals.com/files/Sigcheck.zip) and extract the tool to a directory on your computer, for example: **C:\sigcheck**.
-
- [Sigcheck](/sysinternals/downloads/sigcheck) is a tool that you can download and use to review digital signature details of a file. To use sigcheck:
-
-11. In the command window, use the **cd** command to switch to the directory where you extracted sigcheck, for example **cd c:\sigcheck**.
-12. Using the list of unsigned drivers and their associated paths that you obtained from the File Signature Verification tool, run sigcheck to obtain details about the driver, including the catalog file used for signing. Type **sigcheck64 -i \** and press ENTER (or sigcheck -i for a 32 bit OS). See the following example:
- ```
- C:\Sigcheck>sigcheck64.exe -i c:\windows\system32\drivers\afd.sys
-
- Sigcheck v2.80 - File version and signature viewer
- Copyright (C) 2004-2020 Mark Russinovich
- Sysinternals - www.sysinternals.com
-
- c:\windows\system32\drivers\afd.sys:
- Verified: Signed
- Signing date: 6:18 PM 11/29/2017
- Signing date: 6:18 PM 11/29/2017
- Catalog: C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat
- Signers:
- Microsoft Windows
- Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.
- Valid Usage: NT5 Crypto, Code Signing
- Cert Issuer: Microsoft Windows Verification PCA
- Serial Number: 33 00 00 00 4B 76 63 2D 24 A2 39 9A 8B 00 01 00 00 00 4B
- Thumbprint: B8037C46D0DB7A8CEE502407469B0EE3234D3365
- Algorithm: sha1RSA
- Valid from: 11:46 AM 3/1/2017
- Valid to: 11:46 AM 5/9/2018
- (output truncated)
- ```
- In the example above, the afd.sys driver is properly signed by the catalog file Package_163_for_KB4054518~31bf3856ad364e35~x86~~6.1.1.2.cat.
-
-
-13. Optionally, you can generate a list of drivers using driverquery.exe, which is included with Windows. To save a list of signed and unsigned drivers with driverquery, type **driverquery /si > c:\drivers.txt** and press ENTER. See the following example:
-
- ```cmd
- C:\>Driverquery /si
-
- DeviceName InfName IsSigned Manufacturer
- ============================== ============= ======== =========================
- Microsoft ISATAP Adapter nettun.inf TRUE Microsoft
- Generic volume shadow copy volsnap.inf TRUE Microsoft
- Generic volume volume.inf TRUE Microsoft
- (truncated)
- ```
- For more information about using driverquery, see [Two Minute Drill: DriverQuery.exe](https://techcommunity.microsoft.com/t5/ask-the-performance-team/two-minute-drill-driverquery-exe/ba-p/374977) and [driverquery](/windows-server/administration/windows-commands/driverquery).
-
### Update Windows
You should ensure that all important updates are installed before attempting to upgrade. This includes updates to hardware drivers on your computer.
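Review bot: removing the whole "Repair unsigned drivers" section deletes the only place in this article that tells readers a disabled driver signature verification or a missing `.cat` catalog file blocks the upgrade, and the sigverif, sigcheck and `driverquery /si` procedures for finding such drivers; the commit message should say why it is being dropped and where readers should look instead. If the motivation is the flawed example output (the sigcheck sample shows `Cert Status: This certificate or one of the certificates in the certificate chain is not time valid.` while the text calls the driver "properly signed", and the `Signing date:` line is duplicated), fixing the example would preserve the guidance. Also search the repo for inbound links to `quick-fixes.md#repair-unsigned-drivers`; the two in resolution-procedures.md are updated in this diff, but any others become broken anchors.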
@@ -268,7 +197,7 @@ To obtain the proper firmware drivers, search for the most updated driver versio
When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example:
-
+
### Verify disk space
@@ -280,13 +209,13 @@ In File Explorer, click on **Computer** or **This PC** on the left, then look un
The amount of space available on the system drive will be displayed under the drive. See the following example:
-
+
In the previous example, there is 703 GB of available free space on the system drive (C:).
To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example:
-
+
For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space).
diff --git a/windows/deployment/upgrade/resolution-procedures.md b/windows/deployment/upgrade/resolution-procedures.md
index 926355e4cc..9752ac670c 100644
--- a/windows/deployment/upgrade/resolution-procedures.md
+++ b/windows/deployment/upgrade/resolution-procedures.md
@@ -36,7 +36,7 @@ A frequently observed [result code](upgrade-error-codes.md#result-codes) is 0xC1
The device install log is particularly helpful if rollback occurs during the sysprep operation (extend code 0x30018).
-To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process. Also check to be sure that your drivers are properly signed. For more information, see [Remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers).
+To resolve a rollback that was caused by driver conflicts, try running setup using a minimal set of drivers and startup programs by performing a [clean boot](https://support.microsoft.com/kb/929135) before initiating the upgrade process.
See the following general troubleshooting procedures associated with a result code of 0xC1900101:
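Review bot: the edit removes both the link and the advice "Also check to be sure that your drivers are properly signed." The link has to go because the target section is deleted in this diff, but the advice itself is still valid for 0xC1900101 driver-conflict rollbacks; suggest keeping the sentence without the link (for example pointing at the File Signature Verification tool, sigverif) so the clean-boot guidance is not the only remaining hint.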
@@ -49,7 +49,7 @@ See the following general troubleshooting procedures associated with a result co
| 0xC1900101 - 0x30018 | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. Contact your hardware vendor to obtain updated device drivers. Ensure that "Download and install updates (recommended)" is accepted at the start of the upgrade process. | A device driver has stopped responding to setup.exe during the upgrade process. |
| 0xC1900101 - 0x3000D | Disconnect all peripheral devices that are connected to the system, except for the mouse, keyboard and display. Update or uninstall the display driver. | Installation failed during the FIRST_BOOT phase while attempting the MIGRATE_DATA operation. This can occur due to a problem with a display driver. |
| 0xC1900101 - 0x4000D | Check supplemental rollback logs for a setupmem.dmp file, or event logs for any unexpected reboots or errors. Review the rollback log and determine the stop code. The rollback log is located in the $Windows.~BT\Sources\Rollback folder. An example analysis is shown below. This example is not representative of all cases: Info SP Crash 0x0000007E detected Info SP Module name : Info SP Bugcheck parameter 1 : 0xFFFFFFFFC0000005 Info SP Bugcheck parameter 2 : 0xFFFFF8015BC0036A Info SP Bugcheck parameter 3 : 0xFFFFD000E5D23728 Info SP Bugcheck parameter 4 : 0xFFFFD000E5D22F40 Info SP Cannot recover the system. Info SP Rollback: Showing splash window with restoring text: Restoring your previous version of Windows. Typically, there is a dump file for the crash to analyze. If you are not equipped to debug the dump, then attempt the following basic troubleshooting procedures: 1. Make sure you have enough disk space. 2. If a driver is identified in the bug check message, disable the driver or check with the manufacturer for driver updates. 3. Try changing video adapters. 4. Check with your hardware vendor for any BIOS updates. 5. Disable BIOS memory options such as caching or shadowing. | A rollback occurred due to a driver configuration issue. Installation failed during the second boot phase while attempting the MIGRATE_DATA operation. This can occur because of incompatible drivers. |
-| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). Ensure that you select the option to "Download and install updates (recommended)." Also be sure to [remove unsigned drivers](quick-fixes.md#repair-unsigned-drivers). Computers that run Citrix VDA You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8. This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back. **Resolution** To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016). You can work around this problem in two ways: **Workaround 1** 1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA. 2. Run the Windows upgrade again. 3. Reinstall Citrix VDA. **Workaround 2** If you cannot uninstall Citrix VDA, follow these steps to work around this problem: 1. In Registry Editor, go to the following subkey: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc** 2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service. 3. Go to the following subkey: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}** 4. 
Delete the **CtxMcsWbc** entry. 5. Restart the computer, and then try the upgrade again. **Non-Microsoft information disclaimer** The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot. This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. |
+| 0xC1900101 - 0x40017 | Clean boot into Windows, and then attempt the upgrade to Windows 10. For more information, see [How to perform a clean boot in Windows](https://support.microsoft.com/kb/929135). Ensure that you select the option to "Download and install updates (recommended)." Computers that run Citrix VDA You may see this message after you upgrade a computer from Windows 10, version 1511 to Windows 10, version 1607. After the second system restart, the system generates this error and then rolls back to the previous version. This problem has also been observed in upgrades to Windows 8.1 and Windows 8. This problem occurs because the computer has Citrix Virtual Delivery Agent (VDA) installed. Citrix VDA installs device drivers and a file system filter driver (CtxMcsWbc). This Citrix filter driver prevents the upgrade from writing changes to the disk, so the upgrade cannot complete and the system rolls back. **Resolution** To resolve this problem, install [Cumulative update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016](https://support.microsoft.com/help/3200970/cumulative-update-for-windows-10-version-1607-and-windows-server-2016). You can work around this problem in two ways: **Workaround 1** 1. Use the VDA setup application (VDAWorkstationSetup_7.11) to uninstall Citrix VDA. 2. Run the Windows upgrade again. 3. Reinstall Citrix VDA. **Workaround 2** If you cannot uninstall Citrix VDA, follow these steps to work around this problem: 1. In Registry Editor, go to the following subkey: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc** 2. Change the value of the **Start** entry from **0** to **4**. This change disables the Citrix MCS cache service. 3. Go to the following subkey: **HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e967-e325-11ce-bfc1-08002be10318}** 4. Delete the **CtxMcsWbc** entry. 5. Restart the computer, and then try the upgrade again. 
**Non-Microsoft information disclaimer** The non-Microsoft products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products. | Windows 10 upgrade failed after the second reboot. This is usually caused by a faulty driver. For example: antivirus filter drivers or encryption drivers. |
## 0x800xxxxx
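Review bot: same concern as the previous hunk, the 0x40017 row loses "Also be sure to remove unsigned drivers" along with the link, although faulty drivers are named as the usual cause in the right-hand column; consider keeping the advice without the link. In Workaround 2, step 1 navigates to the `...\{4d36e967-e325-11ce-bfc1-08002be10318}\CtxMcsWbc` subkey and changes its **Start** value, while step 4 says to delete "the **CtxMcsWbc** entry" under the parent class key; make clear whether step 4 deletes the subkey from step 1 or a value (such as a filter entry) under the class key, since the two readings have different effects on the filter driver.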
diff --git a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
index b22dd3682c..24ed5c4e2b 100644
--- a/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
+++ b/windows/deployment/upgrade/resolve-windows-10-upgrade-errors.md
@@ -25,7 +25,7 @@ ms.topic: article
This article contains a brief introduction to Windows 10 installation processes, and provides resolution procedures that IT administrators can use to resolve issues with Windows 10 upgrade.
-The article was originally one page, but has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
+The article has been divided into sub-topics of different technical levels. Basic level provides common procedures that can resolve several types of upgrade errors. Advanced level requires some experience with detailed troubleshooting methods.
The following four levels are assigned:
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 9e7a29631c..1e87d9bff7 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -25,14 +25,14 @@ ms.topic: article
>This is a 300 level topic (moderate advanced).
>See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
- [](https://go.microsoft.com/fwlink/?linkid=870142)
+ [](https://go.microsoft.com/fwlink/?linkid=870142)
## About SetupDiag
-Current downloadable version of SetupDiag: 1.6.2107.27002
->Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
+Current downloadable version of SetupDiag: 1.6.2107.27002.
+> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
-SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
+SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful.
SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
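Review bot: the rewritten blockquote still contains the grammar error "so that can access new functionality" (missing "you"); fix it while the line is being changed. Dropping "standalone" from "SetupDiag is a standalone diagnostic tool" also conflicts with the release-notes entry added later in this diff, which describes the download as "a standalone tool available in the Download Center"; either keep the word here or explain up front that there is both a downloadable tool and a copy included with Windows Setup, which is the distinction the new release note draws.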
@@ -344,6 +344,10 @@ Each rule name and its associated unique rule identifier are listed with a descr
## Release notes
+07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center.
+- This version contains compliance updates and minor bug fixes.
+- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup.
+
05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center.
- This version of SetupDiag is included with Windows 10, version 21H1.
- A new rule is added: UserProfileSuffixMismatch.
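Review bot: the new entry says the downloadable SetupDiag version now differs from the one included with Windows Setup, but neither this entry nor the "Current downloadable version" line says which version Windows Setup ships, or which of the two a reader should run when troubleshooting; add that, and state whether the 61 rules are the same in both builds, since the prior entry ties the rule count to the copy bundled with Windows 10, version 21H1.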
@@ -563,7 +567,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
## Sample registry key
-
+
## Related topics
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 580a08b67c..1cde13e1eb 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -61,7 +61,7 @@ Click **Submit** to send your feedback.
See the following example:
-
+
After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue. You can check on your feedback periodically to see what solutions have been provided.
@@ -69,7 +69,7 @@ After you click Submit, that's all you need to do. Microsoft will receive your f
After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
-
+
## Related topics
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index 842e478dcf..d8183e1f62 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -20,12 +20,15 @@ ms.topic: article
**Applies to**
- Windows 10
->[!NOTE]
->This is a 300 level topic (moderately advanced).
->See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
+> [!NOTE]
+> This is a 300 level topic (moderately advanced).
+> See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.
If a Windows 10 upgrade is not successful, it can be very helpful to understand *when* an error occurred in the upgrade process.
+> [!IMPORTANT]
+> Use the [SetupDiag](setupdiag.md) tool before you begin manually troubleshooting an upgrade error. SetupDiag automates log file analysis, detecting and reporting details on many different types of known upgrade issues.
+
Briefly, the upgrade process consists of four phases that are controlled by [Windows Setup](/windows-hardware/manufacture/desktop/windows-setup-technical-reference): **Downlevel**, **SafeOS**, **First boot**, and **Second boot**. The computer will reboot once between each phase. Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**. This key is volatile and only present during the upgrade process; it contains a binary value in the range 0-100.
These phases are explained in greater detail [below](#the-windows-10-upgrade-process). First, let's summarize the actions performed during each phase because this affects the type of errors that can be encountered.
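Review bot: the unchanged context line `Note: Progress is tracked in the registry during the upgrade process using the following key: **HKLM\System\Setup\mosetup\volatile\SetupProgress**.` still uses an inline `Note:` while this hunk converts the other notes on the page to `> [!NOTE]` callouts; convert it the same way for consistency. Also confirm there is a blank line between `If a Windows 10 upgrade is not successful, ...` and the new `> [!IMPORTANT]` callout (none is visible in the hunk, which shows a blank `+` line only after the callout), since a blockquote that directly follows a paragraph line can be rendered as part of that paragraph.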
@@ -59,31 +62,31 @@ When performing an operating system upgrade, Windows Setup uses phases described
1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
- 
+ 
2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
- 
+ 
3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
- 
+ 
4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017.
At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
- 
+ 
- 
+ 
- 
+ 
5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
**Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
-
+
DU = Driver/device updates.
OOBE = Out of box experience.
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index b5a1b6ea61..93173e687a 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -92,13 +92,13 @@ The following tables provide the corresponding phase and operation for values of
Extend code: phase |
- Hex | Phase
- | 0 | SP_EXECUTION_UNKNOWN
- | 1 | SP_EXECUTION_DOWNLEVEL
- | 2 | SP_EXECUTION_SAFE_OS
- | 3 | SP_EXECUTION_FIRST_BOOT
- | 4 | SP_EXECUTION_OOBE_BOOT
- | 5 | SP_EXECUTION_UNINSTALL
+ | Hex | Phase
+ | 0 | SP_EXECUTION_UNKNOWN
+ | 1 | SP_EXECUTION_DOWNLEVEL
+ | 2 | SP_EXECUTION_SAFE_OS
+ | 3 | SP_EXECUTION_FIRST_BOOT
+ | 4 | SP_EXECUTION_OOBE_BOOT
+ | 5 | SP_EXECUTION_UNINSTALL
|
@@ -106,45 +106,45 @@ The following tables provide the corresponding phase and operation for values of
Extend code: operation |
-Hex | Operation
-0 | SP_EXECUTION_OP_UNKNOWN
-1 | SP_EXECUTION_OP_COPY_PAYLOAD
-2 | SP_EXECUTION_OP_DOWNLOAD_UPDATES
-3 | SP_EXECUTION_OP_INSTALL_UPDATES
-4 | SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
-5 | SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
-6 | SP_EXECUTION_OP_REPLICATE_OC
-7 | SP_EXECUTION_OP_INSTALL_DRVIERS
-8 | SP_EXECUTION_OP_PREPARE_SAFE_OS
-9 | SP_EXECUTION_OP_PREPARE_ROLLBACK
-A | SP_EXECUTION_OP_PREPARE_FIRST_BOOT
-B | SP_EXECUTION_OP_PREPARE_OOBE_BOOT
-C | SP_EXECUTION_OP_APPLY_IMAGE
-D | SP_EXECUTION_OP_MIGRATE_DATA
-E | SP_EXECUTION_OP_SET_PRODUCT_KEY
-F | SP_EXECUTION_OP_ADD_UNATTEND
+Hex | Operation
+0 | SP_EXECUTION_OP_UNKNOWN
+1 | SP_EXECUTION_OP_COPY_PAYLOAD
+2 | SP_EXECUTION_OP_DOWNLOAD_UPDATES
+3 | SP_EXECUTION_OP_INSTALL_UPDATES
+4 | SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
+5 | SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
+6 | SP_EXECUTION_OP_REPLICATE_OC
+7 | SP_EXECUTION_OP_INSTALL_DRVIERS
+8 | SP_EXECUTION_OP_PREPARE_SAFE_OS
+9 | SP_EXECUTION_OP_PREPARE_ROLLBACK
+A | SP_EXECUTION_OP_PREPARE_FIRST_BOOT
+B | SP_EXECUTION_OP_PREPARE_OOBE_BOOT
+C | SP_EXECUTION_OP_APPLY_IMAGE
+D | SP_EXECUTION_OP_MIGRATE_DATA
+E | SP_EXECUTION_OP_SET_PRODUCT_KEY
+F | SP_EXECUTION_OP_ADD_UNATTEND
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
-Hex | Operation
- | 10 | SP_EXECUTION_OP_ADD_DRIVER
-11 | SP_EXECUTION_OP_ENABLE_FEATURE
-12 | SP_EXECUTION_OP_DISABLE_FEATURE
-13 | SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
-14 | SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
-15 | SP_EXECUTION_OP_CREATE_FILE
-16 | SP_EXECUTION_OP_CREATE_REGISTRY
-17 | SP_EXECUTION_OP_BOOT
-18 | SP_EXECUTION_OP_SYSPREP
-19 | SP_EXECUTION_OP_OOBE
-1A | SP_EXECUTION_OP_BEGIN_FIRST_BOOT
-1B | SP_EXECUTION_OP_END_FIRST_BOOT
-1C | SP_EXECUTION_OP_BEGIN_OOBE_BOOT
-1D | SP_EXECUTION_OP_END_OOBE_BOOT
-1E | SP_EXECUTION_OP_PRE_OOBE
-1F | SP_EXECUTION_OP_POST_OOBE
-20 | SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
+Hex | Operation
+ | 10 | SP_EXECUTION_OP_ADD_DRIVER
+11 | SP_EXECUTION_OP_ENABLE_FEATURE
+12 | SP_EXECUTION_OP_DISABLE_FEATURE
+13 | SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
+14 | SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
+15 | SP_EXECUTION_OP_CREATE_FILE
+16 | SP_EXECUTION_OP_CREATE_REGISTRY
+17 | SP_EXECUTION_OP_BOOT
+18 | SP_EXECUTION_OP_SYSPREP
+19 | SP_EXECUTION_OP_OOBE
+1A | SP_EXECUTION_OP_BEGIN_FIRST_BOOT
+1B | SP_EXECUTION_OP_END_FIRST_BOOT
+1C | SP_EXECUTION_OP_BEGIN_OOBE_BOOT
+1D | SP_EXECUTION_OP_END_OOBE_BOOT
+1E | SP_EXECUTION_OP_PRE_OOBE
+1F | SP_EXECUTION_OP_POST_OOBE
+20 | SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
|
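Review bot: the row ` | 10 | SP_EXECUTION_OP_ADD_DRIVER` keeps a leading `|` that no other row of the two `Hex | Operation` tables has, in both the removed and the added version, so this reformat leaves the first row of the second table laid out differently from the rest; drop the leading pipe (or add one to every row, as the `Hex | Phase` table in the previous hunk does) so the column layout is uniform. Separately, `SP_EXECUTION_OP_INSTALL_DRVIERS` (row `7`) looks like a transposition of `DRIVERS`; check it against the source enumeration before changing it, as the page may be reproducing the spelling used by Setup itself.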
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 57307ee3d0..c8a2c54c5a 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -33,9 +33,9 @@ The following table shows the methods and paths available to change the edition
> [!TIP]
> Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
- (X) = not supported
- (green checkmark) = supported, reboot required
- (blue checkmark) = supported, no reboot required
+ (X) = not supported
+ (green checkmark) = supported, reboot required
+ (blue checkmark) = supported, no reboot required
| Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
|-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** |  |  |  |  |  |  |
-| **Home > Pro for Workstations** |  |  |  |  |  |  |
-| **Home > Pro Education** |  |  |  |  |  |  |
-| **Home > Education** |  |  |  |  |  |  |
-| **Pro > Pro for Workstations** |  |  |  |  (MSfB) |  |  |
-| **Pro > Pro Education** |  |  |  |  (MSfB) |  |  |
-| **Pro > Education** |  |  |  |  (MSfB) |  |  |
-| **Pro > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
-| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
-| **Pro for Workstations > Education** |  |  |  |  (MSfB) |  |  |
-| **Pro for Workstations > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
-| **Pro Education > Education** |  |  |  |  (MSfB) |  |  |
-| **Enterprise > Education** |  |  |  |  (MSfB) |  |  |
+| **Home > Pro** |  |  |  |  |  |  |
+| **Home > Pro for Workstations** |  |  |  |  |  |  |
+| **Home > Pro Education** |  |  |  |  |  |  |
+| **Home > Education** |  |  |  |  |  |  |
+| **Pro > Pro for Workstations** |  |  |  |  (MSfB) |  |  |
+| **Pro > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro > Education** |  |  |  |  (MSfB) |  |  |
+| **Pro > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
+| **Pro for Workstations > Pro Education** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Education** |  |  |  |  (MSfB) |  |  |
+| **Pro for Workstations > Enterprise** |  |  |  |  (1703 - PC) (1709 - MSfB) |  |  |
+| **Pro Education > Education** |  |  |  |  (MSfB) |  |  |
+| **Enterprise > Education** |  |  |  |  (MSfB) |  |  |
> [!NOTE]
> - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
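Review bot: the `> [!TIP]` context line still says the Configuration Manager edition upgrade policy `isn't displayed yet in the table`, and this hunk rewrites every row of that table without adding the column; since all the rows are being touched anyway, add a column for it (or drop `yet` if the omission is intentional). The cell values `(1703 - PC) (1709 - MSfB)` and `(MSfB)` are also explained only implicitly by the column header `Using Microsoft Store for Business or PC`; spell out `PC` and `MSfB` in the legend next to `(X) = not supported` so the cells are readable on their own.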
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 08c4982f9c..50aad1782d 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -63,7 +63,7 @@ Ten parameters are listed in the event:
The event will also contain links to log files that can be used to perform a detailed diagnosis of the error. An example of this event from a successful upgrade is shown below.
-
+
## Related topics
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 84a87a0aac..52b489720f 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -49,7 +49,7 @@ You use a command-line option,**/hardlink** , to create a hard-link migration st
The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
-
+
## Local Store vs. Remote Store
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index be0c340cac..3406fdc071 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -187,13 +187,13 @@ The following system environment variables are necessary in the scenarios outlin
USMT_WORKING_DIR |
Full path to a working directory |
Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following:
-Set USMT_WORKING_DIR=[path to working directory]
|
+Set USMT_WORKING_DIR=[path to working directory]
MIG_OFFLINE_PLATFORM_ARCH |
32 or 64 |
While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following:
-Set MIG_OFFLINE_PLATFORM_ARCH=32
|
+Set MIG_OFFLINE_PLATFORM_ARCH=32
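Review bot: `Set USMT_WORKING_DIR=[path to working directory]` and `Set MIG_OFFLINE_PLATFORM_ARCH=32` set the variable for the current command prompt session only, yet the surrounding text presents them as setting a system environment variable (`To set the system environment variable, at a command prompt type the following:`); either state that the variable must be set in the same session that then launches ScanState, or show a persistent method. Now that the line is shown as a command, the square brackets in `[path to working directory]` should also be marked as a placeholder rather than left to read as literal syntax.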
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 1a5ba3389e..e59e727ee5 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -293,7 +293,7 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr
ScanProgramFiles |
The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications.
For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files:
-<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>
+<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>
If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions. |
False |
|
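Review bot: the pattern `<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>` has no path separator or wildcard between the directory and the bracketed file spec, which does not match the `<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>` form used elsewhere in this change; verify that the `\*` and `*` characters survived the move into a code block, because an unescaped `*` is read as emphasis in Markdown and disappears from the rendered page, and the description `generates this inclusion pattern for .doc files` only holds if the wildcard is present.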
@@ -424,11 +424,11 @@ In the examples below, the source computer has a .txt file called "new text docu
Rule 1 |
-<pattern type="File">d:\new folder[new text document.txt]</pattern>
|
+<pattern type="File">d:\new folder[new text document.txt]</pattern>
|
Rule 2 |
-<pattern type="File">d:\new folder[]</pattern>
|
+<pattern type="File">d:\new folder[]</pattern>
|
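Review bot: `d:\new folder[new text document.txt]` (Rule 1) and `d:\new folder[]` (Rule 2) likewise show the folder name butting directly against the `[...]` object spec; whatever separator and wildcard characters sit between `d:\new folder` and the brackets in the source .xml are what distinguish the two rules, so check the rendered output of the reformatted lines against the source and escape the `\` and `*` as needed.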
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 30930ac481..b94bc3041b 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -49,7 +49,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref
-
+
@@ -100,7 +100,7 @@ The following diagram shows a PC-replacement migration. First, the administrator
-
+
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index fdb0e895c5..c7dc4a18ce 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -414,7 +414,7 @@ For this example, the following table describes the resulting behavior if you ad
-<merge script="MigXmlHelper.DestinationPriority()">
+<merge script="MigXmlHelper.DestinationPriority()">
<objectSet>
<pattern type="File">c:\data* []</pattern>
</objectSet>
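Review bot: the pattern `c:\data* []` inside the moved `<merge script="MigXmlHelper.DestinationPriority()">` block differs from `c:\data\ [*]` in the third block of this change only by a missing backslash before the wildcard, and as written it reads as a prefix match on `data` rather than the contents of `c:\data`; check that the source has `c:\data\* []` and that the backslash is not being consumed as a Markdown escape when the block is rendered. The same line recurs in the next two hunks and should be fixed in all three places together.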
@@ -423,7 +423,7 @@ For this example, the following table describes the resulting behavior if you ad
During LoadState, only C:\Data\SampleA.txt will be restored.
|
|
-<merge script="MigXmlHelper.SourcePriority()">
+<merge script="MigXmlHelper.SourcePriority()">
<objectSet>
<pattern type="File">c:\data* []</pattern>
</objectSet>
@@ -432,7 +432,7 @@ For this example, the following table describes the resulting behavior if you ad
During LoadState, all the files will be restored, overwriting the existing files on the destination computer.
|
|
-<merge script="MigXmlHelper.SourcePriority()">
+<merge script="MigXmlHelper.SourcePriority()">
<objectSet>
<pattern type="File">c:\data\ [*]</pattern>
</objectSet>
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 5314d52e8e..5096af5a77 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -119,15 +119,15 @@ The following is a custom .xml file named CustomFile.xml that migrates My Videos
-<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
|
+<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
|
Verifies that My Videos exists on the source computer. |
-<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
|
+<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
|
Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering. |
-<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>
|
+<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>
|
Migrates My Videos for all users. |
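Review bot: `<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>` uses single-quoted attribute values while `<condition>` and `<pattern type="File">` in the same table use double quotes; since these lines are being reformatted, make the quoting consistent so the rows can be pasted together into one rule without a mixed style.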
@@ -176,19 +176,19 @@ This table describes the behavior in the following example .xml file.
-<pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>
|
+<pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>
|
Migrates all instances of the file Usmttestfile.txt from all sub-directories under %ProgramFiles%\USMTTestFolder. |
-<pattern type="File">%ProgramFiles%\USMTDIRTestFolder* []</pattern>
|
+<pattern type="File">%ProgramFiles%\USMTDIRTestFolder* []</pattern>
|
Migrates the whole directory under %ProgramFiles%\USMTDIRTestFolder. |
-<pattern type="Registry">HKCU\Software\USMTTESTKEY* [MyKey]</pattern>
|
+<pattern type="Registry">HKCU\Software\USMTTESTKEY* [MyKey]</pattern>
|
Migrates all instances of MyKey under HKCU\Software\USMTTESTKEY. |
-<pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>
|
+<pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>
|
Migrates the entire registry hive under HKLM\Software\USMTTESTKEY. |
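Review bot: the description `Migrates all instances of the file Usmttestfile.txt` spells the file differently from the pattern it explains (`[USMTTestFile.txt]`); use one spelling. `Migrates the entire registry hive under HKLM\Software\USMTTESTKEY` also misuses "hive": `HKLM\Software\USMTTESTKEY` is a key, not a hive, and the pattern `HKLM\Software\USMTTESTKEY* []` migrates that key and everything beneath it, which is how the row should read.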
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 9f2a90a4f5..c97dfbadb0 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -3465,7 +3465,7 @@ Syntax:
Specify up to three <role> elements within a <component> — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter.
Specify one "Container" <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
-<component context="UserAndSystem" type="Application">
+<component context="UserAndSystem" type="Application">
<displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName>
<environment name="GlobalEnv" />
<role role="Container">
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index f32ee0d61e..10e7c2e418 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -55,7 +55,7 @@ The process proceeds as follows:
3. Client computers are activated by receiving the activation object from a domain controller during startup.
> [!div class="mx-imgBorder"]
- > 
+ > 
**Figure 10**. The Active Directory-based activation flow
@@ -80,31 +80,31 @@ When a reactivation event occurs, the client queries AD DS for the activation o
3. Add the Volume Activation Services role, as shown in Figure 11.
- 
+ 
**Figure 11**. Adding the Volume Activation Services role
4. Click the link to launch the Volume Activation Tools (Figure 12).
- 
+ 
**Figure 12**. Launching the Volume Activation Tools
5. Select the **Active Directory-Based Activation** option (Figure 13).
- 
+ 
**Figure 13**. Selecting Active Directory-Based Activation
6. Enter your KMS host key and (optionally) a display name (Figure 14).
- 
+ 
**Figure 14**. Entering your KMS host key
7. Activate your KMS host key by phone or online (Figure 15).
- 
+ 
**Figure 15**. Choosing how to activate your product
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index f9cfcf33ac..5fa4723874 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -80,39 +80,39 @@ This scenario is commonly used in larger organizations that do not find the over
2. Launch Server Manager.
3. Add the Volume Activation Services role, as shown in Figure 4.
- 
+ 
**Figure 4**. Adding the Volume Activation Services role in Server Manager
4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
- 
+ 
**Figure 5**. Launching the Volume Activation Tools
5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
- 
+ 
**Figure 6**. Configuring the computer as a KMS host
6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
- 
+ 
**Figure 7**. Installing your KMS host key
7. If asked to confirm replacement of an existing key, click **Yes**.
8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
- 
+ 
**Figure 8**. Activating the software
The KMS key can be activated online or by phone. See Figure 9.
- 
+ 
**Figure 9**. Choosing to activate online
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index b88d65def4..728b60519b 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -99,12 +99,12 @@ A MAK is used for one-time activation with Microsoft’s hosted activation servi
You can activate computers by using a MAK in two ways:
- **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
- 
+ 
**Figure 16**. MAK independent activation
- **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
- 
+ 
**Figure 17**. MAK proxy activation with the VAMT
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index 4e2248db96..e671e92d02 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -34,7 +34,7 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI
5. VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane.
- 
+ 
**Important**
This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 87cb8d7b0f..5cbd41f410 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -45,7 +45,7 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro
Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel:
-
+
1. Open the Control Panel and double-click **Administrative Tools**.
2. Click **Windows Firewall with Advanced Security**.
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index f462f8655f..0b67293d6a 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**.
- 
+ 
### Install VAMT using the ADK
@@ -73,7 +73,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
- 
+ 
For remote SQL Server, use `servername.yourdomain.com`.
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 45619726e9..91d2d8540b 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -45,7 +45,7 @@ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type prod
VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
-
+
In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
@@ -54,7 +54,7 @@ The Isolated Lab environment is a workgroup that is physically separate from the
The following screenshot shows the VAMT graphical user interface.
-
+
VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 443e1e417b..71d990f500 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -120,7 +120,7 @@ In the core network, a centralized KMS solution is recommended. You can also use
A typical core network that includes a KMS host is shown in Figure 1.
-
+
**Figure 1**. Typical core network
@@ -140,7 +140,7 @@ If the isolated network cannot communicate with the core network’s KMS server,
If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
-
+
**Figure 2**. New KMS host in an isolated network
@@ -222,7 +222,7 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence:
7. If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
8. If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
-
+
**Figure 3**. KMS activation flow
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index 2716a475b8..118a656e49 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -25,7 +25,7 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th
- Retail
The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
-
+
## In This Topic
- [Install and start VAMT on a networked host computer](#bkmk-partone)
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 84e0a8ea19..d3b906680d 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -19,7 +19,7 @@ ms.topic: article
In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario:
-
+
## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index c8e7913ed2..562251c0a9 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -51,7 +51,7 @@ You can use the VAMT to complete the activation process in products by using MAK
The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
-
+
**Figure 18**. The VAMT showing the licensing status of multiple computers
@@ -59,7 +59,7 @@ The VAMT provides an overview of the activation and licensing status of computer
The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
-
+
**Figure 19**. The VAMT showing key types and usage
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 844c46ba14..55fd4c1684 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -30,7 +30,7 @@ The current known issues with the Volume Activation Management Tool (VAMT), vers
Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here.
-
+
This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 3bda096ca5..2a0f0da2a9 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -26,13 +26,13 @@ The following posters step through various options for deploying Windows 10 with
The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
-[](./media/Windows10AutopilotFlowchart.pdf)
+[](./media/Windows10AutopilotFlowchart.pdf)
## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
-[](./media/Windows10DeploymentConfigManager.pdf)
+[](./media/Windows10DeploymentConfigManager.pdf)
## See also
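Review bot: both `[](./media/Windows10AutopilotFlowchart.pdf)` and `[](./media/Windows10DeploymentConfigManager.pdf)` keep empty link text on the `+` side, while the sentences above them say "Click the image to view a PDF in your browser"; if the poster image is no longer nested inside the brackets nothing clickable renders, and even with an image nested there a screen reader gets no description. Please confirm the image is still inside the link text and give it alt text, e.g. `[![Windows Autopilot flowchart](<image path>)](./media/Windows10AutopilotFlowchart.pdf)` with `<image path>` filled in from the repository.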
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 6bba5bcd04..7bbf4ab431 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -30,109 +30,109 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
- Traditional deployment methods use existing tools to deploy operating system images.
- Category |
- Scenario |
- Description |
- More information |
+ Category |
+ Scenario |
+ Description |
+ More information |
Modern |
[Windows Autopilot](#windows-autopilot) |
-
+ |
Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
|
-
+ |
Overview of Windows Autopilot
|
-
+ |
[In-place upgrade](#in-place-upgrade)
|
-
+ |
Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
|
-
+ |
Perform an in-place upgrade to Windows 10 with MDT Perform an in-place upgrade to Windows 10 using Configuration Manager
|
-
+ |
Dynamic
|
-
+ |
[Subscription Activation](#windows-10-subscription-activation)
|
-
+ |
Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.
|
-
+ |
Windows 10 Subscription Activation
|
-
+ |
[AAD / MDM](#dynamic-provisioning)
|
-
+ |
The device is automatically joined to AAD and configured by MDM.
|
-
+ |
Azure Active Directory integration with MDM
|
-
+ |
[Provisioning packages](#dynamic-provisioning)
|
-
+ |
Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.
|
-
+ |
Configure devices without MDM
|
-
+ |
Traditional
|
-
+ |
[Bare metal](#new-computer)
|
-
+ |
Deploy a new device, or wipe an existing device and deploy with a fresh image.
|
-
+ |
Deploy a Windows 10 image using MDT Deploy Windows 10 using PXE and Configuration Manager
|
-
+ |
[Refresh](#computer-refresh)
|
-
+ |
Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state.
|
-
+ |
Refresh a Windows 7 computer with Windows 10 Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
|
-
+ |
[Replace](#computer-replace)
|
-
+ |
Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
|
-
+ |
Replace a Windows 7 computer with a Windows 10 computer Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
|
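Review bot: the table in this hunk is written with one cell per line and a trailing `|`, and there is no separator row (`| --- | --- | --- | --- |`) under the `Category | Scenario | Description | More information` header, so if this is meant to be a Markdown pipe table a renderer will not produce a table from it; each row should sit on one line with the separator row under the header. Separately, the More information cells such as `Perform an in-place upgrade to Windows 10 with MDT Perform an in-place upgrade to Windows 10 using Configuration Manager` run two topic titles together with no link or delimiter, whereas the Scenario cells do carry anchor links; those titles should either be linked or be separated (`<br>` or a list).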
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index a90baefd20..0e160f2943 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -42,7 +42,7 @@ Windows 10, version 1709 is available starting on 10/17/2017 in all relevant dis
For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images:
-
+
When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
@@ -69,7 +69,7 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic
See the following example for Windows 10, version 1709:
-
+
### Features on demand
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 7e6d238721..99a97d2f55 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -46,7 +46,7 @@ Topics and procedures in this guide are summarized in the following table. An es
-
+
Topic | Description | Time
@@ -226,8 +226,8 @@ A reference image serves as the foundation for Windows 10 devices in your organi
26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
-
-
+
+
New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
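Review bot: `Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20` turns dynamic memory on but sets minimum equal to maximum, so the VM can never grow beyond 1 GB and the `-Buffer 20` has nothing to work with; either drop `-DynamicMemoryEnabled` and `-Buffer` for a plainly static 1 GB VM, or raise `-MaximumBytes` so the reference-image build has headroom.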
@@ -284,7 +284,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
- 
+ 
### Create the deployment task sequence
@@ -459,7 +459,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes. When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
- 
+ 
This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 603113f920..d69cc3b5db 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -331,7 +331,7 @@ WDSUTIL /Set-Server /AnswerClients:None
- **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
See the following example:
- 
+ 
5. Click **OK**.
6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
@@ -803,7 +803,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
>Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
-
+
In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
@@ -907,7 +907,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
- 
+ 
If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
@@ -915,7 +915,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here. See the following example:
- 
+ 
>It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
@@ -976,7 +976,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
- 
+ 
### Create a device collection for PC1
@@ -1026,7 +1026,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
- 
+ 
>If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
@@ -1064,17 +1064,17 @@ In the Configuration Manager console, in the Software Library workspace under Op
3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
- 
+ 
The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed. See the following example:
- 
+ 
You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
- 
+ 
## Related Topics
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 319121950d..3855f4698d 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -55,7 +55,7 @@ Topics and procedures in this guide are summarized in the following table. An es
-
+
Topic | Description | Time |
@@ -83,7 +83,7 @@ One computer that meets the hardware and software specifications below is requir
Hardware requirements are displayed below:
-
+
@@ -150,7 +150,7 @@ Hardware requirements are displayed below:
The lab architecture is summarized in the following diagram:
-
+
- Computer 1 is configured to host four VMs on a private, PoC network.
- Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
@@ -179,7 +179,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
+
C:\>systeminfo
...
@@ -195,7 +195,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
-
+
C:\>coreinfo -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
@@ -214,19 +214,19 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
- Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
+ Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
- Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+ Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
>Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
- 
+ 
- 
+ 
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
@@ -256,7 +256,7 @@ After completing these steps, you will have three files in the **C:\VHD** direct
The following displays the procedures described in this section, both before and after downloading files:
-
+
C:>mkdir VHD
C:>cd VHD
C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
@@ -301,7 +301,7 @@ If you have a PC available to convert to VM (computer 2):
When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
-
+
@@ -331,13 +331,13 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
-
+
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
-
+
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
@@ -348,7 +348,7 @@ USER-PC1 Disk #0, Partition #1 GPT
On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
-
+
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
@@ -372,7 +372,7 @@ Number Friendly Name OperationalStatus Tota
The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
-
+
@@ -449,13 +449,13 @@ Notes:
3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
+
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@@ -471,7 +471,7 @@ Notes:
2. On the computer you wish to convert, open an elevated command prompt and type the following command:
- mountvol s: /s
+ mountvol s: /s
This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
@@ -482,13 +482,13 @@ Notes:
5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
+
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@@ -506,13 +506,13 @@ Notes:
3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
- 
+ 
>Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
+
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@@ -531,7 +531,7 @@ Notes:
To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-Set-VMhost -EnableEnhancedSessionMode $TRUE
+Set-VMhost -EnableEnhancedSessionMode $TRUE
>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
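Review bot: `Set-VMhost -EnableEnhancedSessionMode $TRUE` is the only command line in this file's hunks with no leading indentation (compare the `Resize-VHD` and `Get-Volume` lines further down), so it may render as body text instead of a code line; it also spells the cmdlet `Set-VMhost` where the documented name is `Set-VMHost`. PowerShell resolves the name case-insensitively, but since the surrounding text tells readers to copy and paste, matching the canonical spelling and the file's code indentation avoids doubt.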
@@ -541,7 +541,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
+
Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
$x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
@@ -549,7 +549,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
-
+
Get-Volume -DriveLetter $x
Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd
@@ -563,7 +563,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
If you choose B) or C), then do not run the second command below.
-
+
New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
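Review bot: the second command, `New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name`, selects every physical adapter whose status is Up; on a host with more than one (wired plus wireless, or a docked laptop) `.Name` returns an array and the command either fails or binds the wrong adapter. Suggest adding `Select-Object -First 1` to the pipeline or telling the reader to run `Get-NetAdapter` first and substitute the intended adapter name, since the guide already lists "use your existing external switch" as the alternative.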
@@ -574,7 +574,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
-
+
(Get-VMHostNumaNode).MemoryAvailable
@@ -582,7 +582,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
-
+
(Get-VMHostNumaNode).MemoryAvailable/4
2775.5
@@ -592,7 +592,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
>**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
-
+
$maxRAM = 2700MB
New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
@@ -609,7 +609,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
To create a generation 1 VM (using c:\vhd\w7.vhdx):
-
+
New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
@@ -617,7 +617,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
To create a generation 2 VM (using c:\vhd\PC1.vhdx):
-
+
New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
@@ -629,7 +629,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
-
+
New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
Mount-VHD -Passthru |
Get-Disk -Number {$_.DiskNumber} |
@@ -641,7 +641,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
-
+
New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
@@ -659,13 +659,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
4. Click **Command Prompt**.
5. Type the following command to save an image of the OS drive:
-
+
dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
-
+
diskpart
select disk 0
clean
@@ -681,7 +681,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
7. Type the following commands to restore the OS image and boot files:
-
+
dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
bcdboot c:\windows
exit
@@ -691,7 +691,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
-
+
Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
Set-VMDvdDrive -VMName PC1 -Path $null
@@ -700,7 +700,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
-
+
Start-VM DC1
vmconnect localhost DC1
@@ -710,7 +710,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
-
+
Rename-Computer DC1
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
@@ -722,19 +722,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
-
+
Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
-
+
Restart-Computer
8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
-
+
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
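Review bot: `$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force` keeps the directory services restore mode password as a plaintext literal, so it ends up in the reader's console history and in any transcript; for a throwaway PoC forest that is tolerable, but the step could read the value with `Read-Host -AsSecureString -Prompt "DSRM password"` instead, and the text should state that this value is for the isolated lab only and must not be reused on a production forest.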
@@ -743,7 +743,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
-
+
Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
Add-WindowsFeature -Name DHCP -IncludeManagementTools
netsh dhcp add securitygroups
@@ -754,7 +754,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
10. Next, add a DHCP scope and set option values:
-
+
Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
@@ -763,13 +763,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
-
+
Get-DnsServerForwarder
The following output should be displayed:
-
+
UseRootHint : True
Timeout(s) : 3
EnableReordering : True
@@ -779,7 +779,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
-
+
Add-DnsServerForwarder -IPAddress 192.168.0.2
@@ -791,7 +791,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
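Review bot: all three `New-ADUser` lines create accounts with the identical plaintext password `pass@word1` and `-ChangePasswordAtLogon $false`, including the MDT_BA build account and the CM_JD domain-join account. Add a note that readers should give the service accounts distinct passwords even in a PoC (and that passwords typed on the command line are retained in the PowerShell history), or state plainly that these accounts must not be carried into a production domain.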
@@ -810,7 +810,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
-
+
Start-VM PC1
vmconnect localhost PC1
@@ -821,7 +821,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
- 
+ 
>If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
@@ -866,7 +866,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
-
+
(Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
$user = "contoso\administrator"
@@ -879,12 +879,12 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
See the following example:
- 
+ 
19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
-
+
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
@@ -895,7 +895,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
-
+
Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
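Review bot: step 21 executes `c:\pc1.ps1` on PC1, and that file (authored in step 18 and copied in step 20) contains the `contoso\administrator` password in plaintext; the procedure never removes it. Add a cleanup step after the join succeeds, e.g. `Remove-Item c:\pc1.ps1` on PC1 and the same for `C:\VHD\pc1.ps1` on the Hyper-V host, or at minimum a sentence telling readers to delete both copies.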
@@ -906,7 +906,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
-
+
Start-VM SRV1
vmconnect localhost SRV1
@@ -915,7 +915,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
-
+
Rename-Computer SRV1
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
@@ -927,7 +927,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
-
+
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
$user = "contoso\administrator"
$cred = New-Object System.Management.Automation.PSCredential($user,$pass)
@@ -937,7 +937,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
-
+
Install-WindowsFeature -Name DNS -IncludeManagementTools
Install-WindowsFeature -Name WDS -IncludeManagementTools
Install-WindowsFeature -Name Routing -IncludeManagementTools
@@ -947,7 +947,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
-
+
Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
IPAddress InterfaceAlias
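Review bot: the `Get-NetAdapter | ? status -eq ‘up’` line uses typographic quotes (‘ ’) around `up`; Windows PowerShell accepts them when pasted, but they are easily mangled when the command is copied through other editors or tooling. Replace them with straight single quotes, `'up'`, so the command is copy-paste safe.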
@@ -964,7 +964,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
-
+
Install-RemoteAccess -VpnType Vpn
cmd /c netsh routing ip nat install
cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
@@ -974,13 +974,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
-
+
Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
-
+
ping www.microsoft.com
@@ -988,13 +988,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
**Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
-
+
Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
-
+
PS C:\> ping www.microsoft.com
Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
@@ -1012,7 +1012,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
-
+
runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
Restart-Computer
@@ -1025,7 +1025,7 @@ Use the following procedures to verify that the PoC environment is configured pr
1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
Get-Service NTDS,DNS,DHCP
DCDiag -a
Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
@@ -1047,7 +1047,7 @@ Use the following procedures to verify that the PoC environment is configured pr
2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
Get-Service DNS,RemoteAccess
Get-DnsServerForwarder
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
@@ -1063,7 +1063,7 @@ Use the following procedures to verify that the PoC environment is configured pr
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
whoami
hostname
nslookup www.microsoft.com
@@ -1082,7 +1082,7 @@ Use the following procedures to verify that the PoC environment is configured pr
-
+
Term
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 447ea81cfb..16e8c70c2a 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -65,7 +65,7 @@ To support Inherited Activation, both the host computer and the VM must be runni
The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
-
+
- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
@@ -117,11 +117,11 @@ If the device is running Windows 10, version 1809 or later:
- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
- 
+ 
- 
+ 
- 
+ 
### Windows 10 Education requirements
@@ -162,7 +162,7 @@ The device is AAD joined from **Settings > Accounts > Access work or school**.
The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
-
+
When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires.
@@ -171,10 +171,10 @@ Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, versio
The following figures summarize how the Subscription Activation model works:
Before Windows 10, version 1903:
-
+
After Windows 10, version 1903:
-
+
> [!NOTE]
>
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index d132aa99a6..fb930e1509 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -115,9 +115,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh
Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
- 
+ 
- 
+ 
If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
@@ -185,7 +185,7 @@ After entering these commands, connect to the VM that you just created and wait
See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
-
+
PS C:\autopilot> dir c:\iso
@@ -232,21 +232,21 @@ PS C:\autopilot>
Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
- 
- 
- 
- 
- 
- 
+ 
+ 
+ 
+ 
+ 
+ 
After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
- 
+ 
Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
> [!div class="mx-imgBorder"]
- > 
+ > 
To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
@@ -322,7 +322,7 @@ Follow these steps to run the PowerShell script:
> [!NOTE]
> Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
- 
+ 
You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
@@ -338,11 +338,11 @@ With the hardware ID captured in a file, prepare your Virtual Machine for Window
On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
-
+
Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
-
+
## Verify subscription level
@@ -350,13 +350,13 @@ For this lab, you need an AAD Premium subscription. You can tell if you have a
**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
-
+
If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
-
+
## Configure company branding
@@ -367,7 +367,7 @@ If you already have company branding configured in Azure Active Directory, you c
Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
-
+
When you are finished, click **Save**.
@@ -382,7 +382,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com
For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
-
+
## Register your VM
@@ -392,14 +392,14 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
- 
+ 
> [!NOTE]
> If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
- 
+ 
You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
@@ -407,7 +407,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
4. Click **Refresh** to verify your VM or device has been added. See the following example.
- 
+ 
### Autopilot registration using MSfB
@@ -426,11 +426,11 @@ Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.
Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
-
+
Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
-
+
## Create and assign a Windows Autopilot deployment profile
@@ -446,7 +446,7 @@ Pick one:
> [!NOTE]
> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
-
+
#### Create a device group
@@ -463,7 +463,7 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
3. Click **Members** and add the Autopilot VM to the group. See the following example:
> [!div class="mx-imgBorder"]
- > 
+ > 
4. Click **Create**.
@@ -472,12 +472,12 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
> [!div class="mx-imgBorder"]
-> 
+> 
Click on **Create profile** and then select **Windows PC**.
> [!div class="mx-imgBorder"]
-> 
+> 
On the **Create profile** blade, use the following values:
@@ -512,7 +512,7 @@ Click **Next** to continue with the **Assignments** settings:
2. Click the **Autopilot Lab** group, and then click **Select**.
3. Click **Next** to continue and then click **Create**. See the following example:
-
+
Click on **OK** and then click on **Create**.
@@ -529,7 +529,7 @@ First, sign in to the [Microsoft Store for Business](https://businessstore.micro
Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
-
+
Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
@@ -538,17 +538,17 @@ To CREATE the profile:
Select your device from the **Devices** list:
> [!div class="mx-imgBorder"]
-> 
+> 
On the Autopilot deployment dropdown menu, select **Create new profile**:
> [!div class="mx-imgBorder"]
-> 
+> 
Name the profile, choose your desired settings, and then click **Create**:
> [!div class="mx-imgBorder"]
-> 
+> 
The new profile is added to the Autopilot deployment list.
@@ -557,12 +557,12 @@ To ASSIGN the profile:
To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
> [!div class="mx-imgBorder"]
-> 
+> 
Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
> [!div class="mx-imgBorder"]
-> 
+> 
> [!IMPORTANT]
> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
@@ -572,7 +572,7 @@ Confirm the profile was successfully assigned to the intended device by checking
If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
> [!div class="mx-imgBorder"]
-> 
+> 
Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
@@ -583,12 +583,12 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
- Turn on the device
- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
-
+
Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
> [!div class="mx-imgBorder"]
-> 
+> 
Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
@@ -606,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you w
You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu.
> [!div class="mx-imgBorder"]
-> 
+> 
This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
@@ -618,7 +618,7 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment
To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
> [!div class="mx-imgBorder"]
-> 
+> 
At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
@@ -686,7 +686,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
> [!div class="mx-imgBorder"]
-> 
+> 
After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
@@ -696,20 +696,20 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Windows app (Win32)**:
-
+
On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
> [!div class="mx-imgBorder"]
-> 
+> 
On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
-
+
On the **Program Configuration** blade, supply the install and uninstall commands:
@@ -721,7 +721,7 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
> [!NOTE]
> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
-
+
Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
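Review bot: the paragraph after the NOTE points readers at a repackaged Notepad++ MSI from a third party (hass.de) for deployment through Intune, with no guidance on validating it; a lab that teaches Win32 app packaging should add a sentence on checking the package before upload (for example, inspecting its Authenticode signature with `Get-AuthenticodeSignature` or comparing its hash against the value the packager publishes) and should state explicitly that this is not an official Notepad++ release.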
@@ -730,23 +730,23 @@ Click **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
> [!div class="mx-imgBorder"]
-> 
+> 
Next, configure the **Detection rules**. For our purposes, we will select manual format:
> [!div class="mx-imgBorder"]
-> 
+> 
Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
-
+
Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
**Return codes**: For our purposes, leave the return codes at their default values:
> [!div class="mx-imgBorder"]
-> 
+> 
Click **OK** to exit.
@@ -757,12 +757,12 @@ Click the **Add** button to finalize and save your app package.
Once the indicator message says the addition has completed.
> [!div class="mx-imgBorder"]
-> 
+> 
You will be able to find your app in your app list:
> [!div class="mx-imgBorder"]
-> 
+> 
#### Assign the app to your Intune profile
@@ -772,7 +772,7 @@ You will be able to find your app in your app list:
In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
> [!div class="mx-imgBorder"]
-> 
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -783,10 +783,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
> [!div class="mx-imgBorder"]
-> 
+> 
In the **Select groups** pane, click the **Select** button.
@@ -797,7 +797,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
> [!div class="mx-imgBorder"]
-> 
+> 
At this point, you have completed steps to add a Win32 app to Intune.
@@ -811,16 +811,16 @@ Log into the Azure portal and select **Intune**.
Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
-
+
Under **App Type**, select **Office 365 Suite > Windows 10**:
-
+
Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
> [!div class="mx-imgBorder"]
-> 
+> 
Click **OK**.
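Review bot: typo in the context line introducing the **Configure App Suite** pane: "For the purposes of this labe" should read "lab". Since this hunk already touches that paragraph's image line, fix it in the same change.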
@@ -829,13 +829,13 @@ In the **App Suite Information** pane, enter a unique suite name, and a s
Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
> [!div class="mx-imgBorder"]
-> 
+> 
Click **OK**.
In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
-
+
Click **OK** and then click **Add**.
@@ -847,7 +847,7 @@ Click **OK** and then click **Add**.
In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
> [!div class="mx-imgBorder"]
-> 
+> 
Select **Add Group** to open the **Add group** pane that is related to the app.
@@ -857,10 +857,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
Select **Included Groups** and assign the groups you previously created that will use this app:
-
+
> [!div class="mx-imgBorder"]
-> 
+> 
In the **Select groups** pane, click the **Select** button.
@@ -870,7 +870,7 @@ In the **Add group** pane, select **OK**.
In the app **Assignments** pane, select **Save**.
-
+
At this point, you have completed steps to add Office to Intune.
@@ -878,7 +878,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
-
+
## Glossary
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 0d04abd1e0..04f798b127 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -29,7 +29,7 @@ In this topic, you also learn about different types of reference images that you
Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
-
+
The Windows 10 ADK feature selection page.
@@ -50,7 +50,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
-Source D:\Sources\SxS -LimitAccess
```
-
+
Using DISM functions in PowerShell.
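Review bot: the command in this hunk's context is broken across two lines (`Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All` followed by `-Source D:\Sources\SxS -LimitAccess`) with no backtick continuation, so pasted into PowerShell the second line runs as a separate statement and the feature is enabled without the `-Source`/`-LimitAccess` restriction or the command fails outright; since this change already touches the figure directly under that block, join the two lines or end the first with a backtick. The alt-text edit itself is fine.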
@@ -77,7 +77,7 @@ In addition to these tools, there are also XML templates that manage which data
- **Custom templates.** Custom templates that you create.
- **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
-
+
A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
@@ -100,7 +100,7 @@ These are the settings migrated by the default MigUser.xml and MigApp.xml templa
Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
-
+
Windows Imaging and Configuration Designer.
@@ -110,7 +110,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/
Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
-
+
Windows answer file opened in Windows SIM.
@@ -120,7 +120,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht
If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
-
+
The updated Volume Activation Management Tool.
@@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep
The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
-
+
A machine booted with the Windows ADK default Windows PE boot image.
@@ -149,7 +149,7 @@ For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manuf
Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
-
+
A Windows 10 client booted into Windows RE, showing Advanced options.
@@ -160,7 +160,7 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows-
Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
-
+
Windows Deployment Services using multicast to deploy three machines.
@@ -176,7 +176,7 @@ Also, there are a few new features related to TFTP performance:
- **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
- **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
-
+
TFTP changes are now easy to perform.
@@ -192,7 +192,7 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup
-
+
The Deployment Workbench in, showing a task sequence.
@@ -203,7 +203,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm
[Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
-
+
The SCM console showing a baseline configuration for a fictional client's computer security compliance.
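Review bot: the context sentence says the current Security Compliance Manager release "includes baselines for Windows 8.1 and several earlier versions", which leaves a Windows 10 deployment page pointing readers at baselines that do not cover the OS the page deploys; while the figure line is being edited here, consider adding a sentence that names the current baseline tooling or at least states that SCM's baselines stop at Windows 8.1, so readers do not treat it as the source of Windows 10 hardening settings.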
@@ -228,7 +228,7 @@ For more information on the benefits of an MDOP subscription, see [Microsoft Des
There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
-
+
The User Experience selection screen in IEAK 11.
@@ -239,7 +239,7 @@ To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Inform
WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
-
+
The Windows Server Update Services console.
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 930819c367..5852e85928 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -64,7 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
**To turn on data viewing through PowerShell**
@@ -134,7 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
**To turn off data viewing through PowerShell**
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 3b40651ee2..dc9a127179 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -38,7 +38,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
### Download the Diagnostic Data Viewer
Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
@@ -54,7 +54,7 @@ You can start this app from the **Settings** panel.
2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
- 
-OR-
+ 
-OR-
Go to **Start** and search for _Diagnostic Data Viewer_.
@@ -73,7 +73,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
>[!Important]
>Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time.
- 
+ 
- **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text.
@@ -83,7 +83,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
- To signify your contribution, you’ll see this icon () if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon ().
+ To signify your contribution, you’ll see this icon () if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon ().
- **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
@@ -99,7 +99,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
>[!Important]
>This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer.
- 
+ 
## View Office Diagnostic Data
By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830).
@@ -112,7 +112,7 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
- 
+ 
## Modifying the size of your data history
By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first.
@@ -139,7 +139,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel
Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.
-
+
**To view your Windows Error Reporting diagnostic data using the Control Panel**
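Review bot: the context line `Starting with Windows 1809 and higher` uses a build designation that is not a product name; the style used elsewhere in this repo is `Windows 10, version 1809`, and the trailing "and higher" is redundant with "Starting with". Worth fixing in the same pass since the figure right under it is being edited.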
@@ -147,7 +147,7 @@ Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Secu
Go to **Start** and search for _Problem Reports_.
The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
-
+
## Known Issues with Diagnostic Data Viewer
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index aad2616468..f1f0d9469a 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -57,60 +57,60 @@ The following table lists management options for each setting, beginning with Wi
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
-| [2. Cortana and Search](#bkmk-cortana) | |  |  |
-| [3. Date & Time](#bkmk-datetime) |  |  |  |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
-| [5. Find My Device](#find-my-device) |  |  |  |
-| [6. Font streaming](#font-streaming) | |  |  |
-| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
-| [8. Internet Explorer](#bkmk-ie) | |  |  |
-| [9. License Manager](#bkmk-licmgr) | | |  |
-| [10. Live Tiles](#live-tiles) | |  |  |
-| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
-| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
-| [13. Microsoft Edge](#bkmk-edge) | |  |  |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
-| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
-| [16. OneDrive](#bkmk-onedrive) | |  |  |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
+| [2. Cortana and Search](#bkmk-cortana) | |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  |  |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
+| [5. Find My Device](#find-my-device) |  |  |  |
+| [6. Font streaming](#font-streaming) | |  |  |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) | |  |  |
+| [9. License Manager](#bkmk-licmgr) | | |  |
+| [10. Live Tiles](#live-tiles) | |  |  |
+| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
+| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
+| [13. Microsoft Edge](#bkmk-edge) | |  |  |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
+| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
+| [16. OneDrive](#bkmk-onedrive) | |  |  |
| [17. Preinstalled apps](#bkmk-preinstalledapps) |  | | |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [18.1 General](#bkmk-general) |  |  |  |
-| [18.2 Location](#bkmk-priv-location) |  |  |  |
-| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
-| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
-| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
-| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
-| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
-| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
-| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
-| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
-| [18.11 Email](#bkmk-priv-email) |  |  |  |
-| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
-| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
-| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
-| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
-| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
-| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
-| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
-| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
-| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
-| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
-| [18.22 Activity History](#bkmk-act-history) |  | |  |
-| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
-| [19. Software Protection Platform](#bkmk-spp) | |  |  |
-| [20. Storage Health](#bkmk-storage-health) | |  |  |
-| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
-| [22. Teredo](#bkmk-teredo) | |  |  |
-| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
-| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
-| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
-| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
-| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
-| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
-| [29. Windows Update](#bkmk-wu) | |  |  |
+| [18.1 General](#bkmk-general) |  |  |  |
+| [18.2 Location](#bkmk-priv-location) |  |  |  |
+| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
+| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
+| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
+| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
+| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
+| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
+| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
+| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
+| [18.11 Email](#bkmk-priv-email) |  |  |  |
+| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
+| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
+| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
+| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
+| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
+| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
+| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
+| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
+| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
+| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
+| [18.22 Activity History](#bkmk-act-history) |  | |  |
+| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
+| [19. Software Protection Platform](#bkmk-spp) | |  |  |
+| [20. Storage Health](#bkmk-storage-health) | |  |  |
+| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
+| [22. Teredo](#bkmk-teredo) | |  |  |
+| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
+| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
+| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
+| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
+| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
+| [29. Windows Update](#bkmk-wu) | |  |  |
| [30. Cloud Clipboard](#bkmk-clcp) | |  | |
-| [31. Services Configuration](#bkmk-svccfg) | |  |  |
+| [31. Services Configuration](#bkmk-svccfg) | |  |  |
### Settings for Windows Server 2016 with Desktop Experience
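Review bot: every replaced row in this hunk has visible text identical to the row it replaces, so the change lives inside the check-mark image markup that does not render in this view; please state in the PR description that only the image alt text changed and that no UI, Group Policy or Registry cell gained or lost a mark, because a silently altered cell would misstate which management path exists for a setting. Rows 17, 18 and 30 are left untouched while their neighbours are rewritten, which suggests a search-and-replace edit; a quick check that those rows' images follow the same alt-text convention would keep the table consistent.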
@@ -119,20 +119,20 @@ See the following table for a summary of the management settings for Windows Ser
| Setting | UI | Group Policy | Registry |
| - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
-| [2. Cortana and Search](#bkmk-cortana) | |  |  |
-| [3. Date & Time](#bkmk-datetime) |  |  |  |
-| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
-| [6. Font streaming](#font-streaming) | |  |  |
-| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
-| [8. Internet Explorer](#bkmk-ie) | |  |  |
-| [10. Live Tiles](#live-tiles) | |  |  |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
+| [2. Cortana and Search](#bkmk-cortana) | |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  |  |
+| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
+| [6. Font streaming](#font-streaming) | |  |  |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
+| [8. Internet Explorer](#bkmk-ie) | |  |  |
+| [10. Live Tiles](#live-tiles) | |  |  |
| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
-| [16. OneDrive](#bkmk-onedrive) | |  |  |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
+| [16. OneDrive](#bkmk-onedrive) | |  |  |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [19. Software Protection Platform](#bkmk-spp) | |  |  |
-| [22. Teredo](#bkmk-teredo) | |  |  |
+| [19. Software Protection Platform](#bkmk-spp) | |  |  |
+| [22. Teredo](#bkmk-teredo) | |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
@@ -172,54 +172,54 @@ See the following table for a summary of the management settings for Windows Ser
| - | :-: | :-: | :-: |
| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | |  |  |
| [2. Cortana and Search](#bkmk-cortana) | |  |  |
-| [3. Date & Time](#bkmk-datetime) |  |  |  |
+| [3. Date & Time](#bkmk-datetime) |  |  |  |
| [4. Device metadata retrieval](#bkmk-devinst) | |  |  |
-| [5. Find My Device](#find-my-device) |  |  |  |
+| [5. Find My Device](#find-my-device) |  |  |  |
| [6. Font streaming](#font-streaming) | |  |  |
-| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
+| [7. Insider Preview builds](#bkmk-previewbuilds) |  |  |  |
| [8. Internet Explorer](#bkmk-ie) | |  |  |
| [10. Live Tiles](#live-tiles) | |  |  |
-| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
+| [11. Mail synchronization](#bkmk-mailsync) |  | |  |
| [12. Microsoft Account](#bkmk-microsoft-account) | | |  |
| [13. Microsoft Edge](#bkmk-edge) | |  |  |
| [14. Network Connection Status Indicator](#bkmk-ncsi) | |  |  |
-| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
+| [15. Offline maps](#bkmk-offlinemaps) |  |  |  |
| [16. OneDrive](#bkmk-onedrive) | |  |  |
| [17. Preinstalled apps](#bkmk-preinstalledapps) |  | | |
| [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [18.1 General](#bkmk-general) |  |  |  |
-| [18.2 Location](#bkmk-priv-location) |  |  |  |
-| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
-| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
-| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
-| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
-| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
-| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
-| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
-| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
-| [18.11 Email](#bkmk-priv-email) |  |  |  |
-| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
-| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
-| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
-| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
-| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
-| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
-| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
-| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
-| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
-| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
-| [18.22 Activity History](#bkmk-act-history) |  | |  |
-| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
+| [18.1 General](#bkmk-general) |  |  |  |
+| [18.2 Location](#bkmk-priv-location) |  |  |  |
+| [18.3 Camera](#bkmk-priv-camera) |  |  |  |
+| [18.4 Microphone](#bkmk-priv-microphone) |  |  |  |
+| [18.5 Notifications](#bkmk-priv-notifications) |  |  | |
+| [18.6 Speech](#bkmk-priv-speech) |  |  |  |
+| [18.7 Account info](#bkmk-priv-accounts) |  |  |  |
+| [18.8 Contacts](#bkmk-priv-contacts) |  |  |  |
+| [18.9 Calendar](#bkmk-priv-calendar) |  |  |  |
+| [18.10 Call history](#bkmk-priv-callhistory) |  |  |  |
+| [18.11 Email](#bkmk-priv-email) |  |  |  |
+| [18.12 Messaging](#bkmk-priv-messaging) |  |  |  |
+| [18.13 Phone calls](#bkmk-priv-phone-calls) |  |  |  |
+| [18.14 Radios](#bkmk-priv-radios) |  |  |  |
+| [18.15 Other devices](#bkmk-priv-other-devices) |  |  |  |
+| [18.16 Feedback & diagnostics](#bkmk-priv-feedback) |  |  |  |
+| [18.17 Background apps](#bkmk-priv-background) |  |  |  |
+| [18.18 Motion](#bkmk-priv-motion) |  |  |  |
+| [18.19 Tasks](#bkmk-priv-tasks) |  |  |  |
+| [18.20 App Diagnostics](#bkmk-priv-diag) |  |  |  |
+| [18.21 Inking & Typing](#bkmk-priv-ink) |  | |  |
+| [18.22 Activity History](#bkmk-act-history) |  | |  |
+| [18.23 Voice Activation](#bkmk-voice-act) |  | |  |
| [19. Software Protection Platform](#bkmk-spp) | |  |  |
| [20. Storage Health](#bkmk-storage-health) | |  |  |
-| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
+| [21. Sync your settings](#bkmk-syncsettings) |  |  |  |
| [22. Teredo](#bkmk-teredo) | |  |  |
-| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
+| [23. Wi-Fi Sense](#bkmk-wifisense) |  |  |  |
| [24. Microsoft Defender Antivirus](#bkmk-defender) | |  |  |
-| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
+| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
-| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
-| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
+| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
| [30. Cloud Clipboard](#bkmk-clcp) | |  | |
| [31. Services Configuration](#bkmk-svccfg) | |  |  |
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 8ac3729427..69dba47679 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
> **Note** You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
- 
+ 
3. Close Active Directory Users and Computers.
@@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s
5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**.
- 
+ 
6. Name the GPO, and > **OK**.
7. Expand the GPO, right-click the new GPO, and > **Edit**.
- 
+ 
8. Configure which members of accounts can log on locally to these administrative workstations as follows:
@@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
5. Click **Add User or Group**, type **Administrators**, and > **OK**.
- 
+ 
9. Configure the proxy configuration:
@@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**.
- 
+ 
10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
@@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s
1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**.
- 
+ 
2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.
- 
+ 
3. Click **OK** to complete the configuration.
@@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Right-click **Group Policy Objects**, and > **New**.
- 
+ 
4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**.
- 
+ 
5. Right-click **New GPO**, and > **Edit**.
@@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**.
- 
+ 
**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
- 
+ 
**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**.
- 
+ 
**Note**
You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
1. Right-click the workstation OU, and then > **Link an Existing GPO**.
- 
+ 
2. Select the GPO that you just created, and > **OK**.
- 
+ 
10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
@@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i
As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.
-
+
## Secure and manage domain controllers
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index d67808e585..6ad17afded 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -367,15 +367,15 @@ The following table shows the Group Policy and registry settings that are used t
3. In the console tree, right-click **Group Policy Objects**, and > **New**.
- 
+ 
4. In the **New GPO** dialog box, type <**gpo\_name**>, and > **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
- 
+ 
5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
- 
+ 
6. Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
@@ -391,7 +391,7 @@ The following table shows the Group Policy and registry settings that are used t
2. Right-click **Registry**, and > **New** > **Registry Item**.
- 
+ 
3. In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
@@ -407,7 +407,7 @@ The following table shows the Group Policy and registry settings that are used t
9. Verify this configuration, and > **OK**.
- 
+ 
8. Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
@@ -415,7 +415,7 @@ The following table shows the Group Policy and registry settings that are used t
2. Right-click the **Workstations** OU, and > **Link an existing GPO**.
- 
+ 
3. Select the GPO that you just created, and > **OK**.
@@ -495,11 +495,11 @@ The following table shows the Group Policy settings that are used to deny networ
4. In the **New GPO** dialog box, type <**gpo\_name**>, and then > **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer.
- 
+ 
5. In the details pane, right-click <**gpo\_name**>, and > **Edit**.
- 
+ 
6. Configure the user rights to deny network logons for administrative local accounts as follows:
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index e770d29de4..be0a573f71 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
-
+
The individual values of a SID are described in the following table.
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
index 26564af45a..293acd13c9 100644
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ b/windows/security/identity-protection/access-control/security-principals.md
@@ -42,7 +42,7 @@ The following diagram illustrates the Windows authorization and access control
**Authorization and access control process**
-
+
Security principals are closely related to the following components and technologies:
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index f055141697..9423de2923 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -52,11 +52,11 @@ On the device, perform the following steps: (add select certificate)
2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
- :::image type="content" alt-text="settings icon in mail app" source="images/mailsettings.png":::
+ :::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
3. Tap **Email security**.
- :::image type="content" alt-text="email security settings" source="images/emailsecurity.png":::
+ :::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
4. In **Select an account**, select the account for which you want to configure S/MIME options.
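Review bot: the section heading shown in the hunk header still carries what looks like an authoring placeholder, "(add select certificate)"; since this file is being edited anyway, either remove it or replace it with the intended wording. The alt-text changes themselves are consistent with the trailing period used in the other image directives.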
@@ -77,7 +77,7 @@ On the device, perform the following steps: (add select certificate)
2. Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
- :::image type="content" alt-text="sign or encrypt message" source="images/signencrypt.png":::
+ :::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
## Read signed or encrypted messages
@@ -93,5 +93,5 @@ When you receive a signed email, the app provide feature to install correspondin
3. Tap **Install.**
- :::image type="content" alt-text="message security information" source="images/installcert.png":::
+ :::image type="content" alt-text="message security information." source="images/installcert.png":::
\ No newline at end of file
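Review bot: the file still ends without a trailing newline (the "\ No newline at end of file" marker applies to both the old and the new last line). Since the change already touches the final line, add the newline so later diffs of this file stay clean.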
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 8d0219c5dd..b122158529 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -33,7 +33,7 @@ When Windows Defender Credential Guard is enabled, Kerberos does not allow uncon
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
-
+
## See also
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index c737034fd5..936172770d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -45,7 +45,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
5. In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details.
- 
+ 
6. Close the Group Policy Management Console.
@@ -168,7 +168,7 @@ You can view System Information to check that Windows Defender Credential Guard
Here's an example:
> [!div class="mx-imgBorder"]
- > 
+ > 
You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 8a678b6ff4..fea29a3fc3 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -176,7 +176,7 @@ Certutil writes the binary information to the following registration location:
| Value | Binary contents from the certificate pin rules certificate trust list file |
| Data type | REG_BINARY |
-
+
### Deploying Enterprise Pin Rule Settings using Group Policy
@@ -203,7 +203,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti
11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal). Click **OK** to save your settings and close the dialog box.
- 
+ 
12. Close the **Group Policy Management Editor** to save your settings.
13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
@@ -258,7 +258,7 @@ These dates must be properly formatted and represented in UTC.
You can use Windows PowerShell to format these dates.
You can then copy and paste the output of the cmdlet into the XML file.
-
+
For simplicity, you can truncate decimal point (.) and the numbers after it.
However, be certain to append the uppercase “Z” to the end of the XML date string.
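Review bot: the context line "you can truncate decimal point (.) and the numbers after it" is missing an article; since the hunk is already in this paragraph, change it to "you can truncate the decimal point (.) and the numbers after it" in the same change.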
@@ -272,7 +272,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s
You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date.
-
+
## Representing a Duration in XML
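Review bot: the context line "use Windows PowerShell to validate convert an XML date into a human readable date to validate it's the correct date" has a stray word and says "validate" twice; suggest "use Windows PowerShell to convert an XML date into a human-readable date and validate that it is the correct date".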
@@ -280,13 +280,13 @@ Some elements may be configured to use a duration rather than a date.
You must represent the duration as an XML timespan data type.
You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
-
+
## Converting an XML Duration
You can convert a XML formatted timespan into a timespan variable that you can read.
-
+
## Certificate Trust List XML Schema Definition (XSD)
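Review bot: "You can convert a XML formatted timespan" should read "an XML-formatted timespan"; minor, but the hunk already touches the adjacent line.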
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index b7018e4477..f80ffec25c 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -372,11 +372,11 @@ The Group Policy object contains the policy settings needed to trigger Windows H
7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
- 
+ 
8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**. The **Options** section populates the policy setting with default values.
- 
+ 
9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 16be1aa6bc..25d27e28d3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -38,23 +38,23 @@ Determining an adequate number of Windows Server domain controllers is important
Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
-
+
The environment changes. The first change includes DC1 upgraded to Windows Server 2016 or later to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
-
+
The Windows Server 2016 or later domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2016 and above domain controller supports public key trust authentication. The Windows Server 2016 and above domain controller still understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 or later domain controller is added, but without deploying Windows Hello for Business to any more clients?
-
+
Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load. But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same.
-
+
Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment.
-
+
You'll notice the distribution did not change. Each Windows Server 2016 or later domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers.
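Review bot: the walkthrough switches terminology midway: every other paragraph says "Windows Server 2016 or later" domain controllers, but the paragraph after the third image says "Both Windows Server 2019 domain controllers still share 10 percent of this load." Use one phrase throughout so readers do not think a different OS version is meant. Also, "Now look the scenario when half of the client computers are upgraded" is missing "at".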
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index ab73eab4f9..f354ae19d4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -91,7 +91,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- 
+ 
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished.
10. Click **Enroll**.
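Review bot: step 7 ends without a period ("...Click here to configure settings** link"), and step 9 is missing an article in "Repeat the same to add device registration service name" ("the device registration service name"). Both are on context lines adjacent to this hunk, so they are cheap to fix here.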
@@ -184,7 +184,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-
+
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
@@ -204,7 +204,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-
+
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
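Review bot: this hunk and the preceding one are the same three-step procedure (Start Server Manager, click the notification flag, create the first federation server farm), but the earlier one names the example federation service *fs.corp.contoso.com* / *fs.contoso.com* and this one names fs.corp.mstepdemo.net / fs.mstepdemo.net. The rest of the file uses contoso.com (fs.corp.contoso.com, enterpriseregistration.contoso.com), so use the contoso.com names here as well, italicized to match.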
@@ -456,7 +456,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
6. On the **Select server roles** page, click **Next**.
7. Select **Network Load Balancing** on the **Select features** page.
8. Click **Install** to start the feature installation.
- 
+ 
### Configure Network Load Balancing for AD FS
@@ -465,25 +465,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
Sign-in a node of the federation farm with _Admin_ equivalent credentials.
1. Open **Network Load Balancing Manager** from **Administrative Tools**.
- 
+ 
2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
- 
+ 
4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
- 
+ 
7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
- 
+ 
8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
9. In Port Rules, click Edit to modify the default port rules to use port 443.
- 
+ 
### Additional AD FS Servers
1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
- 
+ 
## Configure DNS for Device Registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 0686de8a9a..57f12a0692 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -34,7 +34,7 @@ To locate the schema master role holder, open and command prompt and type:
```Netdom query fsmo | findstr -i “schema”```
-
+
The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
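Review bot: the command ```Netdom query fsmo | findstr -i “schema”``` uses typographic quotes (“ ”); cmd.exe does not treat them as quoting, so findstr receives them as literal characters in the search string and matches nothing. Replace them with straight quotes ("schema"). The following context line, "where you need to adprep.exe", is missing a verb ("where you need to run adprep.exe"), and the hunk header reads "open and command prompt" for "open a command prompt".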
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index bafde6afc2..0bbce98b00 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -51,7 +51,7 @@ Three approaches are documented here:
1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
- 
+ 
1. On the **Compatibility** tab:
1. Clear the **Show resulting changes** check box
@@ -109,7 +109,7 @@ Three approaches are documented here:
1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
- 
+ 
1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
@@ -123,7 +123,7 @@ Three approaches are documented here:
1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
- 
+ 
1. On the Certificate Enrollment screen, click **Next**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 476aed7683..48a0d130df 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the **
The following image shows an example of an error during **Create a PIN**.
-
+
## Error mitigations
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 0ecc622ba4..2fbed0b012 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -97,20 +97,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
- 
+ 
1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
- 
+ 
> [!NOTE]
> After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
- :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
+ :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
### Configure Windows devices to use PIN reset using Group Policy
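Review bot: the verification step names the applications inconsistently: "Microsoft PIN Reset Service" and "Microsoft PIN Reset Client" in the first sentence, then "Microsoft Pin Reset Service Production" and "Microsoft Pin Reset Client Production" in the second; use the names exactly as they appear in the **Enterprise applications** blade. Separately, the sign-in link in the step above embeds a fixed `state=` value; in OAuth 2.0 the `state` parameter is meant to be a per-request, unguessable value that binds the response to the session that started it, so a constant in public documentation provides no such binding. Confirm with the service owners that this exact URL is the intended, vendor-supplied consent link rather than a captured one.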
@@ -210,7 +210,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
- **Data type:** String
- **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
- :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
+ :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
1. Click the Save button to save the custom configuration.
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 30dc6c78e6..b5361a656c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -55,7 +55,7 @@ Windows Hello for Business emulates a smart card for application compatibility.
Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates. You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
> [!div class="mx-imgBorder"]
-> 
+> 
> [!IMPORTANT]
> The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.
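Review bot: the context sentence "Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues..." is a run-on; suggest "Users appreciate the convenience of biometrics and administrators value the security. However, you may experience compatibility issues with your applications and Windows Hello for Business certificates."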
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index a90f1587c2..1efcc90b24 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -31,7 +31,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
## Azure AD join authentication to Azure Active Directory
-
+
| Phase | Description |
| :----: | :----------- |
@@ -42,7 +42,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.|
## Azure AD join authentication to Active Directory using a Key
-
+
| Phase | Description |
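Review bot: in the phase E row, "informs winlogon of the success authentication" should be "successful authentication"; this row is context for the hunk, so it can be corrected in the same change.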
@@ -56,7 +56,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
## Azure AD join authentication to Active Directory using a Certificate
-
+
| Phase | Description |
| :----: | :----------- |
@@ -69,7 +69,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
## Hybrid Azure AD join authentication using a Key
-
+
| Phase | Description |
| :----: | :----------- |
@@ -85,7 +85,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
> In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
## Hybrid Azure AD join authentication using a Certificate
-
+
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 0fb161ccb5..20008e7565 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -37,7 +37,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
## Azure AD joined provisioning in a Managed environment
-
+
| Phase | Description |
| :----: | :----------- |
@@ -48,7 +48,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Azure AD joined provisioning in a Federated environment
-
+
| Phase | Description |
| :----: | :----------- |
@@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
-
+
| Phase | Description |
@@ -76,7 +76,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
-
+
| Phase | Description |
@@ -94,7 +94,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Key Trust deployment
-
+
| Phase | Description |
| :----: | :----------- |
@@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Domain joined provisioning in an On-premises Certificate Trust deployment
-
+
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 8e0a208a86..13246cec6f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -40,19 +40,19 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
-
+
### Azure Active Directory Device Registration
A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
-
+
### CRL Distribution Point (CDP)
Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.
-
+
The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
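Review bot: "When a certificate authority revokes as certificate" should be "revokes a certificate". In the paragraph after the image, "CRL distribution path (CDP)" contradicts the heading "CRL Distribution Point (CDP)"; the acronym expands to distribution point, so use that wording.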
@@ -122,16 +122,16 @@ You need to host your new certificate revocation list of a web server so Azure A
1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**.
- 
+ 
> [!NOTE]
> Make note of this path as you will use it later to configure share and file permissions.
4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane.
5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**.
6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
- 
+ 
In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**. Click **Apply** in the actions pane.
- 
+ 
7. Close **Internet Information Services (IIS) Manager**.
#### Create a DNS resource record for the CRL distribution point URL
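Review bot: step 6 enables **allowDoubleEscaping** without saying why or what it relaxes. Add a sentence explaining that it is needed because delta CRL file names contain a plus sign (<CA name>+.crl), which IIS request filtering would otherwise reject as a double-escaped URL, and note that the setting applies only to the **cdp** virtual directory selected in step 5, not to the whole site. Also, "named value-pairs" should be "name-value pairs", and step 2 writes the site name as both **Default Web Site** and **Default Web site**.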
@@ -139,7 +139,7 @@ You need to host your new certificate revocation list of a web server so Azure A
1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**.
-
+
4. Close the **DNS Manager**.
### Prepare a file share to host the certificate revocation list
@@ -151,12 +151,12 @@ These procedures configure NTFS and share permissions on the web server to allow
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.
-
+
4. In the **Permissions for cdp$** dialog box, click **Add**.
5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**.
7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
-
+
9. In the **Advanced Sharing** dialog box, click **OK**.
> [!Tip]
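Review bot: The step numbering jumps from 5 to 7, so either step 6 was lost or the list needs renumbering. In step 8, "**Group or user names list**" bolds the word "list" as if it were part of the control name; the later hunk writes it correctly as "**Group or user names** list". Also consider whether **Full control** on the share is really needed for the CA computer account, which only has to write CRL files; if Change is sufficient the doc should grant that instead, and if Full control is required it should say why.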
@@ -166,7 +166,7 @@ These procedures configure NTFS and share permissions on the web server to allow
1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
-
+
4. Click **OK**.
#### Configure NTFS permission for the CDP folder
@@ -175,7 +175,7 @@ These procedures configure NTFS and share permissions on the web server to allow
2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab.
3. On the **Security** tab, click Edit.
5. In the **Permissions for cdp** dialog box, click **Add**.
-
+
6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**.
7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
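Review bot: The list goes from step 3 straight to step 5, so step 4 is missing or the numbering is off. Same least-privilege question as the share permissions: the NTFS ACE is **Full control** for the certificate authority where write access to the folder is what CRL publishing needs. Minor: "click Edit" in step 3 should be "click **Edit**" to match the bolding of every other control name.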
@@ -192,11 +192,11 @@ The web server is ready to host the CRL distribution point. Now, configure the
2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
4. On the **Extensions** tab, click **Add**. Type http://crl.[domainname]/cdp/ in **location**. For example, ** or ** (do not forget the trailing forward slash).
- 
+ 
5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
7. Select the CDP you just created.
- 
+ 
8. Select **Include in CRLs. Clients use this to find Delta CRL locations**.
9. Select **Include in the CDP extension of issued certificates**.
10. Click **Apply** save your selections. Click **No** when ask to restart the service.
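Review bot: Step 4 reads "For example, ** or **" and step 5 reads "Select **\** from the **Variable** list" three times, so the example URLs and the three variable names are empty in the rendered text; the reader cannot build the CDP location from this and the values need to be filled in. Step 10 "Click **Apply** save your selections. Click **No** when ask to restart the service." should be "Click **Apply** to save your selections. Click **No** when asked to restart the service." Step 2 is also missing its terminating period.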
@@ -213,7 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
6. Type **.crl** at the end of the text in **Location**. Click **OK**.
7. Select the CDP you just created.
- 
+ 
8. Select **Publish CRLs to this location**.
9. Select **Publish Delta CRLs to this location**.
10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box.
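Review bot: Same defects as the CDP hunk above: step 5 shows three empty "**\**" variable names, and step 10 should read "Click **Apply** to save your selections. Click **Yes** when asked to restart the service." Since this location is the publishing path (**Publish CRLs to this location**) rather than the URL placed in certificates, a one-line lead-in saying that this second entry is the file-system or UNC path the CA writes to would stop readers from entering the http URL twice.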
@@ -222,7 +222,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
-
+
3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
#### Validate CDP Publishing
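Review bot: Step 2 is missing its terminating period after "**Publish**", and "sign-in as a local administrator" in step 1 uses the noun form as a verb; "sign in as a local administrator" (same pattern recurs in later hunks).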
@@ -230,7 +230,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
Validate your new CRL distribution point is working.
1. Open a web browser. Navigate to http://crl.[yourdomain].com/cdp. You should see two files created from publishing your new CRL.
- 
+ 
### Reissue domain controller certificates
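Review bot: The validation URL `http://crl.[yourdomain].com/cdp` uses a different placeholder form from the `http://crl.[domainname]/cdp/` entered in the CA extension earlier, and the two should match so the reader tests the same URL the certificates will carry. "You should see two files" would be more useful as "the base CRL and the delta CRL" so the reader knows what a correct result looks like; if only one appears, delta publishing is not working.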
@@ -239,9 +239,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
1. Sign-in a domain controller using administrative credentials.
2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-
+
4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**.
-
+
5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**.
6. After the enrollment completes, click **Finish** to close the wizard.
7. Repeat this procedure on all your domain controllers.
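Review bot: Step 3 drops a relative pronoun: "select the existing domain controller certificate includes **KDC Authentication**" should be "the existing domain controller certificate that includes **KDC Authentication**". Step 1 "Sign-in a domain controller" should be "Sign in to a domain controller".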
@@ -259,7 +259,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**.
5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
-
+
## Configure and Assign a Trusted Certificate Device Configuration Profile
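Review bot: Step 4 names the field **CRL Distribution Points** and then says "Select **CRL Distribution Point**" (singular); the two should agree. Step 3 has the same missing "that" as the previous hunk ("certificate includes **KDC Authentication**").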
@@ -276,13 +276,13 @@ Steps you will perform include:
2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
4. Click the **Certification Path** tab. In the **Certification path** view, select the top most node and click **View Certificate**.
-
+
5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
-
+
6. In the **Certificate Export Wizard**, click **Next**.
7. On the **Export File Format** page of the wizard, click **Next**.
8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
-
+
9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
### Create and Assign a Trust Certificate Device Configuration Profile
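Review bot: The new heading "Create and Assign a Trust Certificate Device Configuration Profile" does not match the profile type **Trusted certificate** and the section heading "Configure and Assign a Trusted Certificate Device Configuration Profile" above it; use "Trusted Certificate". In step 4 "top most" should be "topmost", and step 3 repeats the missing "that" ("certificate includes **KDC Authentication**").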
@@ -291,12 +291,12 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.
-
+
3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**.
4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**.
-
+
5. In the **Enterprise Root Certificate** blade, click **Assignments**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
-
+
6. Sign out of the Microsoft Azure Portal.
> [!NOTE]
> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
@@ -310,7 +310,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Choose **Enroll devices**.
4. Select **Windows enrollment**.
5. Under **Windows enrollment**, select **Windows Hello for Business**.
- 
+ 
6. Select **Enabled** from the **Configure Windows Hello for Business** list.
7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
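Review bot: Step 7 "falls backs to software" should be "falls back to software". The same step would also help readers if it said plainly that selecting **Required** means devices without a TPM 1.2 or 2.0 will not be able to provision Windows Hello for Business at all, since that is the operational consequence of refusing software-backed keys.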
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index b8ce7af3da..e4ada9da90 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -82,7 +82,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni
2. Click **Login** and provide Azure credentials
3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
- 
+ 
## Prepare the Network Device Enrollment Services (NDES) Service Account
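Review bot: The section heading shown in the hunk header misspells the attribute as "onPremisesDistingushedNamne"; the attribute in step 4 is written correctly as **onPremisesDistinguishedName**, so the heading should be fixed to match. Step 3 "the user principal name of user" should be "of the user", and steps 2 and 3 are missing their terminating periods.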
@@ -259,15 +259,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
1. Open **Server Manager** on the NDES server.
2. Click **Manage**. Click **Add Roles and Features**.
3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
- 
+ 
4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
- 
+ 
Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
- 
+ 
5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
- 
+ 
6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
- 
+ 
7. Click **Next** on the **Web Server Role (IIS)** page.
8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
* **Web Server > Security > Request Filtering**
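Review bot: Step 8 reads "for the Web Serve role, Select the following" and should be "for the Web Server role, select the following". Step 3 also capitalizes "Click" mid-sentence after "Click **Next**." twice in a row; consider splitting it into two sentences per action.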
@@ -275,11 +275,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
* **Web Server > Application Development > ASP.NET 4.5**. .
* **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
* **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
- 
+ 
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
> [!IMPORTANT]
> .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\
- 
+ 
### Configure the NDES service account
This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation
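Review bot: The list item "**Web Server > Application Development > ASP.NET 4.5**. ." has a stray ". ." after the bold text. In the IMPORTANT note the alternate source path "\:\\Sources\SxS\" is missing its drive or share placeholder, so it cannot be typed as given; the placeholder needs restoring. The sentence under the "Configure the NDES service account" heading is also missing its terminating period.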
@@ -308,7 +308,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
> [!NOTE]
> If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
-
+
#### Configure the NDES Service account for delegation
The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
@@ -317,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
1. Open **Active Directory Users and Computers**
2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
- 
+ 
3. Select **Trust this user for delegation to specified services only**.
4. Select **Use any authentication protocol**.
5. Click **Add**.
6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
- 
+ 
7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
- 
+ 
10. Click **OK**. Close **Active Directory Users and Computers**.
### Configure the NDES Role and Certificate Templates
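Review bot: Step 9 says "Repeat steps 8 and 9", which refers to itself; it should be "Repeat steps 7 and 8" (the **Add** and the certificate authority entry). Step 6 misspells "**Avaiable services**" (the same list is spelled **Available services** in step 8). Since step 4 selects **Use any authentication protocol**, which enables protocol transition and is broader than Kerberos-only delegation, the doc should say briefly why that setting is required here so that administrators do not "tighten" it later and break enrollment.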
@@ -338,21 +338,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
> [!NOTE]
> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
-
+
1. Click the **Configure Active Directory Certificate Services on the destination server** link.
2. On the **Credentials** page, click **Next**.
- 
+ 
3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
- 
+ 
4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
- 
+ 
5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
- 
+ 
6. On the **RA Information**, click **Next**.
7. On the **Cryptography for NDES** page, click **Next**.
8. Review the **Confirmation** page. Click **Configure**.
- 
+ 
8. Click **Close** after the configuration completes.
#### Configure Certificate Templates on NDES
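Review bot: Two consecutive steps are numbered 8 ("Review the **Confirmation** page" and "Click **Close**"); the second should be 9. The NOTE misspells "Server Manger" as the product name in one place and spells "Server Manager" correctly in the same sentence. Step 3 is missing its terminating period.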
@@ -407,18 +407,18 @@ Sign-in a workstation with access equivalent to a _domain user_.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
- 
+ 
5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
> [!IMPORTANT]
> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
6. Start **AADApplicationProxyConnectorInstaller.exe**.
7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**.
- 
+ 
8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
- 
+ 
9. When the installation completes. Read the information regarding outbound proxy servers. Click **Close**.
- 
+ 
10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
#### Create a Connector Group
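Review bot: Step 10 "Repeat steps 5 - 10 for each device" includes itself; it should be "Repeat steps 5 through 9". Step 9 "When the installation completes. Read the information" is a sentence fragment; "When the installation completes, read the information regarding outbound proxy servers." Step 8 would also read better with a note that the sign-in happens inside the installer, so readers do not look for a browser prompt.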
@@ -427,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**.
3. Under **MANAGE**, click **Application proxy**.
- 
+ 
4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
- 
+ 
5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
6. Click **Save**.
@@ -443,7 +443,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
7. Under **Internal URL**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
- 
+ 
8. Select **Passthrough** from the **Pre Authentication** list.
9. Select **NDES WHFB Connectors** from the **Connector Group** list.
10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
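Review bot: Step 7 is labelled "Under **Internal URL**" but describes the external hostname and DNS suffix, so it should be "Under **External URL**". In the same step the recommended suffix is written "-[tenantName].msapproxy.net" while the example is "msappproxy.net"; the Application Proxy domain is msappproxy.net, so the first spelling is wrong. Step 6 has a stray closing parenthesis after the example URL. Because step 8 selects **Passthrough**, the doc should say why Azure AD pre-authentication cannot be used for this endpoint and what still protects it (the NDES/SCEP challenge handled by the Intune policy module), since Passthrough publishes the NDES URL to the Internet without an Azure AD sign-in in front of it.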
@@ -465,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- 
+ 
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
9. Click **Enroll**
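Review bot: Two consecutive steps are numbered 9 (the **Alternative name** entries and "Click **Enroll**"); the second should be 10. Step 7 and the final step are missing their terminating periods.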
@@ -478,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
- 
+ 
3. Click **Bindings...*** under **Actions**. Click **Add**.
- 
+ 
4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**.
- 
+ 
6. Select **http** from the **Site Bindings** list. Click **Remove**.
7. Click **Close** on the **Site Bindings** dialog box.
8. Close **Internet Information Services (IIS) Manager**.
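Review bot: Step 3 "**Bindings...***" has an extra asterisk, which breaks the bold markup. Otherwise the sequence is sound; removing the **http** binding in step 6 is the right move once the **https** binding exists, and it might be worth saying so in one clause so readers do not skip it.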
@@ -509,10 +509,10 @@ Sign-in the NDES server with access equivalent to _local administrator_.
A web page similar to the following should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
-
+
Confirm the web site uses the server authentication certificate.
-
+
## Configure Network Device Enrollment Services to work with Microsoft Intune
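Review bot: The event source is misspelled as "**NetworkDeviceEnrollmentSerice**"; it should be **NetworkDeviceEnrollmentService**, otherwise readers filtering the application log by source will find nothing. The same misspelling appears again in the "Test the NDES Connector" hunk below.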
@@ -527,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**.
3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane.
- 
+ 
4. Select **Allow unlisted file name extensions**.
5. Select **Allow unlisted verbs**.
6. Select **Allow high-bit characters**.
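Review bot: Steps 4 through 6 relax request filtering on the **Default Web Site** (unlisted extensions, unlisted verbs, high-bit characters) with no explanation, and a security reviewer will flag these as weakening a hardened baseline. The doc should state which SCEP/Intune request characteristic each setting accommodates, and note that because step 2 selects **Default Web Site** the relaxation applies to every application under the site, not only `/certsrv/mscep`, so administrators can decide whether to scope it more narrowly.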
@@ -554,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
- 
+ 
4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
5. Sign-out of the Microsoft Endpoint Manager admin center.
@@ -564,26 +564,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
3. On the **Microsoft Intune** page, click **Next**.
- 
+ 
4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation.
5. On the **Destination Folder** page, click **Next**.
6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
- 
+ 
7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**.
- 
+ 
> [!NOTE]
> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page.
8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
- 
+ 
> [!NOTE]
> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
- 
+ 
### Configure the Intune Certificate Connector
Sign-in the NDES server with access equivalent to _domain administrator_.
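Review bot: Typos in this hunk: "the application rembers the selection" (remembers); "ON the **Ready to install Microsoft Intune Connector** page. Click **Install**." should be "On the **Ready to install Microsoft Intune Connector** page, click **Install**." In step 7, "Click **Select**" is capitalized mid-sentence. The line under the new "Configure the Intune Certificate Connector" heading, "Sign-in the NDES server", should be "Sign in to the NDES server".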
@@ -594,10 +594,10 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
> If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**.
2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. Click **Apply**
- 
+ 
3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
- 
+ 
> [!IMPORTANT]
> The user account must have a valid Intune license assigned. If the user account does not have a valid Intune license, the sign-in fails.
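Review bot: The path "**\\NDESConnectorUI\NDESConnectorUI.exe**" in the NOTE appears truncated (the leading installation folder is missing), so it cannot be used as written; the same truncated path recurs in the "Enable the NDES Connector for certificate revocation" hunk below. Step 2 is missing its terminating period after "Click **Apply**".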
@@ -614,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival
1. Start the **Certification Authority** management console.
2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**.
- 
+ 
4. Close the **Certification Authority**
#### Enable the NDES Connector for certificate revocation
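Review bot: "Click *Check Names*" uses single asterisks (italic) where every other control name is bold. More substantively, granting **Issue and Manage Certificates** makes the NDES service account a certificate manager on the CA, which also allows it to approve pending requests and revoke any certificate; since the next section is "Enable the NDES Connector for certificate revocation", the doc should say that this permission exists to let the connector revoke certificates and that the account therefore needs to be protected accordingly. Step 4 is missing its terminating period.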
@@ -622,7 +622,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**).
2. Click the **Advanced** tab. Select **Specify a different account username and password**. Type the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**.
- 
+ 
3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
### Test the NDES Connector
@@ -641,7 +641,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
```
where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
- 
+ 
6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
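Review bot: "**NetworkDeviceEnrollmentSerice**" is misspelled again here; the source name is **NetworkDeviceEnrollmentService**. The explanatory line "where **[fqdnHostName]** is the fully qualified internal DNS host name" follows the closing code fence with no blank line, so it may render attached to the code block depending on the renderer.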
@@ -656,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**.
6. Provide a **Group description**, if applicable.
7. Select **Assigned** from the **Membership type** list.
- 
+ 
8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**.
9. Click **Create**.
@@ -666,7 +666,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
2. Select **Devices**, and then click **Configuration Profiles**.
3. Select **Create Profile**.
- 
+ 
4. Select **Windows 10 and later** from the **Platform** list.
5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
@@ -689,7 +689,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
- 
+ 
17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
18. Click **Next**.
19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
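Review bot: The example SCEP URL in step 17, `https://ndes-mtephendemo.msappproxy.net/...`, does not match the external hostname used elsewhere in this file (`ndes-mstephendemo.msappproxy.net`); the examples should be consistent so readers can trace the same deployment through the doc. Step 15 is fine: 1.3.6.1.4.1.311.20.2.2 is the Smart Card Logon EKU OID.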
@@ -702,7 +702,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
3. Click **WHFB Certificate Enrollment**.
4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
- 
+ 
6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
7. Click **Review + Save**, and then **Save**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index e80dc75f72..9e100bc146 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -70,7 +70,7 @@ To locate the schema master role holder, open and command prompt and type:
```Netdom query fsmo | findstr -i schema```
-
+
The command should return the name of the domain controller where you need to run adprep.exe. Update the schema locally on the domain controller hosting the Schema master role.
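Review bot: The command ```Netdom query fsmo | findstr -i schema``` is written with triple backticks on a single line, which renders as inline code rather than a code block; use a fenced block on its own lines (as the rest of the file does) or single backticks inline. The hunk header text "open and command prompt" should be "open a command prompt".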
@@ -114,14 +114,14 @@ When you are ready to install, follow the **Configuring federation with AD FS**
### Create AD objects for AD FS Device Authentication
If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.
-
+
> [!NOTE]
> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1.
1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
-
+
2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands:
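Review bot: step 2 says "ensure you are logged in as AD DS user with enterprise administrator privileges"; it needs an article ("as an AD DS user"). In step 1, the Server Manager wizard is named "Add Roles and Features", not "Add Roles & Features", so the bold UI label should match the product text.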
@@ -132,7 +132,7 @@ If your AD FS farm is not already configured for Device Authentication (you can
> [!NOTE]
> If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
-
+
The above PSH creates the following objects:
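Review bot: the note under `> [!NOTE]` writes the account type as GMSA; Microsoft documentation spells it gMSA (group Managed Service Account). The quoted format "domain\accountname$" is better written as a code span (`domain\accountname$`) so the backslash and trailing $ are rendered literally and are obviously meant to be typed. The following line abbreviates PowerShell as "PSH"; spell it out or use "PowerShell" as the rest of the file does.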
@@ -140,11 +140,11 @@ The above PSH creates the following objects:
- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration
- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration
-
+
4. Once this is done, you will see a successful completion message.
-
+
### Create Service Connection Point (SCP) in Active Directory
If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
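Review bot: the sentence under "Create Service Connection Point (SCP) in Active Directory" says "as described here", but the visible line carries no link target, and the sentence has no terminating period; either link "here" to the topic that describes Windows 10 domain join with automatic registration, or drop the phrase.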
@@ -155,13 +155,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure
> [!NOTE]
> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
-
+
2. Provide your Azure AD global administrator credentials
`PS C:>$aadAdminCred = Get-Credential`
-
+
3. Run the following PowerShell command
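Review bot: the code span in step 2 mixes prompt and command (`PS C:>$aadAdminCred = Get-Credential`); either drop the prompt so the span is just `$aadAdminCred = Get-Credential`, or write it as `PS C:\>` so readers do not paste the prompt text. Steps 2 and 3 ("Provide your Azure AD global administrator credentials", "Run the following PowerShell command") also lack terminating periods.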
@@ -517,7 +517,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
- Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain>
- Container Device Registration Service DKM under the above container
-
+
- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain>
- read/write access to the specified AD connector account name on the new object
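Review bot: the placeholders `<domain>` and `<guid>` in the DN list items (CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> and CN=<guid>, CN=Device Registration Configuration,...) are unescaped in plain markdown text, so a renderer can treat them as HTML tags and drop them; wrap each DN in a code span or escape the angle brackets. The object class on the third list item is written "serviceConnectionpoint"; the schema class ldapDisplayName is serviceConnectionPoint (capital P).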
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index cfaf049efd..35bd16ed3e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
-
+
The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
-
+
The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-
+
After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment.
-
+
The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
* A successful single factor authentication (username and password at sign-in)
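Review bot: the MFA paragraph says "A failed or timeout MFA results in an error"; "timeout" is a noun, so this should read "A failed or timed-out MFA". The same paragraph capitalizes "Multi-Factor authentication" inconsistently with "MFA" elsewhere. Also "The first thing to validate is the computer has processed device registration" reads better as "is that the computer has processed device registration".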
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 9caf362da6..e60e0b15f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
-
+
The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name. The user clicks **Setup a PIN**.
-
+
The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment. Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA. The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
-
+
After a successful MFA, the provisioning flow asks the user to create and validate a PIN. This PIN must observe any PIN complexity requirements that you deployed to the environment.
-
+
The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
* A successful single factor authentication (username and password at sign-in)
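Review bot: this hunk in hello-hybrid-key-whfb-provision.md is word-for-word the same as the hunk in hello-hybrid-cert-whfb-provision.md earlier in this diff (same "## Provisioning" text, same image lines at the same offsets, same "Setup a PIN" and MFA paragraphs); consider moving the shared text into an include so the two files cannot drift. The same wording fixes apply here: "A failed or timeout MFA" should be "A failed or timed-out MFA", and "The first thing to validate is the computer has processed" should be "is that the computer has processed".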
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 99491fb5c3..4e83f31ec3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -73,7 +73,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
5. Click **Next** on the **Select Certificate Enrollment Policy** page.
6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
- 
+ 
8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished.
9. Click **Enroll**.
@@ -155,7 +155,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
- 
+ 
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
@@ -175,7 +175,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
- 
+ 
3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
4. Click **Next** on the **Connect to Active Directory Domain Services** page.
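Review bot: the steps in the hunks at @@ -155 and @@ -175 of hello-key-trust-adfs.md are identical ("Sign-in the federation server with _Domain Admin_ equivalent credentials...", "1. Start **Server Manager**.", "2. Click the notification flag...", "3. On the **Welcome** page...", "4. Click **Next** on the **Connect to Active Directory Domain Services** page."); if the two procedures differ only in later steps, a shared include or a single procedure with a branch would avoid maintaining the same screenshot and text twice. Also "Sign-in the federation server" uses the noun form as a verb; the verb form is "Sign in to the federation server" (same issue in the header context of both hunks).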
@@ -262,7 +262,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
6. On the **Select server roles** page, click **Next**.
7. Select **Network Load Balancing** on the **Select features** page.
8. Click **Install** to start the feature installation
- 
+ 
### Configure Network Load Balancing for AD FS
@@ -270,25 +270,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
Sign-in a node of the federation farm with _Admin_ equivalent credentials.
1. Open **Network Load Balancing Manager** from **Administrative Tools**.
- 
+ 
2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
- 
+ 
4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
- 
+ 
7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
- 
+ 
8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
9. In Port Rules, click Edit to modify the default port rules to use port 443.
- 
+ 
### Additional AD FS Servers
1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
- 
+ 
## Configure DNS for Device Registration
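Review bot: step 9 ("In Port Rules, click Edit to modify the default port rules to use port 443.") does not bold the UI names **Port Rules** and **Edit** as steps 5 through 8 do, and it does not say what to set in the rule (the port range and protocol), so a reader cannot tell whether to edit the existing all-ports rule or replace it with one covering only 443; state the rule values explicitly. "Sign-in a node of the federation farm" on the line before step 1 should read "Sign in to a node of the federation farm".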
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 00fa16c254..1a2b17c308 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -69,7 +69,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup
>[!NOTE]
>Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password.
-
+
Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 3ff85f511f..e7d6a0cea8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -35,11 +35,11 @@ People who are currently using virtual or physical smart cards for authenticatio
When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
-
+
Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
-
+
They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
@@ -55,7 +55,7 @@ People can go to **Settings** > **Accounts** > **Work or school**, select
If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
-
+
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 87e71bc747..2b1c101fc0 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -21,7 +21,7 @@ ms.reviewer:
## Four steps to password freedom
Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom.
-
+
### 1. Develop a password replacement offering
@@ -203,24 +203,24 @@ Windows provides two ways to prevent your users from using passwords. You can us
##### Security Policy
You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-
+
**Windows Server 2016 and earlier**
The policy name for these operating systems is **Interactive logon: Require smart card**.
-
+
**Windows 10, version 1703 or later using Remote Server Administrator Tools**
The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-
+
When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
#### Excluding the password credential provider
You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
-
+
The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
-
+
Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
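Review bot: the bold heading "Windows 10, version 1703 or later using Remote Server Administrator Tools" misnames RSAT; it is "Remote Server Administration Tools", as the hello-hybrid-cert-trust-devreg.md hunk in this same diff spells it. The sentence under "Excluding the password credential provider" ("This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**") lacks a terminating period. The GUID on the "Exclude credential providers" line would be clearer in a code span so readers copy it exactly.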
@@ -261,7 +261,7 @@ The account options on a user account includes an option -- **Smart card is requ
> [!NOTE]
> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
-
+
**SCRIL setting for a user on Active Directory Users and Computers.**
When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
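Review bot: "Windows Server 2012 R2 or early domain functional level" in the SCRIL paragraph should read "or earlier domain functional level". In the note above it, "Do not confuse the Interactive Logon security policy for SCRIL" should be "with SCRIL". "a random 128 bits of data" reads better as "a random 128-bit value", matching the hyphenation needed for "128 bit password" in the following hunk.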
@@ -270,13 +270,13 @@ When you configure a user account for SCRIL, Active Directory changes the affect
- the user is not asked to change their password
- domain controllers do not allow passwords for interactive authentication
-
+
**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.**
> [!NOTE]
> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
-
+
**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.**
> [!NOTE]
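Review bot: the note after the Windows Server 2012 caption says "in early domains"; write "in domains at the earlier functional level" to match the sentence it qualifies. The same note recommends "Windows Server 2016 domain forest functional level", mixing domain and forest; the next hunk speaks of "Windows Server 2016 domain functional level", so pick one and use it consistently. "128 bit password" should be hyphenated ("128-bit").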
@@ -286,7 +286,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages.
-
+
> [!NOTE]
> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 5e24e71b64..2ad3bb1f3b 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -54,7 +54,7 @@ It’s important to keep in mind that there are no physical containers on disk,
The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
-
+
Containers can contain several types of key material:
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 57bbf194fc..65fa656745 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -34,13 +34,13 @@ Administrator credentials are highly privileged and must be protected. By using
The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
-
+
The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
-
+
As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
@@ -152,7 +152,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
2. Double-click **Restrict delegation of credentials to remote servers**.
- 
+ 
3. Under **Use the following restricted mode**:
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 635a9631d6..d5c9651f0f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -34,7 +34,7 @@ Smart card support is required to enable many Remote Desktop Services scenarios.
In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
-
+
**Remote Desktop redirection**
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 0663f9a479..63cbad9b26 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -52,7 +52,7 @@ Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CT
After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system.
-
+
**Figure 1** **Credential provider architecture**
@@ -88,7 +88,7 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor
Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
-
+
**Figure 2** **Base CSP and smart card minidriver architecture**
@@ -236,7 +236,7 @@ Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set
In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
-
+
**Figure 3** **Smart card selection behavior**
@@ -314,7 +314,7 @@ For other operations, the caller may be able to acquire a "verify" context again
Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
-
+
**Figure 4** **Cryptography architecture**
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index ae671b4ace..dbcf86ee67 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -38,7 +38,7 @@ The following figure shows the flow of the certificate propagation service. The
**Certificate propagation service**
-
+
1. A signed-in user inserts a smart card.
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index ef209588b9..a220e7e658 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -89,7 +89,7 @@ If you enable the **Allow signature keys valid for Logon** credential provider p
The following diagram illustrates how smart card sign-in works in the supported versions of Windows.
-
+
**Smart card sign-in flow**
@@ -206,21 +206,21 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us
**Certificate revocation list distribution points**
-
+
**UPN in Subject Alternative Name field**
-
+
**Subject and Issuer fields**
-
+
This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
**High-level flow of certificate processing for sign-in**
-
+
The certificate object is parsed to look for content to perform user account mapping.
@@ -236,7 +236,7 @@ The following figure illustrates the process of mapping user accounts for sign-i
**Certificate processing logic**
-
+
NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy).
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index fa36cf563f..3f72307e25 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -26,7 +26,7 @@ The smart card removal policy service is applicable when a user has signed in wi
**Smart card removal policy service**
-
+
The numbers in the previous figure represent the following actions:
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 10ffd31a84..76159c664d 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -34,7 +34,7 @@ In order to better understand how this process happens, let's look at the Window
The following shows how the logon process for an administrator differs from the logon process for a standard user.
-
+
By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
@@ -56,7 +56,7 @@ With UAC enabled, Windows 10 prompts for consent or prompts for credentials of
The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
-
+
**The credential prompt**
@@ -64,7 +64,7 @@ The credential prompt is presented when a standard user attempts to perform a ta
The following is an example of the UAC credential prompt.
-
+
**UAC elevation prompts**
@@ -81,7 +81,7 @@ The elevation prompt color-coding is as follows:
Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
-
+
The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
@@ -99,7 +99,7 @@ While malware could present an imitation of the secure desktop, this issue canno
The following diagram details the UAC architecture.
-
+
To better understand each component, review the table below:
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index badf574468..4468785ff0 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -24,7 +24,7 @@ This topic for the IT professional discusses the factors to consider when you de
Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.
-
+
Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index 6fb462eb81..044f7c1fe1 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -28,7 +28,7 @@ A crucial aspect of TPM virtual smart cards is their ability to securely store a
The following diagram illustrates the secure key hierarchy and the process of accessing the user key.
-
+
The following keys are stored on the hard disk:
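Review bot: the key-hierarchy diagram line is blank here, so its alt text cannot be verified. The sentence before it says the diagram shows the secure key hierarchy and how the user key is accessed, and the line after it starts a list of keys stored on the hard disk; the alt text should at least state which keys live on disk and which never leave the TPM, since that separation is the security property the diagram is meant to convey.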
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 6810a79d95..c6ad4e0710 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -62,21 +62,21 @@ On your domain server, you need to create a template for the certificate that yo
2. Click **File**, and then click **Add/Remove Snap-in**.
- 
+ 
3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
- 
+ 
4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
- 
+ 
6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
- 
+ 
7. On the **General** tab:
@@ -102,23 +102,23 @@ On your domain server, you need to create a template for the certificate that yo
12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
- 
+ 
13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
- 
+ 
15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
> **Note** It can take some time for your template to replicate to all servers and become available in this list.
- 
+ 
16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
- 
+ 
## Step 2: Create the TPM virtual smart card
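Review bot: the note after step 15 uses `> **Note** It can take some time...` while other files touched in this same PR use the `> [!NOTE]` alert syntax (for example the BitLocker troubleshooting pages). Since this hunk already edits the image line directly below that note, switch it to `> [!NOTE]` in the same change so the replication warning renders as an alert and is not missed by readers who skip plain text between steps.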
@@ -128,7 +128,7 @@ In this step, you will create the virtual smart card on the client computer by u
1. On a domain-joined computer, open a Command Prompt window with Administrative credentials.
- 
+ 
2. At the command prompt, type the following, and then press ENTER:
@@ -150,11 +150,11 @@ The virtual smart card must be provisioned with a sign-in certificate for it to
2. Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
- 
+ 
3. Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
- 
+ 
4. If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 789da743aa..4d3f59ff0a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -74,7 +74,7 @@ For more information about these Windows APIs, see:
To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
-
+
A TPM-based virtual smart card is labeled **Security Device** in the user interface.
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 9665848076..2c0a581e8d 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -51,7 +51,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
-
+
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 2c1405d9e0..44b05da541 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -89,11 +89,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
-
+
After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
-
+
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 393bf3b90b..66baa88e46 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -87,7 +87,7 @@ Two client-side configuration service providers are leveraged for VPN device com
The VPN client side connection flow works as follows:
> [!div class="mx-imgBorder"]
-> 
+> 
When a VPNv2 Profile is configured with \ \true<\/Enabled> the VPN client uses this connection flow:
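Review bot: the context line after the image, `When a VPNv2 Profile is configured with \ \true<\/Enabled>`, has the XML escaped so that the element name before `true` is missing and the closing tag shows a literal `\/`. Wrap the XML fragment in an inline code span so the element renders exactly as it appears in the VPNv2 CSP; as written, readers cannot tell which setting switches the client to the compliance connection flow.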
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index e65b9b6d8b..465f79924f 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -23,7 +23,7 @@ Virtual private networks (VPNs) are point-to-point connections across a private
There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured.
-
+
## Built-in VPN client
@@ -67,12 +67,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
> [!div class="mx-imgBorder"]
-> 
+> 
In Intune, you can also include custom XML for third-party plug-in profiles:
> [!div class="mx-imgBorder"]
-> 
+> 
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index fcc360257b..70cec8d554 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -64,7 +64,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
-
+
The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 69940276c8..96eae8c6ac 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -312,7 +312,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
10. Set Data type to **String (XML file)**.
11. Upload the profile XML file.
12. Click **OK**.
- 
+ 
13. Click **OK**, then **Create**.
14. Assign the profile.
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index a33e2b0f3f..ea0cb1c3ae 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -53,11 +53,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
-
+
Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.
-
+
## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index bd1a32dde4..c84ab32cb0 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -59,7 +59,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
-
+
## LockDown VPN
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 2c1a02b8db..62a4cf6cf0 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co
- Respond to suspicious activity
- Recover from a breach
-
+
## Attacks that steal credentials
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index fc9b15fdef..23b9d93073 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -89,7 +89,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
-
+
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
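Review bot: the Group Policy example is carried only by the screenshot, and the sentence introducing it ("TPM + PIN is required to unlock an operating system drive") does not name the policy setting or its path. Add the setting name in text next to the image (the "Require additional authentication at startup" setting under the BitLocker operating system drive policies) so the configuration can be verified or audited without reading the picture; the two pre-boot PIN mitigations described below only hold if that setting is actually applied.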
@@ -110,7 +110,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
-
+
If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
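Review bot: the context line `If kernel DMA protection *not* enabled` is missing "is"; since the hunk already touches the image line above it, correct it to `If kernel DMA protection is *not* enabled` in the same change. For the MSINFO32 screenshot, the alt text should name the row being read (Kernel DMA Protection, with its On/Off value) so the check can be performed from the text alone.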
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index 4864bdf4d4..cd0b6543e6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,31 +34,31 @@ This article depicts the BitLocker deployment comparison chart.
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|Cloud or on premises | Cloud | On premises | On premises |
-|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
+|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client |
|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
-|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
-|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
+|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
+|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
-|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
-|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | |
-|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
-|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
+|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
+|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
+|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
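Review bot: the only change in this hunk is the trailing period added to every `alt-text="supported"`, which is applied consistently, but the empty cells (for example Intune on "Server components required?" and MBAM on "Can be administered outside company network") still carry neither an icon nor text, so a screen reader announces nothing for "not supported". Consider an explicit `No` or a not-supported icon with its own alt text so the comparison is complete without seeing the icons. Minor: rows such as "Self-service recovery" and "Recovery password rotation" mix plain-text answers with icons in the same row; a consistent convention would make the table easier to scan.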
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index eaccfb9c9f..a72324edf4 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -298,18 +298,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm
It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\*
-
+
Example of customized recovery screen:
-
+
### BitLocker recovery key hints
BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
-
+
> [!IMPORTANT]
> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.
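Review bot: in the context line `*\./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\*` the CSP node path is wrapped in escaped asterisks with a stray `\` before `./`; put the path in an inline code span instead so the literal path is readable and copyable. The recovery-hint screenshot after the key-hints paragraph is blank here; its alt text should say what the hint shows (the location the key was backed up to), since the IMPORTANT note below assumes readers know which backup locations are recommended.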
@@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the Microsoft Account and the custom URL are displayed.
-
+
#### Example 2 (single recovery key with single backup)
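Review bot: examples 1 to 5 each end with a **Result:** line followed by a screenshot, and the screenshot lines are blank here. Since the result sentence already states which hints appear (for example "The hint for the Microsoft Account and the custom URL are displayed"), the alt text of each screenshot should repeat that specific outcome rather than describe the screen generically, so the examples remain self-checking in text.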
@@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the custom URL is displayed.
-
+
#### Example 3 (single recovery key with multiple backups)
@@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the Microsoft Account hint is displayed.
-
+
#### Example 4 (multiple recovery passwords)
@@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
-
+
#### Example 5 (multiple recovery passwords)
@@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the most recent key is displayed.
-
+
## Using additional recovery information
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index c6483a8057..e8045e225c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -52,7 +52,7 @@ manage-bde -status
```
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
-
+
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
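Review bot: the `manage-bde -status` output is presented only as a screenshot, while the text says the command returns the volumes, encryption status, encryption method and volume type. Command output is better carried as a fenced text block than as an image: it stays searchable, can be compared line by line against a real run when verifying encryption state, and needs no alt text. Also, in the last context line, "the BitLocker will need to access" should read "BitLocker will need to access".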
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index 2a08e910d0..664fb40db0 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
The output of such a command resembles the following.
- 
+ 
- To export BitLocker-related information:
```ps
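Review bot: the fence opened with `ps` after the export bullet is a non-standard language tag; use `powershell`, which the docs tooling recognises and highlights. As with the other Get-WinEvent output in this file, the "resembles the following" screenshot could be replaced by the sample event output as text, so the event IDs and log names used for BitLocker triage are visible without the image.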
@@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
The output of such a command resembles the following.
- 
+ 
> [!NOTE]
> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
index d41b2c7bf1..6268e09343 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps:
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows.
- 
+ 
If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
- 
+ 
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
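Review bot: the check in this hunk ("If you see NT AUTHORITY\INTERACTIVE (as highlighted)") depends on highlighting that exists only in the screenshot, which is blank here. State in the text what to look for in the ConvertFrom-SddlString output, namely an access entry granting rights to NT AUTHORITY\INTERACTIVE (the `IU` well-known SID abbreviation in the raw SDDL), and give the expected healthy output as text rather than a second image, so the comparison can be made without the pictures. This matters for the GPO cause named in the NOTE below, since a misconfigured service security descriptor is what an administrator needs to recognise from the output.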
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index bab9c21e3e..1def746b1f 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -45,11 +45,11 @@ To install the tool, follow these steps:
1. Accept the default installation path.
- 
+ 
1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit—Controller + Studio**.
- 
+ 
1. Finish the installation.
@@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps:
This folder contains the TBSLogGenerator.exe file.
- 
+ 
1. Run the following command:
```cmd
@@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps:
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
- 
+ 
The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
- 
+ 
The content of this text file resembles the following.
-
+
To find the PCR information, go to the end of the file.
- 
+ 
## Use PCPTool to decode Measured Boot logs
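Review bot: the TBSLogGenerator output introduced by `The content of this text file resembles the following.` and the PCR section the reader is told to find at the end of the file are shown only as images; since the generated file is plain text, a fenced code block with the relevant lines would be searchable, copyable and readable without the image. The same applies to the XML output in the following hunk (`The content of the XML file resembles the following.`).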
@@ -114,4 +114,4 @@ where the variables represent the following values:
The content of the XML file resembles the following.
-
+
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 60c34a7bb6..611dc64098 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -20,7 +20,7 @@ ms.custom: bitlocker
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
-
+
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
@@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
-
+
### Cause
@@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure
In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
-
+
### Cause
@@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
-
+
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
@@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro
diskpart
list volume
```
-
+
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
-
+
#### Step 2: Verify the status of WinRE
@@ -123,7 +123,7 @@ reagentc /info
```
The output of this command resembles the following.
-
+
If the **Windows RE status** is not **Enabled**, run the following command to enable it:
@@ -141,7 +141,7 @@ bcdedit /enum all
The output of this command resembles the following.
-
+
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
@@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
- 
+ 
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
@@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive%
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
-
+
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
-
+
#### 2. Verify the Secure Boot state
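Review bot: the failing case is spelled out in text (`the values include **0**, **2**, **4**, and **11**, but not **7**`) but the passing case (`verify that the **PCR Validation Profile** setting includes **7**, as follows`) exists only in the image; add the expected `PCR Validation Profile` line from the `Manage-bde -protectors -get` output as text so both cases can be compared without the screenshot.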
@@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows:
- 
+ 
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
- 
+ 
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
@@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, supports Modern Standby (a
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
-
+
The OMA-URI references for these settings are as follows:
@@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati
- Support Modern Standby
- Use Windows 10 version 1803 or later
-
+
The OMA-URI references for these settings are as follows:
@@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows:
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
-
+
-
+
You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
-
+
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**
-
\ No newline at end of file
+
\ No newline at end of file
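Review bot: both the removed and the added final line carry `\ No newline at end of file`, so this change leaves the file without a trailing newline; add one while touching this line so the file ends cleanly and later diffs stop reporting the marker.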
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 31fc1097a4..768d8cdd75 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked
## User experience
-
+
By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
The peripheral will continue to function normally if the user locks the screen or logs out of the system.
@@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
-
+
### Using System information
@@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
2. Check the value of **Kernel DMA Protection**.
- 
+ 
3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
@@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
-
+
*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.
-
+
### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
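Review bot: the footnote `For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image` gives that GUID only inside the image; state the property GUID as text beside the image so readers can match it in Device Manager (and search for it) without depending on the highlight.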
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 721ae1e1e3..3d8754473d 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo
Figure 1 shows the Windows 10 startup process.
-.png)
+.png)
**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
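Review bot: the removed and added lines read only `.png)`, the tail of a markdown image reference; confirm the full `![alt](path.png)` line is intact in the file, because a truncated reference would render as literal text directly under `Figure 1 shows the Windows 10 startup process.` The same check applies to the Figure 2 hunk that follows.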
@@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process.
-.png)
+.png)
**Figure 2. Measured Boot proves the PC’s health to a remote server**
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 06d8c54066..dd9e12558e 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client
• **Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
-
+
*Figure 1: TPM Cryptographic Key Management*
@@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde
When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
-
+
*Figure 2: Process used to create evidence of boot software and configuration using a TPM*
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 4a5ddd2df2..5a5e12feb9 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
- 
+ 
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index a605d96688..909073181d 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
- 
+ 
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
- 
+ 
4. In the **Custom OMA-URI Settings** blade, click **Add**.
@@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
- 
+ 
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
@@ -73,7 +73,7 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro
The policy is deployed to the selected users' devices.
- 
+ 
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
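Review bot: the `\ No newline at end of file` marker on the trailing context line shows this file still ends without a newline after the change; add one so the NOTE block is terminated properly.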
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index f13e30a044..32511b9cd5 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y
1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
- 
+ 
2. Click the **Create Configuration Item** button.
The **Create Configuration Item Wizard** starts.
- 
+ 
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
@@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts.
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
- 
+ 
6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
- 
+ 
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
@@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
The **Add app rule** box appears.
- 
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
@@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
The **Add app rule** box appears.
- 
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
@@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
- 
+ 
3. Right-click in the right-hand pane, and then click **Create New Rule**.
@@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
4. On the **Before You Begin** page, click **Next**.
- 
+ 
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
- 
+ 
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
- 
+ 
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
- 
+ 
8. On the updated **Publisher** page, click **Create**.
- 
+ 
9. Review the Local Security Policy snap-in to make sure your rule is correct.
- 
+ 
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
- 
+ 
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
@@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
The **Add app rule** box appears.
- 
+ 
2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
@@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
- 
+ 
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
- 
+ 
@@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
- 
+ 
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
@@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
-
+
**To set your optional settings**
1. Choose to set any or all of the optional settings:
@@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
- 
+ 
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 17dcaff4f3..0442c3778a 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
- 
+ 
## Create a WIP policy
@@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
- 
+ 
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
@@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
- **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
- 
+ 
4. Click **Protected apps** and then click **Add apps**.
- 
+ 
You can add these types of apps:
@@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**.
-
+
### Add Store apps
@@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
-
+
To add multiple Store apps, click the ellipsis **…**.
@@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**.
-
+
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
@@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
- 
+ 
3. Right-click in the right-hand blade, and then click **Create New Rule**.
@@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
4. On the **Before You Begin** page, click **Next**.
- 
+ 
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
@@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365.
- 
+ 
8. On the updated **Publisher** page, click **Create**.
- 
+ 
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
- 
+ 
9. Review the Local Security Policy snap-in to make sure your rule is correct.
- 
+ 
10. In the left blade, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
- 
+ 
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
@@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
3. Right-click **Executable Rules** > **Create New Rule**.
- 
+ 
4. On the **Before You Begin** page, click **Next**.
@@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
6. On the **Conditions** page, click **Path** and then click **Next**.
- 
+ 
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
- 
+ 
8. On the **Exceptions** page, add any exceptions and then click **Next**.
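Review bot: the hunk header says the executable rule is used `to sign any unsigned apps`, but the steps in this hunk create a path condition (`click **Path**`, then `select the path for the unsigned apps`), which allows those apps rather than signing them; reword the introduction to say the rule allows unsigned apps by path so the description matches the procedure.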
@@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
1. In **Protected apps**, click **Import apps**.
- 
+ 
Then import your file.
- 
+ 
2. Browse to your exported AppLocker policy file, and then click **Open**.
@@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise
1. In **Client apps - App protection policies**, click **Exempt apps**.
- 
+ 
2. In **Exempt apps**, click **Add apps**.
@@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**.
- 
+ 
|Mode |Description |
|-----|------------|
@@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field.
- 
+ 
3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
- 
+ 
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
@@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw
To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
-
+
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
@@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings:
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
-
+
## Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
@@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
- 
+ 
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
-
+
**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
@@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you
You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
-
+
## Related topics
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 524199cf73..8d929e1db4 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -34,7 +34,7 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
The policy is deployed to the selected users' devices.
- 
+ 
>[!NOTE]
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index b54cc7cbe1..dd3fb2529e 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task
The **Select columns** box appears.
- 
+ 
3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
The **Enterprise Context** column should now be available in Task Manager.
- 
+ 
## Review the Enterprise Context
The **Enterprise Context** column shows you what each app can do with your enterprise data:
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 1e97616ee8..e2f9ce0a1f 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h
1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
- 
+ 
1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
- 
+ 
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
@@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health,
4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
- 
+ 
5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
@@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health,
`O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
- 
+ 
6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 1ede3ef4ed..ea4b252a30 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -58,7 +58,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
3. Double-click **Turn on Virtualization Based Security**.
4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
- 
+ 
5. Click **Ok** to close the editor.
@@ -279,7 +279,7 @@ This field lists the computer name. All valid values for computer name.
Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
-
+
## Troubleshooting
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index cbcb5ff098..9b2b985db5 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -102,10 +102,10 @@ Validated Editions: Home, Pro, Enterprise, Education
-
-
-
-
+
+
+
+
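Review bot: this hunk, and the long run of similar hunks in fips-140-validation.md that follow it, remove four blank lines and add four blank lines that render identically here, so the diff carries no reviewable content; if this is a line-ending or trailing-whitespace cleanup it should be called out as such in the commit message, and a whitespace-ignoring diff (`git diff -w`) attached so reviewers can confirm that no table rows or "Validated Editions" lines were altered in the process.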
@@ -172,10 +172,10 @@ Validated Editions: Home, Pro, Enterprise, Education
-
-
-
-
+
+
+
+
@@ -236,10 +236,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
-
-
-
+
+
+
+
@@ -305,11 +305,11 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
-
-
-
-
+
+
+
+
+
@@ -393,10 +393,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
-
-
-
-
+
+
+
+
@@ -486,10 +486,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
-
-
-
-
+
+
+
+
@@ -584,10 +584,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
-
-
-
-
+
+
+
+
@@ -682,10 +682,10 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
-
-
-
-
+
+
+
+
@@ -861,10 +861,10 @@ Validated Editions: Windows 7, Windows 7 SP1
-
-
-
-
+
+
+
+
@@ -985,10 +985,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1103,10 +1103,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1144,10 +1144,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1178,10 +1178,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1205,10 +1205,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1232,10 +1232,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1269,10 +1269,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1310,10 +1310,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1340,10 +1340,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1367,10 +1367,10 @@ Validated Editions: Ultimate Edition
-
-
-
-
+
+
+
+
@@ -1419,10 +1419,10 @@ Validated Editions: Standard, Datacenter
-
-
-
-
+
+
+
+
@@ -1489,10 +1489,10 @@ Validated Editions: Standard, Datacenter
-
-
-
-
+
+
+
+
@@ -1553,10 +1553,10 @@ Validated Editions: Standard, Datacenter
-
-
-
-
+
+
+
+
@@ -1623,10 +1623,10 @@ Validated Editions: Standard, Datacenter, Storage Server
-
-
-
-
+
+
+
+
@@ -2024,10 +2024,10 @@ Validated Editions: Server, Storage Server
-
-
-
-
+
+
+
+
@@ -2065,10 +2065,10 @@ Validated Editions: Server, Storage Server
-
-
-
-
+
+
+
+
@@ -2112,10 +2112,10 @@ Validated Editions: Server, Storage Server
-
-
-
-
+
+
+
+
@@ -2161,10 +2161,10 @@ Validated Editions: Server, Storage Server
-
-
-
-
+
+
+
+
@@ -2196,10 +2196,10 @@ Validated Editions: Server, Storage Server
-
-
-
-
+
+
+
+
@@ -2223,10 +2223,10 @@ Validated Editions: Server, Storage Server
-
-
-
-
+
+
+
+
@@ -2255,8 +2255,8 @@ The following tables are organized by cryptographic algorithms with their modes,
-
-
+
+
@@ -3007,8 +3007,8 @@ AES
-
+
+
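Review bot: the header `@@ -3007,8 +3007,8 @@ AES` claims eight lines on both sides, but the body shows one removed line and two added lines, which would change the line count; the hunk appears to have lost a line in transit, and the `@@ -3159,8 +3159,8 @@` and `@@ -4399,8 +4399,8 @@` hunks below show the same one-removed, two-added shape under an unchanged count. Please regenerate the patch from the working tree so the hunk headers and bodies agree before it is applied.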
@@ -3159,8 +3159,8 @@ AES
-
+
+
@@ -3517,8 +3517,8 @@ SHS: SHA-1 (BYTE)
-
-
+
+
@@ -3978,8 +3978,8 @@ Some of the previously validated components for this validation have been remove
-
-
+
+
@@ -4399,8 +4399,8 @@ SHS
-
+
+
@@ -5229,8 +5229,8 @@ Random Number Generator (RNG)
-
-
+
+
@@ -5282,8 +5282,8 @@ Random Number Generator (RNG)
-
-
+
+
@@ -6285,8 +6285,8 @@ Some of the previously validated components for this validation have been remove
| |
|
| |
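Review bot: the trailing context rows `| |`, `|`, `| |` in the `@@ -6285` hunk are not well-formed markdown table rows (a lone `|` is not a row, and `| |` is a single empty cell), and the hunk ends without further context, so it is unclear whether the table this section introduces still renders; please include a rendered preview of this table, or the full hunk, and confirm the blank-line edits here do not split the table into two.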