diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md index 42fbce9cbc..4121c136de 100644 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -40,7 +40,7 @@ ms:topic: include - **Data type:** Integer #### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ +- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\Main - **Value name:** AllowPrelaunch - **Value type:** REG_DWORD diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md index c5ef3c78e7..f1f79bda9c 100644 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ b/browsers/edge/includes/allow-tab-preloading-include.md @@ -38,8 +38,8 @@ ms:topic: include - **Data type:** Integer #### Registry settings -- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\Main -- **Create Value name:** AllowPrelaunch +- **Path:** HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader +- **Create Value name:** AllowTabPreloading - **Value type:** REG_DWORD - **DWORD Value:** 1 diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md index 8b67242c98..ab1b9bf4be 100644 --- a/browsers/includes/interoperability-goals-enterprise-guidance.md +++ b/browsers/includes/interoperability-goals-enterprise-guidance.md @@ -18,7 +18,7 @@ You must continue using IE11 if web apps use any of the following: * x-ua-compatible headers -* <meta> tags +* <meta> tags with an http-equivalent value of X-UA-Compatible header * Enterprise mode or compatibility view to addressing compatibility issues diff --git a/devices/surface-hub/TOC.md b/devices/surface-hub/TOC.md index 835d85681c..21d2103922 100644 --- a/devices/surface-hub/TOC.md +++ b/devices/surface-hub/TOC.md 
@@ -85,29 +85,33 @@ #### [Device reset](device-reset-surface-hub.md) #### [Use fully qualified domain name with Surface Hub](use-fully-qualified-domain-name-surface-hub.md) #### [Wireless network management](wireless-network-management-for-surface-hub.md) -#### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) -#### [Configure Surface Hub Start menu](surface-hub-start-menu.md) -#### [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md) -#### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) -#### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) -#### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) -#### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) -#### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) -#### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) -#### [Using a room control system](use-room-control-system-with-surface-hub.md) -#### [Implement Quality of Service on Surface Hub](surface-hub-qos.md) -#### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) -#### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md) -### [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) - -## Secure -### [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) - -## Support -### [Top support solutions for Surface Hub](support-solutions-surface-hub.md) -### [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) -### [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) -### [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) -### [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) -### [Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) -### [Change history for 
Surface Hub](change-history-surface-hub.md) \ No newline at end of file +### [Install apps on your Surface Hub](install-apps-on-surface-hub.md) +### [Configure Surface Hub Start menu](surface-hub-start-menu.md) +### [Set up and use Microsoft Whiteboard](whiteboard-collaboration.md) +### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md) +### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) +### [Save your BitLocker key](save-bitlocker-key-surface-hub.md) +### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md) +### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) +### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) +### [Using a room control system](use-room-control-system-with-surface-hub.md) +### [Implement Quality of Service on Surface Hub](surface-hub-qos.md) +### [Using the Surface Hub Recovery Tool](surface-hub-recovery-tool.md) +### [Surface Hub SSD replacement](surface-hub-ssd-replacement.md) +## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) +## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md) +## [Top support solutions for Surface Hub](support-solutions-surface-hub.md) +## [Troubleshoot Microsoft Surface Hub](troubleshoot-surface-hub.md) +## [Surface Hub Update History](surface-hub-update-history.md) +## [Known issues and additional information about Microsoft Surface Hub](known-issues-and-additional-info-about-surface-hub.md) +## [How to use cloud recovery for BitLocker on a Surface Hub](use-cloud-recovery-for-bitlocker-on-surfacehub.md) +## [Using the Surface Hub Hardware Diagnostic Tool to test a device account](use-surface-hub-diagnostic-test-device-account.md) +## [Surface Hub Miracast channels 149-165 not supported in Europe, Japan, Israel](surfacehub-miracast-not-supported-europe-japan-israel.md) +## 
[What to do if the Connect app in Surface Hub exits unexpectedly](connect-app-in-surface-hub-unexpectedly-exits.md) +## [Surface Hub may install updates and restart outside maintenance hours](surface-hub-installs-updates-and-restarts-outside-maintenance-hours.md) +## [General Data Privacy Regulation and Surface Hub](general-data-privacy-regulation-and-surface-hub.md) +## [Troubleshoot Miracast on Surface Hub](miracast-troubleshooting.md) +## [Useful downloads for Surface Hub administrators](surface-hub-downloads.md) +## [Technical information for 55” Microsoft Surface Hub](surface-hub-technical-55.md) +## [Technical information for 84” Microsoft Surface Hub ](surface-hub-technical-84.md) +## [Change history for Surface Hub](change-history-surface-hub.md) diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md index 1f7820db7b..aa032cdf0f 100644 --- a/education/windows/deploy-windows-10-in-a-school.md +++ b/education/windows/deploy-windows-10-in-a-school.md @@ -302,6 +302,7 @@ Although all new Office 365 Education subscriptions have automatic licensing ena | Disable | `Set-MsolCompanySettings -AllowAdHocSubscriptions $false` |
+ ### Enable Azure AD Premium When you create your Office 365 subscription, you create an Office 365 tenant that includes an Azure AD directory. Azure AD is the centralized repository for all your student and faculty accounts in Office 365, Intune, and other Azure AD–integrated apps. Azure AD is available in Free, Basic, and Premium editions. Azure AD Free, which is included in Office 365 Education, has fewer features than Azure AD Basic, which in turn has fewer features than Azure AD Premium. @@ -450,6 +451,7 @@ Several methods are available to bulk-import user accounts into AD DS domains. T | Windows PowerShell | This scripting language natively supports cmdlets to manage AD DS objects, including user and group objects. Select this method if you’re comfortable with Window PowerShell scripting. For more information about using Windows PowerShell, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
+ ### Create a source file that contains the user and group accounts After you have selected your user and group account bulk import method, you’re ready to create the source file that contains the user and group account. You’ll use the source file as the input to the import process. The source file format depends on the method you selected. Table 6 lists the source file format for the bulk import methods. @@ -464,6 +466,7 @@ After you have selected your user and group account bulk import method, you’re | Windows PowerShell | Windows PowerShell can use any .csv file format you want to create as a source file for the bulk-import process. To create the .csv file, use software such as Excel. For examples of how to format your source file in CSV format, see [Import Bulk Users to Active Directory](https://blogs.technet.microsoft.com/bettertogether/2011/01/09/import-bulk-users-to-active-directory/) and [PowerShell: Bulk create AD Users from CSV file](https://social.technet.microsoft.com/wiki/contents/articles/24541.powershell-bulk-create-ad-users-from-csv-file.aspx). |
+ ### Import the user accounts into AD DS With the bulk-import source file finished, you’re ready to import the user and group accounts into AD DS. The steps for importing the file are slightly different for each method. @@ -575,6 +578,7 @@ After you create the Microsoft Store for Business portal, configure it by using | Private store | Allows you to change the organization name used in your Microsoft Store for Business portal. When you create your portal, the private store uses the organization name that you used to create your Office 365 subscription. For more information, see [Distribute apps using your private store](https://technet.microsoft.com/itpro/windows/manage/distribute-apps-from-your-private-store). |
+
### Find, acquire, and distribute apps in the portal
Now that you have created your Microsoft Store for Business portal, you’re ready to find, acquire, and distribute apps that you will add to your portal. You do this by using the Inventory page in Microsoft Store for Business.
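Review bot: In browsers/edge/includes/allow-tab-preloading-include.md, the corrected path stays under HKCU (`HKCU\SOFTWARE\Policies\Microsoft\MicrosoftEdge\TabPreloader`) while the sibling allow-prelaunch-include.md change in this same patch uses HKLM. The two includes also differ in label ("Create Value name" vs "Value name") and in the casing of `Software`. Please confirm which hive the tab preloading policy is read from and state it explicitly, because a value documented only under HKCU applies to the current user rather than the whole machine. Align the label and key casing with the prelaunch include in the same change.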
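Review bot: In browsers/includes/interoperability-goals-enterprise-guidance.md, the new bullet says "http-equivalent value", but the HTML attribute is `http-equiv`. Suggest "`<meta>` tags with an `http-equiv` value of `X-UA-Compatible`", and drop the trailing "header", which repeats the bullet directly above. The unchanged bullet that follows ("Enterprise mode or compatibility view to addressing compatibility issues") has a grammar error that could be fixed in the same hunk.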
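Review bot: In devices/surface-hub/TOC.md, the hunk removes the `## Secure` and `## Support` group headings and promotes every entry beneath them to `##`. As a result the Wi-Fi Direct security article and the new BitLocker cloud recovery article sit in one flat list with troubleshooting and download pages. The entries from "Install apps on your Surface Hub" onward also move from `####` to `###` while the context lines just above them ("Device reset", "Wireless network management") stay at `####`. If the flattening is intended, the description should say so; otherwise keep the group headings and nest the new support articles under `## Support`. Also check the new entry "General Data Privacy Regulation and Surface Hub": the regulation's name is General Data Protection Regulation.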
@@ -1269,6 +1273,7 @@ Follow the same steps described in the
+
### Summary
Now, you have identified the tasks you need to perform monthly, at the end of an academic year or semester, and as required. Your school configuration should match the typical school configuration that you saw in the [Plan a typical school configuration](#plan-a-typical-school-configuration) section. By performing these maintenance tasks you help ensure that your school stays secure and is configured as you specified.
@@ -1278,5 +1283,4 @@ Now, you have identified the tasks you need to perform monthly, at the end of an
The data type is int. Supported operation is Get. + +
The data type is integer. Supported operation is Get. **MaintenanceHoursSimple/Hours**
Node for maintenance schedule. @@ -212,12 +212,12 @@ The following diagram shows the SurfaceHub CSP management objects in tree format **MaintenanceHoursSimple/Hours/StartTime**
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **MaintenanceHoursSimple/Hours/Duration**
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **InBoxApps**
Node for the in-box app settings. @@ -228,7 +228,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format **InBoxApps/SkypeForBusiness/DomainName**
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online. -
The data type is char. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **InBoxApps/Welcome**
Node for the welcome screen. @@ -236,7 +236,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format **InBoxApps/Welcome/AutoWakeScreen**
Automatically turn on the screen using motion sensors. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath**
Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). @@ -251,7 +251,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format - 0 - Organizer and time only - 1 - Organizer, time, and subject. Subject is hidden in private meetings. -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **InBoxApps/WirelessProjection**
Node for the wireless projector app settings. @@ -259,12 +259,12 @@ The following diagram shows the SurfaceHub CSP management objects in tree format **InBoxApps/WirelessProjection/PINRequired**
Users must enter a PIN to wirelessly project to the device. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Enabled**
Enables wireless projection to the device. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Channel**
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. @@ -293,7 +293,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **InBoxApps/Connect**
Added in Windows 10, version 1703. Node for the Connect app. @@ -303,7 +303,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties**
Node for the device properties. @@ -316,7 +316,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format **Properties/DefaultVolume**
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/ScreenTimeout**
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. @@ -368,7 +368,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/SessionTimeout**
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. @@ -420,7 +420,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/SleepTimeout**
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. @@ -472,35 +472,35 @@ The following diagram shows the SurfaceHub CSP management objects in tree format -
The data type is int. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/AllowSessionResume**
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out.
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties/AllowAutoProxyAuth**
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication.
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions**
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings.
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties/DoNotShowMyMeetingsAndFiles**
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365.
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. -
The data type is bool. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **MOMAgent**
Node for the Microsoft Operations Management Suite.
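Review bot: Every changed line in this hunk still reads "Supported operation is Get and Replace". With two operations listed it should be "Supported operations are Get and Replace", and since the hunk already rewrites each of these lines for the bool to boolean rename, this is the place to fix it. The context sentence under Properties/AllowSessionResume also opens the End Session quotation with a curly quote and closes it with a straight one; normalize it to match the "Resume Session" quoting earlier in the same sentence.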
diff --git a/windows/configuration/kiosk-mdm-bridge.md b/windows/configuration/kiosk-mdm-bridge.md
index 33cf15dabb..b08ebebd2c 100644
--- a/windows/configuration/kiosk-mdm-bridge.md
+++ b/windows/configuration/kiosk-mdm-bridge.md
@@ -31,59 +31,59 @@ Here’s an example to set AssignedAccess configuration:
3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
4. Execute the following script:
-```ps
+```xml
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
$obj.Configuration = @"
-<?xml version="1.0" encoding="utf-8" ?>
-<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
- <Profiles>
- <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
- <AllAppsList>
- <AllowedApps>
- <App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- <App DesktopAppPath="%windir%\system32\mspaint.exe" />
- <App DesktopAppPath="C:\Windows\System32\notepad.exe" />
- </AllowedApps>
- </AllAppsList>
- <StartLayout>
- <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
- <LayoutOptions StartTileGroupCellWidth="6" />
- <DefaultLayoutOverride>
- <StartLayoutCollection>
- <defaultlayout:StartLayout GroupCellWidth="6">
- <start:Group Name="Group1">
- <start:Tile Size="4x4" Column="0" Row="0" AppUserModelID="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
- <start:Tile Size="2x2" Column="4" Row="2" AppUserModelID="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
- <start:Tile Size="2x2" Column="4" Row="0" AppUserModelID="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
- <start:Tile Size="2x2" Column="4" Row="4" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
- <start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
- </start:Group>
- <start:Group Name="Group2">
- <start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs\Accessories\Paint.lnk" />
- <start:DesktopApplicationTile Size="2x2" Column="0" Row="0" DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\Accessories\Notepad.lnk" />
- </start:Group>
- </defaultlayout:StartLayout>
- </StartLayoutCollection>
- </DefaultLayoutOverride>
- </LayoutModificationTemplate>
- ]]>
- </StartLayout>
- <Taskbar ShowTaskbar="true"/>
- </Profile>
- </Profiles>
- <Configs>
- <Config>
- <Account>MultiAppKioskUser</Account>
- <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
- </Config>
- </Configs>
-</AssignedAccessConfiguration>
+
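Review bot: The fence tag change from `ps` to `xml` at the top of this hunk mislabels the block. Its first lines are PowerShell (`$nameSpaceName=...`, `Get-CimInstance`), and the XML appears only as a here-string assigned to `$obj.Configuration`. Use `powershell` as the fence language so the block is highlighted and read as a script. The script also assigns `$nameSpaceName` but reads `$namespaceName`; PowerShell variable names are case-insensitive so it runs, but matching the casing would avoid confusing readers who adapt it.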
+ Well-Known SID/RID S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon) Type User Default container CN=Users, DC=<domain>, DC= Default members None Default member of Domain Guests Guests Protected by ADMINSDHOLDER? No Safe to move out of default container? Can be moved out, but we do not recommend it. Safe to delegate management of this group to non-Service admins? No
Performs diagnostics on the Windows 8.1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
For more information about this update, see
Performs diagnostics on the Windows 7 SP1 systems that participate in the Windows Customer Experience Improvement Program. These diagnostics help determine whether compatibility issues might be encountered when the latest Windows operating system is installed.
For more information about this update, see
**Set to: Enable** |
| Allow Microsoft Compatibility List | Choose whether to use the Microsoft Compatibility List in Microsoft Edge.
**Set to: Disabled** |
-Alternatively, you can configure the these Registry keys as described:
+Alternatively, you can configure the following Registry keys as described:
| Registry Key | Registry path |
| - | - |
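Review bot: The corrected sentence still capitalizes "Registry" mid-sentence and ends with "as described" without saying where. Suggest "Alternatively, you can configure the following registry keys:" so it leads directly into the table. The context rows just above also mix "Set to: Enable" and "Set to: Disabled"; use one form for both.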
@@ -914,7 +914,7 @@ To turn off **Let websites provide locally relevant content by accessing my lang
- Create a new REG_DWORD registry setting named **HttpAcceptLanguageOptOut** in **HKEY_CURRENT_USER\\Control Panel\\International\\User Profile** with a value of 1.
-To turn off **Let apps on my other devices open apps and continue experiences on this devices**:
+To turn off **Let apps on my other devices open apps and continue experiences on this device**:
- Turn off the feature in the UI.
@@ -1412,7 +1412,7 @@ To turn this off:
-or-
-- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access dignostic information about other apps**
+- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access diagnostic information about other apps**
-or-
@@ -1596,7 +1596,7 @@ You can disconnect from the Microsoft Antimalware Protection Service.
>1. Ensure Windows and Windows Defender are fully up to date.
>2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to >the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make >the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link >and then scroll down to the Tamper Protection toggle to set it to **Off**.
-- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop down box named **Join Microsoft MAPS**
+- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Windows Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS**
-OR-
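Review bot: The unchanged note just above the edited bullet has stray `>` characters inside step 2 (">the Tamper Protection toggle", ">the setting", ">and then scroll down"). They look like blockquote markers left over from re-wrapping the line and will render literally, so remove them in this change. The separator after the bullet is "-OR-" while the previous hunk's context uses "-or-"; pick one casing for the article.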
diff --git a/windows/release-information/status-windows-10-1507.yml b/windows/release-information/status-windows-10-1507.yml
index ce1f513a1a..6a2eec1758 100644
--- a/windows/release-information/status-windows-10-1507.yml
+++ b/windows/release-information/status-windows-10-1507.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
@@ -72,6 +73,15 @@ sections:
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 10240.18244
June 11, 2019
KB4503291Mitigated June 12, 2019
05:43 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 10240.18094
January 08, 2019
KB4480962Mitigated April 25, 2019
02:00 PM PTUnable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details >OS Build 10240.18215
May 14, 2019
KB4499154Resolved
KB4505051May 19, 2019
02:00 PM PT
+ "
+
- title: May 2019
- items:
- type: markdown
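Review bot: The added summary content sits inside a double-quoted YAML scalar (`text: "`), so every quotation mark in the prose has to be backslash-escaped, as in \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\" in the Cluster Shared Volume row. A single unescaped quote in a later edit would end the scalar early and break the page. Consider a block scalar (`text: |`) for these sections, or add a YAML lint step covering the release-information files.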
diff --git a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
index 28aefbeb37..9ed4799d06 100644
--- a/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
+++ b/windows/release-information/status-windows-10-1607-and-windows-server-2016.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History
+ Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 10240.18244
June 11, 2019
KB4503291Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 14393.3025
June 11, 2019
KB4503267Mitigated June 12, 2019
05:43 PM PTSome applications may fail to run as expected on clients of AD FS 2016
Some applications may fail to run as expected on clients of Active Directory Federation Services 2016 (AD FS 2016)
See details >OS Build 14393.2941
April 25, 2019
KB4493473Mitigated June 07, 2019
04:25 PM PTDevices running Windows Server 2016 with Hyper-V seeing Bitlocker error 0xC0210000
Some devices running Windows Server with Hyper-V enabled may start into Bitlocker recovery with error 0xC0210000
See details >OS Build 14393.2969
May 14, 2019
KB4494440Mitigated May 23, 2019
09:57 AM PT
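Review bot: The Hyper-V row in this summary table spells the product "Bitlocker" twice ("seeing Bitlocker error 0xC0210000" and "start into Bitlocker recovery"). The product name is BitLocker, which is the spelling the Surface Hub TOC entries elsewhere in this patch use. Please correct both occurrences so searches for the recovery error match.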
@@ -87,6 +88,7 @@ sections:
- type: markdown
text: "
Cluster service may fail if the minimum password length is set to greater than 14
The cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.
See details >OS Build 14393.2639
November 27, 2018
KB4467684Mitigated April 25, 2019
02:00 PM PT
diff --git a/windows/release-information/status-windows-10-1703.yml b/windows/release-information/status-windows-10-1703.yml
index 7f3a342f47..c30a03c5ce 100644
--- a/windows/release-information/status-windows-10-1703.yml
+++ b/windows/release-information/status-windows-10-1703.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 14393.3025
June 11, 2019
KB4503267Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTSome applications may fail to run as expected on clients of AD FS 2016
Back to topOS Build 14393.2941
April 25, 2019
KB4493473Mitigated Last updated:
June 07, 2019
04:25 PM PT
Opened:
June 04, 2019
05:55 PM PTOpening Internet Explorer 11 may fail
Back to topOS Build 14393.2999
May 23, 2019
KB4499177Resolved
KB4503267Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 15063.1868
June 11, 2019
KB4503279Mitigated June 12, 2019
05:43 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 15063.1563
January 08, 2019
KB4480973Mitigated April 25, 2019
02:00 PM PTOpening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details >OS Build 15063.1839
May 28, 2019
KB4499162Resolved
KB4503279June 11, 2019
10:00 AM PT
@@ -79,6 +80,7 @@ sections:
- type: markdown
text: "
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details >OS Build 15063.1805
May 14, 2019
KB4499181Resolved
KB4505055May 19, 2019
02:00 PM PT
"
diff --git a/windows/release-information/status-windows-10-1709.yml b/windows/release-information/status-windows-10-1709.yml
index 378cc71da1..d6799cbaca 100644
--- a/windows/release-information/status-windows-10-1709.yml
+++ b/windows/release-information/status-windows-10-1709.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 15063.1868
June 11, 2019
KB4503279Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTOpening Internet Explorer 11 may fail
Back to topOS Build 15063.1839
May 28, 2019
KB4499162Resolved
KB4503279Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 16299.1217
June 11, 2019
KB4503284Mitigated June 12, 2019
05:43 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 16299.904
January 08, 2019
KB4480978Mitigated April 25, 2019
02:00 PM PTOpening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details >OS Build 16299.1182
May 28, 2019
KB4499147Resolved
KB4503284June 11, 2019
10:00 AM PT
@@ -80,6 +81,7 @@ sections:
- type: markdown
text: "
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details >OS Build 16299.1143
May 14, 2019
KB4498946Resolved
KB4505062May 19, 2019
02:00 PM PT
"
diff --git a/windows/release-information/status-windows-10-1803.yml b/windows/release-information/status-windows-10-1803.yml
index 69ffbe452f..1f4862558b 100644
--- a/windows/release-information/status-windows-10-1803.yml
+++ b/windows/release-information/status-windows-10-1803.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 16299.1217
June 11, 2019
KB4503284Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTOpening Internet Explorer 11 may fail
Back to topOS Build 16299.1182
May 28, 2019
KB4499147Resolved
KB4503284Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 17134.829
June 11, 2019
KB4503286Mitigated June 12, 2019
05:43 PM PTCertain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 17134.523
January 08, 2019
KB4480966Mitigated April 25, 2019
02:00 PM PTOpening Internet Explorer 11 may fail
Internet Explorer 11 may fail to open if Default Search Provider is not set or is malformed.
See details >OS Build 17134.799
May 21, 2019
KB4499183Resolved
KB4503286June 11, 2019
10:00 AM PT
@@ -81,6 +82,7 @@ sections:
- type: markdown
text: "
Issue using PXE to start a device from WDS
Using PXE to start a device from a WDS server configured to use Variable Window Extension may cause the connection to the WDS server to terminate prematurely.
See details >OS Build 17134.648
March 12, 2019
KB4489868Resolved
KB4503286June 11, 2019
10:00 AM PT
"
diff --git a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
index 4ddd5019f9..af3528cf49 100644
--- a/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
+++ b/windows/release-information/status-windows-10-1809-and-windows-server-2019.yml
@@ -65,6 +65,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 17134.829
June 11, 2019
KB4503286Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTOpening Internet Explorer 11 may fail
Back to topOS Build 17134.799
May 21, 2019
KB4499183Resolved
KB4503286Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 17763.557
June 11, 2019
KB4503327Mitigated June 12, 2019
05:43 PM PTDevices with some Asian language packs installed may receive an error
After installing the KB4493509 devices with some Asian language packs installed may receive the error, \"0x800f0982 - PSFX_E_MATCHING_COMPONENT_NOT_F
See details >OS Build 17763.437
April 09, 2019
KB4493509Mitigated May 03, 2019
10:59 AM PTPrinting from Microsoft Edge or other UWP apps, you may receive the error 0x80070007
Attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive an error.
See details >OS Build 17763.379
March 12, 2019
KB4489899Mitigated May 02, 2019
04:47 PM PT
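Review bot: The KB4493509 summary row directly below the added Event Viewer row is cut off mid-identifier at "PSFX_E_MATCHING_COMPONENT_NOT_F", so the escaped quote opened at `\"0x800f0982` is never closed inside the `text: "` string. Since this hunk touches the same table, either restore the full error name with its closing `\"` or shorten the summary so it ends on a complete phrase. The same row also needs a comma and no article: "After installing KB4493509, devices with some Asian language packs installed may receive the error".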
@@ -90,6 +91,7 @@ sections:
- type: markdown
text: "
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, \"STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)\".
See details >OS Build 17763.253
January 08, 2019
KB4480116Mitigated April 09, 2019
10:00 AM PT
"
diff --git a/windows/release-information/status-windows-10-1903.yml b/windows/release-information/status-windows-10-1903.yml
index 0c64ca5a1d..713ffe86b5 100644
--- a/windows/release-information/status-windows-10-1903.yml
+++ b/windows/release-information/status-windows-10-1903.yml
@@ -69,6 +69,7 @@ sections:
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 17763.557
June 11, 2019
KB4503327Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTOpening Internet Explorer 11 may fail
Back to topOS Build 17763.529
May 21, 2019
KB4497934Resolved
KB4503327Resolved:
June 11, 2019
10:00 AM PT
Opened:
June 05, 2019
05:49 PM PTLoss of functionality in Dynabook Smartphone Link app
After updating to Windows 10, version 1903, you may experience a loss of functionality when using the Dynabook Smartphone Link application.
See details >OS Build 18362.116
May 20, 2019
KB4505057Investigating May 24, 2019
03:10 PM PTDisplay brightness may not respond to adjustments
Microsoft and Intel have identified a driver compatibility issue on devices configured with certain Intel display drivers.
See details >OS Build 18362.116
May 21, 2019
KB4505057Investigating May 21, 2019
04:47 PM PT
+ Audio not working with Dolby Atmos headphones and home theater
Users may experience audio loss with Dolby Atmos headphones or Dolby Atmos home theater.
See details >OS Build 18362.116
May 21, 2019
KB4505057Investigating May 21, 2019
07:17 AM PTEvent Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >OS Build 18362.175
June 11, 2019
KB4503293Mitigated June 12, 2019
05:43 PM PTError attempting to update with external USB device or memory card attached
PCs with an external USB device or SD memory card attached may get error: \"This PC can't be upgraded to Windows 10.\"
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated June 11, 2019
12:34 PM PTGamma ramps, color profiles, and night light settings do not apply in some cases
Microsoft has identified some scenarios where gamma ramps, color profiles and night light settings may stop working.
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated May 24, 2019
11:02 AM PT
@@ -89,6 +90,15 @@ sections:
Unable to discover or connect to Bluetooth devices
Microsoft has identified compatibility issues with some versions of Realtek and Qualcomm Bluetooth radio drivers.
See details >OS Build 18362.116
May 21, 2019
KB4505057Mitigated May 21, 2019
04:48 PM PT
+ "
+
- title: May 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
index aae03cfacf..b9c2807c45 100644
--- a/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
+++ b/windows/release-information/status-windows-7-and-windows-server-2008-r2-sp1.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History
+ Event Viewer may close or you may receive an error when using Custom Views
Back to topOS Build 18362.175
June 11, 2019
KB4503293Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503292Mitigated June 12, 2019
05:43 PM PTIE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details >May 14, 2019
KB4499164Mitigated June 07, 2019
02:57 PM PTSystem may be unresponsive after restart with certain McAfee antivirus products
Devices with McAfee Endpoint Security Threat Prevention 10.x, Host Intrusion Prevention 8.0, or VirusScan Enterprise 8.8 may be slow or unresponsive at startup.
See details >April 09, 2019
KB4493472Mitigated April 25, 2019
02:00 PM PT
@@ -82,6 +83,7 @@ sections:
- type: markdown
text: "
Unable to access some gov.uk websites
gov.uk websites that don’t support “HSTS” may not be accessible
See details >May 14, 2019
KB4499164Resolved
KB4505050May 18, 2019
02:00 PM PT
"
diff --git a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
index c57eb16042..8aa99cced1 100644
--- a/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
+++ b/windows/release-information/status-windows-8.1-and-windows-server-2012-r2.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topJune 11, 2019
KB4503292Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTIE11 may stop working when loading or interacting with Power BI reports
Back to topMay 14, 2019
KB4499164Mitigated Last updated:
June 07, 2019
02:57 PM PT
Opened:
June 07, 2019
02:57 PM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503276Mitigated June 12, 2019
05:43 PM PTIE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details >May 14, 2019
KB4499151Mitigated June 07, 2019
02:57 PM PTJapanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details >April 25, 2019
KB4493443Mitigated May 15, 2019
05:53 PM PT
@@ -85,6 +86,7 @@ sections:
- type: markdown
text: "
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details >January 08, 2019
KB4480963Mitigated April 25, 2019
02:00 PM PT
"
diff --git a/windows/release-information/status-windows-server-2008-sp2.yml b/windows/release-information/status-windows-server-2008-sp2.yml
index a38199a095..712250b6be 100644
--- a/windows/release-information/status-windows-server-2008-sp2.yml
+++ b/windows/release-information/status-windows-server-2008-sp2.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topJune 11, 2019
KB4503276Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTIE11 may stop working when loading or interacting with Power BI reports
Back to topMay 14, 2019
KB4499151Mitigated Last updated:
June 07, 2019
02:57 PM PT
Opened:
June 07, 2019
02:57 PM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503273Mitigated June 12, 2019
05:43 PM PTSystem unresponsive after restart if Sophos Endpoint Protection installed
Devices with Sophos Endpoint Protection installed and managed by Sophos Central or Sophos Enterprise Console (SEC) may become unresponsive upon restart.
See details >April 09, 2019
KB4493471Resolved May 14, 2019
01:21 PM PTSystem may be unresponsive after restart if Avira antivirus software installed
Devices with Avira antivirus software installed may become unresponsive upon restart.
See details >April 09, 2019
KB4493471Resolved May 14, 2019
01:19 PM PT
@@ -73,6 +74,15 @@ sections:
Authentication may fail for services after the Kerberos ticket expires
Authentication may fail for services that require unconstrained delegation after the Kerberos ticket expires.
See details >March 12, 2019
KB4489880Resolved
KB4499149May 14, 2019
10:00 AM PT
+ "
+
- title: April 2019
- items:
- type: markdown
diff --git a/windows/release-information/status-windows-server-2012.yml b/windows/release-information/status-windows-server-2012.yml
index 4b03573e5d..9136d15fb3 100644
--- a/windows/release-information/status-windows-server-2012.yml
+++ b/windows/release-information/status-windows-server-2012.yml
@@ -60,6 +60,7 @@ sections:
- type: markdown
text: "
+ Details Originating update Status History
+ Event Viewer may close or you may receive an error when using Custom Views
Back to topJune 11, 2019
KB4503273Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PT
+ Summary Originating update Status Last updated Event Viewer may close or you may receive an error when using Custom Views
When trying to expand, view or create Custom Views in Event Viewer, you may receive an error and the app may stop responding or close.
See details >June 11, 2019
KB4503285Mitigated June 12, 2019
05:43 PM PTIE11 may stop working when loading or interacting with Power BI reports
Power BI reports that contain line charts with markers may cause Internet Explorer 11 to stop working
See details >May 14, 2019
KB4499171Mitigated June 07, 2019
02:57 PM PTJapanese IME doesn't show the new Japanese Era name as a text input option
If previous dictionary updates are installed, the Japanese input method editor (IME) doesn't show the new Japanese Era name as a text input option.
See details >April 25, 2019
KB4493462Mitigated May 15, 2019
05:53 PM PT
@@ -83,6 +84,7 @@ sections:
- type: markdown
text: "
Certain operations performed on a Cluster Shared Volume may fail
Certain operations, such as rename, performed on files or folders on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
See details >January 08, 2019
KB4480975Mitigated April 25, 2019
02:00 PM PT
"
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index f7a788e6f8..1bd0ee3c7b 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -117,6 +117,74 @@ When enabling the Guest account, only grant limited rights and permissions. For
In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
+## HelpAssistant account (installed with a Remote Assistance session)
+
+
+The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.
+
+HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.
+
+**Security considerations**
+
+The SIDs that pertain to the default HelpAssistant account include:
+
+- SID: S-1-5-<domain>-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services.
+
+- SID: S-1-5-<domain>-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+
+For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+
+For details about the HelpAssistant account attributes, see the following table.
+
+**HelpAssistant account attributes**
+
+
+ Details Originating update Status History Event Viewer may close or you may receive an error when using Custom Views
Back to topJune 11, 2019
KB4503285Mitigated Last updated:
June 12, 2019
05:43 PM PT
Opened:
June 12, 2019
11:11 AM PTIE11 may stop working when loading or interacting with Power BI reports
Back to topMay 14, 2019
KB4499171Mitigated Last updated:
June 07, 2019
02:57 PM PT
Opened:
June 07, 2019
02:57 PM PT
+
### DefaultAccount
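Review bot: The added HelpAssistant text describes the account's lifecycle two different ways: the first paragraph calls it "a default local account that is enabled when a Remote Assistance session is run" and "automatically disabled" when no requests are pending, while the second paragraph says the account "is automatically created" after the invitation is accepted. Settle on one description, because anyone auditing local accounts needs to know whether an idle machine should show a disabled HelpAssistant entry or no entry at all. The new heading is also `##` while the sibling that follows is `### DefaultAccount`, which puts this section one level above the other default accounts. Please also confirm the `<domain>` component in `S-1-5-<domain>-13` and `S-1-5-<domain>-14` against the well-known SID list, since Terminal Server User and Remote Interactive Logon are described here as groups of all users who sign in a certain way rather than as domain-relative accounts.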
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 8713d91370..978d72142a 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -83,7 +83,7 @@ The special identity groups are described in the following tables:
- [This Organization](#this-organization)
-- [Window Manager\\Window Manager Group](#window-manager-window-manager-group)
+- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group)
## Anonymous Logon
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index 3d74e8a3b3..8d6b7d474a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -151,7 +151,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Windows Server 2012 or later Domain Controllers
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
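Review bot: The new fragment `#windows-server-2008-or-2008-r2-domain-controllers` implies a target heading spelled "2008 R2", but the link text on the same added line still reads "Windows Server 2008 or 2008R2 Domain Controllers". Update the link text to match the heading so the two do not drift again. While this paragraph is open, the context lines use "Sign-in" as a verb ("Sign-in the federation server with"); "Sign in to the federation server" is the correct form.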
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
index c4ffbeb3a0..58616c9d65 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -27,9 +27,6 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
[Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)
+
+
+
+Attribute
+Value
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
[Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)
-
-
-
## Azure AD joined in Managed environments

@@ -44,7 +41,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|G | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Azure AD joined in Federated environments

@@ -60,7 +57,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|H | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|I | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Hybrid Azure AD joined in Managed environments

@@ -75,7 +72,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
## Hybrid Azure AD joined in Federated environments

@@ -89,4 +86,4 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
|G | If Azure AD Connect device write-back is enabled, Azure AD Connect requests updates from Azure Active Directory at its next synchronization cycle (device write-back is required for hybrid deployment using certificate trust). Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.|
-[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+[Return to top](#windows-hello-for-business-and-device-registration)
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
index ca78d68e98..ef7fb31fff 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -22,9 +22,9 @@ ms.reviewer:
- Windows 10
Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
-- [Registration](#Registration)
-- [Provisioning](#Provisioning)
-- [Authentication](#Authentication)
+- [Registration](#registration)
+- [Provisioning](#provisioning)
+- [Authentication](#authentication)
## Registration
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index fbb7791800..24f1ffb00b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -90,7 +90,7 @@ Steps you will perform include:
- [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point)
- [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list)
-- [Configure the new CRL distribution point in the issuing certificate authority](#Configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority)
+- [Configure the new CRL distribution point and Publishing location in the issuing certificate authority](#configure-the-new-crl-distribution-point-and-publishing-location-in-the-issuing-certificate-authority)
- [Publish CRL](#publish-a-new-crl)
- [Reissue domain controller certificates](#reissue-domain-controller-certificates)
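Review bot: In the added list item, "Publishing location" is capitalized mid-phrase while the rest of the link text is sentence case; use "publishing location" unless the target heading is written that way. The next item, `[Publish CRL](#publish-a-new-crl)`, shows the same mismatch between link text and fragment and could be aligned in this pass so every entry in the step list reads like the heading it points to.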
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index b826287e64..c8c3fee1a5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -29,14 +29,14 @@ Windows Hello for Business involves configuring distributed technologies that ma
* [Active Directory](#active-directory)
* [Public Key Infrastructure](#public-key-infrastructure)
* [Azure Active Directory](#azure-active-directory)
-* [Active Directory Federation Services](#active-directory-federation-services)
+* [Multifactor Authentication Services](#multifactor-authentication-services)
New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization.
The new installation baseline begins with a basic Active Directory deployment and enterprise PKI.
-## Active Directory ##
+## Active Directory
This document expects you have Active Directory deployed with an _adequate_ number of Windows Server 2016 domain controllers for each site. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
Lab environments and isolated proof of concepts may want to limit the number of domain controllers. The purpose of these environments is to experiment and learn. Reducing the number of domain controllers can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal.
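Review bot: The unchanged paragraph under the list still says "to support your hybrid certificate trust Windows Hello for Business deployment", yet this file is hello-hybrid-key-new-install.md and the same sentence links to hello-hybrid-key-trust-dirsync.md. Since this hunk already replaces the Active Directory Federation Services entry with Multifactor Authentication Services, correct that wording to key trust in the same change, otherwise readers cannot tell which trust model the baseline is for. The last context line also needs a grammar pass: "can prevent troubleshooting issue, such as Active Directory replication, which is unrelated to activity's goal" should read "troubleshooting issues ... that are unrelated to the activity's goal".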
@@ -83,7 +83,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store.
> * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based URL.
-### Section Review ###
+### Section Review
> [!div class="checklist"]
> * Minimum Windows Server 2012 Certificate Authority.
@@ -92,7 +92,7 @@ If you do not have an existing public key infrastructure, please review [Certifi
> * Root certificate authority certificate (Azure AD Joined devices).
> * Highly available certificate revocation list (Azure AD Joined devices).
-## Azure Active Directory ##
+## Azure Active Directory
You’ve prepared your Active Directory. Hybrid Windows Hello for Business deployment needs Azure Active Directory to host your cloud-based identities.
The next step of the deployment is to follow the [Creating an Azure AD tenant](https://docs.microsoft.com/azure/active-directory/develop/active-directory-howto-tenant) process to provision an Azure tenant for your organization.
@@ -104,12 +104,13 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h
> * Create an Azure Active Directory Tenant.
> * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary.
-## Multifactor Authentication Services ##
+## Multifactor Authentication Services
Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA or a third-party MFA adapter
Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works.
-### Azure Multi-Factor Authentication (MFA) Cloud ###
+### Azure Multi-Factor Authentication (MFA) Cloud
+
> [!IMPORTANT]
> As long as your users have licenses that include Azure Multi-Factor Authentication, there's nothing that you need to do to turn on Azure MFA. You can start requiring two-step verification on an individual user basis. The licenses that enable Azure MFA are:
> * Azure Multi-Factor Authentication
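Review bot: The blank line added after `### Azure Multi-Factor Authentication (MFA) Cloud` is not applied to `## Multifactor Authentication Services`, which this same hunk also rewrites, so the heading spacing ends up inconsistent within a few lines. Add the blank line after both headings or after neither. While these lines are open, the unchanged paragraph under "Multifactor Authentication Services" ends "or a third-party MFA adapter" without a period, and the next sentence reads "familiarize yourself its purpose", which is missing "with".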
@@ -118,16 +119,16 @@ Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.co
>
> If you have one of these subscriptions or licenses, skip the Azure MFA Adapter section.
-#### Azure MFA Provider ####
+#### Azure MFA Provider
If your organization uses Azure MFA on a per-consumption model (no licenses), then review the [Create a Multifactor Authentication Provider](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider) section to create an Azure MFA Authentication provider and associate it with your Azure tenant.
-#### Configure Azure MFA Settings ####
+#### Configure Azure MFA Settings
Once you have created your Azure MFA authentication provider and associated it with an Azure tenant, you need to configure the multi-factor authentication settings. Review the [Configure Azure Multi-Factor Authentication settings](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-whats-next) section to configure your settings.
-#### Azure MFA User States ####
+#### Azure MFA User States
After you have completed configuring your Azure MFA settings, you want to review configure [User States](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-user-states) to understand user states. User states determine how you enable Azure MFA for your users.
-### Azure MFA via ADFS ###
+### Azure MFA via ADFS
Alternatively, you can configure Windows Server 2016 Active Directory Federation Services (AD FS) to provide additional multi-factor authentication. To configure, read the [Configure AD FS 2016 and Azure MFA](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-ad-fs-2016-and-azure-mfa) section.
### Section Review
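Review bot: The rewritten heading `### Azure MFA via ADFS` spells the product "ADFS" while the paragraph directly under it, and its link text, use "AD FS". Since the heading line is already being changed, make it `### Azure MFA via AD FS`, and check any in-page links to it because the generated anchor will change. The unchanged sentence under "Azure MFA User States" also reads "you want to review configure [User States]"; one of the two verbs should go.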
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index 07bcd4e0ba..1573d9e947 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -28,13 +28,14 @@ Hybrid environments are distributed systems that enable organizations to use on-
The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include:
* [Directories](#directories)
-* [Public Key Infrastructure](#public-key-infastructure)
+* [Public Key Infrastructure](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
-* [Federation](#federation)
+* [Federation](#federation-with-azure)
* [MultiFactor Authentication](#multifactor-authentication)
* [Device Registration](#device-registration)
-## Directories ##
+## Directories
+
Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription.
@@ -43,7 +44,7 @@ You can deploy Windows Hello for Business in any environment with Windows Server
Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs.
-### Section Review ###
+### Section Review
> [!div class="checklist"]
> * Active Directory Domain Functional Level
@@ -54,7 +55,7 @@ Review these requirements and those from the Windows Hello for Business planning
-## Public Key Infrastructure ##
+## Public Key Infrastructure
The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
@@ -83,7 +84,8 @@ The minimum required enterprise certificate authority that can be used with Wind
-## Directory Synchronization ##
+## Directory Synchronization
+
The two directories used in hybrid deployments must be synchronized. You need Azure Active Directory Connect to synchronize user accounts in the on-premises Active Directory with Azure Active Directory.
Organizations using older directory synchronization technology, such as DirSync or Azure AD sync need to upgrade to Azure AD Connect.
@@ -96,17 +98,20 @@ Organizations using older directory synchronization technology, such as DirSync
-## Federation with Azure ##
+## Federation with Azure
+
You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
-### Section Review ###
+### Section Review
+
> [!div class="checklist"]
> * Non-federated environments
> * Federated environments
-## Multifactor Authentication ##
+## Multifactor Authentication
+
Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication.
Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication (MFA) service or they can use multifactor authentication provided by AD FS beginning with Windows Server 2012 R2, which includes an adapter model that enables third parties to integrate their MFA into AD FS. The MFA enabled by an Office 365 license is sufficient for Azure AD.
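Review bot: In the "Federation with Azure" paragraph the Password Synchronization link is pinned to a locale (`https://docs.microsoft.com/en-us/azure/...`), while the Pass-through-Authentication link next to it omits the locale. Drop `/en-us` so readers are served their own language. The first sentence under "Multifactor Authentication" also has "credential the helps organizations", which should read "that helps"; worth fixing in the same pass since the heading above it is being edited.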
@@ -119,17 +124,20 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
-## Device Registration ##
+## Device Registration
+
Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory.
-### Section Checklist ###
+### Section Checklist
+
> [!div class="checklist"]
> * Device Registration with Azure Device Registration
-### Next Steps ###
+### Next Steps
+
Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**.
For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 969530cb43..161f924588 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -67,6 +67,9 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�**
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
+>[!IMPORTANT]
+>If you don't find options in GPO, you have to load the [PolicyDefinitions folder](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra).
+
### Windows Hello for Business Group Policy
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
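Review bot: The added IMPORTANT note does not say which options may be missing or in which editor, and it sits after the step that links an existing GPO to the Domain Controllers OU, where no policy settings are being browsed. If it refers to the Windows Hello for Business settings, move it under "Windows Hello for Business Group Policy" and name the settings node the reader should expect to see. "load the PolicyDefinitions folder" should also state the action, for example creating or updating the Central Store as the linked article describes. The marker is written `>[!IMPORTANT]` with no space after `>`, unlike the `> [!IMPORTANT]` form used in the other Hello for Business files in this diff.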
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 13cf3b5a0e..0c493ddc5d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -150,7 +150,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
### Windows Server 2016, 2012 R2 or later Domain Controllers
-Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section.
+Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008-r2-domain-controllers) section.
Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
1. Start **Server Manager**.
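Review bot: The new fragment `#windows-server-2008-or-2008-r2-domain-controllers` only resolves if the target heading is written "2008 R2" with a space, yet the link text in the same line still says "2008R2". Confirm the heading text and make the link text match it, otherwise the anchor is broken again in a different way. The paragraph also says "Windows Server 2012 or later Domain Controllers" under a heading that reads "Windows Server 2016, 2012 R2 or later Domain Controllers"; one of the two needs correcting.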
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
index fd1a237822..9b6ae813f1 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
@@ -174,7 +174,7 @@ Update the server using Windows Update until the server has no required or optio
#### Configure the IIS Server’s Certificate
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section.
+To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-servers-certificate) section.
#### Create WebServices SDK user account
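Review bot: The corrected link points at `#configure-the-iis-servers-certificate`, but the heading directly above this paragraph has the same title as the "previous" section the sentence refers to, so the file contains at least two headings that produce the same slug. Verify that the unsuffixed anchor lands on the earlier section and not on this one. Giving the two sections distinct titles would make the link unambiguous and keep it stable if sections are reordered.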
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index d0df6caa9a..2549af8feb 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -192,7 +192,7 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within
| **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.
**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. |
| **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.
**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. |
| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.
**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. |
-| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. |
+| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.
**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. |
### SMB hardening improvements for SYSVOL and NETLOGON shares
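Review bot: The new anchor `#microsoft-edge-and-internet-explorer11` has no hyphen before "11", while the link text in the same cell is "Microsoft Edge and Internet Explorer 11". If the target heading is really missing the space, fix the heading and keep the original anchor rather than encoding the typo into the link. If the heading does have the space, this change breaks a working link. Please confirm against the heading later in the topic.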
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 72ecea3686..c06a9f2d2f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -54,7 +54,7 @@ As a cloud service, it is required that computers have access to the internet an
| *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com|
| *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com|
| *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com|
-| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission |*.blob.core.windows.net|
+| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net |
| *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs |
| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols |
| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com|
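Review bot: The replacement cell in the "Malware submission storage" row puts ten host names on one line separated only by spaces, which is hard to read and easy to mis-copy into a proxy or firewall allow-list. Put one host per line inside the cell (for example with `<br/>` separators). Replacing `*.blob.core.windows.net` with named hosts is a tighter egress rule, but every other row still uses wildcards, so add a sentence saying whether this list is complete and how customers will learn of changes, since an allow-list built from it will silently block sample submission if a storage account is added. The row label `*Malware submission storage *` keeps a space before the closing asterisk, which stops the emphasis from rendering.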
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png
new file mode 100644
index 0000000000..1d68a3dcce
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_32_Main_App_Fix.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png
new file mode 100644
index 0000000000..03fa2f0b9c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_33_SecurityPrivacySettings_NoPrompt.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png
new file mode 100644
index 0000000000..99e4d16920
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_34_MAU.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
index c261037801..da0118cedb 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-manually.md
@@ -25,7 +25,7 @@ ms.topic: conceptual
[Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for Mac](microsoft-defender-atp-mac.md)
>[!IMPORTANT]
->This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available, and this topic only applies to enterprise customers who have been accepted into the preview program. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+>This topic relates to the pre-release version of Microsoft Defender ATP for Mac. Microsoft Defender ATP for Mac is not yet widely available. Microsoft makes no warranties, express or implied, with respect to the information provided here.
## Prerequisites and system requirements
@@ -79,7 +79,62 @@ To complete this process, you must have admin privileges on the machine.
The installation will proceed.
> [!NOTE]
-> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
+> If you don't select **Allow**, the installation will proceed after 5 minutes. Defender ATP will be loaded, but real-time protection will be disabled.
+
+### Fixing disabled Real Time Protection
+
+If you did not enable Microsoft's driver during installation, then Defender's application will display a banner prompting you to enable it:
+
+ 
+
+You can also run ```mdatp --health```. It will report if Real Time Protection is enabled but not available:
+
+```bash
+mavel-mojave:~ testuser$ mdatp --health
+...
+realTimeProtectionAvailable : false
+realTimeProtectionEnabled : true
+...
+```
+
+> [!NOTE]
+> You have a 30 minute window to enable Real Time Protection from the warning banner, immediately following installation.
+
+The warning banner containing a **Fix** button, which allows you to quickly enable Real Time Protection, without having to open a command prompt. Select the **Fix** button. It will prompt the **Security & Privacy** system window, where you will have to **Allow** system software from developers "Microsoft Corporation".
+
+If you don't see a prompt, it means that 30 or more minutes have already passed, and Real Time Protection has still not been enabled:
+
+
+
+In this case, you will need to perform the following steps to enable Real Time Protection instead.
+
+1. In Terminal, attempt to install the driver. (The operation will fail)
+ ```bash
+ mavel-mojave:~ testuser$ sudo kextutil /Library/Extensions/wdavkext.kext
+ Kext rejected due to system policy:
-
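Review bot: The rewritten NOTE says the installation proceeds after 5 minutes with real-time protection disabled, and the new section then gives a 30 minute window for the banner's **Fix** button, without saying that these are separate timers or what each one is measured from. State both explicitly, since the reader has to choose between the banner and the Terminal procedure based on them. Smaller points in the added text: inline code is written with triple backticks around `mdatp --health` where single backticks are meant; "The warning banner containing a **Fix** button" should be "contains"; "without having to open a command prompt" should say Terminal, as step 1 does; and the text alternates between "Real Time Protection" and "real-time protection".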
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 4104a10a84..647debfcee 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -22,13 +22,17 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
+
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
-Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, version 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
+
+Attack surface reduction rules help prevent behaviors malware often uses to infect computers with malicious code. You can set attack surface reduction rules for computers running Windows 10, versions 1704 and 1709 or later, Windows Server 2016 1803 or later, or Windows Server 2019.
+
To use attack surface reduction rules, you need a Windows 10 Enterprise license. If you have a Windows E5 license, it gives you the advanced management capabilities to power them. These include monitoring, analytics, and workflows available in [Microsoft Defender Advanced Threat Protection](../microsoft-defender-atp/microsoft-defender-advanced-threat-protection.md), as well as reporting and configuration capabilities in the Microsoft 365 Security Center. These advanced capabilities aren't available with an E3 license or with Windows 10 Enterprise without subscription, but you can use attack surface reduction rule events in Event Viewer to help facilitate deployment.
+
Attack surface reduction rules target behaviors that malware and malicious apps typically use to infect computers, including:
- Executable files and scripts used in Office apps or web mail that attempt to download or run files
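Review bot: The new supported-versions sentence reads "Windows 10, versions 1704 and 1709 or later". 1704 is not a Windows 10 release identifier (the release before 1709 is 1703), and "1704 and 1709 or later" does not parse as a clear minimum version. The removed line said "version 1709 or later"; unless support for an earlier release has been confirmed, keep that wording, and if it has, name the release correctly and say "version X or later". The three added blank lines are fine.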
@@ -63,6 +67,8 @@ Event ID | Description
1121 | Event when rule fires in Block-mode
1122 | Event when rule fires in Audit-mode
+The "engine version" of attack surface reduction events in the event log, is generated by Microsoft Defender ATP, not the operating system. Microsoft Defender ATP is integrated with Windows 10, so this feature works on all machines with Windows 10 installed.
+
## Attack surface reduction rules
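Review bot: The added sentence "this feature works on all machines with Windows 10 installed" contradicts the requirements stated earlier in the same file, which limit attack surface reduction rules to specific Windows 10 and Windows Server versions and require a Windows 10 Enterprise license. Scope the claim to supported versions and editions, or drop the second sentence. It is also unclear what "this feature" refers to (the rules or the engine version field), and the comma after "event log" should be removed.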
@@ -207,7 +213,7 @@ GUID: c1db55ab-c21a-4637-bb3f-a12568109d35
### Block credential stealing from the Windows local security authority subsystem (lsass.exe)
-Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Windows Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
+Local Security Authority Subsystem Service (LSASS) authenticates users who log in to a Windows computer. Microsoft Defender Credential Guard in Windows 10 normally prevents attempts to extract credentials from LSASS. However, some organizations can't enable Credential Guard on all of their computers because of compatibility issues with custom smartcard drivers or other programs that load into the Local Security Authority (LSA). In these cases, attackers can use tools like Mimikatz to scrape cleartext passwords and NTLM hashes from LSASS. This rule helps mitigate that risk by locking down LSASS.
>[!NOTE]
>In some apps, the code enumerates all running processes and attempts to open them with exhaustive permissions. This rule denies the app's process open action and logs the details to the security event log. This rule can generate a lot of noise. If you have an app that overly enumerates LSASS, you need to add it to the exclusion list. By itself, this event log entry doesn't necessarily indicate a malicious threat.
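Review bot: "Windows Defender Credential Guard" is renamed to "Microsoft Defender Credential Guard" in this sentence, while other files in this diff keep the "Windows Defender" prefix for Windows Defender Antivirus and Windows Defender Firewall. Please confirm that Credential Guard is covered by the rebrand before changing the product name here, and if it is, apply the rename consistently across the topic rather than in one sentence.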
@@ -284,3 +290,5 @@ GUID: e6db77e5-3df2-4cf1-b95a-636979351e5b
- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
+- [Compatibility of Microsoft Defender with other antivirus/antimalware](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility)
+
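Review bot: The added related-topic entry uses an absolute `https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/...` URL, while the two entries above it and the Microsoft Defender ATP link earlier in the file use relative `.md` paths. The target sits under the same `threat-protection` tree, so link it relatively (for example `../windows-defender-antivirus/windows-defender-antivirus-compatibility.md`) so link validation covers it. The trailing blank `+` line at the end of the file can be dropped.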
diff --git a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
index 851b77b568..ea78e8de16 100644
--- a/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
+++ b/windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md
@@ -29,10 +29,6 @@ To configure Windows Defender Firewall with Advanced Security to log dropped pac
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
-In this topic:
-
-- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log)
-
## To configure the Windows Defender Firewall with Advanced Security log
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
diff --git a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
index bba537328b..17d43619ee 100644
--- a/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
+++ b/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
@@ -29,12 +29,6 @@ This procedure shows you how to open the Windows Defender Firewall with Advanced
To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations.
-## Opening Windows Defender Firewall
-
-- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui)
-
-- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt)
-
## To open Windows Defender Firewall using the UI
Click Start, type **Windows Defender Firewall**, and the press ENTER.
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
index 239517c529..e9ada36273 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-configuration-framework.md
@@ -35,7 +35,7 @@ This new security configuration framework, which we affectionately nickname the
- [Level 2 enterprise enhanced security](level-2-enterprise-enhanced-security.md) – We recommend this configuration for devices where users access sensitive or confidential information. Some of the controls may have an impact to app compat, and therefore will often go through an audit-configure-enforce workflow. Recommendations for this level are generally accessible to most organizations and are designed to be deployable within 90 days.
- [Level 3 enterprise high security](level-3-enterprise-high-security.md) – We recommend this configuration for devices run by an organization with a larger or more sophisticated security team, or for specific users or groups who are at uniquely high risk (as one example, one organization identified users who handle data whose theft would directly and seriously impact their stock price). An organization likely to be targeted by well-funded and sophisticated adversaries should aspire to this configuration. Recommendations for this level can be complex (for example, removing local admin rights for some organizations can be a long project in and of itself) and can often go beyond 90 days.
- [Level 4 DevOps workstation](level-4-enterprise-devops-security.md) – We recommend this configuration for developers and testers, who are an attractive target both for supply chain attacks and access to servers and systems containing high value data or where critical business functions could be disrupted. Level 4 guidance is coming soon!
-- [Level 1 administrator workstation](level-5-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 5 guidance is coming soon!
+- [Level 5 administrator workstation](level-5-enterprise-administrator-security.md) – Administrators (particularly of identity or security systems) present the highest risk to the organization, through data theft, data alteration, or service disruption. Level 5 guidance is coming soon!
The security configuration framework divides configuration into Productivity Devices and Privileged Access Workstations. This document will focus on Productivity Devices
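Review bot: The corrected "Level 5 administrator workstation" entry, like the Level 4 entry above it, links to a topic file while the text says its guidance "is coming soon". Confirm that `level-5-enterprise-administrator-security.md` and `level-4-enterprise-devops-security.md` exist in the repository; if they are placeholders or missing, leave the titles unlinked until the content is published. The closing context sentence "This document will focus on Productivity Devices" is also missing its period.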