Merge pull request #3685 from MicrosoftDocs/FromPrivateRepo

From private repo
2025-05-12 13:27:23 +00:00 · 2019-05-14 15:35:52 -07:00 · 2019-05-14 15:35:52 -07:00 · 83c4e47385
commit 83c4e47385
parent 2cd9e84282 c658ff628a
13 changed files with 50 additions and 44 deletions
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -1398,8 +1398,8 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <ul>
 <li>ApplicationManagement/LaunchAppAfterLogOn</li>
 <li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
-<li>Authentication/EnableFastFirstSignIn</li>
+<li>Authentication/EnableFastFirstSignIn (Preview mode only)</li>
-<li>Authentication/EnableWebSignIn</li>
+<li>Authentication/EnableWebSignIn (Preview mode only)</li>
 <li>Authentication/PreferredAadTenantDomainName</li>
 <li>Browser/AllowFullScreenMode</li>
 <li>Browser/AllowPrelaunch</li>
@ -1943,8 +1943,8 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <ul>
 <li>ApplicationManagement/LaunchAppAfterLogOn</li>
 <li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
-<li>Authentication/EnableFastFirstSignIn</li>
+<li>Authentication/EnableFastFirstSignIn (Preview mode only)</li>
-<li>Authentication/EnableWebSignIn</li>
+<li>Authentication/EnableWebSignIn (Preview mode only)</li>
 <li>Authentication/PreferredAadTenantDomainName</li>
 <li>Defender/CheckForSignaturesBeforeRunningScan</li>
 <li>Defender/DisableCatchupFullScan </li>
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -364,10 +364,10 @@ The following diagram shows the Policy configuration service provider in tree fo
    <a href="./policy-csp-authentication.md#authentication-allowsecondaryauthenticationdevice" id="authentication-allowsecondaryauthenticationdevice">Authentication/AllowSecondaryAuthenticationDevice</a>
  </dd>
  <dd>
-    <a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a>
+    <a href="./policy-csp-authentication.md#authentication-enablefastfirstsignin" id="authentication-enablefastfirstsignin">Authentication/EnableFastFirstSignIn</a> (Preview mode only)
  </dd>
  <dd>
-    <a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a>
+    <a href="./policy-csp-authentication.md#authentication-enablewebsignin" id="authentication-enablewebsignin">Authentication/EnableWebSignIn</a> (Preview mode only)
  </dd>
  <dd>
    <a href="./policy-csp-authentication.md#authentication-preferredaadtenantdomainname" id="authentication-preferredaadtenantdomainname">Authentication/PreferredAadTenantDomainName</a>
--- a/windows/client-management/mdm/policy-csp-authentication.md
+++ b/windows/client-management/mdm/policy-csp-authentication.md
@ -354,6 +354,9 @@ The following list shows the supported values:
 <!--/Scope-->
 <!--Description-->
 > [!Warning]
 > This policy is only in preview mode and therefore not meant or recommended for production purposes.
 This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts.
 Value type is integer. Supported values:
@ -412,9 +415,12 @@ Value type is integer. Supported values:
 <!--/Scope-->
 <!--Description-->
 > [!Warning]
 > This policy is only in preview mode and therefore not meant or recommended for production purposes.
 "Web Sign-in" is a new way of signing into a Windows PC. It enables Windows logon support for non-ADFS federated providers (e.g. SAML). 
-> [!Note]  
+> [!Note]
 > Web Sign-in is only supported on Azure AD Joined PCs.
 Value type is integer. Supported values:
@ -514,4 +520,4 @@ Footnotes:
 - 3 - Added in Windows 10, version 1709.
 - 4 - Added in Windows 10, version 1803.
 - 5 - Added in Windows 10, version 1809.
- 6 - Added in the next major release of Windows 10.
+- 6 - Added in Windows 10, version 1903.
--- a/windows/deployment/update/waas-delivery-optimization-reference.md
+++ b/windows/deployment/update/waas-delivery-optimization-reference.md
@ -5,9 +5,9 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-author: JaimeO
+author: greg-lindsay
 ms.localizationpriority: medium
-ms.author: jaimeo
+ms.author: greglin
 ms.collection: M365-modern-desktop
 ms.topic: article
 ---
@ -37,7 +37,7 @@ In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimiz
 | --- | --- | --- |
 | [Download mode](#download-mode) | DODownloadMode | 1511 |
 | [Group ID](#group-id)  | DOGroupID | 1511 |
-| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
+| [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) | DOMinRAMAllowedToPeer | 1703 |
 | [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) | DOMinDiskSizeAllowedToPeer | 1703 |
 | [Max Cache Age](#max-cache-age) | DOMaxCacheAge | 1511 |
 | [Max Cache Size](#max-cache-size)  | DOMaxCacheSize | 1511 |
@ -70,7 +70,7 @@ Delivery Optimization uses locally cached updates. In cases where devices have a
 - The system drive is the default location for the Delivery Optimization cache. [Modify Cache Drive](#modify-cache-drive) allows administrators to change that location.
 >[!NOTE]
->It is possible to configure preferred cache devices. For more information, see [Set “preferred” cache devices for Delivery Optimization](#set-preferred-cache-devices).
+>It is possible to configure preferred cache devices. For more information, see [Group ID](#group-id).
 All cached files have to be above a set minimum size. This size is automatically set by the Delivery Optimization cloud services, but when local storage is sufficient and the network isn't strained or congested, administrators might choose to change it to obtain increased performance. You can set the minimum size of files to cache by adjusting [Minimum Peer Caching Content File Size](#minimum-peer-caching-content-file-size).
@ -89,7 +89,7 @@ Additional options available that control the impact Delivery Optimization has o
 - [Delay foreground download from http (in secs)](#delay-foreground-download-from-http-in-secs) allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use P2P.
 Administrators can further customize scenarios where Delivery Optimization will be used with the following settings:
- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
+- [Minimum RAM (inclusive) allowed to use Peer Caching](#minimum-ram-inclusive-allowed-to-use-peer-caching) sets the minimum RAM required for peer caching to be enabled.
 - [Minimum disk size allowed to use Peer Caching](#minimum-disk-size-allowed-to-use-peer-caching) sets the minimum disk size required for peer caching to be enabled.
 - [Enable Peer Caching while the device connects via VPN](#enable-peer-caching-while-the-device-connects-via-vpn) allows clients connected through VPN to use peer caching.
 - [Allow uploads while the device is on battery while under set Battery level](#allow-uploads-while-the-device-is-on-battery-while-under-set-battery-level) controls the minimum battery level required for uploads to occur. You must enable this policy to allow upload while on battery.
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@ -5,9 +5,9 @@ keywords: oms, operations management suite, wdav, updates, downloads, log analyt
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-author: JaimeO
+author: greg-lindsay
 ms.localizationpriority: medium
-ms.author: jaimeo
+ms.author: greglin
 ms.collection: M365-modern-desktop
 ms.topic: article
 ---
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md
@ -25,8 +25,8 @@ IT admins can perform a local Windows Autopilot Reset to quickly remove personal
 To enable local Autopilot Reset in Windows 10:
-1. [Enable the policy for the feature](#enable-autopilot-reset)
+1. [Enable the policy for the feature](#enable-local-autopilot-reset)
-2. [Trigger a reset for each device](#trigger-autopilot-reset)
+2. [Trigger a reset for each device](#trigger-local-autopilot-reset)
 ## Enable local Windows Autopilot Reset
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md
@ -80,7 +80,7 @@ The following services are required:
 Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work.  These procedures install additional components that may need to be updated.
-#### Configure the IIS Server’s Certificate
+#### Configure the IIS Server Certificate
 The TLS protocol protects all the communication to and from the MFA server. To enable this protection, you must configure the default web site to use the previously enrolled server authentication certificate.
@ -171,9 +171,9 @@ To do this, please follow the instructions mentioned in the previous [Install th
 Update the server using Windows Update until the server has no required or optional updates as the Azure MFA Server software may require one or more of these updates for the installation and software to correctly work.  These procedures install additional components that may need to be updated.
-#### Configure the IIS Server’s Certificate
+#### Set the IIS Server Certificate
-To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server’s-certificate) section.
+To do this, please follow the instructions mentioned in the previous [Configure the IIS Server’s Certificate](#configure-the-iis-server-certificate) section.
 #### Create WebServices SDK user account
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@ -28,7 +28,7 @@ Windows Hello for Business involves configuring distributed technologies that ma
 * [Active Directory](#active-directory)
 * [Public Key Infrastructure](#public-key-infrastructure)
 * [Azure Active Directory](#azure-active-directory)
-* [Multi-factor Authentication Services](#multi-factor-authentication-services)
+* [Multifactor Authentication Services](#multifactor-authentication-services)
 New installations are considerably more involved than existing implementations because you are building the entire infrastructure.  Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment.  If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration.
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/08/2019
+ms.date: 05/13/2019
 ---
 # Customize attack surface reduction rules
@ -31,20 +31,18 @@ You can use Group Policy, PowerShell, and MDM CSPs to configure these settings.
 ## Exclude files and folders
-You can exclude files and folders from being evaluated by all attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. 
+You can exclude files and folders from being evaluated by attack surface reduction rules. This means that even if an attack surface reduction rule detects that the file contains malicious behavior, the file will not be blocked from running. 
 This could potentially allow unsafe files to run and infect your devices.
 >[!WARNING]
->Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
+>This could potentially allow unsafe files to run and infect your devices. Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded.
 > 
 >If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you cannot specify if the exclusions should only be applied to individual rules: the exclusions will apply to all rules that are enabled (or placed in audit mode) and that allow exclusions.
+An exclusion applies to all rules that allow exclusions. You can specify an individual file, folder path, or the fully qualified domain name for a resource, but you cannot limit an exclusion to certain rules.
 An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 Attack surface reduction supports environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
 If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
 Exclusions apply to all attack surface reduction rules.
 Rule description | GUID 
 -|:-:|-
@ -76,9 +74,9 @@ See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) to
 4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. 
-### Use PowerShell to exclude files and folderss
+### Use PowerShell to exclude files and folders
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
    ```PowerShell
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/07/2019
+ms.date: 05/13/2019
 ---
 # Customize controlled folder access
@ -89,13 +89,14 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.m
 You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. 
 >[!IMPORTANT]
->By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
+>By default, Windows adds apps that it considers friendly to the allowed list—apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets.
 >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness.
 You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders.
 When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access.
 An allowed application or service only has write access to a controlled folder after it starts. For example, if you allow an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 ### Use the Windows Defender Security app to allow specific apps
 1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**.
@ -106,7 +107,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
 4. Click **Add an allowed app** and follow the prompts to add apps.
-    ![Screenshot of the add an allowed app button](images/cfa-allow-app.png)
+    ![Screenshot of how to add an allowed app button](images/cfa-allow-app.png)
 ### Use Group Policy to allow specific apps
@ -120,7 +121,7 @@ When you add an app, you have to specify the app's location. Only the app in tha
 ### Use PowerShell to allow specific apps
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
+1. Type **powershell** in the Start menu, right-click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
    ```PowerShell
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/09/2019
+ms.date: 05/13/2019
 ---
 # Enable attack surface reduction rules
@ -51,7 +51,7 @@ You can exclude files and folders from being evaluated by most attack surface re
 >- Block process creations originating from PSExec and WMI commands
 >- Block JavaScript or VBScript from launching downloaded executable content
-You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
+You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to. An exclusion is applied only when when the excluded application or service starts. For example, if you add an exclusion for an update service that is already running, the update service will continue to trigger events until the service is stopped and restarted.
 ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/09/2019
+ms.date: 05/13/2019
 ---
 # Enable controlled folder access
@ -63,7 +63,7 @@ For more information about disabling local list merging, see [Prevent or allow u
   ![Enable controlled folder access in Intune](images/enable-cfa-intune.png)
   >[!NOTE]
-   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. 
+   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted. 
 1. Click **OK** to save each open blade and click **Create**. 
 1. Click the profile **Assignments**, assign to **All Users & All Devices**, and click **Save**.
@ -79,7 +79,7 @@ Use the [./Vendor/MSFT/Policy/Config/ControlledFolderAccessProtectedFolders](htt
 1. Enter a name and a description, click **Controlled folder access**, and click **Next**.
 1. Choose whether block or audit changes, allow other apps, or add other folders, and click **Next**.
   >[!NOTE]
-   >Wilcard is supported for applications, but not for folders. Subfolders are not protected.  
+   >Wilcard is supported for applications, but not for folders. Subfolders are not protected. Allowed apps will continue to trigger events until they are restarted.
 1. Review the settings and click **Next** to create the policy.
 1. After the policy is created, click **Close**. 
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 05/10/2019
+ms.date: 05/13/2019
 ---
 # Enable network protection
@ -22,6 +22,7 @@ ms.date: 05/10/2019
 [Network protection](network-protection-exploit-guard.md) helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. 
 You can [audit network protection](evaluate-network-protection.md) in a test environment to see which apps would be blocked before you enable it.  
 You can enable network protection by using any of these methods:
 - [Microsoft Intune](#intune)