Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

2025-06-21 05:13:40 +00:00 · 2018-10-31 15:41:18 -07:00
parent 230f915025 fa2d06bc38
commit 8dd8e99269
35 changed files with 297 additions and 202 deletions
--- a/windows/deployment/planning/windows-10-fall-creators-deprecation.md
+++ b/windows/deployment/planning/windows-10-fall-creators-deprecation.md
@ -6,7 +6,7 @@ ms.mktglfcycl: plan
 ms.localizationpriority: medium
 ms.sitesec: library
 author: lizap
-ms.date: 10/09/2017
+ms.date: 10/30/2018
 ---
 # Features that are removed or deprecated in Windows 10 Fall Creators Update

@ -31,7 +31,7 @@ For more information about a listed feature or functionality and its replacemen
 |**Reading List** <br> Functionality to be integrated into Microsoft Edge.| X | |
 |**Resilient File System (ReFS)**  <br>  Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations.  Creation ability will be removed from all other editions. All other editions will have Read and Write ability. <br> (added: August 17, 2017)| | X |
 |**RSA/AES Encryption for IIS**  <br>  We recommend that users use CNG encryption provider.| | X |
-|**Screen saver functionality in Themes** <br>  To be disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep is now deprecated but continues to be functional. Lockscreen features and policies are preferred. | X | X |
+|**Screen saver functionality in Themes** <br>  Disabled in Themes (classified as **Removed** in this table). Screen saver functionality in Group Policies, Control Panel, and Sysprep continues to be functional. Lockscreen features and policies are preferred. | X | X |
 |**Sync your settings** <br> Back-end changes: In future releases, the back-end storage for the current sync process will change. A single cloud storage system will be used for Enterprise State Roaming and all other users. The "Sync your settings" options and the Enterprise State Roaming feature will continue to work. <br>(updated: August 17, 2017) |  | X |
 |**Syskey.exe** <br> Removing this nonsecure security feature. We recommend that users use BitLocker instead. For more information, see the following Knowledge Base article: [4025993 Syskey.exe utility is no longer supported in Windows 10 RS3 and Windows Server 2016 RS3](https://support.microsoft.com/help/4025993/syskey-exe-utility-is-no-longer-supported-in-windows-10-rs3-and-window)| X | |
 |**System Image Backup (SIB) Solution** <br> We recommend that users use full-disk backup solutions from other vendors.| | X |
--- a/windows/deployment/windows-autopilot/TOC.md
+++ b/windows/deployment/windows-autopilot/TOC.md
@ -21,3 +21,4 @@
 ## Getting started
 ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md)
 ## [Troubleshooting](troubleshooting.md)
+## [Support](autopilot-support.md)
--- a/windows/deployment/windows-autopilot/autopilot-faq.md
+++ b/windows/deployment/windows-autopilot/autopilot-faq.md
@ -0,0 +1,19 @@
+---
+title: Windows Autopilot support
+description: Support information for Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/31/2018
+---
+
+# Windows Autopilot FAQ
+
+**Applies to: Windows 10**
+
+This document is pending publication. Please check back soon.
--- a/windows/deployment/windows-autopilot/autopilot-support.md
+++ b/windows/deployment/windows-autopilot/autopilot-support.md
@ -0,0 +1,43 @@
+---
+title: Windows Autopilot support
+description: Support information for Windows Autopilot
+keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: low
+ms.sitesec: library
+ms.pagetype: deploy
+author: greg-lindsay
+ms.author: greg-lindsay
+ms.date: 10/31/2018
+---
+
+# Windows Autopilot support information
+
+**Applies to: Windows 10**
+
+The following table displays support information for the Windows Autopilot program.  
+
+Before contacting the resources listed below for Windows Autopilot-related issues, check the [Windows Autopilot FAQ](autopilot-faq.md).
+
+| Audience | Support contact |
+| --- | --- |
+OEM or Channel Partner registering devices as a CSP (via MPC) | Use the help resources available in MPC. Whether you are a named partner or a channel partner (distributor, reseller, SI, etc.), if you’re a CSP registering Autopilot devices through MPC (either manually or through the MPC API), your first-line of support should be the help resources within MPC. |
+| OEM registering devices using OEM Direct API | Contact MSOEMOPS@microsoft.com. Response time depends on priority: <br>Low – 120 hours <br>Normal – 72 hours <br>High – 24 hours <br>Immediate – 4 hours |
+| OEM with a PFE | Reach out to your PFE for support.  |
+| Partners with a Partner Technology Strategist (PTS) |  If you have a PTS (whether you’re a CSP or not), you may first try working through your account’s specific Partner Technology Strategist (PTS). |
+| Partners with an Ecosystem PM | If you have an Ecosystem PM (whether you’re a CSP or not), you may first try working through your account’s specific Ecosystem PM, especially for technical issues.  |
+| Enterprise customers | Contact your Technical Account Manager (TAM), or Account Technology Strategist (ATS), or Customer Service Support (CSS) representative.  |
+| End-user | Contact your IT administrator.  |
+| Microsoft Partner Center (MPC) users |  Use the [help resources](https://partner.microsoft.com/support) available in MPC. |
+| Microsoft Store for Business (MSfB) users | Use the help resources available in MSfB.  |
+| Intune users | From the Microsoft Azure portal, click [Help + support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/overview).  |
+| Microsoft 365 Business | Support is accessible directly through the Microsoft 365 Business portal when logged in:  https://support.microsoft.com/en-us.  |
+| Queries relating to MDA testing | Contact MDAHelp@microsoft.com.  |
+| All other queries, or when unsure who to contact | Contact msoemops@microsoft.com. |
+
+
+
+
+
+
--- a/windows/deployment/windows-autopilot/enrollment-status.md
+++ b/windows/deployment/windows-autopilot/enrollment-status.md
@ -10,28 +10,36 @@ ms.pagetype: deploy
 ms.localizationpriority: medium
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/02/2018
+ms.date: 10/31/2018
 ---

 # Windows Autopilot Enrollment Status page

 The Windows Autopilot Enrollment Status page displaying the status of the complete device configuration process.  Incorporating feedback from customers, this provides information to the user to show that the device is being set up and can be configured to prevent access to the desktop until the configuration is complete. 
 
- ![Enrollment Status Page](images/enrollment-status-page.png)
+ ![Enrollment status page](images/enrollment-status-page.png)

 ## Available settings

- The following settings can be configured:
+ The following settings can be configured to customize behavior of the enrollment status page:

- - Show app and profile installation progress.  When enabled, the Enrollment Status page is displayed.
- - Block device use until all apps and profiles are installed.  When enabled, the Enrollment Status page will be displayed until the device configuraton process is complete.  When not enabled, the user can dismiss the page at any time.
- - Allow users to reset device if installation errors occur.
- - Allow users to use device if installation errors occur.
- - Show error when installation takes longer than the specified number of minutes.
- - Show custom error message when an error occurs.
- - Allow users to collect logs about installation errors.
+<table>
+<th align=left>Setting<th align=left>Yes<th align=left>No
+<tr><td>Show app and profile installation progress<td>The enrollment status page is displayed.<td>The enrollment status page is not displayed.
+<tr><td>Block device use until all apps and profiles are installed<td>The settings in this table are made available to customize behavior of the enrollment status page, so that the user can address potential installation issues.
+<td>The enrollment status page is displayed with no additional options to address installation failures.
+<tr><td>Allow users to reset device if installation error occurs<td>A <b>Reset device</b> button is displayed if there is an installation failure.<td>The <b>Reset device</b> button is not displayed if there is an installation failure.
+<tr><td>Allow users to use device if installation error occurs<td>A <b>Continue anyway</b> button is displayed if there is an installation failure.<td>The <b>Continue anyway</b> button is not displayed if there is an installation failure.
+<tr><td>Show error when installation takes longer than specified number of minutes<td colspan=2>Specify the number of minutes to wait for installation to complete. A default value of 60 minutes is entered.
+<tr><td>Show custom message when an error occurs<td>A text box is provided where you can specify a custom message to display in case of an installation error.<td>The default message is displayed: <br><b>Oh no! Something didn't do what it was supposed to.  Please contact your IT department.<b>
+<tr><td>Allow users to collect logs about installation errors<td>If there is an installation error, a <b>Collect logs</b> button is displayed. <br>If the user clicks this button they are asked to choose a location to save the log file <b>MDMDiagReport.cab</b><td>The <b>Collect logs</b> button is not displayed if there is an installation error.
+</table>

-## Installation progress tracked
+See the following example:
+
+ ![Enrollment status page settings](images/esp-settings.png)
+
+## Installation progress tracking

 The Enrollment Status page tracks a subset of the available MDM CSP policies that are delivered to the device as part of the complete device configuration process.  The specific types of policies that are tracked include:

--- a/windows/deployment/windows-autopilot/existing-devices.md
+++ b/windows/deployment/windows-autopilot/existing-devices.md
@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: deploy
 author: greg-lindsay
 ms.author: greg-lindsay
-ms.date: 10/22/2018
+ms.date: 10/31/2018
 ---

 # Windows Autopilot for existing devices
@ -295,6 +295,6 @@ The Task Sequence will download content, reboot, format the drives and install W

 ### Register the device for Windows Autopilot

-Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. There is currently no automatic registration into Windows Autopilot. Therefore, once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset.
+Devices provisioned through Autopilot will only receive the guided OOBE Autopilot experience on first boot. Once updated to Windows 10, the device should be registered to ensure a continued Autopilot experience in the event of PC reset. You can enable automatic registration for an assigned group using the **Convert all targeted devices to Autopilot** setting. For more information, see [Create an Autopilot deployment profile](https://docs.microsoft.com/en-us/intune/enrollment-autopilot#create-an-autopilot-deployment-profile).

-For more information, see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices).
+Also see [Adding devices to Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/add-devices).
--- a/windows/deployment/windows-autopilot/images/esp-settings.png
+++ b/windows/deployment/windows-autopilot/images/esp-settings.png
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@ -17,10 +17,10 @@ ms.date: 08/19/2018

 Device Registration is a prerequisite to Windows Hello for Business provisioning.  Device registration occurs regardless of a cloud, hybrid, or on-premises deployments.  For cloud and hybrid deployments, devices register with Azure Active Directory. For on-premises deployments, devices registered with the enterprise device registration service hosted by Active Directory Federation Services (AD FS).

-[Azure AD joined in Managed environments](#Azure-AD-joined-in-Managed-environments)<br>
-[Azure AD joined in Federated environments](#Azure-AD-joined-in-Federated-environments)<br>
-[Hybrid Azure AD joined in Managed environments](#HybridAzure-AD-joined-in-Managed-environments)<br>
-[Hybrid Azure AD joined in Federated environments](#Hybrid-Azure-AD-joined-in-Federated-environments)<br>
+[Azure AD joined in Managed environments](#azure-ad-joined-in-managed-environments)<br>
+[Azure AD joined in Federated environments](#azure-ad-joined-in-federated-environments)<br>
+[Hybrid Azure AD joined in Managed environments](#hybrid-azure-ad-joined-in-managed-environments)<br>
+[Hybrid Azure AD joined in Federated environments](#hybrid-azure-ad-joined-in-federated-environments)<br>



@ -47,7 +47,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
 | :----: | :----------- |
 |A | The most common way Azure AD joined devices register with Azure is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application.  The application sends a GET request to the Azure OpenID configuration endpoint to discover authorization endpoints.  Azure returns the OpenID configuration, which includes the authorization endpoints, to application as JSON document.|
 |B | The application builds a sign-in request for the authorization end point and collects user credentials.|
-|C |  After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user.  This determines if the environment is managed or federated.  Azure returns the information in a JSON object.  The application determines the environment is managed (non-federated).<br>The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object.  The application collects credentials through the STS web page.|
+|C |  After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user.  This determines if the environment is managed or federated.  Azure returns the information in a JSON object.  The application determines the environment is federated.<br>The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object.  The application collects credentials through the STS web page.|
 |D | The application POST the credential to the on-premises STS, which may require additional factors of authentication.  The on-premises STS authenticates the user and returns a token.   The application POSTs the token to Azure Active Directory for authentication.  Azure Active Directory validates the token and returns an ID token with claims.|
 |E | The application looks for MDM terms of use (the mdm_tou_url claim). If present, the application retrieves the terms of use from the claim's value, present the contents to the user, and waits for the user to accept the terms of use.  This step is optional and skipped if the claim is not present or if the claim value is empty.|
 |F | The application sends a device registration discovery request to the Azure Device Registration Service (ADRS).  Azure DRS returns a discovery data document, which returns tenant specific URIs to complete device registration.|
@ -77,8 +77,8 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
 | Phase  | Description  |
 | :----: | :----------- |
 | A | The user signs in to a domain joined Windows 10 computers using domain credentials.  This can be user name and password or smart card authentication.  The user sign-in triggers the Automatic Device Join task.|
-|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com).  The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
-|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication.  The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated.  Azure Active Directory returns an ID token to the running task.
+|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com).  The value returned in the keywords attribute determines directs device registration to Azure Device Registration Service (ADRS).|
+|C | For the federated environments, the computer authenticates ADFS/STS using Windows integrated authentication.  The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated.  Azure Active Directory returns an ID token to the running task.
 |D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv).  The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv.  Next, the application derives second key pair from the TPM's storage root key.  This is the transport key (tkpub/tkpriv).|
 |E | To provide SSO for on-premises federated application, the task requests an enterprise PRT from the on-premises STS. Windows Server 2016 running the Active Directory Federation Services role validate the request and return it the running task.|
 |F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data.  Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.  Device registration completes by receiving the device ID and the device certificate from Azure DRS.  The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer.  With device registration complete, the task exits.|
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@ -8,33 +8,33 @@ ms.pagetype: security
 author: mikestephens-MS
 ms.author: mstephen
 localizationpriority: high
-ms.date: 08/19/2018
+ms.date: 10/08/2018
 ---
 # Technology and Terms

 **Applies to:**
 -   Windows 10

- [Attestation Identity Keys](#Attestation-Identity-Keys)
- [Azure AD Joined](#Azure-AD-Joined)
- [Azure AD Registered](#Azure-AD-Registered)
- [Certificate Trust](#Certificate-Trust)
- [Cloud Deployment](#Cloud-Deployment)
- [Deployment Type](#Deployment-Type)
- [Endorsement Key](#Endorsement-Key)
- [Federated Environment](#Federated-Environment)
- [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
- [Hybrid Deployment](#Hybrid-Deployment)
- [Join Type](#Join-Type)
- [Key Trust](#Key-Trust)
- [Managed Environment](#Managed-Environment)
- [On-premises Deployment](#Onpremises-Deployment)
- [Pass-through Authentication](#Passthrough-Authentication)
- [Password Hash Synchronization](#Password-Hash-Synchronization)
- [Primary Refresh Token](#Primary-Refresh-Token) 
- [Storage Root Key](#Storage-Root-Key)
- [Trust Type](#Trust-Type)
- [Trusted Platform Module](#Trusted-Platform-Module)
+- [Attestation Identity Keys](#attestation-identity-keys)
+- [Azure AD Joined](#azure-ad-joined)
+- [Azure AD Registered](#azure-ad-registered)
+- [Certificate Trust](#certificate-trust)
+- [Cloud Deployment](#cloud-deployment)
+- [Deployment Type](#deployment-type)
+- [Endorsement Key](#endorsement-key)
+- [Federated Environment](#federated-environment)
+- [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)
+- [Hybrid Deployment](#hybrid-deployment)
+- [Join Type](#join-type)
+- [Key Trust](#key-trust)
+- [Managed Environment](#managed-environment)
+- [On-premises Deployment](#on-premises-deployment)
+- [Pass-through Authentication](#passthrough-authentication)
+- [Password Hash Synchronization](#password-hash-synchronization)
+- [Primary Refresh Token](#primary-refresh-token) 
+- [Storage Root Key](#storage-root-key)
+- [Trust Type](#trust-type)
+- [Trusted Platform Module](#trusted-platform-module)
 <hr>

 ## Attestation Identity Keys
@ -44,58 +44,57 @@ Because the endorsement certificate is unique for each device and does not chang
 > The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
 > The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.

-Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft 
-Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
+Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.

 Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.

 In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.

 ### Related topics
-[Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+[Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)

 ### More information
 - [Windows Client Certificate Enrollment Protocol: Glossary](https://msdn.microsoft.com/library/cc249746.aspx#gt_70efa425-6b46-462f-911d-d399404529ab)
 - [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)


-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Azure AD Joined
 Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources.
 ### Related topics
-[Join Type](#Join-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
+[Join Type](#join-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)

 ### More information
 - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction).

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Azure AD Registered
 The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device. 
 ### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Join Type](#Join-Type)
+[Azure AD Joined](#azure-ad-joined), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Join Type](#join-type)

 ### More information
 - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)


-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Certificate Trust
 The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory.  The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers.

 ### Related topics
-[Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type)
+[Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)

 ### More information 
 - [Windows Hello for Business Planning Guide](hello-planning-guide.md)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Cloud Deployment
 The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources.  Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types.

 ### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Deployment Type](#Deployment-Type), [Join Type](#Join-Type)
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Deployment Type](#deployment-type), [Join Type](#join-type)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Deployment Type
 Windows Hello for Business has three deployment models to accommodate the needs of different organizations.  The three deployment models include:
 - Cloud
@ -103,12 +102,12 @@ Windows Hello for Business has three deployment models to accommodate the needs
 - On-Premises

 ### Related topics
-[Cloud Deployment](#Cloud-Deployment), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment)
+[Cloud Deployment](#cloud-deployment), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment)

 ### More information
 - [Windows Hello for Business Planning Guide](hello-planning-guide.md)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Endorsement Key

 The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits).
@ -121,115 +120,120 @@ The endorsement key is often accompanied by one or two digital certificates:

 -   One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
 -   The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
+
 For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.

 ### Related topics
-[Attestation Identity Keys](#Attestation-Identity-Keys), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)

 ### More information
 - [Understand the TPM endorsement key](https://go.microsoft.com/fwlink/p/?LinkId=733952).
 - [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Federated Environment
 Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD.

 ### Related topics
-[Hybrid Deployment](#Hybrid-Deployment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Sync](#Password-Hash-Sync)
+[Hybrid Deployment](#hybrid-deployment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Sync](#password-hash-sync)

 ### More information
 - [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Hybrid Azure AD Joined
 For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable:
 - IT departments to manage work-owned devices from a central location.
 - Users to sign in to their devices with their Active Directory work or school accounts. 
 Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them.
+
 If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory.

 ### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Deployment](#Hybrid-Deployment)
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Deployment](#hybrid-deployment)

 ### More information
 - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Hybrid Deployment
 The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory.  Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined.  The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust.

 ### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), 
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), 

 ### More information
 - [Windows Hello for Business Planning Guide](hello-planning-guide.md)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Join type
 Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined.
+
 Registering a device to Azure AD enables you to manage a device's identity. When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device.
+
 When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune .
+
 Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account.

 ### Related topics
-[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined)
+[Azure AD Joined](#azure-ad-joined), [Azure AD Registered](#azure-ad-registered), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined)

 ### More information
 - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/azure/active-directory/device-management-introduction)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Key Trust
 The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory.  The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers.

 ### Related topics
-[Certificate Trust](#Certificate-Trust), [Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type), [Trust Type](#Trust-Type)
+[Certificate Trust](#certificate-trust), [Deployment Type](#deployment-type), [Hybrid Azure AD Joined](#hybrid-azure-ad-joined), [Hybrid Deployment](#hybrid-deployment), [On-premises Deployment](#on-premises-deployment), [Trust Type](#trust-type)

 ### More information
 - [Windows Hello for Business Planning Guide](hello-planning-guide.md)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Managed Environment
 Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services. 

 ### Related topics
-[Federated Environment](#Federated-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Synchronization](#Password-Hash-Synchronization)
+[Federated Environment](#federated-environment), [Pass-through authentication](#pass-through-authentication), [Password Hash Synchronization](#password-hash-synchronization)

 [Return to Top](#Technology-and-Terms)
 ## On-premises Deployment 
 The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities.  On-premises deployments support domain joined devices.  The on-premises deployment model supports two authentication trust types, key trust and certificate trust.

 ### Related topics
-[Cloud Deployment](#Cloud-Deployment), [Deployment Type](#Deployment-Type), [Hybrid Deployment](#Hybrid-Deployment)
+[Cloud Deployment](#cloud-deployment), [Deployment Type](#deployment-type), [Hybrid Deployment](#hybrid-deployment)

 ### More information
 - [Windows Hello for Business Planning Guide](hello-planning-guide.md)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Pass-through authentication
 Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.

 ### Related topics
-[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Password Hash Synchronization](#Password-Hash-Synchronization)
+[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Password Hash Synchronization](#password-hash-synchronization)


 ### More information
 - [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](#hello-how-it-works-technology.md)
 ## Password Hash Sync
 The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.

 ### Related topics
-[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication)
+[Federated Environment](#federated-environment), [Managed Environment](#managed-environment), [Pass-through authentication](#pass-through-authentication)

 ### More information
 - [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/azure/security/azure-ad-choose-authn)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Primary Refresh Token
 SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device.

-The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and domain joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
+The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and hybrid Azure AD joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).

 The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device. This means that if you have any [device-based conditional access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.

@ -238,22 +242,22 @@ The PRT is needed for SSO. Without it, the user will be prompted for credentials
 The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.

 ### Related topics
-[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Trusted Platform Module](#trusted-platform-module)

 ### More information
 [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Trust type
 The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust.  The hybrid and on-premises deployment models support both trust types.  The trust type does not affect authentication to Azure Active Directory.  Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment). 

 ### Related topics
-[Certificate Trust](#Certificate-Trust), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment)
+[Certificate Trust](#certificate-trust), [Hybrid Deployment](#hybrid-deployment), [Key Trust](#key-trust), [On-premises Deployment](#on-premises-deployment)

 ### More information
 - [Windows Hello for Business Planning Guide](hello-planning-guide.md)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)
 ## Trusted Platform Module

 A Trusted Platform Module (TPM) is a hardware component that provides unique security features.<br>
@ -289,12 +293,12 @@ In a simplified manner, the TPM is a passive component with limited resources. I


 ### Related topics
-[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key)
+[Attestation Identity Keys](#attestation-identity-keys), [Endorsement Key](#endorsement-key), [Storage Root Key](#storage-root-key)

 ### More information
 - [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)

-[Return to Top](#Technology-and-Terms)
+[Return to Top](hello-how-it-works-technology.md)



--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@ -60,10 +60,10 @@ The remainder of the provisioning includes Windows Hello for Business requesting
 <hr>

 ## Follow the Windows Hello for Business hybrid key trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
-3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
+1. [Overview](hello-hybrid-key-trust.md)
+2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
+3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
-5. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-6. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
+5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
+6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md)
 7. Sign-in and Provision(*You are here*)