Merge remote-tracking branch 'refs/remotes/origin/master' into live

LizRoss 2017-04-06 10:10:54 -07:00
commit 9243f1daf0
19 changed files with 129 additions and 127 deletions

View File

@ -1491,7 +1491,7 @@ This event sends data about the device, including hardware type, OEM brand, mode
The following fields are available:
- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 24.
- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
- **DeviceColor** Indicates a color of the device.
- **DeviceName** The device name that is set by the user.

View File

@ -97,44 +97,13 @@ Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLo
### <a href="" id="bkmk-decryptfirst"></a>Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades?
The following table lists what action you need to take before you perform an upgrade or update installation.
No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start).
Users need to suspend BitLocker for Non-Microsoft software updates, such as:
- Computer manufacturer firmware updates
- TPM firmware updates
- Non-Microsoft application updates that modify boot components
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Type of update</th>
<th align="left">Action</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows Anytime Upgrade</p></td>
<td align="left"><p>Decrypt</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) for Windows 10 (example: Windows 10, version 1703)</p></td>
<td align="left"><p>Suspend</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Non-Microsoft software updates, such as:</p>
<ul>
<li><p>Computer manufacturer firmware updates</p></li>
<li><p>TPM firmware updates</p></li>
<li><p>Non-Microsoft application updates that modify boot components</p></li>
</ul></td>
<td align="left"><p>Suspend</p></td>
</tr>
<tr class="even">
<td align="left"><p>Software and [quality updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) from Windows Update</p></td>
<td align="left"><p>Nothing</p></td>
</tr>
</tbody>
</table>
 
> **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.
 
## <a href="" id="bkmk-deploy"></a>Deployment and administration
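Review bot: The retained note at the end of this hunk still says "If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode", but with the table removed "these types" has no clear antecedent and now follows text saying Microsoft quality and feature updates need no user action. Scope the note explicitly to the non-Microsoft updates in the new list (manufacturer firmware, TPM firmware, applications that modify boot components). The "Windows Anytime Upgrade / Decrypt" row is also dropped with no replacement text; confirm that is intentional.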

View File

@ -1,4 +1,4 @@
---
---
title: Manage Credential Guard (Windows 10)
description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
ms.prod: w10
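Review bot: The opening `---` of the front matter is removed and re-added as a visually identical line, so the only difference is in invisible characters (byte order mark, trailing whitespace or line ending). Confirm the change is intended and that the metadata block still parses, since this kind of edit usually comes from an editor setting rather than from the author.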
@ -19,7 +19,9 @@ Prefer video? See [Protecting privileged users with Credential Guard](https://mv
in the Deep Dive into Credential Guard video series.
## Enable Credential Guard
Credential Guard can be enabled by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool).
Credential Guard can be enabled either by using [Group Policy](#turn-on-credential-guard-by-using-group-policy), the [registry](#turn-on-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines.
### Enable Credential Guard by using Group Policy
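Review bot: The links in the rewritten intro still target `#turn-on-credential-guard-by-using-group-policy` and `#turn-on-credential-guard-by-using-the-registry`, while the heading directly below reads "Enable Credential Guard by using Group Policy"; unless explicit anchors with the old names exist, update the fragments to match the headings. The new sentence also uses "either" before three options, and the two added sentences about Hyper-V virtual machines repeat the opening of "Credential Guard deployment in virtual machines"; a single link to that section would keep the host-administrator caveat next to the claim.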
@ -41,7 +43,7 @@ To enforce processing of the group policy, you can run ```gpupdate /force```.
If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
### Add the virtualization-based security features
#### Add the virtualization-based security features
Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows features to use virtualization-based security is not necessary and this step can be skipped.
@ -74,7 +76,7 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
### Enable virtualization-based security and Credential Guard
#### Enable virtualization-based security and Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
@ -101,22 +103,16 @@ DG_Readiness_Tool_v3.0.ps1 -Enable -AutoReboot
### Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. The enablement steps are the same from within the virtual machine.
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
Credential Guard protects secrets from non-privileged access inside the VM. It does not provide additional protection from the host administrator. From the host, you can disable Credential Guard for a virtual machine:
#### Requirements for running Credential Guard in Hyper-V virtual machines
``` PowerShell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```
Requirements for running Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and running at least Windows Server 2016 or Windows 10.
### Review Credential Guard performance
### Check that Credential Guard is running
You can use System Information to ensure that Credential Guard is running on a PC.
You can view System Information to check that Credential Guard is running on a PC.
1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
2. Click **System Summary**.
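Review bot: Renaming the heading "Review Credential Guard performance" to "Check that Credential Guard is running" changes the anchor generated from it, so any link that points at the old heading will stop resolving; search the repo for references before merging. In the unchanged requirements bullet, "and running at least Windows Server 2016" should read "and run at least" to stay parallel with "must be Generation 2, have an enabled virtual TPM".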
@ -132,10 +128,31 @@ You can also check that Credential Guard is running by using the [Device Guard a
DG_Readiness_Tool_v3.0.ps1 -Ready
```
- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain.
### Remove Credential Guard
- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
- The first variable: 0x1 means Credential Guard is configured to run. 0x0 means its not configured to run.
- The second variable: 0 means its configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking the following event in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
If you have to remove Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
- Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
- Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
## Disable Credential Guard
If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
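Review bot: The Event ID 51 sample in the added text ends with "TPM PCR mask: 0x0", which by the sentence just above it ("If you are running with a TPM, the TPM PCR mask value will be something other than 0") is what a device without TPM key protection reports; label the sample as the no-TPM case or say that the values shown are only a format example, otherwise someone reviewing the log will take 0x0 as the expected healthy value. The considerations list also starts immediately after the `-Ready` code block with no heading or lead-in sentence, so it reads as part of "Check that Credential Guard is running"; give it its own heading. In the Event ID 14 sub-bullets, "its not configured" and "its configured" should be "it's".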
@ -146,11 +163,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
3. Delete the Credential Guard EFI variables by using bcdedit.
**Delete the Credential Guard EFI variables**
1. From an elevated command prompt, type the following commands:
3. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
``` syntax
mountvol X: /s
@ -180,7 +193,7 @@ If you have to remove Credential Guard on a PC, you can use the following set of
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](device-guard-deployment-guide.md).
<span id="turn-off-with-hardware-readiness-tool" />
#### Turn off Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
@ -188,5 +201,15 @@ You can also disable Credential Guard by using the [Device Guard and Credential
DG_Readiness_Tool_v3.0.ps1 -Disable -AutoReboot
```
#### Disable Credential Guard for a virtual machine
From the host, you can disable Credential Guard for a virtual machine:
``` PowerShell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
```
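Review bot: The new "Disable Credential Guard for a virtual machine" section keeps only "From the host, you can disable Credential Guard for a virtual machine" and drops the sentence that used to precede the command, which explained that Credential Guard does not protect a VM from the host administrator. Link back to "Credential Guard deployment in virtual machines" here so the reader sees why a host-side opt-out exists. The fence info string is written ` PowerShell` (leading space, capital P) while the EMET topic in this same commit uses `powershell`; pick one form so highlighting is consistent.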

View File

@ -29,13 +29,9 @@ Some ways to store credentials are not protected by Credential Guard, including:
- Third-party security packages
- Digest and CredSSP credentials
- When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.
>[!NOTE]
When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
>[!NOTE]
Windows logon cached password verifiers (commonly called "cached credentials")
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
## Additional mitigations
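Review bot: Turning the two notes into bullets under "Some ways to store credentials are not protected by Credential Guard, including:" changes what they say: the cached password verifiers item now reads as one more unprotected credential store, although its own text says these verifiers "do not qualify as credentials". Keep it as a note, or move it below the list. Its continuation line "do not qualify as credentials because..." is also on a separate unindented line, so it will not render as part of the bullet. The added NTLM bullet ends with a stray "-" after "key loggers as well."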
@ -638,42 +634,6 @@ write-host $tmp -Foreground Red
> [!NOTE]
> If you're having trouble running this script, try replacing the single quote after the ConvertFrom-StringData parameter.
## Troubleshooting Credential Guard
### Known Issues
Microsoft is aware of certain issues with Credential Guard that affect client machines that run Windows 10.
• For devices with Credential Guard enabled, a sign-in attempt that fails because of a bad password counts as two bad password attempts instead of one. Consequently, if your enterprise has an account lockout policy based on a certain number of failed password attempts, that threshold will be reached in half the number of attempts.
This issue has been resolved for clients that run Windows 10 version 1703. For clients that run Windows 10 version 1607, a hotfix is available for download to resolve the issue. For clients that run Windows 10 versions 1507 or 1511, no hotfix is available. For those operating systems, to resolve the issue, you can upgrade the client to a later version of Windows 10. As a workaround, administrators can either choose to increase the account lockout threshold accordingly, consistent with current security policy, or can disable Credential Guard. For further information, see Credential Guard generates double bad password count
Credential guard has known issues on Windows 10 when used with certain third-party applications:
• Applications Appsense and Lumension E S. are known to cause high CPU utilization on Windows 10 client machines with credential guard enabled.
• Citrix Applications are known to cause high CPU utilization on Windows 10 client machines. This issue is currently under investigation.
• Cisco Proxy Agents are known to cause authentication failure on Windows 10 client machines. This issue is currently under investigation.
• Client machines with Credential Guard enabled cannot access shares on For further information see: Machines with Credential Guard enabled unable to connect to IBM File Servers
### How-to
## See also
**Deep Dive into Credential Guard: Related videos**
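Review bot: The whole "Troubleshooting Credential Guard / Known Issues" section is deleted here with no replacement or pointer, including the item that a failed sign-in counts as two bad password attempts on affected versions and so halves the effective account lockout threshold. If this content has moved to another topic, add a link under "See also"; if it is being retired, say so in the commit message, because administrators who tuned lockout policy from this guidance lose the reference. The empty "### How-to" heading removed with it suggests the section was unfinished, which is worth confirming with the author.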

View File

@ -419,10 +419,10 @@ ConvertTo-ProcessMitigationPolicy -EMETFilePath <String> -OutputFilePath <String
Examples:
- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example:
- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate a result file of Windows 10 mitigation settings. For example:
```powershell
ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml
ConvertTo-ProcessMitigationPolicy -EMETFilePath policy.xml -OutputFilePath result.xml
```
- **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad:
@ -436,7 +436,7 @@ Examples:
- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example:
```powershell
ConvertTo-ProcessMitigationPolicy -EMETfile certtrustrules.xml -output enterprisecertpinningrules.xml
ConvertTo-ProcessMitigationPolicy -EMETfilePath certtrustrules.xml -OutputFilePath enterprisecertpinningrules.xml
```
#### EMET-related products
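Review bot: The corrected certificate pinning example spells the parameter `-EMETfilePath`, while the syntax line and the first example in this file use `-EMETFilePath`. PowerShell parameter names are case-insensitive so the command runs, but use the same casing as the syntax line so that readers copying the example or searching the page find one spelling.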

View File

@ -15,5 +15,7 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc
## RELEASE: Windows 10, version 1703
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update).
The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added:
* [Windows Insider Program for Business](waas-windows-insider-for-business.md)
* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md)
* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md)

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.3 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 4.5 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 11 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 10 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1.5 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 1005 B

Binary file not shown.

After

Width:  |  Height:  |  Size: 2.7 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 847 B

View File

@ -41,6 +41,7 @@ Windows as a service provides a new way to think about building, deploying, and
| [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. |
| [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. |
| [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. |
| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. |
>[!TIP]
>Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows.

View File

@ -84,11 +84,11 @@ After you configure the servicing branch (CB or CBB), you can then define if, an
## Pause Feature Updates
You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again.
Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date.
Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date.
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date.
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
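Review bot: The three rewritten paragraphs now state the 35-day limit unconditionally, but the note added later in this file says that before Windows 10, version 1703 feature updates could be paused for up to 60 days, so the body text is wrong for devices still on earlier versions. Scope the first sentence (for example, "Starting with version 1703, ... up to 35 days") or state both limits with their versions in the body rather than only in the callout. While editing these lines, "by a period of up to 35 days" reads better as "for a period of up to 35 days", and "After 35 days has passed" as "After 35 days have passed".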
@ -98,6 +98,8 @@ With version 1703, pausing through the settings app will provide a more consiste
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
>
>Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates.
**Pause Feature Updates policies**
@ -110,7 +112,7 @@ With version 1703, pausing through the settings app will provide a more consiste
You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**.
| Value | Status|
| --- | --- |

View File

@ -37,12 +37,11 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc
## Enroll a device with an Azure Active Directory account
1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions.
2. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**.
3. Enter the AAD account that you used to register and follow the on-screen directions.
>[!NOTE]
>Make sure that you have administrator rights to the machine and that it has latest Windows updates.
3. Enter the AAD account that you used to register and follow the on-screen directions.
## Switch device enrollment from your Microsoft account to your AAD account
1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account.
2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**.
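Review bot: Moving step 3 below the note puts the `>[!NOTE]` block between steps 2 and 3 of the ordered list, and because the note is not indented it ends the list, leaving step 3 as a separate list. Administrator rights and current updates are prerequisites, so place the note before step 1, or indent it under step 2 if it must stay inside the procedure.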
@ -55,6 +54,46 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc
>[!NOTE]
>Your device must be connected to your corporate account in AAD for the account to appear in the account list.
## User consent requirement
With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions, like this:
![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png)
Once agreed, everything will work fine and that user won't be asked for permissions again.
### Something went wrong
The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent.
In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message:
![Feedback Hub consent error message](images/waas-wipfb-aad-error.png)
This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials.
**To fix this issue**, an adminsitrator of the AAD directory will need to enable user consent for apps to access their data.
To do this through the **classic Azure portal**:
1. Go to https://manage.windowsazure.com/ .
2. Switch to the **Active Directory** dashboard.
![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png)
3. Select the appropriate directory and go to the **Configure** tab.
4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**.
![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png)
To do this through the **new Azure portal**:
1. Go to https://portal.azure.com/ .
2. Switch to the **Active Directory** dashboard.
![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png)
3. Switch to the appropriate directory.
![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png)
4. Under the **Manage** section, select **User settings**.
![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png)
5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**.
![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png)
## Frequently Asked Questions
### Will my test machines be affected by automatic registration?
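Review bot: The fix described under "Something went wrong" tells the directory administrator to enable "Users may give applications permissions to access their data" / "Users can allow apps to access their data", which is a directory-wide setting that lets users consent to any application, not only Feedback Hub; the text should say so, so that administrators who disabled user consent on purpose can weigh the change. If an administrator can grant consent for the Feedback Hub app alone, document that as the preferred option. Also fix "they will se a popup" and "adminsitrator", and rename the heading "Something went wrong" to describe the condition, for example that user consent is blocked by the directory administrator.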

View File

@ -31,11 +31,12 @@ Hindi, Catalan, and Vietnamese can only be installed as a language pack over [su
> To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc).
### How do I register for the Windows Insider Program for Business?
To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account \that you use for Office 365 and other Microsoft services.
To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services.
1. Visit https://insider.windows.com and click **Get Started**.
2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions.
3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions.
>[!NOTE]
>Make sure that you have administrator rights to your machine and that it has latest Windows updates.

View File

@ -20,7 +20,7 @@ localizationpriority: high
For many IT pros, gaining visibility into feature updates early—before theyre available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation.
The Windows Insider Program for Business gives you the opportunity to:
* Get early access to Windows Insider Preview Builds
* Get early access to Windows Insider Preview Builds.
* Provide feedback to Microsoft in real-time via the Feedback Hub app.
* Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft especially on features that support your productivity and business needs.
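Review bot: The third bullet still opens with "Sign-in" used as a verb and runs on with no comma before "especially", while the only visible change in this hunk is the full stop on the first bullet. Suggest "Sign in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft, especially on features that support your productivity and business needs." The context paragraph also shows "theyre" without its apostrophe, which is worth checking in the source file for an encoding problem.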
@ -56,9 +56,8 @@ Best for Insiders who enjoy getting early access to updates for the Current Bran
Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds arent final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs.
* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch
* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows
Ring
* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch.
* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows.
### Slow
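Review bot: Both links in the rewritten second bullet still use http:// (http://go.microsoft.com/fwlink/?LinkId=691209 and http://go.microsoft.com/fwlink/p/?LinkId=522381); they send readers to OS installation and recovery tools, so switch them to https:// while the line is being edited. The phrase "go between the Development Branch to the Current Branch" mixes two constructions; "go from the Development Branch to the Current Branch" reads correctly.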
@ -70,11 +69,12 @@ The Slow Windows Insider level is for users who enjoy seeing new builds of Windo
### Fast
Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great
Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great.
* Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds.
* Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations.
* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. • Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum
* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked.
* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum.
>[!NOTE]
>Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete.
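Review bot: The Fast ring bullets change person mid-sentence: "Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you" and "Windows Insiders should be ready to reinstall Windows ... when you are significantly blocked". Use second person throughout, as the newly split "Please remember to report any issue to us" bullet already does. That new bullet also capitalizes "Forum" in "Windows Insider community Forum" inconsistently with the lowercase "community".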
@ -85,11 +85,11 @@ During your time in the Windows Insider Program, you may want to change between
1. Go to **Settings > Updates & Security > Windows Insider Program**
2. Under **Choose your level**, select between the following rings -
* [Windows Insider Fast](#fast)
* [Windows Insider Slow](#slow)
* [Release Preview](#release-preview)
* [Windows Insider Fast](#fast)
* [Windows Insider Slow](#slow)
* [Release Preview](#release-preview)
## How to switch between you MSA and your Corporate AAD account
## How to switch between your MSA and your Corporate AAD account
The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA).
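Review bot: Step 2 ends with a dangling " -" after "select between the following rings" where a colon is meant, and step 1 has no closing period although the other edits in this commit add them. Step 1 also keeps "Updates & Security", whereas the Windows 10 Settings category is "Update & Security". The corrected heading fixes "you MSA" but still capitalizes "Corporate", while the body text writes "corporate account".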
@ -108,11 +108,16 @@ When providing feedback, please consider the following:
3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible.
### How to use your corporate AAD account for additional Feedback Hub benefits
Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that are using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that you're using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization.
>[!NOTE]
>If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback youve submitted and badges youve earned.
>[!IMPORTANT]
>With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions. Once agreed, everything will work fine and that user won't be asked for permissions again.
>
> If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [User consent requirement](waas-windows-insider-for-business-aad.md#user-consent-requirement).
## Not receiving Windows 10 Insider Preview build updates?
In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue:
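Review bot: The added [!IMPORTANT] block has typos to fix before merge: "they will se a popup" (see) and "aren't enabled to give persmissions" (permissions); the [!NOTE] above it has "AAD sing-in". The consent wording is also vague for an admin reading it: "Once agreed, everything will work fine" should say what then works, and the failure case is better phrased as users not being allowed to consent to the app reading their profile data, matching the title of the linked "User consent requirement" section. The second paragraph of the block starts with "> " where the other lines use ">" with no space.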