From ddf059038ad12ec80c785700770bc187ca02568d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Mon, 30 Jan 2017 18:21:41 -0800 Subject: [PATCH 01/16] Waas-Delivery-optimization - added content added online requirement. Added to simple mode in order to better explain it. --- windows/manage/waas-delivery-optimization.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 9b3dc0a522..243665903d 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -19,6 +19,10 @@ localizationpriority: high Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. +Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize Delivery Optimization, machines need to have access to the internet. + +For more details, see [Download mode](#download-mode). + >[!NOTE] >WSUS can also use [BranchCache](waas-branchcache.md) for content sharing and caching. If Delivery Optimization is enabled on devices that use BranchCache, Delivery Optimization will be used instead. @@ -33,17 +37,19 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op Several Delivery Optimization features are configurable. + + ### Download mode (DODownloadMode) Download mode dictates which download sources clients are allowed to use when downloading Windows updates in addition to Windows Update servers. The following table shows the available download mode options and what they do. | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. | +| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses metadata provided by the Delivery Optimization cloud services for a more consistent plain download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. In this mode, Delivery Optimization provides a modern download manager experience, with little optimization and no peer content sharing. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | >[!NOTE] From 8533fa6bac53f91df75629c12787009f6c9ea471 Mon Sep 17 00:00:00 2001 From: rikot Date: Wed, 1 Feb 2017 11:17:57 -0500 Subject: [PATCH 02/16] Update manage-windows-updates-for-surface-hub.md --- .../manage-windows-updates-for-surface-hub.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 40fdda11b1..35787fbff1 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -57,6 +57,7 @@ Surface Hubs, like all Windows 10 devices, include **Windows Update for Business 2. [Configure when Surface Hub receives updates](#configure-when-surface-hub-receives-updates). > [!NOTE] + > You can use Microsoft Intune, System Center Configuration Manager, or a supported third-party MDM provider to set up WUfB. [Walkthrough: use Microsoft Intune to configure Windows Update for Business.](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-wufb-intune) @@ -75,7 +76,7 @@ This table gives examples of deployment rings. ### Configure Surface Hub to use Current Branch or Current Branch for Business By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). - +* **To manually configure Surface Hub to use CB or CBB:** 1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 2. Select **Defer feature updates**. @@ -104,6 +105,13 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. +**If you use a proxy server or other method to block URLs** +If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: +- http(s)://*.update.microsoft.com +- http://download.windowsupdate.com +- http://windowsupdate.microsoft.com + +Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state. ## Maintenance window From 6b319d25bacc26654418b846d7d700832efe9b3d Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 17:36:28 -0800 Subject: [PATCH 03/16] Waas-servicing-branches - add section - remove WU --- .../manage/waas-servicing-branches-windows-10-updates.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index f42352f643..b514878ffe 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -190,6 +190,13 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
+## Block user access to Windows Update Settings + +In Windows 10, administrators can control user access to Windows Update. +By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. + +>[!NOTE] +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecate and are no longer supported on this platform. ## Related topics From d2f76e58eba86de11ac894434bedfbc311842d01 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 1 Feb 2017 17:47:51 -0800 Subject: [PATCH 04/16] fixed typo --- windows/manage/waas-servicing-branches-windows-10-updates.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index b514878ffe..bf763d2b49 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -190,7 +190,7 @@ or [Manage Windows 10 updates using System Center Configuration Manager](waas-ma
-## Block user access to Windows Update Settings +## Block user access to Windows Update settings In Windows 10, administrators can control user access to Windows Update. By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. From 97fa0782ba1244039f2b8aebca2888d5ee747de1 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 07:10:58 -0800 Subject: [PATCH 05/16] fix format --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 35787fbff1..b2e70af5d6 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -107,7 +107,7 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- http(s)://*.update.microsoft.com +- http(s)://\*.update.microsoft.com - http://download.windowsupdate.com - http://windowsupdate.microsoft.com From b7c16542943af08bed734aa473975147ebd37c60 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 07:27:21 -0800 Subject: [PATCH 06/16] URLs --- .../surface-hub/manage-windows-updates-for-surface-hub.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index b2e70af5d6..d4cb3d614d 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -76,7 +76,7 @@ This table gives examples of deployment rings. ### Configure Surface Hub to use Current Branch or Current Branch for Business By default, Surface Hubs are configured to receive updates from Current Branch (CB). CB receives feature updates as soon as they are released by Microsoft. Current Branch for Business (CBB), on the other hand, receives feature updates at least four months after they have been initially offered to CB devices, and includes all of the quality updates that have been released in the interim. For more information on the differences between CB and CBB, see [Servicing branches](https://technet.microsoft.com/en-us/itpro/windows/manage/waas-overview#servicing-branches). -* + **To manually configure Surface Hub to use CB or CBB:** 1. Open **Settings** > **Update & Security** > **Windows Update**, and then select **Advanced Options**. 2. Select **Defer feature updates**. @@ -107,9 +107,9 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- http(s)://\*.update.microsoft.com -- http://download.windowsupdate.com -- http://windowsupdate.microsoft.com +- `http(s)://\*.update.microsoft.com` +- `http://download.windowsupdate.com` +- `http://windowsupdate.microsoft.com` Once the Windows 10 Team Anniversary Update is installed, you can remove these addresses to return your Surface Hub to its previous state. From fd50e41f55a45efa4c934090a680d920b6defe30 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 08:00:34 -0800 Subject: [PATCH 07/16] format --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index d4cb3d614d..1a5e22a17e 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -107,7 +107,7 @@ To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/Up **If you use a proxy server or other method to block URLs** If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: -- `http(s)://\*.update.microsoft.com` +- `http(s)://*.update.microsoft.com` - `http://download.windowsupdate.com` - `http://windowsupdate.microsoft.com` From 7e988cb680e3ff469bc2250899b21b22c05b6e46 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 2 Feb 2017 10:01:20 -0800 Subject: [PATCH 08/16] waas-DO - fixed after PM review --- windows/manage/waas-delivery-optimization.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/manage/waas-delivery-optimization.md b/windows/manage/waas-delivery-optimization.md index 243665903d..b1701d80d9 100644 --- a/windows/manage/waas-delivery-optimization.md +++ b/windows/manage/waas-delivery-optimization.md @@ -19,7 +19,7 @@ localizationpriority: high Delivery Optimization is a self-organizing distributed cache solution for businesses looking to reduce bandwidth consumption for operating system updates, operating system upgrades, and applications by allowing clients to download those elements from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers. You can use Delivery Optimization in conjunction with stand-alone Windows Update, Windows Server Update Services (WSUS), and Windows Update for Business. This functionality is similar to BranchCache in other systems, such as System Center Configuration Manager. -Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize Delivery Optimization, machines need to have access to the internet. +Delivery Optimization is a cloud managed solution. Having access to the Delivery Optimization cloud services, is a requirement for it to be enabled. This mean that in order to utilize the peer-to-peer functionality of Delivery Optimization, machines need to have access to the internet. For more details, see [Download mode](#download-mode). @@ -45,11 +45,11 @@ Download mode dictates which download sources clients are allowed to use when do | Download mode option | Functionality when set | | --- | --- | -| HTTP Only (0) | This setting disables peer content sharing but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses metadata provided by the Delivery Optimization cloud services for a more consistent plain download experience. | +| HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content from Windows Update servers or WSUS servers. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. | | Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and AD DS sites. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | -| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable or unreachable. In this mode, Delivery Optimization provides a modern download manager experience, with little optimization and no peer content sharing. | +| Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. For example, select this mode so that clients can use BranchCache. | >[!NOTE] From d23d739707acef1a9756c3a78ecb1a13a48d0e92 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Thu, 2 Feb 2017 10:15:48 -0800 Subject: [PATCH 09/16] fixed type and added change of WaaS-branches to CH --- .../change-history-for-manage-and-update-windows-10.md | 8 ++++++-- .../manage/waas-servicing-branches-windows-10-updates.md | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index a794ec798f..837fac6dda 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -14,6 +14,12 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## February 2017 + +| New or changed topic | Description | +| --- | --- | +| [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) | Added Group Policy setting that blocks user access to Windows Update. | + ## January 2017 | New or changed topic | Description | @@ -24,8 +30,6 @@ This topic lists new and updated topics in the [Manage and update Windows 10](in | [Quick guide to Windows as a service](waas-quick-start.md) | Added video that explains how Windows as a service works. | | [Manage device restarts after updates](waas-restart.md) | Added Registry keys for controlling restarts. | - - ## December 2016 | New or changed topic | Description | diff --git a/windows/manage/waas-servicing-branches-windows-10-updates.md b/windows/manage/waas-servicing-branches-windows-10-updates.md index bf763d2b49..7e62bcbf3a 100644 --- a/windows/manage/waas-servicing-branches-windows-10-updates.md +++ b/windows/manage/waas-servicing-branches-windows-10-updates.md @@ -196,7 +196,7 @@ In Windows 10, administrators can control user access to Windows Update. By enabling the Group Policy setting under **Computer Configuration\Administrative Templates\Windows Components\Windows update\Remove access to use all Windows update features**, administrators can disable the "Check for updates" option for users. Any background update scans, downloads and installations will continue to work as configured. >[!NOTE] -> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecate and are no longer supported on this platform. +> In Windows 10, any Group Policy user configuration settings for Windows Update were deprecated and are no longer supported on this platform. ## Related topics From 4f8eaabbd71970f37e631a964a11549face01ea6 Mon Sep 17 00:00:00 2001 From: rikot Date: Thu, 2 Feb 2017 13:48:57 -0500 Subject: [PATCH 10/16] Update manage-windows-updates-for-surface-hub.md --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 35787fbff1..e1e0574390 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -90,6 +90,7 @@ Once you've determined deployment rings for your Surface Hubs, configure update - To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring. > [!NOTE] + > If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates). @@ -106,6 +107,7 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy. **If you use a proxy server or other method to block URLs** + If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”: - http(s)://*.update.microsoft.com - http://download.windowsupdate.com From 408c738d0429c64900130e1a8ae81128e7fcb9dc Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 2 Feb 2017 13:21:14 -0800 Subject: [PATCH 11/16] fixed formatting --- windows/keep-secure/credential-guard.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 37f0fd9b7f..980862a955 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -9,6 +9,7 @@ ms.pagetype: security localizationpriority: high author: brianlic-msft --- + # Protect derived domain credentials with Credential Guard **Applies to** @@ -19,9 +20,9 @@ Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard u By enabling Credential Guard, the following features and solutions are provided: - **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. +- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials. - **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system. -,- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. +- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures. ## How it works @@ -60,7 +61,7 @@ The Virtualization-based security requires: When Credential Guard is enabled, specific authentication capabilities are blocked, so applications which require blocked capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality. >[!WARNING] -> Enabling Credential Guard on domain controllers is not supported
+> Enabling Credential Guard on domain controllers is not supported.
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes. >[!NOTE] From 594e403a7f6420a90b540ff54f18f1472209e05f Mon Sep 17 00:00:00 2001 From: Karthika Raman Date: Thu, 2 Feb 2017 13:54:25 -0800 Subject: [PATCH 12/16] making a minor change to reflect the KB requirement change with V5 --- windows/deploy/upgrade-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 1455ee624e..cd76825250 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md @@ -127,7 +127,7 @@ The Upgrade Analytics deployment script does the following: 3. Checks whether the computer has a pending restart.   -4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14348 or later is required, but version 10.0.14913 or later is recommended). +4. Verifies that the latest version of KB package 10.0.x is installed (version 10.0.14913 or later is required). 5. If enabled, turns on verbose mode for troubleshooting. From 09621fff218b73be9552c4ffbff860db5756f997 Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 2 Feb 2017 14:25:52 -0800 Subject: [PATCH 13/16] fixed metadata --- windows/keep-secure/credential-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/credential-guard.md b/windows/keep-secure/credential-guard.md index 980862a955..9d3a33d12c 100644 --- a/windows/keep-secure/credential-guard.md +++ b/windows/keep-secure/credential-guard.md @@ -1,4 +1,4 @@ -[s,,--- +--- title: Protect derived domain credentials with Credential Guard (Windows 10) description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1 From 4fb86ef0967caf665ceb36ee7bcffcbed36e306f Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 2 Feb 2017 14:55:33 -0800 Subject: [PATCH 14/16] sync --- devices/surface-hub/manage-windows-updates-for-surface-hub.md | 1 - 1 file changed, 1 deletion(-) diff --git a/devices/surface-hub/manage-windows-updates-for-surface-hub.md b/devices/surface-hub/manage-windows-updates-for-surface-hub.md index 8cd7c3a9fa..d8661c166c 100644 --- a/devices/surface-hub/manage-windows-updates-for-surface-hub.md +++ b/devices/surface-hub/manage-windows-updates-for-surface-hub.md @@ -90,7 +90,6 @@ Once you've determined deployment rings for your Surface Hubs, configure update - To defer quality updates, set an appropriate [Update/DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_DeferQualityUpdatesPeriodInDays) policy for each ring. > [!NOTE] - > If you encounter issues during the update rollout, you can pause updates using [Update/PauseFeatureUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseFeatureUpdates) and [Update/PauseQualityUpdates](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_PauseQualityUpdates). From a1b4cef484bd08b7b9aa34f8bad236086c911ebd Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 2 Feb 2017 15:40:23 -0800 Subject: [PATCH 15/16] bug 118 --- windows/deploy/usmt-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/usmt-overview.md b/windows/deploy/usmt-overview.md index 9f6a18384a..9dca476f1c 100644 --- a/windows/deploy/usmt-overview.md +++ b/windows/deploy/usmt-overview.md @@ -35,7 +35,7 @@ USMT provides the following benefits to businesses that are deploying Windows op - Increases employee satisfaction with the migration experience. ## Limitations -USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [Windows Easy Transfer](https://go.microsoft.com/fwlink/p/?LinkId=140248). +USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](http://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink. There are some scenarios in which the use of USMT is not recommended. These include: From 621a8df6f338a941e610f454e0f0d5a09606fb5d Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Thu, 2 Feb 2017 16:33:26 -0800 Subject: [PATCH 16/16] moving link to baseline to the top of the article --- ...dows-operating-system-components-to-microsoft-services.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index c7c8415926..83ba743e69 100644 --- a/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -25,8 +25,9 @@ If you want to minimize connections from Windows to Microsoft services, or confi You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience. -We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. +To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article. +We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com. ## What's new in Windows 10, version 1607 and Windows Server 2016 @@ -1359,5 +1360,3 @@ You can turn off automatic updates by doing one of the following. This is not re - **5**. Turn off automatic updates. To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx). - -To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.