Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into tibdraft

devices/surface-hub/TOC.md

@@ -37,6 +37,7 @@
 ### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
 ### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
 ### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)
+### [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md)
 ### [Using a room control system](use-room-control-system-with-surface-hub.md)
 ## [PowerShell for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md)
 ## [How Surface Hub addresses Wi-Fi Direct security issues](surface-hub-wifi-direct.md)

devices/surface-hub/change-history-surface-hub.md

@@ -16,6 +16,13 @@ ms.localizationpriority: medium
 
 This topic lists new and updated topics in the [Surface Hub Admin Guide]( surface-hub-administrators-guide.md).
 
+## November 2017
+
+New or changed topic | Description 
+--- | ---
+[Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | New
+[Manage settings with an MDM provider (Surface Hub)](manage-settings-with-mdm-for-surface-hub.md) | Added settings for 802.1x wired authentication.
+
 ## October 2017
 
 New or changed topic | Description |

devices/surface-hub/enable-8021x-wired-authentication.md

@@ -0,0 +1,61 @@
+---
+title: Enable 802.1x wired authentication
+description: 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. 
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: surfacehub
+author: jdeckerms
+ms.author: jdecker
+ms.date: 11/14/2017
+ms.localizationpriority: medium
+---
+
+# Enable 802.1x wired authentication
+
+The [November 14, 2017 update to Windows 10](https://support.microsoft.com/help/4048954/windows-10-update-kb4048954) (build 15063.726) enables 802.1x wired authentication MDM policies on Surface Hub devices. The feature allows organizations to enforce standardized wired network authentication using the [IEEE 802.1x authentication protocol](http://www.ieee802.org/1/pages/802.1x-2010.html). This is already available for wireless authentication using WLAN profiles via MDM. This topic explains how to  configure a Surface Hub for use with wired authentication. 
+
+Enforcement and enablement of 802.1x wired authentication on Surface Hub can be done through MDM [OMA-URI definition](https://docs.microsoft.com/intune-classic/deploy-use/windows-10-policy-settings-in-microsoft-intune#oma-uri-settings). 
+
+The primary configuration to set is the **LanProfile** policy. Depending on the authentication method selected, other policies may be required, either the **EapUserData** policy or through MDM policies for adding user or machine certificates (such as [ClientCertificateInstall](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp) for user/device certificates or [RootCATrustedCertificates](https://docs.microsoft.com/windows/client-management/mdm/rootcacertificates-csp) for device certificates). 
+
+## LanProfile policy element
+
+To configure Surface Hub to use one of the supported 802.1x authentication methods, utilize the following OMA-URI. 
+
+```
+./Vendor/MSFT/SurfaceHub/Dot3/LanProfile
+```
+
+This OMA-URI node takes a text string of XML as a parameter. The XML provided as a parameter should conform to the [Wired LAN Profile Schema](https://msdn.microsoft.com/library/cc233002.aspx) including elements from the [802.1X schema](https://msdn.microsoft.com/library/cc233003.aspx). 
+
+In most instances, an administrator or user can export the LanProfile XML from an existing PC that is already configured on the network for 802.1X using this following NETSH command. 
+
+```
+netsh lan export profile folder=.
+```
+
+Running this command will give the following output and place a file titled **Ethernet.xml** in the current directory. 
+
+```
+Interface: Ethernet
+Profile File Name: .\Ethernet.xml
+1 profile(s) were exported successfully.
+```
+
+## EapUserData policy element
+
+If your selected authentication method requires a username and password as opposed to a certificate, you can use the **EapUserData** element to specify credentials for the device to use to authenticate to the network. 
+
+```
+./Vendor/MSFT/SurfaceHub/Dot3/EapUserData 
+```
+
+This OMA-URI node takes a text string of XML as a parameter. The XML provided as a parameter should conform to the [PEAP MS-CHAPv2 User Properties example](https://msdn.microsoft.com/library/windows/desktop/bb891979). In the example, you will need to replace all instances of *test* and *ias-domain* with your information.
+
+
+
+## Adding certificates
+
+If your selected authentication method is certificate-based, you will will need to [create a provisioning package](provisioning-packages-for-surface-hub.md), [utilize MDM](https://docs.microsoft.com/windows/client-management/mdm/clientcertificateinstall-csp), or import a certificate from settings (**Settings** > **Update and Security** > **Certificates**) to deploy those certificates to your Surface Hub device in the appropriate Certificate Store. When adding certificates, each PFX must contain only one certificate (a PFX cannot have multiple certificates).
+

devices/surface-hub/manage-settings-with-mdm-for-surface-hub.md

@@ -87,6 +87,8 @@ For more information, see [SurfaceHub configuration service provider](https://ms
 | Disable auto-populating the sign-in dialog with invitees from scheduled meetings | Properties/DisableSignInSuggestions | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 | Disable "My meetings and files" feature in Start menu | Properties/DoNotShowMyMeetingsAndFiles | Yes </br>  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 \*Settings supported with SyncML can also be configured in a Windows Configuration Designer provisioning package. 
+| Set the LanProfile for 802.1x Wired Auth | Dot3/LanProfile | Yes <br> [Use a custom policy.](#example-intune)  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
+| Set the EapUserData for 802.1x Wired Auth | Dot3/EapUserData | Yes <br> [Use a custom policy.](#example-intune)  | Yes.<br> [Use a custom setting.](#example-sccm) | Yes |
 
 ### Supported Windows 10 settings
 

devices/surface-hub/manage-surface-hub.md

@@ -38,6 +38,7 @@ Learn about managing and updating Surface Hub.
 | [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
 | [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
 | [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. |
+ [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md) | 802.1x Wired Authentication MDM policies have been enabled on Surface Hub devices. 
 | [Using a room control system]( https://technet.microsoft.com/itpro/surface-hub/use-room-control-system-with-surface-hub) | Room control systems can be used with your Microsoft Surface Hub.|
 
 ## Related topics

devices/surface-hub/prepare-your-environment-for-surface-hub.md

@@ -29,7 +29,7 @@ Review these dependencies to make sure Surface Hub features will work in your IT
 | Skype for Business (Lync Server 2013 or later, or Skype for Business Online)  | Skype for Business is used for various conferencing features, like video calls, instant messaging, and screen sharing.</br></br>If screen sharing on a Surface Hub fails and the error message **An error occurred during the screen presentation** is displayed, see [Video Based Screen Sharing not working on Surface Hub](https://support.microsoft.com/help/3179272/video-based-screen-sharing-not-working-on-surface-hub) for help. |
 | Mobile device management (MDM) solution (Microsoft Intune, System Center Configuration Manager, or supported third-party MDM provider) | If you want to apply settings and install apps remotely, and to multiple devices at a time, you must set up a MDM solution and enroll the device to that solution. See [Manage settings with an MDM provider](manage-settings-with-mdm-for-surface-hub.md) for details. |
 | Microsoft Operations Managmement Suite (OMS)   | OMS is used to monitor the health of Surface Hub devices. See [Monitor your Surface Hub](monitor-surface-hub.md) for details. |
-| Network and Internet access   | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.</br></br></br>**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.</br>**Note:** Surface Hub supports 802.1X using PEAP-MSCHAPv2. We currently do not support additional EAP methods such as 802.1X using PEAP-TLS or PEAP-EAP-TLS.</br></br>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</br></br>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. |
+| Network and Internet access   | In order to function properly, the Surface Hub should have access to a wired or wireless network. Overall, a wired connection is preferred. 802.1X Authentication is supported for both wired and wireless connections.</br></br></br>**802.1X authentication:** In Windows 10, version 1703, 802.1X authentication for wired and wireless connections is enabled by default in Surface Hub. If your organization doesn't use 802.1X authentication, there is no configuration required and Surface Hub will continue to function as normal. If you use 802.1X authentication, you must ensure that the authentication certification is installed on Surface Hub. You can deliver the certificate to Surface Hub using the [ClientCertificateInstall CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/clientcertificateinstall-csp) in MDM, or you can [create a provisioning package](provisioning-packages-for-surface-hub.md) and install it during first run or through the Settings app. After the certificate is applied to Surface Hub, 802.1X authentication will start working automatically.</br>**Note:** For more information on enabling 802.1X wired authentication on Surface Hub, see [Enable 802.1x wired authentication](enable-8021x-wired-authentication.md).</br></br>**Dynamic IP:** The Surface Hub cannot be configured to use a static IP. It must use DHCP to assign an IP address.</br></br>**Proxy servers:** If your topology requires a connection to a proxy server to reach Internet services, then you can configure it during first run, or in Settings. Proxy credentials are stored across Surface Hub sessions and only need to be set once. |
 
 Additionally, note that Surface Hub requires the following open ports:
 - HTTPS: 443

windows/client-management/mdm/remotewipe-ddf-file.md

@@ -17,6 +17,8 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW
 
 You can download the Windows 10 version 1607 DDF files from [here](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip).
 
+The XML below is the DDF for Windows 10, version 1709.
+
 ``` syntax
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
@@ -108,6 +110,27 @@ You can download the Windows 10 version 1607 DDF files from [here](http://downlo
                 <Description>Exec on this node will perform a remote wipe on the device and fully clean the internal drive. In some device configurations, this command may leave the device unable to boot. The return status code shows whether the device accepted the Exec command.</Description>
             </DFProperties>
         </Node>
+        <Node>
+            <NodeName>doWipePersistUserData</NodeName>
+            <DFProperties>
+              <AccessType>
+                  <Exec />
+              </AccessType>
+              <DFFormat>
+                  <chr />
+              </DFFormat>
+              <Occurrence>
+                  <One />
+              </Occurrence>
+              <Scope>
+                  <Permanent />
+              </Scope>
+              <DFType>
+                  <MIME>text/plain</MIME>
+              </DFType>
+              <Description>Exec on this node will perform a remote reset on the device and persist user accounts and data. The return status code shows whether the device accepted the Exec command.</Description>
+            </DFProperties>
+        </Node>
     </Node>
 </MgmtTree>
 ```