From a75a6bb4960d99874c6ada7c2019d9b6a04a28bb Mon Sep 17 00:00:00 2001 From: Michael Niehaus Date: Mon, 1 Jun 2020 12:00:37 -0700 Subject: [PATCH 01/14] Adding BYO VPN documentation Added additional instructions for the new BYO VPN feature. --- .../windows-autopilot/user-driven.md | 63 +++++++++++++++++-- 1 file changed, 59 insertions(+), 4 deletions(-) diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 1a9d30eb2e..78e37a59ba 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -47,6 +47,7 @@ For more information on the available join options, see the following sections: - [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. - [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. +- [Hybrid Azure Active Directory join with VPN support](#user-driven-mode-for-hybrid-azure-active-directory-join-with-VPN-support) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain, but are not connected to the corporate network and must use VPN connectivity. ## User-driven mode for Azure Active Directory join @@ -83,11 +84,65 @@ To perform a user-driven hybrid Azure AD joined deployment using Windows Autopil - Note: The Intune Connector will perform an on-prem AD join, therefore users do not need on-prem AD-join permission, assuming the Connector is [configured to perform this action](https://docs.microsoft.com/intune/windows-autopilot-hybrid#increase-the-computer-account-limit-in-the-organizational-unit) on the user's behalf. - If using Proxy, WPAD Proxy settings option must be enabled and configured. -**Azure AD device join**: The hybrid Azure AD join process uses the system context to perform device Azure AD join, therefore it is not affected by user based Azure AD join permission settings. In addition, all users are enabled to join devices to Azure AD by default. +The hybrid Azure AD join process uses the system context to register the device to Azure AD, therefore it is not affected by user based Azure AD join permission settings. -### Step by step instructions +## User-driven mode for hybrid Azure Active Directory join with VPN support + +Devices that are joined to Active Directory require connectivity to an Active Directory domain controller for a variety of activities, such as user sign-in (validating the user's credentials) and Group Policy application. As a result, the Windows Autopilot user-driven Hybrid Azure AD Join process would validate that the device is able to contact an Active Directory domain controller by pinging that domain controller. + +With the additional of VPN support for this scenario, it is now possible for you to specify to skip that connectivity check during the Hybrid Azure AD Join. This does not eliminate the need for communicating with an Active Directory domain controller, but rather enables the device to be first prepared with a needed VPN configuration delivered via Intune prior to the user attempting to sign into Windows, allowing connectivity to the organization's network. + +### Requirements + +The following additional requirements apply for Hybrid Azure AD Join with VPN support: + +- A supported version of Windows 10: + - Windows 10 1903 + December 10th Cumulative update (KB4530684, OS build 18362.535) or higher + - Windows 10 1909 + December 10th Cumulative update (KB4530684, OS build 18363.535) or higher + - Windows 10 2004 or later +- Enable the new “Skip domain connectivity check” toggle in the Hybrid Azure AD Join Autopilot profile. +- A VPN configuration that can be deployed via Intune that enables the user to manualy establish a VPN connection from the Windows logon screen, or one that automatically establishes a VPN connection as needed. + +The specific VPN configuration required depends on the VPN software and authentication being used. For third-party (non-Microsoft) VPN solutions, this typically would involve deploying a Win32 app (containing the VPN client software itself as well as any specific connection information, e.g. VPN endpoint host names) via Intune Management Extensions. Consult your VPN provider's documentation for configuration details specific to that provider. + +> [!NOTE] +> The VPN requirements are not specific to Windows Autopilot. For example, if you have already implemented a VPN configuration to enable remote password resets, where a user needs to log on to Windows with a new password when not on the organization's network, that same configuration can be used with Windows Autopilot. Once the user has signed in to cache their credentials, subsequent log-on attempts do not need connectivity since the cached credentials can be used. + +In cases where certificate authentication is required by the VPN software, the needed machine certificate should also be deployed via Intune. This can be done using the Intune certificate enrollment capabilities, targeting the certificate profiles to the device. + +Note that user certificates are not supported because these certificates cannot be deployed until the user logs in. Also, third-party UWP VPN plug-ins delivered from the Windows Store are also not supported because these are not installed until after the user signs in. + +### Validation + +Before attempting a hybrid Azure AD Join using VPN, it is important to first confirm that a user-driven Hybrid Azure AD Join process can be performed on the organization's network, before adding in the additional requirements described below. This simplifies troubleshooting by making sure the core process works fine before adding the additional VPN configuration required. + +Next, validate that the VPN configuration (Win32 app, certs, and any other requirements) can be deployed via Intune to an existing device that has already been hybrid Azure AD joined. For example, some VPN clients create a per-machine VPN connection as part of the installation process, so you can validate the configuration using steps such as these: + +- From PowerShell, verify that at least one per-machine VPN connection has been created using the "Get-VpnConnection -AllUserConnection" command. +- Attempt to manually start the VPN connection using the command: RASDIAL.EXE "ConnectionName" +- Log out and verify that the "VPN connection" icon can be seen on the Windows logon page. +- Move the device off the corporate network and attempt to establish the connection using the icon on the Windows logon page, signing into an account that does not have cached credentials. + +For VPN configurations that automatically connect, the validation steps may be different. + +> [!NOTE] +> Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile. + +To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from http://catalog.update.microsoft.com and then manually installing it: + +- Press Shift-F10 to open a command prompt. +- Insert a USB key containing the donwloaded update. +- Install the update using the command (substituting the real file name): WUSA.EXE .msu /quiet +- Reboot the computer using the command: shutdown.exe /r /t 0 + +Alternatively, you can invoke Windows Update to install the latest updates through this process: + +- Press Shift-F10 to open a command prompt. +- Run the command "start ms-settings:" +- Navigate to the "Update & Security" node and check for updates. +- Reboot after the updates are installed. + +## Step by step instructions See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). - - From 2efc2b6a576c39a7bd77c3346a1014b4bd78e80f Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Fri, 12 Jun 2020 21:30:21 +1000 Subject: [PATCH 02/14] Clarified key trust & 2016 DC's within AD site @mapalko adjusting the text here based off direct customer feedback from National Australia Bank who deployed this week but 'overlooked' this requirement. Clarified Active Directory site, etc --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 0f6cbee626..7d16521a42 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -40,7 +40,9 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. -You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. +If using the key trust deployment model, you MUST ensure that you have adequate (at least 1) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. > [!NOTE] >There was an issue with key trust authentication on Windows Server 2019. If you are planning to use Windows Server 2019 domain controllers refer to [KB4487044](https://support.microsoft.com/en-us/help/4487044/windows-10-update-kb4487044) to fix this issue. From 8c49398875be6ec81539cbe2f424e8f7b31998e4 Mon Sep 17 00:00:00 2001 From: jirenugo <57419984+jirenugo@users.noreply.github.com> Date: Fri, 12 Jun 2020 10:01:06 -0700 Subject: [PATCH 03/14] Update credential-guard-requirements.md --- .../credential-guard/credential-guard-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md index b20c33c92e..7f5c4ffe62 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md @@ -31,7 +31,7 @@ For Windows Defender Credential Guard to provide protection, the computers you a To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses: - Support for Virtualization-based security (required) - Secure boot (required) -- TPM 1.2 or 2.0 (preferred - provides binding to hardware), either discrete or firmware +- TPM (preferred - provides binding to hardware) versions 1.2 and 2.0 are supported, either discrete or firmware - UEFI lock (preferred - prevents attacker from disabling with a simple registry key change) The Virtualization-based security requires: From 653ffe684c55df6ff7b653f3cfc225720e2d767b Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Mon, 15 Jun 2020 14:00:32 +1000 Subject: [PATCH 04/14] Updated OneNote & WIP blurb to simplify steps @Dansimp Will create an internal thread to verify steps with Onenote folks --- .../windows-information-protection/limitations-with-wip.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 7e12444b58..347d96d88b 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -135,7 +135,11 @@ This table provides info about the most common problems you might encounter whil By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business). Onenote does not support local WIP protected notebooks. OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon) - If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. We recommend that you create a new notebook and copy the contents from the existing notebook into the new one. In OneNote desktop, File > New > OnedDive - company name notebook and create a new one. Then within OneNote, copy over the old 'local' sections into this new notebook to ensure they get upgraded to the modern format. Hold Ctrl + drag and drop the sections into the notebook. Holding Ctrl will copy sections rather than move them, preserving the old sections as backup copies. Wait for the new notebook to finish syncing to OneDrive for business. + If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. +OneNote notebooks that are newly copy-pasted ito OneDrive via File Explorer should be automatically fixed. To do this, follow these steps: +1. Close the notebook in OneNote +2. Move the notebook folder via File Explorer out of the 'OneDrive – company name' (OneDrive for Business folder) to some other location, such as the Desktop. +3. Copy and paste the folder back into the OneDrive for Business folder. Wait a few minutes to allow OneDrive to finish syncing & upgrading the files, and the folder should automatically convert to a URL which will then successfully open in the browser (and OneNote client).. Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. From e78f4b829d33c71027c9dced14739fcd6ad2426f Mon Sep 17 00:00:00 2001 From: rogersoMS <44718379+rogersoMS@users.noreply.github.com> Date: Tue, 16 Jun 2020 14:31:37 +1000 Subject: [PATCH 05/14] Additional changes as suggested by Jeffrey Hubbard (OneNote) --- .../limitations-with-wip.md | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 347d96d88b..3fecc05cc0 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -133,13 +133,14 @@ This table provides info about the most common problems you might encounter whil - By design, OneNote only supports WIP protected notebooks stored on enterprise-managed SharePoint (OneDrive for Business). Onenote does not support local WIP protected notebooks. - OneNote might encounter an error such as "This notebook contains protected content from your organization, which can't be viewed or synced. Please change the file ownership to Personal, or contact your IT administrator." Supported notebooks (OneDrive for Business) should be shown in File Explorer as links and open with your associated browser. Unsupported notebooks would show as folders or .one files (with a OneNote icon) - If unsupported files won't open in the browser, then they are 'stuck' in the old local format - incompatible with WIP or viewing online. -OneNote notebooks that are newly copy-pasted ito OneDrive via File Explorer should be automatically fixed. To do this, follow these steps: -1. Close the notebook in OneNote -2. Move the notebook folder via File Explorer out of the 'OneDrive – company name' (OneDrive for Business folder) to some other location, such as the Desktop. -3. Copy and paste the folder back into the OneDrive for Business folder. Wait a few minutes to allow OneDrive to finish syncing & upgrading the files, and the folder should automatically convert to a URL which will then successfully open in the browser (and OneNote client).. + OneNote notebooks on OneDrive for Business must be properly configured to work with WIP. + OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it. + "OneNote notebooks that are newly copied into the OneDrive for Business folder via File Explorer should get fixed automatically. To do this, follow these steps: +1. Close the notebook in OneNote. +2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop. +3. Copy the notebook folder and Paste it back into the OneDrive for Business folder. + +Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client via the “Open in app” button.. Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. From 2a1e8c6a513e478d06fad4041ae71491aa727dfc Mon Sep 17 00:00:00 2001 From: 1justingilmore Date: Mon, 22 Jun 2020 13:48:35 -0600 Subject: [PATCH 06/14] Update articles in PR 2026 --- .../mdm/certificate-renewal-windows-mdm.md | 41 +++++----------- .../mdm/clientcertificateinstall-csp.md | 49 ++++++------------- windows/client-management/mdm/defender-csp.md | 29 +++++------ ...application-virtualization-applications.md | 22 +-------- 4 files changed, 42 insertions(+), 99 deletions(-) diff --git a/windows/client-management/mdm/certificate-renewal-windows-mdm.md b/windows/client-management/mdm/certificate-renewal-windows-mdm.md index 415aa6a9b9..f6b0b2998b 100644 --- a/windows/client-management/mdm/certificate-renewal-windows-mdm.md +++ b/windows/client-management/mdm/certificate-renewal-windows-mdm.md @@ -17,16 +17,13 @@ ms.date: 06/26/2017 # Certificate Renewal - The enrolled client certificate expires after a period of use. The expiration date of the certificate is specified by the server. To ensure continuous access to enterprise applications, Windows supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS\#7 request, and signs the PKCS\#7 request with the existing certificate. In Windows, automatic MDM client certificate renewal is also supported. -> **Note**  Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. - -  +> [!Note] +> Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal request is triggered. ## In this topic - - [Automatic certificate renewal request](#automatic-certificate-renewal-request) - [Certificate renewal schedule configuration](#certificate-renewal-schedule-configuration) - [Certificate renewal response](#certificate-renewal-response) @@ -35,12 +32,10 @@ The enrolled client certificate expires after a period of use. The expiration da ## Automatic certificate renewal request - In addition to manual certificate renewal, Windows includes support for automatic certificate renewal, also known as Renew On Behalf Of (ROBO), that does not require any user interaction. For auto renewal, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate based client authentication for automatic certificate renewal. -> **Note**  Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. - -  +> [!Note] +> Certificate renewal of the enrollment certificate through ROBO is only supported with Microsoft PKI. Auto certificate renewal is the only supported MDM client certificate renewal method for the device that is enrolled using WAB authentication (meaning that the AuthPolicy is set to Federated). It also means if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate. @@ -54,7 +49,7 @@ During the automatic certificate renew process, the device will deny HTTP redire The following example shows the details of an automatic renewal request. -``` +``` xml @@ -106,7 +101,6 @@ The following example shows the details of an automatic renewal request. ``` - ## Certificate renewal schedule configuration @@ -116,11 +110,10 @@ For more information about the parameters, see the CertificateStore configuratio Unlike manual certificate renewal, the device will not perform an automatic MDM client certificate renewal if the certificate is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple months (40-60 days) before the certificate expires and set the renewal retry interval to be every few days such as every 4-5 days instead every 7 days (weekly) to increase the chance that the device will a connectivity at different days of the week. -> **Note**  For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. +> [!Note] +> For PCs that were previously enrolled in MDM in Windows 8.1 and then upgraded to Windows 10, renewal will be triggered for the enrollment certificate. Thereafter, renewal will happen at the configured ROBO interval. > For Windows Phone 8.1 devices upgraded to Windows 10 Mobile, renewal will happen at the configured ROBO internal. This is expected and by design. -  - ## Certificate renewal response When RequestType is set to Renew, the web service verifies the following (in additional to initial enrollment): @@ -133,12 +126,12 @@ When RequestType is set to Renew, the web service verifies the following (in add After validation is completed, the web service retrieves the PKCS\#10 content from the PKCS\#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML only needs to have the new certificate issued by the CA. -> **Note**  The HTTP server response must not be chunked; it must be sent as one message. - +> [!Note] +> The HTTP server response must not be chunked; it must be sent as one message. The following example shows the details of an certificate renewal response. -``` +``` xml @@ -163,25 +156,15 @@ The following example shows the details of an certificate renewal response. ``` -> **Note**  The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. - -  +> [!Note] +The client receives a new certificate, instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than the initial enrollment time. ## Configuration service providers supported during MDM enrollment and certificate renewal - The following configuration service providers are supported during MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider. - CertificateStore - w7 APPLICATION - DMClient - EnterpriseAppManagement - -  - - - - - - diff --git a/windows/client-management/mdm/clientcertificateinstall-csp.md b/windows/client-management/mdm/clientcertificateinstall-csp.md index 0f2ec33a8f..0337dad577 100644 --- a/windows/client-management/mdm/clientcertificateinstall-csp.md +++ b/windows/client-management/mdm/clientcertificateinstall-csp.md @@ -14,17 +14,15 @@ ms.date: 02/28/2020 # ClientCertificateInstall CSP - -The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. +The ClientCertificateInstall configuration service provider enables the enterprise to install client certificates. A client certificate has a unique ID, which is the *\[UniqueID\]* for this configuration. Each client certificate must have different UniqueIDs for the SCEP enrollment request. For PFX certificate installation and SCEP installation, the SyncML commands must be wrapped in atomic commands to ensure enrollment execution is not triggered until all settings are configured. The Enroll command must be the last item in the atomic block. -> **Note**   -Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. +> [!Note] +> Currently in Windows 10, version 1511, when using the ClientCertificateInstall to install certificates to the device store and the user store and both certificates are sent to the device in the same MDM payload, the certificate intended for the device store will also get installed in the user store. This may cause issues with Wi-Fi or VPN when choosing the correct certificate to establish a connection. We are working to fix this issue. You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. - The following image shows the ClientCertificateInstall configuration service provider in tree format. ![clientcertificateinstall csp](images/provisioning-csp-clientcertificateinstall.png) @@ -63,7 +61,6 @@ The data type is an integer corresponding to one of the following values: | 3 | Install to software. | | 4 | Install to Windows Hello for Business (formerly known as Microsoft Passport for Work) whose name is specified | - **ClientCertificateInstall/PFXCertInstall/*UniqueID*/ContainerName** Optional. Specifies the Windows Hello for Business (formerly known as Microsoft Passport for Work) container name (if Windows Hello for Business storage provider (KSP) is chosen for the KeyLocation). If this node is not specified when Windows Hello for Business KSP is chosen, enrollment will fail. @@ -107,9 +104,9 @@ Supported operations are Get, Add, and Replace. **ClientCertificateInstall/PFXCertInstall/*UniqueID*/PFXKeyExportable** Optional. Used to specify if the private key installed is exportable (and can be exported later). The PFX is not exportable when it is installed to TPM. -> **Note**  You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. +> [!Note] +> You can only set PFXKeyExportable to true if KeyLocation=3. For any other KeyLocation value, the CSP will fail. - The data type bool. Supported operations are Get, Add, and Replace. @@ -138,21 +135,20 @@ Supported operations are Add, Get, and Replace. **ClientCertificateInstall/SCEP** Node for SCEP. -> **Note**  An alert is sent after the SCEP certificate is installed. +> [!Note] +> An alert is sent after the SCEP certificate is installed. - **ClientCertificateInstall/SCEP/***UniqueID* A unique ID to differentiate different certificate installation requests. - **ClientCertificateInstall/SCEP/*UniqueID*/Install** A node required for SCEP certificate enrollment. Parent node to group SCEP cert installation related requests. Supported operations are Get, Add, Replace, and Delete. -> **Note**  Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. +> [!Note] +> Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device will take the values that are set when the Exec command is accepted. The server should not expect the node value change after Exec command is accepted, as it will impact the current enrollment underway. The server should check the Status node value and make sure the device is not at an unknown state before changing child node values. - **ClientCertificateInstall/SCEP/*UniqueID*/Install/ServerURL** Required for SCEP certificate enrollment. Specifies the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons. @@ -191,9 +187,9 @@ Supported operations are Add, Get, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyProtection** Optional. Specifies where to keep the private key. -> **Note**  Even if the private key is protected by TPM, it is not protected with a TPM PIN. +> [!Note] +> Even if the private key is protected by TPM, it is not protected with a TPM PIN. - The data type is an integer corresponding to one of the following values: | Value | Description | @@ -203,7 +199,6 @@ The data type is an integer corresponding to one of the following values: | 3 | (Default) Private key saved in software KSP. | | 4 | Private key protected by Windows Hello for Business (formerly known as Microsoft Passport for Work). If this option is specified, the ContainerName must be specified, otherwise enrollment will fail. | - Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/KeyUsage** @@ -238,9 +233,9 @@ Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/TemplateName** Optional. OID of certificate template name. -> **Note**  This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. +> [!Note] +> This name is typically ignored by the SCEP server; therefore the MDM server typically doesn’t need to provide it. - Data type is string. Supported operations are Add, Get, Delete, and Replace. @@ -294,7 +289,6 @@ Valid values are: > **Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. - Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ValidPeriodUnits** @@ -302,9 +296,9 @@ Optional. Specifies the desired number of units used in the validity period. Thi Data type is string. ->**Note**  The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. +> [!Note] +> The device only sends the MDM server expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of certificate enrollment request. Depending on the server configuration, the server defines how to use this valid period to create the certificate. - Supported operations are Add, Get, Delete, and Replace. **ClientCertificateInstall/SCEP/*UniqueID*/Install/ContainerName** @@ -358,7 +352,6 @@ The only supported operation is Get. | 16 | Action failed | | 32 | Unknown | - **ClientCertificateInstall/SCEP/*UniqueID*/ErrorCode** Optional. An integer value that indicates the HRESULT of the last enrollment error code. @@ -373,7 +366,6 @@ The only supported operation is Get. ## Example - Enroll a client certificate through SCEP. ```xml @@ -669,15 +661,4 @@ Add a PFX certificate. The PFX certificate password is encrypted with a custom c ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) - - - - - - - - - - diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 0842fb0031..ecfd84d7fa 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -120,8 +120,6 @@ The following table describes the supported values: | 50 | Ransomware | | 51 | ASR Rule | - - Supported operation is Get. **Detections/*ThreatId*/CurrentStatus** @@ -179,9 +177,9 @@ An interior node to group information about Windows Defender health status. Supported operation is Get. **Health/ProductStatus** -Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. +Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. -Data type is integer. Supported operation is Get. +Data type is integer. Supported operation is Get. Supported product status values: - No status = 0 @@ -248,60 +246,60 @@ Supported operation is Get. **Health/DefenderEnabled** Indicates whether the Windows Defender service is running. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/RtpEnabled** Indicates whether real-time protection is running. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/NisEnabled** Indicates whether network protection is running. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/QuickScanOverdue** Indicates whether a Windows Defender quick scan is overdue for the device. -A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default) +A Quick scan is overdue when a scheduled Quick scan did not complete successfully for 2 weeks and [catchup Quick scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupquickscan) are disabled (default). -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/FullScanOverdue** Indicates whether a Windows Defender full scan is overdue for the device. -A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default) +A Full scan is overdue when a scheduled Full scan did not complete successfully for 2 weeks and [catchup Full scans](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-disablecatchupfullscan) are disabled (default). -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/SignatureOutOfDate** Indicates whether the Windows Defender signature is outdated. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/RebootRequired** Indicates whether a device reboot is needed. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. **Health/FullScanRequired** Indicates whether a Windows Defender full scan is required. -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. @@ -357,7 +355,7 @@ Supported operation is Get. **Health/TamperProtectionEnabled** Indicates whether the Windows Defender tamper protection feature is enabled.​ -The data type is a boolean. +The data type is a Boolean. Supported operation is Get. @@ -422,5 +420,4 @@ Supported operations are Get and Execute. ## Related topics - [Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md index 8b68977b69..2d435e85ed 100644 --- a/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md +++ b/windows/configuration/ue-v/uev-using-uev-with-application-virtualization-applications.md @@ -23,7 +23,6 @@ User Experience Virtualization (UE-V) supports Microsoft Application Virtualizat ## UE-V settings synchronization for App-V applications - UE-V monitors when an application opens by the program name and, optionally, by file version numbers and product version numbers, whether the application is installed locally or virtually by using App-V. When the application starts, UE-V monitors the App-V process, applies any settings that are stored in the user's settings storage path, and then enables the application to start normally. UE-V monitors App-V applications and automatically translates the relevant file and registry paths to the virtualized location as opposed to the physical location outside the App-V computing environment. **To implement settings synchronization for a virtualized application** @@ -34,28 +33,11 @@ UE-V monitors when an application opens by the program name and, optionally, by 3. Publish the template to the location of your settings template catalog or manually install the template by using the `Register-UEVTemplate` Windows PowerShell cmdlet. - **Note**   - If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. - - + > [!NOTE] + > If you publish the newly created template to the settings template catalog, the client does not receive the template until the sync provider updates the settings. To manually start this process, open **Task Scheduler**, expand **Task Scheduler Library**, expand **Microsoft**, and expand **UE-V**. In the results pane, right-click **Template Auto Update**, and then click **Run**. 4. Start the App-V package. - - - - - ## Related topics - [Administering UE-V](uev-administering-uev.md) - - - - - - - - - From bb6a55ad38b22c164499c68695a86732986c68a2 Mon Sep 17 00:00:00 2001 From: 1justingilmore Date: Mon, 22 Jun 2020 14:30:10 -0600 Subject: [PATCH 07/14] Update windows-update-resources.md --- .../update/windows-update-resources.md | 31 +++++++++---------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md index 414c766a67..0371ab7f89 100644 --- a/windows/deployment/update/windows-update-resources.md +++ b/windows/deployment/update/windows-update-resources.md @@ -30,55 +30,52 @@ The following resources provide additional information about using Windows Updat [Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/) - ## How do I reset Windows Update components? -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. - - -[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update. +[Reset Windows Update Client settings script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data. +[Reset Windows Update Agent script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allows you to reset the Windows Update Agent, resolving issues with Windows Update. ## Reset Windows Update components manually 1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER: - ```console + ``` console cmd ``` 2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console net stop bits net stop wuauserv ``` 3. Delete the qmgr\*.dat files. To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" ``` 4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above. 1. Rename the following folders to *.BAK: - ```console + ``` console %systemroot%\SoftwareDistribution\DataStore %systemroot%\SoftwareDistribution\Download %systemroot%\system32\catroot2 ``` To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console Ren %systemroot%\SoftwareDistribution\DataStore *.bak Ren %systemroot%\SoftwareDistribution\Download *.bak Ren %systemroot%\system32\catroot2 *.bak ``` 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU) ``` 5. Type the following command at a command prompt, and then press ENTER: - ```console + ``` console cd /d %windir%\system32 ``` 6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console regsvr32.exe atl.dll regsvr32.exe urlmon.dll regsvr32.exe mshtml.dll @@ -118,20 +115,20 @@ The following resources provide additional information about using Windows Updat ``` 7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console netsh winsock reset ``` 8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console proxycfg.exe -d ``` 9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command. - ```console + ``` console net start bits net start wuauserv ``` 10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER: - ```console + ``` console bitsadmin.exe /reset /allusers ``` From d07b2a45c3ff2ed97d0ab9c489b14b7ee0274dd9 Mon Sep 17 00:00:00 2001 From: 1justingilmore Date: Mon, 22 Jun 2020 14:50:31 -0600 Subject: [PATCH 08/14] Update articles for PR 3065 --- .../usmt/usmt-determine-what-to-migrate.md | 14 -------------- .../volume-activation/vamt-known-issues.md | 4 ++-- .../windows-autopilot-requirements.md | 18 +++++++++--------- 3 files changed, 11 insertions(+), 25 deletions(-) diff --git a/windows/deployment/usmt/usmt-determine-what-to-migrate.md b/windows/deployment/usmt/usmt-determine-what-to-migrate.md index 3b16df17e6..418f73f68c 100644 --- a/windows/deployment/usmt/usmt-determine-what-to-migrate.md +++ b/windows/deployment/usmt/usmt-determine-what-to-migrate.md @@ -16,7 +16,6 @@ ms.topic: article # Determine What to Migrate - By default, User State Migration Tool (USMT) 10.0 migrates the items listed in [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md), depending on the migration .xml files you specify. These default settings are often enough for a basic migration. However, when considering what settings to migrate, you should also consider what settings you would like the user to be able to configure, if any, and what settings you would like to standardize. Many organizations use their migration as an opportunity to create and begin enforcing a better-managed environment. Some of the settings that users can configure on unmanaged computers prior to the migration can be locked on the new, managed computers. For example, standard wallpaper, Internet Explorer security settings, and desktop configuration are some of the items you can choose to standardize. @@ -25,7 +24,6 @@ To reduce complexity and increase standardization, your organization should cons ## In This Section - @@ -51,18 +49,6 @@ To reduce complexity and increase standardization, your organization should cons
- - ## Related topics - [What Does USMT Migrate?](usmt-what-does-usmt-migrate.md) - - - - - - - - - diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md index b4173bb737..d28e648aac 100644 --- a/windows/deployment/volume-activation/vamt-known-issues.md +++ b/windows/deployment/volume-activation/vamt-known-issues.md @@ -48,13 +48,13 @@ On the KMS host computer, perform the following steps: 1. To extract the contents of the update, run the following command: - ```cmd + ```console expand c:\KB3058168\Windows8.1-KB3058168-x64.msu -f:* C:\KB3058168\ ``` 1. To extract the contents of Windows8.1-KB3058168-x64.cab, run the following command: - ```cmd + ```console expand c:\KB3058168\Windows8.1-KB3058168-x64.cab -f:pkeyconfig-csvlk.xrm-ms c:\KB3058168 ``` diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 1cf373f277..2b3ffca049 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -26,7 +26,8 @@ ms.custom: Windows Autopilot depends on specific capabilities available in Windows 10, Azure Active Directory, and MDM services such as Microsoft Intune. In order to use Windows Autopilot and leverage these capabilities, some requirements must be met. -**Note**: For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). +> [!NOTE] +> For a list of OEMs that currently support Windows Autopilot, see the Participant device manufacturers section at [Windows Autopilot](https://aka.ms/windowsautopilot). ## Software requirements @@ -46,8 +47,8 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur Windows Autopilot depends on a variety of internet-based services. Access to these services must be provided for Autopilot to function properly. In the simplest case, enabling proper functionality can be achieved by ensuring the following: -- Ensure DNS name resolution for internet DNS names -- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP) +- Ensure DNS name resolution for internet DNS names. +- Allow access to all hosts via port 80 (HTTP), 443 (HTTPS), and 123 (UDP/NTP). In environments that have more restrictive Internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to allow access to the required services. For additional details about each of these services and their specific requirements, review the following details: @@ -84,7 +85,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Microsoft 365 Apps for enterprise may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See TPM recommendations for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
Intel- https://ekop.intel.com/ekcertservice
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1 @@ -97,9 +98,9 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Windows Autopilot depends on specific capabilities available in Windows 10 and Azure Active Directory. It also requires an MDM service such as Microsoft Intune. These capabilities can be obtained through various editions and subscription programs: To provide needed Azure Active Directory (automatic MDM enrollment and company branding features) and MDM functionality, one of the following is required: -- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business) -- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline) -- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx) +- [Microsoft 365 Business Premium subscriptions](https://www.microsoft.com/microsoft-365/business). +- [Microsoft 365 F1 subscriptions](https://www.microsoft.com/microsoft-365/enterprise/firstline). +- [Microsoft 365 Academic A1, A3, or A5 subscriptions](https://www.microsoft.com/education/buy-license/microsoft365/default.aspx). - [Microsoft 365 Enterprise E3 or E5 subscriptions](https://www.microsoft.com/microsoft-365/enterprise), which include all Windows 10, Office 365, and EM+S features (Azure AD and Intune). - [Enterprise Mobility + Security E3 or E5 subscriptions](https://www.microsoft.com/cloud-platform/enterprise-mobility-security), which include all needed Azure AD and Intune features. - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features. @@ -120,7 +121,7 @@ Before Windows Autopilot can be used, some configuration tasks are required to s - Configure Azure Active Directory custom branding. In order to display an organization-specific logon page during the Autopilot process, Azure Active Directory needs to be configured with the images and text that should be displayed. See [Quickstart: Add company branding to your sign-in page in Azure AD](https://docs.microsoft.com/azure/active-directory/fundamentals/customize-branding) for more details. Note that the "square logo" and "sign-in page text" are the key elements for Autopilot, as well as the Azure Active Directory tenant name (configured separately in the Azure AD tenant properties). - Enable [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation) if desired, in order to automatically step up from Windows 10 Pro to Windows 10 Enterprise. -Specific scenarios will then have additional requirements. Generally, there are two specific tasks: +Specific scenarios will then have additional requirements. Generally, there are two specific tasks: - Device registration. Devices need to be added to Windows Autopilot to support most Windows Autopilot scenarios. See [Adding devices to Windows Autopilot](add-devices.md) for more details. - Profile configuration. Once devices have been added to Windows Autopilot, a profile of settings needs to be applied to each device. See [Configure Autopilot profiles](profiles.md) for details. Note that Microsoft Intune can automate this profile assignment; see [Create an AutoPilot device group](https://docs.microsoft.com/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Assign an AutoPilot deployment profile to a device group](https://docs.microsoft.com/intune/enrollment-autopilot#assign-an-autopilot-deployment-profile-to-a-device-group) for more information. @@ -133,7 +134,6 @@ For a walkthrough for some of these and related steps, see this video: - There are no additional hardware requirements to use Windows 10 Autopilot, beyond the [requirements to run Windows 10](https://www.microsoft.com/windows/windows-10-specifications). ## Related topics From ed3375adef9f5e20e25e0b33ea02b93ad1dfbaed Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 23 Jun 2020 07:31:38 -0700 Subject: [PATCH 09/14] Update limitations-with-wip.md --- .../windows-information-protection/limitations-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 3fecc05cc0..340c9edb2a 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -135,12 +135,12 @@ This table provides info about the most common problems you might encounter whil OneNote notebooks on OneDrive for Business must be properly configured to work with WIP. OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it. - "OneNote notebooks that are newly copied into the OneDrive for Business folder via File Explorer should get fixed automatically. To do this, follow these steps: + "OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps: 1. Close the notebook in OneNote. 2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop. 3. Copy the notebook folder and Paste it back into the OneDrive for Business folder. -Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client via the “Open in app” button.. +Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. From ef192a9ff6605c49b076df6bc2b3e892872594e8 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 23 Jun 2020 07:35:38 -0700 Subject: [PATCH 10/14] Update hello-hybrid-key-trust-prereqs.md --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 7d16521a42..561d5a4070 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -41,7 +41,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. -If using the key trust deployment model, you MUST ensure that you have adequate (at least 1) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +If using the key trust deployment model, you MUST ensure that you have adequate (1 or more) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. > [!NOTE] From 7a736d353da0d653b233a7ce715cdd797c79654c Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 23 Jun 2020 07:36:22 -0700 Subject: [PATCH 11/14] Update hello-hybrid-key-trust-prereqs.md --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 561d5a4070..5a7e9bb20a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -41,7 +41,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. -If using the key trust deployment model, you MUST ensure that you have adequate (1 or more) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +If using the key trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. > [!NOTE] From 02aa91c41bba63d8109d4815f232053d49f278c2 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 23 Jun 2020 08:33:59 -0700 Subject: [PATCH 12/14] pencil edit --- windows/deployment/windows-autopilot/user-driven.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 78e37a59ba..4087db6315 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -128,7 +128,7 @@ For VPN configurations that automatically connect, the validation steps may be d > [!NOTE] > Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile. -To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from http://catalog.update.microsoft.com and then manually installing it: +To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it: - Press Shift-F10 to open a command prompt. - Insert a USB key containing the donwloaded update. From d9e9a808cb33fcd49817dca4479f78334219218b Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 23 Jun 2020 08:39:46 -0700 Subject: [PATCH 13/14] pencil edit --- windows/deployment/windows-autopilot/user-driven.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 4087db6315..ed5c6a50fb 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -126,7 +126,7 @@ Next, validate that the VPN configuration (Win32 app, certs, and any other requi For VPN configurations that automatically connect, the validation steps may be different. > [!NOTE] -> Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/en-us/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile. +> Always On VPN can be used for this scenario. See the [Deploy Always On VPN](https://docs.microsoft.com/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy-deployment) documentation for more information. Note that Intune cannot yet deploy the needed per-machine VPN profile. To validate the end-to-end process, ensure the needed Windows 10 cumulative update has been installed on Windows 10 1903 or Windows 10 1909. This can be done manually during OOBE by first downloading the latest cumulative from https://catalog.update.microsoft.com and then manually installing it: From 74a01fc5ece1550b24795ea1cf067c6058066f17 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Tue, 23 Jun 2020 08:43:08 -0700 Subject: [PATCH 14/14] pencil edit --- windows/deployment/windows-autopilot/user-driven.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index ed5c6a50fb..7786be9c94 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -47,7 +47,7 @@ For more information on the available join options, see the following sections: - [Azure Active Directory join](#user-driven-mode-for-azure-active-directory-join) is available if devices do not need to be joined to an on-prem Active Directory domain. - [Hybrid Azure Active Directory join](#user-driven-mode-for-hybrid-azure-active-directory-join) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain. -- [Hybrid Azure Active Directory join with VPN support](#user-driven-mode-for-hybrid-azure-active-directory-join-with-VPN-support) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain, but are not connected to the corporate network and must use VPN connectivity. +- [Hybrid Azure Active Directory join with VPN support](#user-driven-mode-for-hybrid-azure-active-directory-join-with-vpn-support) is available for devices that must be joined to both Azure Active Directory and your on-prem Active Directory domain, but are not connected to the corporate network and must use VPN connectivity. ## User-driven mode for Azure Active Directory join