From a69c9a424293f68f9b0d283cc522dbdca49de9af Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 26 Oct 2017 11:18:29 -0700 Subject: [PATCH 1/8] added XTS default for 1511 --- .../bitlocker/bitlocker-group-policy-settings.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md index cb8e0ad837..77beed3765 100644 --- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md @@ -1100,19 +1100,25 @@ This policy setting is used to control the encryption method and cipher strength

When disabled or not configured

-

BitLocker uses the default encryption method of AES 128-bit or the encryption method that is specified by the setup script.

+

Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS.

  **Reference** -By default, BitLocker uses AES 128-bit encryption. Available options are AES-128 and AES-256. The values of this policy determine the strength of the cipher that BitLocker uses for encryption. Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). +The values of this policy determine the strength of the cipher that BitLocker uses for encryption. +Enterprises may want to control the encryption level for increased security (AES-256 is stronger than AES-128). + +If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually. +For fixed and operating system drives, we recommend that you use the XTS-AES algorithm. +For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later. + Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored. >**Warning:**  This policy does not apply to encrypted drives. Encrypted drives utilize their own algorithm, which is set by the drive during partitioning.   -When this policy setting is disabled, BitLocker uses AES with the same bit strength (128-bit or 256-bit) as specified in the policy setting **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)**. If neither policy is set, BitLocker uses the default encryption method, AES-128, or the encryption method that is specified in the setup script. +When this policy setting is disabled or not configured, BitLocker will use the default encryption method of XTS-AES 128-bit or the encryption method that is specified in the setup script. ### Configure use of hardware-based encryption for fixed data drives 
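Review bot: The rewritten closing paragraph of the Reference section drops the fallback to **Choose drive encryption method and cipher strength (Windows Vista, Windows Server 2008, Windows 7)** that the removed sentence described for the disabled case. If that fallback still applies, keep it. If it does not, say so, because an administrator who has set only the older policy cannot tell from the new text which cipher will be used. The Reference text and the new table cell also disagree: the cell scopes the XTS-AES 128-bit default to "Beginning with Windows 10, version 1511" and notes that Windows Phone does not support XTS, while the Reference paragraph states the XTS-AES default with neither qualifier and no longer says what earlier versions use. Suggest repeating the version scope in the Reference paragraph and changing "encryption algorithm and key cipher strength" to "encryption algorithm and cipher strength" so it matches the policy name.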
From 53fde11b622556e20ec42567f9baef87337bb1d2 Mon Sep 17 00:00:00 2001 From: Greg Lindsay Date: Thu, 26 Oct 2017 23:07:55 +0000 Subject: [PATCH 2/8] Merged PR 4126: Add SCCM and MDT task sequence scenario requirements to the topic Details for deployment tools --- windows/deployment/mbr-to-gpt.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md index ee77f2ce0e..c1f6ffae6a 100644 --- a/windows/deployment/mbr-to-gpt.md +++ b/windows/deployment/mbr-to-gpt.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy author: greg-lindsay -ms.date: 09/05/2017 +ms.date: 10/26/2017 ms.localizationpriority: high --- 
@@ -20,25 +20,26 @@ ms.localizationpriority: high **MBR2GPT.EXE** converts a disk from the Master Boot Record (MBR) to the GUID Partition Table (GPT) partition style without modifying or deleting data on the disk. The tool is designed to be run from a Windows Preinstallation Environment (Windows PE) command prompt, but can also be run from the full Windows 10 operating system (OS) by using the **/allowFullOS** option. +>MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. +>The tool is available in both the full OS environment and Windows PE. To use this tool in a deployment task sequence with Configuration Manager or Microsoft Deployment Toolkit (MDT), you must first update the boot.wim file with the [Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) 1703, or a later version. + See the following video for a detailed description and demonstration of MBR2GPT. ->MBR2GPT.EXE is located in the **Windows\\System32** directory on a computer running Windows 10 version 1703 (also known as the Creator's Update) or later. ->The tool is available in both the full OS environment and Windows PE. - You can use MBR2GPT to: - Convert any attached MBR-formatted system disk to the GPT partition format. You cannot use the tool to convert non-system disks from MBR to GPT. - Convert an MBR disk with BitLocker-encrypted volumes as long as protection has been suspended. To resume BitLocker after conversion, you will need to delete the existing protectors and recreate them. - Convert operating system disks that have earlier versions of Windows 10 installed, such as versions 1507, 1511, and 1607. However, you must run the tool while booted into Windows 10 version 1703 or later, and perform an offline conversion. 
+- Convert an operating system disk from MBR to GPT through a Configuration Manager or MDT task sequence provided that version 1703 or later of the Windows ADK is installed. Offline conversion of system disks with earlier versions of Windows installed, such as Windows 7, 8, or 8.1 are not officially supported. The recommended method to convert these disks is to upgrade the operating system to Windows 10 first, then perform the MBR to GPT conversion. >[!IMPORTANT] >After the disk has been converted to GPT partition style, the firmware must be reconfigured to boot in UEFI mode.
Make sure that your device supports UEFI before attempting to convert the disk. -## Prerequisites +## Disk Prerequisites Before any change to the disk is made, MBR2GPT validates the layout and geometry of the selected disk to ensure that: - The disk is currently using MBR From 7c36b9867d9672f7a0e793d2451cf55248165f8e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 26 Oct 2017 16:16:59 -0700 Subject: [PATCH 3/8] added default for Phone --- .../bitlocker/bitlocker-group-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md index 77beed3765..6199c24fc9 100644 --- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md @@ -1100,7 +1100,7 @@ This policy setting is used to control the encryption method and cipher strength

When disabled or not configured

-

Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS.

+

Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CSB 128-bit by default and supports AES-CBC 256-bit by policy.
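Review bot: In the added table cell, "AES-CSB 128-bit" is a typo for AES-CBC; the same sentence spells the mode correctly in "AES-CBC 256-bit". PATCH 4/8 corrects it under the identical subject "added default for Phone", so fold that correction into this commit or give the follow-up a subject that says it is a typo fix.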

From 29aca996b18bbc012bad73c4a000da77d72059d2 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 26 Oct 2017 16:28:10 -0700 Subject: [PATCH 4/8] added default for Phone --- .../bitlocker/bitlocker-group-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md index 6199c24fc9..1e5630aab0 100644 --- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md @@ -1100,7 +1100,7 @@ This policy setting is used to control the encryption method and cipher strength

When disabled or not configured

-

Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CSB 128-bit by default and supports AES-CBC 256-bit by policy.

+

Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.

From 5a155f1f108487651142d4db2f901d1efd6ece7b Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Fri, 27 Oct 2017 00:05:04 +0000 Subject: [PATCH 5/8] Merged PR 4128: Fixing typos and updating links --- .../deployment/update/waas-windows-insider-for-business.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/deployment/update/waas-windows-insider-for-business.md b/windows/deployment/update/waas-windows-insider-for-business.md index 6de16163e4..94c1ade630 100644 --- a/windows/deployment/update/waas-windows-insider-for-business.md +++ b/windows/deployment/update/waas-windows-insider-for-business.md @@ -287,7 +287,4 @@ Your individual registration with the Insider program will not be impacted. If y - [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) - [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) - [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) -- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) -- [Manage updates using Windows Update for Business](waas-manage-updates-wufb.md) -- [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) -- [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) \ No newline at end of file +- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) \ No newline at end of file From e5341647c62fcad688ccc5dca7f12b998f6ef86c Mon Sep 17 00:00:00 2001 From: Mike Stephens Date: Fri, 27 Oct 2017 08:48:48 -0700 Subject: [PATCH 6/8] Fixed types and small correction --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d31a4393af..0bd7c0a3b1 100644 --- a/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/access-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -11,7 +11,7 @@ ms.author: mstephen localizationpriority: high ms.date: 10/20/2017 --- -# Hybrid Key tust Windows Hello for Business Prerequisites +# Hybrid Key trust Windows Hello for Business Prerequisites **Applies to** - Windows 10 @@ -64,7 +64,6 @@ The minimum required enterprise certificate authority that can be used with Wind ### Section Review > [!div class="checklist"] > * Windows Server 2012 Issuing Certificate Authority -> * Windows Server 2016 Active Directory Federation Services
@@ -99,8 +98,8 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth ### Section Review > [!div class="checklist"] > * Azure MFA Service -> * Windows Server 2016 AD FS and Azure -> * Windows Server 2016 AD FS and third party MFA Adapter +> * Windows Server 2016 AD FS and Azure (optional, if federated) +> * Windows Server 2016 AD FS and third party MFA Adapter (optiona, if federated)
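Review bot: The last added checklist item reads "(optiona, if federated)"; it should be "(optional, if federated)" to match the item above it. The retitled heading "Hybrid Key trust Windows Hello for Business Prerequisites" still mixes case, so settle on "Hybrid Key Trust" or "hybrid key trust" and use it consistently. The first checklist now drops "Windows Server 2016 Active Directory Federation Services" outright while the second keeps AD FS as an optional item, so confirm that the body text above each checklist describes AD FS the same way.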
From 1d4478e51b035434f507dea88d1dc0048574e125 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 27 Oct 2017 09:11:45 -0700 Subject: [PATCH 7/8] grammar fix --- .../bitlocker/bitlocker-group-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md index 1e5630aab0..753d60ef60 100644 --- a/windows/device-security/bitlocker/bitlocker-group-policy-settings.md +++ b/windows/device-security/bitlocker/bitlocker-group-policy-settings.md @@ -343,7 +343,7 @@ This policy setting is used to set a minimum PIN length when you use an unlock m

When enabled

-

You can require that users enter a minimum number of digits to when setting their startup PINs.

+

You can require that users enter between 4 and 20 digits when setting their startup PINs.

When disabled or not configured
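Review bot: The subject says "grammar fix", but the new sentence also introduces the bounds "between 4 and 20 digits" and drops the word "minimum", so it now reads as a limit on the PIN itself rather than on the minimum length this policy sets. Suggest wording such as "You can require a minimum length for startup PINs, set to a value between 4 and 20 digits", and mention the content change in the commit message.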

From 3b5b300b83af3a12eeded6d043183f9fe82265a9 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 27 Oct 2017 16:41:42 +0000 Subject: [PATCH 8/8] Merged PR 4137: Deleted device-dialog-box.md Deleted device-dialog-box.md --- windows/deployment/planning/device-dialog-box.md | 5 ----- 1 file changed, 5 deletions(-) delete mode 100644 windows/deployment/planning/device-dialog-box.md diff --git a/windows/deployment/planning/device-dialog-box.md b/windows/deployment/planning/device-dialog-box.md deleted file mode 100644 index 5d32e55b8f..0000000000 --- a/windows/deployment/planning/device-dialog-box.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -title: Device Dialog Box (Windows 10) -description: In Application Compatibility Manager (ACM), the Device dialog box shows information about the selected device. -description: This section describes the compatibility reports in Application Compatibility Manager (ACM) and how you can work with the reports. ---- \ No newline at end of file
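Review bot: The patch deletes windows/deployment/planning/device-dialog-box.md and touches no other file, so any TOC entry or cross-link that points at the topic is left dangling. Check for inbound references and remove or redirect them in the same change. The commit message repeats "Deleted device-dialog-box.md" without giving a reason; a short note on why the topic is being retired would help later readers of the history.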