From 7b5202cbe7d9d89427fc27a721ec56df0d4195af Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 9 Aug 2017 10:22:48 -0700 Subject: [PATCH 1/5] Added new Java GSS API issue. --- .../credential-guard-known-issues.md | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/windows/access-protection/credential-guard/credential-guard-known-issues.md b/windows/access-protection/credential-guard/credential-guard-known-issues.md index b9dd345053..2241fb465d 100644 --- a/windows/access-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/access-protection/credential-guard/credential-guard-known-issues.md @@ -33,25 +33,13 @@ The following known issues have been fixed by servicing releases made available - Windows 10 Version 1511: [KB4015219 (OS Build 10586.873)](https://support.microsoft.com/help/4015219) - Windows 10 Version 1507: [KB4015221 (OS Build 10240.17354)](https://support.microsoft.com/help/4015221) +## Known issues involving third-party applications +The following issue affects the Java GSS API. See the following Oracle bug database article: +- [JDK-8161921: Windows 10 Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) - - - - - - - - - - - - - - - - +When Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). The following issue affects Cisco AnyConnect Secure Mobility Client: From 59143583113a3a68ac4383838dcffa542da62a8c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 9 Aug 2017 11:17:59 -0700 Subject: [PATCH 2/5] update table label --- ...roxy-internet-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 1a162b7913..ab5af4aee7 100644 --- a/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -80,7 +80,7 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: -Primary Domain Controller | .Microsoft.com DNS record +Service location | .Microsoft.com DNS record :---|:--- US |```*.blob.core.windows.net```
```crl.microsoft.com```
```us.vortex-win.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` Europe |```*.blob.core.windows.net```
```crl.microsoft.com```
```eu.vortex-win.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com```
From 11c7c951f64f2da460820bc1076b4c982e7da73b Mon Sep 17 00:00:00 2001 From: Maricia Alforque Date: Wed, 9 Aug 2017 19:06:00 +0000 Subject: [PATCH 3/5] Merged PR 2638: EntepriseDataProtection CSP updated values in Settings/EDPEnforcementLevel --- .../mdm/enterprisedataprotection-csp.md | 6 +++--- .../mdm/new-in-windows-mdm-enrollment-management.md | 10 ++++++++++ 2 files changed, 13 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/enterprisedataprotection-csp.md b/windows/client-management/mdm/enterprisedataprotection-csp.md index 95722f7b40..c79f4f55e9 100644 --- a/windows/client-management/mdm/enterprisedataprotection-csp.md +++ b/windows/client-management/mdm/enterprisedataprotection-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: nickbrower -ms.date: 06/19/2017 +ms.date: 08/09/2017 --- # EnterpriseDataProtection CSP @@ -44,8 +44,8 @@ The following diagram shows the EnterpriseDataProtection CSP in tree format. - 0 (default) – Off / No protection (decrypts previously protected data). - 1 – Silent mode (encrypt and audit only). -- 2 – Override mode (encrypt, prompt, and audit). -- 3 – Block mode (encrypt, block, and audit). +- 2 – Allow override mode (encrypt, prompt and allow overrides, and audit). +- 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).

Supported operations are Add, Get, Replace and Delete. Value type is integer. diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index ddbd9bfab8..2fe500388f 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1322,6 +1322,16 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware [CM\_CellularEntries CSP](cm-cellularentries-csp.md)

Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.

+ +[EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) +

Updated the Settings/EDPEnforcementLevel values to the following:

+
    +
  • 0 (default) – Off / No protection (decrypts previously protected data).
    • +
  • 1 – Silent mode (encrypt and audit only).
    • +
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
    • +
  • 3 – Hides overrides (encrypt, prompt but hide overrides, and audit).
    • +
+ [Policy CSP](policy-configuration-service-provider.md)

Added the following new policies for Windows 10, version 1709:

From 1ece34af8eb1bee58aa094ab35210913afa8d050 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 9 Aug 2017 19:13:09 +0000 Subject: [PATCH 4/5] Merged PR 2640: Fixed sample intro (customer feedback) --- windows/configuration/start-layout-xml-desktop.md | 2 +- windows/configuration/windows-spotlight.md | 4 ---- 2 files changed, 1 insertion(+), 5 deletions(-) diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 0bf7db49e7..e203016bfa 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -191,7 +191,7 @@ You can use the **start:DesktopApplicationTile** tag to pin a Windows desktop ap To pin a Windows desktop application through this method, you must set the **DesktopApplicationID** attribute to the application user model ID that's associated with the corresponding app. - The following example shows how to pin the Internet Explorer Windows desktop application: + The following example shows how to pin the File Explorer Windows desktop application: ```XML [!WARNING] -> In Windows 10, version 1607, the **Force a specific default lock screen image** policy setting will prevent users from changing the lock screen image. This behavior will be corrected in a future release. -> -> In Windows 10, version 1703, the **Force a specific default lock screen image** policy setting applies only intermittently and may not produce expected results. This behavior will be corrected in a future release. ![lockscreen policy details](images/lockscreenpolicy.png) From 9813a135d6e662f0f1718fde4a22a4982ea96f35 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 9 Aug 2017 20:59:39 +0000 Subject: [PATCH 5/5] Merged PR 2645: Fixed account test instructions --- .../surface-hub/prepare-your-environment-for-surface-hub.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index 892a1a31a4..7346763936 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -68,9 +68,8 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. -After you've created your device account, there are a couple of ways to verify that it's setup correctly. -- Run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. -- Use the account with the [Lync Microsoft Store app](https://www.microsoft.com/en-us/store/p/lync/9wzdncrfhvhm). If Lync signs in successfully, then the device account will most likely work with Skype for Business on Surface Hub. +After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. + ## Prepare for first-run program