Merge pull request #1992 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
Gary Moore
2020-02-05 21:50:01 -08:00
committed by GitHub
7 changed files with 42 additions and 32 deletions

View File

@ -24,6 +24,17 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
## Windows 10 Team Creators Update 1703 ## Windows 10 Team Creators Update 1703
<details>
<summary>January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254)</summary>
This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
* Addresses an issue with log collection for Microsoft Surface Hub 2S.
Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
*[KB4534296](https://support.microsoft.com/help/4534296)
</details>
<details> <details>
<summary>September 24, 2019—update for Team edition based on KB4516059* (OS Build 15063.2078)</summary> <summary>September 24, 2019—update for Team edition based on KB4516059* (OS Build 15063.2078)</summary>
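Review bot: the footnote line `*[KB4534296](https://support.microsoft.com/help/4534296)` in the new January 14, 2020 `<details>` block starts with a bare asterisk directly after the "Please refer to the Surface Hub Admin guide" sentence; inside an HTML `<details>` element Markdown only renders if the block is separated by blank lines, and a line starting with `*` is otherwise parsed as a list item, so check the rendered page shows this as a footnote matching the older entries (e.g. the KB4516059 entry) rather than as a second bullet. The summary wording and the `(OS Build 15063.2254)` format follow the existing entries, which is good.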
@ -57,7 +68,6 @@ Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface
This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
* Addresses an issue with log collection for Microsoft Surface Hub 2S.
* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. * Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully.
* Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios. * Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios.
* Fixes to improve reliability of Hardware Diagnostic App on Hub 2S. * Fixes to improve reliability of Hardware Diagnostic App on Hub 2S.
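Review bot: this hunk removes "Addresses an issue with log collection for Microsoft Surface Hub 2S." from the September 24, 2019 KB4516059 (OS Build 15063.2078) entry, while the first hunk adds the same bullet to the new January 14, 2020 KB4534296 (OS Build 15063.2254) entry. Since the update history is the only record readers have of which build resolved an issue, confirm against the KB article that the fix shipped in the January update and not in September before moving it; if it was genuinely in both, the bullet should stay in both entries.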

View File

@ -89,11 +89,11 @@ The Surface Hub Hardware Diagnostic tool is an easy-to-navigate tool that lets t
Field |Success |Failure |Comment |Reference Field |Success |Failure |Comment |Reference
|------|------|------|------|------| |------|------|------|------|------|
Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |
HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store | HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store |
Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? | Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? |
Proxy Address | | |If configured, returns proxy address. | Proxy Address | | |If configured, returns proxy address. |
Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/) Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |
Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy. | Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy. |
#### Environment #### Environment
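Review bot: removing the two TechNet links (`https://blogs.technet.microsoft.com/y0av/2017/12/03/7/`) leaves the Reference column of this table with no entries at all, so the header now promises something the rows never deliver; if the blog posts are being dropped because they are retired, point the Internet Connectivity and Proxy Authentication rows to a replacement on docs.microsoft.com or drop the column. This matters for the Proxy Authentication row in particular, whose Comment already warns the result may be a false positive when a user has an authenticated Edge session through the proxy; without a reference, an admin chasing that false positive has nowhere to go for proxy configuration guidance.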
@ -131,5 +131,5 @@ SIP Pool Cert Root CA | | |Information. Display the SIP Pool Cert Root CA, if av
Field |Success |Failure |Comment |Reference Field |Success |Failure |Comment |Reference
|------|------|------|------|------| |------|------|------|------|------|
Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. |[Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/) Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue.
Domain Name(s) | | |Return the list of domains that should be added for SFB to connect. | Domain Name(s) | | |Return the list of domains that should be added for SFB to connect. |
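Review bot: the Trust Model Status row's Failure text ("SIP Domain and server domain are different please add the following domains.") only made sense together with the "Surface Hub and the Skype for Business Trusted Domain List" link this hunk removes; with the link gone, the reader is told to add domains but not where. Either keep a pointer to current Skype for Business trusted-domain guidance for Surface Hub or expand the Comment cell to say where the domains are added. Minor: the new line drops the trailing `|` of the row, which GFM tolerates, but the other rows keep it.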

View File

@ -26,24 +26,21 @@ Verify you have a current documentation of your MBAM environment, including all
### Upgrade steps ### Upgrade steps
#### Steps to upgrade the MBAM Database (SQL Server) #### Steps to upgrade the MBAM Database (SQL Server)
1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one. 1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one.
Note: You will not see an option to remove the Databases; this is expected. > [!NOTE]
> You will not see an option to remove the Databases; this is expected.
2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site: <https://www.microsoft.com/Licensing/servicecenter/default.aspx> 2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site: <https://www.microsoft.com/Licensing/servicecenter/default.aspx>
3. Do not configure it at this time  3. Do not configure it at this time 
4. Install the May 2019 Rollup: https://www.microsoft.com/download/details.aspx?id=58345 4. Using the MBAM Configurator; re-add the Reports role
5. Using the MBAM Configurator; re-add the Reports role 5. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server
6. This will configure the SSRS connection using the latest MBAM code from the rollup  6. At the end, you will be warned that the DBs already exist and werent created, but this is expected
7. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server. 7. This process updates the existing databases to the current version being installed.
8. At the end, you will be warned that the DBs already exist and werent created, but this is expected.
9. This process updates the existing databases to the current version being installed
#### Steps to upgrade the MBAM Server (Running MBAM and IIS) #### Steps to upgrade the MBAM Server (Running MBAM and IIS)
1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server 1. Using the MBAM Configurator; remove the Admin and Self Service Portals from the IIS server
2. Install MBAM 2.5 SP1 2. Install MBAM 2.5 SP1
3. Do not configure it at this time   3. Do not configure it at this time  
4. Install the May 2019 Rollup on the IIS server(https://www.microsoft.com/download/details.aspx?id=58345) 4. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server 
5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server  5. Open an elevated command prompt, type **IISRESET**, and hit Enter.
6. This will configure the sites using the latest MBAM code from the May 2019 Rollup
7. Open an elevated command prompt, Type: **IISRESET** and Hit Enter.
#### Steps to upgrade the MBAM Clients/Endpoints #### Steps to upgrade the MBAM Clients/Endpoints
1. Uninstall the 2.5 Agent from client endpoints 1. Uninstall the 2.5 Agent from client endpoints
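Review bot: dropping "Install the May 2019 Rollup" (https://www.microsoft.com/download/details.aspx?id=58345) and the follow-on "This will configure ... using the latest MBAM code from the rollup" steps from both the SQL Server and the IIS server procedures changes what ends up deployed: the reader now installs MBAM 2.5 SP1 alone and re-adds the Reports, SQL Database and portal roles with SP1 code. If the rollup is superseded or no longer required, say so in a `> [!NOTE]` so admins who followed the previous text know they are not missing fixes; otherwise this looks like an accidental regression and the reason belongs in the PR description. While touching step 6 of the SQL procedure, "werent" should be "weren't", and the converted `> [!NOTE]` for "You will not see an option to remove the Databases" is the right fix.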

View File

@ -33,14 +33,14 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
>[!NOTE] >[!NOTE]
>You must download the FOD .cab file that matches your operating system version. >You must download the FOD .cab file that matches your operating system version.
b. Use `Add-Package` to add Windows Mixed Reality FOD to the image. b. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
``` ```powershell
Add-Package Add-Package
Dism /Online /add-package /packagepath:(path) Dism /Online /add-package /packagepath:(path)
``` ```
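Review bot: tagging the fenced block as `powershell` does not match its contents: `Dism /Online /add-package /packagepath:(path)` is the DISM command-line tool, and the bare `Add-Package` line above it is not a cmdlet a reader can run. Either remove the `Add-Package` line and tag the block as a console/cmd snippet, or replace it with the DISM PowerShell equivalent `Add-WindowsPackage -Online -PackagePath <path>` so the tag is honest. Also, "Windows 10, version 1903 and 1909" now share one .cab link; if that is intentional, state it in the `[!NOTE]` below so readers do not go looking for a separate 1909 download.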

View File

@ -65,7 +65,7 @@ The hybrid deployment model is for organizations that:
* Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources * Use applications hosted in Azure Active Directory, and want a single sign-in user experience for both on-premises and Azure Active Directory resources
> [!Important] > [!Important]
> Hybrid deployments support non-destructive PIN reset that only works with the certificate trust model.</br> > Hybrid deployments support non-destructive PIN reset that works with both the certificate trust and key trust models.</br>
> **Requirements:**</br> > **Requirements:**</br>
> Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903</br> > Microsoft PIN Reset Service - Windows 10, versions 1709 to 1809, Enterprise Edition. There is no licensing requirement for this service since version 1903</br>
> Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903 > Reset above lock screen (_I forgot my PIN_ link) - Windows 10, version 1903
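Review bot: changing the Important box to say non-destructive PIN reset "works with both the certificate trust and key trust models" needs a version qualifier: the Requirements lines beneath it still say Microsoft PIN Reset Service applies to "Windows 10, versions 1709 to 1809, Enterprise Edition" with no licensing requirement since 1903, so a reader on an early build with key trust cannot tell from this text whether the feature will work for them. State the minimum Windows 10 version at which key trust became supported. Minor: `</br>` at the end of these lines is not valid HTML (it is a closing tag with no opener); since the hunk touches them anyway, `<br/>` would be the fix.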

View File

@ -55,7 +55,8 @@ Network Unlock must meet mandatory hardware and software requirements before the
The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer. The network stack must be enabled to use the Network Unlock feature. Equipment manufacturers deliver their products in various states and with different BIOS menus, so you need to confirm that the network stack has been enabled in the BIOS before starting the computer.
>**Note:**  To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled. > [!NOTE]
> To properly support DHCP within UEFI, the UEFI-based system should be in native mode without a compatibility support module (CSM) enabled.
For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail. For Network Unlock to work reliably on computers running Windows 8 and later, the first network adapter on the computer, usually the onboard adapter, must be configured to support DHCP and used for Network Unlock. This is especially worth noting when you have multiple adapters, and you wish to configure one without DHCP, such as for a lights-out management protocol. This configuration is necessary because Network Unlock will stop enumerating adapters when it reaches one with a DHCP port failure for any reason. Thus, if the first enumerated adapter does not support DHCP, is not plugged into the network, or fails to report availability of the DHCP port for any reason, then Network Unlock will fail.
@ -243,7 +244,8 @@ The following steps describe how to enable the Group Policy setting that is a re
The following steps describe how to deploy the required Group Policy setting: The following steps describe how to deploy the required Group Policy setting:
>**Note:**  The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012. > [!NOTE]
> The Group Policy settings **Allow network unlock at startup** and **Add Network Unlock Certificate** were introduced in Windows Server 2012.
1. Copy the .cer file created for Network Unlock to the domain controller. 1. Copy the .cer file created for Network Unlock to the domain controller.
2. On the domain controller, launch Group Policy Management Console (gpmc.msc). 2. On the domain controller, launch Group Policy Management Console (gpmc.msc).
@ -254,10 +256,12 @@ The following steps describe how to deploy the required Group Policy setting:
2. Right-click the folder and choose **Add Network Unlock Certificate**. 2. Right-click the folder and choose **Add Network Unlock Certificate**.
3. Follow the wizard steps and import the .cer file that was copied earlier. 3. Follow the wizard steps and import the .cer file that was copied earlier.
>**Note:**  Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer. > [!NOTE]
> Only one network unlock certificate can be available at a time. If a new certificate is required, delete the current certificate before deploying a new one. The Network Unlock certificate is located in the **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** key on the client computer.
5. Reboot the clients after deploying the group policy. 5. Reboot the clients after deploying the group policy.
>**Note:** The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store. > [!NOTE]
> The **Network (Certificate Based)** protector will be added only after a reboot with the policy enabled and a valid certificate present in the FVE_NKP store.
### Subnet policy configuration files on WDS Server (Optional) ### Subnet policy configuration files on WDS Server (Optional)
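Review bot: the numbered steps in this hunk jump from "3. Follow the wizard steps and import the .cer file" to "5. Reboot the clients" with no step 4 in the visible lines, and the `> [!NOTE]` blockquote placed between them ends the Markdown list, so the rendered page will restart numbering at 1 for the reboot step. Either renumber or indent the note under step 3 so the list stays continuous. The conversion itself is fine, and keeping the registry path **HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\SystemCertificates\\FVE\_NKP** escaped inside the blockquote is correct.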
@ -276,7 +280,8 @@ SUBNET4=2001:4898:a:3::/64; in production, the admin would likely give more usef
``` ```
Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate. Following the \[SUBNETS\] section, there can be sections for each Network Unlock certificate, identified by the certificate thumbprint formatted without any spaces, which define subnets clients can be unlocked from with that certificate.
>**Note:**  When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid. > [!NOTE]
> When specifying the certificate thumbprint, do not include any spaces. If spaces are included in the thumbprint the subnet configuration will fail because the thumbprint will not be recognized as valid.
Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section. Subnet restrictions are defined within each certificate section by denoting the allowed list of permitted subnets. If any subnet is listed in a certificate section, then only those subnets listed are permitted for that certificate. If no subnet is listed in a certificate section, then all subnets are permitted for that certificate. If a certificate does not have a section in the subnet policy configuration file, then no subnet restrictions are applied for unlocking with that certificate. This means for restrictions to apply to every certificate, there must be a certificate section for every Network Unlock certificate on the server, and an explicit allowed list set for each certificate section.
Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon. Subnet lists are created by putting the name of a subnet from the \[SUBNETS\] section on its own line below the certificate section header. Then, the server will only unlock clients with this certificate on the subnet(s) specified as in the list. For troubleshooting, a subnet can be quickly excluded without deleting it from the section by simply commenting it out with a prepended semi-colon.
@ -295,7 +300,8 @@ To disallow the use of a certificate altogether, its subnet list may contain the
To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain. To turn off the unlock server, the PXE provider can be unregistered from the WDS server or uninstalled altogether. However, to stop clients from creating Network Unlock protectors the **Allow Network Unlock at startup** Group Policy setting should be disabled. When this policy setting is updated to disabled on client computers any Network Unlock key protectors on the computer will be deleted. Alternatively, the BitLocker Network Unlock certificate policy can be deleted on the domain controller to accomplish the same task for an entire domain.
>**Note:**  Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server. > [!NOTE]
> Removing the FVE_NKP certificate store that contains the Network Unlock certificate and key on the WDS server will also effectively disable the servers ability to respond to unlock requests for that certificate. However, this is seen as an error condition and is not a supported or recommended method for turning off the Network Unlock server.
## <a href="" id="bkmk-updatecerts"/>Update Network Unlock certificates ## <a href="" id="bkmk-updatecerts"/>Update Network Unlock certificates
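Review bot: the converted note still reads "disable the servers ability", which should be "server's ability"; since the line is being rewritten anyway, fix the apostrophe. The substance is right to keep: the text calls deleting the FVE_NKP store an error condition rather than a supported way to turn the server off, and the preceding paragraph already gives the supported paths (unregister the PXE provider, or disable **Allow Network Unlock at startup** so clients delete their protectors).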
@ -311,12 +317,13 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many
- Group policy for Network Unlock is enabled and linked to the appropriate domains. - Group policy for Network Unlock is enabled and linked to the appropriate domains.
- Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities. - Verify group policy is reaching the clients properly. This can be done using the GPRESULT.exe or RSOP.msc utilities.
- Verify the clients were rebooted after applying the policy. - Verify the clients were rebooted after applying the policy.
- Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the local computer:
```powershell ```powershell
manage-bde -protectors -get C: manage-bde -protectors -get C:
``` ```
>**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock > [!NOTE]
> Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock
Files to gather when troubleshooting BitLocker Network Unlock include: Files to gather when troubleshooting BitLocker Network Unlock include:
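Review bot: the "lcoal" to "local" fix is correct, but the converted note still lacks a terminal period ("...is being used for Network Unlock"). It would also help to say what to compare: the `manage-bde -protectors -get C:` output lists the Network (Certificate Based) protector with its certificate thumbprint, and that thumbprint is what should match the certificate the WDS debug log shows the server using.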

View File

@ -39,9 +39,7 @@ If your client secret expires or if you've misplaced the copy provided when you
3. Select your tenant. 3. Select your tenant.
4. Click **App registrations**. Then in the applications list, select the application: 4. Click **App registrations**. Then in the applications list, select the application.
- For SIEM: `https://WindowsDefenderATPSiemConnector`
- For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
5. Select **Keys** section, then provide a key description and specify the key validity duration. 5. Select **Keys** section, then provide a key description and specify the key validity duration.
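Review bot: after removing the two bullet lines, step 4 now says "select the application" without telling the reader which one. The removed names (`https://WindowsDefenderATPSiemConnector` for SIEM and `https://WindowsDefenderATPCustomerTiConnector` for the Threat intelligence API) were how an admin told the two registrations apart, and generating a new key under the wrong app registration produces a secret that does not work for the connector being reset. If the names are being removed because they differ per tenant or have changed, replace them with a description of how to identify the right registration rather than leaving the step open-ended.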
@ -59,9 +57,7 @@ If you encounter an error when trying to get a refresh token when using the thre
3. Select your tenant. 3. Select your tenant.
4. Click **App Registrations**. Then in the applications list, select the application: 4. Click **App Registrations**. Then in the applications list, select the application.
- For SIEM: `https://WindowsDefenderATPSiemConnector`
- For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector`
5. Add the following URL: 5. Add the following URL:
- For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
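Review bot: same gap as in the client-secret procedure above: with the SIEM and Threat intelligence API application names removed, step 4 ("select the application") no longer identifies which app registration the reply URL in step 5 should be added to, and adding the `UserAuthenticationCallback` URL to the wrong registration would not fix the refresh-token error this section is about. Give the reader a way to identify the right registration or keep the names.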