From 54f68f3cd70d3ade60cbc338d83dda05665f94b1 Mon Sep 17 00:00:00 2001 From: Christopher Yoo Date: Fri, 7 Jun 2019 16:39:45 -0700 Subject: [PATCH 001/248] Call out for those without Store on their machine --- windows/privacy/diagnostic-data-viewer-overview.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index ec0ba4cd4a..92b7cb467a 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -44,6 +44,9 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn ### Download the Diagnostic Data Viewer Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. + >[!Important] + >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). + ### Start the Diagnostic Data Viewer You can start this app from the **Settings** panel. From 571ede347299e39f7d762b0972120a1482b33e39 Mon Sep 17 00:00:00 2001 From: mapalko Date: Mon, 10 Jun 2019 11:59:23 -0700 Subject: [PATCH 002/248] Updating CDF references Removing some of the CDF section. This should not be recommended to meet FIPS compliance. --- .../threat-protection/windows-10-mobile-security-guide.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index cadf290d91..cd1f4442c5 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md 
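Review bot: The alert type in the added note is written `[!Important]`, whereas the docs alert syntax used elsewhere in this repo is uppercase (`>[!NOTE]` is visible in the context of patch 004's hunk); use `>[!IMPORTANT]` so the callout renders consistently. In the same added line, "your Windows machine" should read "your Windows device" to match the rest of the page (patch 003 later makes exactly this change), so it is better done here in the change that introduces the sentence.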
@@ -72,8 +72,6 @@ The biometric image collected at enrollment is converted into an algorithmic for A Windows Hello companion device enables a physical device, like a wearable, to serve as a factor for validating the user’s identity before granting them access to their credentials. For instance, when the user has physical possession of a companion device they can easily, possibly even automatically, unlock their PC and authenticate with apps and websites. This type of device can be useful for smartphones or tablets that don’t have integrated biometric sensors or for industries where users need a faster, more convenient sign-in experience, such as retail. -In some cases, the companion device for Windows Hello enables a physical device, like a phone, wearable, or other types of device to store all of the user’s credentials. Storage of the credentials on a mobile device makes it possible to use them on any supporting device, like a kiosk or family PC, and eliminates the need to enroll Windows Hello on each device. Companion devices also help enable organizations to meet regulatory requirements, such as Federal Information Processing Standard (FIPS) Publication 140-2, (FIPS 140-2). - ### Standards-based approach The Fast Identity Online (FIDO) Alliance is a nonprofit organization that works to address the lack of interoperability among strong authentication devices and the problems users face in creating and remembering multiple user names and passwords. FIDO standards help reduce reliance on passwords to authenticate users of online services securely, allowing any business network, app, website, or cloud application to interface with a broad variety of existing and future FIDO-enabled devices and operating system platforms. From 97758f49989d22ddb32f17778cddd58b24b01394 Mon Sep 17 00:00:00 2001 
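Review bot: Deleting the whole paragraph removes more than the FIPS 140-2 claim the commit message objects to: it also drops the statement that a companion device can hold the user's credentials and use them on any supporting device (kiosk, family PC) without enrolling Windows Hello on each one. If that roaming-credential scenario is still accurate, keep the first two sentences and delete only the final sentence about meeting FIPS 140-2; if the whole scenario is being withdrawn, the commit message should say so, since "should not be recommended to meet FIPS compliance" only justifies removing the last sentence.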
From: Liza Poggemeyer Date: Wed, 12 Jun 2019 15:20:26 -0700 Subject: [PATCH 003/248] Changed "machine" to "device." --- windows/privacy/diagnostic-data-viewer-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 92b7cb467a..44a4dba799 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -45,7 +45,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/en-us/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page. >[!Important] - >It's possible that your Windows machine may not have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). + >It's possible that your Windows device doesn't have the Microsoft Store available (e.g. Windows Server). If this is the case, please check out [Diagnostic Data Viewer for PowerShell](https://go.microsoft.com/fwlink/?linkid=2023830). ### Start the Diagnostic Data Viewer You can start this app from the **Settings** panel. From b4e06f0a5db03e0f2067a1e1cb37a305f370b705 Mon Sep 17 00:00:00 2001 From: Chris Kibble <39386226+ChrisKibble@users.noreply.github.com> Date: Thu, 13 Jun 2019 08:40:54 -0400 Subject: [PATCH 004/248] Fixed end comment in previous suggested file change. --- windows/deployment/update/feature-update-user-install.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/feature-update-user-install.md b/windows/deployment/update/feature-update-user-install.md index 489c2fcbfd..f46f295f30 100644 --- a/windows/deployment/update/feature-update-user-install.md +++ b/windows/deployment/update/feature-update-user-install.md 
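Review bot: Since this line is being edited anyway, "(e.g. Windows Server)" should become "(for example, Windows Server)" and "please check out" should become "see"; both are docs style points on the same sentence and avoid a third touch of this line. The "machine" to "device" change itself is correct and consistent with the surrounding page.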
@@ -69,6 +69,7 @@ foreach ($k in $iniSetupConfigKeyValuePair.Keys) #Write content to file New-Item $iniFilePath -ItemType File -Value $iniSetupConfigContent -Force +<# Disclaimer Sample scripts are not supported under any Microsoft standard support program or service. The sample scripts is provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without @@ -78,6 +79,7 @@ Microsoft, its authors, or anyone else involved in the creation, production, or for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample script or documentation, even if Microsoft has been advised of the possibility of such damages. +#> ``` >[!NOTE] From b3c063d4b024220067f446b815bd0e5ae78294bf Mon Sep 17 00:00:00 2001 From: karthigb Date: Thu, 20 Jun 2019 09:35:16 -0700 Subject: [PATCH 005/248] Update create-windows-firewall-rules-in-intune.md --- .../create-windows-firewall-rules-in-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md index 8de4021830..bf20974a75 100644 --- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md +++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md 
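Review bot: The context line "The sample scripts is provided AS IS without warranty of any kind" has a subject-verb error and should be fixed in the same change ("The sample script is provided" or "The sample scripts are provided"), since the disclaimer text is now part of the script that readers copy. The `<# ... #>` wrapper is the right fix: before this change the disclaimer was bare prose inside the fenced PowerShell block and the script would not run if copied as a whole. A blank line between `New-Item $iniFilePath ...` and `<#` would also separate the last statement from the comment block for readability.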
@@ -123,8 +123,8 @@ Default is Any address. [Learn more](https://aka.ms/intunefirewallremotaddressrule) -## Edge traversal (coming soon) -Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. +## Edge traversal (UI coming soon) +Indicates whether edge traversal is enabled or disabled for this rule. The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address. New rules have the EdgeTraversal property disabled by default. This setting can only be configured via Intune Graph at this time. [Learn more](https://aka.ms/intunefirewalledgetraversal) From 57d788db8fd09445942c9531569f719ccd8f5242 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Andr=C3=A9=20Oliveira?= Date: Tue, 25 Jun 2019 16:12:33 +0100 Subject: [PATCH 006/248] Update enterprise-mode-schema-version-2-guidance.md Added more details on the release of Windows 10 for which schema v2 applies. allow-redirect flag is only available starting from RS3 (v 1709) --- .../enterprise-mode-schema-version-2-guidance.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
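Review bot: The limitation is now stated twice, once as "(UI coming soon)" in the heading and again as "This setting can only be configured via Intune Graph at this time.", and both will go stale when the UI ships; state it once in the body and keep the heading as "## Edge traversal" so the heading anchor, and any links to it, stay stable when the note is removed later. Docs style also prefers "by using" over "via", and "Intune Graph" would be clearer with the full name of the API the page expects readers to use.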
diff --git a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md index 187ba67198..186b96bd2c 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md +++ b/browsers/internet-explorer/ie11-deploy-guide/enterprise-mode-schema-version-2-guidance.md @@ -19,11 +19,11 @@ ms.date: 12/04/2017 **Applies to:** -- Windows 10 +- Windows 10 (>= v1709) - Windows 8.1 - Windows 7 -Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10, using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. +Use the Enterprise Mode Site List Manager to create and update your site list for devices running Windows 7, Windows 8.1, and Windows 10 (>= v1709), using the version 2.0 (v.2) of the Enterprise Mode schema. If you don't want to use the Enterprise Mode Site List Manager, you also have the option to update your XML schema using Notepad, or any other XML-editing app. **Important**
If you're running Windows 7 or Windows 8.1 and you've been using the version 1.0 (v.1) of the schema, you can continue to do so, but you won't get the benefits that come with the updated schema. For info about the v.1 schema, see [Enterprise Mode schema v.1 guidance](enterprise-mode-schema-version-1-guidance.md). From b74a68a6420d250082bf2cd1cc478167d7ae80a7 Mon Sep 17 00:00:00 2001 From: skycommand Date: Wed, 26 Jun 2019 11:33:29 +0430 Subject: [PATCH 007/248] Unfurl the list, perform link maintenance From top to bottom, I propose the following changes without prejudice: 1. Converted the heaped mass of links into an accessible list, compliant with Microsoft Docs guideline. 2. Deleted the second, redundant instance of the link to "Release Notes for MBAM 2.5". 3. Deleted the link to "MDOP TechCenter Page". This page is now deleted. The link redirects to "MDOP Information Experience" to which there is already a link in the page. 4. Deleted feedback links (email, Twitter, and Facebook). These channels have been defunct since 2015. 5. Deleted the entire "Got a suggestion for MBAM" section. Both links in it are dead. The UserVoice channel and TechNet subforum have been gone for a long time now. --- mdop/mbam-v25/index.md | 84 ++++++++++++++++++++---------------------- 1 file changed, 40 insertions(+), 44 deletions(-) diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 9e5c96e03d..81d7b89f5e 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md
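Review bot: "Windows 10 (>= v1709)" is not the docs naming convention for Windows releases and the ">=" operator reads poorly in prose (and aloud); write "Windows 10, version 1709 or later" in both the "Applies to" bullet and the sentence below it. The reason given in the commit message (the allow-redirect flag is only available from version 1709) is exactly what a reader needs and should appear on the page as well, not only in the commit. The `ms.date: 12/04/2017` context line should be updated since the page content changed.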
@@ -16,61 +16,57 @@ ms.date: 04/19/2017 Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md). -To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). +To obtain MBAM, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). 
-[Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) +## Outline -[About MBAM 2.5](about-mbam-25.md)**|**[Release Notes for MBAM 2.5](release-notes-for-mbam-25.md)**|**[About MBAM 2.5 SP1](about-mbam-25-sp1.md)**|**[Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md)**|**[Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md)**|**[High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md)**|**[Accessibility for MBAM 2.5](accessibility-for-mbam-25.md) - -[Planning for MBAM 2.5](planning-for-mbam-25.md) - -[Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md)**|**[MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)**|**[Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md)**|**[Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md)**|**[Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md)**|**[Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)**|**[MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)**|**[Planning for MBAM 2.5 High Availability](planning-for-mbam-25-high-availability.md)**|**[MBAM 2.5 Security Considerations](mbam-25-security-considerations.md)**|**[MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md) - -[Deploying MBAM 2.5](deploying-mbam-25.md) - -[Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md)**|**[Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)**|**[Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)**|**[MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md)**|**[Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md)**|**[Removing MBAM Server Features or 
Software](removing-mbam-server-features-or-software.md) - -[Operations for MBAM 2.5](operations-for-mbam-25.md) - -[Administering MBAM 2.5 Features](administering-mbam-25-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md)**|**[Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)**|**[Maintaining MBAM 2.5](maintaining-mbam-25.md)**|**[Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) - -[Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) - -[Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) - -[Client Event Logs](client-event-logs.md)**|**[Server Event Logs](server-event-logs.md) +- [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md) + - [About MBAM 2.5](about-mbam-25.md) + - [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md) + - [About MBAM 2.5 SP1](about-mbam-25-sp1.md) + - [Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md) + - [Evaluating MBAM 2.5 in a Test Environment](evaluating-mbam-25-in-a-test-environment.md) + - [High-Level Architecture for MBAM 2.5](high-level-architecture-for-mbam-25.md) + - [Accessibility for MBAM 2.5](accessibility-for-mbam-25.md) +- [Planning for MBAM 2.5](planning-for-mbam-25.md) + - [Preparing your Environment for MBAM 2.5](preparing-your-environment-for-mbam-25.md) + - [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md) + - [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md) + - [Planning for MBAM 2.5 Groups and Accounts](planning-for-mbam-25-groups-and-accounts.md) + - [Planning How to Secure the MBAM Websites](planning-how-to-secure-the-mbam-websites.md) + - [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md) + - [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md) + - [Planning for MBAM 2.5 
High Availability](planning-for-mbam-25-high-availability.md) + - [MBAM 2.5 Security Considerations](mbam-25-security-considerations.md) + - [MBAM 2.5 Planning Checklist](mbam-25-planning-checklist.md) +- [Deploying MBAM 2.5](deploying-mbam-25.md) + - [Deploying the MBAM 2.5 Server Infrastructure](deploying-the-mbam-25-server-infrastructure.md) + - [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md) + - [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) + - [MBAM 2.5 Deployment Checklist](mbam-25-deployment-checklist.md) + - [Upgrading to MBAM 2.5 or MBAM 2.5 SP1 from Previous Versions](upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md) + - [Removing MBAM Server Features or Software](removing-mbam-server-features-or-software.md) +- [Operations for MBAM 2.5](operations-for-mbam-25.md) + - [Administering MBAM 2.5 Features](administering-mbam-25-features.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 2.5](monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md) + - [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md) + - [Maintaining MBAM 2.5](maintaining-mbam-25.md) + - [Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md) +- [Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md) +- [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md) + - [Client Event Logs](client-event-logs.md) + - [Server Event Logs](server-event-logs.md) ### More Information -- [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md) - - View updated product information and known issues for MBAM 2.5. - -- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) - - Learn about the latest MDOP information and resources. - - [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) - Find documentation, videos, and other resources for MDOP technologies. 
You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). + Find documentation, videos, and other resources for MDOP technologies. - [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. - + - [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) Guide of how to apply MBAM 2.5 SP1 Server hotfixes - -## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). -- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). - -  - -  - - - - - From 1ea33cd8c4c6663abc74215f5e83eef5de8a33d1 Mon Sep 17 00:00:00 2001 From: skycommand Date: Wed, 26 Jun 2019 17:23:57 +0430 Subject: [PATCH 008/248] Link maintenance\ --- mdop/mbam-v25/index.md | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 81d7b89f5e..244e0ae818 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md 
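Review bot: With `## Outline` added as an H2, the unchanged `### More Information` heading now becomes a subsection of the outline instead of a sibling section; promote it to `## More Information` in this change rather than in a follow-up (patch 008 does it later). The list conversion itself is clean, and the removed TechCenter, feedback and "Got a suggestion" links match the commit message item by item.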
@@ -10,13 +10,11 @@ ms.prod: w10 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 2.5 - Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 provides a simplified administrative interface that you can use to manage BitLocker Drive Encryption. You configure MBAM Group Policy Templates that enable you to set BitLocker Drive Encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. For a more detailed description of MBAM, see [About MBAM 2.5](about-mbam-25.md). -To obtain MBAM, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId=322049) (https://go.microsoft.com/fwlink/?LinkId=322049). +To obtain MBAM, see [How Do I Get MDOP](index.md#how-to-get-mdop). ## Outline 
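Review bot: `[How Do I Get MDOP](index.md#how-to-get-mdop)` is a relative link, so from mdop/mbam-v25/index.md it resolves to this same page, and this page has no "How to get MDOP" heading to match the fragment. The intended target is presumably the MDOP landing page one level up (`../index.md#how-to-get-mdop`, assuming that is where the section lives); either use the correct relative path or keep the fwlink that this line replaces, which at least pointed off the page.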
@@ -57,16 +55,16 @@ To obtain MBAM, see [How Do I Get MDOP](https://go.microsoft.com/fwlink/?LinkId= - [Client Event Logs](client-event-logs.md) - [Server Event Logs](server-event-logs.md) -### More Information +## More Information -- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) +- [MDOP Information Experience](index.md) - Find documentation, videos, and other resources for MDOP technologies. + Find documentation, videos, and other resources for MDOP technologies. -- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) +- [MBAM Deployment Guide](https://www.microsoft.com/download/details.aspx?id=38398) - Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. + Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. -- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) +- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) - Guide of how to apply MBAM 2.5 SP1 Server hotfixes + Guide of how to apply MBAM 2.5 SP1 Server hotfixes From 6bea2eb3189bf5a38be88cc26b88d3b21c0fc990 Mon Sep 17 00:00:00 2001 From: skycommand Date: Wed, 26 Jun 2019 17:29:21 +0430 Subject: [PATCH 009/248] Unfurl the list, perform link maintenance From top to bottom, I propose the following changes without prejudice: 1. Convert the heaped mass of links into an accessible list, compliant with Microsoft Docs guideline. 2. Delete the second, redundant instance of the link to "Release Notes for MBAM 2.0". 3. Delete the link to "MDOP TechCenter Page". This page is now deleted. The link redirects to "MDOP Information Experience" to which there is already a link in the page. 4. Delete feedback links (email, Twitter, and Facebook). These channels have been defunct since 2015. --- mdop/mbam-v2/index.md | 62 +++++++++++++++++++++++-------------------- 1 file changed, 33 insertions(+), 29 deletions(-) 
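Review bot: `[MDOP Information Experience](index.md)` has the same self-reference problem: inside mdop/mbam-v25/index.md it links to the page itself; use the path to the MDOP landing page (`../index.md`, if that is its location) or keep the original fwlink. The other removed/added pairs in this hunk are textually identical (the deployment guide and hotfix bullets and their descriptions), so they appear to be whitespace-only changes; confirm that is intended, since they add noise to the diff without a visible benefit.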
diff --git a/mdop/mbam-v2/index.md b/mdop/mbam-v2/index.md index 5337db9b65..7f73c171c5 100644 --- a/mdop/mbam-v2/index.md +++ b/mdop/mbam-v2/index.md 
@@ -10,43 +10,47 @@ ms.prod: w8 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide - Microsoft BitLocker Administration and Monitoring (MBAM) 2.0 provides a simplified administrative interface that you can use to manage BitLocker drive encryption. In BitLocker Administration and Monitoring 2.0, you can select BitLocker drive encryption policy options that are appropriate for your enterprise, and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the enterprise as a whole. In addition, you can access recovery key information when users forget their PIN or password or when their BIOS or boot record changes. -[Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) +## Outline -[About MBAM 2.0](about-mbam-20-mbam-2.md)**|**[Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md)**|**[About MBAM 2.0 SP1](about-mbam-20-sp1.md)**|**[Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md)**|**[Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md)**|**[High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md)**|**[Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md) +- [Getting Started with MBAM 2.0](getting-started-with-mbam-20-mbam-2.md) + - [About MBAM 2.0](about-mbam-20-mbam-2.md) + - [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md) + - [About MBAM 2.0 SP1](about-mbam-20-sp1.md) + - [Release Notes for MBAM 2.0 SP1](release-notes-for-mbam-20-sp1.md) + - [Evaluating MBAM 2.0](evaluating-mbam-20-mbam-2.md) + - [High-Level Architecture for MBAM 2.0](high-level-architecture-for-mbam-20-mbam-2.md) + - [Accessibility for MBAM 2.0](accessibility-for-mbam-20-mbam-2.md) +- [Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) + - [Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md) + - [MBAM 2.0 Deployment 
Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md) + - [Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md) + - [MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md) + - [MBAM 2.0 Planning Checklist](mbam-20-planning-checklist-mbam-2.md) +- [Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) + - [Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md) + - [Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md) + - [Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md) + - [MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md) + - [Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md) +- [Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) + - [Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md) + - [Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md) + - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md) + - [Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md) + - [Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md) + - [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md) +- [Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md) -[Planning for MBAM 2.0](planning-for-mbam-20-mbam-2.md) +## More Information -[Preparing your Environment for MBAM 2.0](preparing-your-environment-for-mbam-20-mbam-2.md)**|**[MBAM 2.0 Deployment Prerequisites](mbam-20-deployment-prerequisites-mbam-2.md)**|**[Planning to Deploy MBAM 2.0](planning-to-deploy-mbam-20-mbam-2.md)**|**[MBAM 2.0 Supported Configurations](mbam-20-supported-configurations-mbam-2.md)**|**[MBAM 2.0 Planning 
Checklist](mbam-20-planning-checklist-mbam-2.md) +- [MDOP Information Experience](index.md) -[Deploying MBAM 2.0](deploying-mbam-20-mbam-2.md) - -[Deploying the MBAM 2.0 Server Infrastructure](deploying-the-mbam-20-server-infrastructure-mbam-2.md)**|**[Deploying MBAM 2.0 Group Policy Objects](deploying-mbam-20-group-policy-objects-mbam-2.md)**|**[Deploying the MBAM 2.0 Client](deploying-the-mbam-20-client-mbam-2.md)**|**[MBAM 2.0 Deployment Checklist](mbam-20-deployment-checklist-mbam-2.md)**|**[Upgrading from Previous Versions of MBAM](upgrading-from-previous-versions-of-mbam.md) - -[Operations for MBAM 2.0](operations-for-mbam-20-mbam-2.md) - -[Using MBAM with Configuration Manager](using-mbam-with-configuration-manager.md)**|**[Administering MBAM 2.0 Features](administering-mbam-20-features-mbam-2.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 2.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-20-mbam-2.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam-mbam-2.md)**|**[Maintaining MBAM 2.0](maintaining-mbam-20-mbam-2.md)**|**[Security and Privacy for MBAM 2.0](security-and-privacy-for-mbam-20-mbam-2.md)**|** [Administering MBAM 2.0 Using PowerShell](administering-mbam-20-using-powershell-mbam-2.md) - -[Troubleshooting MBAM 2.0](troubleshooting-mbam-20-mbam-2.md) - -### More Information - -- [Release Notes for MBAM 2.0](release-notes-for-mbam-20-mbam-2.md) - - View updated product information and known issues for MBAM 2.0. - -- [MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) - - Learn about the latest MDOP information and resources. - -- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) - - Find documentation, videos, and other resources for MDOP technologies. 
You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). + Find documentation, videos, and other resources for MDOP technologies.   From 69e37cd6f1ef7879544099001d0c42d98e9fc845 Mon Sep 17 00:00:00 2001 From: skycommand Date: Thu, 27 Jun 2019 14:32:01 +0430 Subject: [PATCH 010/248] Unfurl the list, perform link maintenance From top to bottom, I propose the following changes without prejudice: 1. Convert the heaped mass of links into an accessible list, compliant with Microsoft Docs guideline. 2. Move the link to "Release Notes for MBAM 1.0" into the outline for consistency with the other MBAM admin guides. 3. Delete the link to "MDOP TechCenter Page". This page is now deleted. The link redirects to "MDOP Information Experience" to which there is already a link in the page. 4. Delete feedback links (email, Twitter, and Facebook). These channels have been defunct since 2015. --- mdop/mbam-v1/index.md | 66 ++++++++++++++++++------------------------- 1 file changed, 28 insertions(+), 38 deletions(-) diff --git a/mdop/mbam-v1/index.md b/mdop/mbam-v1/index.md index f7646af27e..4424f1bfa5 100644 --- a/mdop/mbam-v1/index.md +++ b/mdop/mbam-v1/index.md 
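Review bot: The same self-referencing link as in patch 008: `[MDOP Information Experience](index.md)` inside mdop/mbam-v2/index.md points at the page itself; use the relative path to the MDOP landing page (`../index.md`, if that is its location) or keep the fwlink. The two trailing non-breaking-space lines left as context at the end of the hunk are leftover filler and could be removed here as they were in patch 007.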
@@ -10,46 +10,36 @@ ms.prod: w8 ms.date: 04/19/2017 --- - # Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide - Microsoft BitLocker Administration and Monitoring (MBAM) provides a simplified administrative interface that you can use to manage BitLocker drive encryption. With MBAM, you can select BitLocker encryption policy options that are appropriate to your enterprise and then use them to monitor client compliance with those policies. You can also report on the encryption status of an individual computer and on the entire enterprise. In addition, you can access recovery key information when users forget their PIN or password, or when their BIOS or boot record changes. -[Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) - -[About MBAM 1.0](about-mbam-10.md)**|**[Evaluating MBAM 1.0](evaluating-mbam-10.md)**|**[High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md)**|**[Accessibility for MBAM 1.0](accessibility-for-mbam-10.md)**|**[Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md) - -[Planning for MBAM 1.0](planning-for-mbam-10.md) - -[Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md)**|**[MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md)**|**[Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md)**|**[MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md)**|**[MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md) - -[Deploying MBAM 1.0](deploying-mbam-10.md) - -[Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md)**|**[Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md)**|**[Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md)**|**[Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md)**|**[MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md) - -[Operations for MBAM 
1.0](operations-for-mbam-10.md) - -[Administering MBAM 1.0 Features](administering-mbam-10-features.md)**|**[Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md)**|**[Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md)**|**[Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md) - -[Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md) - -### More Information - -[Release Notes for MBAM 1.0](release-notes-for-mbam-10.md) -View updated product information and known issues for MBAM 1.0. - -[MDOP TechCenter Page](https://go.microsoft.com/fwlink/p/?LinkId=225286) -Learn about the latest MDOP information and resources. - -[MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) -Find documentation, videos, and other resources for MDOP technologies. You can also [send us feedback](mailto:MDOPDocs@microsoft.com) or learn about updates by following us on [Facebook](https://go.microsoft.com/fwlink/p/?LinkId=242445) or [Twitter](https://go.microsoft.com/fwlink/p/?LinkId=242447). 
- -  - -  - - - - +- [Getting Started with MBAM 1.0](getting-started-with-mbam-10.md) + - [About MBAM 1.0](about-mbam-10.md) + - [Release Notes for MBAM 1.0](release-notes-for-mbam-10.md) + - [Evaluating MBAM 1.0](evaluating-mbam-10.md) + - [High Level Architecture for MBAM 1.0](high-level-architecture-for-mbam-10.md) + - [Accessibility for MBAM 1.0](accessibility-for-mbam-10.md) + - [Privacy Statement for MBAM 1.0](privacy-statement-for-mbam-10.md) +- [Planning for MBAM 1.0](planning-for-mbam-10.md) + - [Preparing your Environment for MBAM 1.0](preparing-your-environment-for-mbam-10.md) + - [MBAM 1.0 Deployment Prerequisites](mbam-10-deployment-prerequisites.md) + - [Planning to Deploy MBAM 1.0](planning-to-deploy-mbam-10.md) + - [MBAM 1.0 Supported Configurations](mbam-10-supported-configurations.md) + - [MBAM 1.0 Planning Checklist](mbam-10-planning-checklist.md) +- [Deploying MBAM 1.0](deploying-mbam-10.md) + - [Deploying the MBAM 1.0 Server Infrastructure](deploying-the-mbam-10-server-infrastructure.md) + - [Deploying MBAM 1.0 Group Policy Objects](deploying-mbam-10-group-policy-objects.md) + - [Deploying the MBAM 1.0 Client](deploying-the-mbam-10-client.md) + - [Deploying the MBAM 1.0 Language Release Update](deploying-the-mbam-10-language-release-update.md) + - [MBAM 1.0 Deployment Checklist](mbam-10-deployment-checklist.md) +- [Operations for MBAM 1.0](operations-for-mbam-10.md) + - [Administering MBAM 1.0 Features](administering-mbam-10-features.md) + - [Monitoring and Reporting BitLocker Compliance with MBAM 1.0](monitoring-and-reporting-bitlocker-compliance-with-mbam-10.md) + - [Performing BitLocker Management with MBAM](performing-bitlocker-management-with-mbam.md) + - [Administering MBAM 1.0 by Using PowerShell](administering-mbam-10-by-using-powershell.md) +- [Troubleshooting MBAM 1.0](troubleshooting-mbam-10.md) +## More Information +- [MDOP Information Experience](https://go.microsoft.com/fwlink/p/?LinkId=236032) + Find documentation, videos, and 
other resources for MDOP technologies. From c5158881016392ecf9eb060399d86f82659f7b7e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 27 Jun 2019 21:55:49 +0530 Subject: [PATCH 011/248] Just now added corresponding registry key and download link for templates I took an example from Windows 10 v1903; I found the corresponding registry keys for hide all notifications and hide non-critical notifications [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableNotifications"=dword:00000001 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications] "DisableEnhancedNotifications"=dword:00000001 Also I added the download link for the latest administrative templates for Windows 10 v1809. So please add these registry keys and the download link as my contribution to this document. Thanking you --- .../wdsc-hide-notifications.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 9ae361f1fd..008876e723 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
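Review bot: In the mdop/mbam-v1/index.md hunk (`@@ -10,46 +10,36 @@`), the page heading `# Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide` and the introductory paragraph describing what MBAM does are both deleted with no replacement, and `### More Information` is promoted to `## More Information`; none of this appears in the commit message's four listed changes. Restore the H1 and the intro paragraph above the new list (the list itself reads well), or, if the heading is intentionally dropped because the page title comes from front matter, say so in the commit message and mention the heading-level change as well.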
@@ -56,6 +56,10 @@ This can only be done in Group Policy. > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. +0. Download the latest Administrative templates for windows 10 v1809 from below Microsoft official site + **https://www.microsoft.com/en-us/download/details.aspx?id=57576** + + 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. @@ -74,6 +78,8 @@ You can hide all notifications that are sourced from the Windows Security app. T This can only be done in Group Policy. >[!IMPORTANT] + + >### Requirements > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. @@ -86,4 +92,14 @@ This can only be done in Group Policy. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). +7. Corresponding registry key for **Hide all notifications** + + **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** + **"DisableNotifications"=dword:00000001** + +8. Corresponding registry key for **Hide not-critical notifications** + + **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** + **"DisableEnhancedNotifications"=dword:00000001** + +9. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx). From a2d96c43e065d29a1e49bfd6c36fff16e45bf528 Mon Sep 17 00:00:00 2001 
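Review bot: In the wdsc-hide-notifications.md hunk `@@ -56,6 +56,10 @@`, the new step is numbered `0.` and placed ahead of the existing `1.`; a zero-based start renders inconsistently across Markdown processors and the rest of the procedure is one-based (and already skips from 1 to 3), so renumber the whole list starting at 1. The bare bold URL `**https://www.microsoft.com/en-us/download/details.aspx?id=57576**` should be a Markdown link with descriptive text, and "Download the latest Administrative templates for windows 10 v1809 from below Microsoft official site" needs "Windows" capitalised and reads better as "Download the latest Administrative Templates for Windows 10, version 1809, from the Microsoft Download Center". Since the requirement note directly above says "Windows 10, version 1709 or later", state whether 1709 users should use the 1809 template package.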
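Review bot: In the hunk `@@ -74,6 +78,8 @@`, the two blank lines inserted between `>[!IMPORTANT]` and the new `>### Requirements` line split the blockquote in two, so the alert renders as an empty `[!IMPORTANT]` box followed by a separate quoted heading. Remove the blank lines so `>[!IMPORTANT]`, `>### Requirements` and the `>You must have Windows 10, version 1709 or later.` text form one contiguous quote, and consider dropping the heading altogether, since the alert already introduces the requirement.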
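Review bot: In the hunk `@@ -86,4 +92,14 @@`, the new steps 7 and 8 are reference information (the registry values the policy writes), not actions the reader performs, and they push "Deploy the updated GPO as you normally do" from step 7 to step 9. Keep the deploy step as step 7 and move the two registry keys into a note after the procedure, in a fenced code block rather than bold text, since `**[HKEY_LOCAL_MACHINE\...]**` with backslashes and quotes is fragile in Markdown and not copy-pasteable. The title "Hide not-critical notifications" also disagrees with the commit message's "hide non-critical notifications"; use the exact setting name.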
From: illfated Date: Mon, 10 Jun 2019 09:48:26 +0200 Subject: [PATCH 012/248] Windows/Security: update passwordless-strategy.md - Grammar corrections - Simplification of double spacing between sentences - Typo corrections - Removal of trailing spaces Closes #3959 --- .../passwordless-strategy.md | 186 +++++++++--------- 1 file changed, 93 insertions(+), 93 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 284982d26b..8e163285dc 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -14,7 +14,7 @@ ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium ms.date: 08/20/2018 -ms.reviewer: +ms.reviewer: --- # Password-less Strategy 
@@ -25,184 +25,184 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering -Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory. +Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards password-less. Windows Hello for Business deployed coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. 
This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment -Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: +Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: - the user never types their password - the user never changes their password - the user does not know their password -In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. +In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. ### 4. Eliminate passwords from the identity directory -The final step of the password-less story is where passwords simply do not exist. 
At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment. +The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment. ## Methodology -The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. +The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. -### Prepare for the Journey -The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. +### Prepare for the Journey +The road to password-less is a journey. 
The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: - Number of departments -- Organization or department hierarchy +- Organization or department hierarchy - Number and type of applications and services - Number of work personas - Organization's IT structure -#### Number of departments -The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. +#### Number of departments +The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). 
This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. 
How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. +The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. 
Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications. +Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications. #### Number of work personas -Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. 
+Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. -Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. +Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. 
For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. +Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. 
Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. #### Assess your Organization -You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? +You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? -By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. +By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. 
That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. -How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: +How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. 
After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: - work through the work personas - organize and deploy user acceptance testing - evaluate user acceptance testing results for user-visible password surfaces - work with stakeholders to create solutions that mitigate user-visible password surfaces - add the solution to the project backlog and prioritize against other projects -- deploy solution +- deploy solution - User acceptance testing to confirm the solution mitigates the user-visible password surface - Repeat as needed -Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less. +Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. 
Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less. ### Where to start? -What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. +What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. -#### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. +#### Work persona +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. 
> [!IMPORTANT] -> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. +> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. 
This could be a few days or several weeks depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line. +You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line. ## The Process -The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like +The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like -1. Password-less replacement offering (Step 1) - 1. Identify test users that represent the targeted work persona. +1. Password-less replacement offering (Step 1) + 1. Identify test users representing the targeted work persona. 2. Deploy Windows Hello for Business to test users. - 3. Validate password and Windows Hello for Business work. + 3. Validate that passwords and Windows Hello for Business work. 2. Reduce User-visible Password Surface (Step 2) 1. Survey test user workflow for password usage. 2. Identify password usage and plan, develop, and deploy password mitigations. 
3. Repeat until all user password usage is mitigated. - 4. Remove password capabilities from the Windows. - 5. Validate **all** workflows do not need passwords. + 4. Remove password capabilities from Windows. + 5. Validate that **none of the workflows** need passwords. 3. Transition into a password-less (Step 3) - 1. Awareness campaign and user education. - 2. Including remaining users that fit the work persona. - 3. Validate **all** users of the work personas do not need passwords. - 4. Configure user accounts to disallow password authentication. + 1. Awareness campaign and user education. + 2. Including remaining users that fit the work persona. + 3. Validate that **none of the users** of the work personas need passwords. + 4. Configure user accounts to disallow password authentication. -After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. +After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. ### Password-less replacement offering (Step 1) -THe first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. +The first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. 
You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. +A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users -Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. +Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. -With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. 
+With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. > [!NOTE] -> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. +> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. -#### Validate password and Windows Hello for Business work -In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. +#### Validate that passwords and Windows Hello for Business work +In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas. 
### Reduce User-visible Password Surface (Step 2) Before you move to step 2, ensure you have: -- selected your targeted work persona. +- selected your targeted work persona. - identified your test users that represented the targeted work persona. - deployed Windows Hello for Business to test users. - validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage -Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. +Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. -Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is: +Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is: - What is the name of the application that asked for a password?. - Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?). - What part of their workflow makes them use the application? 
Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.). - How frequently do you use this application in a given day? week? -- Is the password you type into the application the same as the password you use to sign-in to Windows? +- Is the password you type into the application the same as the password you use to sign-in to Windows? -Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less. +Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less. #### Identify password usage and plan, develop, and deploy password mitigations -Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. +Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. -Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. 
Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. +Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. -Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like: +Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization. -Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. 
A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. +Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). -The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. 
+The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. -Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authenticate. +Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. #### Repeat until all user password usage is mitigated -Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. 
You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance. +Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance. -#### Remove password capabilities from the Windows -You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. +#### Remove password capabilities from Windows +You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. -Windows provides two ways to prevent your users from using passwords. 
You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. +Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. -##### Security Policy -You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. +##### Security Policy +You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy. ![securityPolicyLocation](images/passwordless/00-securityPolicy.png) **Windows Server 2016 and earlier** 
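Review bot: several of the rewritten `+` lines in this hunk keep typos that a whitespace-and-grammar pass should catch. Under "Where to start?", "show you management" should read "show your management"; in the lab-testing paragraph, "is always good thing" and "low or now risk" should be "is always a good thing" and "low or no risk"; in the survey section, "as your further your progress" should be "as you further your progress" and "one simply task" should be "one simple task"; in the mitigation section, "because they low percentage scenarios" is missing "are", "If its policy" should be "If it's policy", "A overview" should be "An overview", and "enable those enable those applications" repeats the phrase; in the validation paragraph, "If your stuck" and "If your out of options" should use "you're", and "you have mitigates" should be "mitigated". Separately, the process list now reads "Transition into a password-less (Step 3)" while the matching heading later in the file reads "Transition into a password-less deployment (Step 3)"; add "deployment" to the list item so the two agree, and consider "Include remaining users that fit the work persona" for the sub-step so it keeps the imperative form of its siblings ("Identify", "Deploy", "Validate").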
@@ -213,32 +213,32 @@ The policy name for these operating systems is **Interactive logon: Require smar The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. ![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) -When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. +When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider -You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** +You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** ![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. ![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png) -Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. 
This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. +Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. -#### Validate all workflows do not need passwords -This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. +#### Validate that none of the workflows need passwords +This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. 
-### Transition into a password-less deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success. +### Transition into a password-less deployment (Step 3) +Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success. #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. -An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out. +An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out. 
#### Including remaining users that fit the work persona -You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. +You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. -#### Validate **all** users of the work personas do not need passwords. +#### Validate that none of the users of the work personas need passwords You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment. Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: 
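Review bot: the `+` lines for the security policy and credential provider paragraphs still carry grammar slips: "When you enables this security policy setting" should be "When you enable", and "deploy an administrative template policy settings ... This policy settings is found" should be singular ("policy setting ... This policy setting is found"). Further down the hunk, "An awareness campaign is introduces the users" should be "An awareness campaign introduces the users", and "can coincide user education" should be "can coincide with user education". The new heading "#### Validate that none of the workflows need passwords" drops the bold that the matching process-list item ("**none of the workflows**") keeps; use one form in both places (plain text is the usual choice for headings). The caveat that excluding the password credential provider does not stop applications from raising their own password dialogs is the reason the validation step follows, so it is worth keeping exactly where it is.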
@@ -247,24 +247,24 @@ Track all reported issues. Set priority and severity to each reported issue and - Is the outage a result of a misconfiguration? - Is the outage a overlooked gap from step 2? -Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. +Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating. #### Configure user accounts to disallow password authentication. 
-You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. +You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object. The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL). > [!NOTE] -> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. +> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller. ![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** -When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. 
The users is effectively password-less because: +When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because: - the do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password @@ -274,7 +274,7 @@ When you configure an user account for SCRIL, Active Directory changes the affec **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.** > [!NOTE] -> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. +> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically. ![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png) **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.** 
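Review bot: the removed and added lines in the @@ -247 hunk read identically, so the change is presumably trailing whitespace only; since those lines are being rewritten anyway, fix the errors left in them: "When you configure an user account for SCRIL" should be "a user account", "Windows Server 2012 R2 or early domain functional level" should be "or earlier", and "The users is effectively password-less because:" should be "The user is", with the first bullet under it reading "they do not know their password" rather than "the do not know". In the same hunk, "sign-in interactively" is a verb here and should be "sign in interactively".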
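Review bot: the rewritten note in the @@ -274 hunk says "upgrading the domain to Windows Server 2016 domain forest functional level", which mixes two different levels; the automatic SCRIL password rotation described further down is tied to the Windows Server 2016 domain functional level, so use that term consistently. Also, clearing and re-setting the check box in ADUC or ADAC is the only way this hunk gives for regenerating the random password; administrators rolling this out to many users would want the scriptable equivalent mentioned as well, the SmartcardLogonRequired account setting that Set-ADUser can set and clear, since toggling a check box per user does not scale.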
@@ -283,14 +283,14 @@ When you configure an user account for SCRIL, Active Directory changes the affec > Windows Hello for Business was formerly known as Microsoft Passport. ##### Automatic password change for SCRIL configured users -Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. +Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. -In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. +In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] -> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. 
This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. +> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 1c707b838f34e0d7c04a773788170be8e8e33b96 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Mon, 10 Jun 2019 23:45:06 +0200 Subject: [PATCH 013/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md * "password-less" changed to passwordless Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8e163285dc..18107d412e 100644 
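Review bot: the rewritten paragraph in the @@ -283 hunk still carries errors the whitespace change did not touch: "passwords for SCRIL configured users expired based on" should be "expire based on", and "When the SCRIL user authentication from a domain controller" should be "When the SCRIL user authenticates to a domain controller". The rewritten note below it, "This configuration provides interoperability with while reducing the usage surface", is missing the thing it provides interoperability with (presumably NTLM and the other components named in the previous sentence); that note is the security-relevant caveat of the section, so it should also say plainly that a SCRIL account still has an NT hash of its random password stored in the directory and usable for NTLM, which is exactly why the automatic rotation described above this note matters.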
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 08/20/2018 ms.reviewer: --- -# Password-less Strategy +# Passwordless Strategy ## Four steps to Password-less From a8898d572f56ca6e8c7311e43a9da1215e91821d Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Mon, 10 Jun 2019 23:54:02 +0200 Subject: [PATCH 014/248] Update passwordless-strategy.md - "Password-less" in the heading replaced with 'password freedom' - "Password-less" in the image comment contracted to 'passwordless' --- .../hello-for-business/passwordless-strategy.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 18107d412e..d4a553671e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -18,10 +18,10 @@ ms.reviewer: --- # Passwordless Strategy -## Four steps to Password-less +## Four steps to password freedom Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less. -![Password-less approach](images/four-steps-passwordless.png) +![Passwordless approach](images/four-steps-passwordless.png) ### 1. Develop a password replacement offering From 0648ea96971ef6998db3fa86e2837360dc5f3bf7 Mon Sep 17 00:00:00 2001 
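Review bot: the subheading in the @@ -16 hunk's own context, "## Four steps to Password-less", keeps the hyphenated spelling that the title line just dropped, and the body of the file uses "password-less" throughout; rename the term consistently across the file in one commit, otherwise the title "Passwordless Strategy" and the text beneath it disagree on the spelling.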
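Review bot: heading and body disagree after the @@ -18 hunk: the subheading becomes "Four steps to password freedom" while the sentence directly under it still says "we shared our four-step approach to password-less". If the intent is consistency with the new title "Passwordless Strategy", "Four steps to passwordless" is the matching change; either way the sentence beneath should use the same term as the heading. The alt text change to "Passwordless approach" is fine and matches the file name four-steps-passwordless.png.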
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:39:38 +0200 Subject: [PATCH 015/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - correction in line 63 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index d4a553671e..225c7f44e9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -60,7 +60,7 @@ The most intuitive answer is the size of the organization, and that would be cor #### Number of departments The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. 
If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. From 1f38acc0c83b939bf3773564a1ffaadfae66218f Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:41:27 +0200 Subject: [PATCH 016/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - correction in line 65 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 225c7f44e9..cdbda1bf4d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -62,7 +62,7 @@ The number of departments within an organization varies. Most organizations have You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password-less. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. #### Organization or department hierarchy Organization and department hierarchy is the management layers within the departments or the organization as a whole. 
How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. From 5800d73a93ec51e4d748b841a4e9b686d0d6b237 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:42:42 +0200 Subject: [PATCH 017/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - correction in line 73 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index cdbda1bf4d..362b41a5a6 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
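Review bot: the rewritten line in the @@ -62 hunk still ends with "If your organizations goes password-less", which needs "If your organization goes password-less"; fix it in the same line rather than in a follow-up commit. The inserted "put" also gives "stakeholders for those departments that will put you and your staff on the road to password-less", which is a plausible reading but not an obvious one; "that will join you and your staff on the road" fits the surrounding sentence at least as well, so it is worth confirming the intended verb with the author.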
@@ -70,7 +70,7 @@ Organization and department hierarchy is the management layers within the depart #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications. +Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. 
#### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. From e4afb2da405da663f44c918d3200f7ef6df1676b Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:43:30 +0200 Subject: [PATCH 018/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation in line 78 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 362b41a5a6..c20390c1a3 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
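Review bot: the rewritten line in the @@ -70 hunk fixes "manufacture" but keeps "If the later, document the manufacturer and the version", where "later" should be "latter" (it refers back to COTS as the second of the two options); since the line is being edited anyway, correct both in this commit.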
@@ -75,7 +75,7 @@ Capturing the number of applications used is easier once you have the department #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. From 948118e668aefc62adfcd4a681050c5374f05f29 Mon Sep 17 00:00:00 2001 
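Review bot: the rewritten line in the @@ -75 hunk still contains "These work personas will become units of work an you will refer to them", which needs "and", and the context line beneath it, "Give your personas easy and intuitive name like Abby Accounting", needs "names"; both belong in the same commit as the "etc." punctuation change.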
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:46:21 +0200 Subject: [PATCH 019/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation in line 90 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c20390c1a3..ef7f71019c 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -87,7 +87,7 @@ IT department structures can vary more than the organization. Some IT department #### Assess your Organization You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? -By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. +By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. 
This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: - work through the work personas From 4ca65d872c67ff16b2f871e9aaddcb56c68ff548 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:47:15 +0200 Subject: [PATCH 020/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 117 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index ef7f71019c..96ea10e3dd 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
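Review bot: the rewritten paragraph in the @@ -87 hunk keeps two grammar errors right next to the "its" fixes: "Resolving some password surfaces are simple" should be "is simple", and "Resolution to some passwords surfaces may exist" should be "password surfaces". "Once you identified the password surfaces" in the same paragraph also reads better as "Once you have identified".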
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -114,7 +114,7 @@ Review your collection of work personas. Early in your password-less journey, id Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line. +You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. ## The Process From b8cc24c5007b7aff32843c54a4ecdc50af860b67 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:49:15 +0200 Subject: [PATCH 021/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - added " this:" to the end of line 121 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 96ea10e3dd..6cb845ddbf 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
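Review bot: the rewritten line in the @@ -114 hunk still says "If there are ways you can test in production with low or now risk", where "now" should be "no"; that is the one substantive error in the line and the grammar pass missed it. It matters because the sentence is advice about trying authentication changes in production, so the condition it sets ("low or no risk") should be unambiguous.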
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -118,7 +118,7 @@ You will want to balance testing in a lab with providing results to management q ## The Process -The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like +The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: 1. Password-less replacement offering (Step 1) 1. Identify test users representing the targeted work persona. From 1dc0a0dccb4823419cecf488b27ece40a143e65b Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:49:50 +0200 Subject: [PATCH 022/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 135 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 6cb845ddbf..3d638a913e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -132,7 +132,7 @@ The journey to password-less is to take each work persona through each password- 5. Validate that **none of the workflows** need passwords. 3. Transition into a password-less (Step 3) 1. Awareness campaign and user education. - 2. Including remaining users that fit the work persona. + 2. Include remaining users that fit the work persona. 3. Validate that **none of the users** of the work personas need passwords. 4. Configure user accounts to disallow password authentication. From dc69ad9566ac53f2179655e14aff8dec4580b018 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:50:45 +0200 Subject: [PATCH 023/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 182 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 3d638a913e..e796bf83fe 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -179,7 +179,7 @@ Your test users have provided you valuable information that describes the how, w Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. -Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like: +Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. From fd9c68a97a4838772486582a2981c1bc2d30be5c Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:51:48 +0200 Subject: [PATCH 024/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation adjustment in line 186 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e796bf83fe..e9b21afa27 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
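Review bot: the @@ -179 hunk fixes "they low percentage scenarios", but the bullet immediately below it, "Provisioning a new brand new user without a password", repeats "new", and the context line above, "If its policy or procedure driven", needs "it's"; all three sit in this seven-line hunk and should go in one commit.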
@@ -183,7 +183,7 @@ Keep in mind your test users will not uncover all scenarios. Some scenarios you - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. From a9d059d811477b0d9b940462deedbe504e5f7591 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:54:25 +0200 Subject: [PATCH 025/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction ("A" to An) in line 188 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
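Review bot: the same double-hyphen construct the @@ -183 hunk replaces in "technical solutions -" survives two lines down in the hunk's context, "either infrastructure or code changes-- the exact details", next to "A overview of the changes"; fix both here rather than leaving adjacent paragraphs with inconsistent punctuation.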
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e9b21afa27..514bbbca61 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -185,7 +185,7 @@ Keep in mind your test users will not uncover all scenarios. Some scenarios you Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. -Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. +Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). From c0b9fce31e03d5548dac97f2f614c8b7c7426e07 Mon Sep 17 00:00:00 2001 
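Review bot: the trailing context line "Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS)." leaves three errors untouched: "one or the more" should be "one of the more challenging obstacles", "in better shape the" is missing "than with", and the standard term is "commercial off-the-shelf software (COTS)". These could ride along with the "An overview" fix rather than wait for another single-line commit.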
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:57:06 +0200 Subject: [PATCH 026/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - word duplication removal + punctuation adjustment in line 192 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 514bbbca61..2b811f0b73 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -189,7 +189,7 @@ Start mitigating password usages based on the workflows of your targeted persona Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). -The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. +The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. 
Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. From 5829b2c3a321c1500aac00eeea4e6d2c8d2e097d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:58:53 +0200 Subject: [PATCH 027/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 197 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2b811f0b73..570bd01ddf 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
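Review bot: in the + line, "Work with the applications vendors" should be "application vendors", and "when they sign-in to Windows" uses the noun form where a verb is needed ("when they sign in to Windows"); the same verb/noun mix appears in the later SCRIL hunk ("sign-in interactively"), so it is worth settling now. Removing the doubled "enable those" is the right fix. The leading context line still reads "one or the more challenging obstacle", which the preceding commit also left unchanged.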
@@ -194,7 +194,7 @@ The ideal mitigation for applications that prompt the user for a password is to Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authentication. #### Repeat until all user password usage is mitigated -Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance. +Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. 
Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance. #### Remove password capabilities from Windows You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. From c45befa44f1b3cfdfc653aa2b9706da224e1a1b1 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 07:59:45 +0200 Subject: [PATCH 028/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar + punctuation correction in line 200 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 570bd01ddf..66e43a918d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
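Review bot: "Survey test users workflow for password usage" in the + line needs a possessive and a plural: "Survey test users' workflows for password usage". Likewise "removes your user's need to type a password" should be "users' need", since the sentence is about the whole test population rather than one user. The "If you are stuck" and "If you are out of options" rewrites are correct.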
@@ -197,7 +197,7 @@ Each scenario on your master list should now have a problem statement, an invest Some or all of your mitigations are in place. You need to validate that your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all of the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If you are stuck, others might be too. Use the forums from various sources or your network of IT colleagues to describe your problem and see how others are solving it. If you are out of options, contact Microsoft for assistance. #### Remove password capabilities from Windows -You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password. +You believe you have mitigated all the password usage for the targeted work persona. Now comes the true test - configure Windows so the user cannot use a password. Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider. From d8e11458716d26aa40e2877aa699324144319dd8 Mon Sep 17 00:00:00 2001 
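Review bot: "Now comes the true test - configure Windows so the user cannot use a password." would be clearer with a colon than a spaced hyphen: "Now comes the true test: configure Windows so the user cannot use a password." A colon also avoids adding yet another dash style to a file that already mixes "--" and " - ". The "mitigated" correction is right. In the trailing context, "only allow Windows Hello for Business sign-in and unlocks" mixes singular and plural; "sign-ins and unlocks" or "sign-in and unlock" would be consistent.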
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:00:32 +0200 Subject: [PATCH 029/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar/typo correction in line 216 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 66e43a918d..a637f3fdfe 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -213,7 +213,7 @@ The policy name for these operating systems is **Interactive logon: Require smar The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**. ![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png) -When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. +When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** 
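Review bot: the trailing context lines under "Excluding the password credential provider" have number agreement errors this grammar pass should catch: "deploy an administrative template policy settings" should be "policy setting", and "This policy settings is found under" should be "This policy setting is found under". On the changed line itself, keep "The password credential provider remains visible to the user" exactly as written; it is the key behavioural difference between this security policy and the credential-provider exclusion described next, and readers choosing between the two options need it.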
From aaf6de66b46715a4e687cbcc7f412db745ef61a7 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:01:41 +0200 Subject: [PATCH 030/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar + punctuation correction in line 231 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a637f3fdfe..59affc9a4a 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -228,7 +228,7 @@ Excluding the password credential provider hides the password credential provide This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. ### Transition into a password-less deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success. +Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. From 3fdde5fc4fd48d50b025528894b4387bfbeb8bf2 Mon Sep 17 00:00:00 2001 
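Review bot: "You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password" is still awkward after the fix, because "where" has no antecedent. Suggest "ready to go: the user no longer needs to know or use their password." In the leading context, "work flows" appears twice in the same paragraph as "workflows"; standardize on "workflows", which the rest of the file uses.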
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:02:35 +0200 Subject: [PATCH 031/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 236 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 59affc9a4a..9c3e8f09bf 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -233,7 +233,7 @@ Congratulations! You are ready to transition one or more portions of your organ #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. -An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out. +An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. #### Including remaining users that fit the work persona You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. From 08bfea5bb27cb32aa394aa97a63b4d699e8d3b60 Mon Sep 17 00:00:00 2001 
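Review bot: the leading context line "you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less" has a preposition mismatch ("include ... to"); "introduce the remaining users ... to" or "bring ... into" reads correctly. The + line's "coincide with user education" and "try out the experience" fixes are good; consider also "authenticating to their devices", since "users" is plural.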
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 08:03:33 +0200 Subject: [PATCH 032/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 241 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 9c3e8f09bf..08ca0c4975 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -238,7 +238,7 @@ An awareness campaign introduces the users to the new way of authenticating to t #### Including remaining users that fit the work persona You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. -#### Validate that none of the users of the work personas need passwords +#### Validate that none of the users of the work personas needs passwords You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment. Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: From 68b0467247d61ca9350c0c14df12539aed9591ee Mon Sep 17 00:00:00 2001 
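Review bot: the change from "need passwords" to "needs passwords" in the heading is a regression rather than a correction. "None of the users" is followed by a plural noun and takes the plural verb in standard usage, so "needs" reads as an error, and in a heading it is prominent. Suggest reverting to "need", or rewording to "Validate that no users of the work persona need passwords", which also changes "work personas" (plural) to match "the targeted work persona" used in the body text immediately below.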
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:28:37 +0200 Subject: [PATCH 033/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - add missing word at the end of line 252 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 08ca0c4975..611d453547 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -249,7 +249,7 @@ Track all reported issues. Set priority and severity to each reported issue and Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. #### Configure user accounts to disallow password authentication. You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. From f353e7f771d8d81fe5626f678b8b9289b3c5ffad Mon Sep 17 00:00:00 2001 
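Review bot: "validating it" is a good fix, but the same + line keeps a misplaced comma: "Clearly this is not the end goal but, do not let this slow" should be "Clearly this is not the end goal, but do not let this slow". Two lines later, the heading "#### Configure user accounts to disallow password authentication." ends with a period, unlike every other heading in this file; drop it. In that same context, "remove the user's knowledge of the password" could read "users' knowledge", since all users of the persona are meant.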
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:32:43 +0200 Subject: [PATCH 034/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2 grammar corrections in line 267 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 611d453547..b5c133806d 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -264,7 +264,7 @@ The account options on a user account includes an option -- **Smart card is requ ![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** -When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively password-less because: - the do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password From ff48adfa44ddb5e0a27bcdad3ae9f6dad9d40f76 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:33:32 +0200 Subject: [PATCH 035/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - single grammar correction in line 286 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
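Review bot: the first bullet below the changed line, "- the do not know their password.", still has the "the"/"they" typo and should read "- they do not know their password."; it is inside this hunk's context and the commit message says the paragraph was reviewed. Also "a Windows Server 2012 R2 or early domain functional level" should be "or earlier", "sign-in interactively" should be the verb "sign in", and the third bullet lacks the terminal period the other two have. One accuracy point for this paragraph: the + line says the domain controllers do not allow interactive password sign-in, but as the same sentence states, a random 128-bit password still exists on the account; a cross-reference to the later note about DPAPI and NTLM still needing password artifacts would help readers understand why.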
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b5c133806d..48e6d384ca 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -283,7 +283,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect > Windows Hello for Business was formerly known as Microsoft Passport. ##### Automatic password change for SCRIL configured users -Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users. +Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) From 2e04972a9e2f55cbffea39932eafbcce9f8a40c2 Mon Sep 17 00:00:00 2001 
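Review bot: the hyphenation introduced here ("SCRIL-enabled users") should also be applied to the heading two lines above, "##### Automatic password change for SCRIL configured users", which still reads "SCRIL configured"; the following commit hyphenates "SCRIL-configured" in the body but leaves the heading. The trailing context line "passwords for SCRIL configured users expired ... When the SCRIL user authentication from a domain controller" is corrected in the next patch; these single-line commits on the same paragraph would be easier to review squashed into one.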
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:36:24 +0200 Subject: [PATCH 036/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - various grammar corrections in line 288 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 48e6d384ca..390311c324 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -285,7 +285,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect ##### Automatic password change for SCRIL configured users Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users. -In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages. +In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages. ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] From 111505ef9eed1ee775e38315d1588cdf8de2e915 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:37:56 +0200 Subject: [PATCH 037/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - structural grammar correction in line 292 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
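Review bot: "When the SCRIL user authenticates from a domain controller" still has the wrong preposition. The user authenticates to (or against) a domain controller, and it is the domain controller that then detects the expired password and rotates it, as the rest of the sentence says. Suggest "When the SCRIL user authenticates to a domain controller, the domain controller recognizes...". Also "128 bit password" should be hyphenated as a compound modifier ("128-bit password"), and "change password notifications" reads better as "password change notifications".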
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 390311c324..2769cfa228 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -289,7 +289,7 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti ![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png) > [!NOTE] -> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. +> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 16bcc67eaaa69d280f8eae501f864731253e6b97 Mon Sep 17 00:00:00 2001 
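Review bot: the rewrite to "This configuration provides interoperability by reducing the usage surface" changes the meaning of the note. The first sentence says components such as DPAPI and NTLM still require a password artifact, so keeping a random, unknown password on the account is what preserves interoperability with them; the reduced password usage surface is the benefit gained alongside that, not the mechanism. The original "interoperability with while reducing" was a garbled remnant of exactly this intent. Suggest "This configuration preserves interoperability with those components while reducing the password usage surface, and Microsoft continues to close the gaps to remove the password completely."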
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:53:13 +0200 Subject: [PATCH 038/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - well needed punctuation corrections in line 295 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2769cfa228..561a121ec9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -292,5 +292,5 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 0e2b598e45276438b2c19d612254145e664deef6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 11 Jun 2019 19:58:35 +0200 Subject: [PATCH 039/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - combine corrections from JohanFreelancer9 with my own --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 561a121ec9..acd249a15e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -247,7 +247,7 @@ Track all reported issues. Set priority and severity to each reported issue and - Is the outage a result of a misconfiguration? - Is the outage a overlooked gap from step 2? -Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process. +Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. From d450d0d28cfbd43142a30050fa61e4b066b66ff4 Mon Sep 17 00:00:00 2001 
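Review bot: The trailing context line of the @@ -247,7 hunk still carries a misplaced comma ("Clearly this is not the end goal but, do not let this slow your password-less momentum"); since this commit is already a punctuation pass on the paragraph directly above, move the comma before "but": "Clearly this is not the end goal, but do not let this slow your passwordless momentum." Separately, "Reactive planning enables people to spend more time on the issue" in the rewritten line sits oddly in a paragraph about predefining severity levels and SLAs, which is proactive planning; that wording is carried over from the original, but it is worth a second look while the sentence is being rewritten.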
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:40:24 +0200 Subject: [PATCH 040/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 30 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index acd249a15e..b01918cfd7 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -27,7 +27,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a ### 1. Develop a password replacement offering Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory. -Deploying Windows Hello for Business is the first step towards password-less. Windows Hello for Business deployed coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. +Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. 
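Review bot: The @@ -27,7 hunk switches this one sentence to "passwordless" while the unchanged context lines in the same hunk still read "password-less" (the step 2 paragraph and the "Transition into a password-less deployment" heading), so this revision leaves the section with both spellings. The series then fixes the term one line per commit; a single find-and-replace commit for the spelling would be easier to review and would leave no intermediate revision with mixed usage. While here, the context line's "a strong, hardware protected two-factor credential" wants the compound modifier hyphenated: "hardware-protected".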
From 26135c92257299aecd6e980209ca9470e0c0a931 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:42:22 +0200 Subject: [PATCH 041/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability simplification in line 33 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b01918cfd7..9940c4bdd0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -30,7 +30,7 @@ Before you move away from passwords, you need something to replace them. With Wi Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a password-less deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: 
From 819b07f6fd4d63e1eab326ab69a210f0881669d6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:43:34 +0200 Subject: [PATCH 042/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - heading format corrections in line 35 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 9940c4bdd0..e86cef3768 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -32,7 +32,7 @@ Deploying Windows Hello for Business is the first step towards a passwordless en ### 2. Reduce user-visible password surface area With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. -### 3. Transition into a password-less deployment +### 3. Transition into a passwordless deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: - the user never types their password - the user never changes their password 
From d0ae5347d59217147703d3e82739262037c68bf3 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:44:41 +0200 Subject: [PATCH 043/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => passwordless in line 36 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e86cef3768..1a4a88c244 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -33,7 +33,7 @@ Deploying Windows Hello for Business is the first step towards a passwordless en With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a passwordless deployment -Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where: +Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: - the user never types their password - the user never changes their password - the user does not know their password From db8b536a211dcf3e0214a5fc17d8a91e7957a777 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:45:30 +0200 Subject: [PATCH 044/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2x "password-less" => passwordless in line 44 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1a4a88c244..ba18f2dbc4 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -41,7 +41,7 @@ Once the user-visible password surface has been eliminated, your organization ca In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. ### 4. Eliminate passwords from the identity directory -The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment. +The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. ## Methodology The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. From 9cb6ebdba87f334dbec0f4d96692404f43fe4627 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:47:00 +0200 Subject: [PATCH 045/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability improvement in line 47 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index ba18f2dbc4..b3968d3355 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -44,7 +44,7 @@ In this world, the user signs in to Windows 10 using Windows Hello for Business The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. ## Methodology -The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations. +Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. ### Prepare for the Journey The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. From 1aa853886bb9a08cd7c42d2a914b6cbb0036f961 Mon Sep 17 00:00:00 2001 
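Review bot: In the @@ -44,7 hunk the new opening sentence reads as a subject-verb disagreement: "Four steps to password freedom provides an overall view". If "Four steps to password freedom" is meant as the title of the preceding section, set it off as a title (for example "The *Four steps to password freedom* section provides an overall view ..." or a link to the heading); if it is ordinary prose, use "The four steps to password freedom provide an overall view". The closing "accomplish freedom from passwords" is also wordier than the "passwordless" term the rest of this series standardizes on; "accomplish this" would read better.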
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:48:12 +0200 Subject: [PATCH 046/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 50 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b3968d3355..96e7c243dd 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -47,7 +47,7 @@ The final step of the passwordless story is where passwords simply do not exist. Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. ### Prepare for the Journey -The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey. +The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria that influence the length of the journey. The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: - Number of departments From a45d3197b600d6431e01d12d40c3114e01a4d41e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:48:44 +0200 Subject: [PATCH 047/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation correction in line 52 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 96e7c243dd..35744f5215 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -49,7 +49,7 @@ Four steps to password freedom provides an overall view of how Microsoft envisio ### Prepare for the Journey The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria that influence the length of the journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is: +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is: - Number of departments - Organization or department hierarchy - Number and type of applications and services From 31af310df1fe8c474ef35183e49acfc87a698055 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:50:23 +0200 Subject: [PATCH 048/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability improvement (simplification) at the end of line 63 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 35744f5215..a4fd3640a5 100644 
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -60,7 +60,7 @@ The most intuitive answer is the size of the organization, and that would be cor #### Number of departments The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password-less. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. 
If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. From d7ecdc25ac1ef2da9658d323f2482db3cfff12fe Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:52:38 +0200 Subject: [PATCH 049/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar correction in line 65 (might need removal of 1 space) Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a4fd3640a5..b293c1e2a6 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
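Review bot: The @@ -60,7 hunk drops the object of "not applicable", leaving "you have assessed it is not applicable" with nothing to say what the department is not applicable to. Keep the referent with the new spelling, e.g. "Nevertheless, ensure this department is in your list and you have assessed that it is not applicable to the passwordless effort." The same sentence also reads better with "that" after "assessed".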
@@ -62,7 +62,7 @@ The number of departments within an organization varies. Most organizations have You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password-less. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy Organization and department hierarchy is the management layers within the departments or the organization as a whole. 
How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. From ee11f61f7fdd6b453df7d621ad237fd2dd774a16 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:56:43 +0200 Subject: [PATCH 050/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 68 (also should be updated later with "differently from" instead of "differently than") Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b293c1e2a6..75f91de16e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
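Review bot: The @@ -62,7 hunk leaves the subject-verb error it sits next to untouched: "If your organizations goes password-free" should be "If your organization goes". It also introduces "password-free" as a third variant alongside "passwordless" and "password-less" within the same paragraph; use "passwordless" here too, matching the "passwordless road" and "passwordless strategy" edits made on the same line.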
@@ -65,7 +65,7 @@ You need to know all the departments within your organization and you need to kn Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. 
Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. From 01ff56b01a8ee17041d3f8c2b9a0e488a3d19d8f Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:57:40 +0200 Subject: [PATCH 051/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 71 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 75f91de16e..36b3b6d7d1 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
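Review bot: The @@ -65,7 hunk changes "use cases" to "user cases", which is a regression: "use case" is the term, and the original line had it right. The same replacement swaps "different than" for "different to", the British form, whereas this doc set is written in US English and the commit message itself names "differently from" as the intended target. Suggested line end: "Both of those use cases are probably different from how an individual contributor in the customer service department uses their device."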
@@ -68,7 +68,7 @@ Your count of the departments must be thorough and accurate, as well as knowing Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. +The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. 
That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. From ed1abd1ade8c801b2448b9cf0b301ba62745d37e Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 19:59:26 +0200 Subject: [PATCH 052/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections in line 78 (might need to add one or two commas here later) Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 36b3b6d7d1..aad6e3c128 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
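Review bot: "If the later, document the manufacturer and the version." in the trailing context should read "If the latter"; since this commit already touches the paragraph, it could carry that one-word fix as well.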
@@ -75,7 +75,7 @@ Capturing the number of applications used is easier once you have the department #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work and you will refer to them in documentation and in meetings. You need to give them a name. Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. From cacf39a5875955711635c30fe53a3c6defe45123 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:00:46 +0200 Subject: [PATCH 053/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - semantic improvement in line 82 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index aad6e3c128..8851e977ab 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -79,7 +79,7 @@ A work persona classifies a category of user, title or role (individual contribu Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. +Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. From 6edb7070e14d9bf4ba011095274c990f9c31e40d Mon Sep 17 00:00:00 2001 
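Review bot: "Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales." in the leading context needs either a plural ("easy and intuitive names") or an article ("an easy and intuitive name"); worth folding in while this paragraph is being edited.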
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:02:42 +0200 Subject: [PATCH 054/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - multiple corrections of "password-less" => 'passwordless' also with a couple of words added in line 85 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8851e977ab..f1ef213674 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -82,7 +82,7 @@ Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded. +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to being passwordless will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to being passwordless. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. #### Assess your Organization You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? From b94a3f8b78e0e79f650f999f70c85d4de1ecbc9e Mon Sep 17 00:00:00 2001 
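Review bot: "Most of these teams will be your partner on your journey to being passwordless." in the added line should be "partners" to agree with "teams"; the line is already being rewritten, so the fix belongs in this commit.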
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:07:18 +0200 Subject: [PATCH 055/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - multiple corrections of "password-less" ('passwordless' or improving the semantics by replacing the words) Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f1ef213674..09569176b9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -89,7 +89,7 @@ You have a ton of information. You have created your work personas, you identifi By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. -How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: +How long does it take to become passwordless? 
The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: - work through the work personas - organize and deploy user acceptance testing - evaluate user acceptance testing results for user-visible password surfaces From 59ae4bc850eda787123077d799b72c43d014b866 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:09:44 +0200 Subject: [PATCH 056/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections and punctuation improvements in line 102 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 09569176b9..f583d3c80a 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
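Review bot: the rewritten sentence "Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects." drops what is being agreed on; the removed line said agreement on password-less as a priority. Suggest "Top-down agreement that going passwordless is a priority among other on-going IT projects helps everyone understand how to prioritize existing projects." Also, "Easier conversations means" (unchanged in both lines) should be "mean".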
@@ -99,7 +99,7 @@ How long does it take to become passwordless? The answer is "it depends". It de - User acceptance testing to confirm the solution mitigates the user-visible password surface - Repeat as needed -Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less. +Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. ### Where to start? What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. 
Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. From c1ba62b192f3532adb62ba331c3abf6b9ce44e7d Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:10:48 +0200 Subject: [PATCH 057/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar corrections and semantic improvements in line 105 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f583d3c80a..a26a2124ae 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -102,7 +102,7 @@ How long does it take to become passwordless? The answer is "it depends". It de Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. ### Where to start? -What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused. +What is the best guidance for kicking off the passwordless journey? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. #### Work persona You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. 
This is the targeted work persona you will enable to climb the password-less steps. From c0b74942ad5c66909391efb1c26eeb6d65c70b3f Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:11:56 +0200 Subject: [PATCH 058/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 108 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a26a2124ae..5ba7909b91 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
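Review bot: "show you management a proof of concept" survives in both the removed and the added line; it should be "show your management". Since the sentence is being rewritten here anyway, fix it in this commit.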
@@ -105,7 +105,7 @@ Your organization's journey to being passwordless may take some time. Counting t What is the best guidance for kicking off the passwordless journey? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. #### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps. +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the passwordless steps. > [!IMPORTANT] > Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. From 7d2401d85709361c7969f7a812053dc2c5142eac Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:12:32 +0200 Subject: [PATCH 059/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 111 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 5ba7909b91..891f2b248e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -108,7 +108,7 @@ What is the best guidance for kicking off the passwordless journey? You will wa You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the passwordless steps. > [!IMPORTANT] -> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. +> Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. From 1ca09e1e7f018514859e0f0d4b05ccf1f1a64f39 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:13:03 +0200 Subject: [PATCH 060/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 113 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 891f2b248e..b8714f89a9 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -110,7 +110,7 @@ You begin with your work personas. These were part of your preparation process. > [!IMPORTANT] > Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your passwordless journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. From ddf3841e76a79b3d974053e1b3b411b3e0cb1551 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:14:29 +0200 Subject: [PATCH 061/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'a password-free strategy' in line 115 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index b8714f89a9..1c34b1ee92 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -112,7 +112,7 @@ You begin with your work personas. These were part of your preparation process. Review your collection of work personas. Early in your passwordless journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. From fc6fc54c72c94b30aee236476ea6783df1f933b0 Mon Sep 17 00:00:00 2001 
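Review bot: "a password-free strategy" in the added line breaks the convention the rest of this series establishes ("passwordless"), in a file named passwordless-strategy.md; "To do that with a passwordless strategy may be more challenging and take more time." keeps the terminology consistent. The trailing context "low or now risk" also reads as a typo for "low or no risk" and could be fixed in the same commit.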
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:15:49 +0200 Subject: [PATCH 062/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2 "password-less" corrections + 1 word added in line 121 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1c34b1ee92..89d029e35e 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -118,7 +118,7 @@ You will want to balance testing in a lab with providing results to management q ## The Process -The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: +The journey to being passwordless is to take each work persona through each passwordless step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: 1. Password-less replacement offering (Step 1) 1. Identify test users representing the targeted work persona. From 3c550a7a38f4ef050a9e3dc6da8c4b11e8712862 Mon Sep 17 00:00:00 2001 
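Review bot: the trailing context "1. Password-less replacement offering (Step 1)" still uses the old spelling two lines below the line being changed; folding it into this commit rather than a separate one-line commit would keep the rename atomic per section.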
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:17:34 +0200 Subject: [PATCH 063/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "Password-less" => 'Passwordless' in line 123 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 89d029e35e..2a0047ddc2 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -120,7 +120,7 @@ You will want to balance testing in a lab with providing results to management q The journey to being passwordless is to take each work persona through each passwordless step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: -1. Password-less replacement offering (Step 1) +1. Passwordless replacement offering (Step 1) 1. Identify test users representing the targeted work persona. 2. Deploy Windows Hello for Business to test users. 3. Validate that passwords and Windows Hello for Business work. From 62577a1488f95b4a6af09de77de7f614fa8edc31 Mon Sep 17 00:00:00 2001 
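Review bot: this one-line rename is separated from PATCH 062, which rewrote the paragraph that introduces this list; folding it into that commit keeps the introduction and its first list item consistent in every revision of the file.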
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:18:21 +0200 Subject: [PATCH 064/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "Password-less" => 'Passwordless' in line 141 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2a0047ddc2..01b6573b1f 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -138,7 +138,7 @@ The journey to being passwordless is to take each work persona through each pass After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. -### Password-less replacement offering (Step 1) +### Passwordless replacement offering (Step 1) The first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona From 5cfdf4dcdf5df8e1f5a75b3fd632353774803412 Mon Sep 17 00:00:00 2001 
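Review bot: the leading context line of this hunk, "After successfully moving a work persona to password-less, you can prioritize the remaining work personas", keeps the old spelling and is not touched anywhere later in this series (it reappears unchanged as context in PATCH 065); update it here, for example "After successfully moving a work persona to a passwordless state".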
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:19:18 +0200 Subject: [PATCH 065/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'password freedom' in line 142 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 01b6573b1f..90a8521d72 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -139,7 +139,7 @@ The journey to being passwordless is to take each work persona through each pass After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. ### Passwordless replacement offering (Step 1) -The first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. +The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. From 598c9e3e44ef1112f4529de48b84bb93d71ac918 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:20:25 +0200 Subject: [PATCH 066/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - readability improvement (removal of "password-less") in line 145 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
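Review bot: the rewritten line still carries "a strong, two-factor authentication to Azure Active Directory and Active Directory", which is missing a noun; "a strong two-factor authentication method for Azure Active Directory and Active Directory" reads correctly, and since the line is already being changed the fix belongs here. "Password freedom" matches the file's top-level heading, so the term choice itself is consistent.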
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 90a8521d72..63192115fe 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -142,7 +142,7 @@ After successfully moving a work persona to password-less, you can prioritize th The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. +A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. From 196c4ff45b6ee6bb7f8833a142698c2e5691dd72 Mon Sep 17 00:00:00 2001 
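Review bot: the trailing context line "Your test users will need an alternative way to sign-in during step 2 of the password-less journey" still has the hyphenated term and uses "sign-in" as a verb ("sign in"); neither is fixed in any of the commits shown here, so include both in this change.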
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:21:24 +0200 Subject: [PATCH 067/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - semantic improvement (including "password-less" => 'passwordless') in line 190 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 63192115fe..c0184a9f9b 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -187,7 +187,7 @@ Next, review your master list of scenarios. You can start with the workflows tha Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. -Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). +Mitigating password usage with applications is one or the more challenging obstacle in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. From aad240c225f5a1098e25a0738fac7ec38c421104 Mon Sep 17 00:00:00 2001 
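Review bot: the rewritten line keeps two errors it could have fixed: "one or the more challenging obstacle" should be "one of the more challenging obstacles", and "you are in better shape the common-off-the-shelf software (COTS)" is missing "than" and the expansion is "commercial off-the-shelf". In the trailing context, "applications vendors" should be "application vendors".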
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:22:21 +0200 Subject: [PATCH 068/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 230 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c0184a9f9b..e2a52e5fd2 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -227,7 +227,7 @@ Excluding the password credential provider hides the password credential provide #### Validate that none of the workflows need passwords This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. -### Transition into a password-less deployment (Step 3) +### Transition into a passwordless deployment (Step 3) Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education From 2c64492583099129f7eed6c11359cc9e1922b594 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:23:07 +0200 Subject: [PATCH 069/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 231 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index e2a52e5fd2..007105df76 100644 
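Review bot: the sentence directly under the renamed heading still says "to a password-less deployment" (only fixed in PATCH 069, which should be squashed with this one), and the leading context spells the term both "workflows" and "work flows" ("all the work flows", "low percentage work flows") within the same paragraph; normalize to "workflows".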
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -228,7 +228,7 @@ Excluding the password credential provider hides the password credential provide This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. ### Transition into a passwordless deployment (Step 3) -Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. +Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. From d911333b88d04ccb185424e2337c8565629bf3fe Mon Sep 17 00:00:00 2001 
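Review bot: the trailing context, "to the wonderful world of password-less", is left with the old spelling and is not renamed in any later commit shown here; "to the wonderful world of passwordless sign-in" or simply "to a passwordless experience" would finish the job for this section.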
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:23:57 +0200 Subject: [PATCH 070/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - 2x "password-less" => 'passwordless' in line 255 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 007105df76..36ab994644 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -252,7 +252,7 @@ Each organization's priority and severity will differ. However, most organizatio Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. #### Configure user accounts to disallow password authentication. -You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. +You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object. From 93da7499512b6275b9949ae06d246e88ebb378c6 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:24:55 +0200 Subject: [PATCH 071/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => 'passwordless' in line 267 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
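Review bot: the leading context line, "do not let this slow your password-less momentum", keeps the old spelling and is not updated in any later commit shown here. The heading "#### Configure user accounts to disallow password authentication." also ends with a period, unlike the file's other headings ("#### Awareness and user education"); drop it while touching this region.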
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 36ab994644..2023b4d469 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -264,7 +264,7 @@ The account options on a user account includes an option -- **Smart card is requ ![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png) **SCRIL setting for a user on Active Directory Users and Computers.** -When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively password-less because: +When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because: - the do not know their password. - their password is 128 random bits of data and is likely to include non-typable characters. - the user is not asked to change their password From 49f41cefb13cae9d927c57bd0a0b242bf6a9c70c Mon Sep 17 00:00:00 2001 
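Review bot: the bullet list following the changed line has "the do not know their password" (should be "they do not know their password"), and the sentence before it says "Windows Server 2012 R2 or early domain functional level" where "earlier" is meant; both sit in this hunk's context and are exactly the class of fix this series is making. The third bullet, "the user is not asked to change their password", also lacks the terminal period the first two bullets have.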
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Wed, 12 Jun 2019 20:26:11 +0200 Subject: [PATCH 072/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "password-less" => "a passwordless future" in line 295 Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 2023b4d469..10e2239dcb 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -292,5 +292,5 @@ In this configuration, passwords for SCRIL-configured users expire based on Acti > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely. ## The Road Ahead -The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). +The information presented here is just the beginning. We will update this guide with improved tools, methods, and scenarios, like Azure AD joined and MDM managed environments. As we continue to invest in a passwordless future, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback). From 4ac7ebed1c557f9f88c6239ce8c2ff23e5e1eeab Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 20:34:45 +0200 Subject: [PATCH 073/248] Update hello-for-business/passwordless-strategy.md - "password-less" => 'password freedom' in line 23 (to keep it in tune with the preceding headline) --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 10e2239dcb..34b853b30b 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -20,7 +20,7 @@ ms.reviewer: ## Four steps to password freedom -Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less. +Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom. ![Passwordless approach](images/four-steps-passwordless.png) From f2706af5217d547d26f1e967f63719efea9f712c Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 20:51:35 +0200 Subject: [PATCH 074/248] Update hello-for-business/passwordless-strategy.md Further corrections in line 65: - reduced a double space to single space from previous changes - "organizations" => organization (our own organization is singular in the reader's perspective) --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 34b853b30b..c9bb8cdad0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
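Review bot: "password freedom" matches the section heading "Four steps to password freedom" directly above, so this is the right term here; in the same sentence, "Microsoft has continued their commitment" treats a singular organization as plural, and "its commitment" is the standard form.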
@@ -62,7 +62,7 @@ The number of departments within an organization varies. Most organizations have You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. -Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy Organization and department hierarchy is the management layers within the departments or the organization as a whole. 
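Review bot: the changed sentence now says "If your organization goes password-free" while both neighbouring clauses in the same paragraph use "passwordless" ("on the passwordless road", "in your passwordless strategy"); since this series is consolidating terminology, use "passwordless" here too. In the first sentence, "as well as knowing the stakeholders" hangs awkwardly off "Your count of the departments must be thorough and accurate"; "and you must know the stakeholders for those departments" reads cleanly.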
How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. From 40d4c5e8d4916e0597f1e1eaf1041d4918b9cfb7 Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 21:06:40 +0200 Subject: [PATCH 075/248] Update hello-for-business/passwordless-strategy.md Correction in line 68: - "differently than" => 'differently compared to' Correct use cases are usually "different than" or "different from", but "differently" needs more details in the comparison. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c9bb8cdad0..c59aefdb5a 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -65,7 +65,7 @@ You need to know all the departments within your organization and you need to kn Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. +Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. 
Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. From 44507a5280204180300b48c2709e38b7952d9faf Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 21:09:46 +0200 Subject: [PATCH 076/248] Update hello-for-business/passwordless-strategy.md Correction in line 78: 1 comma added to maintain structural semantics. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c59aefdb5a..8927498ca0 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
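Review bot: for the PATCH 075 hunk, "differently compared to" is wordier than the conventional "differently from", which is the form the commit message is reaching for; the sentence that follows in the same paragraph, "Both of those user cases are probably different to how an individual contributor ... uses their device", has the same construction ("different from") plus "user cases" for "use cases", so handle both together.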
@@ -75,7 +75,7 @@ Capturing the number of applications used is easier once you have the department #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. -A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work and you will refer to them in documentation and in meetings. You need to give them a name. +A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name. Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. From b2336814df149421626b6e98a59608779aa7fc5d Mon Sep 17 00:00:00 2001 
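Review bot: the trailing context line "Give your personas easy and intuitive name like Abby Accounting" needs the plural "names", and in the changed line itself the comma after the closing parenthesis in "title or role (individual contributor, manager, middle manager, etc.), within a specific department" separates the verb "classifies" from its complement; drop that comma.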
From: illfated Date: Wed, 12 Jun 2019 22:53:30 +0200 Subject: [PATCH 077/248] Update hello-for-business/passwordless-strategy.md Add some changes in the lines 98-100 to make each bullet point work as a complete sentence starting with "Those resources will [...]" --- .../hello-for-business/passwordless-strategy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8927498ca0..a87e88a60f 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -95,9 +95,9 @@ How long does it take to become passwordless? The answer is "it depends". It de - evaluate user acceptance testing results for user-visible password surfaces - work with stakeholders to create solutions that mitigate user-visible password surfaces - add the solution to the project backlog and prioritize against other projects -- deploy solution -- User acceptance testing to confirm the solution mitigates the user-visible password surface -- Repeat as needed +- deploy the solution +- perform user acceptance testing to confirm that the solution mitigates the user-visible password surface +- repeat the testing as needed Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. From 968acf48e98fd243d91c3c6c7ed308620fc36b9a Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 23:01:16 +0200 Subject: [PATCH 078/248] Update hello-for-business/passwordless-strategy.md Change in line 33: "the user knows they have a password" replaced with "the users know they have a password" to match the plural 'users' referenced elsewhere. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
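Review bot: The last bullet's rewrite from "Repeat as needed" to "repeat the testing as needed" narrows the meaning: read against the bullets above it (evaluate results, create solutions, prioritize, deploy, test), the original "Repeat" covers the whole cycle, not only the user acceptance test. Suggest "repeat the cycle as needed" or "repeat these steps as needed" so the loop back to mitigation is preserved. The other two bullets ("deploy the solution", "perform user acceptance testing to confirm that ...") read well.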
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index a87e88a60f..6b375fe6dc 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -30,7 +30,7 @@ Before you move away from passwords, you need something to replace them. With Wi Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it. ### 2. Reduce user-visible password surface area -With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. +With Windows Hello for Business and passwords coexisting in your environment, the next step is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the users know they have a password, but they never use it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is how passwords are phished. Users who rarely, if at all, use their password are unlikely to provide it. Password prompts are no longer the norm. ### 3. Transition into a passwordless deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: 
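Review bot: The plural fix is fine, but the same rewritten line keeps "This state helps decondition users ... This is how passwords are phished.", where the second "This" has no clear antecedent (it reads as if the deconditioned state is how passwords are phished, when the intent is that reflexively typing a password into any prompt is). Since the hunk already rewrites this line, consider "Providing a password to any prompt is how passwords are phished." or similar.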
From 1098a4cd9e67bdf035e1524545e5e220f91736ec Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 12 Jun 2019 23:07:35 +0200 Subject: [PATCH 079/248] Update hello-for-business/passwordless-strategy.md Changes in the lines 37-39: user => users (along with the verbs corrected to plural) to match the plural 'users' referenced elsewhere. --- .../hello-for-business/passwordless-strategy.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 6b375fe6dc..f872f56909 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -34,9 +34,9 @@ With Windows Hello for Business and passwords coexisting in your environment, th ### 3. Transition into a passwordless deployment Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a passwordless world. A world where: - - the user never types their password - - the user never changes their password - - the user does not know their password + - the users never type their password + - the users never change their password + - the users do not know their password In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business. From 310179b7b35c256d93d6c143ba7d9e51b58c7d0d Mon Sep 17 00:00:00 2001 
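Review bot: The bullets are now plural ("the users never type their password"), but the unchanged context line directly below them still reads "In this world, the user signs in to Windows 10 ... If the user is forced to authenticate, their authentication ...", so the paragraph switches number midway. Either keep the bullets singular or include that sentence in the hunk and pluralize it as well; "their passwords" would also agree better with plural "users".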
From: illfated Date: Wed, 12 Jun 2019 23:56:44 +0200 Subject: [PATCH 080/248] Update hello-for-business/passwordless-strategy.md Multiple scattered changes, including: - "password-less" => passwordless - both in titles and sentences (should resolve all remaining occurrences of "password-less") - semantics improvements - punctuation adjustments (mainly comma placements) - singular/plural corrections based on general reference - added some missing structural words --- .../passwordless-strategy.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index f872f56909..7426c2c6dc 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -1,5 +1,5 @@ --- -title: Password-less Strategy +title: Passwordless Strategy description: Reducing Password Usage Surface keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless ms.prod: w10 
@@ -60,7 +60,7 @@ The most intuitive answer is the size of the organization, and that would be cor #### Number of departments The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable. +You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. 
If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. 
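Review bot: The unchanged context line above the change, "additional ones such research and development or support", is missing "as" ("such as research and development"); the commit message promises "added some missing structural words", so this hunk is the natural place for it. The added "that" in "assessed that it is not applicable" is a good fix.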
@@ -68,7 +68,7 @@ Your count of the departments must be thorough and accurate, as well as knowing Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services -The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. +The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. 
That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. @@ -114,7 +114,7 @@ Review your collection of work personas. Early in your passwordless journey, ide Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. +You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your journey to being passwordless is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. ## The Process 
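Review bot: In the @@ -114,7 hunk the rewritten line keeps the typo "with low or now risk", which should be "low or no risk"; since the line is already being touched for the passwordless wording, fix it here. In the @@ -68,7 hunk, the unchanged context line "If the later, document the manufacturer and the version" should read "If the latter".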
@@ -130,13 +130,13 @@ The journey to being passwordless is to take each work persona through each pass 3. Repeat until all user password usage is mitigated. 4. Remove password capabilities from Windows. 5. Validate that **none of the workflows** need passwords. -3. Transition into a password-less (Step 3) +3. Transition into a passwordless scenario (Step 3) 1. Awareness campaign and user education. - 2. Include remaining users that fit the work persona. + 2. Include remaining users who fit the work persona. 3. Validate that **none of the users** of the work personas need passwords. 4. Configure user accounts to disallow password authentication. -After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process. +After successfully moving a work persona to being passwordless, you can prioritize the remaining work personas, and repeat the process. ### Passwordless replacement offering (Step 1) The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. 
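Review bot: "3. Transition into a passwordless scenario (Step 3)" does not match the wording of the step it points to: the step-3 heading in this file (visible in the earlier @@ -30,7 context as "### 3. Transition into a passwordless deployment") says "deployment", and the closing line of this hunk, "After successfully moving a work persona to being passwordless", uses a third phrasing. Suggest "3. Transition into a passwordless deployment (Step 3)" so the outline and the headings use one term.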
@@ -145,9 +145,9 @@ The first step to password freedom is providing an alternative to passwords. Win A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users -Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. +Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. -With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. 
+With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is that you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment. > [!NOTE] > There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices. 
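Review bot: "to help learning which deployment is best suited for your environment" in the rewritten line is ungrammatical; "to help you learn which deployment is best suited" or "to learn which deployment best suits" would do. The same line keeps "an alternative way to sign-in during step 2", where the verb form is "sign in" (hyphenated "sign-in" is the noun). In the unchanged NOTE below, "for an additional Azure joined devices" mixes article and plural; "for additional Azure joined devices" is what is meant.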
@@ -172,7 +172,7 @@ Test users create the workflows associated with the targeted work persona. Their - How frequently do you use this application in a given day? week? - Is the password you type into the application the same as the password you use to sign-in to Windows? -Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less. +Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt that could delay the transition to being passwordless. #### Identify password usage and plan, develop, and deploy password mitigations Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. 
@@ -231,15 +231,15 @@ This is the big moment. You have identified password usage, developed solutions Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education -In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign. +In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of being passwordless. Before you do this, you want to invest in an awareness campaign. An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. #### Including remaining users that fit the work persona -You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment. +You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to being passwordless. Add the remaining users that match the targeted work persona to your deployment. 
#### Validate that none of the users of the work personas needs passwords -You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment. +You have successfully transitioned all users for the targeted work persona to being passwordless. Monitor the users within the work persona to ensure they do not encounter any issues while working in a passwordless environment. Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are: - Is the reporting user performing a task outside the work persona? 
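Review bot: "include the remaining users that fit the targeted work persona to the wonderful world of being passwordless" needs "into" (or "bring ... into"); "include ... to" is not idiomatic. The @@ -130,13 hunk in this same commit changes "users that fit" to "users who fit", but the heading "#### Including remaining users that fit the work persona" and both rewritten lines here keep "that fit"; pick one. The unchanged heading "#### Validate that none of the users of the work personas needs passwords" reads better as "need passwords", matching the outline item "3. Validate that **none of the users** of the work personas need passwords" in the @@ -130,13 hunk.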
@@ -249,7 +249,7 @@ Track all reported issues. Set priority and severity to each reported issue and Each organization's priority and severity will differ. However, most organizations consider work stoppages to be fairly significant. Your team should predefine levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority, and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it, and less time on the process. -Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. +Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal, but do not let this slow down your momentum towards becoming passwordless. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating it. #### Configure user accounts to disallow password authentication. You transitioned all the users for the targeted work persona to a passwordless environment and you have successfully validated all their workflows. The last step to complete the passwordless transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords. From f8d8da725333c8abef7c62545d2c27a6e5603f9a Mon Sep 17 00:00:00 2001 
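Review bot: The unchanged heading that closes this hunk, "#### Configure user accounts to disallow password authentication.", ends with a period while the other headings in the file do not; since this commit is a punctuation pass, drop it. The rewritten sentence "Clearly this is not the end goal, but do not let this slow down your momentum towards becoming passwordless" reads well, though the unchanged "Higher severity items may require returning some or all of the user's password surface" would be clearer with "restoring" in place of "returning".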
From: illfated Date: Thu, 13 Jun 2019 00:58:18 +0200 Subject: [PATCH 081/248] Update hello-for-business/passwordless-strategy.md Another round of multiple scattered changes. Multiple occurrences of 'passwordless' replaced with "password freedom", specifically where "the journey to password freedom" fits better. --- .../passwordless-strategy.md | 50 +++++++++---------- 1 file changed, 25 insertions(+), 25 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 7426c2c6dc..d448e47f84 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -44,12 +44,12 @@ In this world, the user signs in to Windows 10 using Windows Hello for Business The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment. ## Methodology -Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. +Four steps to password freedom provides an overall view of how Microsoft envisions the road to eliminating passwords. But this road is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of achieving a passwordless environment, but can easily become overwhelmed by any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish freedom from passwords, here is one recommendation based on several years of research, investigation, and customer conversations. ### Prepare for the Journey -The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria that influence the length of the journey. +The road to being passwordless is a journey. The duration of that journey varies for each organization. 
It is important for IT decision-makers to understand the criteria influencing the length of that journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is: +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the - Number of departments - Organization or department hierarchy - Number and type of applications and services 
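Review bot: The rewritten lead-in now ends with "One way to break down the size of the organization is by creating a summary of the" and relies on the bullet list to complete the sentence; that only works if the list renders immediately after it, and "a summary of the following:" would be more robust. In the unchanged first context line, "Four steps to password freedom provides an overall view" needs either "provide" or the phrase set off as a title ("The four steps to password freedom provide").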
@@ -58,38 +58,38 @@ The most intuitive answer is the size of the organization, and that would be cor - Organization's IT structure #### Number of departments -The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. +The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly, while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well. -You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. +You need to know all the departments within your organization and you need to know which departments use computers and which ones do not. It is fine if a department does not use computers (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed that it is not applicable. 
-Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the passwordless road. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. +Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will put you and your staff on the road to password freedom. Realistically, many of us lose sight of our organizational chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organization goes password-free, but your partners continue to use passwords and then access your corporate resources, you should know about it and include them in your passwordless strategy. #### Organization or department hierarchy -Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. 
+Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used, most likely differs between each department, but also within the structure of the department. To determine the correct passwordless strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently compared to a member of middle management in the sales department. Both of those user cases are probably different to how an individual contributor in the customer service department uses their device. #### Number and type of applications and services The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical items in your passwordless assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedures and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application. -Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. 
+Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the latter, document the manufacturer and the version. Also, do not forget web-based applications or services when inventorying applications. #### Number of work personas Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona. A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc.), within a specific department to a collection of applications used. There is a high probability that you will have many work personas. These work personas will become units of work, and you will refer to them in documentation and in meetings. You need to give them a name. -Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. +Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. 
If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. #### Organization's IT structure -IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to being passwordless will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to being passwordless. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. +IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. #### Assess your Organization -You have a ton of information. 
You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what? +You have a ton of information. You have created your work personas, you have identified your stakeholders throughout the different IT groups. Now what? -By now you can see why it's a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it's a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. +By now you can see why it is a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you have identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple - meaning a solution already exists in the environment and it is only a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project which must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. 
This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity. -How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will: +How long does it take to become passwordless? The answer is "it depends". It depends on the organizational alignment of a passwordless strategy. Top-down agreement that a passwordless environment is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement, as a priority within the ranks of other on-going IT projects, helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the passwordless effort. The organization allocates resources based on the priority (after they have agreed on the strategy). 
Those resources will: - work through the work personas - organize and deploy user acceptance testing - evaluate user acceptance testing results for user-visible password surfaces 
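Review bot: two grammar slips survive in the rewritten "+" lines of the "By now you can see why it is a journey" paragraph: "Resolving some password surfaces are simple" should read "is simple", and "Resolution to some passwords surfaces" should read "password surfaces". In the next paragraph, "Easier conversations means less time" should be "mean". Since these lines are already being touched, fix them in the same pass rather than in follow-up commits.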
@@ -99,26 +99,26 @@ How long does it take to become passwordless? The answer is "it depends". It de - perform user acceptance testing to confirm that the solution mitigates the user-visible password surface - repeat the testing as needed -Your organization's journey to being passwordless may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. +Your organization's journey to password freedom may take some time. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go passwordless today is *n*, then it is likely that to go passwordless tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to a passwordless state. ### Where to start? -What is the best guidance for kicking off the passwordless journey? 
You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. +What is the best guidance for kicking off the journey to password freedom? You will want to show your management a proof of concept as soon as possible. Ideally, you want to show this at each step of your passwordless journey. Keeping your passwordless strategy top of mind and showing consistent progress keeps everyone focused. #### Work persona -You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the passwordless steps. +You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the steps to password freedom. > [!IMPORTANT] > Avoid using any work personas from your IT department. This is probably the worst way to start the passwordless journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey. -Review your collection of work personas. 
Early in your passwordless journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. +Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of targeted work persona. -You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your journey to being passwordless is always a good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your timeline. +You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. ## The Process -The journey to being passwordless is to take each work persona through each passwordless step. 
In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: +The journey to password freedom is to take each work persona through each step of the process. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like this: 1. Passwordless replacement offering (Step 1) 1. Identify test users representing the targeted work persona. 
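Review bot: the terminology change is applied unevenly in this hunk: "journey to password freedom" replaces "journey to being passwordless", yet the same "+" line keeps "each step of your passwordless journey" and "your passwordless strategy". If "password freedom" is the intended term, settle on one phrase for the journey and apply it throughout the file; if both are acceptable, say so in the commit message so later editors do not flip-flop. Also, "depending on the complexity of targeted work persona" in the proof-of-concept paragraph is missing "the".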
@@ -136,13 +136,13 @@ The journey to being passwordless is to take each work persona through each pass 3. Validate that **none of the users** of the work personas need passwords. 4. Configure user accounts to disallow password authentication. -After successfully moving a work persona to being passwordless, you can prioritize the remaining work personas, and repeat the process. +After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process. ### Passwordless replacement offering (Step 1) The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory. #### Identify test users that represent the targeted work persona -A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. +A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process. #### Deploy Windows Hello for Business to test users Next, you will want to plan your Windows Hello for Business deployment. 
Your test users will need an alternative way to sign-in during step 2 of the journey to becoming passwordless. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learning which deployment is best suited for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business. 
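Review bot: the unchanged context line "Use the Windows Hello for Business Planning Guide to help learning which deployment is best suited for your environment" is awkward; suggest "to help you learn which deployment". In the same line, "an alternative way to sign-in" uses the noun form as a verb; "sign in" is the verb. Both sit in the paragraph this hunk already edits.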
@@ -158,14 +158,14 @@ In this first step, passwords and Windows Hello for Business must coexist. You w ### Reduce User-visible Password Surface (Step 2) Before you move to step 2, ensure you have: - selected your targeted work persona. -- identified your test users that represented the targeted work persona. +- identified your test users who represent the targeted work persona. - deployed Windows Hello for Business to test users. - validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. -Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is: +Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: - What is the name of the application that asked for a password?. - Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?). - What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.). 
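Review bot: the context line just after the "Before you move to step 2" list, "This information is important as your further your progress through step 2", has "your" where "you" is meant, and the first question in the trailing list ends with "?." (stray period). Both are in the paragraph this hunk rewrites, so they can be fixed here rather than in separate one-line commits.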
@@ -231,7 +231,7 @@ This is the big moment. You have identified password usage, developed solutions Congratulations! You are ready to transition one or more portions of your organization to a passwordless deployment. You have validated that the targeted work persona is ready to go where the user no longer needs to know or use their password. You are just a few steps away from declaring success. #### Awareness and user education -In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of being passwordless. Before you do this, you want to invest in an awareness campaign. +In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password freedom. Before you do this, you want to invest in an awareness campaign. An awareness campaign introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide with user education, where you can show the users the changes and, if your environment allows, enable the users to try out the experience. From e109dd02a04562e5b10f4da6311c0b4421e1f378 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:23:46 +0200 Subject: [PATCH 082/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - single semantic addition ("the") in line 115 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index d448e47f84..903207c8a6 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -112,7 +112,7 @@ You begin with your work personas. These were part of your preparation process. Review your collection of work personas. Early in your passwordless journey, identify personas with the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot. -Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of targeted work persona. +Most organizations host their proof of concept in a test lab or environment. To do that with a password-free strategy may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could take a few days or several weeks, depending on the complexity of the targeted work persona. You will want to balance lab testing with providing results to management quickly. Continuing to show forward progress on your journey to password freedom is always a good thing. If there are ways you can test in production with low or no risk, it may be advantageous to your timeline. From 428824d490176d67ffa6835a5fb0a27fb42e3e00 Mon Sep 17 00:00:00 2001 
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:24:42 +0200 Subject: [PATCH 083/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "your => you" typo correction in line 166 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 903207c8a6..aa86612a39 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -163,7 +163,7 @@ Before you move to step 2, ensure you have: - validated passwords and Windows Hello for Business both work for the test users. #### Survey test user workflow for password usage -Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2. +Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as you further your progress through step 2. Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simple task: Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is to ask yourself the following set of questions: - What is the name of the application that asked for a password?. 
From 399dde0af66b31c438cae7bf01197087a4de6de1 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:25:25 +0200 Subject: [PATCH 084/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "its => it is" correction in line 180 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index aa86612a39..522e711308 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -177,7 +177,7 @@ Some organizations will empower their users to write this information while some #### Identify password usage and plan, develop, and deploy password mitigations Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password. -Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. +Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If it is policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password. Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they are low percentage scenarios. Remember to include scenarios like: - Provisioning a new brand new user without a password. From cba2d309655b6562e7cd0fa565e72149a90599cd Mon Sep 17 00:00:00 2001 
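Review bot: the trailing context line "- Provisioning a new brand new user without a password." has a duplicated word; "Provisioning a brand new user" is intended. Also in the rewritten line, "Include relevant, but accurate details" reads better without the comma ("relevant but accurate details").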
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:25:59 +0200 Subject: [PATCH 085/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - punctuation (comma) correction in line 186 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 522e711308..d8550c51dd 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -183,7 +183,7 @@ Keep in mind your test users will not uncover all scenarios. Some scenarios you - Provisioning a new brand new user without a password. - Users who forget the PIN or other remediation flows when the strong credential is unusable. -Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. +Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy, or you can begin with workflows that need technical solutions - whichever of the two is easier or quicker. This will certainly vary by organization. Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. From 621092136c770a03f790fe60f286e13192397b35 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:27:05 +0200 Subject: [PATCH 086/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - grammar & typo correction in line 190 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index d8550c51dd..1448ed5051 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -187,7 +187,7 @@ Next, review your master list of scenarios. You can start with the workflows tha Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. An overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed, either infrastructure or code changes, the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded. -Mitigating password usage with applications is one or the more challenging obstacle in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). +Mitigating password usage with applications is one of the more challenging obstacles in the passwordless journey. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS). The ideal mitigation for applications that prompt the user for a password is to enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases. From 053573452deae36adaf5d466aed84068377c3cef Mon Sep 17 00:00:00 2001 
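Review bot: the "+" line in this hunk fixes "one of the more challenging obstacles" but leaves the second sentence broken: "then you are in better shape the common-off-the-shelf software (COTS)" is missing "than", and "common-off-the-shelf" contradicts the file's own earlier definition of COTS as "commercially available off-the-shelf". Suggest "then you are in better shape than with commercial off-the-shelf (COTS) software". In the trailing context, "Work with the applications vendors" should be "application vendors".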
From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:28:04 +0200 Subject: [PATCH 087/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - singular/plural correction (setting) in line 219 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1448ed5051..1b6ed949d7 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -216,7 +216,7 @@ The policy name for these operating systems is **Interactive logon: Require Wind When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card. #### Excluding the password credential provider -You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon** +You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > Logon** ![HideCredProvPolicy](images/passwordless/00-hidecredprov.png) The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**. 
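Review bot: the rewritten line in the "Excluding the password credential provider" hunk has no terminal punctuation after `**Computer Configuration > Policies > Administrative Templates > Logon**`; add a period so it matches the surrounding sentences.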
From a7d08cc1bc3166ec67d772b78a702235d6d5c744 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:33:09 +0200 Subject: [PATCH 088/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - "none" taking singular verb -- line 227 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 1b6ed949d7..480d0d5c10 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -224,7 +224,7 @@ The name of the policy setting is **Exclude credential providers**. The value to Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs. -#### Validate that none of the workflows need passwords +#### Validate that none of the workflows needs passwords This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a password. Users will be blocked if any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well. ### Transition into a passwordless deployment (Step 3) From 9768384a4c9fc43c3d8dee88527b310074a17129 Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Thu, 13 Jun 2019 18:34:09 +0200 Subject: [PATCH 089/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - addition of colon before a following list -- line 52 Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
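Review bot: the heading change to `#### Validate that none of the workflows needs passwords` is optional rather than a correction: "none" takes either a singular or a plural verb, and with a plural complement ("workflows") the plural "need" is standard. If the singular is kept, at least make the spelling consistent within the same hunk, where the body text uses "work flows" twice ("all the work flows of the targeted work persona", "those low percentage work flows") while the heading uses "workflows".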
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 480d0d5c10..c4eaab4612 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -49,7 +49,7 @@ Four steps to password freedom provides an overall view of how Microsoft envisio ### Prepare for the Journey The road to being passwordless is a journey. The duration of that journey varies for each organization. It is important for IT decision-makers to understand the criteria influencing the length of that journey. -The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the +The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size? One way to break down the size of the organization is by creating a summary of the: - Number of departments - Organization or department hierarchy - Number and type of applications and services From 0aaad1aaf624370d867380cbe8cb3ea317132cee Mon Sep 17 00:00:00 2001 From: "Trond B. Krokli" <38162891+illfated@users.noreply.github.com> Date: Tue, 2 Jul 2019 23:48:54 +0200 Subject: [PATCH 090/248] Update windows/security/identity-protection/hello-for-business/passwordless-strategy.md - remove 2 commas and substitute the last one with "and". --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index c4eaab4612..dad7dbf3f8 100644 
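Review bot: in the "Prepare for the Journey" hunk, adding a colon leaves a dangling article: `One way to break down the size of the organization is by creating a summary of the:`. Either drop "the" or complete the phrase, for example `creating a summary of the following:`, so the list that follows reads naturally.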
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md 
@@ -79,7 +79,7 @@ A work persona classifies a category of user, title or role (individual contribu Give your personas easy and intuitive names like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments, then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona. -Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software. +Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person who is in that department and who uses that specific software. #### Organization's IT structure IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password freedom will probably have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password freedom. Ensure there is a passwordless stakeholder on each of these teams, and that the effort is understood and funded. From a1cfdd776d2ba81e4bbba32079c30f5b859f37fd Mon Sep 17 00:00:00 2001 
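Review bot: the comma cleanup in the persona-naming hunk is fine; while touching this paragraph, the context line `you can use suffixes such as (I, II, Senior, etc.)` puts parentheses around the examples after "such as", which is redundant. Suggest `you can use suffixes such as I, II, or Senior`.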
From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Thu, 4 Jul 2019 11:38:05 +0200 Subject: [PATCH 091/248] Update waas-overview.md Added additional link. --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 787af15764..e1523a2e7f 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -145,7 +145,7 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements.](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements) The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. 
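Review bot: the new link in the LTSB note places the sentence's period inside the link text: `[Windows Processor Requirements.](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements)`. Move the period outside the closing bracket so it is not rendered as part of the link.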
From 5f59ccc20acedca416f9af20ecfcce9cd7d41428 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sun, 7 Jul 2019 13:26:09 +0200 Subject: [PATCH 092/248] Update windows/deployment/update/waas-overview.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index e1523a2e7f..0b135a319f 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
@@ -145,7 +145,7 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements.](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements) +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. 
These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. From 8ac9ffb2ca15db5e67cedfbd7e2abbf0acdae760 Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Sun, 7 Jul 2019 18:56:44 +0200 Subject: [PATCH 093/248] Update set-up-mdt-for-bitlocker.md Edits for clarity, adds note format, resolves https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4266 --- .../deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index f61b25241d..e0b049b416 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md 
@@ -136,12 +136,14 @@ cscript.exe SetConfig.vbs SecurityChip Active ``` ## Configure the Windows 10 task sequence to enable BitLocker -When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In this task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). In the following task sequence, we have added five actions: +When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). + +We added these five actions to the task sequence: - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. - **Note**   - It is common for organizations wrapping these tools in scripts to get additional logging and error handling. - + + > [!NOTE] + > It is common for organizations wrapping these tools in scripts to get additional logging and error handling. 
- **Restart computer.** Self-explanatory, reboots the computer. - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. - **Enable BitLocker.** Runs the built-in action to activate BitLocker. From 88960816c21441b15ad48bc2a67e8d43124047ed Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Sun, 7 Jul 2019 19:43:46 +0200 Subject: [PATCH 094/248] Update windows/deployment/update/waas-overview.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 0b135a319f..07acf89db8 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md 
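Review bot: in the set-up-mdt-for-bitlocker.md hunk, the text carried into the new `> [!NOTE]` block is ungrammatical: `It is common for organizations wrapping these tools in scripts to get additional logging and error handling.` should read `It is common for organizations to wrap these tools in scripts to get additional logging and error handling.` Also check that the indentation of the `> [!NOTE]` lines matches the content indentation of the "Configure BIOS for TPM" list item, otherwise the note renders outside the bullet.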
@@ -145,7 +145,7 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products) and [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information about Windows support for the latest processor and chipsets, see [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. 
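Review bot: this rewrite of the LTSB note removes the reference to the **Supporting the latest processor and chipsets on Windows** section of the Lifecycle support policy FAQ that the previous two commits had kept, and the commit message does not say why. If the FAQ section no longer exists, say so in the commit message; if it does, keep both links. Also, `the latest processor and chipsets` mixes singular and plural; suggest `the latest processors and chipsets`.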
From 69713821d072e07ab97c8347ec877effc64fd70e Mon Sep 17 00:00:00 2001 From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Sun, 7 Jul 2019 23:40:38 +0200 Subject: [PATCH 095/248] Update set-up-mdt-for-bitlocker.md Note clarified --- .../deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index e0b049b416..2d6089ad5e 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -143,7 +143,7 @@ We added these five actions to the task sequence: - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. > [!NOTE] - > It is common for organizations wrapping these tools in scripts to get additional logging and error handling. + > It is common for organizations to wrap these tools in scripts to get additional logging and error handling. - **Restart computer.** Self-explanatory, reboots the computer. - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script one more time. - **Enable BitLocker.** Runs the built-in action to activate BitLocker. From 240578799f5e72ade5587d58df31d8a2dd177a50 Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Tue, 9 Jul 2019 11:38:41 -0400 Subject: [PATCH 096/248] Acronym Expansion For Clearer Translation https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4270 --- .../update/waas-delivery-optimization-reference.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 415928e9ba..652a143a93 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
@@ -106,7 +106,7 @@ Download mode dictates which download sources clients are allowed to use when do | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and AD DS sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | +| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. 
You can use GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | 
@@ -116,7 +116,7 @@ Download mode dictates which download sources clients are allowed to use when do ### Group ID -By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and AD DS site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or AD DS site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. +By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. [//]: # (SCCM Boundary Group option; GroupID Source policy) 
@@ -128,7 +128,7 @@ By default, peer sharing on clients using the group download mode is limited to ### Select the source of Group IDs Starting in Windows 10, version 1803, set this policy to restrict peer selection to a specific source. The options are: - 0 = not set -- 1 = AD Site +- 1 = Authenticated Domain Site - 2 = Authenticated domain SID - 3 = DHCP Option ID (with this option, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID) - 4 = DNS Suffix From 37683cf7aea19fd50433d8f48cf376e211645e7b Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Tue, 9 Jul 2019 12:06:53 -0400 Subject: [PATCH 097/248] Adding Note Of Recent Changes https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4085 --- .../hello-for-business/hello-key-trust-validate-deploy-mfa.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md index 732aada2b0..1eecb7cf9f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md @@ -18,6 +18,9 @@ ms.reviewer: --- # Validate and Deploy Multifactor Authentication Services (MFA) +> [!IMPORTANT] +> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual. + **Applies to** - Windows 10, version 1703 or later - On-premises deployment From 2a7393b19ae320ba608d4d7c27e01ffa57242541 Mon Sep 17 00:00:00 2001 
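Review bot: in the waas-delivery-optimization-reference.md download-mode table hunk, the Group (2) row is being rewritten anyway, so fix the grammar slips on the same line: `You can use GroupID option` should be `You can use the GroupID option`, and `take advantage of other method to create groups dynamically` should be `other methods`. The row also still defines the abbreviation in `Active Directory Domain Services (AD DS) site` and then spells the name out later in the same cell; if the goal is to drop the acronym for translation, remove `(AD DS)` as well.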
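Review bot: in the "Select the source of Group IDs" hunk, `- 1 = Authenticated Domain Site` changes the meaning rather than expanding the acronym: "AD Site" is an Active Directory site, which is the term the Group ID section of this same patch uses (`the same domain and Active Directory Domain Services site in Windows 10, version 1607`). Suggest `- 1 = Active Directory site` (or `Active Directory Domain Services site` for consistency with that section).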
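Review bot: the new `> [!IMPORTANT]` block in hello-key-trust-validate-deploy-mfa.md states a dated policy change (`As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments`) without a link to the announcement it is taken from; add the source link so readers and future editors can verify it. Minor: the block writes `multi-factor authentication` while the H1 above it uses `Multifactor Authentication`; pick one spelling for the generic term (the product name `Azure Multi-Factor Authentication` stays as is).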
From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Wed, 10 Jul 2019 15:32:27 +0200 Subject: [PATCH 098/248] Update remove-provisioned-apps-during-update.md Added apps. --- .../remove-provisioned-apps-during-update.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/application-management/remove-provisioned-apps-during-update.md b/windows/application-management/remove-provisioned-apps-during-update.md index 371e401c1a..a828991d9d 100644 --- a/windows/application-management/remove-provisioned-apps-during-update.md +++ b/windows/application-management/remove-provisioned-apps-during-update.md @@ -162,9 +162,13 @@ Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneMusic_8wekyb3d8bbwe] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.ZuneVideo_8wekyb3d8bbwe] -``` +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.3DBuilder_8wekyb3d8bbwe] +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.HEVCVideoExtension_8wekyb3d8bbwe] + +[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\Deprovisioned\Microsoft.Messaging_8wekyb3d8bbwe] +``` [Get-AppxPackage](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) [Get-AppxPackage -allusers](https://docs.microsoft.com/powershell/module/appx/get-appxpackage) From 33e13b0fde00ca8c57ebafe9a2d21a7645a80752 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 12 Jul 2019 11:53:02 +0500 Subject: [PATCH 099/248] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
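Review bot: in the remove-provisioned-apps-during-update.md hunk, the added registry keys are spaced inconsistently: `Microsoft.3DBuilder_8wekyb3d8bbwe` and `Microsoft.HEVCVideoExtension_8wekyb3d8bbwe` are adjacent, but a blank line precedes `Microsoft.Messaging_8wekyb3d8bbwe`. Use the same separation as the existing entries. The commit message "Added apps." should also say which Windows releases provision these packages, since that is what justifies listing them.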
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 960a7fb0ca..3e059d2d47 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -111,15 +111,16 @@ They could also choose to create a catalog that captures information about the u Beginning with Windows 10 version 1903, Windows Defender Application Control (WDAC) policies can contain path-based rules. -- New-CIPolicy parameters +- New-CIPolicy parameter - FilePath: create path rules under path \ for anything not user-writeable (at the individual file level) ```powershell - New-CIPolicy -f .\mypolicy.xml -l FilePath -s -u + New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath -UserPEs ``` Optionally, add -UserWriteablePaths to ignore user writeability - + +- New-CIPolicyRule parameter - FilePathRule: create a rule where filepath string is directly set to value of \ ```powershell @@ -134,7 +135,7 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD $rules = New-CIPolicyRule … $rules += New-CIPolicyRule … … - New-CIPolicyRule -f .\mypolicy.xml -u + New-CIPolicyRule -FilePath .\mypolicy.xml -UserPEs ``` - Wildcards supported @@ -149,6 +150,6 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD - Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: ```powershell - Set-RuleOption -o 18 .\policy.xml + Set-RuleOption -Option 18 .\policy.xml ``` From bb8cbe683de5601a10b98b411c6257eb6e3cefe7 Mon Sep 17 00:00:00 2001 
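Review bot: in the first select-types-of-rules-to-create.md hunk, the example `New-CIPolicy -FilePath .\mypolicy.xml -Level FileName -ScanPath -UserPEs` no longer matches the bullet it illustrates, which is about `FilePath` rules (the removed line used `-l FilePath`); `FileName` is a different rule level, so this should be `-Level FilePath`. In the same command `-ScanPath` is given no argument, and the bullet text `create path rules under path \ for anything` likewise shows no placeholder; put a visible placeholder such as `<path>` in both places, inside code formatting so the angle brackets survive rendering.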
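Review bot: in the second hunk, `New-CIPolicyRule -FilePath .\mypolicy.xml -UserPEs` still calls the rule-creation cmdlet to write the policy file, and the `$rules` array built on the preceding lines is never passed anywhere. The cmdlet that emits a policy from collected rules is `New-CIPolicy`, so this should be `New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs`.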
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 12 Jul 2019 12:00:14 +0500 Subject: [PATCH 100/248] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 3e059d2d47..a040c9fc58 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -135,7 +135,7 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD $rules = New-CIPolicyRule … $rules += New-CIPolicyRule … … - New-CIPolicyRule -FilePath .\mypolicy.xml -UserPEs + New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs ``` - Wildcards supported From 680646be9ae7e8d6167977154c12d978dd401de9 Mon Sep 17 00:00:00 2001 
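Review bot: this hunk corrects the preceding patch's `New-CIPolicyRule -FilePath ... -UserPEs` line to `New-CIPolicy -FilePath .\mypolicy.xml -Rules $rules -UserPEs`, which is the right cmdlet and parameter for merging an array of rule objects into a policy. The example is still not runnable as shown, though: the `$rules = New-CIPolicyRule …` and `$rules += New-CIPolicyRule …` lines carry no arguments, so each should show the `-FilePathRule` parameter introduced in the bullet just above it for a reader to be able to copy the sequence.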
From: Nick Schonning Date: Fri, 12 Jul 2019 16:46:03 -0400 Subject: [PATCH 101/248] fix: MD037/no-space-in-emphasis Spaces inside emphasis markers --- mdop/appv-v4/app-v-45-sp2-release-notes.md | 4 ++-- ...nly-cache-on-the-app-v-client--rds--sp1.md | 2 +- ...ad-only-cache-on-the-app-v-client--vdi-.md | 2 +- ...ion-46-service-pack-2-privacy-statement.md | 24 +++++++++---------- mdop/appv-v4/planning-for-client-security.md | 4 ++-- .../security-and-protection-overview.md | 2 +- .../how-to-configure-image-pre-staging.md | 12 +++++----- .../get-started-with-ue-v-2x-new-uevv2.md | 2 +- .../mdm/policy-csp-applicationmanagement.md | 2 +- .../mdm/policy-csp-internetexplorer.md | 4 ++-- .../mdm/policy-csp-remotemanagement.md | 2 +- .../mdm/policy-csp-system.md | 4 ++-- .../troubleshoot-inaccessible-boot-device.md | 2 +- .../access-control/security-identifiers.md | 4 ++-- .../hello-for-business/hello-features.md | 2 +- .../threat-protection/auditing/event-4612.md | 4 ++-- .../threat-protection/auditing/event-4615.md | 2 +- .../threat-protection/auditing/event-4624.md | 2 +- .../threat-protection/auditing/event-4670.md | 2 +- .../threat-protection/auditing/event-4688.md | 2 +- .../threat-protection/auditing/event-4704.md | 2 +- .../threat-protection/auditing/event-4705.md | 2 +- .../threat-protection/auditing/event-4715.md | 2 +- .../threat-protection/auditing/event-4717.md | 2 +- .../threat-protection/auditing/event-4718.md | 2 +- .../threat-protection/auditing/event-4738.md | 2 +- .../threat-protection/auditing/event-4742.md | 2 +- .../threat-protection/auditing/event-4817.md | 4 ++-- .../threat-protection/auditing/event-4864.md | 2 +- .../threat-protection/auditing/event-4907.md | 2 +- .../threat-protection/auditing/event-4911.md | 2 +- .../threat-protection/auditing/event-4913.md | 2 +- .../threat-protection/auditing/event-5143.md | 2 +- .../threat-protection/auditing/event-5145.md | 2 +- .../threat-protection/auditing/event-5150.md | 2 +- 
.../threat-protection/auditing/event-5151.md | 2 +- .../threat-protection/auditing/event-6400.md | 2 +- .../threat-protection/auditing/event-6401.md | 2 +- .../threat-protection/auditing/event-6402.md | 2 +- .../threat-protection/auditing/event-6403.md | 2 +- .../threat-protection/auditing/event-6404.md | 2 +- .../threat-protection/auditing/event-6409.md | 2 +- .../get-user-related-alerts.md | 2 +- .../get-user-related-machines.md | 2 +- ...dit-the-access-of-global-system-objects.md | 2 +- ...-connections-windows-defender-antivirus.md | 6 ++--- .../using-event-viewer-with-applocker.md | 8 +++---- .../working-with-applocker-policies.md | 2 +- 48 files changed, 76 insertions(+), 76 deletions(-) diff --git a/mdop/appv-v4/app-v-45-sp2-release-notes.md b/mdop/appv-v4/app-v-45-sp2-release-notes.md index dc5d8fafe0..881c7d1187 100644 --- a/mdop/appv-v4/app-v-45-sp2-release-notes.md +++ b/mdop/appv-v4/app-v-45-sp2-release-notes.md 
@@ -73,11 +73,11 @@ When this has been completed, install the App-V 4.5 SP2 Clients by using Setup.m When installing Microsoft Application Error Reporting, use the following command if you are installing or upgrading to the App-V 4.5 SP2 Desktop Client: -**    msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** +**msiexec /i dw20shared.msi APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}  allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** Alternatively, if you are installing or upgrading to the App-V 4.5 SP2 Client for Remote Desktop Services (formerly Terminal Services), use the following command: -**    msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** +**msiexec /i dw20shared.msi APPGUID={ECF80BBA-CA07-4A74-9ED6-E064F38AF1F5} allusers=1 reboot=suppress REINSTALL=all REINSTALLMODE=vomus** **Note**   - The APPGUID parameter references the product code of the App-V Clients that you install or upgrade. The product code is unique for each Setup.msi. You can use the Orca Database Editor or a similar tool to examine Windows Installer files and determine the product code. This step is required for all installations or upgrades to App-V 4.5 SP2. diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md index 801b2d13bc..130a3ba1eb 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--rds--sp1.md 
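Review bot: in the app-v-45-sp2-release-notes.md hunk, the leading non-breaking spaces are removed but the first msiexec command keeps a run of whitespace between `APPGUID={C6FC75B9-7D86-4C44-8BDB-EAFE1F0E200D}` and `allusers=1` that the second command does not have. If that is the same non-breaking-space residue, a pasted command hands msiexec the GUID and `allusers=1` as one argument, since U+00A0 is not an argument separator; normalize it to a single ordinary space while touching these lines.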
@@ -156,7 +156,7 @@ Instead of changing the AppFS key FILENAME value every time that a new cache fil 3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled. - **     fsutil behavior set SymlinkEvaluation R2R:1** + **fsutil behavior set SymlinkEvaluation R2R:1** **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. diff --git a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md index 2ee211e811..ab53e737d0 100644 --- a/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md +++ b/mdop/appv-v4/how-to-configure-a-read-only-cache-on-the-app-v-client--vdi-.md @@ -167,7 +167,7 @@ Instead of modifying the AppFS key FILENAME value every time that a new cache fi 3. On the VDI Master VM Image, open a Command Prompt window by using the **Run as administrator** option and grant remote link permissions so that the VM can access the symbolic link on the VDI Host operating system. By default, remote link permissions are disabled. - **     fsutil behavior set SymlinkEvaluation R2R:1** + **fsutil behavior set SymlinkEvaluation R2R:1** **Note**   On the storage server, appropriate link permissions must be enabled. Depending on the location of link and the Sftfs.fsd file, the permissions are **L2L:1** or **L2R:1** or **R2L:1** or **R2R:1**. diff --git a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md index f7ffd9de24..11b0ee223a 100644 
--- a/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md +++ b/mdop/appv-v4/microsoft-application-virtualization-46-service-pack-2-privacy-statement.md @@ -76,7 +76,7 @@ This section is divided into two parts: (1) features in all versions of App-V an Microsoft Error Reporting provides a service that allows you to report problems you may be having with App-V to Microsoft and to receive information that may help you avoid or solve such problems. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** For information about the information collected, processed, or transmitted by Microsoft Error Reporting, see the Microsoft Error Reporting privacy statement at . @@ -84,7 +84,7 @@ For information about the information collected, processed, or transmitted by Mi We use the error reporting data to solve customer problems and improve our software and services. -**Choice/Control: ** +**Choice/Control:** App-V does not change your Microsoft Error Reporting settings. If you previously turned on error reporting, it will send Microsoft the information about the errors you encountered. When Microsoft needs additional data to analyze the problem, you will be prompted to review the data and choose whether or not to send it.  App-V will always respect your Microsoft Error Reporting settings. 
@@ -98,7 +98,7 @@ Enterprise customers can use Group Policy to configure how Microsoft Error Repor Microsoft Update is a service that provides Windows updates as well as updates for other Microsoft software, including App-V.  For details about what information is collected, how it is used and how to change your settings, see the Update Services Privacy Statement at . -**Choice/Control: ** +**Choice/Control:** If Microsoft Update is not enabled, you can opt-in during setup and subsequent checks for updates will follow the machine-wide schedule. You can update this option from the Microsoft Update Control Panel item. @@ -108,7 +108,7 @@ If Microsoft Update is not enabled, you can opt-in during setup and subsequent c The product will collect various configuration items, including UserID, MachineID and SecurityGroup details, to be able to enforce settings on managed nodes. The data is stored in the App-V SQL database and transmitted across the App-V server and client components to enforce the configuration on the managed node. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** User and machine information and configuration content @@ -116,7 +116,7 @@ User and machine information and configuration content The information is used to enforce the application access configuration on the managed nodes within the enterprise. The information does not leave the enterprise. -**Choice/Control: ** +**Choice/Control:** By default, the product does not have any data. All data is entered and enabled by the admin and can be viewed in the Management console. The feature cannot be disabled as this is the product functionality. To disable this, App-V will need to be uninstalled. 
@@ -130,7 +130,7 @@ None of this information is sent out of the enterprise. It captures package history and asset information as part of the package. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Information about the package and the sequencing environment is collected and stored in the package manifest during sequencing. @@ -138,7 +138,7 @@ Information about the package and the sequencing environment is collected and st The information will be used by the admin to track the updates done to a package during its lifecycle. It will also be used by software deployment systems to track the package deployments within the organization. -**Choice/Control: ** +**Choice/Control:** This feature is always enabled and cannot be turned off. @@ -152,7 +152,7 @@ This administrator information will be stored in the package and can be viewed b The product will collect a variety of reporting data points, including the username, to allow reporting on the usage of the product. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Information about the machine, package and application usage are collected from every machine that reporting is enabled on. @@ -160,7 +160,7 @@ Information about the machine, package and application usage are collected from The information is used to report on application usage within the enterprise. The information does not leave the enterprise. -**Choice/Control: ** +**Choice/Control:** By default, the product does not have any data. Data is only collected once the reporting feature is enabled on the App-V Client. To disable the collection of reporting data, the reporting feature must be disabled on all clients. 
@@ -178,7 +178,7 @@ This section addresses specific features available in App-V 4.6 SP1 and later. The Customer Experience Improvement Program (“CEIP”) collects basic information about your hardware configuration and how you use our software and services in order to identify trends and usage patterns. CEIP also collects the type and number of errors you encounter, software and hardware performance, and the speed of services. We will not collect your name, address, or other contact information. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** For more information about the information collected, processed, or transmitted by CEIP, see the CEIP privacy statement at . @@ -186,7 +186,7 @@ For more information about the information collected, processed, or transmitted We use this information to improve the quality, reliability, and performance of Microsoft software and services. -**Choice/Control: ** +**Choice/Control:** CEIP is optional and the opt-in status can be updated during install or post install from the GUI.   @@ -196,7 +196,7 @@ CEIP is optional and the opt-in status can be updated during install or post ins Customers can use Application Package Accelerators to automatically package complex applications without installing the application. The App-V sequencer allows you to create package accelerators for each virtual package. You can then use these package accelerators to automatically re-create the same virtual package in the future. You may also use package accelerators released by Microsoft or other third parties to simplify and automate packaging of complex applications. -**Information Collected, Processed, or Transmitted: ** +**Information Collected, Processed, or Transmitted:** Application Package Accelerators may contain information such as computer names, user account information, and information about applications included in the Package Accelerator file. 
diff --git a/mdop/appv-v4/planning-for-client-security.md b/mdop/appv-v4/planning-for-client-security.md index 6050d3895b..4d95a5a3b3 100644 --- a/mdop/appv-v4/planning-for-client-security.md +++ b/mdop/appv-v4/planning-for-client-security.md @@ -34,7 +34,7 @@ By default, at installation the App-V client is configured with the minimum perm By default, the installation of the client registers file type associations (FTAs) for OSD files, which enables users to start applications directly from OSD files instead of the published shortcuts. If a user with local administrator rights receives an OSD file containing malicious code, either in e-mail or downloaded from a Web site, the user can open the OSD file and start the application even if the client has been set to restrict the **Add Application** permission. You can unregister the FTAs for the OSD to reduce this risk. Also, consider blocking this extension in the e-mail system and at the firewall. For more information about configuring Outlook to block extensions, see . -**Security Note:  ** +**Security Note:** Starting with App-V version 4.6, the file type association is no longer created for OSD files during a new installation of the client, although the existing settings will be maintained during an upgrade from version 4.2 or 4.5 of the App-V client. If for any reason it is essential to create the file type association, you can create the following registry keys and set their values as shown: 
@@ -50,7 +50,7 @@ During installation, you can use the **RequireAuthorizationIfCached** parameter Antivirus software running on an App-V Client computer can detect and report an infected file in the virtual environment. However, it cannot disinfect the file. If a virus is detected in the virtual environment, the antivirus software would perform the configured quarantine or repair operation in the cache, not in the actual package. Configure the antivirus software with an exception for the sftfs.fsd file. This file is the cache file that stores packages on the App-V Client. -**Security Note:  ** +**Security Note:** If a virus is detected in an application or package deployed in the production environment, replace the application or package with a virus-free version. diff --git a/mdop/appv-v4/security-and-protection-overview.md b/mdop/appv-v4/security-and-protection-overview.md index fc4bd7ab49..ccac6f1558 100644 --- a/mdop/appv-v4/security-and-protection-overview.md +++ b/mdop/appv-v4/security-and-protection-overview.md @@ -21,7 +21,7 @@ Microsoft Application Virtualization 4.5 provides the following enhanced securi - Application Virtualization now supports Transport Layer Security (TLS) using X.509 V3 certificates. Provided that a server certificate has been provisioned to the planned Application Virtualization Management or Streaming Server, the installation will default to secure, using the RTSPS protocol over port 322. Using RTSPS ensures that communication between the Application Virtualization Servers and the Application Virtualization Clients is signed and encrypted. If no certificate is assigned to the server during the Application Virtualization Server installation, the communication will be set to RTSP over port 554. - **Security Note:  ** + **Security Note:** To help provide a secure setup of the server, you must make sure that RTSP ports are disabled even if you have all packages configured to use RTSPS. 
diff --git a/mdop/medv-v1/how-to-configure-image-pre-staging.md b/mdop/medv-v1/how-to-configure-image-pre-staging.md index 5d736b92b9..36f12450ad 100644 --- a/mdop/medv-v1/how-to-configure-image-pre-staging.md +++ b/mdop/medv-v1/how-to-configure-image-pre-staging.md @@ -72,17 +72,17 @@ Image pre-staging is useful only for the initial image download. It is not suppo **NT AUTHORITY\\Authenticated Users:(OI)(CI)(special access:)** - **                                READ\_CONTROL** + **READ\_CONTROL** - **                                                                                SYNCHRONIZE** + **SYNCHRONIZE** - **                                                                                FILE\_GENERIC\_READ** + **FILE\_GENERIC\_READ** - **                                                                                                FILE\_READ\_DATA** + **FILE\_READ\_DATA** - **                                                                                FILE\_READ\_EA** + **FILE\_READ\_EA** - **                                                                                FILE\_READ\_ATTRIBUTES** + **FILE\_READ\_ATTRIBUTES** **NT AUTHORITY\\SYSTEM:(OI)(CI)F** diff --git a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md index a18ae22ef9..d918fb1b54 100644 --- a/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md +++ b/mdop/uev-v2/get-started-with-ue-v-2x-new-uevv2.md @@ -193,7 +193,7 @@ You’ll need to deploy a settings storage location, a standard network share wh -**Security Note:  ** +**Security Note:** If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: 
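Review bot: in the how-to-configure-image-pre-staging.md hunk, stripping the leading non-breaking spaces also removes the indentation that showed READ_CONTROL, SYNCHRONIZE, FILE_GENERIC_READ and the remaining rights as the expansion of the `(special access:)` entry for `NT AUTHORITY\Authenticated Users:(OI)(CI)`; flattened to the same level as the ACE lines, they now read like separate ACL entries alongside `NT AUTHORITY\SYSTEM:(OI)(CI)F`. Because this is cacls-style ACL tool output rather than prose, a fenced code block that preserves the original nesting would be a better fix than bold text, and it avoids the MD037 warning entirely.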
diff --git a/windows/client-management/mdm/policy-csp-applicationmanagement.md b/windows/client-management/mdm/policy-csp-applicationmanagement.md index 29d419c3dd..3adcbafde8 100644 --- a/windows/client-management/mdm/policy-csp-applicationmanagement.md +++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md @@ -537,7 +537,7 @@ Added in Windows 10, version 1607. Boolean value that disables the launch of al ADMX Info: -- GP English name: *Disable all apps from Microsoft Store * +- GP English name: *Disable all apps from Microsoft Store* - GP name: *DisableStoreApps* - GP path: *Windows Components/Store* - GP ADMX file name: *WindowsStore.admx* diff --git a/windows/client-management/mdm/policy-csp-internetexplorer.md b/windows/client-management/mdm/policy-csp-internetexplorer.md index 69b9a21645..0cb9a3b3d4 100644 --- a/windows/client-management/mdm/policy-csp-internetexplorer.md +++ b/windows/client-management/mdm/policy-csp-internetexplorer.md @@ -13428,7 +13428,7 @@ For more information, see "Outdated ActiveX Controls" in the Internet Explorer T ADMX Info: -- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer * +- GP English name: *Remove "Run this time" button for outdated ActiveX controls in Internet Explorer* - GP name: *VerMgmtDisableRunThisTime* - GP path: *Windows Components/Internet Explorer/Security Features/Add-on Management* - GP ADMX file name: *inetres.admx* @@ -16504,7 +16504,7 @@ Also, see the "Security zones: Do not allow users to change policies" policy. ADMX Info: -- GP English name: *Security Zones: Use only machine settings * +- GP English name: *Security Zones: Use only machine settings* - GP name: *Security_HKLM_only* - GP path: *Windows Components/Internet Explorer* - GP ADMX file name: *inetres.admx* diff --git a/windows/client-management/mdm/policy-csp-remotemanagement.md b/windows/client-management/mdm/policy-csp-remotemanagement.md index ba8a7d6310..f176045650 100644 
--- a/windows/client-management/mdm/policy-csp-remotemanagement.md +++ b/windows/client-management/mdm/policy-csp-remotemanagement.md @@ -365,7 +365,7 @@ If you disable or do not configure this policy setting, the WinRM service will n The service listens on the addresses specified by the IPv4 and IPv6 filters. The IPv4 filter specifies one or more ranges of IPv4 addresses, and the IPv6 filter specifies one or more ranges of IPv6addresses. If specified, the service enumerates the available IP addresses on the computer and uses only addresses that fall within one of the filter ranges. -You should use an asterisk (*) to indicate that the service listens on all available IP addresses on the computer. When * is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. +You should use an asterisk (\*) to indicate that the service listens on all available IP addresses on the computer. When \* is used, other ranges in the filter are ignored. If the filter is left blank, the service does not listen on any addresses. For example, if you want the service to listen only on IPv4 addresses, leave the IPv6 filter empty. diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 99b3c5e4f3..11e0ca009c 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1068,7 +1068,7 @@ If you disable or don't configure this policy setting, the Delete diagnostic dat ADMX Info: -- GP English name: *Disable deleting diagnostic data * +- GP English name: *Disable deleting diagnostic data* - GP name: *DisableDeviceDelete* - GP element: *DisableDeviceDelete* - GP path: *Data Collection and Preview Builds* 
@@ -1131,7 +1131,7 @@ If you disable or don't configure this policy setting, the Diagnostic Data Viewe ADMX Info: -- GP English name: *Disable diagnostic data viewer. * +- GP English name: *Disable diagnostic data viewer.* - GP name: *DisableDiagnosticDataViewer* - GP element: *DisableDiagnosticDataViewer* - GP path: *Data Collection and Preview Builds* diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index c82c69f352..de195c15da 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -171,7 +171,7 @@ Run the following command to verify the Windows update installation and dates: Dism /Image:: /Get-packages ``` -After you run this command, you will see the **Install pending** and **Uninstall Pending ** packages: +After you run this command, you will see the **Install pending** and **Uninstall Pending** packages: ![Dism output](images/pendingupdate.png) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index d8db3e63d2..c1d0c47fdc 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md 
@@ -194,9 +194,9 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.| | S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| | S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| -| S-1-5-5- *X *- *Y * | Logon Session| The *X * and *Y * values for these SIDs uniquely identify a particular logon session.| +| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| | S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.| -| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName *, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName * (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| +| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| | S-1-5-8| Proxy| Does not currently apply: this SID is not used.| | S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.| | S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index cc796078e6..edcd394519 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -147,7 +147,7 @@ To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 ### On-premises Deployments -** Requirements** +**Requirements** * Active Directory * On-premises Windows Hello for Business deployment * Reset from settings - Windows 10, version 1703, Professional diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md index 163c584492..2ca7cca35a 100644 
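Review bot: in the security-identifiers.md table hunk, removing the spaces inside the emphasis markers still leaves a space between the literal prefix and the italic placeholder, so `S-1-5-5- *X*-*Y*` renders as "S-1-5-5- X-Y" and `IUSR_ *ComputerName*` as "IUSR_ ComputerName", both of which misstate the identifier. Drop those spaces too (`S-1-5-5-*X*-*Y*`, `IUSR_*ComputerName*`) or, since these are identifiers, put them in code spans with an angle-bracket placeholder, which sidesteps emphasis parsing around the underscore altogether.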
--- a/windows/security/threat-protection/auditing/event-4612.md +++ b/windows/security/threat-protection/auditing/event-4612.md @@ -30,9 +30,9 @@ There is no example of this event in this document. ***Event Schema:*** -*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. * +*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.* -*Number of audit messages discarded: %1 * +*Number of audit messages discarded: %1* *This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.* diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md index be8925c8ba..9231f28b82 100644 --- a/windows/security/threat-protection/auditing/event-4615.md +++ b/windows/security/threat-protection/auditing/event-4615.md 
@@ -48,7 +48,7 @@ It appears that this event never occurs. *LPC Server Port Name:%6* -*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." * +*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSA’s use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel."* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md index f3c3ed088b..2ca7e8267c 100644 --- a/windows/security/threat-protection/auditing/event-4624.md +++ b/windows/security/threat-protection/auditing/event-4624.md @@ -138,7 +138,7 @@ This event generates when a logon session is created (on destination machine). I - **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.” -**Logon Information** \[Version 2\]**: ** +**Logon Information** \[Version 2\]**:** - **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field. diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md index 95a2dfe34f..45dcd000c9 100644 
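Review bot: in the event-4615.md hunk, the emphasis now closes correctly but the line still ends with a stray double quote (`channel."*`) that has no opening quote anywhere in the visible paragraph; drop it along with the space so the event description ends at `channel.`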
--- a/windows/security/threat-protection/auditing/event-4670.md +++ b/windows/security/threat-protection/auditing/event-4670.md @@ -142,7 +142,7 @@ Before this event can generate, certain ACEs might need to be set in the object - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md index 8e1fe42fab..94d84a85cf 100644 --- a/windows/security/threat-protection/auditing/event-4688.md +++ b/windows/security/threat-protection/auditing/event-4688.md @@ -151,7 +151,7 @@ This event generates every time a new process starts. - **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process. -- **Token Elevation Type** \[Type = UnicodeString\]**: ** +- **Token Elevation Type** \[Type = UnicodeString\]**:** - **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account. diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md index f9b06a7a3b..f78b83ef3c 100644 --- a/windows/security/threat-protection/auditing/event-4704.md +++ b/windows/security/threat-protection/auditing/event-4704.md 
@@ -99,7 +99,7 @@ You will see unique event for every user. - **Account Name** \[Type = SID\]: the SID of security principal for which user rights were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**New Right: ** +**New Right:** - **User Right** \[Type = UnicodeString\]: the list of assigned user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md index d009b73786..09c240e026 100644 --- a/windows/security/threat-protection/auditing/event-4705.md +++ b/windows/security/threat-protection/auditing/event-4705.md @@ -99,7 +99,7 @@ You will see unique event for every user. - **Account Name** \[Type = SID\]: the SID of security principal for which user rights were removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Removed Right: ** +**Removed Right:** - **User Right** \[Type = UnicodeString\]: the list of removed user rights. This event generates only for *user* rights, not logon rights. Here is the list of possible user rights: diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md index 38d46d5ace..c51f51c999 100644 --- a/windows/security/threat-protection/auditing/event-4715.md +++ b/windows/security/threat-protection/auditing/event-4715.md 
@@ -100,7 +100,7 @@ This event is always logged regardless of the "Audit Policy Change" sub-category - **New Security Descriptor** \[Type = UnicodeString\]**:** new Security Descriptor Definition Language (SDDL) value for the audit policy. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md index f04223bd5b..13f2c744aa 100644 --- a/windows/security/threat-protection/auditing/event-4717.md +++ b/windows/security/threat-protection/auditing/event-4717.md @@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were granted to mu - **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was granted. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Access Granted: ** +**Access Granted:** - **Access Right** \[Type = UnicodeString\]: the name of granted logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md index a86f9f5168..9bb398d835 100644 --- a/windows/security/threat-protection/auditing/event-4718.md +++ b/windows/security/threat-protection/auditing/event-4718.md 
@@ -99,7 +99,7 @@ You will see unique event for every user if logon user rights were removed for m - **Account Name** \[Type = SID\]: the SID of the security principal for which logon right was removed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. -**Access Removed: ** +**Access Removed:** - **Access Right** \[Type = UnicodeString\]: the name of removed logon right. This event generates only for [logon rights](https://technet.microsoft.com/library/cc728212(v=ws.10).aspx), which are as follows: diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md index 8597d956a6..faa3dcf853 100644 --- a/windows/security/threat-protection/auditing/event-4738.md +++ b/windows/security/threat-protection/auditing/event-4738.md @@ -266,7 +266,7 @@ For 4738(S): A user account was changed. |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Display Name**
**User Principal Name**
**Home Directory**
**Home Drive**
**Script Path**
**Profile Path**
**User Workstations**
**Password Last Set**
**Account Expires**
**Primary Group ID
Logon Hours** | We recommend monitoring all changes for these fields for critical domain and local accounts. | | **Primary Group ID** is not 513 | Typically, the **Primary Group** value is 513 for domain and local users. Other values should be monitored. | -| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| For user accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on user accounts that previously had a services list (on the **Delegation** tab), it means the list was cleared. | | **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | - Consider whether to track the following user account control flags: diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md index 22ae105d96..b39135ee00 100644 --- a/windows/security/threat-protection/auditing/event-4742.md +++ b/windows/security/threat-protection/auditing/event-4742.md @@ -276,7 +276,7 @@ For 4742(S): A computer account was changed. | **Display Name** is not -
**User Principal Name** is not -
**Home Directory** is not -
**Home Drive** is not -
**Script Path** is not -
**Profile Path** is not -
**User Workstations** is not -
**Account Expires** is not -
**Logon Hours** is not **-** | Typically these fields are **-** for computer accounts. Other values might indicate an anomaly and should be monitored. | | **Password Last Set** changes occur more often than usual | Changes that are more frequent than the default (typically once a month) might indicate an anomaly or attack. | | **Primary Group ID** is not 516, 521, or 515 | Typically, the **Primary Group ID** value is one of the following:
**516** for domain controllers
**521** for read only domain controllers (RODCs)
**515** for servers and workstations (domain computers)
Other values should be monitored. | -| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set> ** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | +| For computer accounts for which the services list (on the **Delegation** tab) should not be empty: **AllowedToDelegateTo** is marked **<value not set>** | If **AllowedToDelegateTo** is marked **<value not set>** on computers that previously had a services list (on the **Delegation** tab), it means the list was cleared. | | **SID History** is not - | This field will always be set to - unless the account was migrated from another domain. | - Consider whether to track the following account control flags: diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md index 74ffbb09b0..efdf01da8a 100644 --- a/windows/security/threat-protection/auditing/event-4817.md +++ b/windows/security/threat-protection/auditing/event-4817.md @@ -116,7 +116,7 @@ Separate events will be generated for “Registry” and “File system” polic | Job | Port | FilterConnectionPort | | | ALPC Port | Semaphore | Adapter | | -- **Object Name: ** +- **Object Name:** - Key – if “Registry” Global Object Access Auditing policy was changed. 
@@ -128,7 +128,7 @@ Separate events will be generated for “Registry” and “File system” polic - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the Global Object Access Auditing policy. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md index e62c824d10..62ced88fe8 100644 --- a/windows/security/threat-protection/auditing/event-4864.md +++ b/windows/security/threat-protection/auditing/event-4864.md @@ -44,7 +44,7 @@ There is no example of this event in this document. *Security ID:%7* -*New Flags:%8 * +*New Flags:%8* ***Required Server Roles:*** Active Directory domain controller. diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md index f74c140ce4..34454c6d14 100644 --- a/windows/security/threat-protection/auditing/event-4907.md +++ b/windows/security/threat-protection/auditing/event-4907.md @@ -159,7 +159,7 @@ This event doesn't generate for Active Directory objects. - **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: 
> diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md index cc73362f36..d385a72649 100644 --- a/windows/security/threat-protection/auditing/event-4911.md +++ b/windows/security/threat-protection/auditing/event-4911.md @@ -152,7 +152,7 @@ Resource attributes for file or folder can be changed, for example, using Window - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new resource attributes. See more information in **Resource Attributes\\Original Security Descriptor** field section for this event. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index f8dcd9f29b..3be7e9bec3 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md 
@@ -156,7 +156,7 @@ This event always generates, regardless of the object’s [SACL](https://msdn.mi - **New Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the new Central Policy ID (for the policy that has been applied to the object). See more information in **Central Policy ID\\Original Security Descriptor** field section for this event. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md index 81e6052b16..c7f46521ae 100644 --- a/windows/security/threat-protection/auditing/event-5143.md +++ b/windows/security/threat-protection/auditing/event-5143.md @@ -141,7 +141,7 @@ This event generates every time network share object was modified. - **New SD** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for network share security descriptor. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md index 696faaadce..f5ec73669e 100644 --- a/windows/security/threat-protection/auditing/event-5145.md +++ b/windows/security/threat-protection/auditing/event-5145.md 
@@ -177,7 +177,7 @@ REQUESTED\_ACCESS: RESULT ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS. - ACE\_WHICH\_ ALLOWED\_OR\_DENIED\_ACCESS: the Security Descriptor Definition Language (SDDL) value for Access Control Entry (ACE), which granted or denied access. -> **Note**  The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. +> **Note**  The **Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor. > > Example: > diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md index 4d84e4bb68..c1f8d98680 100644 --- a/windows/security/threat-protection/auditing/event-5150.md +++ b/windows/security/threat-protection/auditing/event-5150.md @@ -52,7 +52,7 @@ There is no example of this event in this document. > > *Layer Name:%9* > -> *Layer Run-Time ID:%10 * +> *Layer Run-Time ID:%10* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md index 25faaeb212..699a093def 100644 --- a/windows/security/threat-protection/auditing/event-5151.md +++ b/windows/security/threat-protection/auditing/event-5151.md @@ -52,7 +52,7 @@ There is no example of this event in this document. > > *Layer Name:%9* > -> *Layer Run-Time ID:%10 * +> *Layer Run-Time ID:%10* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md index d018fdee5e..7a379132bc 100644 --- a/windows/security/threat-protection/auditing/event-6400.md +++ b/windows/security/threat-protection/auditing/event-6400.md 
@@ -30,7 +30,7 @@ There is no example of this event in this document. *BranchCache: Received an incorrectly formatted response while discovering availability of content.* -*IP address of the client that sent this response:%1 * +*IP address of the client that sent this response:%1* ***Required Server Roles:*** None. diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md index 9f647bcec8..1ce4c083dd 100644 --- a/windows/security/threat-protection/auditing/event-6401.md +++ b/windows/security/threat-protection/auditing/event-6401.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: Received invalid data from a peer. Data discarded. * +*BranchCache: Received invalid data from a peer. Data discarded.* *IP address of the client that sent this data:%1* diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md index 5002d2167c..dde20455d3 100644 --- a/windows/security/threat-protection/auditing/event-6402.md +++ b/windows/security/threat-protection/auditing/event-6402.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: The message to the hosted cache offering it data is incorrectly formatted. * +*BranchCache: The message to the hosted cache offering it data is incorrectly formatted.* *IP address of the client that sent this message: %1* diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md index 29629cb6a7..e8020581ad 100644 --- a/windows/security/threat-protection/auditing/event-6403.md +++ b/windows/security/threat-protection/auditing/event-6403.md 
@@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data. * +*BranchCache: The hosted cache sent an incorrectly formatted response to the client’s message to offer it data.* *Domain name of the hosted cache is:%1* diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md index 0505b241b2..43228f26be 100644 --- a/windows/security/threat-protection/auditing/event-6404.md +++ b/windows/security/threat-protection/auditing/event-6404.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate. * +*BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.* *Domain name of the hosted cache:%1* diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md index 8f28ea3891..e1f76dbf69 100644 --- a/windows/security/threat-protection/auditing/event-6409.md +++ b/windows/security/threat-protection/auditing/event-6409.md @@ -28,7 +28,7 @@ There is no example of this event in this document. ***Event Schema:*** -*BranchCache: A service connection point object could not be parsed. * +*BranchCache: A service connection point object could not be parsed.* *SCP object GUID: %1* diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md index 2b5551a0bb..92bc4c7650 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-alerts.md 
@@ -44,7 +44,7 @@ Delegated (work or school account) | Alert.ReadWrite | 'Read and write alerts' GET /api/users/{id}/alerts ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts) ** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve alerts for user1@contoso.com use /api/users/user1/alerts)** ## Request headers diff --git a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md index 341c605bbb..ca042a7e99 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md +++ b/windows/security/threat-protection/microsoft-defender-atp/get-user-related-machines.md @@ -44,7 +44,7 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine GET /api/users/{id}/machines ``` -**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines) ** +**Note that the id is not the full UPN, but only the user name. (e.g., to retrieve machines for user1@contoso.com use /api/users/user1/machines)** ## Request headers diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 4fcca719b6..ef5a46869a 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md 
@@ -102,7 +102,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | 565 | Access was granted to an already existing object type. | | 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | | 569 | The resource manager in Authorization Manager attempted to create a client context. | -| 570 | A client attempted to access an object.
**Note: ** An event will be generated for every attempted operation on the object. | +| 570 | A client attempted to access an object.
**Note:** An event will be generated for every attempted operation on the object. | ## Security considerations diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md index c06a9f2d2f..c1445cd23f 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md 
@@ -54,10 +54,10 @@ As a cloud service, it is required that computers have access to the internet an | *Windows Defender Antivirus cloud-delivered protection service, also referred to as Microsoft Active Protection Service (MAPS)*|Used by Windows Defender Antivirus to provide cloud-delivered protection|*.wdcp.microsoft.com *.wdcpalt.microsoft.com *.wd.microsoft.com| | *Microsoft Update Service (MU)*| Security intelligence and product updates |*.update.microsoft.com| | *Security intelligence updates Alternate Download Location (ADL)*| Alternate location for Windows Defender Antivirus Security intelligence updates if the installed Security intelligence is out of date (7 or more days behind)| *.download.microsoft.com| -| *Malware submission storage *|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | +| *Malware submission storage*|Upload location for files submitted to Microsoft via the Submission form or automatic sample submission | ussus1eastprod.blob.core.windows.net ussus1westprod.blob.core.windows.net usseu1northprod.blob.core.windows.net usseu1westprod.blob.core.windows.net ussuk1southprod.blob.core.windows.net ussuk1westprod.blob.core.windows.net ussas1eastprod.blob.core.windows.net ussas1southeastprod.blob.core.windows.net ussau1eastprod.blob.core.windows.net ussau1southeastprod.blob.core.windows.net | | *Certificate Revocation List (CRL)* |Used by Windows when creating the SSL connection to MAPS for updating the CRL | http://www.microsoft.com/pkiops/crl/ http://www.microsoft.com/pkiops/certs 
http://crl.microsoft.com/pki/crl/products http://www.microsoft.com/pki/certs | -| *Symbol Store *|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | -| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: * vortex-win.data.microsoft.com * settings-win.data.microsoft.com| +| *Symbol Store*|Used by Windows Defender Antivirus to restore certain critical files during remediation flows | https://msdl.microsoft.com/download/symbols | +| *Universal Telemetry Client* | Used by Windows to send client diagnostic data; Windows Defender Antivirus uses this for product quality monitoring purposes | This update uses SSL (TCP Port 443) to download manifests and upload diagnostic data to Microsoft that uses the following DNS endpoints: *vortex-win.data.microsoft.com* settings-win.data.microsoft.com| ## Validate connections between your network and the cloud diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 6fa4d92a72..a3834e3625 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md 
@@ -50,11 +50,11 @@ The following table contains information about the events that you can use to de | 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules ** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. 
The .exe or .dll file cannot run.| | 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only ** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules ** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name> * is restricted by the administrator. Applied only when the **Enforce rules ** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| | 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index 8e77d3e330..d3c403d633 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -30,7 +30,7 @@ This topic for IT professionals provides links to procedural topics about creati | Topic | Description | | - | - | | [Configure the Application Identity service](configure-the-application-identity-service.md) | This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually.| -| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only ** within your IT environment by using AppLocker.| +| [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md) | This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker.| | [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md) | This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting.| | [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md) | This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app.| | [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md) | This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified.| From bd852f1b071700ed0186b4e668e2f7cea9298ec7 Mon Sep 17 00:00:00 2001 
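Review bot: In the event-4615.md hunk, the `+` line still ends with a stray closing quote before the italic marker (`...this communications channel."*`) although no opening quote exists anywhere in the sentence; since the line is already being touched to fix the trailing space, drop the `"` as well so the italic span reads `...this communications channel.*`.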
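Review bot: In the event-4738.md and event-4742.md hunks, `**<value not set>**` is left as a bare angle-bracket token inside a table cell, which a CommonMark renderer treats as an inline HTML tag and drops from the output, so the monitoring recommendation in both columns would render as "is marked" with nothing after it; escape it as `**&lt;value not set&gt;**` (or `**\<value not set\>**`) in the same edit.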
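Review bot: The Universal Telemetry Client row in the configure-network-connections-windows-defender-antivirus.md hunk changes meaning rather than just whitespace: `* vortex-win.data.microsoft.com * settings-win.data.microsoft.com` was two list-style endpoints, and the `+` line `*vortex-win.data.microsoft.com* settings-win.data.microsoft.com` turns the first endpoint into italic text and leaves the second unmarked. Separate the two endpoints with `<br>` instead, and consider escaping the leading asterisks of the wildcard domains in the MAPS row (`\*.wdcp.microsoft.com`) for the same reason, since unescaped `*` pairs in that cell will also be parsed as emphasis.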
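Review bot: The using-event-viewer-with-applocker.md hunk fixes `**Audit only **`, `**Enforce rules **` and `*<file name> *` but leaves `*<File name> *` untouched on the same 8003, 8004, 8006 and 8007 rows (and on the unchanged 8002 and 8005 rows), so those italics still will not render; apply the same trailing-space fix there, and because `<File name>` and `<file name>` are parsed as inline HTML tags, write them as `&lt;File name&gt;` so the placeholder is visible in the rendered table.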
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 15 Jul 2019 15:55:14 +0500 Subject: [PATCH 102/248] Updated script line There was typo in the script variable and has been fixed. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4084 --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 3fe994764f..641e5878eb 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -208,7 +208,7 @@ You can also disable Windows Defender Credential Guard by using the [Windows Def DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. #### Disable Windows Defender Credential Guard for a virtual machine From 7205ec071f061b5db00d2245357abbcdd43a5104 Mon Sep 17 00:00:00 2001 
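Review bot: the `+` line fixes `$OSAch` but keeps the leading asterisk in the "change from" snippet (`*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture`), so a reader searching the readiness script for a line starting with `*$OSArch` will not find it; drop the `*` in the same edit. The identical Important note appears in the Enable section of this file (around line 115) with the same two defects, and the two sections cite different tool versions (`DG_Readiness_Tool_v3.6.ps1 -Disable -AutoReboot` here versus `DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot` there); both notes should be corrected together and the version aligned so the two procedures do not drift.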
From: Rick Munck <33725928+jmunck@users.noreply.github.com> Date: Mon, 15 Jul 2019 13:29:40 -0700 Subject: [PATCH 103/248] Update security-compliance-toolkit-10.md Updated link for Security blog since we moved it --- .../threat-protection/security-compliance-toolkit-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index c2c3f86318..7036973802 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -49,7 +49,7 @@ The Security Compliance Toolkit consists of: - Local Group Policy Object (LGPO) tool -You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/). +You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](https://techcommunity.microsoft.com/t5/Microsoft-Security-Baselines/bg-p/Microsoft-Security-Baselines). ## What is the Policy Analyzer tool? From 203aefd3a2ab6064194d1da41978f44bb2b4cf2c Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Mon, 15 Jul 2019 16:31:24 -0500 Subject: [PATCH 104/248] Update windows/deployment/update/waas-delivery-optimization-reference.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
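Review bot: the new target is the Microsoft Security Baselines Tech Community page, but the link text still reads "Microsoft Security Guidance blog"; update the text to match the destination so readers are not left wondering whether they landed on the right site. It is also worth confirming that the retired blogs.technet.microsoft.com/secguide URL is referenced nowhere else in this file, since the diffstat shows only this one line changed.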
diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 652a143a93..164db3333a 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
@@ -106,7 +106,7 @@ Download mode dictates which download sources clients are allowed to use when do | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other method to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | +| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. 
You can use the GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other methods to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | From 6cab2580cfde0853323f131314004de39dc3ab1c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 16 Jul 2019 23:42:05 +0500 Subject: [PATCH 105/248] * was mistakenly there in the command Made a correction as * was mistakenly shown in the command. --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 641e5878eb..49f533818e 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md 
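Review bot: the reworded Group (2) row is shown here wrapped across two lines; a Markdown table ends a row at a newline, so confirm the cell is a single line in the file (the diffstat's "1 insertion(+), 1 deletion(-)" suggests it is). Since this table is being edited anyway, the LAN (1) context row has a subject/verb mismatch ("These clients then attempts to connect") that could be fixed in the same change.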
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -115,7 +115,7 @@ You can also enable Windows Defender Credential Guard by using the [Windows Defe DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `*$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. ### Review Windows Defender Credential Guard performance From f28e55c14725310c7f5ad92a83b3ced73f00e6c8 Mon Sep 17 00:00:00 2001 From: Brent Kendall Date: Tue, 16 Jul 2019 14:17:09 -0700 Subject: [PATCH 106/248] Made PKID instructions more accurate Previously, the requirements made it sound like the PKID should be entered into the SMBIOS, but it doesn't go there. So, I changed it to say the PKID (created by the OA3 Tool) should be submitted with the CBR report (not injected into the BIOS). --- .../windows-autopilot/autopilot-device-guidelines.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md index 2997787bd1..a081a6f68e 100644 --- a/windows/deployment/windows-autopilot/autopilot-device-guidelines.md +++ b/windows/deployment/windows-autopilot/autopilot-device-guidelines.md 
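Review bot: the `+` line removes the stray `*` but the replacement snippet still reads `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()`, which is the typo that PATCH 102 fixed in the Disable section at line 208; a reader who pastes this line as written sets `$OSAch` and leaves `$OSArch` untouched, so the workaround does nothing. Fix both halves of the sentence in one edit and keep this Enable-section note identical to the Disable-section one.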
@@ -28,8 +28,8 @@ All devices used with Windows Autopilot should meet the [minimum hardware requir The following additional best practices ensure that devices can easily be provisioned by organizations as part of the Windows Autopilot deployment process: - Ensure that the TPM 2.0 is enabled and in a good state (not in Reduced Functionality Mode) by default on devices intended for Windows Autopilot self-deploying mode. -- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) or PKID + SmbiosSystemSerialNumber into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h). -- The OEM uploads 4K Hardware Hashes obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner. +- The OEM provisions unique tuple info (SmbiosSystemManufacturer, SmbiosSystemProductName, SmbiosSystemSerialNumber) into the [SMBIOS fields](https://docs.microsoft.com/windows-hardware/drivers/bringup/smbios) per Microsoft specification (Manufacturer, Product Name and Serial Number stored in SMBIOS Type 1 04h, Type 1 05h and Type 1 07h). +- The OEM uploads 4K Hardware Hashes that include the Product Key IDs (PKIDs) obtained using OA3 Tool RS3+ run in Audit mode on full OS to Microsoft via CBR report prior to shipping devices to an Autopilot customer or channel partner. - As a best practice, Microsoft requires that OEM shipping drivers are published to Windows Update within 30 days of the CBR being submitted, and system firmware and driver updates are published to Windows Update within 14 days - The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel. From 9494a283428b4a784e68901afcda7f6a4faba351 Mon Sep 17 00:00:00 2001 
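Review bot: the last context bullet still says "The OEM ensures that the PKID provisioned in the SMBIOS is passed on to the channel", which contradicts the change made two bullets above (PKID removed from the SMBIOS tuple and moved into the CBR hardware-hash upload). Reword that bullet as well, otherwise the list keeps telling OEMs the PKID lives in SMBIOS.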
From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Tue, 16 Jul 2019 23:45:57 +0200 Subject: [PATCH 107/248] Update windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md index 2d6089ad5e..233354f110 100644 --- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md +++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md @@ -138,7 +138,7 @@ cscript.exe SetConfig.vbs SecurityChip Active When configuring a task sequence to run any BitLocker tool, either directly or using a custom script, it is helpful if you also add some logic to detect whether the BIOS is already configured on the machine. In the following task sequence, we are using a sample script (ZTICheckforTPM.wsf) from the Deployment Guys web page to check the status on the TPM chip. You can download this script from the Deployment Guys Blog post, [Check to see if the TPM is enabled](https://go.microsoft.com/fwlink/p/?LinkId=619549). -We added these five actions to the task sequence: +We have added these five actions to the task sequence: - **Check TPM Status.** Runs the ZTICheckforTPM.wsf script to determine if TPM is enabled. Depending on the status, the script will set the TPMEnabled and TPMActivated properties to either true or false. - **Configure BIOS for TPM.** Runs the vendor tools (in this case, HP, Dell, and Lenovo). To ensure this action is run only when necessary, add a condition so the action is run only when the TPM chip is not already activated. Use the properties from the ZTICheckforTPM.wsf. From ec4aacc9ca9313d97404aa4e4331f6af552ae8f9 Mon Sep 17 00:00:00 2001 
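Review bot: "We have added these five actions" is not an improvement on "We added these five actions"; the simple past was already correct and the present perfect adds nothing here, so this line could be left as it was.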
From: martyav Date: Wed, 17 Jul 2019 15:30:47 -0400 Subject: [PATCH 108/248] resolves #4409 --- .../wd-app-guard-overview.md | 66 +------------------ 1 file changed, 1 insertion(+), 65 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 4aadf6d205..bbec01b199 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -39,71 +39,7 @@ Application Guard has been created to target several types of systems: ## Frequently Asked Questions -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can I enable Application Guard on machines equipped with 4GB RAM? | -| **A:** | We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB. | -| | HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB. | - -
- - -| | | -|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can employees download documents from the Application Guard Edge session onto host devices? | -| **A:** | In Windows 10 Enterprise edition 1803, users will be able to download documents from the isolated Application Guard container to the host PC. This is managed by policy.

In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. | - -
- - -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Can employees copy and paste between the host device and the Application Guard Edge session? | -| **A:** | Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. | - -
- - -| | | -|--------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Why don't employees see their Favorites in the Application Guard Edge session? | -| **A:** | To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. | - -
- - -| | | -|--------|---------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | Why aren’t employees able to see their Extensions in the Application Guard Edge session? | -| **A:** | Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. | - -
- - -| | | -|--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? | -| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. | - -
- - -| | | -|--------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? | -| **A:** | This feature is currently experimental-only and is not functional without an additional regkey provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, please contact Microsoft and we’ll work with you to enable the feature. | - -
- - -| | | -|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Q:** | What is the WDAGUtilityAccount local account? | -| **A:** | This account is part of Application Guard beginning with Windows 10 version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware. | - -
+Please see [Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md) for common user-submitted questions. ## Related topics From 75ecca9636b52818499780cd723d6b397fc3ccbb Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 17 Jul 2019 17:31:56 -0500 Subject: [PATCH 109/248] Update and rename configure-mssp-support-windows-defender-advanced-threat-protection.md to configure-mssp-support.md --- ...rotection.md => configure-mssp-support.md} | 30 ++++++++----------- 1 file changed, 12 insertions(+), 18 deletions(-) rename windows/security/threat-protection/windows-defender-atp/{configure-mssp-support-windows-defender-advanced-threat-protection.md => configure-mssp-support.md} (92%) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md similarity index 92% rename from windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md rename to windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md index 738c8f0548..7cf8f93bca 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md 
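Review bot: the diffstat is "1 file changed, 1 insertion(+), 65 deletions(-)", so this commit deletes the FAQ content without adding anything to faq-wd-app-guard.md; before merging, confirm that page already carries the items removed here, in particular the `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount`, `SpecRequiredMemoryInGB` and `SpecRequiredFreeDiskSpaceInGB` override values, the IP-literal proxy guidance, and the WDAGUtilityAccount explanation (the last one is what defenders look up when that account shows up in an audit). Anything missing should be moved, not dropped.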
@@ -153,34 +153,28 @@ You'll need to create an application and grant it permissions to fetch alerts fr 2. Select **Azure Active Directory** > **App registrations**. -3. Click **New application registration**. +3. Click **New registration**. 4. Specify the following values: - Name: \ SIEM MSSP Connector (replace Tenant_name with the tenant display name) - - Application type: Web app / API - - Sign-on URL: `https://SiemMsspConnector` + - Supported account types: Account in this organizational directory only + - Redirect URI: Select Web and type `https:///SiemMsspConnector`(replace with the tenant name) -5. Click **Create**. The application is displayed in the list of applications you own. +5. Click **Register**. The application is displayed in the list of applications you own. -6. Select the application, then click **Settings** > **Properties**. +6. Select the application, then click **Overview**. -7. Copy the value from the **Application ID** field. +7. Copy the value from the **Application (client) ID** field to a safe place, you will need this on the next step. -8. Change the value in the **App ID URI** to: `https:///SiemMsspConnector` (replace \ with the tenant name. +8. Select **Certificate & secrets** in the new application panel. -9. Ensure that the **Multi-tenanted** field is set to **Yes**. - -10. In the **Settings** panel, select **Reply URLs** and add the following URL: `https://localhost:44300/wdatpconnector`. - -11. Click **Save**. - -12. Select **Keys** and specify the following values: +9. Click **New client secret**. - Description: Enter a description for the key. - Expires: Select **In 1 year** -13. Click **Save**. Save the value is a safe place, you'll need this +10. Click **Add**, copy the value of the client secret to a safe place, you will need this on the next step. ### Step 2: Get access and refresh tokens from your customer's tenant This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. 
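Review bot: "Supported account types: Account in this organizational directory only" replaces the removed "Ensure that the Multi-tenanted field is set to Yes", yet Step 2 still gets tokens "from your customer's tenant", which needs a multi-tenant registration ("Accounts in any organizational directory"); as written, the customer tenant cannot consent to the app and the flow fails. The `<Tenant_name>` placeholders have also been swallowed by the renderer in the added lines (`Name: \ SIEM MSSP Connector`, `https:///SiemMsspConnector`), so escape them as `\<Tenant_name\>`. The removed reply URL `https://localhost:44300/wdatpconnector` should only go if MsspTokensAcquisition.ps1 no longer redirects there, otherwise token acquisition fails on a redirect-URI mismatch. Minor: the blade is named "Certificates & secrets".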
This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow. @@ -249,9 +243,9 @@ After providing your credentials, you'll need to grant consent to the applicatio 6. Enter the following commands: `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId ` - - Replace \ with the Application ID you got from the previous step. - - Replace \ with the application key you created from the previous step. - - Replace \ with your customer's tenant ID. + - Replace \ with the **Application (client) ID** you got from the previous step. + - Replace \ with the **Client Secret** you created from the previous step. + - Replace \ with your customer's **Tenant ID**. 7. You'll be asked to provide your credentials and consent. Ignore the page redirect. From 4c9748fd846996a71e8830098673453bfcc5c28f Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 17 Jul 2019 20:32:01 -0500 Subject: [PATCH 110/248] Update apply-a-basic-audit-policy-on-a-file-or-folder.md --- ...ly-a-basic-audit-policy-on-a-file-or-folder.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 6622f7fc55..13f762f32c 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
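Review bot: the command `.\MsspTokensAcquisition.ps1 -clientId -secret -tenantId` has lost its three placeholders (same escaping problem as in the previous hunk), so copying it verbatim produces a parameter-binding error; restore them as `\<client_id\>`, `\<app_key\>` and `\<customer_tenant_id\>`. Separately, passing the client secret as a plain command-line argument leaves it in the PSReadLine history file; the page could suggest `Read-Host -AsSecureString` or an environment variable instead, and remind the reader that a secret set to "In 1 year" must be rotated before it expires.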
@@ -36,6 +36,21 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** +6. In the **Applies to** box, indicate to which object or objects the audit of events will apply, can be to: + - **This folder only.** + - **This folder, subfolders and files.** + - **This folder and subfolders.** + - **This folder and files.** + - **Subfolders and files only.** + - **Subfolders only** + - **Files only.** +7. By default the selected **Basic Permissions** to Audit are the following: + - **Read & Execute.** + - **List folder contents.** + - **Read.** + - You can additionally select the audit of **Full control**, **Modify** and/or **Write** permissions. With your desired combination. + + > **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.   From d16c927ac178164847a5a755406ed9f4dc170ccc Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:05:30 +0530 Subject: [PATCH 111/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 008876e723..181c402c03 100644 
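Review bot: the added step 6 is a run-on ("indicate to which object or objects the audit of events will apply, can be to:"); suggest "In the Applies to box, choose the scope of the audit entry:". In step 7 the last bullet ("You can additionally select the audit of Full control, Modify and/or Write permissions. With your desired combination.") is not a permission and ends in a fragment, so make it a sentence after the list, and "Subfolders only" is missing its period. A caveat would help practitioners: the defaults (Read & Execute, List folder contents, Read) applied to "This folder, subfolders and files" log event 4663 on every read and can flood the Security log on a busy share, so scope the entry to Write, Modify or Full control on the folders that matter.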
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -56,7 +56,7 @@ This can only be done in Group Policy. > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -0. Download the latest Administrative templates for windows 10 v1809 from below Microsoft official site +1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). **https://www.microsoft.com/en-us/download/details.aspx?id=57576** From d85aa5f07ab0d47adfcfa68584f67b2db1e610e6 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:06:17 +0530 Subject: [PATCH 112/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 181c402c03..3713800e19 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
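Review bot: the `+` line inlines the download link, but the context line right after it still carries the bare bold URL (`**https://www.microsoft.com/en-us/download/details.aspx?id=57576**`), so the page now shows the same link twice; remove that line in the same commit. Also, the note above the list says Windows 10 version 1709 or later, while the linked templates are the v1809 set; say whether the 1809 ADMX files are required or simply the latest available.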
@@ -57,7 +57,6 @@ This can only be done in Group Policy. >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. 1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). - **https://www.microsoft.com/en-us/download/details.aspx?id=57576** 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. From b3fe93ffa9006fd63e1377add4b1e109bae34cf2 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:06:55 +0530 Subject: [PATCH 113/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 3713800e19..ab49b98816 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
@@ -58,7 +58,6 @@ This can only be done in Group Policy. 1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). - 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. From 98f883237f567ac2f183010d00e42cd6a838c108 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:07:35 +0530 Subject: [PATCH 114/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index ab49b98816..9ace2c3612 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -95,7 +95,7 @@ This can only be done in Group Policy. **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **"DisableNotifications"=dword:00000001** -8. Corresponding registry key for **Hide not-critical notifications** +8. Use the following registry key and DWORD value to **Hide not-critical notifications** **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **"DisableEnhancedNotifications"=dword:00000001** 
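Review bot: the reworded step 8 lacks the trailing period that the matching step 7 wording receives in PATCH 115; make the two consistent. More useful to admins: neither step says that these are `HKLM\SOFTWARE\Policies` values written by the Group Policy setting, so a value set by hand will be overwritten whenever a GPO that configures the setting is applied; one sentence stating that would stop people from treating the registry edit as a standalone alternative.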
From ada58811038bd9e36805a5aecd83fa20551be230 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 09:08:21 +0530 Subject: [PATCH 115/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 9ace2c3612..4ddd16a1f3 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -90,7 +90,7 @@ This can only be done in Group Policy. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. -7. Corresponding registry key for **Hide all notifications** +7. Use the following registry key and DWORD value to **Hide all notifications**. **[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications]** **"DisableNotifications"=dword:00000001** From 4af3d5650c05e419ec2dd6a9ff5ff5a07e4db3a9 Mon Sep 17 00:00:00 2001 
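Review bot: With items 7 and 8 now phrased as "Use the following registry key and DWORD value to ...", the procedure reads as if a direct registry edit were an alternative, yet the hunk context says "This can only be done in Group Policy." The values shown live under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications, which is the store that Group Policy writes and refreshes, so a hand-edited DisableNotifications or DisableEnhancedNotifications value is replaced at the next policy refresh wherever a GPO defines the setting. Suggest one sentence saying these are the values the policy writes, shown for verification or scripting, and note that DisableNotifications=1 suppresses every Windows Security notification, not only the non-critical ones item 8 covers.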
From: Nick Schonning Date: Thu, 18 Jul 2019 01:24:10 -0400 Subject: [PATCH 116/248] fix: Replace syntax with langauge code 2 --- .../mdm/windowslicensing-csp.md | 12 +- .../mdm/windowssecurityauditing-csp.md | 2 +- .../customize-and-export-start-layout.md | 2 +- .../settings-that-can-be-locked-down.md | 2 +- ...v-application-template-schema-reference.md | 18 +-- ...anage-administrative-backup-and-restore.md | 4 +- ...plates-using-windows-powershell-and-wmi.md | 6 +- ...synchronizing-microsoft-office-with-uev.md | 2 +- .../assign-applications-using-roles-in-mdt.md | 4 +- ...d-environment-for-windows-10-deployment.md | 4 +- .../configure-mdt-deployment-share-rules.md | 10 +- .../configure-mdt-for-userexit-scripts.md | 4 +- .../create-a-windows-10-reference-image.md | 26 ++-- .../deploy-a-windows-10-image-using-mdt.md | 10 +- ...ntegrate-configuration-manager-with-mdt.md | 4 +- ...prepare-for-windows-deployment-with-mdt.md | 2 +- ...s-7-computer-with-a-windows-10-computer.md | 2 +- ...ows-10-deployment-in-a-test-environment.md | 2 +- .../use-web-services-in-mdt.md | 4 +- ...0-deployment-with-configuration-manager.md | 4 +- ...f-windows-10-with-configuration-manager.md | 2 +- windows/deployment/deploy-windows-to-go.md | 22 ++-- ...se-management-strategies-and-deployment.md | 2 +- .../usmt/offline-migration-reference.md | 4 +- .../usmt/understanding-migration-xml-files.md | 16 +-- .../deployment/usmt/usmt-best-practices.md | 2 +- .../deployment/usmt/usmt-configxml-file.md | 4 +- .../usmt/usmt-conflicts-and-precedence.md | 8 +- .../usmt/usmt-custom-xml-examples.md | 6 +- .../usmt/usmt-hard-link-migration-store.md | 2 +- .../usmt/usmt-include-files-and-settings.md | 18 +-- windows/deployment/usmt/usmt-log-files.md | 10 +- .../usmt/usmt-reroute-files-and-settings.md | 6 +- .../usmt/usmt-xml-elements-library.md | 122 +++++++++--------- .../deployment/usmt/xml-file-requirements.md | 6 +- .../use-vamt-in-windows-powershell.md | 2 +- 
.../windows-deployment-scenarios-and-tools.md | 4 +- .../additional-mitigations.md | 8 +- ...redential-guard-not-protected-scenarios.md | 10 +- .../credential-guard-scripts.md | 4 +- .../bitlocker/bitlocker-basic-deployment.md | 32 ++--- ...tlocker-how-to-deploy-on-windows-server.md | 12 +- .../bitlocker-how-to-enable-network-unlock.md | 2 +- .../bitlocker-recovery-guide-plan.md | 17 ++- ...ve-encryption-tools-to-manage-bitlocker.md | 30 ++--- ...nd-storage-area-networks-with-bitlocker.md | 18 +-- ...arding-to-assist-in-intrusion-detection.md | 5 +- ...r-policies-by-using-set-applockerpolicy.md | 2 +- ...to-end-ipsec-connections-by-using-ikev2.md | 6 +- ...-administration-with-windows-powershell.md | 76 +++++------ 50 files changed, 290 insertions(+), 292 deletions(-) diff --git a/windows/client-management/mdm/windowslicensing-csp.md b/windows/client-management/mdm/windowslicensing-csp.md index f5372d05f6..58a5040b72 100644 --- a/windows/client-management/mdm/windowslicensing-csp.md +++ b/windows/client-management/mdm/windowslicensing-csp.md @@ -196,7 +196,7 @@ Values: **CheckApplicability** -``` syntax +```xml @@ -223,7 +223,7 @@ Values: **Edition** -``` syntax +```xml @@ -241,7 +241,7 @@ Values: **LicenseKeyType** -``` syntax +```xml @@ -259,7 +259,7 @@ Values: **Status** -``` syntax +```xml @@ -277,7 +277,7 @@ Values: **UpgradeEditionWithProductKey** -``` syntax +```xml @@ -304,7 +304,7 @@ Values: **UpgradeEditionWithLicense** -``` syntax +```xml diff --git a/windows/client-management/mdm/windowssecurityauditing-csp.md b/windows/client-management/mdm/windowssecurityauditing-csp.md index ea9dd8e10a..ffd68aa965 100644 --- a/windows/client-management/mdm/windowssecurityauditing-csp.md +++ b/windows/client-management/mdm/windowssecurityauditing-csp.md @@ -39,7 +39,7 @@ Supported operations are Get and Replace. Enable logging of audit events. -``` syntax +```xml 
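Review bot: The relabel from ``` syntax to ```xml is correct for the windowslicensing-csp.md and windowssecurityauditing-csp.md blocks, since "syntax" is not an identifier any highlighter recognizes, but a 50-file list under the subject "Replace syntax with langauge code 2" (typo: language) suggests a search-and-replace keyed on file type. Please confirm each block was tagged by its actual content: several blocks later in this patch (certreq, manage-bde) are native command lines rather than PowerShell syntax, and a wrong tag is worse than none because readers trust it when pasting.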
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index aa221c4b9e..7ac4b1ff90 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -176,7 +176,7 @@ If the Start layout is applied by Group Policy or MDM, and the policy is removed 2. [Export the Start layout](#export-the-start-layout). 3. Open the layout .xml file. There is a `` element. Add `LayoutCustomizationRestrictionType="OnlySpecifiedGroups"` to the **DefaultLayoutOverride** element as follows: - ``` syntax + ```xml ``` diff --git a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md index 5603c46bfa..4ea4c7f814 100644 --- a/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md +++ b/windows/configuration/mobile-devices/settings-that-can-be-locked-down.md @@ -462,7 +462,7 @@ Quick action buttons are locked down in exactly the same way as Settings pages/g You can specify the quick actions as follows: -``` syntax +```xml diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 299ba40be7..156e4af29b 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -241,7 +241,7 @@ Version identifies the version of the settings location template for administrat **Hint:** You can save notes about version changes using XML comment tags ``, for example: -``` syntax +```xml @@ -195,7 +195,7 @@ This table describes the behavior in the following example .xml file. -``` syntax +```xml File Migration Test 
@@ -231,7 +231,7 @@ This table describes the behavior in the following example .xml file. The behavior for this custom .xml file is described within the <`displayName`> tags in the code. -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-hard-link-migration-store.md b/windows/deployment/usmt/usmt-hard-link-migration-store.md index 100e1e1f04..bbcdb94333 100644 --- a/windows/deployment/usmt/usmt-hard-link-migration-store.md +++ b/windows/deployment/usmt/usmt-hard-link-migration-store.md @@ -209,7 +209,7 @@ You must use the **/nocompress** option with the **/HardLink** option. The following XML sample specifies that files locked by an application under the \\Users directory can remain in place during the migration. It also specifies that locked files that are not located in the \\Users directory should result in the **File in Use** error. It is important to exercise caution when specifying the paths using the **File in Use<createhardlink>** tag in order to minimize scenarios that make the hard-link migration store more difficult to delete. -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-include-files-and-settings.md b/windows/deployment/usmt/usmt-include-files-and-settings.md index 89b7d8fa3a..8d0ba60945 100644 --- a/windows/deployment/usmt/usmt-include-files-and-settings.md +++ b/windows/deployment/usmt/usmt-include-files-and-settings.md @@ -37,7 +37,7 @@ In this topic: The following .xml file migrates a single registry key. -``` syntax +```xml Component to migrate only registry value string @@ -63,7 +63,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Including subfolders.** The following .xml file migrates all files and subfolders from C:\\EngineeringDrafts to the destination computer. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents including subfolders 
@@ -82,7 +82,7 @@ The following examples show how to migrate a folder from a specific drive, and f - **Excluding subfolders.** The following .xml file migrates all files from C:\\EngineeringDrafts, but it does not migrate any subfolders within C:\\EngineeringDrafts. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents without subfolders @@ -103,7 +103,7 @@ The following examples show how to migrate a folder from a specific drive, and f The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any drive on the computer. If multiple folders exist with the same name, then all files with this name are migrated. -``` syntax +```xml Component to migrate all Engineering Drafts Documents folder on any drive on the computer @@ -123,7 +123,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates all files and subfolders of the EngineeringDrafts folder from any location on the C:\\ drive. If multiple folders exist with the same name, they are all migrated. -``` syntax +```xml Component to migrate all Engineering Drafts Documents EngineeringDrafts folder from where ever it exists on the C: drive @@ -146,7 +146,7 @@ The following .xml file migrates all files and subfolders of the EngineeringDraf The following .xml file migrates .mp3 files located in the specified drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +```xml All .mp3 files to My Documents @@ -176,7 +176,7 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from a folder.** The following .xml file migrates only the Sample.doc file from C:\\EngineeringDrafts on the source computer to the destination computer. - ``` syntax + ```xml Component to migrate all Engineering Drafts Documents 
@@ -195,13 +195,13 @@ The following examples show how to migrate a file from a specific folder, and ho - **To migrate a file from any location.** To migrate the Sample.doc file from any location on the C:\\ drive, use the <pattern> element, as the following example shows. If multiple files exist with the same name on the C:\\ drive, all of files with this name are migrated. - ``` syntax + ```xml C:\* [Sample.doc] ``` To migrate the Sample.doc file from any drive on the computer, use <script> as the following example shows. If multiple files exist with the same name, all files with this name are migrated. - ``` syntax + ```xml ``` diff --git a/windows/deployment/usmt/usmt-log-files.md b/windows/deployment/usmt/usmt-log-files.md index fad90a25bf..daba5ef2e2 100644 --- a/windows/deployment/usmt/usmt-log-files.md +++ b/windows/deployment/usmt/usmt-log-files.md @@ -294,7 +294,7 @@ To migrate these files you author the following migration XML: However, upon testing the migration you notice that the “New Text Document.txt” file isn’t included in the migration. To troubleshoot this failure, the migration can be repeated with the environment variable MIG\_ENABLE\_DIAG set such that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +```xml @@ -315,13 +315,13 @@ Analysis of this XML section reveals the migunit that was created when the migra An analysis of the XML elements reference topic reveals that the <pattern> tag needs to be modified as follows: -``` syntax +```xml c:\data\* [*] ``` When the migration is preformed again with the modified tag, the diagnostic log reveals the following: -``` syntax +```xml 
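Review bot: The fence relabels in the usmt-include-files-and-settings.md and usmt-log-files.md hunks are fine, but two context lines this commit already re-emits carry typos: "all of files with this name are migrated" in the @@ -195 hunk (all files), and "When the migration is preformed again" in the @@ -315 hunk (performed). A one-word fix in the same commit avoids a separate typo PR for lines that are already in the diff.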
@@ -396,7 +396,7 @@ You author the following migration XML: However, upon testing the migration you notice that all the text files are still included in the migration. In order to troubleshoot this issue, the migration can be performed with the environment variable MIG\_ENABLE\_DIAG set so that the diagnostic log is generated. Upon searching the diagnostic log for the component “DATA1”, the following XML section is discovered: -``` syntax +```xml @@ -453,7 +453,7 @@ Upon reviewing the diagnostic log, you confirm that the files are still migratin Your revised migration XML script excludes the files from migrating, as confirmed in the diagnostic log: -``` syntax +```xml diff --git a/windows/deployment/usmt/usmt-reroute-files-and-settings.md b/windows/deployment/usmt/usmt-reroute-files-and-settings.md index 4ea1caaac3..ea0c442a2a 100644 --- a/windows/deployment/usmt/usmt-reroute-files-and-settings.md +++ b/windows/deployment/usmt/usmt-reroute-files-and-settings.md @@ -31,7 +31,7 @@ In this topic: The following custom .xml file migrates the directories and files from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +```xml Engineering Drafts Documents to Personal Folder @@ -60,7 +60,7 @@ The following custom .xml file migrates the directories and files from C:\\Engin The following custom .xml file reroutes .mp3 files located in the fixed drives on the source computer into the C:\\Music folder on the destination computer. -``` syntax +```xml All .mp3 files to My Documents 
@@ -88,7 +88,7 @@ The following custom .xml file reroutes .mp3 files located in the fixed drives o The following custom .xml file migrates the Sample.doc file from C:\\EngineeringDrafts into the My Documents folder of every user. %CSIDL\_PERSONAL% is the virtual folder representing the My Documents desktop item, which is equivalent to CSIDL\_MYDOCUMENTS. -``` syntax +```xml Sample.doc into My Documents diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md index 13fcf0effc..d64010f54e 100644 --- a/windows/deployment/usmt/usmt-xml-elements-library.md +++ b/windows/deployment/usmt/usmt-xml-elements-library.md @@ -138,7 +138,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -212,7 +212,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -275,7 +275,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [Lang] DWORD @@ -455,7 +455,7 @@ For example, In the code sample below, the <condition> elements, A and B, are joined together by the AND operator because they are in separate <conditions> sections. For example: -``` syntax +```xml A @@ -468,7 +468,7 @@ In the code sample below, the <condition> elements, A and B, are joined to However, in the code sample below, the <condition> elements, A and B, are joined together by the OR operator because they are in the same <conditions> section. -``` syntax +```xml A @@ -826,7 +826,7 @@ For example: ~~~ For example: -``` syntax +```xml MigXmlHelper.DoesStringContentEqual("File","%USERNAME%","") ``` ~~~ 
@@ -914,7 +914,7 @@ For example: ~~~ For example: -``` syntax +```xml MigXmlHelper.IsSameObject("File","%CSIDL_FAVORITES%","%CSIDL_COMMON_FAVORITES%") %CSIDL_FAVORITES%\* [*] @@ -1055,7 +1055,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml MigXmlHelper.IsNative64Bit() @@ -1152,13 +1152,13 @@ The following functions generate patterns out of the content of an object. These ~~~ For example: -``` syntax +```xml ``` and -``` syntax +```xml ``` ~~~ @@ -1243,7 +1243,7 @@ and ~~~ For example: -``` syntax +```xml @@ -1365,7 +1365,7 @@ The following functions change the content of objects as they are migrated. Thes ~~~ For example: -``` syntax +```xml HKCU\Control Panel\Desktop [ScreenSaveUsePassword] @@ -1622,7 +1622,7 @@ Syntax: The following code sample shows how the <description> element defines the "My custom component" description.: -``` syntax +```xml My custom component ``` @@ -1677,7 +1677,7 @@ Syntax: For example: -``` syntax +```xml HKCU\Software\Lotus\123\99.0\DDE Preferences\* [*] @@ -1807,7 +1807,7 @@ Syntax: The following example is from the MigApp.xml file. -``` syntax +```xml MigXmlHelper.DoesFileVersionMatch("%Lotus123InstPath%\123w.exe","ProductVersion","9.*") @@ -1878,7 +1878,7 @@ Syntax: For example: -``` syntax +```xml MigXmlHelper.DoesObjectExist("Registry","HKCU\Software\Adobe\Photoshop\8.0") @@ -1889,7 +1889,7 @@ For example: and -``` syntax +```xml @@ -1945,7 +1945,7 @@ Syntax: For example: -``` syntax +```xml Command Prompt settings ``` 
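Review bot: In the usmt-xml-elements-library.md hunks at @@ -826, -914, -1152, -1243 and -1365 (and again at -2740, -2817 and -3744 further down) the relabeled fence sits inside a ~~~ fence that also wraps the "For example:" lead-in. Under CommonMark/GFM a ~~~ fence is closed only by a matching ~~~, so the inner ```xml line is rendered as literal text and the new language tag never reaches the highlighter. The ~~~ wrappers look like leftovers from a list-to-prose conversion; remove them, or make the ```xml fence the only fence, so the relabel actually takes effect in those sections.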
@@ -2012,7 +2012,7 @@ Syntax: In this scenario, you want to generate the location of objects at run time depending on the configuration of the destination computer. For example, you must do this if an application writes data in the directory where it is installed, and users can install the application anywhere on the computer. If the application writes a registry value hklm\\software\\companyname\\install \[path\] and then updates this value with the location where the application is installed, then the only way for you to migrate the required data correctly is to define an environment variable. For example: -``` syntax +```xml @@ -2022,7 +2022,7 @@ In this scenario, you want to generate the location of objects at run time depen Then you can use an include rule as follows. You can use any of the [<script> functions](#scriptfunctions) to perform similar tasks. -``` syntax +```xml %INSTALLPATH%\ [*.xyz] @@ -2032,7 +2032,7 @@ Then you can use an include rule as follows. You can use any of the [<script& Second, you can also filter registry values that contain data that you need. The following example extracts the first string (before the separator ",") in the value of the registry Hklm\\software\\companyname\\application\\ \[Path\]. -``` syntax +```xml @@ -2050,7 +2050,7 @@ Second, you can also filter registry values that contain data that you need. The In this scenario, you want to migrate five files named File1.txt, File2.txt, and so on, from %SYSTEMDRIVE%\\data\\userdata\\dir1\\dir2\\. To do this you must have the following <include> rule in an .xml file: -``` syntax +```xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 [File1.txt] @@ -2064,7 +2064,7 @@ In this scenario, you want to migrate five files named File1.txt, File2.txt, and Instead of typing the path five times, you can create a variable for the location as follows: -``` syntax +```xml %SYSTEMDRIVE%\data\userdata\dir1\dir2 
@@ -2074,7 +2074,7 @@ Instead of typing the path five times, you can create a variable for the locatio Then, you can specify the variable in an <include> rule as follows: -``` syntax +```xml %DATAPATH% [File1.txt] @@ -2133,7 +2133,7 @@ Syntax: For example, from the MigUser.xml file: -``` syntax +```xml %CSIDL_MYMUSIC%\* [*] @@ -2190,7 +2190,7 @@ Syntax: Example: -``` syntax +```xml @@ -2297,7 +2297,7 @@ Syntax: For example, if you want to migrate all \*.doc files from the source computer, specifying the following code under the <component> element: -``` syntax +```xml doc @@ -2305,7 +2305,7 @@ For example, if you want to migrate all \*.doc files from the source computer, s is the same as specifying the following code below the <rules> element: -``` syntax +```xml @@ -2418,7 +2418,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Video @@ -2501,7 +2501,7 @@ The following functions return a Boolean value. You can use them to migrate cert For example: - ``` syntax + ```xml %CSIDL_COMMON_VIDEO%\* [*] @@ -2517,7 +2517,7 @@ The following functions return a Boolean value. You can use them to migrate cert In the following example, HKCU\\Control Panel\\International \[Locale\] will be included in the store, but it will not be migrated to the destination computer: - ``` syntax + ```xml HKCU\Control Panel\International [Locale] @@ -2634,7 +2634,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -2695,7 +2695,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %CSIDL_APPDATA%\Microsoft\Office\ [Access10.pip] @@ -2740,7 +2740,7 @@ The following functions change the location of objects as they are migrated when ~~~ For example: -``` syntax +```xml HKCU\Keyboard Layout\Toggle [] @@ -2817,7 +2817,7 @@ For example: ~~~ For example: -``` syntax +```xml %CSIDL_COMMON_FAVORITES%\* [*] 
@@ -2923,7 +2923,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml @@ -2948,7 +2948,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ```xml HKCU\Software\Microsoft\Office\9.0\PhotoDraw\ [MyPictures] @@ -3037,7 +3037,7 @@ These functions control how collisions are resolved. For example: - ``` syntax + ```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Publisher [UpgradeVersion] @@ -3097,7 +3097,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml ``` @@ -3138,7 +3138,7 @@ This filter helper function can be used to filter the migration of files based o -``` syntax +```xml File_size @@ -3194,7 +3194,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml %HklmWowSoftware%\Microsoft\Office\12.0\Common\Migration\Office [UpgradeVersion] @@ -3230,7 +3230,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Music @@ -3273,7 +3273,7 @@ This is an internal USMT element. Do not use this element. You can use this element to specify multiple objects. You can specify multiple <pattern> elements for each <objectSet> element and they will be combined. If you are specifying files, you may want to use GenerateDrivePatterns with <script> instead. GenerateDrivePatterns is basically the same as a <pattern> rule, without the drive letter specification. For example, the following two lines of code are similar: -``` syntax +```xml C:\Folder\* [Sample.doc] ``` @@ -3336,13 +3336,13 @@ For example: - To migrate a single registry key: - ``` syntax + ```xml HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache [Persistent] ``` - To migrate the EngineeringDrafts folder and any subfolders from the C: drive: - ``` syntax + ```xml C:\EngineeringDrafts\* [*] ``` 
@@ -3352,13 +3352,13 @@ For example: - To migrate the Sample.doc file from C:\\EngineeringDrafts: - ``` syntax + ```xml C:\EngineeringDrafts\ [Sample.doc] ``` - To migrate the Sample.doc file from where ever it exists on the C: drive use pattern in the following way. If multiple files exist with the same name on the C: drive, then all of these files will be migrated. - ``` syntax + ```xml C:\* [Sample.doc] ``` @@ -3484,7 +3484,7 @@ Syntax: The following example is from the MigUser.xml file. For more examples, see the MigApp.xml file: -``` syntax +```xml Start Menu @@ -3571,7 +3571,7 @@ Syntax: The following example is from the MigUser.xml file: -``` syntax +```xml My Music @@ -3679,7 +3679,7 @@ Examples: To migrate the Sample.doc file from any drive on the source computer, use <script> as follows. If multiple files exist with the same name, all such files will get migrated. -``` syntax +```xml ``` @@ -3744,7 +3744,7 @@ These functions return either a string or a pattern. ~~~ For example: -``` syntax +```xml @@ -3849,7 +3849,7 @@ If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called whil The following is example code for this scenario. The first <rules> element migrates all.doc files on the source computer with the exception of those inside C:\\Documents and Settings. The second <rules> elements will migrate all .doc files from C:\\Documents and Settings with the exception of the .doc files in the profiles of the other users. Because the second <rules> element will be processed in each migrated user context, the end result will be the desired behavior. The end result is the one we expected. -``` syntax +```xml @@ -3915,7 +3915,7 @@ This helper function invokes the document finder to scan the system for all file -``` syntax +```xml MigDocUser 
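Review bot: The @@ -3849 hunk re-emits the context sentence "If GenerateUserPattens('File','%userprofile% \[\*.doc\]','FALSE') is called" and "migrates all.doc files". The helper is GenerateUserPatterns, and "all.doc" is missing a space ("all .doc"). Both sit in lines this commit already touches as context, so correcting them here is cheaper than a follow-up.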
@@ -3942,7 +3942,7 @@ The following scripts have no return value. You can use the following errors wit - **AskForLogoff()**. Prompts the user to log off at the end of the migration. For example: - ``` syntax + ```xml @@ -3952,7 +3952,7 @@ The following scripts have no return value. You can use the following errors wit - **KillExplorer()**. Stops Explorer.exe for the current user context. This allows access to certain keys and files that are kept open when Explorer.exe is running. For example: - ``` syntax + ```xml @@ -3960,7 +3960,7 @@ The following scripts have no return value. You can use the following errors wit - **RegisterFonts(FileEncodedLocation)**. Registers the given font or all of the fonts in the given directory. For example: - ``` syntax + ```xml @@ -3970,7 +3970,7 @@ The following scripts have no return value. You can use the following errors wit - **RestartExplorer().** Restarts Explorer.exe at the end of the migration. For example: - ``` syntax + ```xml @@ -4020,7 +4020,7 @@ Syntax: For example: -``` syntax +```xml %CSIDL_COMMON_APPDATA%\QuickTime @@ -4045,7 +4045,7 @@ Syntax: The following .xml file excludes all .mp3 files from migration. For additional examples of how to use this element, see the [Exclude Files and Settings](usmt-exclude-files-and-settings.md). -``` syntax +```xml Test @@ -4116,7 +4116,7 @@ Syntax: The following example is from the MigApp.xml file: -``` syntax +```xml HKLM\Software @@ -4168,7 +4168,7 @@ Syntax: For example: -``` syntax +```xml 4.* ``` diff --git a/windows/deployment/usmt/xml-file-requirements.md b/windows/deployment/usmt/xml-file-requirements.md index 8baca0f103..89576c00a4 100644 --- a/windows/deployment/usmt/xml-file-requirements.md +++ b/windows/deployment/usmt/xml-file-requirements.md 
@@ -20,20 +20,20 @@ When creating custom .xml files, note the following requirements: - **The file must be in Unicode Transformation Format-8 (UTF-8).** You must save the file in this format, and you must specify the following syntax at the beginning of each .xml file: - ``` syntax + ```xml ``` - **The file must have a unique migration urlid**. The urlid of each file that you specify on the command line must be different. If two migration .xml files have the same urlid, the second .xml file that is specified on the command line will not be processed. This is because USMT uses the urlid to define the components within the file. For example, you must specify the following syntax at the beginning of each file: - ``` syntax + ```xml ``` - **Each component in the file must have a display name in order for it to appear in the Config.xml file.** This is because the Config.xml file defines the components by the display name and the migration urlid. For example, specify the following syntax: - ``` syntax + ```xml My Application ``` diff --git a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md index 034bbfc2c8..cc4e0d99a9 100644 --- a/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md +++ b/windows/deployment/volume-activation/use-vamt-in-windows-powershell.md @@ -36,7 +36,7 @@ The Volume Activation Management Tool (VAMT) PowerShell cmdlets can be used to p cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0” ``` - Import the VAMT PowerShell module. To import the module, type the following at a command prompt: - ``` syntax + ```powershell Import-Module .\VAMT.psd1 ``` Where **Import-Module** imports a module only into the current session. To import the module into all sessions, add an **Import-Module** command to a Windows PowerShell profile. For more information about profiles, type `get-help about_profiles`. 
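Review bot: In the use-vamt-in-windows-powershell.md hunk the Import-Module block is tagged powershell, but the cd block directly above it is left untagged and uses typographic quotes: cd “C:\Program Files (x86)\Windows Kits\10\Assessment and Deployment Kit\VAMT 3.0”. PowerShell tolerates curly quotes, but the page tells the reader to "type the following at a command prompt", and cmd.exe does not; use straight quotes and tag both blocks the same way. The xml-file-requirements.md relabels are fine.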
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md index dfab99ad78..31a483c26e 100644 --- a/windows/deployment/windows-deployment-scenarios-and-tools.md +++ b/windows/deployment/windows-deployment-scenarios-and-tools.md @@ -43,7 +43,7 @@ Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:D:\Sources\SxS In Windows 10, you can use Windows PowerShell for many of the functions performed by DISM.exe. The equivalent command in Windows 10 using PowerShell is: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All -Source D:\Sources\SxS -LimitAccess ``` @@ -132,7 +132,7 @@ Figure 6. The updated Volume Activation Management Tool. VAMT also can be used to create reports, switch from MAK to KMS, manage Active Directory-based activation, and manage Office 2010 and Office 2013 volume activation. VAMT also supports PowerShell (instead of the old command-line tool). For example, if you want to get information from the VAMT database, you can type: -``` syntax +```powershell Get-VamtProduct ``` diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md index c67ea0ab51..870cc58a84 100644 --- a/windows/security/identity-protection/credential-guard/additional-mitigations.md +++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md @@ -71,7 +71,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` 
@@ -87,7 +87,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -96,7 +96,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -143,7 +143,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md index 2e1a83d9b7..582af34a67 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md @@ -96,7 +96,7 @@ Then on the devices that are running Windows Defender Credential Guard, enroll t **Enrolling devices in a certificate** Run the following command: -``` syntax +```powershell CertReq -EnrollCredGuardCert MachineAuthentication ``` 
@@ -112,7 +112,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [get-IssuancePolicy.ps1](#bkmk-getscript) shows all of the issuance policies that are available on the certificate authority. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\get-IssuancePolicy.ps1 –LinkedToGroup:All ``` @@ -121,7 +121,7 @@ Beginning with the Windows Server 2008 R2 domain functional level, domain contro - The [set-IssuancePolicyToGroupLink.ps1](#bkmk-setscript) creates a Universal security group, creates an organizational unit, and links the issuance policy to that Universal security group. From a Windows PowerShell command prompt, run the following command: - ``` syntax + ```powershell .\set-IssuancePolicyToGroupLink.ps1 –IssuancePolicyName:"" –groupOU:"" –groupName:”" ``` @@ -172,7 +172,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## @@ -363,7 +363,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md index 0b6d13f777..dae9193c68 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md @@ -25,7 +25,7 @@ Here is a list of scripts mentioned in this topic. Save this script file as get-IssuancePolicy.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## 
@@ -216,7 +216,7 @@ write-host "There are no issuance policies which are not mapped to groups" Save the script file as set-IssuancePolicyToGroupLink.ps1. -``` syntax +```powershell ####################################### ## Parameters to be defined ## ## by the user ## diff --git a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md index 8029b9b1b9..acd70ac9ea 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md +++ b/windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md @@ -206,7 +206,7 @@ This command returns the volumes on the target, current encryption status and vo For example, suppose that you want to enable BitLocker on a computer without a TPM chip. To properly enable BitLocker for the operating system volume, you will need to use a USB flash drive as a startup key to boot (in this example, the drive letter E). You would first create the startup key needed for BitLocker using the –protectors option and save it to the USB drive on E: and then begin the encryption process. You will need to reboot the computer when prompted to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -237,7 +237,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` 
@@ -382,13 +382,13 @@ Occasionally, all protectors may not be shown when using Get-BitLockerVo If you wanted to remove the existing protectors prior to provisioning BitLocker on the volume, you can utilize the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed. A simple script can pipe the values of each **Get-BitLockerVolume** return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` Using this, we can display the information in the **$keyprotectors** variable to determine the GUID for each protector. Using this information, we can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` > **Note:**  The BitLocker cmdlet requires the key protector GUID enclosed in quotation marks to execute. Ensure the entire GUID, with braces, is included in the command. 
@@ -398,19 +398,19 @@ Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" Using the BitLocker Windows PowerShell cmdlets is similar to working with the manage-bde tool for encrypting operating system volumes. Windows PowerShell offers users a lot of flexibility. For example, users can add the desired protector as part command for encrypting the volume. Below are examples of common user scenarios and steps to accomplish them using the BitLocker cmdlets for Windows PowerShell. To enable BitLocker with just the TPM protector. This can be done using the command: -``` syntax +```powershell Enable-BitLocker C: ``` The example below adds one additional protector, the StartupKey protectors, and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` ### Data volume Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. Last, encryption begins. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw 
@@ -423,12 +423,12 @@ The ADAccountOrGroup protector is an Active Directory SID-based protector. This To add an ADAccountOrGroup protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` For users who wish to use the SID for the account or group, the first step is to determine the SID associated with the account. To get the specific SID for a user account in Windows PowerShell, use the following command: -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` > **Note:**  Use of this command requires the RSAT-AD-PowerShell feature. @@ -437,7 +437,7 @@ get-aduser -filter {samaccountname -eq "administrator"} In the example below, the user wishes to add a domain SID based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup "" ``` > **Note:**  Active Directory-based protectors are normally used to unlock Failover Cluster enabled volumes. @@ -469,7 +469,7 @@ Administrators who prefer a command line interface can utilize manage-bde to che To check the status of a volume using manage-bde, use the following command: -``` syntax +```powershell manage-bde -status ``` > **Note:**  If no volume letter is associated with the -status command, all volumes on the computer display their status. 
@@ -480,7 +480,7 @@ Windows PowerShell commands offer another way to query BitLocker status for volu Using the Get-BitLockerVolume cmdlet, each volume on the system will display its current BitLocker status. To get information that is more detailed on a specific volume, use the following command: -``` syntax +```powershell Get-BitLockerVolume -Verbose | fl ``` This command will display information about the encryption method, volume type, key protectors, etc. @@ -506,12 +506,12 @@ Once decryption is complete, the drive will update its status in the control pan Decrypting volumes using manage-bde is very straightforward. Decryption with manage-bde offers the advantage of not requiring user confirmation to start the process. Manage-bde uses the -off command to start the decryption process. A sample command for decryption is: -``` syntax +```powershell manage-bde -off C: ``` This command disables protectors while it decrypts the volume and removes all protectors when decryption is complete. If a user wishes to check the status of the decryption, they can use the following command: -``` syntax +```powershell manage-bde -status C: ``` ### Decrypting volumes using the BitLocker Windows PowerShell cmdlets @@ -520,12 +520,12 @@ Decryption with Windows PowerShell cmdlets is straightforward, similar to manage Using the Disable-BitLocker command, they can remove all protectors and encryption at the same time without the need for additional commands. An example of this command is: -``` syntax +```powershell Disable-BitLocker ``` If a user did not want to input each mount point individually, using the `-MountPoint` parameter in an array can sequence the same command into one line without requiring additional user input. An example command is: -``` syntax +```powershell Disable-BitLocker -MountPoint E:,F:,G: ``` ## See also 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md index 70ba14d6a6..f8d1a6e1f9 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md @@ -52,14 +52,14 @@ The `servermanager` Windows PowerShell module can use either the `Install-Window By default, installation of features in Windows PowerShell does not include optional sub-features or management tools as part of the install process. This can be seen using the `-WhatIf` option in Windows PowerShell. -``` syntax +```powershell Install-WindowsFeature BitLocker -WhatIf ``` The results of this command show that only the BitLocker Drive Encryption feature installs using this command. To see what would be installed with the BitLocker feature including all available management tools and sub-features, use the following command: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -WhatIf | fl ``` @@ -75,7 +75,7 @@ The result of this command displays the following list of all the administration The command to complete a full installation of the BitLocker feature with all available features and then rebooting the server at completion is: -``` syntax +```powershell Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools -Restart ``` 
@@ -85,7 +85,7 @@ Install-WindowsFeature BitLocker -IncludeAllSubFeature -IncludeManagementTools - The `dism` Windows PowerShell module uses the `Enable-WindowsOptionalFeature` cmdlet to install features. The BitLocker feature name for BitLocker is `BitLocker`. The `dism` module does not support wildcards when searching for feature names. To list feature names for the `dism` module, use the `Get-WindowsOptionalFeatures` cmdlet. The following command will list all of the optional features in an online (running) operating system. -``` syntax +```powershell Get-WindowsOptionalFeature -Online | ft ``` @@ -93,13 +93,13 @@ From this output, we can see that there are three BitLocker related optional fea To install BitLocker using the `dism` module, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker -All ``` This command will prompt the user for a reboot. The Enable-WindowsOptionalFeature cmdlet does not offer support for forcing a reboot of the computer. This command does not include installation of the management tools for BitLocker. For a complete installation of BitLocker and all available management tools, use the following command: -``` syntax +```powershell Enable-WindowsOptionalFeature -Online -FeatureName BitLocker, BitLocker-Utilities -All ``` ## More information diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md index 6545ca0992..49b3e4f60f 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md +++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md 
@@ -313,7 +313,7 @@ Troubleshooting Network Unlock issues begins by verifying the environment. Many - Verify the clients were rebooted after applying the policy. - Verify the **Network (Certificate Based)** protector is listed on the client. This can be done using either manage-bde or Windows PowerShell cmdlets. For example the following command will list the key protectors currently configured on the C: drive of the lcoal computer: - ``` syntax + ```powershell manage-bde –protectors –get C: ``` >**Note:** Use the output of manage-bde along with the WDS debug log to determine if the proper certificate thumbprint is being used for Network Unlock diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md index f21beec5e9..bde16da8e3 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md +++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md @@ -278,26 +278,25 @@ You can reset the recovery password in two ways: 1. Remove the previous recovery password - ``` syntax + ```powershell Manage-bde –protectors –delete C: –type RecoveryPassword ``` 2. Add the new recovery password - ``` syntax + ```powershell Manage-bde –protectors –add C: -RecoveryPassword - ``` 3. Get the ID of the new recovery password. From the screen copy the ID of the recovery password. - ``` syntax + ```powershell Manage-bde –protectors –get C: -Type RecoveryPassword - ``` + 4. Backup the new recovery password to AD DS - ``` syntax + ```powershell Manage-bde –protectors –adbackup C: -id {EXAMPLE6-5507-4924-AA9E-AFB2EB003692} ``` >**Warning:**  You must include the braces in the ID string. 
@@ -315,7 +314,7 @@ You can reset the recovery password in two ways: You can use the following sample script to create a VBScript file to reset the recovery passwords. -``` syntax +```vb ' Target drive letter strDriveLetter = "c:" ' Target computer name @@ -404,7 +403,7 @@ The following sample script exports all previously-saved key packages from AD D You can use the following sample script to create a VBScript file to retrieve the BitLocker key package from AD DS. -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- @@ -551,7 +550,7 @@ The following sample script exports a new key package from an unlocked, encrypte **cscript GetBitLockerKeyPackage.vbs -?** -``` syntax +```vb ' -------------------------------------------------------------------------------- ' Usage ' -------------------------------------------------------------------------------- diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md index 30fea18843..20ab73acfb 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md +++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md @@ -46,7 +46,7 @@ Listed below are examples of basic valid commands for operating system volumes. A good practice when using manage-bde is to determine the volume status on the target system. Use the following command to determine volume status: -``` syntax +```powershell manage-bde -status ``` This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume: 
@@ -55,7 +55,7 @@ This command returns the volumes on the target, current encryption status, encry The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process. -``` syntax +```powershell manage-bde –protectors -add C: -startupkey E: manage-bde -on C: ``` @@ -64,7 +64,7 @@ manage-bde -on C: An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. This is done with the command: -``` syntax +```powershell manage-bde -protectors -add C: -pw -sid ``` @@ -72,13 +72,13 @@ This command will require you to enter and then confirm the password protector b On computers with a TPM it is possible to encrypt the operating system volume without any defined protectors using manage-bde. The command to do this is: -``` syntax +```powershell manage-bde -on C: ``` This will encrypt the drive using the TPM as the default protector. If you are not sure if a TPM protector is available, to list the protectors available for a volume, run the following command: -``` syntax +```powershell manage-bde -protectors -get ``` ### Using manage-bde with data volumes @@ -87,7 +87,7 @@ Data volumes use the same syntax for encryption as operating system volumes but A common protector for a data volume is the password protector. In the example below, we add a password protector to the volume and turn BitLocker on. -``` syntax +```powershell manage-bde -protectors -add -pw C: manage-bde -on C: ``` 
@@ -257,7 +257,7 @@ If you want to remove the existing protectors prior to provisioning BitLocker on A simple script can pipe the values of each Get-BitLockerVolume return out to another variable as seen below: -``` syntax +```powershell $vol = Get-BitLockerVolume $keyprotectors = $vol.KeyProtector ``` @@ -266,7 +266,7 @@ Using this, you can display the information in the $keyprotectors variable to de Using this information, you can then remove the key protector for a specific volume using the command: -``` syntax +```powershell Remove-BitLockerKeyProtector : -KeyProtectorID "{GUID}" ``` @@ -278,13 +278,13 @@ Using the BitLocker Windows PowerShell cmdlets is similar to working with the ma The following example shows how to enable BitLocker on an operating system drive using only the TPM protector: -``` syntax +```powershell Enable-BitLocker C: - ``` + In the example below, adds one additional protector, the StartupKey protector and chooses to skip the BitLocker hardware test. In this example, encryption starts immediately without the need for a reboot. -``` syntax +```powershell Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTest ``` @@ -293,7 +293,7 @@ Enable-BitLocker C: -StartupKeyProtector -StartupKeyPath -SkipHardwareTes Data volume encryption using Windows PowerShell is the same as for operating system volumes. You should add the desired protectors prior to encrypting the volume. The following example adds a password protector to the E: volume using the variable $pw as the password. The $pw variable is held as a SecureString value to store the user defined password. -``` syntax +```powershell $pw = Read-Host -AsSecureString Enable-BitLockerKeyProtector E: -PasswordProtector -Password $pw 
@@ -306,7 +306,7 @@ The **ADAccountOrGroup** protector, introduced in Windows 8 and Windows Server 2 To add an **ADAccountOrGroup** protector to a volume requires either the actual domain SID or the group name preceded by the domain and a backslash. In the example below, the CONTOSO\\Administrator account is added as a protector to the data volume G. -``` syntax +```powershell Enable-BitLocker G: -AdAccountOrGroupProtector -AdAccountOrGroup CONTOSO\Administrator ``` @@ -314,7 +314,7 @@ For users who wish to use the SID for the account or group, the first step is to >**Note:**  Use of this command requires the RSAT-AD-PowerShell feature. -``` syntax +```powershell get-aduser -filter {samaccountname -eq "administrator"} ``` @@ -322,7 +322,7 @@ get-aduser -filter {samaccountname -eq "administrator"} The following example adds an **ADAccountOrGroup** protector to the previously encrypted operating system volume using the SID of the account: -``` syntax +```powershell Add-BitLockerKeyProtector C: -ADAccountOrGroupProtector -ADAccountOrGroup S-1-5-21-3651336348-8937238915-291003330-500 ``` diff --git a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md index e19f192e4c..01c9fe213f 100644 --- a/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md +++ b/windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md 
@@ -66,13 +66,13 @@ BitLocker encryption is available for disks before or after addition to a cluste 2. Ensure the disk is formatted NTFS and has a drive letter assigned to it. 3. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster - ``` + 4. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` @@ -88,32 +88,32 @@ When the cluster service owns a disk resource already, it needs to be set into m 1. Install the BitLocker Drive Encryption feature if it is not already installed. 2. Check the status of the cluster disk using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" ``` 3. Put the physical disk resource into maintenance mode using Windows PowerShell. - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Suspend-ClusterResource ``` 4. Identify the name of the cluster with Windows PowerShell. - ``` syntax + ```powershell Get-Cluster ``` 5. Enable BitLocker on the volume of your choice with an **ADAccountOrGroup** protector, using the cluster name. For example, use a command such as: - ``` syntax + ```powershell Enable-BitLocker E: -ADAccountOrGroupProtector -ADAccountOrGroup CLUSTER$ ``` >**Warning:**  You must configure an **ADAccountOrGroup** protector using the cluster CNO for a BitLocker enabled volume to either be shared in a Cluster Shared Volume or to fail over properly in a traditional failover cluster. 6. Use **Resume-ClusterResource** to take the physical disk resource back out of maintenance mode: - ``` syntax + ```powershell Get-ClusterResource "Cluster Disk 1" | Resume-ClusterResource ``` 
@@ -146,7 +146,7 @@ You can also use manage-bde to enable BitLocker on clustered volumes. The steps 6. Once the disk is online in the storage pool, it can be added to a CSV by right clicking on the disk resource and choosing "**Add to cluster shared volumes**". CSVs can include both encrypted and unencrypted volumes. To check the status of a particular volume for BitLocker encryption, administrators can utilize the manage-bde -status command with a path to the volume inside the CSV namespace as seen in the example command line below. -``` syntax +```powershell manage-bde -status "C:\ClusterStorage\volume1" ``` diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md index 44a4ae63d3..300f56c569 100644 --- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md +++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md @@ -413,7 +413,7 @@ Here are the minimum steps for WEF to operate: ## Appendix E – Annotated baseline subscription event query -``` syntax +```xml @@ -578,8 +578,7 @@ Here are the minimum steps for WEF to operate: ## Appendix F – Annotated Suspect Subscription Event Query -``` syntax - +```xml diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 7ee34ff838..575ad0d393 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md 
@@ -41,6 +41,6 @@ You can also manually merge AppLocker policies. For the procedure to do this, se Gets the local AppLocker policy, and then merges the policy with the existing AppLocker policy in the GPO specified in the LDAP path. -``` syntax +```powershell C:\PS>Get-AppLockerPolicy -Local | Set-AppLockerPolicy -LDAP "LDAP://DC13.Contoso.com/CN={31B2F340-016D-11D2-945F-00C044FB984F9},CN=Policies,CN=System,DC=Contoso,DC=com" -Merge ``` diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md index 9c6966b525..5ded02bd51 100644 --- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md +++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md @@ -80,7 +80,7 @@ This script does the following: Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell # Create a Security Group for the computers that will get the policy $pathname = (Get-ADDomain).distinguishedname New-ADGroup -name "IPsec client and servers" -SamAccountName "IPsec client and servers" ` @@ -120,7 +120,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints. -``` syntax +```powershell #Set up the certificate $certprop = New-NetIPsecAuthProposal -machine -cert -Authority "DC=com, DC=contoso, DC=corp, CN=corp-APP1-CA" $myauth = New-NetIPsecPhase1AuthSet -DisplayName "IKEv2TestPhase1AuthSet" -proposal $certprop 
@@ -173,7 +173,7 @@ Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections: 6. Open the wfpdiag.xml file with your an XML viewer program or Notepad, and then examine the contents. There will be a lot of data in this file. One way to narrow down where to start looking is to search the last “errorFrequencyTable” at the end of the file. There might be many instances of this table, so make sure that you look at the last table in the file. For example, if you have a certificate problem, you might see the following entry in the last table at the end of the file: - ``` syntax + ```xml ERROR_IPSEC_IKE_NO_CERT 32 diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md index 79ee3e58bd..4daaa5d367 100644 --- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md +++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md @@ -67,7 +67,7 @@ netsh advfirewall set allprofiles state on **Windows PowerShell** -``` syntax +```powershell Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True ``` @@ -88,7 +88,7 @@ netsh advfirewall set allprofiles logging filename %SystemRoot%\System32\LogFile Windows PowerShell -``` syntax +```powershell Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow –NotifyOnListen True -AllowUnicastResponseToMulticast True –LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log ``` 
@@ -140,7 +140,7 @@ netsh advfirewall firewall add rule name="Allow Inbound Telnet" dir=in program= Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow ``` @@ -157,7 +157,7 @@ netsh advfirewall firewall add rule name="Block Outbound Telnet" dir=out program Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe –Protocol TCP –LocalPort 23 -Action Block –PolicyStore domain.contoso.com\gpo_name ``` @@ -169,7 +169,7 @@ The following performs the same actions as the previous example (by adding a Tel Windows PowerShell -``` syntax +```powershell $gpo = Open-NetGPO –PolicyStore domain.contoso.com\gpo_name New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\telnet.exe –Protocol TCP –LocalPort 23 -Action Block –GPOSession $gpo Save-NetGPO –GPOSession $gpo @@ -191,7 +191,7 @@ netsh advfirewall firewall set rule name="Allow Web 80" new remoteip=192.168.0.2 Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule –DisplayName “Allow Web 80” -RemoteAddress 192.168.0.2 ``` @@ -205,7 +205,7 @@ In the following example, we assume the query returns a single firewall rule, wh Windows PowerShell -``` syntax +```powershell Get-NetFirewallPortFilter | ?{$_.LocalPort -eq 80} | Get-NetFirewallRule | ?{ $_.Direction –eq “Inbound” -and $_.Action –eq “Allow”} | Set-NetFirewallRule -RemoteAddress 192.168.0.2 ``` @@ -213,7 +213,7 @@ You can also query for rules using the wildcard character. The following example Windows PowerShell -``` syntax +```powershell Get-NetFirewallApplicationFilter -Program "*svchost*" | Get-NetFirewallRule ``` 
@@ -223,7 +223,7 @@ In the following example, we add both inbound and outbound Telnet firewall rules Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Inbound Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” New-NetFirewallRule -DisplayName “Block Outbound Telnet” -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow –Group “Telnet Management” ``` @@ -232,7 +232,7 @@ If the group is not specified at rule creation time, the rule can be added to th Windows PowerShell -``` syntax +```powershell $rule = Get-NetFirewallRule -DisplayName “Allow Inbound Telnet” $rule.Group = “Telnet Management” $rule | Set-NetFirewallRule @@ -250,7 +250,7 @@ netsh advfirewall firewall set rule group="Windows Defender Firewall remote mana Windows PowerShell -``` syntax +```powershell Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” –Enabled True ``` @@ -258,7 +258,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g Windows PowerShell -``` syntax +```powershell Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose ``` @@ -276,7 +276,7 @@ netsh advfirewall firewall delete rule name=“Allow Web 80” Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Allow Web 80” ``` @@ -284,7 +284,7 @@ Like with other cmdlets, you can also query for rules to be removed. Here, all b Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –Action Block ``` @@ -292,7 +292,7 @@ Note that it may be safer to query the rules with the **Get** command and save i Windows PowerShell -``` syntax +```powershell $x = Get-NetFirewallRule –Action Block $x $x[0-3] | Remove-NetFirewallRule 
@@ -306,7 +306,7 @@ The following example returns all firewall rules of the persistent store on a de Windows PowerShell -``` syntax +```powershell Get-NetFirewallRule –CimSession RemoteDevice ``` @@ -314,7 +314,7 @@ We can perform any modifications or view rules on remote devices by simply usin Windows PowerShell -``` syntax +```powershell $RemoteSession = New-CimSession –ComputerName RemoteDevice Remove-NetFirewallRule –DisplayName “AllowWeb80” –CimSession $RemoteSession -Confirm ``` @@ -342,7 +342,7 @@ netsh advfirewall consec add rule name="Require Inbound Authentication" endpoint Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -PolicyStore domain.contoso.com\gpo_name ``` @@ -365,7 +365,7 @@ netsh advfirewall consec add rule name="Require Outbound Authentication" endpoin Windows PowerShell -``` syntax +```powershell $AHandESPQM = New-NetIPsecQuickModeCryptoProposal -Encapsulation AH,ESP –AHHash SHA1 -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “ah:sha1+esp:sha1-des3” -Proposal $AHandESPQM –PolicyStore domain.contoso.com\gpo_name New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request -QuickModeCryptoSet $QMCryptoSet.Name –PolicyStore domain.contoso.com\gpo_name @@ -379,7 +379,7 @@ You can leverage IKEv2 capabilities in Windows Server 2012 by simply specifying Windows PowerShell -``` syntax +```powershell New-NetIPsecRule -DisplayName “Require Inbound Authentication” -InboundSecurity Require -OutboundSecurity Request –Phase1AuthSet MyCertAuthSet -KeyModule IKEv2 –RemoteAddress $nonWindowsGateway ``` 
@@ -395,7 +395,7 @@ Copying individual rules is a task that is not possible through the Netsh interf Windows PowerShell -``` syntax +```powershell $Rule = Get-NetIPsecRule –DisplayName “Require Inbound Authentication” $Rule | Copy-NetIPsecRule –NewPolicyStore domain.costoso.com\new_gpo_name $Rule | Copy-NetPhase1AuthSet –NewPolicyStore domain.costoso.com\new_gpo_name @@ -407,7 +407,7 @@ To handle errors in your Windows PowerShell scripts, you can use the *–ErrorAc Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98” –ErrorAction SilentlyContinue ``` @@ -415,7 +415,7 @@ Note that the use of wildcards can also suppress errors, but they could potentia Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” ``` @@ -423,7 +423,7 @@ When using wildcards, if you want to double-check the set of rules that is match Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –WhatIf ``` @@ -431,7 +431,7 @@ If you only want to delete some of the matched rules, you can use the *–Confir Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Confirm ``` @@ -439,7 +439,7 @@ You can also just perform the whole operation, displaying the name of each rule Windows PowerShell -``` syntax +```powershell Remove-NetFirewallRule –DisplayName “Contoso Messenger 98*” –Verbose ``` @@ -457,7 +457,7 @@ netsh advfirewall consec show rule name=all Windows PowerShell -``` syntax +```powershell Show-NetIPsecRule –PolicyStore ActiveStore ``` @@ -473,7 +473,7 @@ netsh advfirewall monitor show mmsa all Windows PowerShell -``` syntax +```powershell Get-NetIPsecMainModeSA ``` @@ -485,7 +485,7 @@ For objects that come from a GPO (the *–PolicyStoreSourceType* parameter is sp Windows PowerShell -``` syntax +```powershell Get-NetIPsecRule –DisplayName “Require Inbound Authentication” –TracePolicyStore ``` 
@@ -506,7 +506,7 @@ netsh advfirewall consec add rule name=“Basic Domain Isolation Policy” profi Windows PowerShell -``` syntax +```powershell $kerbprop = New-NetIPsecAuthProposal –Machine –Kerberos $Phase1AuthSet = New-NetIPsecPhase1AuthSet -DisplayName "Kerberos Auth Phase1" -Proposal $kerbprop –PolicyStore domain.contoso.com\domain_isolation New-NetIPsecRule –DisplayName “Basic Domain Isolation Policy” –Profile Domain –Phase1AuthSet $Phase1AuthSet.Name –InboundSecurity Require –OutboundSecurity Request –PolicyStore domain.contoso.com\domain_isolation @@ -524,7 +524,7 @@ netsh advfirewall consec add rule name="Tunnel from 192.168.0.0/16 to 192.157.0. Windows PowerShell -``` syntax +```powershell $QMProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA1 -Encryption DES3 $QMCryptoSet = New-NetIPsecQuickModeCryptoSet –DisplayName “esp:sha1-des3” -Proposal $QMProposal New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel -LocalAddress 192.168.0.0/16 -RemoteAddress 192.157.0.0/16 -LocalTunnelEndpoint 1.1.1.1 -RemoteTunnelEndpoint 2.2.2.2 -InboundSecurity Require -OutboundSecurity Require -QuickModeCryptoSet $QMCryptoSet.Name @@ -548,7 +548,7 @@ netsh advfirewall firewall add rule name="Allow Authenticated Telnet" dir=in pro Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName “Allow Authenticated Telnet” -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -Authentication Required -Action Allow ``` @@ -562,7 +562,7 @@ netsh advfirewall consec add rule name="Authenticate Both Computer and User" end Windows PowerShell -``` syntax +```powershell $mkerbauthprop = New-NetIPsecAuthProposal -Machine –Kerberos $mntlmauthprop = New-NetIPsecAuthProposal -Machine -NTLM $P1Auth = New-NetIPsecPhase1AuthSet -DisplayName “Machine Auth” –Proposal $mkerbauthprop,$mntlmauthprop 
@@ -593,7 +593,7 @@ The following example shows you how to create an SDDL string that represents sec Windows PowerShell -``` syntax +```powershell $user = new-object System.Security.Principal.NTAccount (“corp.contoso.com\Administrators”) $SIDofSecureUserGroup = $user.Translate([System.Security.Principal.SecurityIdentifier]).Value $secureUserGroup = "D:(A;;CC;;;$SIDofSecureUserGroup)" @@ -603,7 +603,7 @@ By using the previous scriptlet, you can also get the SDDL string for a secure c Windows PowerShell -``` syntax +```powershell $secureMachineGroup = "D:(A;;CC;;;$SIDofSecureMachineGroup)" ``` @@ -622,7 +622,7 @@ netsh advfirewall firewall add rule name=“Allow Encrypted Inbound Telnet to Gr Windows PowerShell -``` syntax +```powershell New-NetFirewallRule -DisplayName "Allow Encrypted Inbound Telnet to Group Members Only" -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -Direction Inbound -Action Allow -LocalPort 23 -Authentication Required -Encryption Required –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\Server_Isolation ``` @@ -634,7 +634,7 @@ In this example, we set the global IPsec setting to only allow transport mode tr Windows PowerShell -``` syntax +```powershell Set-NetFirewallSetting -RemoteMachineTransportAuthorizationList $secureMachineGroup ``` @@ -653,7 +653,7 @@ netsh advfirewall firewall add rule name="Inbound Secure Bypass Rule" dir=in sec Windows PowerShell -``` syntax +```powershell New-NetFirewallRule –DisplayName “Inbound Secure Bypass Rule" –Direction Inbound –Authentication Required –OverrideBlockRules $true -RemoteMachine $secureMachineGroup –RemoteUser $secureUserGroup –PolicyStore domain.contoso.com\domain_isolation ``` From ce42927cabd759d49fed0c22b302e44e586b2c0d Mon Sep 17 00:00:00 2001 
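Review bot: Style point for the `New-NetFirewallRule` line of the -140,7 hunk, and for every block this patch retags below it: the display names are wrapped in curly quotes (“ ”) and several parameters are prefixed with an en dash (–Protocol, –PolicyStore, –Group). PowerShell's tokenizer accepts both, but now that the fence advertises `powershell` readers will paste these blocks straight into scripts and editors; normalizing to ASCII `"` and `-` (e.g. `-DisplayName "Allow Inbound Telnet"`) avoids copy-paste and linting surprises and matches the netsh lines shown above each block.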
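Review bot: Inconsistency in the -169,7 hunk: its `New-NetFirewallRule` line targets `%SystemRoot%\System32\telnet.exe`, while the -157,7 block that it claims to reproduce ("performs the same actions as the previous example") targets `tlntsvr.exe`. The two examples should name the same program; for an outbound block on TCP 23 the client binary `telnet.exe` is the sensible choice, so the -157 block is the one to change.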
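Review bot: Logic problem in the second line of the -223,7 hunk: the rule is named “Block Outbound Telnet” but is created with `-Action Allow`, so it permits exactly the traffic its name says it blocks, and it carries `-RemoteAddress LocalSubnet` instead of the `-Protocol TCP -LocalPort 23` used by the outbound block in the -157 hunk. Change it to `-Action Block` with the same protocol and port as the earlier example so the grouped pair matches the prose ("both inbound and outbound Telnet firewall rules").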
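Review bot: `$x[0-3]` in the last line of the -292,7 hunk is not a slice. PowerShell evaluates `0-3` as the integer -3, so the pipeline removes only the third rule from the end of `$x`. The range operator is needed: `$x[0..3] | Remove-NetFirewallRule` removes the first four rules, which is what the surrounding text (query with Get, save to a variable, then remove a subset) intends.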
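Review bot: Name mismatch in the -314,7 hunk: `Remove-NetFirewallRule –DisplayName “AllowWeb80”` targets a rule that does not exist elsewhere in this file; the rule created and removed in the -191 and -276 hunks is “Allow Web 80”. `-DisplayName` is an exact match, so the remote-session example as written matches nothing; use the same name in all three places.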
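Review bot: Two problems in the -365,7 hunk. First, the netsh line in the hunk header creates "Require Outbound Authentication", but the `New-NetIPsecRule` call names the rule “Require Inbound Authentication”, the same name the -342 hunk already uses; the PowerShell example should use the outbound name so the pair is comparable. Second, the quick-mode proposal is `-AHHash SHA1 -ESPHash SHA1 -Encryption DES3`; 3DES and SHA-1 are legacy algorithms, and since this block is now a tagged, copy-ready `powershell` example it should show current choices (for instance `-ESPHash SHA256 -Encryption AES256`) or at least state that the weak set is only there to mirror the netsh line.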
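Review bot: `domain.costoso.com` in the second and third lines of the -395,7 hunk is a typo; every other policy store in this file is `domain.contoso.com`. A reader who copies this block will target a domain that does not exist instead of copying the rule and its Phase1 auth set into the new GPO.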
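Review bot: In the -524,7 hunk the PowerShell rule is named “Tunnel from HQ to Dallas Branch” while the netsh line it mirrors is "Tunnel from 192.168.0.0/16 to 192.157.0...", so keep the names aligned for comparison. The tunnel endpoints `1.1.1.1` and `2.2.2.2` and the remote subnet `192.157.0.0/16` are routable public addresses; documentation examples should use the RFC 5737 ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) or private space. The same legacy `-ESPHash SHA1 -Encryption DES3` proposal flagged in the -365 hunk appears here as well.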
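Review bot: `$SIDofSecureMachineGroup` is used in the -603,7 hunk but never assigned; only `$SIDofSecureUserGroup` is derived (via `NTAccount` and `Translate`) in the -593 hunk. Since the text tells the reader to reuse the previous scriptlet, either show the two-line lookup for the machine group or name the variable the reader is expected to create, otherwise the SDDL string expands to `D:(A;;CC;;;)` and the later `-RemoteMachine $secureMachineGroup` and `Set-NetFirewallSetting` examples inherit the empty SID.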
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 11:49:39 +0530 Subject: [PATCH 117/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 4ddd16a1f3..c85241effb 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -58,7 +58,7 @@ This can only be done in Group Policy. 1. Download the latest [Administrative Templates (.admx) for Windows 10, v1809](https://www.microsoft.com/download/details.aspx?id=57576). -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. From 5c507fb6bf8243eb1af1bb026072a64840f3c8ee Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 11:50:19 +0530 Subject: [PATCH 118/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index c85241effb..cb14c4f7bd 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -77,7 +77,6 @@ This can only be done in Group Policy. >[!IMPORTANT] - >### Requirements > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. From febe7c706ae43898a0d1aef263195d325e89ef6e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 18 Jul 2019 11:51:12 +0530 Subject: [PATCH 119/248] Update windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md agreed Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-security-center/wdsc-hide-notifications.md | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index cb14c4f7bd..67bbc627e5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -76,7 +76,6 @@ You can hide all notifications that are sourced from the Windows Security app. T This can only be done in Group Policy. >[!IMPORTANT] - >### Requirements > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. From 59dc426cb9a9f20946d8ede98b9cee68fcd40d03 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 19 Jul 2019 09:54:18 +0500 Subject: [PATCH 120/248] Data protection for user profile data As the user has reported that if user profile data is in any other drive instead of Windows installed profile location WDAG gives an error. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4377 --- .../enable-controlled-folders-exploit-guard.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 29ed15335f..938a3a3512 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md 
@@ -53,6 +53,8 @@ For more information about disabling local list merging, see [Prevent or allow u >If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. >If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. +>If you are protecting user profile data, it is recommended that user profile should be on default Windows installation drive. + ## Intune 1. Sign in to the [Azure portal](https://portal.azure.com) and open Intune. From 9744468a7a4843e3cc28426d833e05f14e96ef0e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 19 Jul 2019 11:27:14 +0500 Subject: [PATCH 121/248] Google Drive Config for WIP Added a use case where user can block Google Drive not to sync WIP protected files. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4342 --- .../testing-scenarios-for-wip.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 08af5d2456..c076d6d52c 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -172,6 +172,17 @@ You can try any of the processes included in these scenarios, but you should foc + + Stop Google Drive to sync WIP protected files and folders. + +
    +
  • In silent configuration add Google Drive in Protected Apps and set it to Deny. This way Google Drive will not sync WIP protected files and folders.
  • +
  • Google Drive details
  • + Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US + File=GOOGLEDRIVESYNC.EXE +
+ + >[!NOTE] From 4d6191054dd6c7718c0e5364670e8962427bf57c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 20 Jul 2019 00:14:24 +0500 Subject: [PATCH 122/248] Update windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../windows-information-protection/testing-scenarios-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index c076d6d52c..48b64f7054 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -173,7 +173,7 @@ You can try any of the processes included in these scenarios, but you should foc - Stop Google Drive to sync WIP protected files and folders. + Stop Google Drive from syncing WIP protected files and folders.
  • In silent configuration add Google Drive in Protected Apps and set it to Deny. This way Google Drive will not sync WIP protected files and folders.
  • From 76f80125765fb2812f95f70089e82f00c07f2b5b Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 20 Jul 2019 00:14:49 +0500 Subject: [PATCH 123/248] Update windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../windows-information-protection/testing-scenarios-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index 48b64f7054..f5c7d7c720 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -176,7 +176,7 @@ You can try any of the processes included in these scenarios, but you should foc Stop Google Drive from syncing WIP protected files and folders.
      -
    • In silent configuration add Google Drive in Protected Apps and set it to Deny. This way Google Drive will not sync WIP protected files and folders.
    • +
    • In silent configuration, add Google Drive in Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.
    • Google Drive details
    • Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US File=GOOGLEDRIVESYNC.EXE From f724cc07d46f9efec4a5010267d518d77108c8a4 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 20 Jul 2019 00:16:44 +0500 Subject: [PATCH 124/248] Update windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../enable-controlled-folders-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 938a3a3512..c6c845ae2d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -53,7 +53,7 @@ For more information about disabling local list merging, see [Prevent or allow u >If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. >If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. ->If you are protecting user profile data, it is recommended that user profile should be on default Windows installation drive. +>If you are protecting user profile data, it is recommended that the user profile should be on the default Windows installation drive. ## Intune From 87430441c45f858cbcd0fc6beb0acfae7af0f626 Mon Sep 17 00:00:00 2001 
From: arcarley <52137849+arcarley@users.noreply.github.com> Date: Fri, 19 Jul 2019 12:42:58 -0700 Subject: [PATCH 125/248] Update policy-csp-update.md In 1903 we deprecated the value of 32 and combined Semi-Annual Channel (Targeted) with the Semi-Annual Channel. We need to communicate this change in the documentation. --- windows/client-management/mdm/policy-csp-update.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index e4c57fa46a..6548aba8fa 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -1053,7 +1053,7 @@ Supported values: -Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. +Added in Windows 10, version 1607. Allows the IT admin to set which branch a device receives their updates from. As of 1903, the branch readiness levels of Semi-Annual Channel (Targeted) and Semi-Annual Channel have been combined into one Semi-Annual Channel set with a value of 16. For devices on 1903 and later releases, the value of 32 is not a supported value. 
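Review bot: The sentence added in the -1053,7 hunk says the two readiness levels "have been combined into one Semi-Annual Channel set with a value of 16", yet the -1071 hunk below still labels value 16 as "Semi-annual Channel (Targeted)". Update the 16 entry so the list and the paragraph agree, for example "16 {0x10} - (default) Semi-annual Channel. Device gets all applicable feature updates from the Semi-annual Channel (Semi-annual Channel (Targeted) on releases prior to 1903)". The paragraph should also say how a device on 1903 or later treats a policy that already carries 32 (ignored, or treated as 16), since "not a supported value" leaves that open. Use one spelling as well: the paragraph writes "Semi-Annual Channel", the list "Semi-annual Channel".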
@@ -1071,8 +1071,8 @@ The following list shows the supported values: - 2 {0x2} - Windows Insider build - Fast (added in Windows 10, version 1709) - 4 {0x4} - Windows Insider build - Slow (added in Windows 10, version 1709) - 8 {0x8} - Release Windows Insider build (added in Windows 10, version 1709) -- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). -- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. +- 16 {0x10} - (default) Semi-annual Channel (Targeted). Device gets all applicable feature updates from Semi-annual Channel (Targeted). +- 32 {0x20} - Semi-annual Channel. Device gets feature updates from Semi-annual Channel. (*Only applicable to releases prior to 1903) From 75847423023340dec7ea6489680918070814e537 Mon Sep 17 00:00:00 2001 
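Review bot: The "(*Only applicable to releases prior to 1903)" appended to the value-32 line in the -1071,8 hunk uses an asterisk that points to no footnote; write it as a plain parenthetical or add the footnote it refers to. The value-16 line appears as both removed and added with identical visible text, which suggests a whitespace-only change; if nothing else differs on that line, drop it from the diff so the hunk stays focused on the 32 change.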
From: Nick Schonning Date: Fri, 19 Jul 2019 02:55:16 -0400 Subject: [PATCH 126/248] chore: Replace tab after unordered list marker --- devices/hololens/hololens-encryption.md | 2 +- devices/hololens/hololens-updates.md | 6 +- .../client-management/mdm/devicestatus-csp.md | 34 +++--- .../mdm/enable-admx-backed-policies-in-mdm.md | 8 +- .../mdm/esim-enterprise-management.md | 18 ++-- .../mdm/networkqospolicy-csp.md | 10 +- .../mdm/policy-csp-browser.md | 6 +- .../mdm/policy-csp-settings.md | 10 +- .../mdm/understanding-admx-backed-policies.md | 22 ++-- .../troubleshoot-stop-errors.md | 4 +- .../troubleshoot-windows-freeze.md | 4 +- .../windows-10-mobile-and-mdm.md | 28 ++--- .../windows-10-accessibility-for-ITPros.md | 6 +- ...ws-diagnostic-data-in-your-organization.md | 32 +++--- windows/privacy/gdpr-win10-whitepaper.md | 6 +- .../privacy/manage-windows-1709-endpoints.md | 10 +- .../privacy/manage-windows-1803-endpoints.md | 10 +- .../privacy/manage-windows-1809-endpoints.md | 10 +- .../privacy/manage-windows-1903-endpoints.md | 10 +- .../credential-guard-known-issues.md | 20 ++-- .../microsoft-defender-atp/alerts-queue.md | 8 +- ...ormation-protection-in-windows-overview.md | 4 +- .../microsoft-defender-atp/isolate-machine.md | 4 +- .../respond-machine-alerts.md | 2 +- .../security-operations-dashboard.md | 2 +- .../troubleshoot-onboarding.md | 4 +- .../whats-new-in-microsoft-defender-atp.md | 8 +- .../windows-10-mobile-security-guide.md | 100 +++++++++--------- 28 files changed, 194 insertions(+), 194 deletions(-) diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index 8cbeaf26eb..838674f0dc 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md 
@@ -102,6 +102,6 @@ Provisioning packages are files created by the Windows Configuration Designer to Encryption is silent on HoloLens. To verify the device encryption status: -- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted. +- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted. ![About screen showing BitLocker enabled](images/about-encryption.png) diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md index ef830c3525..418cfce2d9 100644 --- a/devices/hololens/hololens-updates.md +++ b/devices/hololens/hololens-updates.md 
@@ -22,9 +22,9 @@ manager: dansimp For a complete list of Update policies, see [Policies supported by Windows Holographic for Business](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#a-href-idhololenspoliciesapolicies-supported-by-windows-holographic-for-business). To configure how and when updates are applied, use the following policies: -- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) -- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) -- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) +- [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) +- [Update/ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallday) +- [Update/ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalltime) To turn off the automatic check for updates, set the following policy to value **5** – Turn off Automatic Updates: - [Update/AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautoupdate) diff --git a/windows/client-management/mdm/devicestatus-csp.md b/windows/client-management/mdm/devicestatus-csp.md index 8d704d0165..2191e66e9c 100644 --- a/windows/client-management/mdm/devicestatus-csp.md +++ b/windows/client-management/mdm/devicestatus-csp.md 
@@ -277,23 +277,23 @@ Supported operation is Get. **DeviceStatus/DeviceGuard/VirtualizationBasedSecurityHwReq** Added in Windows, version 1709. Virtualization-based security hardware requirement status. The value is a 256 value bitmask. -- 0x0: System meets hardware configuration requirements -- 0x1: SecureBoot required -- 0x2: DMA Protection required -- 0x4: HyperV not supported for Guest VM -- 0x8: HyperV feature is not available +- 0x0: System meets hardware configuration requirements +- 0x1: SecureBoot required +- 0x2: DMA Protection required +- 0x4: HyperV not supported for Guest VM +- 0x8: HyperV feature is not available Supported operation is Get. **DeviceStatus/DeviceGuard/VirtualizationBasedSecurityStatus** Added in Windows, version 1709. Virtualization-based security status. Value is one of the following: -- 0 - Running -- 1 - Reboot required -- 2 - 64 bit architecture required -- 3 - not licensed -- 4 - not configured -- 5 - System doesn't meet hardware requirements -- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details +- 0 - Running +- 1 - Reboot required +- 2 - 64 bit architecture required +- 3 - not licensed +- 4 - not configured +- 5 - System doesn't meet hardware requirements +- 42 – Other. Event logs in Microsoft-Windows-DeviceGuard have more details Supported operation is Get. @@ -301,11 +301,11 @@ Supported operation is Get. **DeviceStatus/DeviceGuard/LsaCfgCredGuardStatus** Added in Windows, version 1709. Local System Authority (LSA) credential guard status. -- 0 - Running -- 1 - Reboot required -- 2 - Not licensed for Credential Guard -- 3 - Not configured -- 4 - VBS not running +- 0 - Running +- 1 - Reboot required +- 2 - Not licensed for Credential Guard +- 3 - Not configured +- 4 - VBS not running Supported operation is Get. diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index f97a70c2f7..fe5a5b2d1e 100644 
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -19,10 +19,10 @@ This is a step-by-step guide to configuring ADMX-backed policies in MDM. Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of select Group Policy administrative templates (ADMX-backed policies) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: -- Find the policy from the list ADMX-backed policies. -- Find the Group Policy related information from the MDM policy description. -- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. -- Create the data payload for the SyncML. +- Find the policy from the list ADMX-backed policies. +- Find the Group Policy related information from the MDM policy description. +- Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. +- Create the data payload for the SyncML. See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) for a walk-through using Intune. diff --git a/windows/client-management/mdm/esim-enterprise-management.md b/windows/client-management/mdm/esim-enterprise-management.md index 1fad0a54a6..386f5a8c48 100644 --- a/windows/client-management/mdm/esim-enterprise-management.md +++ b/windows/client-management/mdm/esim-enterprise-management.md 
@@ -14,13 +14,13 @@ ms.topic: # How Mobile Device Management Providers support eSIM Management on Windows The eSIM Profile Management Solution puts the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to leverage an already existing solution that customers are familiar with and that they use to manage devices. The expectations from an MDM are that it will leverage the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and installation happens on the background and not impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management. If you are a Mobile Device Management (MDM) Provider and would like to support eSIM Management on Windows, you should do the following: -- Onboard to Azure Active Directory -- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. 
This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. -- Assess solution type that you would like to provide your customers -- Batch/offline solution -- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. -- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to -- Real-time solution -- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. -- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used +- Onboard to Azure Active Directory +- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. 
Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Window OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, please contact them and learn more about their onboarding. If you would like to support multiple mobile operators, [orchestrator providers]( https://www.idemia.com/esim-management-facilitation) are there to act as a proxy that will handle MDM onboarding as well as mobile operator onboarding. Their main [role]( https://www.idemia.com/smart-connect-hub) is to enable the process to be as painless but scalable to all parties. +- Assess solution type that you would like to provide your customers +- Batch/offline solution +- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices. +- Operator does not have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to +- Real-time solution +- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time. +- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used **Note:** The solution type is not noticeable to the end-user. The choice between the two is made between the MDM and the Mobile Operator. diff --git a/windows/client-management/mdm/networkqospolicy-csp.md b/windows/client-management/mdm/networkqospolicy-csp.md index 564059ef4e..e35af4bde2 100644 
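Review bot: the "Contact mobile operators directly or contact orchestrator providers" bullet still carries its paragraph twice in the `+` lines (the text from "Contact mobile operators directly" through "according to the company policies." appears back to back), so this rewrite of the bullet preserves a duplicate the reader hits immediately; since the line is being replaced anyway, drop the second copy and correct "Window OMA-DM" to "Windows OMA-DM" in the same change. The other `-`/`+` pairs in the hunk render identically, so if this is trailing-whitespace cleanup, `git diff --ignore-all-space` on the commit should come back empty and the commit message should say that is all it does.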
--- a/windows/client-management/mdm/networkqospolicy-csp.md +++ b/windows/client-management/mdm/networkqospolicy-csp.md @@ -16,13 +16,13 @@ manager: dansimp The NetworkQoSPolicy configuration service provider creates network Quality of Service (QoS) policies. A QoS policy performs a set of actions on network traffic based on a set of matching conditions. This CSP was added in Windows 10, version 1703. The following conditions are supported: -- Network traffic from a specific application name -- Network traffic from specific source or destination ports -- Network traffic from a specific IP protocol (TCP, UDP, or both) +- Network traffic from a specific application name +- Network traffic from specific source or destination ports +- Network traffic from a specific IP protocol (TCP, UDP, or both) The following actions are supported: -- Layer 2 tagging using a IEEE 802.1p priority value -- Layer 3 tagging using a differentiated services code point (DSCP) value +- Layer 2 tagging using a IEEE 802.1p priority value +- Layer 3 tagging using a differentiated services code point (DSCP) value > [!NOTE] > The NetworkQoSPolicy configuration service provider is supported only in Microsoft Surface Hub. diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index b49fa49949..aad7447b3e 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -633,9 +633,9 @@ ADMX Info: Supported values: -- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit. -- 0 - Never send tracking information. -- 1 - Send tracking information. +- Blank (default) - Do not send tracking information but let users choose to send tracking information to sites they visit. +- 0 - Never send tracking information. +- 1 - Send tracking information. Most restricted value: 1 
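Review bot: "Layer 2 tagging using a IEEE 802.1p priority value" should read "an IEEE 802.1p priority value"; the hunk rewrites that line, so fix the article here rather than in a later pass. Beyond that, every `-`/`+` pair in this hunk and in the policy-csp-browser hunk that follows it is identical as rendered, so only whitespace changed; an empty `git diff --ignore-all-space` for these two files is enough to approve them without a content review.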
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md index cecaec5871..0c2b8a9c14 100644 --- a/windows/client-management/mdm/policy-csp-settings.md +++ b/windows/client-management/mdm/policy-csp-settings.md @@ -806,11 +806,11 @@ If the policy is not specified, the behavior will be that no pages are affected. The format of the PageVisibilityList value is as follows: -- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. -- There are two variants: one that shows only the given pages and one which hides the given pages. -- The first variant starts with the string "showonly:" and the second with the string "hide:". -- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. -- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". +- The value is a unicode string up to 10,000 characters long, which will be used without case sensitivity. +- There are two variants: one that shows only the given pages and one which hides the given pages. +- The first variant starts with the string "showonly:" and the second with the string "hide:". +- Following the variant identifier is a semicolon-delimited list of page identifiers, which must not have any extra whitespace. +- Each page identifier is the ms-settings:xyz URI for the page, minus the ms-settings: prefix, so the identifier for the page with URI "ms-settings:network-wifi" would be just "network-wifi". The default value for this setting is an empty string, which is interpreted as show everything. diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md index 233e581a91..33001ff094 100644 
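Review bot: the PageVisibilityList rules are rewritten here without a single literal value, and the whitespace rule ("must not have any extra whitespace") is the one admins get wrong; add one line after the list such as `showonly:network-wifi` or `hide:network-wifi` (the only page identifier the text itself uses) so the variant prefix, the colon and the absence of spaces are visible in one place. The `-`/`+` lines themselves differ only in whitespace.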
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md +++ b/windows/client-management/mdm/understanding-admx-backed-policies.md @@ -23,8 +23,8 @@ In addition to standard policies, the Policy CSP can now also handle ADMX-backed ADMX files can either describe operating system (OS) Group Policies that are shipped with Windows or they can describe settings of applications, which are separate from the OS and can usually be downloaded and installed on a PC. Depending on the specific category of the settings that they control (OS or application), the administrative template settings are found in the following two locations in the Local Group Policy Editor: -- OS settings: Computer Configuration/Administrative Templates -- Application settings: User Configuration/Administrative Templates +- OS settings: Computer Configuration/Administrative Templates +- Application settings: User Configuration/Administrative Templates In a domain controller/Group Policy ecosystem, Group Policies are automatically added to the registry of the client computer or user profile by the Administrative Templates Client Side Extension (CSE) whenever the client computer processes a Group Policy. Conversely, in an MDM-managed client, ADMX files are leveraged to define policies independent of Group Policies. Therefore, in an MDM-managed client, a Group Policy infrastructure, including the Group Policy Service (gpsvc.exe), is not required. 
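Review bot: the two lines rewritten here, "OS settings: Computer Configuration/Administrative Templates" and "Application settings: User Configuration/Administrative Templates", tie the OS-versus-application distinction to the Computer-versus-User node, which is a different axis: the Local Group Policy Editor shows Administrative Templates under both nodes, and an application ADMX can define settings under either. Since the lines are being replaced anyway, reword them to say that both kinds of settings appear under Administrative Templates in Computer Configuration or User Configuration according to the policy's scope. Otherwise the change is whitespace-only.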
@@ -42,17 +42,17 @@ To capture the end-to-end MDM handling of ADMX Group Policies, an IT administrat The ADMX file that the MDM ISV uses to determine what UI to display to the IT administrator is the same ADMX file that the client uses for the policy definition. The ADMX file is processed either by the OS at build time or set by the client at OS runtime. In either case, the client and the MDM ISV must be synchronized with the ADMX policy definitions. Each ADMX file corresponds to a Group Policy category and typically contains several policy definitions, each of which represents a single Group Policy. For example, the policy definition for the “Publishing Server 2 Settings” is contained in the appv.admx file, which holds the policy definitions for the Microsoft Application Virtualization (App-V) Group Policy category. Group Policy option button setting: -- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. - - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition. +- If **Enabled** is selected, the necessary data entry controls are displayed for the user in the UI. When IT administrator enters the data and clicks **Apply**, the following events occur: + - The MDM ISV server sets up a Replace SyncML command with a payload that contains the user-entered data. + - The MDM client stack receives this data, which causes the Policy CSP to update the device’s registry per the ADMX-backed policy definition. -- If **Disabled** is selected and you click **Apply**, the following events occur: - - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. 
- - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition. +- If **Disabled** is selected and you click **Apply**, the following events occur: + - The MDM ISV server sets up a Replace SyncML command with a payload set to ``. + - The MDM client stack receives this command, which causes the Policy CSP to either delete the device’s registry settings, set the registry keys, or both, per the state change directed by the ADMX-backed policy definition. -- If **Not Configured** is selected and you click **Apply**, the following events occur: - - MDM ISV server sets up a Delete SyncML command. - - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition. +- If **Not Configured** is selected and you click **Apply**, the following events occur: + - MDM ISV server sets up a Delete SyncML command. + - The MDM client stack receives this command, which causes the Policy CSP to delete the device’s registry settings per the ADMX-backed policy definition. The following diagram shows the main display for the Group Policy Editor. diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md index 26d48d6ccb..0c13fc8950 100644 --- a/windows/client-management/troubleshoot-stop-errors.md +++ b/windows/client-management/troubleshoot-stop-errors.md 
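Review bot: the "Disabled" branch in this hunk ends with "a payload set to ``", an empty code span, so the rewritten line tells an MDM ISV to send a Replace with no value; whatever literal belongs between the backticks has been lost (the shape is consistent with an angle-bracketed token being swallowed as markup). Put the intended payload back inside the code span and check the rendered page as well as the source, because the same stripping would hide it there too. The "Enabled" and "Not Configured" branches change only in whitespace.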
@@ -107,8 +107,8 @@ You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that More information on how to use Dumpchk.exe to check your dump files: -- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) ### Pagefile Settings diff --git a/windows/client-management/troubleshoot-windows-freeze.md b/windows/client-management/troubleshoot-windows-freeze.md index 920e5a1ff0..664dc7700e 100644 --- a/windows/client-management/troubleshoot-windows-freeze.md +++ b/windows/client-management/troubleshoot-windows-freeze.md @@ -145,8 +145,8 @@ If the computer is no longer frozen and now is running in a good state, use the Use the Dump Check Utility (Dumpchk.exe) to read a memory dump file or verify that the file was created correctly. You can use the Microsoft DumpChk (Crash Dump File Checker) tool to verify that the memory dump files are not corrupted or invalid. -- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) -- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) +- [Using DumpChk]( https://docs.microsoft.com/windows-hardware/drivers/debugger/dumpchk) +- [Download DumpCheck](https://developer.microsoft.com/windows/downloads/windows-10-sdk) Learn how to use Dumpchk.exe to check your dump files: diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 3dc34d0551..9790bdb770 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md 
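Review bot: both link lines rewritten here keep a leading space inside the URL, "[Using DumpChk]( https://docs.microsoft.com/...)", and the download link is labelled "DumpCheck" while the tool and the first link call it "DumpChk"; since the same two lines are being replaced in both troubleshoot-stop-errors.md and troubleshoot-windows-freeze.md, remove the space and use "DumpChk" consistently in both files. There are no other content changes in either hunk.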
@@ -27,11 +27,11 @@ Employees increasingly depend on smartphones to complete daily work tasks, but t Windows 10 supports end-to-end device lifecycle management to give companies control over their devices, data, and apps. Devices can easily be incorporated into standard lifecycle practices, from device enrollment, configuration, and application management to maintenance, monitoring, and retirement using a comprehensive mobile device management solution. **In this article** -- [Deploy](#deploy) -- [Configure](#configure) -- [Apps](#apps) -- [Manage](#manage) -- [Retire](#retire) +- [Deploy](#deploy) +- [Configure](#configure) +- [Apps](#apps) +- [Manage](#manage) +- [Retire](#retire) ## Deploy @@ -365,18 +365,18 @@ You can define and deploy APN profiles in MDM systems that configure cellular da - **APN name** The APN name - *IP connection type* The IP connection type; set to one of the following values: - - IPv4 only - - IPv6 only - - IPv4 and IPv6 concurrently - - IPv6 with IPv4 provided by 46xlat + - IPv4 only + - IPv6 only + - IPv4 and IPv6 concurrently + - IPv6 with IPv4 provided by 46xlat - **LTE attached** Whether the APN should be attached as part of an LTE Attach - **APN class ID** The globally unique identifier that defines the APN class to the modem - **APN authentication type** The APN authentication type; set to one of the following values: - - None - - Auto - - PAP - - CHAP - - MSCHAPv2 + - None + - Auto + - PAP + - CHAP + - MSCHAPv2 - **User name** The user account when users select Password Authentication Protocol (PAP), CHAP, or MSCHAPv2 authentication in APN authentication type - **Password** The password for the user account specified in User name - **Integrated circuit card ID** The integrated circuit card ID associated with the cellular connection profile diff --git a/windows/configuration/windows-10-accessibility-for-ITPros.md b/windows/configuration/windows-10-accessibility-for-ITPros.md index 8516293eec..b4d228ce4e 100644 
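Review bot: in the APN profile hunk, "IPv6 with IPv4 provided by 46xlat" should be "464XLAT" (the RFC 6877 name), and "*IP connection type*" is italic while every sibling field name in the list ("**APN name**", "**LTE attached**", "**APN authentication type**") is bold; fix both while these lines are being rewritten. The "In this article" hunk above it and the remaining `-`/`+` pairs are whitespace-only.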
--- a/windows/configuration/windows-10-accessibility-for-ITPros.md +++ b/windows/configuration/windows-10-accessibility-for-ITPros.md @@ -19,9 +19,9 @@ Microsoft is dedicated to making its products and services accessible and usable This topic helps IT administrators learn about built-in accessibility features, and includes a few recommendations for how to support people in your organization who use these features. ## General recommendations -- **Be aware of Ease of Access settings** – Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows 10. -- **Do not block settings** – Avoid using Group Policy or MDM settings that override Ease of Access settings. -- **Encourage choice** – Allow people in your organization to customize their computers based on their needs. That might mean installing an add-on for their browser, or a non-Microsoft assistive technology. +- **Be aware of Ease of Access settings** – Understand how people in your organization might use these settings. Help people in your organization learn how they can customize Windows 10. +- **Do not block settings** – Avoid using Group Policy or MDM settings that override Ease of Access settings. +- **Encourage choice** – Allow people in your organization to customize their computers based on their needs. That might mean installing an add-on for their browser, or a non-Microsoft assistive technology. ## Vision diff --git a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md index acef50c475..aed5ac00b0 100644 --- a/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md +++ b/windows/privacy/configure-windows-diagnostic-data-in-your-organization.md 
@@ -36,12 +36,12 @@ At Microsoft, we use Windows diagnostic data to inform our decisions and focus o To frame a discussion about diagnostic data, it is important to understand Microsoft’s privacy principles. We earn customer trust every day by focusing on six key privacy principles as described at [privacy.microsoft.com](https://privacy.microsoft.com/). These principles guided the implementation of the Windows diagnostic data system in the following ways: -- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. -- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. -- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. -- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. -- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. -- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. +- **Control.** We offer customers control of the diagnostic data they share with us by providing easy-to-use management tools. +- **Transparency.** We provide information about the diagnostic data that Windows and Windows Server collects so our customers can make informed decisions. +- **Security.** We encrypt diagnostic data in transit from your device via TLS 1.2, and additionally use certificate pinning to secure the connection. 
+- **Strong legal protections.** We respect customers’ local privacy laws and fight for legal protection of their privacy as a fundamental human right. +- **No content-based targeting.** We take steps to avoid and minimize the collection of customer content, such as the content of files, chats, or emails, through the Windows diagnostic data system. Customer content inadvertently collected is kept confidential and not used for user targeting. +- **Benefits to you.** We collect Windows diagnostic data to help provide you with an up-to-date, more secure, reliable and performant product, and to improve Windows for all our customers. In previous versions of Windows and Windows Server, Microsoft used diagnostic data to check for updated or new Windows Defender signatures, check whether Windows Update installations were successful, gather reliability information through the Reliability Analysis Component (RAC), and gather reliability information through the Windows Customer Experience Improvement Program (CEIP) on Windows. In Windows 10 and Windows Server, you can control diagnostic data streams by using the Privacy option in Settings, Group Policy, or MDM. 
@@ -56,16 +56,16 @@ The release cadence of Windows may be fast, so feedback is critical to its succe ### What is Windows diagnostic data? Windows diagnostic data is vital technical data from Windows devices about the device and how Windows and related software are performing. It's used in the following ways: -- Keep Windows up to date -- Keep Windows secure, reliable, and performant -- Improve Windows – through the aggregate analysis of the use of Windows -- Personalize Windows engagement surfaces +- Keep Windows up to date +- Keep Windows secure, reliable, and performant +- Improve Windows – through the aggregate analysis of the use of Windows +- Personalize Windows engagement surfaces Here are some specific examples of Windows diagnostic data: -- Type of hardware being used -- Applications installed and usage details -- Reliability information on device drivers +- Type of hardware being used +- Applications installed and usage details +- Reliability information on device drivers ### What is NOT diagnostic data? 
@@ -96,9 +96,9 @@ There was a version of a video driver that was crashing on some devices running Windows diagnostic data also helps Microsoft better understand how customers use (or do not use) the operating system’s features and related services. The insights we gain from this data helps us prioritize our engineering effort to directly impact our customers’ experiences. Examples are: -- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. -- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. -- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. +- **Start menu.** How do people change the Start menu layout? Do they pin other apps to it? Are there any apps that they frequently unpin? We use this dataset to adjust the default Start menu layout to better reflect people’s expectations when they turn on their device for the first time. +- **Cortana.** We use diagnostic data to monitor the scalability of our cloud service, improving search performance. +- **Application switching.** Research and observations from earlier Windows versions showed that people rarely used Alt+Tab to switch between applications. 
After discussing this with some users, we learned they loved the feature, saying that it would be highly productive, but they did not know about it previously. Based on this, we created the Task View button in Windows 10 to make this feature more discoverable. Later diagnostic data showed significantly higher usage of this feature. **These examples show how the use of diagnostic data enables Microsoft to build or enhance features which can help organizations increase employee productivity while lowering help desk calls.** diff --git a/windows/privacy/gdpr-win10-whitepaper.md b/windows/privacy/gdpr-win10-whitepaper.md index 4797029729..3ad1a4a14e 100644 --- a/windows/privacy/gdpr-win10-whitepaper.md +++ b/windows/privacy/gdpr-win10-whitepaper.md @@ -105,11 +105,11 @@ A key provision within the GDPR is data protection by design and by default, and The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software is unable to tamper with the security functions of the TPM. Some of the key advantages of using TPM technology are that you can: -- Generate, store, and limit the use of cryptographic keys. +- Generate, store, and limit the use of cryptographic keys. -- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. +- Use TPM technology for platform device authentication by using the TPM’s unique RSA key, which is burned into itself. -- Help to ensure platform integrity by taking and storing security measurements. +- Help to ensure platform integrity by taking and storing security measurements. Additional advanced device protection relevant to your operating without data breaches include Windows Trusted Boot to help maintain the integrity of the system by ensuring malware is unable to start before system defenses. diff --git a/windows/privacy/manage-windows-1709-endpoints.md b/windows/privacy/manage-windows-1709-endpoints.md index 4f007d6da6..ae5da4bba4 100644 
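Review bot: "the TPM's unique RSA key, which is burned into itself" in the gdpr-win10-whitepaper hunk is imprecise wording that the rewrite keeps; the key meant is the endorsement key, so say "the TPM's endorsement key (EK), which is unique to the chip and never leaves it" or similar. The Start menu / Cortana / Application switching hunk above it changes only whitespace, but the "Application switching" bullet appears split across two lines in the `+` copy here; confirm that is an artifact of how this page was captured and that the bullet is still one line in the file.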
--- a/windows/privacy/manage-windows-1709-endpoints.md +++ b/windows/privacy/manage-windows-1709-endpoints.md @@ -23,11 +23,11 @@ ms.reviewer: Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/privacy/manage-windows-1803-endpoints.md b/windows/privacy/manage-windows-1803-endpoints.md index c8c4bffe0c..2ad044d990 100644 --- a/windows/privacy/manage-windows-1803-endpoints.md +++ b/windows/privacy/manage-windows-1803-endpoints.md 
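Review bot: whitespace-only; the five example bullets render identically before and after. Nothing else to change for the 1709 file, but the same five bullets and the same intro sentence are duplicated verbatim across the 1709, 1803, 1809 and 1903 endpoint pages touched by this commit, so any future wording fix has to be applied four times; consider moving the shared text into an include so the four pages cannot drift.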
@@ -23,11 +23,11 @@ ms.reviewer: Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/privacy/manage-windows-1809-endpoints.md b/windows/privacy/manage-windows-1809-endpoints.md index 2f2f90b82d..f574f6409d 100644 --- a/windows/privacy/manage-windows-1809-endpoints.md +++ b/windows/privacy/manage-windows-1809-endpoints.md 
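Review bot: the context line right after the rewritten bullets in manage-windows-1803-endpoints.md still says "a clean installation of Windows 10, version 1709 and later", which reads as a copy from the 1709 page; while this file is open, change it to version 1803. The bullets themselves differ from the `-` lines only in whitespace.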
@@ -23,11 +23,11 @@ ms.reviewer: Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/privacy/manage-windows-1903-endpoints.md b/windows/privacy/manage-windows-1903-endpoints.md index 4bbb0ad085..104167ec70 100644 --- a/windows/privacy/manage-windows-1903-endpoints.md +++ b/windows/privacy/manage-windows-1903-endpoints.md 
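Review bot: manage-windows-1809-endpoints.md also describes its list as covering "a clean installation of Windows 10, version 1709 and later" in the unchanged line below the rewritten bullets; that version should be 1809 for this page. The bullet rewrite is whitespace-only.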
@@ -22,11 +22,11 @@ ms.date: 5/3/2019 Some Windows components, app, and related services transfer data to Microsoft network endpoints. Some examples include: -- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. -- Connecting to email servers to send and receive email. -- Connecting to the web for every day web browsing. -- Connecting to the cloud to store and access backups. -- Using your location to show a weather forecast. +- Connecting to Microsoft Office and Windows sites to download the latest app and security updates. +- Connecting to email servers to send and receive email. +- Connecting to the web for every day web browsing. +- Connecting to the cloud to store and access backups. +- Using your location to show a weather forecast. This article lists different endpoints that are available on a clean installation of Windows 10, version 1709 and later. Details about the different ways to control traffic to these endpoints are covered in [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md). diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md index 1a19c1ea01..e50ae1fdfb 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md 
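Review bot: manage-windows-1903-endpoints.md carries the same "version 1709 and later" sentence after the bullets rewritten here, so the version-specific page states the wrong release; correct it to 1903 in this change. The `-`/`+` bullets are identical as rendered.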
@@ -34,14 +34,14 @@ The following known issue has been fixed in the [Cumulative Security Update for The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017: -- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) +- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217) This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221) -- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) +- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview) - This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems: + This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems: - Windows 10 Version 1607 and Windows Server 2016: [KB4015217 (OS Build 14393.1066 and 14393.1083)](https://support.microsoft.com/help/4015217) 
@@ -52,30 +52,30 @@ The following known issues have been fixed by servicing releases made available The following issue affects the Java GSS API. See the following Oracle bug database article: -- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) +- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921) When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements). The following issue affects Cisco AnyConnect Secure Mobility Client: -- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* +- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \* *Registration required to access this article. 
The following issue affects McAfee Application and Change Control (MACC): -- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] +- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1] The following issue affects AppSense Environment Manager. For further information, see the following Knowledge Base article: -- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** +- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \** The following issue affects Citrix applications: -- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1] +- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1] [1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. 
For technical and troubleshooting information, see the following Microsoft Knowledge Base article: -- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786) +- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786) For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](https://msdn.microsoft.com/library/windows/desktop/mt809132(v=vs.85).aspx) @@ -86,7 +86,7 @@ For further technical information on LSAISO.exe, see the MSDN article: [Isolated ## Vendor support See the following article on Citrix support for Secure Boot: -- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) +- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/) Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions: diff --git a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md index a3455dcc67..0379951dbd 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md +++ b/windows/security/threat-protection/microsoft-defender-atp/alerts-queue.md 
@@ -58,10 +58,10 @@ The Windows Defender AV threat severity represents the absolute severity of the The Microsoft Defender ATP alert severity represents the severity of the detected behavior, the actual risk to the machine but more importantly the potential risk to the organization. So, for example: -- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. -- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. -- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". -- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. +- The severity of a Microsoft Defender ATP alert about a Windows Defender AV detected threat that was completely prevented and did not infect the machine is categorized as "Informational" because there was no actual damage incurred. +- An alert about a commercial malware was detected while executing, but blocked and remediated by Windows Defender AV, is categorized as "Low" because it may have caused some damage to the individual machine but poses no organizational threat. +- An alert about malware detected while executing which can pose a threat not only to the individual machine but to the organization, regardless if it was eventually blocked, may be ranked as "Medium" or "High". 
+- Suspicious behavioral alerts which were not blocked or remediated will be ranked "Low", "Medium" or "High" following the same organizational threat considerations. #### Understanding alert categories We've redefined the alert categories to align to the [enterprise attack tactics](https://attack.mitre.org/tactics/enterprise/) in the [MITRE ATT&CK matrix](https://attack.mitre.org/). New category names apply to all new alerts. Existing alerts will retain the previous category names. diff --git a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md index ee65c7302f..ef5226c49c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/information-protection-in-windows-overview.md @@ -45,8 +45,8 @@ Sensitivity labels classify and help protect sensitive content. Sensitive information types in the Office 365 data loss prevention (DLP) implementation fall under two categories: -- Default -- Custom +- Default +- Custom Default sensitive information types include information such as bank account numbers, social security numbers, or national IDs. For more information, see [What the sensitive information type look for](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for). diff --git a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md index 095c078b1f..9747f2d0ae 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md +++ b/windows/security/threat-protection/microsoft-defender-atp/isolate-machine.md 
@@ -61,8 +61,8 @@ Comment | String | Comment to associate with the action. **Required**. IsolationType | String | Type of the isolation. Allowed values are: 'Full' or 'Selective'. **IsolationType** controls the type of isolation to perform and can be one of the following: -- Full – Full isolation -- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details) +- Full – Full isolation +- Selective – Restrict only limited set of applications from accessing the network (see [Isolate machines from the network](respond-machine-alerts.md#isolate-machines-from-the-network) for more details) ## Response diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md index 5bb659b44e..d9cfb97c3f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts.md @@ -96,7 +96,7 @@ The package contains the following folders: |:---|:---------| |Autoruns | Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker’s persistency on the machine.

      NOTE: If the registry key is not found, the file will contain the following message: “ERROR: The system was unable to find the specified registry key or value.” | |Installed programs | This .CSV file contains the list of installed programs that can help identify what is currently installed on the machine. For more information, see [Win32_Product class](https://go.microsoft.com/fwlink/?linkid=841509). | -|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

      - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

      - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

      ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

      - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

      - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

      - FirewassExecutionLog.txt and pfirewall.log | +|Network connections | This folder contains a set of data points related to the connectivity information which can help in identifying connectivity to suspicious URLs, attacker’s command and control (C&C) infrastructure, any lateral movement, or remote connections.

      - ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. Provides the ability to look for suspicious connectivity made by a process.

      - Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.

      ARP cache can reveal additional hosts on a network that have been compromised or suspicious systems on the network that night have been used to run an internal attack.

      - DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.

      - IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.

      - FirewassExecutionLog.txt and pfirewall.log | | Prefetch files| Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.

      - Prefetch folder – Contains a copy of the prefetch files from `%SystemRoot%\Prefetch`. NOTE: It is suggested to download a prefetch file viewer to view the prefetch files.

      - PrefetchFilesList.txt – Contains the list of all the copied files which can be used to track if there were any copy failures to the prefetch folder. | | Processes| Contains a .CSV file listing the running processes which provides the ability to identify current processes running on the machine. This can be useful when identifying a suspicious process and its state. | | Scheduled tasks| Contains a .CSV file listing the scheduled tasks which can be used to identify routines performed automatically on a chosen machine to look for suspicious code which was set to run automatically. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md index f7c9eff384..731963f220 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/security-operations-dashboard.md @@ -75,7 +75,7 @@ The **Sensor health** tile provides information on the individual machine’s ab ![Sensor health tile](images/atp-tile-sensor-health.png) There are two status indicators that provide information on the number of machines that are not reporting properly to the service: -- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. +- **Misconfigured** – These machines might partially be reporting sensor data to the Microsoft Defender ATP service and might have configuration errors that need to be corrected. - **Inactive** - Machines that have stopped reporting to the Microsoft Defender ATP service for more than seven days in the past month. 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md index f981d9c12a..289a76f1c5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md +++ b/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-onboarding.md @@ -296,8 +296,8 @@ You might also need to check the following: ## Licensing requirements Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: - - Windows 10 Enterprise E5 - - Windows 10 Education E5 + - Windows 10 Enterprise E5 + - Windows 10 Education E5 - Microsoft 365 Enterprise E5 which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md index 994b79b7b6..b3c05cd9a2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md 
@@ -79,8 +79,8 @@ For more information preview features, see [Preview features](https://docs.micro Threat Analytics is a set of interactive reports published by the Microsoft Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. - New in Windows 10 version 1809, there are two new attack surface reduction rules: - - Block Adobe Reader from creating child processes - - Block Office communication application from creating child processes. + - Block Adobe Reader from creating child processes + - Block Office communication application from creating child processes. - [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) - Antimalware Scan Interface (AMSI) was extended to cover Office VBA macros as well. [Office VBA + AMSI: Parting the veil on malicious macros](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/12/office-vba-amsi-parting-the-veil-on-malicious-macros/). @@ -95,8 +95,8 @@ Query data using Advanced hunting in Microsoft Defender ATP. - [Attack surface reduction rules](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard)
      New attack surface reduction rules: - - Use advanced protection against ransomware - - Block credential stealing from the Windows local security authority subsystem (lsass.exe) + - Use advanced protection against ransomware + - Block credential stealing from the Windows local security authority subsystem (lsass.exe) - Block process creations originating from PSExec and WMI commands - Block untrusted and unsigned processes that run from USB - Block executable content from email client and webmail diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md index a9991a6eef..4c7c6be9c8 100644 --- a/windows/security/threat-protection/windows-10-mobile-security-guide.md +++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md 
@@ -22,16 +22,16 @@ ms.date: 10/13/2017 Smartphones now serve as a primary productivity tool for business workers and, just like desktops or laptops, need to be secured against malware and data theft. Protecting these devices can be challenging due to the wide range of device operating systems and configurations and the fact that many employees use their own personal devices. IT needs to secure corporate assets on every device, but also ensure the privacy of the user’s personal apps and data. Windows 10 Mobile addresses these security concerns directly, whether workers are using personal or corporate-owned devices. It uses the same security technologies as the Windows 10 operating system to help protect against known and emerging security threats across the spectrum of attack vectors. These technologies include: -- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. -- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps. -- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. +- **Windows Hello for Business** Enhanced identity and access control features ensure that only authorized users can access corporate data and resources. Windows Hello simplifies multifactor authentication (MFA) deployment and use, offering PIN, companion device, and biometric authentication methods. +- **Windows Information Protection** Automatic data separation keeps corporate information from being shared with personal data and apps. 
+- **Malware resistance** Multi-layered protections built into the device hardware, startup processes, and app platform help reduce the threat of malware that can compromise employee devices. This guide helps IT administrators better understand the security features in Windows 10 Mobile, which can be used to improve protection against unauthorized access, data leakage, and malware. **In this article:** -- Windows Hello for Business -- Windows Information Protection -- Malware resistance +- Windows Hello for Business +- Windows Information Protection +- Malware resistance ## Windows Hello 
@@ -56,9 +56,9 @@ To compromise Windows Hello credentials, an attacker would need access to the ph Biometrics help prevent credential theft and make it easier for users to login to their devices. Users always have their biometric identity with them – there is nothing to forget, lose, or leave behind. Attackers would need to have both access to the user’s device and be able to impersonate the user’s biometric identity to gain access to corporate resources, which is far more difficult than stealing a password. Windows Hello supports three biometric sensor scenarios: -- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology. -- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello. -- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology. +- **Facial recognition** uses special IR cameras to reliably tell the difference between a photograph or scan and a living person. 
Several vendors are shipping external cameras that incorporate this technology, and major manufacturers are already shipping laptops with integrated facial-recognition technology. Both Surface Pro 4 and Surface Book support this technology. +- **Fingerprint recognition** uses a sensor to scan the user’s fingerprint. Although fingerprint readers have been available for computers running the Windows operating system for years, the detection, anti-spoofing, and recognition algorithms in Windows 10 are more advanced than in previous Windows versions. Most existing fingerprint readers (whether external to or integrated into laptops or USB keyboards) that support the Windows Biometric Framework will work with Windows Hello. +- **Iris scanning** uses cameras designed to scan the user’s iris, the colorful and highly detailed portion of the eye. Because the data must be accurate, iris scanning uses a combination of an IR light source and a high-quality camera. Microsoft Lumia 950 and 950 XL devices support this technology. >Users must create an unlock PIN while they enroll a biometric gesture. The device uses this PIN as a fallback mechanism in situations where it cannot capture the biometric gesture. 
@@ -87,12 +87,12 @@ Enterprises have seen huge growth in the convergence of personal and corporate d Inadvertent disclosure is rapidly becoming the biggest source of confidential data leakage as organizations allow personal devices to access corporate resources. It’s easy to imagine that an employee using work email on their personal phone could unintentionally save an attachment containing sensitive company information to personal cloud storage, which could be shared with unauthorized people. This accidental sharing of corporate data is just one example of the challenges common to using mobile devices in the workplace. To prevent this type of data leakage, most solutions require users to login with a separate username and password to a container that stores all corporate apps and data, an experience that degrades user productivity. Windows 10 Mobile includes Windows Information Protection to transparently keep corporate data secure and personal data private. Because corporate data is always protected, users cannot inadvertently copy it or share it with unauthorized users or apps. Key features include: -- Automatically tag personal and corporate data. -- Protect data while it’s at rest on local or removable storage. -- Control which apps can access corporate data. -- Control which apps can access a virtual private network (VPN) connection. -- Prevent users from copying corporate data to public locations. -- Help ensure business data is inaccessible when the device is in a locked state. +- Automatically tag personal and corporate data. +- Protect data while it’s at rest on local or removable storage. +- Control which apps can access corporate data. +- Control which apps can access a virtual private network (VPN) connection. +- Prevent users from copying corporate data to public locations. +- Help ensure business data is inaccessible when the device is in a locked state. ### Enlightened apps 
@@ -101,21 +101,21 @@ Third-party data loss protection solutions usually require developers to wrap th Windows Information Protection classifies apps into two categories: enlightened and unenlightened. Enlighted apps can differentiate between corporate and personal data, correctly determining which to protect based on internal policies. Corporate data will be encrypted on the managed device and attempts to copy/paste or share this information with non-corporate apps or users will fail. Unenlightened apps, when marked as corporate-managed, consider all data corporate and encrypt everything by default. When you do not want all data encrypted by default – because it would create a poor user experience – developers should consider enlightening apps by adding code and compiling them using the Windows Information Protection application programming interfaces. The most likely candidates for enlightenment are apps that: -- Don’t use common controls for saving files. -- Don’t use common controls for text boxes. -- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance). +- Don’t use common controls for saving files. +- Don’t use common controls for text boxes. +- Work on personal and enterprise data simultaneously (e.g., contact apps that display personal and enterprise data in a single view or a browser that displays personal and enterprise web pages on tabs within a single instance). In many cases, most apps don’t require enlightenment for them to use Windows Information Protection. Simply adding them to the allow list is the only step you need to take. Line-of-Business (LOB) apps are a good example of where this works well because they only handle corporate data. **When is app enlightenment required?** -- **Required** - - App needs to work with both personal and enterprise data. 
-- **Recommended** - - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps. - - App needs to access enterprise data, while protection under lock is activated. -- **Not required** - - App handles only corporate data - - App handles only personal data +- **Required** + - App needs to work with both personal and enterprise data. +- **Recommended** + - App handles only corporate data, but needs to modify a file (such as a configuration file) in order to launch, uninstall itself, update etc. Without enlightenment you wouldn’t be able to properly revoke these apps. + - App needs to access enterprise data, while protection under lock is activated. +- **Not required** + - App handles only corporate data + - App handles only personal data ### Data leakage control 
@@ -124,10 +124,10 @@ To configure Windows Information Protection in a Mobile Device Management (MDM) Windows Information Protection works seamlessly until users try to access enterprise data with or paste enterprise data into unauthorized apps or locations on the web. For example, copying enterprise data from an authorized app to another authorized app works as usual, but Window Information Protection can block users from copying enterprise data from an authorized app to an unauthorized app. Likewise, it will block users from using an unauthorized app to open a file that contains enterprise data. The extent to which users will be prevented from copying and pasting data from authorized apps to unauthorized apps or locations on the web depends on which protection level is set: -- **Block.** Windows Information Protection blocks users from completing the operation. -- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. -- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log. -- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log. +- **Block.** Windows Information Protection blocks users from completing the operation. +- **Override.** Windows Information Protection notifies users that the operation is inappropriate but allows them to override the policy, although it logs the operation in the audit log. +- **Audit.** Windows Information Protection does not block or notify users but logs the operation in the audit log. +- **Off.** Windows Information Protection does not block or notify users and does not log operations in the audit log. ### Data separation 
@@ -140,11 +140,11 @@ Windows Information Protection provides data separation without requiring a cont Windows 10 Mobile uses device encryption, based on BitLocker technology, to encrypt all internal storage, including operating systems and data storage partitions. The user can activate device encryption, or the IT department can activate and enforce encryption for company-managed devices through MDM tools. When device encryption is turned on, all data stored on the phone is encrypted automatically. A Windows 10 Mobile device with encryption turned on helps protect the confidentiality of data stored – even if the device is lost or stolen. The combination of Windows Hello lock and data encryption makes it extremely difficult for an unauthorized party to retrieve sensitive information from the device. You can customize how device encryption works to meet your unique security requirements. Device encryption even enables you to define your own cipher suite. For example, you can specify the algorithm and key size that Windows 10 Mobile uses for data encryption, which Transport Layer Security (TLS) cipher suites are permitted, and whether Federal Information Processing Standard (FIPS) policy is enabled. The list below shows the policies you can change to customize device encryption on Windows 10 Mobile devices. -- Cryptography - - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. The default value is disabled. - - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections. -- BitLocker - - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one. +- Cryptography + - Allow FIPS Algorithm: This policy enables or disable the FIPS policy. A restart is needed to enforce this policy. 
The default value is disabled. + - TLS Cipher Suite: This policy contains a list of the cryptographic cipher algorithms allowed for Secure Sockets Layer connections. +- BitLocker + - Encryption Method: Configures the BitLocker Drive Encryption Method and cipher strength. The default value is AES-CBC 128-bit. If the device cannot use the value specified, it will use another one. To help make the device even more secured against outside interference, Windows 10 Mobile also now includes protection-under-lock. That means that encryption keys are removed from memory whenever a device is locked. Apps are unable to access sensitive data while the device is in a locked state, so hackers and malware have no way to find and co-opt keys. Everything is locked up tight with the TPM until the user unlocks the device with Windows Hello. 
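Review bot: The rewritten "Allow FIPS Algorithm" line in the @@ -140 hunk still reads "This policy enables or disable the FIPS policy"; since the line is replaced anyway, make it "enables or disables". In the same hunk, the "TLS Cipher Suite" line describes "Secure Sockets Layer connections" although the setting is named for TLS and the paragraph above calls them "Transport Layer Security (TLS) cipher suites"; "TLS connections" would match both.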
@@ -230,9 +230,9 @@ A Trusted Platform Module (TPM) is a tamper-resistant cryptographic module that A proper implementation of a TPM as part of a trusted computing platform provides a hardware root of trust, meaning that the hardware behaves in a trusted way. For example, if you create a key in a TPM with the property that no one can export that key from the TPM, the key absolutely cannot leave the TPM. The close integration of a TPM with a platform increases the transparency of the boot process and supports device health scenarios by enabling a reliable report of the software used to start a platform. The following list describes key functionality that a TPM provides in Windows 10 Mobile: -- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. -- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. -- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM. +- **Managing cryptographic keys.** A TPM can create, store, and permit the use of keys in defined ways. Windows 10 Mobile uses the TPM to protect the encryption keys for BitLocker volumes, virtual smart cards, certificates, and various other keys. 
+- **Safeguarding and reporting integrity measurements.** Windows 10 Mobile uses the TPM to record and help protect integrity-related measurements of select hardware and Windows boot components for the Measured Boot feature. In this scenario, Measured Boot measures each component – from firmware up through the drivers – and then stores those measurements in the device’s TPM. From here, you can test the measurement log remotely so that a separate system verifies the boot state of the Windows 10 Mobile device. +- **Proving a TPM is really a TPM.** Managing cryptographic keys and measuring integrity are so central to protecting privacy and security that a TPM must differentiate itself from malware masquerading as a TPM. Windows 10 Mobile supports TPM implementations that comply with the 2.0 standard. The TPM 2.0 standard includes several improvements that make it superior to the 1.2 standard, the most notable of which is cryptographic agility. TPM 1.2 is restricted to a fixed set of encryption and hash algorithms. When the TPM 1.2 standard appeared in the early 2000s, the security community considered these algorithms cryptographically strong. Since then, advances in cryptographic algorithms and cryptanalysis attacks have increased expectations for stronger cryptography. TPM 2.0 supports additional algorithms that offer stronger cryptographic protection, as well as the ability to plug-in algorithms that certain geographies or industries may prefer. It also opens the possibility for inclusion of future algorithms without changing the TPM component itself. 
@@ -241,9 +241,9 @@ Many assume that original equipment manufacturers (OEMs) must implant a TPM in h >Microsoft requires TPM 2.0 on devices running any version of Windows 10 Mobile. For more information, see [minimum hardware requirements](https://technet.microsoft.com/library/dn915086.aspx) Several Windows 10 Mobile security features require TPM: -- Virtual smart cards -- Measured Boot -- Health attestation (requires TPM 2.0 or later) +- Virtual smart cards +- Measured Boot +- Health attestation (requires TPM 2.0 or later) Still other features will use the TPM if it is available. For example, Windows Hello does not require TPM but uses it if it’s available. Organizations can configure policy to require TPM for Windows Hello. 
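Review bot: The "Health attestation (requires TPM 2.0 or later)" bullet in the @@ -241 hunk sits directly under a note stating that Microsoft requires TPM 2.0 on every device running Windows 10 Mobile, so the parenthetical is redundant for this list and could be dropped when the line is rewritten; the note's own sentence is also missing its closing period after the [minimum hardware requirements] link.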
@@ -312,9 +312,9 @@ Malware depends on its ability to insert a malicious payload into memory with th The heap is a location in memory that Windows uses to store dynamic application data. Microsoft continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that an attacker could use. Windows 10 Mobile has made several important improvements to the security of the heap over previous versions of Windows: -- Internal data structures that the heap uses are better protected against memory corruption. -- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable. -- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. +- Internal data structures that the heap uses are better protected against memory corruption. +- Heap memory allocations have randomized locations and sizes, making it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 Mobile adds a random offset to the address of a newly allocated heap, making the allocation much less predictable. +- Windows 10 Mobile uses “guard pages” before and after blocks of memory as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 Mobile responds by instantly terminating the app. 
### Memory reservations 
@@ -342,9 +342,9 @@ The security policy of a specific AppContainer defines the operating system capa A set of default permissions are granted to all AppContainers, including access to a unique, isolated storage location. Access to other capabilities can be declared within the app code itself. Unlike traditional desktop applications, access to additional capabilities and privileges cannot be requested at run time. The AppContainer concept is advantageous because it provides: -- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions. -- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent. -- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types. +- **Attack surface reduction.** Apps can access only those capabilities that are declared in the application code and needed to perform their functions. +- **User consent and control.** Capabilities that apps use are automatically published to the app details page in the Microsoft Store. App access to capabilities that may expose sensitive information automatically prompt the user to acknowledge and provide consent. +- **App isolation.** Communication between Windows apps is tightly controlled. Apps are isolated from one another and can communicate only by using predefined communication channels and data types. Apps receive the minimal privileges they need to perform their legitimate tasks. This means that even if a malicious attacker exploits an app, the potential damage is limited because the app cannot elevate its privileges and is contained within its AppContainer. 
Microsoft Store displays the permissions that the app requires along with the app’s age rating and publisher. 
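Review bot: The "User consent and control" bullet in the @@ -342 hunk has a subject-verb mismatch: "App access to capabilities that may expose sensitive information automatically prompt the user" should read "automatically prompts the user", and the rewritten `+` line is the place to fix it.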
@@ -355,9 +355,9 @@ The combination of Device Guard and AppContainer help to prevent unauthorized ap The web browser is a critical component of any security strategy. It is the user’s interface to the Internet, an environment teeming with malicious sites and potentially dangerous content. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the number one pathway from which malicious hackers initiate their attacks. Windows 10 Mobile includes Microsoft Edge, an entirely new web browser that goes beyond browsing with features like Reading View. Microsoft Edge is more secure than previous Microsoft web browsers in several ways: -- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. -- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. -- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. +- **Microsoft Edge on Windows 10 Mobile does not support extensions.** Microsoft Edge has built-in PDF viewing capability. +- **Microsoft Edge is designed as a UWP app.** It is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. +- **Microsoft Edge simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, fewer security settings are required. 
In addition, Microsoft established Microsoft Edge default settings that align with security best practices, making it more secure by design. ## Summary From 84cb9b95e1a174bf70999f71ccd5b14f12f7cb0c Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 21 Jul 2019 07:45:25 +0500 Subject: [PATCH 127/248] Update windows/security/identity-protection/credential-guard/credential-guard-manage.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 49f533818e..94de9e1a91 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -115,7 +115,7 @@ You can also enable Windows Defender Credential Guard by using the [Windows Defe DG_Readiness_Tool_v3.5.ps1 -Enable -AutoReboot ``` > [!IMPORTANT] -> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSAch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. +> When running the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool on a non-English operating system, within the script, change `$OSArch = $(gwmi win32_operatingsystem).OSArchitecture` to be `$OSArch = $((gwmi win32_operatingsystem).OSArchitecture).tolower()` instead, in order for the tool to work. > This is a known issue. ### Review Windows Defender Credential Guard performance 
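Review bot: The first bullet in the @@ -355 hunk pairs a bold claim ("Microsoft Edge on Windows 10 Mobile does not support extensions.") with an unrelated follow-up sentence ("Microsoft Edge has built-in PDF viewing capability."), so the reader cannot tell why the lack of extensions is a security property; either state how the two relate (the built-in viewer means PDFs open without a plug-in) or move the PDF statement into its own bullet.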
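Review bot: The fix in the @@ -115 hunk of PATCH 127/248 is correct (`$OSAch` was a typo for `$OSArch`, so the suggested replacement line would have assigned to a new variable and left `$OSArch` untouched), but the commit subject "Update windows/security/identity-protection/credential-guard/credential-guard-manage.md" does not say that; a subject such as "Fix $OSArch variable name in readiness tool workaround" would make the change findable. The instruction also stays a single long sentence inside an alert; putting the original and replacement PowerShell lines in a fenced code block would make them easier to copy correctly.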
From 1787a09c0a4c8b7cef8702ffa6646cb61bd0c15b Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 21 Jul 2019 07:53:06 +0500 Subject: [PATCH 128/248] markdown syntax issue There was a syntax issue with formatting. It has been fixed. --- .../credential-guard/credential-guard-manage.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 94de9e1a91..237aa7e0f4 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -106,7 +106,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic > [!NOTE] > You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](https://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting. - + + ### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). From d632f5c5b4381c71ed2780d0511f5a22ff62d0de Mon Sep 17 00:00:00 2001 From: Mohamed Kamal Date: Sun, 21 Jul 2019 15:40:08 +0200 Subject: [PATCH 129/248] Update MDM Path https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash Issue https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3553 --- browsers/edge/includes/allow-adobe-flash-include.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
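Review bot: The @@ -106 hunk of PATCH 128/248 deletes one line and inserts two, and all three are blank in this rendering, so the markdown problem named in the commit message cannot be verified from the diff; the message should state what was wrong (which element needed the extra blank line before the "### Enable Windows Defender Credential Guard by using ..." heading), and if the intent is only to separate the note from the heading, a single blank line is enough.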
diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index 47675924db..8f774871e7 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -34,7 +34,7 @@ ms.topic: include #### MDM settings - **MDM name:** Browser/[AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser\#browser-allowflash) - **Supported devices:** Desktop -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowAdobeFlash +- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/AllowFlash - **Data type:** Integer #### Registry settings From 195819dff6dbb4f83e89359d80f025f9415bb150 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 22 Jul 2019 10:06:00 +0500 Subject: [PATCH 130/248] HTML Tag fix There was an issue with an HTML tag in line 203 and it has been fixed. --- .../credential-guard/credential-guard-manage.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 237aa7e0f4..a583960ecd 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
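Review bot: The new URI in the @@ -34 hunk of PATCH 129/248 (`./Vendor/MSFT/Policy/Config/Browser/AllowFlash`) now agrees with the MDM name `Browser/AllowFlash` on the line above and with the policy CSP link in the commit message, which is the right fix; while in this block, the link target on the MDM name line escapes the fragment as `policy-csp-browser\#browser-allowflash`, and the backslash is unnecessary in a markdown link destination, so drop it to keep the URL identical to the one cited in the commit message.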
@@ -200,7 +200,8 @@ To disable Windows Defender Credential Guard, you can use the following set of p For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). - + + #### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337). From dadef4ff118b33504994ff65a3a2ec90b3757074 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 22 Jul 2019 10:13:03 +0500 Subject: [PATCH 131/248] Update windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-information-protection/testing-scenarios-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index f5c7d7c720..96b109ce32 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -176,7 +176,7 @@ You can try any of the processes included in these scenarios, but you should foc Stop Google Drive from syncing WIP protected files and folders.
        -
      • In silent configuration, add Google Drive in Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.
      • +
      • In silent configuration, add Google Drive to Protected Apps and set it to Deny. This way, Google Drive will not sync WIP protected files and folders.
      • Google Drive details
      • Publisher=O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US File=GOOGLEDRIVESYNC.EXE From 53c49c7508c9223e92126e271128d67bced406e0 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 22 Jul 2019 10:15:14 +0500 Subject: [PATCH 132/248] Update windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../enable-controlled-folders-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index c6c845ae2d..7ed8ec4621 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -53,7 +53,7 @@ For more information about disabling local list merging, see [Prevent or allow u >If controlled folder access is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. >If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. ->If you are protecting user profile data, it is recommended that the user profile should be on the default Windows installation drive. +>If you are protecting user profile data, we recommend that the user profile should be on the default Windows installation drive. ## Intune From 85a7880b9f3f1ab15d6b08aa35eb977467e3e412 Mon Sep 17 00:00:00 2001 
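Review bot: In the @@ -200 hunk of PATCH 130/248, the deleted line and both added lines are blank in this view, so the HTML tag fix the commit message describes is not visible in the diff; the message should name the tag that was wrong, and the hunk should be checked for an accidental extra blank line (one blank line before the "#### Disable Windows Defender Credential Guard by using ..." heading is sufficient).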
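Review bot: The rewritten note in the @@ -53 hunk of PATCH 132/248 still carries a redundant modal: "we recommend that the user profile should be on the default Windows installation drive" reads better as "we recommend that the user profile be on the default Windows installation drive" (or "we recommend keeping the user profile on the default Windows installation drive").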
From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 22 Jul 2019 12:32:29 +0200 Subject: [PATCH 133/248] Update windows/deployment/update/waas-overview.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 07acf89db8..da5c4df2fc 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -144,7 +144,7 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. ->[!NOTE] +> [!NOTE] >Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information about Windows support for the latest processor and chipsets, see [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. 
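Review bot: The @@ -144 hunk changes `>[!NOTE]` to `> [!NOTE]` but leaves the next line as `>Windows 10 LTSB will support the currently released processors ...` without the space after `>`, so the alert is now inconsistent within itself; apply the same `> ` spacing to every line of the note in one change rather than one line at a time.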
From b480942e45cbfd37b26f95dd0c7e4e8bc1207079 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Mon, 22 Jul 2019 12:34:37 +0200 Subject: [PATCH 134/248] Update waas-overview.md --- windows/deployment/update/waas-overview.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index da5c4df2fc..68f993905f 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -114,8 +114,8 @@ With that in mind, Windows 10 offers 3 servicing channels. The [Windows Insider The concept of servicing channels is new, but organizations can use the same management tools they used to manage updates and upgrades in previous versions of Windows. For more information about the servicing tool options for Windows 10 and their capabilities, see [Servicing tools](#servicing-tools). ->[!NOTE] ->Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). +> [!NOTE] +> Servicing channels are not the only way to separate groups of devices when consuming updates. Each channel can contain subsets of devices, which staggers servicing even further. For information about the servicing strategy and ongoing deployment process for Windows 10, including the role of servicing channels, see [Plan servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md). ### Semi-Annual Channel 
@@ -137,20 +137,20 @@ Organizations are expected to initiate targeted deployment on Semi-Annual Channe Specialized systems—such as PCs that control medical equipment, point-of-sale systems, and ATMs—often require a longer servicing option because of their purpose. These devices typically perform a single important task and don’t need feature updates as frequently as other devices in the organization. It’s more important that these devices be kept as stable and secure as possible than up to date with user interface changes. The LTSC servicing model prevents Windows 10 Enterprise LTSB devices from receiving the usual feature updates and provides only quality updates to ensure that device security stays up to date. With this in mind, quality updates are still immediately available to Windows 10 Enterprise LTSB clients, but customers can choose to defer them by using one of the servicing tools mentioned in the section Servicing tools. ->[!NOTE] ->Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. +> [!NOTE] +> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version. > >Long-term Servicing channel is not intended for deployment on most or all the PCs in an organization; it should be used only for special-purpose devices. As a general guideline, a PC with Microsoft Office installed is a general-purpose device, typically used by an information worker, and therefore it is better suited for the Semi-Annual servicing channel. Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. > [!NOTE] ->Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. 
As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information about Windows support for the latest processor and chipsets, see [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). +> Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information about Windows support for the latest processor and chipsets, see [Windows Processor Requirements](https://docs.microsoft.com/windows-hardware/design/minimum/windows-processor-requirements). The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even if you install by using sideloading. ->[!NOTE] ->If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. +> [!NOTE] +> If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. 
Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. ### Windows Insider @@ -158,8 +158,8 @@ For many IT pros, gaining visibility into feature updates early—before they’ Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program and provide feedback on any issues they encounter. For information about the Windows Insider Program for Business, go to [Windows Insider Program for Business](waas-windows-insider-for-business.md). ->[!NOTE] ->Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. +> [!NOTE] +> Microsoft recommends that all organizations have at least a few PCs enrolled in the Windows Insider Program, to include the Windows Insider Program in their deployment plans and to provide feedback on any issues they encounter to Microsoft via our Feedback Hub app. > >The Windows Insider Program isn’t intended to replace Semi-Annual Channel deployments in an organization. Rather, it provides IT pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft. 
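Review bot: In the @@ -137 hunk the lines `> [!NOTE]` and `> Windows 10 Enterprise LTSB is a separate Long Term Servicing Channel version.` gain the space after `>`, but the continuation line `>Long-term Servicing channel is not intended for deployment on most or all the PCs ...` in the same note keeps the old form, and the same happens with `>The Windows Insider Program isn't intended to replace Semi-Annual Channel deployments ...` in the @@ -158 hunk; since the point of this patch is consistent `> ` spacing, those two context lines should change too. The same note also spells the channel two ways ("Long Term Servicing Channel" and "Long-term Servicing channel") while the paragraph below uses "Long-term Servicing Channel"; pick that form for both lines.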
@@ -185,8 +185,8 @@ With all these options, which an organization chooses depends on the resources, | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | | Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options | ->[!NOTE] ->Due to [naming changes](#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products. +> [!NOTE] +> Due to [naming changes](#naming-changes), older terms like CB,CBB and LTSB may still be displayed in some of our products.
        From e9886154516992da3b62038cbcba1db039a3e46f Mon Sep 17 00:00:00 2001 From: Scott Kissel <32919113+sckissel@users.noreply.github.com> Date: Mon, 22 Jul 2019 08:33:21 -0500 Subject: [PATCH 135/248] Update hello-hybrid-cert-whfb-settings-policy.md removing extra "want" --- .../hello-hybrid-cert-whfb-settings-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 05a4294ad7..f65eaf8b20 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
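Review bot: The rewritten note line in the @@ -185 hunk still contains "older terms like CB,CBB and LTSB" with no space after the comma; since the line is replaced anyway, make it "CB, CBB, and LTSB".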
@@ -151,7 +151,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. #### Use biometrics From 8df1dece808656a24c53886adf2111c4a3b42759 Mon Sep 17 00:00:00 2001 
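Review bot: The replacement line in the @@ -151 hunk removes the duplicated "want" correctly, but "some organization may not want" should be "some organizations may not want" (plural), and "the Use a hardware security device Group Policy object" at the end of the paragraph should be set in bold like the two earlier mentions of **Use a hardware security device** in the same paragraph; both fit in this one-line change.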
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 22 Jul 2019 11:30:24 -0500 Subject: [PATCH 136/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 13f762f32c..f5b6280655 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -36,7 +36,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** -6. In the **Applies to** box, indicate to which object or objects the audit of events will apply, can be to: +6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: - **This folder only.** - **This folder, subfolders and files.** - **This folder and subfolders.** From e4071f2103ffaae72745961fdc637d18c76b4dcc Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 22 Jul 2019 11:46:48 -0500 Subject: [PATCH 137/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
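Review bot: The new wording "click the object or objects that the audit of events will apply to. It can be to:" is still awkward, because "It can be to:" has no clear subject and the list that follows is the set of choices, not a destination. Suggest a single sentence that introduces the list directly, for example "6. In the **Applies to** box, select the object or objects the audit entries apply to:" followed by the existing bullets.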
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index f5b6280655..884c9301e9 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -42,7 +42,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and subfolders.** - **This folder and files.** - **Subfolders and files only.** - - **Subfolders only** + - **Subfolders only.** - **Files only.** 7. By default the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** From 37e156d2f16893462ebf808c6eadefdbd3dd5da4 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 22 Jul 2019 11:47:00 -0500 Subject: [PATCH 138/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 884c9301e9..7f8bc35340 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -44,7 +44,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Subfolders and files only.** - **Subfolders only.** - **Files only.** -7. By default the selected **Basic Permissions** to Audit are the following: +7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** - **List folder contents.** - **Read.** From c833bd82c174af38d091036a19777d91bf93b218 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 22 Jul 2019 11:47:10 -0500 Subject: [PATCH 139/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 7f8bc35340..0aaadd7eb7 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -48,7 +48,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Read & Execute.** - **List folder contents.** - **Read.** - - You can additionally select the audit of **Full control**, **Modify** and/or **Write** permissions. With your desired combination. + - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From 5efcadb176a4c3e56d1dd8ebb94fbe45f276a9a4 Mon Sep 17 00:00:00 2001 
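Review bot: In the second hunk, the rewrite changes the meaning rather than just the grammar. The original said the reader may additionally audit **Full control**, **Modify** and/or **Write** in whatever combination they want; the new text "with your selected audit combination" reads as if those permissions are applied alongside some previously chosen combination, which the procedure does not define. Suggest "- You can also audit **Full control**, **Modify**, and/or **Write** permissions, in any combination."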
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 22 Jul 2019 12:21:09 -0500 Subject: [PATCH 140/248] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 04dc168342..bb021a898f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -167,7 +167,7 @@ Choose a trust type that is best suited for your organizations. Remember, the t One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. If you will use a federated environment, you must activate the Device Writeback option in Azure AD Connect. If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. 
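Review bot: The added sentence about Device Writeback is appended to a paragraph that is specifically about certificate-trust infrastructure, so a reader cannot tell whether the requirement applies only to certificate trust in a federated environment or to key trust as well; state the scope explicitly, and prefer "If you use a federated environment" over "If you will use". The pre-existing subject-verb error on the same line ("the certificate trust types issues certificates") is carried over unchanged; since the line is already being rewritten, change it to "the certificate trust type issues certificates".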
From d1f016272c13fff626972cacaa1019c7cd6912a5 Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Mon, 22 Jul 2019 14:36:36 -0500 Subject: [PATCH 141/248] Update windows/deployment/update/waas-delivery-optimization-reference.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 164db3333a..0ae9156e23 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
@@ -106,7 +106,7 @@ Download mode dictates which download sources clients are allowed to use when do | --- | --- | | HTTP Only (0) | This setting disables peer-to-peer caching but still allows Delivery Optimization to download content over HTTP from the download's original source. This mode uses additional metadata provided by the Delivery Optimization cloud services for a peerless reliable and efficient download experience. | | LAN (1 – Default) | This default operating mode for Delivery Optimization enables peer sharing on the same network. The Delivery Optimization cloud service finds other clients that connect to the Internet using the same public IP as the target client. These clients then attempts to connect to other peers on the same network by using their private subnet IP.| -| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607) or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. You can use the GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other methods to create groups dynamically. Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization. | +| Group (2) | When group mode is set, the group is automatically selected based on the device’s Active Directory Domain Services (AD DS) site (Windows 10, version 1607), or the domain the device is authenticated to (Windows 10, version 1511). In group mode, peering occurs across internal subnets, between devices that belong to the same group, including devices in remote offices. 
You can use the GroupID option to create your own custom group independently of domains and Active Directory Domain Services sites. Starting with Windows 10, version 1803, you can use the GroupIDSource parameter to take advantage of other methods to create groups dynamically. Group download mode is the recommended option for most organizations looking to leverage bandwidth with Delivery Optimization. | | Internet (3) | Enable Internet peer sources for Delivery Optimization. | | Simple (99) | Simple mode disables the use of Delivery Optimization cloud services completely (for offline environments). Delivery Optimization switches to this mode automatically when the Delivery Optimization cloud services are unavailable, unreachable or when the content file size is less than 10 MB. In this mode, Delivery Optimization provides a reliable download experience, with no peer-to-peer caching. | |Bypass (100) | Bypass Delivery Optimization and use BITS, instead. You should only select this mode if you use WSUS and prefer to use BranchCache. You do not need to set this option if you are using SCCM. If you want to disable peer-to-peer functionality, it's best to set **DownloadMode** to **0** or **99**. | From e680a3af81480df3e1f0a1b4c748c067c7c1ca0c Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Mon, 22 Jul 2019 14:36:45 -0500 Subject: [PATCH 142/248] Update windows/deployment/update/waas-delivery-optimization-reference.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../deployment/update/waas-delivery-optimization-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization-reference.md b/windows/deployment/update/waas-delivery-optimization-reference.md index 0ae9156e23..53b0e9a3bf 100644 --- a/windows/deployment/update/waas-delivery-optimization-reference.md +++ b/windows/deployment/update/waas-delivery-optimization-reference.md 
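Review bot: Splitting the **Group (2)** row across two lines breaks the Markdown table: a table row must be a single line, so the first `+` line ends the row without a closing `|`, and the second `+` line ("You can use the GroupID option ...") renders as a paragraph outside the table, with the **Internet (3)**, **Simple (99)** and **Bypass (100)** rows then following a broken table. Keep the whole row on one line. Separately, "looking to leverage bandwidth with Delivery Optimization" is vaguer than the original "achieve the best bandwidth optimization"; if the intent is to shorten the sentence, "looking to reduce bandwidth consumption with Delivery Optimization" keeps the meaning.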
@@ -116,7 +116,7 @@ Download mode dictates which download sources clients are allowed to use when do ### Group ID -By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization but do not fall within those domain or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. +By default, peer sharing on clients using the group download mode is limited to the same domain in Windows 10, version 1511, and the same domain and Active Directory Domain Services site in Windows 10, version 1607. By using the Group ID setting, you can optionally create a custom group that contains devices that should participate in Delivery Optimization, but do not fall within those domains or Active Directory Domain Services site boundaries, including devices in another domain. Using Group ID, you can further restrict the default group (for example, you could create a sub-group representing an office building), or extend the group beyond the domain, allowing devices in multiple domains in your organization to be peers. This setting requires the custom group to be specified as a GUID on each device that participates in the custom group. [//]: # (SCCM Boundary Group option; GroupID Source policy) From cb8e5989cad45fe65c114959d0421aa588b34d5e Mon Sep 17 00:00:00 2001 
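Review bot: Changing "those domain or Active Directory Domain Services site boundaries" to "those domains or Active Directory Domain Services site boundaries" breaks the parallel construction: the original pairs "domain boundaries" with "site boundaries", while the new text reads as "those domains" or "site boundaries". Suggest "do not fall within those domain or AD DS site boundaries" (or "within that domain or that AD DS site"). The comma inserted before "but do not fall" is also unnecessary, since the clause is restrictive.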
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 22 Jul 2019 16:21:16 -0500 Subject: [PATCH 143/248] Update whiteboard-collaboration.md --- devices/surface-hub/whiteboard-collaboration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index 9a68506147..f64f6e76c3 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -32,7 +32,7 @@ To get Whiteboard to Whiteboard collaboration up and running, you’ll need to m - Currently not utilizing Office 365 Germany or Office 365 operated by 21Vianet - Surface Hub needs to be updated to Windows 10, version 1607 or newer - Port 443 needs to be open since Whiteboard makes standard https requests -- Whiteboard.ms, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies +- Whiteboard.ms, whiteboard.microsoft.com, wbd.ms, \*.onenote.com, and your company's SharePoint tenant domain URLs need to be whitelisted for proxies >[!NOTE] @@ -66,4 +66,4 @@ After you’re done, you can export a copy of the Whiteboard collaboration for y ## Related topics - [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub) -- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) \ No newline at end of file +- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) From c65e8947c89ffd41716c79c12fe12d672dd298a7 Mon Sep 17 00:00:00 2001 
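Review bot: The first hunk adds `whiteboard.microsoft.com` to the list of hosts that must be allowed through the proxy, but the list now mixes capitalization ("Whiteboard.ms" beside "whiteboard.microsoft.com"); hostnames are case-insensitive, yet a consistent lowercase list is easier to copy into a proxy rule without error. Since administrators who already allowed only the previous four entries will see the feature break until they add the new host, consider a short sentence noting that this endpoint is an additional requirement, so the change is discoverable. The second hunk only adds the missing newline at end of file and needs no change.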
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 22 Jul 2019 16:37:14 -0500 Subject: [PATCH 144/248] Update hello-key-trust-policy-settings.md --- .../hello-for-business/hello-key-trust-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index e8cd8acaa1..703bf1305e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -34,7 +34,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs on The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. +You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. For this settings to be configured using GPO, you must download and install the latest Administrative Templates (.admx) for Windows 10. ## Create the Windows Hello for Business Group Policy object 
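Review bot: The added sentence has a number agreement error: "For this settings to be configured using GPO" should be "For this setting to be configured using Group Policy". It is also tacked onto the end of a paragraph about user-versus-computer policy precedence, where it is easy to miss; since the ADMX requirement is a prerequisite for the whole section rather than a detail of precedence, it would be clearer as its own sentence or note before "## Create the Windows Hello for Business Group Policy object". The second hunk only fixes the missing newline at end of file.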
@@ -130,4 +130,4 @@ Users must receive the Windows Hello for Business group policy settings and have 2. [Validate and Configure Public Key Infrastructure](hello-cert-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-cert-trust-adfs.md) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-cert-trust-validate-deploy-mfa.md) -5. Configure Windows Hello for Business Policy settings (*You are here*) \ No newline at end of file +5. Configure Windows Hello for Business Policy settings (*You are here*) From fcde4972eaae1ab758c4d3be4a9d5789597a9e20 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 23 Jul 2019 08:48:18 +0500 Subject: [PATCH 145/248] Update integrate-configuration-manager-with-mdt.md --- .../integrate-configuration-manager-with-mdt.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md index 615e6cdb7b..452f2cbdc1 100644 --- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md 
@@ -27,6 +27,10 @@ MDT is a free, supported download from Microsoft that adds approximately 280 enh As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. +>[!Note] +>Microsoft Deployment Toolkit requires [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) to be installed on the server. + + ### MDT enables dynamic deployment When MDT is integrated with Configuration Manager, the task sequence takes additional instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. From 65cff4652005601bb54b79480ed5c3b9c63af1c1 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 23 Jul 2019 10:09:07 +0500 Subject: [PATCH 146/248] Update use-system-center-configuration-manager-to-manage-devices-with-semm.md --- ...ion-manager-to-manage-devices-with-semm.md | 321 ++++++++++++------ 1 file changed, 214 insertions(+), 107 deletions(-) diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index af796bd2c4..2079cf5c8f 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md +++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
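Review bot: The note adds two trailing blank `+` lines before the "### MDT enables dynamic deployment" heading, where one blank line is enough; the extra one is just whitespace noise in the rendered page. The note itself would be more useful if it said which MDT version carries the requirement for the Windows PowerShell 2.0 Engine, so readers on a newer or older release know whether it applies to them.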
@@ -103,39 +103,45 @@ The sample scripts include examples of how to set Surface UEFI settings and how ### Specify certificate and package names -The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates the names for the SEMM configuration package and SEMM reset package. The certificate and package names are specified on lines 56 through 67 in the ConfigureSEMM.ps1 script: +The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script: ``` 56 $WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition 57 $packageRoot = "$WorkingDirPath\Config" - 58 - 59 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot } - 60 Copy-Item "$WorkingDirPath\FabrikamOwnerSigner.pfx" $packageRoot - 61 - 62 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath "FabrikamOwnerSigner.pfx" - 63 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamSignerProvisioningPackage.pkg" - 64 $resetPackageName = Join-Path -Path $packageRoot -ChildPath "FabrikamUniversalResetPackage.pkg" - 65 - 66 # If your PFX file requires a password then it can be set here, otherwise use a blank string. 
- 67 $password = "1234" + 58 $certName = "FabrikamSEMMSample.pfx" + 59 $DllVersion = "2.26.136.0" + 60 + 61 $certNameOnly = [System.IO.Path]::GetFileNameWithoutExtension($certName) + 62 $ProvisioningPackage = $certNameOnly + "ProvisioningPackage.pkg" + 63 $ResetPackage = $certNameOnly + "ResetPackage.pkg" + 64 + 65 if (-not (Test-Path $packageRoot)) { New-Item -ItemType Directory -Force -Path $packageRoot } + 66 Copy-Item "$WorkingDirPath\$certName" $packageRoot + 67 + 68 $privateOwnerKey = Join-Path -Path $packageRoot -ChildPath $certName + 69 $ownerPackageName = Join-Path -Path $packageRoot -ChildPath $ProvisioningPackage + 70 $resetPackageName = Join-Path -Path $packageRoot -ChildPath $ResetPackage + 71 + 72 # If your PFX file requires a password then it can be set here, otherwise use a blank string. + 73 $password = "1234" ``` -Replace the **FabrikamOwnerSigner.pfx** value for the **$privateOwnerKey** variable with the name of your SEMM Certificate file on both lines 60 and 62. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory. +Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory. -Replace the **FabrikamSignerProvisioningPackage.pkg** and **FabrikamUniversalResetPackage.pkg** values on lines 63 and 64 to define the **$ownerPackageName** and **$resetPackageName** variables with your desired names for the SEMM configuration and reset packages. These packages will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. 
+Owner pakage and reset pakage will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. -On line 67, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text. +On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text. >[!Note] ->The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 144-149, to accomplish this: +>The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this: ``` -144 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. -145 # For convenience we get the thumbprint here and present to the user. -146 $pw = ConvertTo-SecureString $password -AsPlainText -Force -147 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -148 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) -149 Write-Host "Thumbprint =" $certPrint.Thumbprint +150 # Device owners will need the last two characters of the thumbprint to accept SEMM ownership. +151 # For convenience we get the thumbprint here and present to the user. 
+152 $pw = ConvertTo-SecureString $password -AsPlainText -Force +153 $certPrint = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 +154 $certPrint.Import($privateOwnerKey, $pw, [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet) +155 Write-Host "Thumbprint =" $certPrint.Thumbprint ``` Administrators with access to the certificate file (.pfx) can read the thumbprint at any time by opening the .pfx file in CertMgr. To view the thumbprint with CertMgr, follow this process: 
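Review bot: "Owner pakage and reset pakage will also be created" on the new prose line has two typos ("package"), and the opening sentence "indicates SurfaceUEFIManager version, the names for the SEMM configuration package and SEMM reset package" is missing "the" and "and" ("indicates the SurfaceUEFIManager version and the names for ..."). The new `$DllVersion = "2.26.136.0"` variable on line 59 is introduced in the listing but never explained in the text; say what it is matched against so readers know when to change it. On line 73 the guidance still tells readers to store the PFX password in clear text inside the script next to the certificate file; since this is the SEMM owner key, the document should at least recommend prompting for it (for example with `Read-Host -AsSecureString`) or reading it from a protected location rather than committing it alongside the `.pfx`.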
@@ -153,46 +159,47 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin ### Configure permissions -The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 202 in the sample script with the comment **# Configure Permissions** and continues to line 238. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras: +The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras: ``` -202 # Configure Permissions -203 foreach ($uefiV2 IN $surfaceDevices.Values) { -204 # Here we define which "identities" will be allowed to modify which settings -205 # PermissionSignerOwner = The primary SEMM enterprise owner identity -206 # PermissionLocal = The user when booting to the UEFI pre-boot GUI -207 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 = -208 # Additional user identities created so that the signer owner -209 # can delegate permission control for some settings. 
-210 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -211 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal) -212 -213 # Make all permissions owner only by default -214 foreach ($setting IN $uefiV2.Settings.Values) { -215 $setting.ConfiguredPermissionFlags = $ownerOnly -216 } -217 # Allow the local user to change their own password -218 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser -219 -220 # Allow the local user to change the state of the TPM -221 $uefiV2.Settings["Trusted Platform Module (TPM)"].ConfiguredPermissionFlags = $ownerAndLocalUser -222 -223 # Allow the local user to change the state of the Front and Rear cameras -224 $uefiV2.SettingsById[302].ConfiguredPermissionFlags = $ownerAndLocalUser -225 $uefiV2.SettingsById[304].ConfiguredPermissionFlags = $ownerAndLocalUser -226 -227 -228 # Create a unique package name based on family and LSV. -229 # We will choose a name that can be parsed by later scripts. -230 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg" -231 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName -232 -233 # Build and sign the Permission package then save it to a file. 
-234 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv) -235 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) -236 $permissionPackageStream.CopyTo($permissionPackage) -237 $permissionPackage.Close() -238 } +210 # Configure Permissions +211 foreach ($uefiV2 IN $surfaceDevices.Values) { +212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { +213 Write-Host "Configuring permissions" +214 Write-Host $Device.Model +215 Write-Host "=======================" +216 +217 # Here we define which "identities" will be allowed to modify which settings +218 # PermissionSignerOwner = The primary SEMM enterprise owner identity +219 # PermissionLocal = The user when booting to the UEFI pre-boot GUI +220 # PermissionSignerUser, PermissionSignerUser1, PermissionSignerUser2 = +221 # Additional user identities created so that the signer owner +222 # can delegate permission control for some settings. +223 $ownerOnly = [Microsoft.Surface.IUefiSetting]::PermissionSignerOwner +224 $ownerAndLocalUser = ([Microsoft.Surface.IUefiSetting]::PermissionSignerOwner -bor [Microsoft.Surface.IUefiSetting]::PermissionLocal) +225 +226 # Make all permissions owner only by default +227 foreach ($setting IN $uefiV2.Settings.Values) { +228 $setting.ConfiguredPermissionFlags = $ownerOnly +229 } +230 +231 # Allow the local user to change their own password +232 $uefiV2.SettingsById[501].ConfiguredPermissionFlags = $ownerAndLocalUser +233 +234 Write-Host "" +235 +236 # Create a unique package name based on family and LSV. +237 # We will choose a name that can be parsed by later scripts. +238 $packageName = $uefiV2.SurfaceUefiFamily + "^Permissions^" + $lsv + ".pkg" +239 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName +240 +241 # Build and sign the Permission package then save it to a file. 
+242 $permissionPackageStream = $uefiV2.BuildAndSignPermissionPackage($privateOwnerKey, $password, "", $null, $lsv) +243 $permissionPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) +244 $permissionPackageStream.CopyTo($permissionPackage) +245 $permissionPackage.Close() +246 } +247 } ``` Each **$uefiV2** variable identifies a Surface UEFI setting by setting name or ID, and then configures the permissions to one of the following values: 
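Review bot: the sentence after the fence still says each **$uefiV2** line identifies a setting "by setting name or ID", but the rewritten Configure Permissions region (+210 to +247) drops the only by-name example (`$uefiV2.Settings["Trusted Platform Module (TPM)"]`) together with the camera examples, leaving just the ID-based `SettingsById[501]` line; either keep one by-name example or reword the sentence. The new guard `if ($uefiV2.SurfaceUefiFamily -eq $Device.Model)` (+212) also references `$Device`, which is not defined anywhere in the quoted region, so the prose introducing the region should say where it comes from, and the line range quoted in the lead-in text should match the new +210 to +247 numbering. The default the sample now shows, every setting owner-only with a single delegation so the local user can change their own UEFI password, is the safe baseline; it is worth saying so explicitly in the prose, so readers who re-add delegations for the TPM or cameras treat them as deliberate exceptions rather than the norm.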
@@ -204,69 +211,169 @@ You can find information about the available settings names and IDs for Surface ### Configure settings -The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 282 through line 312 in the sample script. The region appears as follows: +The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows: ``` -282 # Configure Settings -283 foreach ($uefiV2 IN $surfaceDevices.Values) { -284 # In this demo, we will start by setting every setting to the default factory setting. -285 # You may want to start by doing this in your scripts -286 # so that every setting gets set to a known state. -287 foreach ($setting IN $uefiV2.Settings.Values) { -288 $setting.ConfiguredValue = $setting.DefaultValue -289 } -290 -291 # If you want to set something to a different value from the default, -292 # here are examples of how to accomplish this. 
-293 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = "Disabled" -294 -295 # If you want to leave the setting unmodified, set it to $null -296 # PowerShell has issues setting things to $null so ClearConfiguredValue() -297 # is supplied to do this explicitly. -298 # Here is an example of leaving the UEFI administrator password as-is, -299 # even after we initially set it to factory default above. -300 $uefiV2.SettingsById[501].ClearConfiguredValue() -301 -302 # Create a unique package name based on family and LSV. -303 # We will choose a name that can be parsed by later scripts. -304 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg" -305 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName -306 -307 # Build and sign the Settings package then save it to a file. -308 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv) -309 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) -310 $settingsPackageStream.CopyTo($settingsPackage) -311 $settingsPackage.Close() -312 } +291 # Configure Settings +292 foreach ($uefiV2 IN $surfaceDevices.Values) { +293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) { +294 Write-Host "Configuring settings" +295 Write-Host $Device.Model +296 Write-Host "====================" +297 +298 # In this demo, we will start by setting every setting to the default factory setting. +299 # You may want to start by doing this in your scripts +300 # so that every setting gets set to a known state. +301 foreach ($setting IN $uefiV2.Settings.Values) { +302 $setting.ConfiguredValue = $setting.DefaultValue +303 } +304 +305 $EnabledValue = "Enabled" +306 $DisabledValue = "Disabled" +307 +308 # If you want to set something to a different value from the default, +309 # here are examples of how to accomplish this. 
+310 # This disables IPv6 PXE boot by name: +311 $uefiV2.Settings["IPv6 for PXE Boot"].ConfiguredValue = $DisabledValue +312 +313 # This disables IPv6 PXE Boot by ID: +314 $uefiV2.SettingsById[400].ConfiguredValue = $DisabledValue +315 +316 Write-Host "" +317 +318 # If you want to leave the setting unmodified, set it to $null +319 # PowerShell has issues setting things to $null so ClearConfiguredValue() +320 # is supplied to do this explicitly. +321 # Here is an example of leaving the UEFI administrator password as-is, +322 # even after we initially set it to factory default above. +323 $uefiV2.SettingsById[501].ClearConfiguredValue() +324 +325 # Create a unique package name based on family and LSV. +326 # We will choose a name that can be parsed by later scripts. +327 $packageName = $uefiV2.SurfaceUefiFamily + "^Settings^" + $lsv + ".pkg" +328 $fullPackageName = Join-Path -Path $packageRoot -ChildPath $packageName +329 +330 # Build and sign the Settings package then save it to a file. +331 $settingsPackageStream = $uefiV2.BuildAndSignSecuredSettingsPackage($privateOwnerKey, $password, "", $null, $lsv) +332 $settingsPackage = New-Object System.IO.Filestream($fullPackageName, [System.IO.FileMode]::CreateNew, [System.IO.FileAccess]::Write) +333 $settingsPackageStream.CopyTo($settingsPackage) +334 $settingsPackage.Close() +335 } ``` Like the permissions set in the **Configure Permissions** section of the script, the configuration of each Surface UEFI setting is performed by defining the **$uefiV2** variable. For each line defining the **$uefiV2** variable, a Surface UEFI setting is identified by setting name or ID and the configured value is set to **Enabled** or **Disabled**. 
-If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 300 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**. +If you do not want to alter the configuration of a Surface UEFI setting, for example to ensure that the Surface UEFI administrator password is not cleared by the action of resetting all Surface UEFI settings to their default, you can use **ClearConfiguredValue()** to enforce that this setting will not be altered. In the sample script, this is used on line 323 to prevent the clearing of the Surface UEFI Administrator password, identified in the sample script by its setting ID, **501**. You can find information about the available settings names and IDs for Surface UEFI in the [Settings Names and IDs](#settings-names-and-ids) section later in this article. ### Settings registry key -To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry key that can be used to identify enrolled systems as having been installed with the SEMM configuration script. This key can be found at the following location: +To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. 
These keys can be found at the following location: -`HKLM\SOFTWARE\Microsoft\Surface\SEMM\Enabled_Version1000` +`HKLM\SOFTWARE\Microsoft\Surface\SEMM` -The following code fragment, found on lines 352-363, is used to write this registry key: +The following code fragment, found on lines 380-477, is used to write these registry keys: ``` -352 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM" -353 New-RegKey $SurfaceRegKey -354 $SurfaceRegValue = Get-ItemProperty $SurfaceRegKey Enabled_Version1000 -ErrorAction SilentlyContinue -355 -356 If ($SurfaceRegValue -eq $null) -357 { -358 New-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -PropertyType String -Value 1 | Out-Null -359 } -360 Else -361 { -362 Set-ItemProperty -Path $SurfaceRegKey -Name Enabled_Version1000 -Value 1 -363 } +380 # For SCCM or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry: +381 $UTCDate = (Get-Date).ToUniversalTime().ToString() +382 $certIssuer = $certPrint.Issuer +383 $certSubject = $certPrint.Subject +384 +385 $SurfaceRegKey = "HKLM:\SOFTWARE\Microsoft\Surface\SEMM" +386 New-RegKey $SurfaceRegKey +387 $LSVRegValue = Get-ItemProperty $SurfaceRegKey LSV -ErrorAction SilentlyContinue +388 $DateTimeRegValue = Get-ItemProperty $SurfaceRegKey LastConfiguredUTC -ErrorAction SilentlyContinue +389 $OwnershipSessionIdRegValue = Get-ItemProperty $SurfaceRegKey OwnershipSessionId -ErrorAction SilentlyContinue +390 $PermissionSessionIdRegValue = Get-ItemProperty $SurfaceRegKey PermissionSessionId -ErrorAction SilentlyContinue +391 $SettingsSessionIdRegValue = Get-ItemProperty $SurfaceRegKey SettingsSessionId -ErrorAction SilentlyContinue +392 $IsResetRegValue = Get-ItemProperty $SurfaceRegKey IsReset -ErrorAction SilentlyContinue +393 $certUsedRegValue = Get-ItemProperty $SurfaceRegKey CertName -ErrorAction SilentlyContinue +394 $certIssuerRegValue = Get-ItemProperty $SurfaceRegKey CertIssuer -ErrorAction 
SilentlyContinue +395 $certSubjectRegValue = Get-ItemProperty $SurfaceRegKey CertSubject -ErrorAction SilentlyContinue +396 +397 +398 If ($LSVRegValue -eq $null) +399 { +400 New-ItemProperty -Path $SurfaceRegKey -Name LSV -PropertyType DWORD -Value $lsv | Out-Null +401 } +402 Else +403 { +404 Set-ItemProperty -Path $SurfaceRegKey -Name LSV -Value $lsv +405 } +406 +407 If ($DateTimeRegValue -eq $null) +408 { +409 New-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -PropertyType String -Value $UTCDate | Out-Null +410 } +411 Else +412 { +413 Set-ItemProperty -Path $SurfaceRegKey -Name LastConfiguredUTC -Value $UTCDate +414 } +415 +416 If ($OwnershipSessionIdRegValue -eq $null) +417 { +418 New-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -PropertyType String -Value $ownerSessionIdValue | Out-Null +419 } +420 Else +421 { +422 Set-ItemProperty -Path $SurfaceRegKey -Name OwnershipSessionId -Value $ownerSessionIdValue +423 } +424 +425 If ($PermissionSessionIdRegValue -eq $null) +426 { +427 New-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -PropertyType String -Value $permissionSessionIdValue | Out-Null +428 } +429 Else +430 { +431 Set-ItemProperty -Path $SurfaceRegKey -Name PermissionSessionId -Value $permissionSessionIdValue +432 } +433 +434 If ($SettingsSessionIdRegValue -eq $null) +435 { +436 New-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -PropertyType String -Value $settingsSessionIdValue | Out-Null +437 } +438 Else +439 { +440 Set-ItemProperty -Path $SurfaceRegKey -Name SettingsSessionId -Value $settingsSessionIdValue +441 } +442 +443 If ($IsResetRegValue -eq $null) +444 { +445 New-ItemProperty -Path $SurfaceRegKey -Name IsReset -PropertyType DWORD -Value 0 | Out-Null +446 } +447 Else +448 { +449 Set-ItemProperty -Path $SurfaceRegKey -Name IsReset -Value 0 +450 } +451 +452 If ($certUsedRegValue -eq $null) +453 { +454 New-ItemProperty -Path $SurfaceRegKey -Name CertName -PropertyType String -Value $certName | 
Out-Null +455 } +456 Else +457 { +458 Set-ItemProperty -Path $SurfaceRegKey -Name CertName -Value $certName +459 } +460 +461 If ($certIssuerRegValue -eq $null) +462 { +463 New-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -PropertyType String -Value $certIssuer | Out-Null +464 } +465 Else +466 { +467 Set-ItemProperty -Path $SurfaceRegKey -Name CertIssuer -Value $certIssuer +468 } +469 +470 If ($certSubjectRegValue -eq $null) +471 { +472 New-ItemProperty -Path $SurfaceRegKey -Name CertSubject -PropertyType String -Value $certSubject | Out-Null +473 } +474 Else +475 { +476 Set-ItemProperty -Path $SurfaceRegKey -Name CertSubject -Value $certSubject +477 } ``` ### Settings names and IDs From 8109c50a6938611a0fd340974912747e23137b95 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Tue, 23 Jul 2019 14:42:12 +0200 Subject: [PATCH 147/248] Update start-layout-xml-desktop.md Added syntax and note --- windows/configuration/start-layout-xml-desktop.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index 529e59e779..cbaaf8af2b 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -53,6 +53,7 @@ The XML schema for `LayoutModification.xml` requires the following order for tag 1. TopMFUApps 1. CustomTaskbarLayoutCollection 1. InkWorkspaceTopApps +1. StartLayoutCollection Comments are not supported in the `LayoutModification.xml` file. 
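Review bot: in the Settings registry key part of this hunk, the rewritten sentence "the ConfigureSEMM.ps1 script writes a registry keys that can be used" is ungrammatical and also inaccurate: the fragment (+380 to +477) writes several registry values (LSV, LastConfiguredUTC, the three SessionId values, IsReset, CertName, CertIssuer, CertSubject) under the single key `HKLM\SOFTWARE\Microsoft\Surface\SEMM`, so say "writes a set of registry values under the following key". The fragment uses `$certPrint`, `$certName`, `$ownerSessionIdValue`, `$permissionSessionIdValue` and `$settingsSessionIdValue` without any of them being defined in the excerpt, and `New-RegKey` is not a built-in cmdlet, so it is presumably a helper defined earlier in the script; one sentence pointing readers to where these are set would prevent a copy-paste that fails. Since these values are written unconditionally by the script rather than reported back by the firmware, the prose should also make clear that Configuration Manager detection built on them shows that the script ran with a given LSV and certificate, not that SEMM enrollment succeeded on the device. In the Configure settings part, `$EnabledValue` (+305) is declared but never used in the region, and the "by ID" example (+314) hard-codes ID 400 for IPv6 PXE Boot; cross-reference it to the Settings names and IDs table the way the text does for ID 501.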
@@ -66,6 +67,8 @@ Comments are not supported in the `LayoutModification.xml` file. >- Do not add multiple rows of comments. The following table lists the supported elements and attributes for the LayoutModification.xml file. +> [!NOTE] +> RequiredStartGroupsCollection and AppendGroup syntax only applies to the special case of the Import-StartLayout method used for building and deploying Windows images. | Element | Attributes | Description | | --- | --- | --- | From d34ec3dade35a269ded076d327ffc473873e76d8 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 23 Jul 2019 16:49:56 +0300 Subject: [PATCH 148/248] remove reference about Windows 10 Pro https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3255 --- .../windows-defender-application-control.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index 9617e485b3..3605322e2c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -18,7 +18,7 @@ ms.date: 01/08/2019 **Applies to:** -- Windows 10 +- Windows 10 Enterprise - Windows Server 2016 - Windows Server 2019 
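Review bot: the new NOTE about RequiredStartGroupsCollection and AppendGroup is inserted between the sentence "The following table lists the supported elements and attributes for the LayoutModification.xml file." and the table that sentence introduces, which separates the lead-in from its table; move the note above that sentence or below the table. The note also leaves the two element names unformatted while the surrounding text puts `LayoutModification.xml` in backticks; format the element names and `Import-StartLayout` the same way for consistency with the table rows that follow.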
@@ -40,8 +40,8 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs ## WDAC System Requirements -WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Professional editions or Windows Server 2016. -They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. +WDAC policies can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above. +They can be applied to computers running Windows 10 Enterprise or Windows Server 2016 and above and optionally managed via Mobile Device Management (MDM), such as Microsoft Intune. Group Policy or Intune can be used to distribute WDAC policies. ## New and changed functionality From fcd9105a721254a4c53b12ef664061d05557eeaf Mon Sep 17 00:00:00 2001 From: Adam Gross Date: Tue, 23 Jul 2019 10:57:00 -0500 Subject: [PATCH 149/248] Fixed Typo --- windows/deployment/upgrade/setupdiag.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md index e6407618c1..5eb09cda0d 100644 --- a/windows/deployment/upgrade/setupdiag.md +++ b/windows/deployment/upgrade/setupdiag.md 
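Review bot: "can only be created on computers beginning with Windows 10 Enterprise or Windows Server 2016 and above" combines "beginning with" and "and above"; suggest "on Windows 10 Enterprise or on Windows Server 2016 and later". More importantly, the second line changes a substantive statement, from policies being applicable to "any edition of Windows 10" to only Windows 10 Enterprise; because that narrows the deployment guidance for a security control, the source for the new claim should be cited in the PR rather than only the issue link in the commit message, and the "Applies to" hunk above (Windows 10 to Windows 10 Enterprise) stands or falls with the same claim.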
@@ -334,7 +334,7 @@ Each rule name and its associated unique rule identifier are listed with a descr - For an example, see [Sample registry key](#sample-registry-key). 05/17/2019 - SetupDiag v1.4.1.0 is released with 53 rules, as a standalone tool available from the Download Center. - - This release dds the ability to find and diagnose reset and recovery failures (Push Button Reset). + - This release adds the ability to find and diagnose reset and recovery failures (Push Button Reset). 12/18/2018 - SetupDiag v1.4.0.0 is released with 53 rules, as a standalone tool available from the Download Center. - This release includes major improvements in rule processing performance: ~3x faster rule processing performance! From 292366ff98410a7458b3011af14403bcd8f749b8 Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Tue, 23 Jul 2019 15:25:58 -0400 Subject: [PATCH 150/248] Adding Question to FAQ https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4288 --- .../wd-app-guard-overview.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 4aadf6d205..6cd5702688 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -105,6 +105,13 @@ Application Guard has been created to target several types of systems:
        +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? | +| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). | + +
        + ## Related topics |Topic |Description | From 82a6136ad525ec5599b24b14f69f8a1b68b68ec4 Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Tue, 23 Jul 2019 15:26:23 -0400 Subject: [PATCH 151/248] Adding Question to FAQ https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4288 --- .../faq-wd-app-guard.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 8a0d017824..1d5756d650 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -103,3 +103,11 @@ Answering frequently asked questions about Windows Defender Application Guard (A | **A:** | To trust a subdomain, you must precede your domain with two dots, for example: ..contoso.com. |
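Review bot: the answer text "you will have access to using Application Guard's Standalone Mode" should read "you can use Application Guard's Standalone Mode", and "However, when using Enterprise you will have access to" reads better as "Windows Enterprise additionally offers Application Guard's Enterprise-Managed Mode". The new table starts with an empty header row (`| | |`), which renders as a blank header; if the existing FAQ entries on this page use that same pattern it is acceptable, otherwise give the table a Q/A header. The identical Q/A is added to faq-wd-app-guard.md in the next commit, so consider linking to the FAQ from this overview instead of maintaining the same answer in two files that will drift.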
        + +| | | +|--------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Q:** | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? | +| **A:** | When using Windows Pro and Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). | + +
        + From 680279af4d27e6d0d83c089030e0c74b1ea8f94e Mon Sep 17 00:00:00 2001 From: Dulce Montemayor Date: Tue, 23 Jul 2019 14:28:55 -0700 Subject: [PATCH 152/248] Updated with TVM refs --- .../microsoft-defender-atp/overview-secure-score.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md index cb57adc063..a2c2292416 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md +++ b/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score.md @@ -21,6 +21,9 @@ ms.topic: conceptual **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +>[!NOTE] +> Secure score is now part of Threat & Vulnerability Management as [Configuration score](configuration-score.md). The secure score page will be available for a few weeks. View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page. + The Secure score dashboard expands your visibility into the overall security posture of your organization. From this dashboard, you'll be able to quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to further reduce the attack surface in your organization - all in one place. From there you can take action based on the recommended configuration baselines. >[!IMPORTANT] 
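Review bot: this table duplicates, word for word, the Q/A added to wd-app-guard-overview.md in the previous commit; keeping the single copy here in the FAQ and linking from the overview avoids the two answers drifting apart. The hunk also ends with two consecutive added blank lines at the end of the file; one trailing newline is enough, and the extra blank line is the kind of thing the repository's markdown lint fixes elsewhere in this series remove.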
@@ -77,5 +80,14 @@ Within the tile, you can click on each control to see the recommended optimizati Clicking the link under the **Misconfigured machines** column opens up the **Machines list** with filters applied to show only the list of machines where the recommendation is applicable. You can export the list in Excel to create a target collection and apply relevant policies using a management solution of your choice. ## Related topic +- [Configuration score](configuration-score.md) +- [Risk-based Threat & Vulnerability Management](next-gen-threat-and-vuln-mgt.md) +- [Threat & Vulnerability Management dashboard overview](tvm-dashboard-insights.md) +- [Exposure score](tvm-exposure-score.md) +- [Security recommendations](tvm-security-recommendation.md) +- [Remediation](tvm-remediation.md) +- [Software inventory](tvm-software-inventory.md) +- [Weaknesses](tvm-weaknesses.md) +- [Scenarios](threat-and-vuln-mgt-scenarios.md) - [Threat analytics](threat-analytics.md) From e9be7e65844f361190535f682fdddc380ee17d8f Mon Sep 17 00:00:00 2001 From: TokyoScarab Date: Tue, 23 Jul 2019 17:39:09 -0400 Subject: [PATCH 153/248] Emphasize Device Sync https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4401 --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 71517e7da8..cd40458897 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
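Review bot: the new NOTE in the first hunk of this commit ends with "View the [Secure score](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-secure-score) page", but that URL is the page the note lives in (overview-secure-score.md), so the link is self-referential; it should presumably point to the Configuration score page that the same note already links as configuration-score.md, or be removed. "The secure score page will be available for a few weeks" will also go stale quickly; give a date or a concrete removal plan.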
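Review bot: the heading "## Related topic" is singular while the list under it now has ten entries; change it to "## Related topics", which is also the form used in wd-app-guard-overview.md earlier in this series.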
@@ -74,6 +74,9 @@ The two directories used in hybrid deployments must be synchronized. You need A Organizations using older directory synchronization technology, such as DirSync or Azure AD sync, need to upgrade to Azure AD Connect. In case the schema of your local AD DS was changed since the last directory synchronization, you may need to [refresh directory schema](https://docs.microsoft.com/azure/active-directory/hybrid/how-to-connect-installation-wizard#refresh-directory-schema). +> [!NOTE] +> Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory. + ### Section Review > [!div class="checklist"] > * Azure Active Directory Connect directory synchronization From 4e98ea6b9bc79e43a0ac5b12b545f5186438f031 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 23 Jul 2019 17:58:57 -0500 Subject: [PATCH 154/248] Update windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-atp/configure-mssp-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md index 7cf8f93bca..caa236d9af 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md 
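Review bot: "Windows Hello for Business is tied between a user and a device" should read "is tied to both a user and a device". Since the point of the note is that device objects as well as user objects must reach Azure Active Directory, it would help to state the practical check the reader should make, namely that the device objects are included in the Azure AD Connect synchronization scope and not only the user accounts, so that the Section Review checklist item "Azure Active Directory Connect directory synchronization" below covers both.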
@@ -165,7 +165,7 @@ You'll need to create an application and grant it permissions to fetch alerts fr 6. Select the application, then click **Overview**. -7. Copy the value from the **Application (client) ID** field to a safe place, you will need this on the next step. +7. Copy the value from the **Application (client) ID** field to a safe place, you will need this in the next step. 8. Select **Certificate & secrets** in the new application panel. From eeec4a2b91423720fb99897c4fe7dd0dfe1eb5e9 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Tue, 23 Jul 2019 17:59:09 -0500 Subject: [PATCH 155/248] Update windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../windows-defender-atp/configure-mssp-support.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md index caa236d9af..c397e1ed61 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md 
@@ -174,7 +174,7 @@ You'll need to create an application and grant it permissions to fetch alerts fr - Description: Enter a description for the key. - Expires: Select **In 1 year** -10. Click **Add**, copy the value of the client secret to a safe place, you will need this on the next step. +10. Click **Add**, copy the value of the client secret to a safe place, you will need this in the next step. ### Step 2: Get access and refresh tokens from your customer's tenant This section guides you on how to use a PowerShell script to get the tokens from your customer's tenant. This script uses the application from the previous step to get the access and refresh tokens using the OAuth Authorization Code Flow. From 536872ec34122bfcbff8dccf7c0b9e33470ef245 Mon Sep 17 00:00:00 2001 From: Nick Schonning Date: Tue, 23 Jul 2019 21:06:31 -0400 Subject: [PATCH 156/248] fix: MD005/list-indent Inconsistent indentation for list items at the same level --- devices/surface-hub/surface-hub-2s-setup.md | 2 +- ...-by-step-surface-deployment-accelerator.md | 8 +- ...l-the-application-virtualization-client.md | 100 ++++++------------ .../mdm/appv-deploy-and-config.md | 2 +- .../mdm/enable-admx-backed-policies-in-mdm.md | 2 +- windows/client-management/mdm/index.md | 2 +- .../mdm/policy-csp-devicelock.md | 12 +-- windows/deployment/update/waas-wu-settings.md | 54 +++++----- .../exposed-apis-create-app-nativeapp.md | 95 +++++++++-------- .../microsoft-defender-atp/user-roles.md | 46 ++++---- 10 files changed, 146 insertions(+), 177 deletions(-) diff --git a/devices/surface-hub/surface-hub-2s-setup.md b/devices/surface-hub/surface-hub-2s-setup.md index 6329c3b696..5e8872b4a8 100644 --- a/devices/surface-hub/surface-hub-2s-setup.md +++ b/devices/surface-hub/surface-hub-2s-setup.md @@ -97,5 +97,5 @@ If you insert a USB thumb drive with a provisioning package into one of the USB ![* Select a device account and friendly name from your configuration file*](images/sh2-run14.png)
        - 4. Follow the instructions to complete first time Setup. +4. Follow the instructions to complete first time Setup. diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index 2d0b406711..a1e5874ea2 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md @@ -61,8 +61,8 @@ The following steps show you how to create a deployment share for Windows 10 tha >[!NOTE] >As of SDA version 1.96.0405, SDA will install only the components of the Windows ADK that are required for deployment, as follows: > * Deployment tools - > * User State Migration Tool (USMT) - > * Windows Preinstallation Environment (WinPE) + > * User State Migration Tool (USMT) + > * Windows Preinstallation Environment (WinPE) > [!NOTE] > As of SDA version 1.96.0405, SDA will install and use MDT 2013 Update 2. Earlier versions of SDA are compatible only with MDT 2013 Update 1. 
@@ -75,11 +75,11 @@ The following steps show you how to create a deployment share for Windows 10 tha - **Local Path** – Specify or browse to a location on the local storage device where you would like to store the deployment share files for the Windows 10 SDA deployment share. For example, **E:\\SDAWin10\\** is the location specified in Figure 3. - - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. + - **Share Name** – Specify a name for the file share that will be used to access the deployment share on this server from the network. For example, **SDAWin10** is the deployment share name shown in Figure 3. The local path folder is automatically shared by the SDA scripts under this name to the group **Everyone** with a permission level of **Full Control**. - **Windows 10 Deployment Services** - - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. + - Select the **Import boot media into the local Windows Deployment Service** check box if you would like to boot your Surface devices from the network to perform the Windows deployment. Windows Deployment Services must be installed and configured to respond to PXE boot requests. 
See [Windows Deployment Services Getting Started Guide for Windows Server 2012](https://technet.microsoft.com/library/jj648426.aspx) for more information about how to configure Windows Deployment Services for PXE boot. - **Windows 10 Source Files** diff --git a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md index 014d912472..9d90ff5071 100644 --- a/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md +++ b/mdop/appv-v4/how-to-manually-install-the-application-virtualization-client.md 
@@ -13,52 +13,42 @@ ms.prod: w8 ms.date: 08/30/2016 --- - # How to Manually Install the Application Virtualization Client - There are two types of Application Virtualization Client components: the Application Virtualization Desktop Client, which is designed for installation on desktop computers, and the Application Virtualization Client for Remote Desktop Services (formerly Terminal Services), which you can install on Remote Desktop Session Host (RD Session Host) servers . Although the two client installer programs are different, you can use the following procedure to manually install either the Application Virtualization Desktop Client on a single desktop computer or the Application Virtualization Client for Remote Desktop Services on a single RD Session Host server. In a production environment, you most likely will install the Application Virtualization Desktop Client on multiple desktop computers with an automated scripted installation process. For information about how to install multiple clients by using a scripted installation process, see [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md). **Note** -1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md). - -2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. 
By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder. - +1. If you are installing the Application Virtualization Client for Remote Desktop Services software on a RD Session Host server, advise users who have an open RDP or ICA client session with the RD Session Host server that they must save their work and close their sessions. In a Remote Desktop session, you can install the client the client manually. For more information about upgrading the client, see [How to Upgrade the Application Virtualization Client](how-to-upgrade-the-application-virtualization-client.md). +2. If you have any configuration on the user’s computer that depends on the client install path, note that the Application Virtualization (App-V) 4.5 client uses a different install folder than previous versions. By default, a new install of the Application Virtualization (App-V) 4.5 client will install to the \\Program Files\\Microsoft Application Virtualization Client folder. If an earlier version of the client is already installed, installing the App-V client will perform an upgrade into the existing installation folder. **Note** For App-V version 4.6 and later, when the App-V client is installed, SFTLDR.DLL is installed in the Windows\\system32 directory. If the App-V client is installed on a 64-bit system, SFTLDR\_WOW64.DLL is installed in the Windows\\SysWOW64 directory. - - **To manually install Application Virtualization Desktop Client** -1. After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive. +1. 
After you have obtained the correct installer archive file and saved it to your computer, make sure you are logged on with an account having administrator rights on the computer and double-click the file to expand the archive. -2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it. +2. Choose the folder in which to save the files, and then open the folder after the files have been copied to it. -3. Review the Release Notes if appropriate. +3. Review the Release Notes if appropriate. -4. Browse to find the setup.exe file, and double-click setup.exe to start the installation. +4. Browse to find the setup.exe file, and double-click setup.exe to start the installation. -5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them: +5. The wizard checks the system to ensure that all prerequisite software is installed, and if any of the following are missing, the wizard will automatically prompt you to install them: - - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) + - Microsoft Visual C++ 2005 SP1 Redistributable Package (x86) - - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86) + - Microsoft Core XML Services (MSXML) 6.0 SP1 (x86) - - Microsoft Application Error Reporting + - Microsoft Application Error Reporting **Note** For App-V version 4.6 and later, the wizard will also install Microsoft Visual C++ 2008 SP1 Redistributable Package (x86). - For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see (https://go.microsoft.com/fwlink/?LinkId=150700). + For more information about installing Microsoft Visual C++ 2008 SP1 Redistributable Package (x86), see [https://go.microsoft.com/fwlink/?LinkId=150700](https://go.microsoft.com/fwlink/?LinkId=150700). - - -~~~ -If prompted, click **Install**. 
Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully. -~~~ + If prompted, click **Install**. Installation progress is displayed, and the status changes from **Pending** to **Installing**. Installation status changes to **Succeeded** as each step is completed successfully. 6. When the **Microsoft Application Virtualization Desktop Client – InstallShield Wizard** is displayed, click **Next**. 
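Review bot: in the re-indented note item 1 of the App-V manual-install hunk, the '+' line still reads "you can install the client the client manually" and "on a RD Session Host server"; since the line is being rewritten anyway, drop the duplicated words and change the article to "an RD Session Host server". Removing the `~~~` fences around "If prompted, click **Install**…" is correct, because that text is prose rather than code, and the replacement link `[https://go.microsoft.com/fwlink/?LinkId=150700](...)` fixes the bare parenthesised URL; nothing else in this hunk changes meaning.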
@@ -76,88 +66,66 @@ If prompted, click **Install**. Installation progress is displayed, and the stat 12. On the **Application Virtualization Data Location** screen, click **Next** to accept the default data locations or complete the following actions to change where the data is stored: - 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data. + 1. Click **Change**, and then browse to or, in the **Global Data Location** field, enter the destination folder for the global data location, and click **OK**. The Global Data Directory is where the Application Virtualization Desktop Client caches data shared by all users on the computer, like OSD files and SFT file data. - 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list. + 2. If you want to change the drive letter to be used, select the preferred drive letter from the drop-down list. - 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications. + 3. Enter a new path to store the user-specific data in the **User-specific Data Location** field if you want to change the data location. The User Data Directory is where the Application Virtualization Desktop Client stores user-specific information, like personal settings for virtualized applications. **Note** This path must be different for every user, so it should include a user-specific environment variable or a mapped drive or something else that will resolve to a unique path for each user. - - - 4. 
When you have finished making the changes, click **Next**. + 4. When you have finished making the changes, click **Next**. 13. On the **Cache Size Settings** screen, you can accept or change the default cache size. Click one of the following radio buttons to choose how to manage the cache space: - 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. + 1. **Use maximum cache size**. Enter a numeric value from 100–1,048,576 (1 TB) in the **Maximum size (MB)** field to specify the maximum size of the cache. - 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused. + 2. **Use free disk space threshold**. Enter a numeric value to specify the amount of free disk space, in MB, that the Application Virtualization Client must leave available on the disk. This allows the cache to grow until the amount of free disk space reaches this limit. The value shown in **Free disk space remaining** indicates how much disk space is currently unused. - **Important** - To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**. 
+ **Important** + To ensure that the cache has sufficient space allocated for all packages that might be deployed, use the **Use free disk space threshold** setting when you configure the client so that the cache can grow as needed. Alternatively, determine in advance how much disk space will be needed for the App-V cache, and at installation time, set the cache size accordingly. For more information about the cache space management feature, in the Microsoft Application Virtualization (App-V) Operations Guide, see **How to Use the Cache Space Management Feature**. - - -~~~ -Click **Next** to continue. -~~~ + Click **Next** to continue. 14. In the following sections of the **Runtime Package Policy Configuration** screen, you can change the parameters that affect how the Application Virtualization client behaves during runtime: - 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file. + 1. **Application Source Root**. Specifies the location of SFT files. If used, overrides the protocol, server, and port portions of the CODEBASE HREF URL in the OSD file. - 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application. + 2. **Application Authorization**. When **Require User authorization even when cached** is checked, users are required to connect to a server and validate their credentials at least once before they are allowed to start each virtual application. - 3. **Allow streaming from file**. Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share. + 3. 
**Allow streaming from file**. Indicates whether streaming from file will be enabled, regardless of how the **Application Source Root** field is used. If not checked, streaming from files is disabled. This must be checked if **Application Source Root** contains a UNC path in the form \\\\server\\share. - 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs. + 4. **Automatically Load Application**. Controls when and how automatic background loading of applications occurs. **Note** When you install the App-V client to use with a read-only cache, for example, with a VDI server implementation, set **What applications to Auto Load** to **Do not automatically load applications** to prevent the client from trying to update applications in the read-only cache. - - -~~~ -Click **Next** to continue. -~~~ + Click **Next** to continue. 15. On the **Publishing Server** screen, select the **Set up a Publishing Server now** check box if you want to define a publishing server, or click **Next** if you want to complete this later. To define a publishing server, specify the following information: - 1. **Display Name**—Enter the name you want to display for the server. + 1. **Display Name**—Enter the name you want to display for the server. - 2. **Type**—Select the server type from the drop-down list of server types. + 2. **Type**—Select the server type from the drop-down list of server types. - 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs. + 3. **Host Name** and **Port**—Enter the host name and the port in the corresponding fields. 
When you select a server type in the drop-down list, the port field will automatically fill with the standard port numbers. To change a port number, click the server type in the list and change the port number according to your needs. - 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active. + 4. **Path**—If you have selected either **Standard HTTP Server** or **Enhanced Security HTTP Server**, you must enter the complete path to the XML file containing publishing data in this field. If you select either **Application Virtualization Server** or **Enhanced Security Application Virtualization Server**, this field is not active. - 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client. + 5. **Automatically contact this server to update settings when a user logs in**—Select this check box if you want this server to be queried automatically when users log in to their account on the Application Virtualization Client. - 6. When finished with the configuration steps, click **Next**. + 6. When finished with the configuration steps, click **Next**. 16. On the **Ready to Install the Program** screen, click **Install**. A screen is displayed that shows the progress of the installation. 17. On the **Install Wizard Completed** screen, click **Finish**. - **Note** - If the installation fails for any reason, you might need to restart the computer before trying the install again. - - + **Note** + If the installation fails for any reason, you might need to restart the computer before trying the install again. 
## Related topics - [How to Install the Client by Using the Command Line](how-to-install-the-client-by-using-the-command-line-new.md) [Stand-Alone Delivery Scenario Overview](stand-alone-delivery-scenario-overview.md) - - - - - - - - - diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md index 87f038c663..80079aaef9 100644 --- a/windows/client-management/mdm/appv-deploy-and-config.md +++ b/windows/client-management/mdm/appv-deploy-and-config.md @@ -37,7 +37,7 @@ manager: dansimp - LastErrorDescription - SyncStatusDescription - SyncProgress - - Sync + - Sync - PublishXML - AppVDynamicPolicy diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index fe5a5b2d1e..07b451a006 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -32,7 +32,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( ## Enable a policy 1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description. - - GP English name + - GP English name - GP name - GP ADMX file name - GP path diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index b9bc55a06a..682ae5b63d 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md 
@@ -44,7 +44,7 @@ The MDM security baseline includes policies that cover the following areas: For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see: - [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) - - [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) +- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](https://docs.microsoft.com/intune/security-baseline-settings-windows) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 524745b05b..1682e10bd8 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
@@ -387,12 +387,12 @@ Specifies whether device lock is enabled. > [!Important] > **DevicePasswordEnabled** should not be set to Enabled (0) when WMI is used to set the EAS DeviceLock policies given that it is Enabled by default in Policy CSP for back compat with Windows 8.x. If **DevicePasswordEnabled** is set to Enabled(0) then Policy CSP will return an error stating that **DevicePasswordEnabled** already exists. Windows 8.x did not support DevicePassword policy. When disabling **DevicePasswordEnabled** (1) then this should be the only policy set from the DeviceLock group of policies listed below: > - **DevicePasswordEnabled** is the parent policy of the following: -> - AllowSimpleDevicePassword -> - MinDevicePasswordLength -> - AlphanumericDevicePasswordRequired -> - MinDevicePasswordComplexCharacters  -> - DevicePasswordExpiration -> - DevicePasswordHistory +> - AllowSimpleDevicePassword +> - MinDevicePasswordLength +> - AlphanumericDevicePasswordRequired +> - MinDevicePasswordComplexCharacters  +> - DevicePasswordExpiration +> - DevicePasswordHistory > - MaxDevicePasswordFailedAttempts > - MaxInactivityTimeDeviceLock diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index 2cf601685a..b18360e804 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md 
@@ -190,47 +190,47 @@ To do this, follow these steps: 3. Add one of the following registry values to configure Automatic Update. - * NoAutoUpdate (REG_DWORD): - - * **0**: Automatic Updates is enabled (default). - - * **1**: Automatic Updates is disabled. - - * AUOptions (REG_DWORD): - - * **1**: Keep my computer up to date is disabled in Automatic Updates. - - * **2**: Notify of download and installation. - - * **3**: Automatically download and notify of installation. - - * **4**: Automatically download and scheduled installation. + * NoAutoUpdate (REG_DWORD): + + * **0**: Automatic Updates is enabled (default). + + * **1**: Automatic Updates is disabled. + + * AUOptions (REG_DWORD): + + * **1**: Keep my computer up to date is disabled in Automatic Updates. + + * **2**: Notify of download and installation. + + * **3**: Automatically download and notify of installation. + + * **4**: Automatically download and scheduled installation. * ScheduledInstallDay (REG_DWORD): - + * **0**: Every day. - + * **1** through **7**: The days of the week from Sunday (1) to Saturday (7). - + * ScheduledInstallTime (REG_DWORD): - + **n**, where **n** equals the time of day in a 24-hour format (0-23). - + * UseWUServer (REG_DWORD) - + Set this value to **1** to configure Automatic Updates to use a server that is running Software Update Services instead of Windows Update. - + * RescheduleWaitTime (REG_DWORD) - + **m**, where **m** equals the time period to wait between the time Automatic Updates starts and the time that it begins installations where the scheduled times have passed. The time is set in minutes from 1 to 60, representing 1 minute to 60 minutes) - + > [!NOTE] > This setting only affects client behavior after the clients have updated to the SUS SP1 client version or later versions. - + * NoAutoRebootWithLoggedOnUsers (REG_DWORD): - + **0** (false) or **1** (true). If set to **1**, Automatic Updates does not automatically restart a computer while users are logged on. 
- + > [!NOTE] > This setting affects client behavior after the clients have updated to the SUS SP1 client version or later versions. diff --git a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md index 6d064aed64..05a804b816 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md +++ b/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-create-app-nativeapp.md 
@@ -62,29 +62,29 @@ This page explains how to create an AAD application, get an access token to Micr 4. Allow your Application to access Microsoft Defender ATP and assign it 'Read alerts' permission: - - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. + - On your application page, click **API Permissions** > **Add permission** > **APIs my organization uses** > type **WindowsDefenderATP** and click on **WindowsDefenderATP**. - - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. + - **Note**: WindowsDefenderATP does not appear in the original list. You need to start writing its name in the text box to see it appear. - ![Image of API access and API selection](images/add-permission.png) + ![Image of API access and API selection](images/add-permission.png) - - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions** + - Choose **Delegated permissions** > **Alert.Read** > Click on **Add permissions** - ![Image of API access and API selection](images/application-permissions-public-client.png) + ![Image of API access and API selection](images/application-permissions-public-client.png) - - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example! + - **Important note**: You need to select the relevant permissions. 'Read alerts' is only an example! - For instance, + For instance, - - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission - - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission - - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. 
+ - To [run advanced queries](run-advanced-query-api.md), select 'Run advanced queries' permission + - To [isolate a machine](isolate-machine.md), select 'Isolate machine' permission + - To determine which permission you need, please look at the **Permissions** section in the API you are interested to call. - - Click **Grant consent** + - Click **Grant consent** - **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. + **Note**: Every time you add permission you must click on **Grant consent** for the new permission to take effect. - ![Image of Grant permissions](images/grant-consent.png) + ![Image of Grant permissions](images/grant-consent.png) 6. Write down your application ID and your tenant ID: 
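Review bot: the step numbering in this hunk jumps from "4. Allow your Application to access Microsoft Defender ATP…" straight to "6. Write down your application ID and your tenant ID", so either a step 5 was lost or the later steps need renumbering; the whitespace cleanup is a good moment to fix that. The "Important note" bullet ('Read alerts' is only an example!) is the right caution to keep, and it would read more strongly if it said outright that the app should be granted only the permissions listed under the target API's **Permissions** section, which the three sub-bullets already imply.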
@@ -102,42 +102,42 @@ For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.co - Copy/Paste the below class in your application. - Use **AcquireUserTokenAsync** method with the your application ID, tenant ID, user name and password to acquire a token. - ``` - namespace WindowsDefenderATP - { - using System.Net.Http; - using System.Text; - using System.Threading.Tasks; - using Newtonsoft.Json.Linq; + ```csharp + namespace WindowsDefenderATP + { + using System.Net.Http; + using System.Text; + using System.Threading.Tasks; + using Newtonsoft.Json.Linq; - public static class WindowsDefenderATPUtils - { - private const string Authority = "https://login.windows.net"; + public static class WindowsDefenderATPUtils + { + private const string Authority = "https://login.windows.net"; - private const string WdatpResourceId = "https://api.securitycenter.windows.com"; + private const string WdatpResourceId = "https://api.securitycenter.windows.com"; - public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId) - { - using (var httpClient = new HttpClient()) - { - var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}"; + public static async Task AcquireUserTokenAsync(string username, string password, string appId, string tenantId) + { + using (var httpClient = new HttpClient()) + { + var urlEncodedBody = $"resource={WdatpResourceId}&client_id={appId}&grant_type=password&username={username}&password={password}"; - var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded"); + var stringContent = new StringContent(urlEncodedBody, Encoding.UTF8, "application/x-www-form-urlencoded"); - using (var response = await httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false)) - { - response.EnsureSuccessStatusCode(); + using (var response = await 
httpClient.PostAsync($"{Authority}/{tenantId}/oauth2/token", stringContent).ConfigureAwait(false)) + { + response.EnsureSuccessStatusCode(); - var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false); + var json = await response.Content.ReadAsStringAsync().ConfigureAwait(false); - var jObject = JObject.Parse(json); + var jObject = JObject.Parse(json); - return jObject["access_token"].Value(); - } - } - } - } - } + return jObject["access_token"].Value(); + } + } + } + } + } ``` ## Validate the token @@ -156,16 +156,17 @@ Sanity check to make sure you got a correct token: - The Expiration time of the token is 1 hour (you can send more then one request with the same token) - Example of sending a request to get a list of alerts **using C#** - ``` - var httpClient = new HttpClient(); - var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); + ```csharp + var httpClient = new HttpClient(); - request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); + var request = new HttpRequestMessage(HttpMethod.Get, "https://api.securitycenter.windows.com/api/alerts"); - var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); + request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token); - // Do something useful with the response + var response = httpClient.SendAsync(request).GetAwaiter().GetResult(); + + // Do something useful with the response ``` ## Related topics diff --git a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md index f78005ca01..668831d19d 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/user-roles.md +++ b/windows/security/threat-protection/microsoft-defender-atp/user-roles.md 
@@ -34,31 +34,31 @@ The following steps guide you on how to create roles in Microsoft Defender Secur 3. Enter the role name, description, and permissions you'd like to assign to the role. - - **Role name** - - **Description** - - **Permissions** - - **View data** - Users can view information in the portal. - - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. - - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. - - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. - - >[!NOTE] - >This setting is only available in the Microsoft Defender ATP administrator (default) role. + - **Role name** + - **Description** + - **Permissions** + - **View data** - Users can view information in the portal. + - **Alerts investigation** - Users can manage alerts, initiate automated investigations, collect investigation packages, manage machine tags, and export machine timeline. + - **Active remediation actions** - Users can take response actions and approve or dismiss pending remediation actions. + - **Manage portal system settings** - Users can configure storage settings, SIEM and threat intel API settings (applies globally), advanced settings, automated file uploads, roles and machine groups. - - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + > [!NOTE] + > This setting is only available in the Microsoft Defender ATP administrator (default) role. - - **Live response capabilities** - Users can take basic or advanced live response commands.
        - - Basic commands allow users to: - - Start a live response session - - Run read only live response commands on a remote machine - - Advanced commands allow users to: - - Run basic actions - - Download a file from the remote machine - - View a script from the files library - - Run a script on the remote machine from the files library take read and write commands. - - For more information on the available commands, see [Investigate machines using Live response](live-response.md). - + - **Manage security settings** - Users can configure alert suppression settings, manage allowed/blocked lists for automation, create and manage custom detections, manage folder exclusions for automation, onboard and offboard machines, and manage email notifications. + + - **Live response capabilities** - Users can take basic or advanced live response commands. + - Basic commands allow users to: + - Start a live response session + - Run read only live response commands on a remote machine + - Advanced commands allow users to: + - Run basic actions + - Download a file from the remote machine + - View a script from the files library + - Run a script on the remote machine from the files library take read and write commands. + + For more information on the available commands, see [Investigate machines using Live response](live-response.md). + 4. Click **Next** to assign the role to an Azure AD group. 5. Use the filter to select the Azure AD group that you'd like to add to this role. From 95ceade559065148a0baa45ec64ff27d9ebe6d2f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 24 Jul 2019 09:42:57 +0500 Subject: [PATCH 157/248] Update integrate-configuration-manager-with-mdt.md --- .../integrate-configuration-manager-with-mdt.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
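Review bot: in the deployment-share hunk (@@ -75,11 +75,11 @@), the whitespace-only '+' line for **Share Name** documents that the SDA scripts share the local path to **Everyone** with **Full Control**; while this line is being touched, add a sentence advising administrators to tighten the share and NTFS permissions once the scripts have created it (read access for the deployment accounts and PXE-booted clients only), since a share that every network user can write to also lets them alter the boot media and images that will be deployed.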
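Review bot: in the windows/client-management/mdm/index.md hunk, the corrected '+' line for the 1809 baseline still has unescaped square brackets inside the link target ("…1809-MDM-SecurityBaseLine-Document-[Preview].zip"); nested brackets in a markdown link destination break in several renderers, so percent-encode them as `%5BPreview%5D` or wrap the whole URL in angle brackets `<…>`.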
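Review bot: in the policy-csp-devicelock.md hunk, the '+' line `> - MinDevicePasswordComplexCharacters  ` still ends with trailing characters (they appear to be non-breaking spaces rather than ordinary spaces, which is presumably why the whitespace cleanup missed them); strip them so the line matches its siblings in the quoted list.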
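Review bot: in the exposed-apis-create-app-nativeapp.md hunk that adds the ```csharp tag (@@ -102,42 +102,42 @@), the code will not compile as shown: `public static async Task AcquireUserTokenAsync(...)` returns a value, so it must be `Task<string>`, and `jObject["access_token"].Value()` needs its type argument, `Value<string>()`. The angle brackets were most likely lost when the page was rendered, and tagging the block as C# is the right moment to restore them. Two smaller points on the same lines: the form body is built by string interpolation (`...&username={username}&password={password}`) with no URL encoding, so a password containing `&`, `%` or `+` silently breaks the request; `new FormUrlEncodedContent(...)` with a dictionary of the four fields handles that. And because this is the `grant_type=password` flow, the user's plaintext password passes through the app, so the prose above the block should say so and state that the credentials must not be logged or persisted.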
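Review bot: in the second csharp hunk of the same file (@@ -156,16 +156,17 @@), the snippet uses `AuthenticationHeaderValue`, which lives in `System.Net.Http.Headers`, and an undeclared `token` variable; add `using System.Net.Http.Headers;` (or mention it beside the block) and say where `token` comes from, for example the return value of `AcquireUserTokenAsync` from the class above. The blank lines added between statements are fine; `SendAsync(request).GetAwaiter().GetResult()` blocks the calling thread, which is acceptable for a sample but deserves a one-line comment saying it is synchronous for brevity.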
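Review bot: in the user-roles.md hunk, the re-indented '+' line "Run a script on the remote machine from the files library take read and write commands." is garbled (the '-' version carries the same text); the trailing "take read and write commands" reads like a leftover from an earlier edit and should either be removed or become its own bullet under the advanced commands. The rest of the hunk only changes indentation and moves the `[!NOTE]` block to sit directly under **Manage portal system settings**, which is where it belongs.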
diff --git a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md index 452f2cbdc1..c057de65bb 100644 --- a/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/integrate-configuration-manager-with-mdt.md @@ -27,9 +27,8 @@ MDT is a free, supported download from Microsoft that adds approximately 280 enh As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name does not reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. ->[!Note] ->Microsoft Deployment Toolkit requires [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) to be installed on the server. - +> [!Note] +> Microsoft Deployment Toolkit requires you to install [Windows PowerShell 2.0 Engine](https://docs.microsoft.com/powershell/scripting/install/installing-the-windows-powershell-2.0-engine) on your server. ### MDT enables dynamic deployment From 934f9ec8adbbb92a4f226b6b9b1eb321360c72aa Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 24 Jul 2019 09:45:21 +0500 Subject: [PATCH 158/248] Update use-system-center-configuration-manager-to-manage-devices-with-semm.md --- ...enter-configuration-manager-to-manage-devices-with-semm.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md index 2079cf5c8f..dff968bbf3 100644 --- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md 
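Review bot: the MDT note hunk drops the blank line after the blockquote (three deletions against two insertions), so `### MDT enables dynamic deployment` now follows `> Microsoft Deployment Toolkit requires you to install ...` directly; restore the blank line between the note and the heading so the section renders as it did before.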
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md @@ -128,7 +128,7 @@ The first region of the script that you need to modify is the portion that speci Replace the **FabrikamSEMMSample.pfx** value for the **$certName** variable with the name of your SEMM Certificate file on line 58. The script will create a working directory (named Config) in the folder where your scripts are located, and will then copy the certificate file to this working directory. -Owner pakage and reset pakage will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. +Owner package and reset package will also be created in the Config directory and hold the configuration for Surface UEFI settings and permissions generated by the script. On line 73, replace the value of the **$password** variable, from 1234, to the password for your certificate file. If a password is not required, delete the **1234** text. @@ -269,7 +269,7 @@ You can find information about the available settings names and IDs for Surface ### Settings registry key -To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes a registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location: +To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 script writes registry keys that can be used to identify enrolled systems as having been installed with the SEMM configuration script. These keys can be found at the following location: `HKLM\SOFTWARE\Microsoft\Surface\SEMM` From d47b5a0944322c4deb9b78de1c424484c3c65cda Mon Sep 17 00:00:00 2001 
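Review bot: in the first SEMM hunk (`@@ -128,7 +128,7 @@`) the corrected sentence still lacks articles: `Owner package and reset package will also be created in the Config directory ...`; suggest `An owner package and a reset package are also created in the Config directory; they hold the configuration for Surface UEFI settings and permissions generated by the script.`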
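Review bot: in the second SEMM hunk (`### Settings registry key`) the fixed sentence says "identify enrolled systems" twice; since the line is already being edited, tighten it to `The ConfigureSEMM.ps1 script writes registry keys that Configuration Manager can use to identify systems enrolled with the SEMM configuration script. These keys can be found at the following location:`.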
From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Wed, 24 Jul 2019 16:22:59 +0200 Subject: [PATCH 159/248] Update enable-admx-backed-policies-in-mdm.md Added two links to notes. --- .../mdm/enable-admx-backed-policies-in-mdm.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index fe5a5b2d1e..39c09ab52e 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md 
@@ -24,13 +24,16 @@ Summary of steps to enable a policy: - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. - Create the data payload for the SyncML. -See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) for a walk-through using Intune. +See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](https://blogs.technet.microsoft.com/senthilkumar/2018/05/21/intune-deploying-admx-backed-policies-using-microsoft-intune/) for a walk-through using Intune. >[!TIP] >Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](https://docs.microsoft.com/intune/administrative-templates-windows) ## Enable a policy +> [!NOTE] +> See [Understanding ADMX-backed policies](https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies). + 1. Find the policy from the list [ADMX-backed policies](policy-configuration-service-provider.md#admx-backed-policies). You need the following information listed in the policy description. - GP English name - GP name From 3ebf645756b9c669e5ebabad2064412853e9d050 Mon Sep 17 00:00:00 2001 
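Review bot: the new note's URL hardcodes a locale, `https://docs.microsoft.com/en-us/windows/client-management/mdm/understanding-admx-backed-policies`, while the existing link in the same hunk (`https://docs.microsoft.com/intune/administrative-templates-windows`) omits it; drop `/en-us/` so readers are served their own language. The note also reads as a bare `> See [Understanding ADMX-backed policies](...)`; say why the reader should go there, e.g. `> For background on how these policies are mapped to MDM, see ...`. The added TechNet link is a personal blog post rather than product documentation; confirm it belongs alongside the Support Tip as a reference.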
From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Wed, 24 Jul 2019 17:24:50 +0200 Subject: [PATCH 160/248] Update windows/configuration/start-layout-xml-desktop.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/configuration/start-layout-xml-desktop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md index cbaaf8af2b..520de10950 100644 --- a/windows/configuration/start-layout-xml-desktop.md +++ b/windows/configuration/start-layout-xml-desktop.md @@ -68,7 +68,7 @@ Comments are not supported in the `LayoutModification.xml` file. The following table lists the supported elements and attributes for the LayoutModification.xml file. > [!NOTE] -> RequiredStartGroupsCollection and AppendGroup syntax only applies to the special case of the Import-StartLayout method used for building and deploying Windows images. +> RequiredStartGroupsCollection and AppendGroup syntax only apply when the Import-StartLayout method is used for building and deploying Windows images. | Element | Attributes | Description | | --- | --- | --- | From 874aa44ae9f4282902f21ea82cede34ab527a6a1 Mon Sep 17 00:00:00 2001 From: essdeekay <15057151+essdeekay@users.noreply.github.com> Date: Wed, 24 Jul 2019 18:29:09 +0100 Subject: [PATCH 161/248] Update index.md Corrected typo: 'annd' to 'and' --- windows/security/identity-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/index.md b/windows/security/identity-protection/index.md index b6001998ed..d55a5400cc 100644 --- a/windows/security/identity-protection/index.md +++ b/windows/security/identity-protection/index.md 
@@ -17,7 +17,7 @@ ms.date: 02/05/2018 # Identity and access management -Learn more about identity annd access management technologies in Windows 10 and Windows 10 Mobile. +Learn more about identity and access management technologies in Windows 10 and Windows 10 Mobile. | Section | Description | |-|-| From c0deea95a1bc2e5dac75548fc12f6bd9cb4a1180 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:16:44 -0500 Subject: [PATCH 162/248] Update windows/security/identity-protection/hello-for-business/hello-planning-guide.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-planning-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index bb021a898f..7e3df82276 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -167,7 +167,7 @@ Choose a trust type that is best suited for your organizations. Remember, the t One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. If you will use a federated environment, you must activate the Device Writeback option in Azure AD Connect. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. 
If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. From 5b64845f1bef4e97eb025c68a43e437d46e0b505 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:17:33 -0500 Subject: [PATCH 163/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 0aaadd7eb7..fd135fd5a3 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -37,7 +37,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit failure events, click **Fail.** - To audit all events, click **All.** 6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: - - **This folder only.** + - **This folder only** - **This folder, subfolders and files.** - **This folder and subfolders.** - **This folder and files.** From 0203599431d9fa6b19112e0862c71283a0733007 Mon Sep 17 00:00:00 2001 
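Review bot: in the Hello planning guide hunk (`@@ -167,7 +167,7 @@`) the rewritten line keeps the agreement error `Because the certificate trust types issues certificates`; since the line is touched anyway, change it to `Because the certificate trust type issues certificates`. The new closing sentence, `In a federated environment, you need to activate the Device Writeback option in Azure AD Connect.`, reads well.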
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:17:46 -0500 Subject: [PATCH 164/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index fd135fd5a3..8583be9b99 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -38,7 +38,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit all events, click **All.** 6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: - **This folder only** - - **This folder, subfolders and files.** + - **This folder, subfolders and files** - **This folder and subfolders.** - **This folder and files.** - **Subfolders and files only.** From 4cbf9aa9531a2365e193040d42c379f83a4d46eb Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:18:14 -0500 Subject: [PATCH 165/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
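Review bot: the PATCH 164 hunk removes the trailing period from `- **This folder, subfolders and files**` while the neighbouring items in its own context (`- **This folder and subfolders.**`, `- **This folder and files.**`) keep theirs, so the list is inconsistent at this commit; PATCH 163 through 174 each fix one item of the same two lists and should be squashed into a single commit that normalises every **Applies to** and **Basic Permissions** item at once.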
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 8583be9b99..376607a36a 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -39,7 +39,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad 6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: - **This folder only** - **This folder, subfolders and files** - - **This folder and subfolders.** + - **This folder and subfolders** - **This folder and files.** - **Subfolders and files only.** - **Subfolders only.** From 1b95266f6e51e8b019fe4b9080f011b3867243cf Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:18:47 -0500 Subject: [PATCH 166/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 376607a36a..c3ca179983 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -40,7 +40,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder only** - **This folder, subfolders and files** - **This folder and subfolders** - - **This folder and files.** + - **This folder and files** - **Subfolders and files only.** - **Subfolders only.** - **Files only.** From e339cf241014f4bfaab80b45a947ba02f5ae5b68 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:19:15 -0500 Subject: [PATCH 167/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index c3ca179983..8e1439d17a 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -41,7 +41,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder, subfolders and files** - **This folder and subfolders** - **This folder and files** - - **Subfolders and files only.** + - **Subfolders and files only** - **Subfolders only.** - **Files only.** 7. By default, the selected **Basic Permissions** to Audit are the following: From 64d06d43514118cd7e8e15d748538ee79907283a Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:19:47 -0500 Subject: [PATCH 168/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 8e1439d17a..571146ed8c 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -42,7 +42,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and subfolders** - **This folder and files** - **Subfolders and files only** - - **Subfolders only.** + - **Subfolders only** - **Files only.** 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** From ec2aa8a52f02879f3565d6702e99352d6d9197a0 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:19:58 -0500 Subject: [PATCH 169/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 571146ed8c..b8c3006976 100644 
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -43,7 +43,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and files** - **Subfolders and files only** - **Subfolders only** - - **Files only.** + - **Files only** 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** - **List folder contents.** From b93db8b98f704bdade06392f8181616426d7aaef Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:20:24 -0500 Subject: [PATCH 170/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index b8c3006976..b27ab6fafe 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -36,7 +36,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** -6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: +6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include: - **This folder only** - **This folder, subfolders and files** - **This folder and subfolders** From c07cbf088af7f48647e9f75dff901ce66817f52f Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:20:45 -0500 Subject: [PATCH 171/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index b27ab6fafe..5f8a82f60e 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -47,7 +47,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** - **List folder contents.** - - **Read.** + - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From 7efc49e430152f01850d58f8e5d5230c1031b56f Mon Sep 17 00:00:00 2001 
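Review bot: in the PATCH 170 hunk, `select the object(s) that the audit of events will apply to. These include:` makes the list that follows sound like a sample, but the scopes listed are the complete set; suggest `select the objects that the auditing applies to. The options are:` and avoid the `(s)` form.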
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:21:03 -0500 Subject: [PATCH 172/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 5f8a82f60e..9cfbeb0861 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -45,7 +45,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Subfolders only** - **Files only** 7. By default, the selected **Basic Permissions** to Audit are the following: - - **Read & Execute.** + - **Read and execute** - **List folder contents.** - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From c821d90e1efbb9c7bc3b4418b418697566bdbd2a Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:21:15 -0500 Subject: [PATCH 173/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
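Review bot: in the PATCH 172 hunk the bolded item is a UI label in the auditing entry dialog, so renaming `- **Read & Execute.**` to `- **Read and execute**` changes the text the reader matches against on screen, whereas the rest of the series only drops trailing periods. Keep the ampersand (`- **Read & execute**`) and remove only the period.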
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 9cfbeb0861..2b291c0cde 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -44,7 +44,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Subfolders and files only** - **Subfolders only** - **Files only** -7. By default, the selected **Basic Permissions** to Audit are the following: +7. By default, the selected **Basic Permissions** to audit are the following: - **Read and execute** - **List folder contents.** - **Read** From 19675214fed8db95124ba920772a1861d7f77eb2 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:21:28 -0500 Subject: [PATCH 174/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 2b291c0cde..7d80930c21 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -46,7 +46,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Files only** 7. By default, the selected **Basic Permissions** to audit are the following: - **Read and execute** - - **List folder contents.** + - **List folder contents** - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From 60770b0211e1d276ee72811f9a16e234fafae9f6 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:24:23 -0500 Subject: [PATCH 175/248] Update devices/surface-hub/whiteboard-collaboration.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- devices/surface-hub/whiteboard-collaboration.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/whiteboard-collaboration.md b/devices/surface-hub/whiteboard-collaboration.md index f64f6e76c3..d3d7ad2206 100644 --- a/devices/surface-hub/whiteboard-collaboration.md +++ b/devices/surface-hub/whiteboard-collaboration.md @@ -66,4 +66,4 @@ After you’re done, you can export a copy of the Whiteboard collaboration for y ## Related topics - [Windows 10 Creators Update for Surface Hub](https://www.microsoft.com/surface/support/surface-hub/windows-10-creators-update-surface-hub) -- [Support documentation for Microsoft Whiteboard](https://support.office.com/en-us/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) +- [Support documentation for Microsoft Whiteboard](https://support.office.com/article/Whiteboard-Help-0c0f2aa0-b1bb-491c-b814-fd22de4d7c01) From ab65fff6d478b56cefba18eddddcca0cddaf0031 Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:24:42 -0500 Subject: [PATCH 176/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 0aaadd7eb7..fd135fd5a3 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -37,7 +37,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit failure events, click **Fail.** - To audit all events, click **All.** 6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: - - **This folder only.** + - **This folder only** - **This folder, subfolders and files.** - **This folder and subfolders.** - **This folder and files.** From 4ec712e7d7c1c0af5db2ccc32301473ec4240a27 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:27:03 -0500 Subject: [PATCH 177/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
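Review bot: PATCH 176 is a byte-for-byte duplicate of PATCH 163: same `index 0aaadd7eb7..fd135fd5a3`, same `@@ -37,7 +37,7 @@` hunk turning `- **This folder only.**` into `- **This folder only**`. Applied after PATCH 163 through 174 it either fails to apply (its context line `- **This folder, subfolders and files.**` no longer exists) or is a no-op; drop it from the series.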
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 85c98c1b43..714dd195c7 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -43,7 +43,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder, subfolders and files.** - **This folder and subfolders.** - **This folder and files.** - - **Subfolders and files only.** + - **Subfolders and files only** - **Subfolders only.** - **Files only.** 7. By default, the selected **Basic Permissions** to Audit are the following: From 5e499b9d7289404fa370aa952c4ceae634c665f9 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:27:13 -0500 Subject: [PATCH 178/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 714dd195c7..5c35afb310 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -38,7 +38,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** -6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: +6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include: - **This folder only** - **This folder, subfolders and files.** - **This folder and subfolders.** From 846d4eb3c10a81e35909e23676458faa2cd56d5c Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:27:30 -0500 Subject: [PATCH 179/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 5c35afb310..403d6d95bc 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -49,7 +49,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** - **List folder contents.** - - **Read.** + - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From a2a5793cb638d0dd084d97a15ecb1416be3a2e81 Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:27:40 -0500 Subject: [PATCH 180/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 403d6d95bc..9ac4757609 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -42,7 +42,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder only** - **This folder, subfolders and files.** - **This folder and subfolders.** - - **This folder and files.** + - **This folder and files** - **Subfolders and files only** - **Subfolders only.** - **Files only.** From 57974970ef4f9ac9c41892f57fbb72e998d2a675 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:27:51 -0500 Subject: [PATCH 181/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 9ac4757609..d126c4a736 100644 
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -40,7 +40,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit all events, click **All.** 6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include: - **This folder only** - - **This folder, subfolders and files.** + - **This folder, subfolders and files** - **This folder and subfolders.** - **This folder and files** - **Subfolders and files only** From 9939c49a73f76d0c88f6024138ddda1b0fb5170f Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:28:01 -0500 Subject: [PATCH 182/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index d126c4a736..4dbbb5c747 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -44,7 +44,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and subfolders.** - **This folder and files** - **Subfolders and files only** - - **Subfolders only.** + - **Subfolders only** - **Files only.** 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** 
From 0b80eb714f62a83d6987685071b6d5d45f75734b Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:28:26 -0500 Subject: [PATCH 183/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 4dbbb5c747..e86cbcc038 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -41,7 +41,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad 6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include: - **This folder only** - **This folder, subfolders and files** - - **This folder and subfolders.** + - **This folder and subfolders** - **This folder and files** - **Subfolders and files only** - **Subfolders only** From ccbc36f55e6f1744974503f66b020a33b364cacb Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:30:07 -0500 Subject: [PATCH 184/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index e86cbcc038..ceac93de68 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -48,7 +48,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Files only.** 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** - - **List folder contents.** + - **List folder contents** - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From f985a71b25dd2b2302477bed3cd8ad0ff67e9fb9 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:30:18 -0500 Subject: [PATCH 185/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index ceac93de68..898081c254 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -45,7 +45,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and files** - **Subfolders and files only** - **Subfolders only** - - **Files only.** + - **Files only** 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** - **List folder contents** From 276434955e677e6e2a0214d5f3f6c11f30c5b699 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:30:31 -0500 Subject: [PATCH 186/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 898081c254..82f43bbaea 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -46,7 +46,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Subfolders and files only** - **Subfolders only** - **Files only** -7. By default, the selected **Basic Permissions** to Audit are the following: +7. By default, the selected **Basic Permissions** to audit are the following: - **Read & Execute.** - **List folder contents** - **Read** From c24401be85bc54a6d76fe126a58e89240aa13b3d Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:30:43 -0500 Subject: [PATCH 187/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 82f43bbaea..328729bd6b 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -47,7 +47,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Subfolders only** - **Files only** 7. By default, the selected **Basic Permissions** to audit are the following: - - **Read & Execute.** + - **Read and execute** - **List folder contents** - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From f2037f69e6c72f34109cec03fa28b8c2e4f3a893 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:31:48 -0500 Subject: [PATCH 188/248] Update windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-key-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
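Review bot: the bold text in this list names the checkbox label in the object's Auditing dialog, so rewording **Read & Execute** to **Read and execute** should be checked against the actual dialog text before merging; if the control is labelled with the ampersand, keep it so readers can find the checkbox, and drop only the trailing period as in the neighbouring items.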
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 703bf1305e..257948cc83 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md 
@@ -34,7 +34,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs on The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. -You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. For this settings to be configured using GPO, you must download and install the latest Administrative Templates (.admx) for Windows 10. +If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10. ## Create the Windows Hello for Business Group Policy object From 90f133ee410ca57b55b7e304d49deb316c75138b Mon Sep 17 00:00:00 2001 
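Review bot: the replacement paragraph drops two statements from the removed text that a key-trust deployment relies on: that the setting can be deployed to a group of users, and that the user policy setting takes precedence when both user and computer settings are applied. Keep those sentences or restate the precedence rule explicitly in the new wording. Minor: "sign-in to" should be "sign in to" in the added line.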
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:31:59 -0500 Subject: [PATCH 189/248] Update windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../hello-for-business/hello-key-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md index 257948cc83..0d06320e9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md @@ -32,7 +32,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs on ## Enable Windows Hello for Business Group Policy -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users. If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10. From 1a09b7cf9be7e6a5b9a1cea3439637bf6634acd8 Mon Sep 17 00:00:00 2001 
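Review bot: the second sentence of the new paragraph ("It can be configured for computers or users") restates what the unchanged paragraph directly below already says, and the removed text's point that a user only attempts enrollment when the setting is configured to Enabled is lost; merge the two paragraphs or keep the "configured to enabled" clause so a reader does not assume Not Configured also prompts for enrollment.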
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:32:12 -0500 Subject: [PATCH 190/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 0aaadd7eb7..fd135fd5a3 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -37,7 +37,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit failure events, click **Fail.** - To audit all events, click **All.** 6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: - - **This folder only.** + - **This folder only** - **This folder, subfolders and files.** - **This folder and subfolders.** - **This folder and files.** From 40cbe9d9cab9f1cd574e2bdb1777f421e49fcd24 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:32:22 -0500 Subject: [PATCH 191/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
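Review bot: this hunk is the same change as PATCH 176 (same index line 0aaadd7eb7..fd135fd5a3, same one-line edit to **This folder only**), and PATCH 191 through 200 replay 177 through 187 in the same way, with the two runs diverging slightly in wording (PATCH 192 keeps "click the object(s)" where PATCH 178 used "select the object(s)"). The series should be rebased so each change appears once and step 6 ends with a single wording.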
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index fd135fd5a3..8583be9b99 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -38,7 +38,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit all events, click **All.** 6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: - **This folder only** - - **This folder, subfolders and files.** + - **This folder, subfolders and files** - **This folder and subfolders.** - **This folder and files.** - **Subfolders and files only.** From 37bdec4a02be7cfd60bd895836b2e4931f095ead Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:34:05 -0500 Subject: [PATCH 192/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 8583be9b99..a5318f7af1 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -36,7 +36,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - To audit successful events, click **Success.** - To audit failure events, click **Fail.** - To audit all events, click **All.** -6. In the **Applies to** box, click the object or objects that the audit of events will apply to. It can be to: +6. In the **Applies to** box, click the object(s) that the audit of events will apply to. These include: - **This folder only** - **This folder, subfolders and files** - **This folder and subfolders.** From cb1ef40394cbf6822d66febb043db772e49c4510 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:34:28 -0500 Subject: [PATCH 193/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index a5318f7af1..4f2f4c9cfb 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -47,7 +47,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** - **List folder contents.** - - **Read.** + - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From 125222f338314f8e2799778140b94cff5dd59be3 Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:34:39 -0500 Subject: [PATCH 194/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 4f2f4c9cfb..024f685e20 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -39,7 +39,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad 6. In the **Applies to** box, click the object(s) that the audit of events will apply to. These include: - **This folder only** - **This folder, subfolders and files** - - **This folder and subfolders.** + - **This folder and subfolders** - **This folder and files.** - **Subfolders and files only.** - **Subfolders only.** From 80d1862d64cadcb761759d7d2ef3020ba7dfc5e4 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:34:53 -0500 Subject: [PATCH 195/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 024f685e20..4551941fcd 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -40,7 +40,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder only** - **This folder, subfolders and files** - **This folder and subfolders** - - **This folder and files.** + - **This folder and files** - **Subfolders and files only.** - **Subfolders only.** - **Files only.** From deef74a83ebec101aea801761dc3c7c28ce9171c Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:35:03 -0500 Subject: [PATCH 196/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 4551941fcd..2e84c8e98a 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md 
@@ -41,7 +41,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder, subfolders and files** - **This folder and subfolders** - **This folder and files** - - **Subfolders and files only.** + - **Subfolders and files only** - **Subfolders only.** - **Files only.** 7. By default, the selected **Basic Permissions** to Audit are the following: From ca7d8c4a675f2d49c8cb0e3db29618d2d20badb1 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:35:13 -0500 Subject: [PATCH 197/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 2e84c8e98a..4f98f463a7 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -42,7 +42,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **This folder and subfolders** - **This folder and files** - **Subfolders and files only** - - **Subfolders only.** + - **Subfolders only** - **Files only.** 7. By default, the selected **Basic Permissions** to Audit are the following: - **Read & Execute.** From 09f5cc6fe1a1361503a6d0f1fa7db91488761cae Mon Sep 17 00:00:00 2001 
From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:35:29 -0500 Subject: [PATCH 198/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 4f98f463a7..7601fcbd93 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -44,7 +44,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Subfolders and files only** - **Subfolders only** - **Files only.** -7. By default, the selected **Basic Permissions** to Audit are the following: +7. By default, the selected **Basic Permissions** to audit are the following: - **Read & Execute.** - **List folder contents.** - **Read** From 6a85adc6ad668c420632684a5d2fc2e6b550c35a Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:35:56 -0500 Subject: [PATCH 199/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 7601fcbd93..484ac6c93b 100644 
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -46,7 +46,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Files only.** 7. By default, the selected **Basic Permissions** to audit are the following: - **Read & Execute.** - - **List folder contents.** + - **List folder contents** - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. From 80245d98a3068f3b9a0d52cf765149058dfa130b Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Wed, 24 Jul 2019 15:36:08 -0500 Subject: [PATCH 200/248] Update windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md index 484ac6c93b..13d4e3710e 100644 --- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md +++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md @@ -45,7 +45,7 @@ To complete this procedure, you must be logged on as a member of the built-in Ad - **Subfolders only** - **Files only.** 7. By default, the selected **Basic Permissions** to audit are the following: - - **Read & Execute.** + - **Read and execute** - **List folder contents** - **Read** - Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination. 
From 547ecf4336473ce4e97448093ebcbc0b24ee7a33 Mon Sep 17 00:00:00 2001 From: GirlGerms Date: Thu, 25 Jul 2019 09:06:57 +1000 Subject: [PATCH 201/248] Create troubleshooting-agpm40-upgrades.md --- mdop/agpm/troubleshooting-agpm40-upgrades.md | 41 ++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 mdop/agpm/troubleshooting-agpm40-upgrades.md diff --git a/mdop/agpm/troubleshooting-agpm40-upgrades.md b/mdop/agpm/troubleshooting-agpm40-upgrades.md new file mode 100644 index 0000000000..a1b6663214 --- /dev/null +++ b/mdop/agpm/troubleshooting-agpm40-upgrades.md 
@@ -0,0 +1,41 @@ +--- +title: Troubleshooting AGPM Upgrades +description: Troubleshooting AGPM Upgrades +author: jedodson +ms.assetid: 1abbf0c1-fd32-46a8-a3ba-c005f066523d +ms.reviewer: +manager: dansimp +ms.author: jedodson +ms.pagetype: mdop +ms.mktglfcycl: manage +ms.sitesec: library +ms.prod: w10 +ms.date: 06/16/2016 +--- + + +# Troubleshooting AGPM Upgrades + +This section lists common issues that you may encounter when you upgrade your Advanced Group Policy Management (AGPM) server to a newer version (e.g. AGPM 4.0 to AGPM 4.3). To diagnose issues not listed here, it may be helpful to view the [Troubleshooting AGPM](troubleshooting-agpm-agpm40.md) or for an AGPM Administrator (Full Control) to use logging and tracing. For more information, see [Configure Logging and Tracing](configure-logging-and-tracing-agpm40.md). + +## What problems are you having? + +- [Failed to generate a HTML GPO difference report (Error code 80004003)](#bkmk-error-80004003) + +### Failed to generate a HTML GPO difference report (Error code 80004003) + +- **Cause**: You have installed the AGPM upgrade package with an incorrect account. + +- **Solution**: You will need to be an AGPM administrator in order to fix this issue. + + - Ensure you know the username & password of your **AGPM service account**. + + - Log onto your AGPM server interactively as your AGPM service account. + + - This is critically important, as the install will fail if you use a different account. + + - Shutdown the AGPM service. + + - Install the required hotfix. + + - Connect to AGPM using an AGPM client to test that your difference reports are now functioning. From 54d9cb70f28edf5b96fc07de592385c70f78e646 Mon Sep 17 00:00:00 2001 From: GirlGerms Date: Thu, 25 Jul 2019 09:15:52 +1000 Subject: [PATCH 202/248] Update TOC.md Addition of Troubleshooting AGPM Upgrades top-level link --- mdop/agpm/TOC.md | 1 + 1 file changed, 1 insertion(+) 
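Review bot: the procedure in the new topic cannot be completed from the page, because the step "Install the required hotfix" names no hotfix, KB number or download link; add the reference. The "What problems are you having?" entry links to `#bkmk-error-80004003`, but no anchor with that id appears anywhere in the added file, so the link will not resolve to the heading below it. `ms.date: 06/16/2016` predates this 2019 addition and `ms.reviewer:` is left empty. Because the steps require logging on to the AGPM server interactively as the AGPM service account, consider adding a final step to revoke that interactive logon right once the hotfix is installed. Minor: "a HTML GPO difference report" should read "an HTML GPO difference report".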
diff --git a/mdop/agpm/TOC.md b/mdop/agpm/TOC.md index 1443cf78ae..319eeaf746 100644 --- a/mdop/agpm/TOC.md +++ b/mdop/agpm/TOC.md @@ -240,5 +240,6 @@ ###### [AGPM Server Connection Settings](agpm-server-connection-settings.md) ###### [Feature Visibility Settings](feature-visibility-settings.md) ##### [Other Enhancements to the GPMC](other-enhancements-to-the-gpmc.md) +## [Troubleshooting AGPM Upgrades](troubleshooting-agpm40-upgrades.md) ## [Resources for AGPM](resources-for-agpm.md) From 9c23fbbc18260d3ca2abd2108ffa25444a128c2f Mon Sep 17 00:00:00 2001 From: andrewjohnporter <53306271+andrewjohnporter@users.noreply.github.com> Date: Thu, 25 Jul 2019 09:09:11 -0500 Subject: [PATCH 203/248] Update windows-10-upgrade-paths.md --- windows/deployment/upgrade/windows-10-upgrade-paths.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/windows-10-upgrade-paths.md b/windows/deployment/upgrade/windows-10-upgrade-paths.md index 42361c65c9..5b9a5ec10f 100644 --- a/windows/deployment/upgrade/windows-10-upgrade-paths.md +++ b/windows/deployment/upgrade/windows-10-upgrade-paths.md 
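Review bot: the new entry is added at level `##`, the same level as "Resources for AGPM", although the file it links to (`troubleshooting-agpm40-upgrades.md`) is version-specific and its content cross-links to the AGPM 4.0 troubleshooting and logging topics. Consider nesting it under the AGPM 4.0 troubleshooting node instead, so it sits with the topics it references rather than at the top of the product TOC.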
@@ -27,7 +27,7 @@ This topic provides a summary of available upgrade paths to Windows 10. You can > > **Windows 10 LTSC/LTSB**: Due to [naming changes](https://docs.microsoft.com/windows/deployment/update/waas-overview#naming-changes), product versions that display Windows 10 LTSB will be replaced with Windows 10 LTSC in subsequent feature updates. The term LTSC is used here to refer to all long term servicing versions. > -> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). +> In-place upgrade from Windows 7, Windows 8.1, or [Windows 10 semi-annual channel](https://docs.microsoft.com/windows/release-information/) to Windows 10 LTSC is not supported. **Note**: Windows 10 LTSC 2015 did not block this upgrade path. This was corrected in the Windows 10 LTSC 2016 release, which will now only allow data-only and clean install options. You can upgrade from Windows 10 LTSC to Windows 10 semi-annual channel, provided that you upgrade to the same or a newer build version. For example, Windows 10 Enterprise 2016 LTSB can be upgraded to Windows 10 Enterprise version 1607 or later. Upgrade is supported using the in-place upgrade process (using Windows setup). You will need to use the Product Key switch if you want to keep your apps. If you don't use the switch the option 'Keep personal files and apps' will be grayed out. 
The command line would be: setup.exe /pkey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx using your relevant Windows 10 SAC product key. For example, if using a KMS, the command line would be setup.exe /pkey NPPR9-FWDCX-D2C8J-H872K-2YT43 > > **Windows N/KN**: Windows "N" and "KN" SKUs (editions without media-related functionality) follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process. > From 9165e12732c9a74a924e449024378d86f9c0aaed Mon Sep 17 00:00:00 2001 From: Barry Harriman <31367660+LegoSCCMGuy@users.noreply.github.com> Date: Fri, 26 Jul 2019 00:34:42 +1000 Subject: [PATCH 204/248] Update white-glove.md Removed a singular reference to WG and replaced with white glove --- windows/deployment/windows-autopilot/white-glove.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/white-glove.md b/windows/deployment/windows-autopilot/white-glove.md index 4c997d322d..228a9cf358 100644 --- a/windows/deployment/windows-autopilot/white-glove.md +++ b/windows/deployment/windows-autopilot/white-glove.md @@ -44,7 +44,7 @@ In addition to [Windows Autopilot requirements](windows-autopilot-requirements.m ## Preparation -Devices slated for WG provisioning are registered for Autopilot via the normal registration process. +Devices slated for white glove provisioning are registered for Autopilot via the normal registration process. To be ready to try out Windows Autopilot for white glove deployment, ensure that you can first successfully use existing Windows Autopilot user-driven scenarios: From f9ec0c3a95f72506de7a4af3bc0278ab2a9fdb60 Mon Sep 17 00:00:00 2001 
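Review bot: the added sentence hardcodes a single product key (`NPPR9-FWDCX-D2C8J-H872K-2YT43`) after "if using a KMS" without saying which Windows 10 edition that KMS client setup key is for, so readers targeting a different semi-annual channel edition would paste the wrong key; name the edition or link to the list of KMS client setup keys instead of embedding one value. Also spell out that "the Product Key switch" means `/pkey`, format the command as code (`setup.exe /pkey <product key>`), and split the new text onto its own `>` lines rather than appending it to an already long note paragraph.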
From: v-savila Date: Thu, 25 Jul 2019 15:19:47 -0700 Subject: [PATCH 205/248] remove last 3 blocks in IT Admin --- education/index.md | 59 ---------------------------------------------- 1 file changed, 59 deletions(-) diff --git a/education/index.md b/education/index.md index 6c696d9f4b..7db140e12d 100644 --- a/education/index.md +++ b/education/index.md @@ -63,65 +63,6 @@ ms.prod: w10 -
      • -
      • -
      • - -
        -
        -
        -
        -
        - -
        -
        -
        -

        1. M365 EDU deployment

        -

        Get started by creating your Office 365 tenant, setting up a cloud infrastructure for your school, and creating, managing, and syncing user accounts.

        -
        -
        -
        -
        -
        -
      • -
      • - -
        -
        -
        -
        -
        - -
        -
        -
        -

        2. Device Management

        -

        Improve student learning outcomes through connected classrooms and engaging new technologies with streamlined device management.

        -
        -
        -
        -
        -
        -
      • -
      • - -
        -
        -
        -
        -
        - -
        -
        -
        -

        3. Post Deployment Next Steps

        -

        Migrate to Sharepoint Server Hybrid or Sharepoint Online, and Exchange Server Hybrid or Exchange Online. Configure settings in your Admin portals.

        -
        -
        -
        -
        -
        -
    From 48d0240d8d9d7c445d86a97303c317d0ed98a253 Mon Sep 17 00:00:00 2001 From: Joyce Y <47188252+mypil@users.noreply.github.com> Date: Fri, 26 Jul 2019 23:42:29 +0800 Subject: [PATCH 206/248] Fixes typo issue in line 47 Closes #4557 --- .../hello-for-business/hello-biometrics-in-enterprise.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 3c60042dd6..18314f3f58 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -44,7 +44,7 @@ Windows Hello provides many benefits, including: - Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
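Review bot: the commit message "remove last 3 blocks in IT Admin" gives no reason for dropping the three numbered cards (M365 EDU deployment, Device Management, Post Deployment Next Steps) and their descriptions, and nothing in the diff points to where that deployment guidance now lives; add the rationale and any replacement location to the PR description. The removed markup does not survive in this diff view, so also confirm that the links inside those cards are not the only path from this index to their target topics.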
    For more info about the available Group Policies and MDM CSPs, see the [Implement Windows Hello for Business in your organization](hello-manage-in-organization.md) topic. -## Where is Microsoft Hello data stored? +## Where is Windows Hello data stored? The biometric data used to support Windows Hello is stored on the local device only. It doesn’t roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still can’t be easily converted to a form that could be recognized by the biometric sensor. ## Has Microsoft set any device requirements for Windows Hello? From ea31f582d533d1be93ae7dcb6c44bac5bfe34dce Mon Sep 17 00:00:00 2001 From: Onur Date: Sat, 27 Jul 2019 20:45:48 +0300 Subject: [PATCH 207/248] Update metadata to replace non-existent author --- mdop/agpm/index.md | 2 +- mdop/appv-v4/index.md | 2 +- mdop/appv-v5/index.md | 2 +- mdop/dart-v10/index.md | 2 +- mdop/dart-v7/index.md | 2 +- mdop/dart-v8/index.md | 2 +- mdop/index.md | 2 +- mdop/mbam-v1/index.md | 2 +- mdop/mbam-v2/index.md | 2 +- mdop/mbam-v25/index.md | 2 +- mdop/medv-v1/index.md | 2 +- mdop/medv-v2/index.md | 2 +- mdop/solutions/index.md | 2 +- mdop/uev-v1/index.md | 2 +- mdop/uev-v2/index.md | 2 +- 15 files changed, 15 insertions(+), 15 deletions(-) diff --git a/mdop/agpm/index.md b/mdop/agpm/index.md index 324327c269..3832e088c4 100644 --- a/mdop/agpm/index.md +++ b/mdop/agpm/index.md @@ -1,7 +1,7 @@ --- title: Advanced Group Policy Management description: Advanced Group Policy Management -author: jamiejdt +author: dansimp ms.assetid: 493ca3c3-c3d6-4bb1-9430-dc1e43c86bb0 ms.pagetype: mdop ms.mktglfcycl: manage diff --git a/mdop/appv-v4/index.md b/mdop/appv-v4/index.md index 8f75ce1701..18986550cc 100644 --- a/mdop/appv-v4/index.md 
+++ b/mdop/appv-v4/index.md @@ -1,7 +1,7 @@ --- title: Application Virtualization 4 description: Application Virtualization 4 -author: jamiejdt +author: dansimp ms.assetid: 9da557bc-f433-47d3-8af7-68ec4ff9bd3f ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/mdop/appv-v5/index.md b/mdop/appv-v5/index.md index ca33b4be38..c51ad7bc30 100644 --- a/mdop/appv-v5/index.md +++ b/mdop/appv-v5/index.md @@ -1,7 +1,7 @@ --- title: Application Virtualization 5 description: Application Virtualization 5 -author: jamiejdt +author: dansimp ms.assetid: e82eb44b-9ccd-41aa-923b-71400230ad23 ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/mdop/dart-v10/index.md b/mdop/dart-v10/index.md index ca199090fb..5d88fce5c0 100644 --- a/mdop/dart-v10/index.md +++ b/mdop/dart-v10/index.md @@ -1,7 +1,7 @@ --- title: Diagnostics and Recovery Toolset 10 description: Diagnostics and Recovery Toolset 10 -author: jamiejdt +author: dansimp ms.assetid: 64403eca-ff05-4327-ac33-bdcc96e706c8 ms.pagetype: mdop ms.mktglfcycl: support diff --git a/mdop/dart-v7/index.md b/mdop/dart-v7/index.md index 9dfe1fceaf..c4afe5d9d3 100644 --- a/mdop/dart-v7/index.md +++ b/mdop/dart-v7/index.md @@ -1,7 +1,7 @@ --- title: Diagnostics and Recovery Toolset 7 Administrator's Guide description: Diagnostics and Recovery Toolset 7 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: bf89eccd-fc03-48ff-9019-a8640e11dd99 ms.pagetype: mdop ms.mktglfcycl: support diff --git a/mdop/dart-v8/index.md b/mdop/dart-v8/index.md index 4f39c5a258..346bf905a0 100644 --- a/mdop/dart-v8/index.md +++ b/mdop/dart-v8/index.md @@ -1,7 +1,7 @@ --- title: Diagnostics and Recovery Toolset 8 Administrator's Guide description: Diagnostics and Recovery Toolset 8 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: 33685dd7-844f-4864-b504-3ef384ef01de ms.pagetype: mdop ms.mktglfcycl: support 
diff --git a/mdop/index.md b/mdop/index.md index 78fffc67fd..93ce634a80 100644 --- a/mdop/index.md +++ b/mdop/index.md @@ -2,7 +2,7 @@ title: MDOP Information Experience description: MDOP Information Experience ms.assetid: 12b8ab56-3267-450d-bb22-1c7e44cb8e52 -author: jamiejdt +author: dansimp ms.pagetype: mdop ms.mktglfcycl: manage ms.sitesec: library diff --git a/mdop/mbam-v1/index.md b/mdop/mbam-v1/index.md index 4424f1bfa5..a5e8ee0170 100644 --- a/mdop/mbam-v1/index.md +++ b/mdop/mbam-v1/index.md @@ -1,7 +1,7 @@ --- title: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide description: Microsoft BitLocker Administration and Monitoring 1 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: 4086e721-db24-4439-bdcd-ac5ef901811f ms.pagetype: mdop, security ms.mktglfcycl: manage diff --git a/mdop/mbam-v2/index.md b/mdop/mbam-v2/index.md index 7f73c171c5..0582083a34 100644 --- a/mdop/mbam-v2/index.md +++ b/mdop/mbam-v2/index.md @@ -1,7 +1,7 @@ --- title: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide description: Microsoft BitLocker Administration and Monitoring 2 Administrator's Guide -author: jamiejdt +author: dansimp ms.assetid: fdb43f62-960a-4811-8802-50efdf04b4af ms.pagetype: mdop, security ms.mktglfcycl: manage diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 244e0ae818..e5988391c0 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -1,7 +1,7 @@ --- title: Microsoft BitLocker Administration and Monitoring 2.5 description: Microsoft BitLocker Administration and Monitoring 2.5 -author: jamiejdt +author: dansimp ms.assetid: fd81d7de-b166-47e8-b6c7-d984830762b6 ms.pagetype: mdop, security ms.mktglfcycl: manage diff --git a/mdop/medv-v1/index.md b/mdop/medv-v1/index.md index 807accc058..42f4387220 100644 --- a/mdop/medv-v1/index.md +++ b/mdop/medv-v1/index.md 
@@ -1,7 +1,7 @@ --- title: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide description: Microsoft Enterprise Desktop Virtualization Planning, Deployment, and Operations Guide -author: jamiejdt +author: dansimp ms.assetid: 7bc3e120-df77-4f4c-bc8e-7aaa4c2a6525 ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/mdop/medv-v2/index.md b/mdop/medv-v2/index.md index 5c86cb32d1..faa965a4f7 100644 --- a/mdop/medv-v2/index.md +++ b/mdop/medv-v2/index.md @@ -1,7 +1,7 @@ --- title: Microsoft Enterprise Desktop Virtualization 2.0 description: Microsoft Enterprise Desktop Virtualization 2.0 -author: jamiejdt +author: dansimp ms.assetid: 84109be0-4613-42e9-85fc-fcda8de6e4c4 ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/mdop/solutions/index.md b/mdop/solutions/index.md index 6183633995..98575f68c7 100644 --- a/mdop/solutions/index.md +++ b/mdop/solutions/index.md @@ -1,7 +1,7 @@ --- title: MDOP Solutions and Scenarios description: MDOP Solutions and Scenarios -author: jamiejdt +author: dansimp ms.assetid: 1cb18bef-fbae-4e96-a4f1-90cf111c3b5f ms.pagetype: mdop ms.mktglfcycl: deploy diff --git a/mdop/uev-v1/index.md b/mdop/uev-v1/index.md index 49e6e8a74c..1c16c18b22 100644 --- a/mdop/uev-v1/index.md +++ b/mdop/uev-v1/index.md @@ -1,7 +1,7 @@ --- title: Microsoft User Experience Virtualization (UE-V) 1.0 description: Microsoft User Experience Virtualization (UE-V) 1.0 -author: jamiejdt +author: dansimp ms.assetid: 7c2b59f6-bbe9-4373-8b08-c1738665a37b ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy diff --git a/mdop/uev-v2/index.md b/mdop/uev-v2/index.md index 5e5f69c25f..b0a92410ba 100644 --- a/mdop/uev-v2/index.md +++ b/mdop/uev-v2/index.md 
@@ -1,7 +1,7 @@ --- title: Microsoft User Experience Virtualization (UE-V) 2.x description: Microsoft User Experience Virtualization (UE-V) 2.x -author: jamiejdt +author: dansimp ms.assetid: b860fed0-b846-415d-bdd6-ba60231a64be ms.pagetype: mdop, virtualization ms.mktglfcycl: deploy From 210b4d721a8d8e3f2e774ae2948f1466c8315be7 Mon Sep 17 00:00:00 2001 From: essdeekay <15057151+essdeekay@users.noreply.github.com> Date: Sat, 27 Jul 2019 20:37:34 +0100 Subject: [PATCH 208/248] Update index.md Typo - corrected 'Bitlocker' to 'BitLocker' --- windows/deployment/windows-autopilot/index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopilot/index.md b/windows/deployment/windows-autopilot/index.md index 0b030458a3..2d71d33187 100644 --- a/windows/deployment/windows-autopilot/index.md +++ b/windows/deployment/windows-autopilot/index.md @@ -57,7 +57,7 @@ This guide is intended for use by an IT-specialist, system architect, or busines Registering devicesThe process of registering a device with the Windows Autopilot deployment service is described. Configuring device profilesThe device profile settings that specifie its behavior when it is deployed are described. Enrollment status pageSettings that are available on the Enrollment Status Page are described. -Bitlocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described. +BitLocker encryption Available options for configuring BitLocker on Windows Autopilot devices are described. Troubleshooting Windows AutopilotDiagnotic event information and troubleshooting procedures are provided. Known issuesA list of current known issues and solutions is provided. 
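Review bot: the context lines around the one-word BitLocker fix carry two further typos in the same table that this change could correct while the rows are being touched: "settings that specifie its behavior" should be "specify", and "Diagnotic event information" should be "Diagnostic".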
@@ -72,4 +72,4 @@ This guide is intended for use by an IT-specialist, system architect, or busines ## Related topics -[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot) \ No newline at end of file +[Windows Autopilot](https://www.microsoft.com/windowsforbusiness/windows-autopilot) From 2171d57e65c7aa7c986f172e8ae47f8f4fef4d18 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sun, 28 Jul 2019 07:42:08 -0500 Subject: [PATCH 209/248] Rename windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md to windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md --- .../configure-mssp-support.md | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/security/threat-protection/{windows-defender-atp => microsoft-defender-atp}/configure-mssp-support.md (100%) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md b/windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md similarity index 100% rename from windows/security/threat-protection/windows-defender-atp/configure-mssp-support.md rename to windows/security/threat-protection/microsoft-defender-atp/configure-mssp-support.md From 30087dcbbeec4521307cc4472f9a8a2b86ea4999 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sun, 28 Jul 2019 08:57:47 -0500 Subject: [PATCH 210/248] Update hello-planning-guide.md --- .../hello-for-business/hello-planning-guide.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md index 6c8468fced..207675b3e4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md 
@@ -166,11 +166,13 @@ If your organization does not have cloud resources, write **On-Premises** in box ### Trust type +Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. + Choose a trust type that is best suited for your organizations. Remember, the trust type determines two things. Whether you issue authentication certificates to your users and if your deployment needs Windows Server 2016 domain controllers. One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. 
Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. In a federated environment, you need to activate the Device Writeback option in Azure AD Connect. If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. From e58a94f48ace557fe76eb33e3c0678681d5c35cd Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sun, 28 Jul 2019 09:39:07 -0500 Subject: [PATCH 211/248] Update configure-wd-app-guard.md --- .../configure-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 80dbb5a03b..5f2dc58ee5 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
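Review bot: moving the AD FS/NDES sentence to the top of "Trust type" detaches it from the sentence it qualified ("Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority"), so it now reads as a requirement for every deployment rather than for certificate trust only, and it appears before the reader has been told what the two trust types are. Keep it after the certificate-trust infrastructure sentence, or prefix it with "For certificate trust deployments,". While this paragraph is being edited: "best suited for your organizations" should be "your organization", and "the certificate trust types issues certificates" should be "the certificate trust type issues certificates".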
@@ -30,7 +30,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |Policy name|Supported versions|Description| |-----------|------------------|-----------| |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) Please include a full domain name (www.contoso.com) in the configuration 2) You may optionally use "." as a wildcard character to automatically trust subdomains. Configuring ".constoso.com" will automatically trust "subdomain1.contoso.com", "subdomain2.contoso.com" etc. | +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specfy a complete domain, please include a full domain name **"contoso.com"** for expample, in the configuration 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (When exists more than one subdomains). Configuring **".constoso.com"** will automatically trust **"subdomain1.contoso.com"**, **"subdomain2.contoso.com"** etc. 
3) To trust a subdomain, you must precede your domain with two dots, for example: **"..contoso.com"** | |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| ## Application-specific settings From 0dcceb64f91aac538ba875e1dd75afe40a988d72 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sun, 28 Jul 2019 09:40:53 -0500 Subject: [PATCH 212/248] Update configure-wd-app-guard.md --- .../configure-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 5f2dc58ee5..89ddaa65e0 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
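Review bot: the rewritten notes 2 and 3 describe the wildcard syntax in conflicting ways: note 2 says a single leading dot (`.contoso.com`) trusts all subdomains, while note 3 says the domain must be preceded by two dots (`..contoso.com`) to trust a subdomain, with no statement of when each form applies. Give the exact matching rule for one dot versus two. The new text also introduces spelling errors ("specfy", "expample", "When exists more than one subdomains") and keeps the pre-existing "constoso.com" in the example, which should be "contoso.com" so that it actually matches the `subdomain1.contoso.com` hosts it is said to trust.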
@@ -30,7 +30,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |Policy name|Supported versions|Description| |-----------|------------------|-----------| |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specfy a complete domain, please include a full domain name **"contoso.com"** for expample, in the configuration 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (When exists more than one subdomains). Configuring **".constoso.com"** will automatically trust **"subdomain1.contoso.com"**, **"subdomain2.contoso.com"** etc. 3) To trust a subdomain, you must precede your domain with two dots, for example: **"..contoso.com"** | +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, please include a full domain name **"contoso.com"** for expample, in the configuration 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (When exists more than one subdomains). 
Configuring **".constoso.com"** will automatically trust **"subdomain1.contoso.com"**, **"subdomain2.contoso.com"** etc. 3) To trust a subdomain, you must precede your domain with two dots, for example: **"..contoso.com"** | |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| ## Application-specific settings From a269140409a80c9f2c8b0ba80361f60db93ccce2 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Sun, 28 Jul 2019 09:45:29 -0500 Subject: [PATCH 213/248] Update configure-wd-app-guard.md --- .../configure-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 89ddaa65e0..0eada23c25 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
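Review bot: this follow-up corrects only "specfy"; "expample", "constoso.com" and the ungrammatical "(When exists more than one subdomains)" remain in the same `+` line, and the one-dot versus two-dot wildcard descriptions in notes 2 and 3 still contradict each other. Fix these together in one pass rather than one word per commit.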
@@ -30,7 +30,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |Policy name|Supported versions|Description| |-----------|------------------|-----------| |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, please include a full domain name **"contoso.com"** for expample, in the configuration 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (When exists more than one subdomains). Configuring **".constoso.com"** will automatically trust **"subdomain1.contoso.com"**, **"subdomain2.contoso.com"** etc. 3) To trust a subdomain, you must precede your domain with two dots, for example: **"..contoso.com"** | +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, please include a full domain name **"contoso.com"** for example, in the configuration 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (When there is more than one subdomain). 
Configuring **".constoso.com"** will automatically trust **"subdomain1.contoso.com"**, **"subdomain2.contoso.com"** etc. 3) To trust a subdomain, you must precede your domain with two dots, for example: **"..contoso.com"** | |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| ## Application-specific settings From db307f6056ca1008fa0c807898833c4e0aa85f19 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 29 Jul 2019 16:44:26 +0500 Subject: [PATCH 214/248] Update kiosk-xml.md --- windows/configuration/kiosk-xml.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 2cde6940fa..2f79813558 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -26,7 +26,7 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1903, and Windows 10 Prerelease +>Updated for Windows 10, version 1903, and Windows 10 20H1 Insider Preview ```xml 
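Review bot: after this third pass the example is still `.constoso.com` while the hosts it is said to trust are `subdomain1.contoso.com` and `subdomain2.contoso.com`, so the example does not demonstrate what it claims; change it to `.contoso.com`. The relationship between the single-dot form in note 2 and the double-dot form in note 3 also remains unexplained, and "previous wildcard character" should read "leading wildcard character".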
@@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 Prerelease. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. +Global Profile is currently supported in Windows 10 20H1 Insider Preview. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml @@ -394,7 +394,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul ``` ## [Preview] Folder Access sample xml -In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in current Windows 10 Prerelease. +In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in Windows 10 20H1 Insider Preview. IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time. 
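Review bot: The `+` line of the Folder Access hunk is replaced only to name the Insider Preview build and leaves its existing defects in place: "folder access is locked down that when common file dialog is opened" should read "locked down so that when the common file dialog is opened", and "This restriction has be redesigned for finer granulatity" should read "has been redesigned for finer granularity". Since the whole line is already being rewritten, fix the wording here rather than in a follow-up commit.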
@@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1903 and Windows 10 Prerelease. +>Updated for Windows 10, version 1903 and Windows 10 20H1 Insider Preview. Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ```xml @@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release ``` -Schema for Windows 10 prerelease +Schema for Windows 10 20H1 Insider Preview ```xml ``` -To authorize a compatible configuration XML that includes 1809 or prerelease elements and attributes, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml Date: Mon, 29 Jul 2019 16:55:27 +0500 Subject: [PATCH 215/248] Update kiosk-xml.md --- windows/configuration/kiosk-xml.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 2f79813558..c3e380fbb2 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md 
@@ -26,7 +26,7 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1903, and Windows 10 20H1 Insider Preview +>Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds) ```xml @@ -255,7 +255,7 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom ``` ## [Preview] Global Profile Sample XML -Global Profile is currently supported in Windows 10 20H1 Insider Preview. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. +Global Profile is currently supported in Windows 10 Insider Preview (19H2, 20H1 builds). Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lock down mode, or used as mitigation when a profile cannot be determined for an user. This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in ```xml 
@@ -394,7 +394,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul ``` ## [Preview] Folder Access sample xml -In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in Windows 10 20H1 Insider Preview. +In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in Windows 10 Insider Preview (19H2, 20H1 builds). IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time. @@ -636,7 +636,7 @@ IT Admin now can specify user access to Downloads folder, Removable drives, or n ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1903 and Windows 10 20H1 Insider Preview. +>Updated for Windows 10, version 1903 and Windows 10 Insider Preview (19H2, 20H1 builds). Below schema is for AssignedAccess Configuration up to Windows 10 1803 release. ```xml @@ -859,7 +859,7 @@ Here is the schema for new features introduced in Windows 10 1809 release ``` -Schema for Windows 10 20H1 Insider Preview +Schema for Windows 10 Insider Preview (19H2, 20H1 builds) ```xml Date: Mon, 29 Jul 2019 08:52:54 -0400 Subject: [PATCH 216/248] Update waas-servicing-differences.md Removed double use of the word critical --- windows/deployment/update/waas-servicing-differences.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
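Review bot: Every line this patch touches was rewritten by the immediately preceding commit (214/248), which had just replaced "Windows 10 Prerelease" with "Windows 10 20H1 Insider Preview" in the same five places that are now changed again to "Windows 10 Insider Preview (19H2, 20H1 builds)"; the diffstats (6 and 5 lines) confirm the overlap. Squash the two commits so the history records a single rename. The Global Profile hunk also still reads "for an user" and "IT Admin still wants the user to run in lock down mode", which should be "for a user" and "lockdown mode" while the line is open.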
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md index 9e0f207f1f..b4d7c089e3 100644 --- a/windows/deployment/update/waas-servicing-differences.md +++ b/windows/deployment/update/waas-servicing-differences.md 
@@ -19,7 +19,7 @@ ms.collection: M365-modern-desktop > > **February 15, 2019: This document has been corrected and edited to reflect that security-only updates for legacy OS versions are not cumulative. They were previously identified as cumulative similar to monthly rollups, which is inaccurate.** -Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need critical to understand how best to leverage a modern workplace to support system updates. +Today, many enterprise customers have a mix of modern and legacy client and server operating systems. Managing the servicing and updating differences between those legacy operating systems and Windows 10 versions adds a level of complexity that is not well understood. This can be confusing. With the end of support for legacy [Windows 7 SP1](https://support.microsoft.com/help/4057281/windows-7-support-will-end-on-january-14-2020) and Windows Server 2008 R2 variants on January 14, 2020, System Administrators have a critical need to understand how best to leverage a modern workplace to support system updates. The following provides an initial overview of how updating client and server differs between the Windows 10-era Operating Systems (such as, Windows 10 version 1709, Windows Server 2016) and legacy operating systems (such as Windows 7, Windows 8.1, Windows Server 2008 R2, Windows Server 2012 R2). From 681e5e099c04320d7af029d5a653871c33c65436 Mon Sep 17 00:00:00 2001 
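Review bot: The `+` line removes the duplicated "critical" but keeps the rest of the sentence as it was. While the line is being edited, "System Administrators have a critical need to understand how best to leverage a modern workplace" reads more naturally as "system administrators need to understand how best to use a modern workplace", and the standalone sentence "This can be confusing." restates the preceding "is not well understood" and can be dropped.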
From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 29 Jul 2019 10:31:22 -0700 Subject: [PATCH 217/248] Minor update to properly reflect supported macros --- .../create-path-based-rules.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md index 105f6a46bb..babbce2e0b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-path-based-rules.md @@ -52,10 +52,10 @@ Beginning with Windows 10 version 1903, Windows Defender Application Control (WD - Suffix (ex. C:\foo\\*) OR Prefix (ex. *\foo\bar.exe) - One or the other, not both at the same time - Does not support wildcard in the middle (ex. C:\\*\foo.exe) - - Examples: - - %WINDIR%\\... - - %SYSTEM32%\\... - - %OSDRIVE%\\... +- Supported Macros: + - %WINDIR%\\... + - %SYSTEM32%\\... + - %OSDRIVE%\\... - Disable default FilePath rule protection of enforcing user-writeability. For example, to add “Disabled:Runtime FilePath Rule Protection” to the policy: From bc14cfad4894ad080727512fa8ddce437e616e60 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 30 Jul 2019 15:52:37 +0500 Subject: [PATCH 218/248] Update applocker-csp.md --- .../client-management/mdm/applocker-csp.md | 20 ++++--------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index 7018d14a99..a56feb5fbf 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -156,22 +156,8 @@ Each of the previous nodes contains one or more of the following leaf nodes:
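Review bot: The renamed list is headed "Supported Macros", but each entry still ends in "\\...", which reads as an example path rather than the macro itself; list the macros as %WINDIR%, %SYSTEM32% and %OSDRIVE% and say that each stands for the corresponding system folder at the start of a path rule. The bullet that follows, "Disable default FilePath rule protection of enforcing user-writeability", describes a policy option that removes a safety check: with "Disabled:Runtime FilePath Rule Protection" set, a path rule also admits files in locations that standard users can write to. One sentence in that bullet saying so would let readers weigh the option before adding it to a policy.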

    Policy

    Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

    -

    Policy nodes are a Base64-encoded blob of the binary policy representation. The binary policy may be signed or unsigned.

    -

    For CodeIntegrity/Policy, you can use the certutil -encode command line tool to encode the data to base-64.

    -

    Here is a sample certutil invocation:

    - -``` -certutil -encode WinSiPolicy.p7b WinSiPolicy.cer -``` - -

    An alternative to using certutil would be to use the following PowerShell invocation:

    - -``` -[Convert]::ToBase64String($(Get-Content -Encoding Byte -ReadCount 0 -Path )) -``` - -

    If you are using hybrid MDM management with System Center Configuration Manager or using Intune, ensure that you are using Base64 as the Data type when using Custom OMA-URI functionality to apply the Code Integrity policy.

    -

    Data type is string. Supported operations are Get, Add, Delete, and Replace.

    +

    For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.

    +

    For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace.

    EnforcementMode
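Review bot: The removed block contained the only instruction that Intune and hybrid MDM administrators must select Base64 as the Data type for the Custom OMA-URI setting when applying a Code Integrity policy; the replacement lines state that the CodeIntegrity/Policy data type is Base64 but not where that choice is made in the management tool, so keep that sentence. The new line "For nodes, other than CodeIntegrity, policy leaf data type is string" has a stray comma after "nodes". Also, the removed PowerShell example ends in "-Path ))" with no path value; if the certutil and PowerShell encoding commands are being relocated rather than dropped, the relocated version should show a complete command.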

    @@ -186,6 +172,8 @@ certutil -encode WinSiPolicy.p7b WinSiPolicy.cer +> [!NOTE] +> To use Code Integrity Policy, you need first to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP ## Find publisher and product name of apps From 0f13e401d461fb27859504a42cb7b6d9ce5a3453 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 31 Jul 2019 09:44:41 +0500 Subject: [PATCH 219/248] Update kiosk-xml.md --- windows/configuration/kiosk-xml.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index c3e380fbb2..ff9c230e83 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -26,7 +26,7 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds) +>Updated for Windows 10, version 1903, and Windows 10 Insider Preview (19H2, 20H1 builds). ```xml 
@@ -394,7 +394,7 @@ Below sample shows dedicated profile and global profile mixed usage, aauser woul ``` ## [Preview] Folder Access sample xml -In Windows 10 1809 release, folder access is locked down that when common file dialog is opened, IT Admin can specify if user has access to the Downloads folder, or no access to any folder at all. This restriction has be redesigned for finer granulatity and easier use, available in Windows 10 Insider Preview (19H2, 20H1 builds). +In Windows 10, version 1809, folder access is locked down so that when common file dialog is opened, IT Admin can specify if the user has access to the Downloads folder, or no access to any folder at all. This restriction has been redesigned for finer granulatity and easier use, and is available in Windows 10 Insider Preview (19H2, 20H1 builds). IT Admin now can specify user access to Downloads folder, Removable drives, or no restrictions at all. Note that Downloads and Removable Drives can be allowed at the same time. @@ -889,7 +889,7 @@ Schema for Windows 10 Insider Preview (19H2, 20H1 builds)
    ``` -To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. e.g. to configure auto-launch feature which is added in 1809 release, use below sample, notice an alias r1809 is given to the 201810 namespace for 1809 release, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. +To authorize a compatible configuration XML that includes elements and attributes from Windows 10, version 1809 or newer, always include the namespace of these add-on schemas, and decorate the attributes and elements accordingly with the namespace alias. For example, to configure the auto-launch feature which is added in Windows 10, version 1809, use the following sample. Notice an alias r1809 is given to the 201810 namespace for Windows 10, version 1809, and the alias is tagged on AutoLaunch and AutoLaunchArguments inline. ```xml Date: Wed, 31 Jul 2019 09:47:27 +0500 Subject: [PATCH 220/248] Update applocker-csp.md --- windows/client-management/mdm/applocker-csp.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md index a56feb5fbf..4a812ecc97 100644 --- a/windows/client-management/mdm/applocker-csp.md +++ b/windows/client-management/mdm/applocker-csp.md @@ -156,7 +156,7 @@ Each of the previous nodes contains one or more of the following leaf nodes:

    Policy

    Policy nodes define the policy for launching executables, Windows Installer files, scripts, store apps, and DLL files. The contents of a given Policy node is precisely the XML format for a RuleCollection node in the corresponding AppLocker XML policy.

    -

    For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.

    +

    For nodes, other than CodeIntegrity, policy leaf data type is string. Supported operations are Get, Add, Delete, and Replace.

    For CodeIntegrity/Policy, data type is Base64. Supported operations are Get, Add, Delete, and Replace. @@ -173,7 +173,7 @@ Each of the previous nodes contains one or more of the following leaf nodes: > [!NOTE] -> To use Code Integrity Policy, you need first to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP +> To use Code Integrity Policy, you first need to convert the policies to binary format using the ConvertFrom-CIPolicy cmdlet. Then a Base64-encoded blob of the binary policy representation should be created (for example, using the [certutil -encode](https://go.microsoft.com/fwlink/p/?LinkId=724364) command line tool) and added to the Applocker-CSP. ## Find publisher and product name of apps From 166dfc3c1214befe4b5f63dc7864ad772ad3461b Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 31 Jul 2019 16:02:51 +0300 Subject: [PATCH 221/248] updated image needed I don't have rights to upload a new file (the updated error image) More details here: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/2489 --- .../hello-for-business/images/pinerror.png | Bin 53039 -> 0 bytes 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 windows/security/identity-protection/hello-for-business/images/pinerror.png 
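Review bot: The reworded note in the second hunk still writes "Applocker-CSP", which matches neither the product name AppLocker nor the file name applocker-csp.md; use "AppLocker CSP". The note links certutil -encode but not ConvertFrom-CIPolicy, the step a reader is least likely to know, so link the cmdlet the same way. It would also help to say explicitly that the resulting Base64 string is the value written to the CodeIntegrity/Policy node described in the first hunk, since that is the only leaf on this page with the Base64 data type.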
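Review bot: This commit deletes hello-for-business/images/pinerror.png and changes nothing else (diffstat: 1 file changed, 0 insertions, 0 deletions), so the Hello for Business page that embeds the PIN error screenshot will render a broken image as soon as this lands; the commit message says the replacement could not be uploaded. Either hold the deletion until the updated image can be added in the same change, or remove the image reference from the markdown alongside the file, and attach the tracking issue (#2489) to the PR rather than deleting the asset on its own.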
diff --git a/windows/security/identity-protection/hello-for-business/images/pinerror.png b/windows/security/identity-protection/hello-for-business/images/pinerror.png deleted file mode 100644 index 28a759f2fc49118f20ff4031d8ee451419496f6c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 53039 zcmce7Wl$Vlw>1_BPH-oI5D4xzNN~5{Hn@9$!65_-9zt-3;2zu^g1Ze2Zi5f*^YJ|I zTlM|DKW^Qsp6cpTea`egXZJe2_Fg+eO+^+PgB$|^0RdZHPU7n_K8{^UZFaK)f%s9Z+v0J1Ij~+1I-A#5f#hMPq%Vi~H}p^c zwno40MalWMN#=(s(&T?`{L6u8^UqyjZ!A&}c>d|z`M>^UzA-Im+IT`+T%b3o9xS^(TX#S2RJnw9r`LT6;Xvf)CsEUJW zFRzF5pMT#Hd-q}oZ0&NGZ0U7GgjC{h0m7)*PZnM&%bChk@kyz{$^fqTq%7=^rT06X z->z9w@q&lxw`_*-wlA{d@GLa`T3YOxE`bTxDqkCu33veureTb4NJ70IMO4i=-uFdx z-fJnCS!=UtJ1gwqeS4@2R8@PFmJQ8!3Pl;!%Y4)k_}9!wYsvt`V!fPgcP!`vo;9dA zfY1jaIg)VqG~ArSJmq8HK;VH{Ja*ai(w*eJ6mskUEx!meij z3VLm)>n*nNVry=8WCCi>V8{NPza4osJFhj$bvvnk$f?Q?HmI^oN!gGdtlbLE%b}c% z;Si=!Q6vp6`aYae$NsxoaI$buALUvx+odM>PnFx-(i0oq5)>bia}hh>4Oyw-Q^c~J zF`O(G-bsT;a!f)ii%%F>GZlZkKfk&^|NH0ZpI!A&KH8NJ(V}~fngucSTCKYT);FzU znX!lWygkVaS5gjsbyd-iM>$@jf5)YrR!_`Bus@Q0x4!cWFv2yt821N)=aljpDgXO8 z*x{-Oc2uOHJw=|E{YDIYlBcqrvK6&!eX1Hd&5A$D_)lDxfAW4L6|tme!t$kHR1yF3 zUK~-Q)`2r)z5^BCjMmRvDDtmfD^;0|xg#_Gkqanry#i+AG04BK+lV!OpxHaNcpP;$ zsa6h23ghEd+^V7QLBdawO=bPpwNnKBkT^srZnEYvit0+jM%FUE(hRa7{@e`u%dti; zWkft%cnT(=@sO${8kwUv`RU1nk>x_%Xl*?)-=A0W-AwK9qVja%FT?J&I7)A74HsFQ zp9ldzj!nqcvUX#-@V`#TxOw*aQ>Si=wF|c}yw|Vo@`_~*EQ;QiCk0f0@U%i)=Jt~? 
zxBgJgioMt})3_#yB-L4j`dI1VI0XG9GrsmJ@_C+qLg_iF#~f)w-7u)uwB=ps1HaS6 z_Q%$0`b1cZdGklnIArDC4z+tOQcra#W|QGV96Gi*Q}0v2wLalOxmC9^t#6Tq;d>{z z7n8Pwd_P69yTmV)hiw>EQ|KN+P{4*(g&$H!yYr{+)4TjCsq-R|jh+B(|8L_2CimOK zBoqUHXmBFgaz@C)9>`(d)znArUx4-a(kg~Jt?n5f@3 z)iWv^^6OWxv}&3d4MnTb`TV`QoiWPTm_Pb?l2(bIEb6>R3;0Q6{o^>7Na zU|~ByN1Ab9B%B<=Cr~Q?V^HRcL2eh5?c&}_hJVm8tty@lRc4Ui(z7m)@%j5{>F`u( zV_0{b0m6hIn1Ro>L8m`mwJTef-3RD`Z>@_To_<*ebmuSx^n?>6ZOmZ;Hpgf5pLxyY zGV$NMiEU&*{5DYqz+r!`Mz9u!15m}DxW{QkiQ@@NxZfYW*X)&qAq9#ZHygXoEfYW> zbvJ>Wy`ld17o8iis)dMCZ_u*B{JVwYS_(*j0#zcbkLD3k#!$fC4ksfSP3RKb6JO!i z_a{$o=hk!eHeDW6zN+Z8T}OeO!4s(|8R!sH;40O4s?P4Cp`Szo#9H!SL=~VF6h`6z z;9BD6aRx#_7zKeKPiGuym8eqssZtqya>%Wq=&h@$=#xLEjItioU}9hm-qcDXnp%hC zPfZ$u%ZMdbWOHw|!e#h;5=P^FA({jr!Xhp-i~!|k{4&5kM{oQRJQHz$uB$QnE}bjQlo`b zX!U_=IQe`3$X=s$mY&Lg)+GLAO-P9&^`iJ&Q)|v2=nAhtdFj61tx^_ONV7Ucl2TY@ z(<}oHLlS+|<62TKx?kzuf>Q&RtpeQv(ATqe0qoTf)@C!C%35i@Ac_Jo@gIv-cUzc+JAO=@=btPLW9~VZWoYG zWPARZ`d)$Z7c&^uOgDZFJDL5&btDv{jkI;1HxHc{4YdMOhuVm)vKMKEBGkpzA%GZB5{K+zY)8qpe4GWJYYw9{P_Hak%QT zAu5tSa@ez`X&~^;q_uSI9a16q#8tGy-r`~K7-7tjcSl6=Z`?Bkc5AUes&9jM8;d$p zpazP`iBa8Db|#zt$Q)K1GIi|_285mKB0Np|{+G>96o#-fn^FCmG00e}>a#8RbqGO` zH|a{Hkd=rJE%gHkr)5P9pFX@j=0mdI*VV?r7<-yK>W@&pSIGl6m=$!hmO$s3f>Y$C zL(gnEl%(i>dUklw?5IPVhb@UG`a`jwO~XHUPT5OIjYvur8!no9&;j)IL%t~)DMWjP zk;7`QQEjG3uCJ~7C7BjtAQcJbnb|?F8l`OW6Gv;~wnAs~z1C5hr&Bvm{UD-UKpIz| z8~GY{t#hd?FfB|(yjxTF9V%`Hcv>XquA6_rJo@G~L#j}<>TeW=Cx6~!@X)NJBI89? 
zavT9QoNTNtu}@>K!EJN#pKsl0y6~4Rh92X~g$wj>%T;9$+@wDdHDi?5Qj*K~Du1M{ z<(+xpWVwbeV@GBKMzDd7bbA=lb3k~-ritMOzSXJ&p_n2`)Ij;%P)8>(pwRt5cL36) zXL)I(8(VZNYEYsl7f<0uF!W6c_3<hOSaBUMM-=Bl?)dSY4{V`C923V0Gp(AJ{49 zoY>5bA)TCPJGGeeiJ@3i>3G7WO_Wfa0-gUn2tDTEe9x_R;|F<}ay<_35OCZlt$q@M z6BBCKHx!uKJdk$)9Isrgs75YIb=ZQE$DL2zGcUCfg{|oVCq{=PE6)4BQauY?uCxaJ z3=`@8u91>O#@x6e)Gi`rHmzuEM_fANv~_ZP%7*Cs?ee>XZJv!kbnq1^uQ~RKaLLDM z3{10sNy0O?gv$WMLrSdBcbj>378DX19o#Cz$?jwFMjJY-3Wb5|O9xN+TGIll*#foF zG{U$a9TUg}n;Ey>H@iR^U;!Z*@<0VrcufRsl?j^aaD5fs>51_3?g4EpS>0{tlk>5S zUOnMGPsO&?2rXL2cI&93tG8j)@GbPZL$}QoO*E}KI*p#N|Dz`Rp&qVkTvqr%B7u6l zJLjzMDb-qmPKkKo&R{rNu59qR*OysCyG*~Z^tk2KjP;NS!~#=QM(W5>?v^=M{=(>j zm=7$g(JO7jnrviowL)`!$i|~x@{Xmn0Be#KQGrsM^w*Iy%xJv*ZhLi-a@l(bV2@4{ zQ4jvhrA)h=`}%Cts{yKx!KvTB&5wQenysIYd4air6mOMhv^_zRB?KVbZc|VGNnYw$9|1Jzo?Cgog z>YdQg{=DKBIi$$H^>gc>WvPpJP9b+Jb8WK){?IJ~8fb5qf)b}KMMgj~Frv(KodG32R}6#!tuFe@b^@LDRKLE*NhKI`_CY3|BkPBt zx=jHOS&p=IqMW>#B|fTE$#G9Xdlldof*Bnrx4gLmd9|Z4y@a+?uTUqhp<&m!wA9uQ z{X6+@DgWz1IHy=S;UU3h1p=RNq{X}QjTmtlg;%0~0?9}OYJa2g*dJ%CF6P$zNawnE zM6>bRHK+$Nk8(KaOEQS#Gk&^kjh!j5a<0hk(Owba%iP!>_;G8q=1d(a$!(mKqrTV@ z&4R;&?c1xE-Is1nXH79c&sj9mgJJK?_vTM+&m_xk(A#w8fXG$Iutf6F4FeFj0-g}# zfvjZmUslNQ$p2sB+6-$?YCsSN`wNFkPi9|I;2YU0x)Fgmqs6g+3(q=w<;h3rm>1xK zi0cQ)6C!vP$w#!C(*bkw$UE7;#ThH%e@;q786nL|ovvQ-5E0``)xQ%r^$UTYPec3; z#6)i7`bQEDu5!26k}^#xkty{N{|*?on$bS{?P|WKAGjsw2OJaE51XuPG30w0&IUz% z0yQjTEfU^j%@HsDA;^Y!3xj7_!^7qjO-Idx;{x8uy_s$U**@O>eOvCmM_KNFV;Jq@ z^0u1q)jt#)xhia4MEp79zxVkubGb|u*pzp;CY?i>*|(h=vUwV8 z;A1Yg07mjeXy=i@akgD=2O|CUW+L#;eZ^hj0+}G_Aw8^z z1E;@00G`k?sPab&X5$BvHJ&ZeoR(VO2)WuOneS#`J8(CVkg)vK!#CnXflnSu!geaL z<}n>K2M{;bZIzoqoItFaSWBg3?qVf21*oP73az3UtOvuQ4y|Ne!zj1mSUb`#q`Nd z<<)SWrXS%8pPwvo(pzIud3z5~dn=dXHMrkOQnY7tnVy`~WBQR*A=tA#q-?slv;HF` z39yUv9)dYIlHl3aaY*U!b2mESc?Xr}{0yC4P;=cslw%@}an2Tc1;u)33fp-@^hTyO zEQcy|6B3-B9~dX}EWDjBvt(vtL}%;y?vv>k);NQQ)#k1+s=$IV#VS7ZiylTukObQ# zXgGiR_`IyiJ7Ap6-OO84KJsQs#vn-fanK6|oVt<3M!YpVU9kL6p+@Z_(EMr_SBzls 
zuW+?eoV_k0{U)tm(c=a)Zk^H7h-i;_wlZ2?kH6(<|5kwrUS|H<;=A_)GEa%98#}7$ z!?Jt!+2LZsFRMh<*juIp{$)LO?gc%Y)+43b%OtS5$U9Y@yY?%ZPu>->8+qaM?_}oJVI&48qaEvrrmTge$SvR)E@nYqz*B=9 z8J&gh>EsP*CEtXT5KxB@V{^NR#A?HjsId6Uq_v4Z4ol~^I?H#_{xXgCJ9t#`>7_~{ zNKf(`m%gsvHrYKl*Jy?64}xFW7+Y-`C^o1LL$?xJpI0?jk^O&}Qig`)!g73{)^J4$ znehF}8m-rJ-?6&F8D=JkH9pR%#!{Yb5MA*d8A5bQ|%gF)8Z+*Ivrv~u%o@l|E2 zI}BVQFU?b~jUT1s=%(VXJK^&^=c|6B1E$KxO_a}qY&hx;r@aRTSIU4)G`uh&El+kv zK{xYfP=$f#eFlIc5FK=;gX<8zWS{auC@kdG#&D|Y9WfUxS@hv*ZUslRBQKAM-^WPAuhlTKvzkoK(yM4XMM^|NvLbAwBBHd1)Lrcru*6>Xr+ghaIP6AGq-O{E& zk)q?u%|^D0CJW?e7_%>b7lH9u-!TLK;7tDBwCe6gSU}9#K^3O!mqR&1#Kz}!dFg(T3;3`%35jy9=7;xkIK9v zM!oJ0N!OM-6td)qYxo%~+HOEaXwFa{=H0sa+p2iLJ2ij5Q-ialCObh~aUbbpjRSL~Xve$xqTl%hBc*hQvtN?t zaKLspRX*Q~AoJCutsKre+^7Dwd)Os{SerTVEv$Ml_OwGpytC zdywb^Ajj3XeW0mD&GHP%_)fOT;_M0+N!V5(Nna=SV*yGvNbxG6qU0teNzEGFun zXWcuI(_D*d+U8W0C7(IgdHVoNJ0Ge!X5jjm(|Gs z%ibTHrk1`xCtW<3yLU4rXNJ@ZA+FiexgQES+AGL)y2dCoF7qmwl0Jr!%`D`+N8?<; zaR{m5o^NR*EOKNs*HblYn@W@hL|%3u+vR`?q?9y#2;)MKMl?Vj8G}sihc-834(SmQ zH3AhHtaWBaq6Oy44Qm#&B|pAW=neXCw*C07R%e-+-flx6k=j_qzP~oSc36qVnOhi+%S z)K5tVJ+~j3e@t+VtCsu2o&g@ zT927h+cb{oPB8z;m@oluV`|eEnNu9vcqd7+gLBP;zf@Aqnv;JRB2f#Os~EVKe7LgJ zBLnPv&O0eRm95r@+?WJZA2C@4`EFr%P0FxU(C~m_sEs z47&#chYq(gno0(7ES|T5Yrf2=`1Rv#=nH|Dm+;*7rLyuEm6&!rrIZ-X&ulByqB1uc z&676Uvq?U$tEC)chjE6CpU`4RM$mbD_nflzs5HQV02X?-tQ!V=x03SM0Kt*;=IYTn zTMq_48tzVmb{G-y{8tiWLNfe9^h56WaM}2U^voogkVM7)ja&@_Gm6lOO$JqI<-+6I zA!ZltL4B`>X|~E*->*20Brp58YEJKiSY(U>{ia$H(oKF@OD-oMRczPUB)eR|OX4kf zP^A!KOMa#}F+lhSDfkLoXb8L$xrMV^X0lEGI&*_usJQ>=wI^3JCnmqi$IwN1<#Eu( z{#mC91HNjmz(&V2qoTDg2S9o`Q$^NS1fWqM&W*^QJxPkZB>q)m^Ue*t!3C1aUxcl= znh|6`nj4(!j>L0052wU!fE9#Wx)Ft13Y*ImzUmfIIRY1Aunt7sUh{eGa$pRT8pF}~ z($~zn*I*-%UQMc*awf?|b&|Jki!B;R&E!eNS3W24drVK)E};csErW(qr(b}q=c6)m zT8{CB!fQ*khoyQ5X9U%uPZGqth37bCF?E8AFoEFo^zt5Uj7mBkv#gnis=kU->VLRssUz`TLc2bSsax_(8a zL8A79Et1H(;qpdo+bYVcBb44sr8h1U>sBg1s#M3jJo&GsI3sH}37LbgPfPAcg*ssc zGx4M(JHv;c!L%8JD&8&##A?e9Ol6w52Rt!tuVM!JMY7cwoU&`OR 
zixRZgnQ%(qKeoBo{a*A|P6pSZ1RcxR9xVSxBLDnL#rq7!Z=COfH+0@@^l}+#Npu_@%)t?b?>56Vys*wUt;S)Sg^;bP}l<{8m~rkAnS-(Pdl<&n`T=&eZb+1 zO~xAcDOwKf=qaOK$r^P^MXEm88xY~@h}s*2WDk%IvuH*&R$R5xgBr{C!3l?8>y(b0 z0X9n`4e$FTpbZ|#YLHx4rkf|s>{1b|;_>W*^Y{aAOxziBG5R3AQjNdgjnHC~ zDZt6!{2PUw*f^q8z5@LjcfYM?q#An3H!_|9&xxV2jBMYBIC`&4Q*1R~6KbGv6*90n zhmM#ts{&BVxqA}ueb04A@7dUJA=s5+V^HvL1>qs|0{kwmL-E)S-G3N0$<{f^T-=Db ze1biDjhdz=fF-x-expJ3`xb(H$XV(e0~cd4ovXvHb}z3%s;1a0Y_pEw&_c zLrt&lkaRj$G-Jax0T(mf6d!2Yit%kLlXj=evG?zCdHDz=}q zwMp%6DP!E)jx?HJ_OBseK#;O+|G_jMLMcI!?jZ;+CmiVHi%}^hG^}+}tx zcKMLN=`=t-+x+atkXHKV;@AGr@)%}uMNJKK`YYS%F&Y^m5b7R44Omh?`ki9i6U)r) zOHw$Ej@y0%7|m)%?Oa_Vp_yuq-n|)GF;2^Lhn)9AS5ibN&^S!si z6I^*ir$8WW>oveP2~TVluSbSGLf(YyxT;y9i~JaxX-TdV>z!VY%3<` zNwe4hb#O{tWF&TPKJHoSwQNOD$i*!$VX1ZJB^vebu}`i$M+C3qmZSzN9~ol^0t}91 z?)a~qLxd#PxXO>d~1eACDF>gq(hgw+e1R8De_=?)0ziiHd%~381Pag;0}* zGBbX*;TXt{bI;;-QPX(;nG~ye%U-8ar$Z!2qLlRKWf*m#|dM}BViMpR21y6&dj}sqni&{KNZc!eS-?-zvYmtPF@6-u zjC$nh)57F28ZL~VkxTG{+2gvGj$Z%y0y5?9H{K#nRR6ZAkatmM9VltxRZIZdNW_N? 
z^k=Hwgt2p2&g)|ZZ2OKDxFo#wJ8qOtY4S=)PqbC9cyH%ctv1=qsk|o)BY3`nP&!y- zS(mR2x4kENeC7u*^nK2m>%Hq8G~+=-XbgBPDpTCZBE^5~NXtBh;l>ntEr)m$KD9_u zl95Lmp9lr;KdfDV1=^k#Bb;1Z5aVb@>O9*w+*T$#IUQ3aUE46W7@ai3fdZXWLbGhg zAtUcGz;3C7^@KbxSlh2K-w$)3p{j%*RgI*+G4+Clzp69GNmJi1K5@?%5WLx`@k-|&XAU8(bmQW>^s>m>nS3OP2-+F z(NvG3Z^5wOC`t9G`F5?Iemq2hb~zk=l;e52YChYFJYGvGoR_>K5>Werb5>8N?ByHp z{XwpW&~Fac2Np@H#p$67CXxZRD9ioef^?(BkCz1Um-3A@ke4(8K2=w&eR=0?&YA6 z5!~8^7W((4=4s+>u^`{TK1yLuGropGt6ch5);LdD2M=R)J2v+*%eoV6C+f*gAF#9p z_I3M%{t{HFb|JSM;P1zo)2i=H<3gIVUB7-5qjyan1J#F^oeIrgeY~v2oOhNzOp_=5 z>yy-V&viRrb+&ipVdJ*ospPbHvSn1LPOE!tP8(lM2 zino)d?Jf$3ccjLYI4t<<%JRBsr8_Eh7Y0qEtxb47%Ycp-^J59(=T!Z%1ILZynD*ME z?#uI&t79NfOFRcNN=haapVMbP(_tT2l`9QsIIH%-{e>JmA8308@CAk47B)=fiX=bx zK7zn@4whTVZcH+RmsAub8C4ClTFV)KCoPq*ftV;cQj21rz%!T<`}Rr}P3g9G4(DGi z+Wc|YsHTSn$~WQ%O+$Z;X(egzHT|UHW#3;utKh& zRX3_1wG1(n@v&@Z}r%|oQK6b#63oFPFOst z#~#cJ+J@sq%o(v$$;G0x_>9%~!SUj$+(Xo$i3{DjLqaWM(B{KY1h;`X8Q?TI5cnOf zGY#6a1e@o;f-d7Rl0}KDK1N5iEOg68SLuYOIq{8%FK^e(%#SYC5AyfH2vx{Y93g*Z zJbnlMeSU6$Q#qy=-?ls4j+Azx;aR$(IUXGyvfJZEAXM;!JYuiG)gm)<9$L$n4j2~o z=2;1Un`F4yNZ2nLV;u+Pm@)dh>t>YZlUr3BB0p#;(8@Hd-{Esc&DV+!N}IyMjw{Q% zLB>D$LX}N};0b4AWr`l+_`YoHPS;Je` z-1=L!Wv#8LpDGAI-n*yxK6>PfoGX3}l4Etr*7|p41g@1!Wlr2!1$3!=9oLYd+vg-; z(@tJ&u}*@-G=;$VSB{1~{z}0381-tP0%n@viZ%Nmx?Y`RqU0WJ|M|3yPsVS=mw&74 zK0u;zle9YFPu~# zR&yZU-ioDt4zTi0(d}M2te(EnAq=W4SBLZfg|s9}GG8Ymbem||Wv{k#^Y$h4GM0sXqQ5)_YU{x{X>0B1=ZO6< zv9s?FDg0W`D(p-ldysZ4*lKOWVjbROF)qZPmTXe6@Fm%2r|~6$?`kH;jq8L)l_(XP zk>pk^g~V*Z&%P(=``(JJ!x}|pYyZliLe|u}Sr*@)>I|mLY_40B#wHRPU+ak!JFcKo z`}0Tv?TC{9Vm9Y<9-OOAOhj0eUSx2Lh2s-{FD-!h`=_4wLcc;kJp7!q?rQ+zY5eigZD5~_9b+YwjzyU*^`QeHa#`~lT8>P>;Tg-C7r}-wG z!BqRKs_^K0e*d6dEyc}dH}L)DWr93_w+c9{bCWVyIEQb9hL+SU^cdcm7Q=l?6~RqS z9=e?MfW5qAYj{0?!k^AjXM}Ayp`u0=t@h|0-RfS$xXtAMr%VbDc{aKi-jN>TcJds1 zWye$LeQv$h@~#TVsoa<~iNf#&UeFi-wer_|rVgy-hR>AeC$aqnfeY?GEE9L#PMqow z_CrpS*g1be7w{401a}>_z+kl9j=p9NX3PsPd2AG9Iw`cu>aLYa+HcL$0SZ7oK_Z z%SVDbD6qdkMsrXD(}M8d*% 
zw{`2GwG6&NCa++dUtuQt}|1}{4WCg16P=l*FcbI>vLcSNYFytCUx*jKq-5)QF8YiT8xO1P2K~~W`1l49f zo&MPi=uf?g>w)6N_J}+xC)X!7e&g%&ae)95UUHBJq_d?MY!*hBR>dA6_jIhRKfii< ztcfkBjh{+pKTuiMK8{;Ib?$_&88r)Ep6mWHv&)yoNx;by0JV?;M~M;VmWhogJwphC4m zS)s4pZQw~22R_IVekT$BCnDb%;sqNoFmjpL<6aROSk8ivRk-?|4*-k*o{6=Twkke+ zh)mg&ndt3xZ!-cc^o>1H)M`Y25!Jk#w4BHj;;zbfRZ-Z~qVuN>EQ~caQz>db1(OYo zf0a0V)EQ_};o*ziLlaV^Zu`iKtfkPO|2hBsHq6%7d4)?UV2@JMg28oS2O`ii0ZJZS z+3^s6^Su3iX95z66GeP#$n~kQ;>#CYW9Iu1ry{7TvuIp&U98dw^%{L{q(8~)clnIk`dX?z zZ|B=pjws#pW2$EU4r(0rC5!rVmCmz=3tbIw-0X!3>}B_IX%!U<@y-V#f1A!tEu*5W zTTyVWy@YD0#b(abCWB-=vfzu~1#geiwkBIu{jrYpaGh&`^dI^j=L8=F<2@?(s}Lg>NP2IgU*?UEF6Ck4~&*(R>qn^t%e%T9ipM?Y(v{U;KG6KQbP0 zW2mVRneR2y2d;pMzS*<<2AwD@p6`-6G|z-E(o)}9eGqN>!(6H+rJ0Wx2z$J4x*&*@ zq<)y2)k=9>|Fm$OO)j&+Mw-PoWsi5mue%!;0HAQLegfHP5fxoJ?ps0FyewHRsCEv* zm<_ITR57Lx8eaY8bk(j}T%x3n zvpcPRcbiSw4J8wgVxQo7-N^^3;eN#im2Vei6x{G`=lqeUvhSvRB(V!u%2%Cu(f4PX zXchP>w&%x%ln0cr4#&lnr#h5*GgdoV(&d45uB{J7_NZ~r`fsR~wcU~zCkndkCd;{i zowe)=f7on4_}=YmHWp4vep4{3LFvB*lylQYyB5a^iEYTPY0-#1_>m7Y^ld^7d~$jE zo2*PO7^6KeV#;;g)&wZ#?phC0P_H$T9J?>XMtfTtC!{?v##;&5Ujq295+1iwcqw?IWMIRnwic zHxZD}%k=>k&N6P+@<006h;qOe`J<1i;X^yoAGsxQwFex_ig4oGVqAERuFHQZ2tAFWqC zRe?>gHq*>(h?aRt``i$QqmxYRfΜV}KRBAMzJUW#3e<$o^D^&^ZPSr=lEslIZqw zY6R~a7O`~fbr`>7$hM>Frk1o>G$@N+l0`F&+A9SLg&RZa7lz@vuLfI|c4T4&JXQ^N zRg*uW)wnIZ_$EVDpXPHVjx6`LK$gXI%EGFmccU7NuQIJ#KqFD>@4n=Tjp^-Wv z!ZBQC!YF4-RLG$LRMQYU<&~U6oA{f^LhzF6k8YXa+To=XD7!P)gX(A3=F}eEH}^$> zi0|7_dJR;k;An@-cZ7{C4>vfGamq?Jx`oF&I7()zgENcou5%ZCuOGafo_-#+#e1t~ zY8a-~$G_F^CvSCUF05v=<~oXsD?1!E+m5a$74&}9!0lW**wQRrn}MlQ?Z@av#geT> zsG;9v9B1Zj44PMF?G4o1r*6(q&v+j#t7N?86fkKiq+{GXX8Qb|MRT_lH$R1ssy3GI z$$x1c>A_xp00aC~rgyk9Ms;u|W+_4iaDCO0)w&u{0E}TadF6P!y5C%Bu9Kpl;BkQ# zXg2hCWusOWJz`vzCNFRYHLi(4vS@4>X<3au_MMyOX&b0JY?Ll%m=Vlr*$ElgpDWHA znE|YgA>x~_m_0fXs$*Qh8IRlv;*MBr^1ftB*ZjUVLg<8#UegY_G4(4@VH7K_QN|UF z>gd*?qTJmkLY1tk^t!K$iqLIPWpyYDD;9TA=F?f=P^GnIBl~8batiOd6ZexeLI!ON 
From d7b809080a693aba4d5cb0fea0e317d7affeecd7 Mon Sep 17 00:00:00 2001 From: illfated Date: Wed, 31 Jul 2019 16:20:59 +0200 Subject: [PATCH 222/248] MDOP May 2019 Servicing Release: new Hotfix Link Microsoft Desktop Optimization Pack May 2019 Servicing Release. Replaces the outdated MDOP link to July 2018 Servicing Release. Thanks to CaptainUnlikely for the Technet blogs information update. Closes #4574 --- mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md index a24a6d32c9..3013d8a294 100644 --- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md @@ -19,7 +19,7 @@ author: shortpatti This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 -[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=57157) +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=58345) #### Steps to update the MBAM Server for existing MBAM environment 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features). From 99e690cd378c113a095c9cc73185e173f00fdcf8 Mon Sep 17 00:00:00 2001
From: Tim Steinbach Date: Wed, 31 Jul 2019 14:55:31 -0400 Subject: [PATCH 223/248] Creating a WDATP alert requires recommendedAction Otherwise the following will be returned by the API: ``` {"error":{"code":"BadRequest","message":"recommendedAction argument is missing"}} ``` --- .../microsoft-defender-atp/create-alert-by-reference.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md index c100b9ddf2..f4a2b266d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md +++ b/windows/security/threat-protection/microsoft-defender-atp/create-alert-by-reference.md 
@@ -61,7 +61,7 @@ machineId | String | Id of the machine on which the event was identified. **Requ severity | String | Severity of the alert. The property values are: 'Low', 'Medium' and 'High'. **Required**. title | String | Title for the alert. **Required**. description | String | Description of the alert. **Required**. -recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. +recommendedAction| String | Action that is recommended to be taken by security officer when analyzing the alert. **Required**. eventTime | DateTime(UTC) | The time of the event, as obtained from the advanced query. **Required**. reportId | String | The reportId, as obtained from the advanced query. **Required**. category| String | Category of the alert. The property values are: 'None', 'SuspiciousActivity', 'Malware', 'CredentialTheft', 'Exploit', 'WebExploit', 'DocumentExploit', 'PrivilegeEscalation', 'Persistence', 'RemoteAccessTool', 'CommandAndControl', 'SuspiciousNetworkTraffic', 'Ransomware', 'MalwareDownload', 'Reconnaissance', 'WebFingerprinting', 'Weaponization', 'Delivery', 'SocialEngineering', 'CredentialStealing', 'Installation', 'Backdoor', 'Trojan', 'TrojanDownloader', 'LateralMovement', 'ExplorationEnumeration', 'NetworkPropagation', 'Exfiltration', 'NotApplicable', 'EnterprisePolicy' and 'General'. From d20794dc34425476afe838b0e0e5e0a55fd89fb0 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Thu, 1 Aug 2019 06:44:53 -0500 Subject: [PATCH 224/248] Update windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../configure-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
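Review bot: marking recommendedAction as **Required** in the parameter table matches the `recommendedAction argument is missing` error quoted in the commit message, but the hunk touches only that table row; if the page's sample request body or any "required properties" summary elsewhere on the page still omits recommendedAction, it should be updated in the same change, otherwise readers copying the example will hit the very BadRequest the commit describes.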
diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 5fa6b38b70..c129bb0353 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
@@ -33,7 +33,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |Policy name|Supported versions|Description| |-----------|------------------|-----------| |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, please include a full domain name **"contoso.com"** for example, in the configuration 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (When there is more than one subdomain). Configuring **".constoso.com"** will automatically trust **"subdomain1.contoso.com"**, **"subdomain2.contoso.com"** etc. 3) To trust a subdomain, you must precede your domain with two dots, for example: **"..contoso.com"** | +|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Notes: 1) If you want to specify a complete domain, include a full domain name (for example "**contoso.com**") in the configuration. 2) You may optionally use "." as a previous wildcard character to automatically trust all subdomains (when there is more than one subdomain). 
Configuring "**.constoso.com**" will automatically trust "**subdomain1.contoso.com**", "**subdomain2.contoso.com**", etc. 3) To trust a subdomain, precede your domain with two dots, for example "**..contoso.com**". | |Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.| From 8fe046793c1c18c77fcabd1b857b9d2503c223ee Mon Sep 17 00:00:00 2001 From: Kellie Eickmeyer <42247317+kellieei@users.noreply.github.com> Date: Thu, 1 Aug 2019 08:27:18 -0700 Subject: [PATCH 225/248] Update guidelines-for-assigned-access-app.md --- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index fa57936276..bbe21777b6 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -68,7 +68,7 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app Kiosk Browser settings | Use this setting to --- | --- -Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

    For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

    For example, if you want people to be limited to `http://contoso.com` only, you would add `.contoso.com` to blocked URL exception list and then block all other URLs. Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

    If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. From f1e77c9ed5f099e46f87200316d57aac8293492a Mon Sep 17 00:00:00 2001 From: Matt Egen <33404218+MattEgen@users.noreply.github.com> Date: Thu, 1 Aug 2019 09:29:06 -0700 Subject: [PATCH 226/248] Corrected typo Changed "ConnecionSuccess" to "ConnectionSuccess --- .../microsoft-defender-atp/configure-proxy-internet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md index 84bd3f8d8a..8f23f46df6 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md @@ -189,7 +189,7 @@ Event's information: ![Image of single network event](images/atp-proxy-investigation-event.png)
    **Advanced Hunting**
    -All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnecionSuccess’ action type.
    +All new connection events are available for you to hunt on through advanced hunting as well. Since these events are connection events, you can find them under the NetworkCommunicationEvents table under the ‘ConnectionSuccess’ action type.
    Using this simple query will show you all the relevant events: ``` From 87cd41cf74100b4940f1f601fb0db33420f92a41 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Thu, 1 Aug 2019 13:04:35 -0500 Subject: [PATCH 227/248] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 21 ++----------------- 1 file changed, 2 insertions(+), 19 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 7bbb3edc4c..36a250efa8 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md 
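Review bot: the rewritten "Enterprise resource domains hosted in the cloud" row in configure-wd-app-guard.md still carries the typo "**.constoso.com**" in the wildcard example; change it to "**.contoso.com**" so it matches the "subdomain1.contoso.com" and "subdomain2.contoso.com" results the same sentence lists. The added row also appears to break onto a second line after "(when there is more than one subdomain)."; a Markdown table row must stay on a single line or the cell and the rows after it will not render as a table.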
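Review bot: the new Blocked URL Exceptions example in guidelines-for-assigned-access-app.md is inconsistent with the Blocked URLs row of the same table: limiting people to `http://contoso.com` while the blocked list only contains `https://*` leaves every other `http://` URL reachable, so either add `http://*` to the blocked example or keep the allowed site on https. The exception value also changed from `contoso.com` to `.contoso.com` without saying what the leading "." matches; since the whole example depends on that prefix, add one sentence stating its matching behaviour next to "You can use wildcards."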
@@ -17,29 +17,12 @@ ms.date: 02/19/2019 - [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Review system requirements - + +Please refer to [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard), to review the hardware and software installation requirementf for Windows Defender Application Guard. >[!NOTE] >Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. -### Hardware requirements -Your environment needs the following hardware to run Windows Defender Application Guard. -|Hardware|Description| -|--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for the hypervisor. For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/virtualization/hyper-v-on-windows/reference/tlfs).| -|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

    **-AND-**

    One of the following virtualization extensions for VBS:

    VT-x (Intel)

    **-OR-**

    AMD-V| -|Hardware memory|Microsoft requires a minimum of 8GB RAM| -|Hard disk|5 GB free space, solid state disk (SSD) recommended| -|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| - -### Software requirements -Your environment needs the following software to run Windows Defender Application Guard. - -|Software|Description| -|--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
    Windows 10 Professional edition, version 1803| -|Browser|Microsoft Edge and Internet Explorer| -|Management system
    (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)

    **-OR-**

    [System Center Configuration Manager](https://docs.microsoft.com/sccm/)

    **-OR-**

    [Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)

    **-OR-**

    Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| ## Prepare for Windows Defender Application Guard From fe70bc2f8e8abf3da4ac29c1b354d89ee69a77d4 Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Thu, 1 Aug 2019 20:11:09 +0200 Subject: [PATCH 228/248] Update self-deploying.md Added additional links. --- windows/deployment/windows-autopilot/self-deploying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index ee06f80d04..8a08319014 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md 
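Review bot: typo in the added sentence of install-wd-app-guard.md: "requirementf" should be "requirements", and the comma before "to review" is misplaced; suggest "See [System requirements for Windows Defender Application Guard](...) to review the hardware and software installation requirements for Windows Defender Application Guard." Note also that deleting the inline tables removes the IOMMU recommendation, the 64-bit/4-core and 8 GB RAM minimums and the supported edition list from this page, so confirm the linked reqs-wd-app-guard article carries all of them before merging.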
@@ -29,7 +29,7 @@ Self-deploying mode joins the device into Azure Active Directory, enrolls the de Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. >[!NOTE] ->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-scenarios) and [Setting the BitLocker encryption algorithm for Autopilot devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/bitlocker). ![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) 
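Review bot: the second added link in self-deploying.md, "Setting the BitLocker encryption algorithm for Autopilot devices", does not bear on the point of this note, which is that no user is associated with the device and therefore user-bound capabilities such as BitLocker recovery may be unavailable; consider keeping only the "Windows Autopilot scenarios and capabilities" link. Minor: add a comma after "For more information".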
From 4be702bbfe972daf5bae45d5298850d03a007064 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 1 Aug 2019 15:50:23 -0700 Subject: [PATCH 229/248] Update install-wd-app-guard.md --- .../windows-defender-application-guard/install-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index 36a250efa8..b95919c716 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -18,7 +18,7 @@ ms.date: 02/19/2019 ## Review system requirements -Please refer to [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard), to review the hardware and software installation requirementf for Windows Defender Application Guard. +See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard. >[!NOTE] >Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. From fb184cbcfc9983041551a36f56de60641cb94d86 Mon Sep 17 00:00:00 2001 From: Sandeep Deo <38295759+SanDeo-MSFT@users.noreply.github.com> Date: Fri, 2 Aug 2019 10:14:56 -0700 Subject: [PATCH 230/248] Update hello-hybrid-cert-trust-devreg.md --- .../hello-hybrid-cert-trust-devreg.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 1df71e5f3d..433457239a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -196,10 +196,19 @@ In a federated Azure AD configuration, devices rely on Active Directory Federati Windows current devices authenticate using Integrated Windows Authentication to an active WS-Trust endpoint (either 1.3 or 2005 versions) hosted by the on-premises federation service. +When you're using AD FS, you need to enable the following WS-Trust endpoints: +`/adfs/services/trust/2005/windowstransport` +`/adfs/services/trust/13/windowstransport` +`/adfs/services/trust/2005/usernamemixed` +`/adfs/services/trust/13/usernamemixed` +`/adfs/services/trust/2005/certificatemixed` +`/adfs/services/trust/13/certificatemixed` + +> [!WARNING] +> Both **adfs/services/trust/2005/windowstransport** or **adfs/services/trust/13/windowstransport** should be enabled as intranet facing endpoints only and must NOT be exposed as extranet facing endpoints through the Web Application Proxy. To learn more on how to disable WS-Trust WIndows endpoints, see [Disable WS-Trust Windows endpoints on the proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/best-practices-securing-ad-fs#disable-ws-trust-windows-endpoints-on-the-proxy-ie-from-extranet). You can see what endpoints are enabled through the AD FS management console under **Service** > **Endpoints**. + > [!NOTE] -> When using AD FS, either **adfs/services/trust/13/windowstransport** or **adfs/services/trust/2005/windowstransport** must be enabled. If you are using the Web Authentication Proxy, also ensure that this endpoint is published through the proxy. You can see what end-points are enabled through the AD FS management console under **Service > Endpoints**. -> -> If you don't have AD FS as your on-premises federation service, follow the instructions of your vendor to make sure they support WS-Trust 1.3 or 2005 end-points and that these are published through the Metadata Exchange file (MEX). 
+>If you don’t have AD FS as your on-premises federation service, follow the instructions from your vendor to make sure they support WS-Trust 1.3 or 2005 endpoints and that these are published through the Metadata Exchange file (MEX). The following claims must exist in the token received by Azure DRS for device registration to complete. Azure DRS will create a device object in Azure AD with some of this information which is then used by Azure AD Connect to associate the newly created device object with the computer account on-premises. From b79bd6d1a15ddaa3580e0a437c3301e73784757c Mon Sep 17 00:00:00 2001 From: Narkis Engler <41025789+narkissit@users.noreply.github.com> Date: Fri, 2 Aug 2019 11:15:00 -0700 Subject: [PATCH 231/248] Update waas-delivery-optimization.md fixed typo --- windows/deployment/update/waas-delivery-optimization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md index 59f1889887..a7e4b0a82e 100644 --- a/windows/deployment/update/waas-delivery-optimization.md +++ b/windows/deployment/update/waas-delivery-optimization.md 
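Review bot: the six endpoint lines added after "you need to enable the following WS-Trust endpoints:" in hello-hybrid-cert-trust-devreg.md have no list markers or blank lines between them, so Markdown will run them together into one paragraph; make them a bulleted list. In the warning, "Both ... or ..." should read "Both ... and ...", and "WIndows" should be "Windows". The warning rightly restricts the two windowstransport endpoints to intranet-facing use, but the four usernamemixed and certificatemixed endpoints in the new list get no guidance at all; state whether those may be published through the Web Application Proxy or must stay intranet-only as well, since the removed note previously told readers to publish the endpoint through the proxy.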
@@ -116,7 +116,7 @@ For the payloads (optional): **Does Delivery Optimization use multicast?**: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. -**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimizatio uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). +**How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN?**: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more details see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). ## Troubleshooting From 1400d160af1ddf4dd7309cc01288f0e37fdfdac0 Mon Sep 17 00:00:00 2001 From: Nickolas Gupton Date: Fri, 2 Aug 2019 21:43:19 -0500 Subject: [PATCH 232/248] Fixed a small typo Changed "wwitches" to "switches". --- .../advanced-troubleshooting-802-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md index 7edad5cf25..878b065aa7 100644 --- a/windows/client-management/advanced-troubleshooting-802-authentication.md +++ b/windows/client-management/advanced-troubleshooting-802-authentication.md 
@@ -17,7 +17,7 @@ ms.topic: troubleshooting ## Overview -This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or wwitches, it won't be an end-to-end Microsoft solution. +This is a general troubleshooting of 802.1X wireless and wired clients. With 802.1X and wireless troubleshooting, it's important to know how the flow of authentication works, and then figuring out where it's breaking. It involves a lot of third party devices and software. Most of the time, we have to identify where the problem is, and another vendor has to fix it. Since we don't make access points or switches, it won't be an end-to-end Microsoft solution. ## Scenarios From 1e178c4f9cf64b22395d39a43c932568e1bdb15e Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 3 Aug 2019 10:48:46 +0500 Subject: [PATCH 233/248] Update for the month June 2019 I have added the content for surface hub based on an update KB4503289. There was no update released for a hub for the month of July. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4586 --- devices/surface-hub/surface-hub-update-history.md | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 881dfa5e4b..36cbd6e12d 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -26,6 +26,18 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +

    +June 18, 2019—update for Team edition based on KB4503289* (OS Build 15063.1897) + +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + +* Addresses an issue with log collection for Microsoft Surface Hub 2S. +* Addresses an issue that prevents a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4503289](https://support.microsoft.com/help/4503289) +
    +
    May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835) @@ -484,4 +496,4 @@ This update to the Surface Hub includes quality improvements and security fixes. * [Windows 10 November update: FAQ](http://windows.microsoft.com/windows-10/windows-update-faq) * [Microsoft Surface update history](http://go.microsoft.com/fwlink/p/?LinkId=724327) * [Microsoft Lumia update history](http://go.microsoft.com/fwlink/p/?LinkId=785968) -* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) \ No newline at end of file +* [Get Windows 10](http://go.microsoft.com/fwlink/p/?LinkId=616447) From 8bb9b459be8e07bfe8bb23c99d58ffda8193f023 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 3 Aug 2019 11:00:26 +0500 Subject: [PATCH 234/248] Update devices/surface-hub/surface-hub-update-history.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- devices/surface-hub/surface-hub-update-history.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index 36cbd6e12d..568e515039 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md 
@@ -32,7 +32,7 @@ Please refer to the “[Surface Hub Important Information](https://support.micro This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: * Addresses an issue with log collection for Microsoft Surface Hub 2S. -* Addresses an issue that prevents a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. +* Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully. Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. *[KB4503289](https://support.microsoft.com/help/4503289) From 8dd4637d4eae3ef05e9fa69f3290d5a882daf5a5 Mon Sep 17 00:00:00 2001 From: CTroessaert <43269447+CTroessaert@users.noreply.github.com> Date: Sat, 3 Aug 2019 12:31:49 +0200 Subject: [PATCH 235/248] typo typo the Action Sataus column instead of the Action Status column --- .../volume-activation/scenario-proxy-activation-vamt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md index c06bae6554..c86af07eeb 100644 --- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md +++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md 
@@ -143,7 +143,7 @@ In this step, you export VAMT from the workgroup’s host computer and save it i 1. Select the products to which you want to apply CIDs. If needed, sort and filter the list to find the products. 2. In the right-side **Selected Items** menu, click **Activate**, click **Apply Confirmation ID**, and then select the appropriate credential option. If you click the **Alternate Credentials** option, you will be prompted to enter an alternate user name and password. - VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Sataus** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. + VAMT displays the **Applying Confirmation Id** dialog box while it installs the CIDs on the selected products. When VAMT finishes installing the CIDs, the status appears in the **Action Status** column of the dialog box. Click **Close** to close the dialog box. You can also click the **Automatically close when done** check box when the dialog box appears. The same status appears under the **Status of Last Action** column in the product list view in the center pane. ## Step 13: (Optional) Reactivating Reimaged Computers in the Isolated Lab From 3aac0c5f79404021653a7fae5d81fde47e780ebb Mon Sep 17 00:00:00 2001 From: andreiztm Date: Mon, 5 Aug 2019 10:14:15 +0300 Subject: [PATCH 236/248] Correcting small mistake on which version of Win10 displays MBEC Correcting initial mistake when changed docs. --- .../enable-virtualization-based-protection-of-code-integrity.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index 0f4d7ee1dc..07172573b3 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -183,7 +183,7 @@ Windows 10 and Windows Server 2016 have a WMI class for related properties and f > The *Win32\_DeviceGuard* WMI class is only available on the Enterprise edition of Windows 10. > [!NOTE] -> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1709. +> Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803. The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. From ac484753b908f8cc182d4355a3507602a3692bfd Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 5 Aug 2019 13:16:39 +0500 Subject: [PATCH 237/248] Updated links Hotlink for configuring MTP integration and API support was missing and has been updated. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4569 --- .../threat-protection/microsoft-defender-atp/onboard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/onboard.md b/windows/security/threat-protection/microsoft-defender-atp/onboard.md index f28db7412f..05c4e3ae79 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/onboard.md +++ b/windows/security/threat-protection/microsoft-defender-atp/onboard.md 
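Review bot: the version change from 1709 to 1803 in enable-virtualization-based-protection-of-code-integrity.md comes with no supporting reference in the commit or the doc; since the commit message says this corrects an earlier mistake, cite the source in the PR so the next editor does not flip it back. Style: the sentence is missing its article and should read "The Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803."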
@@ -33,8 +33,8 @@ Topic | Description [Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats. [Configure Secure score dashboard security controls](secure-score-dashboard.md) | Configure the security controls in Secure score to increase the security posture of your organization. [Configure Microsoft Threat Experts capabilities](configure-microsoft-threat-experts.md) | Configure and manage how you would like to get cybersecurity threat intelligence from Microsoft Threat Experts. -Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Microsoft Defender ATP. -Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. +[Configure Microsoft Threat Protection integration](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/threat-protection-integration)| Configure other solutions that integrate with Microsoft Defender ATP. +[Management and API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/management-apis)| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports. [Configure Microsoft Defender Security Center settings](preferences-setup.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others. From 31cbdeeb39f555d417be45f46aabcbc29591469c Mon Sep 17 00:00:00 2001 
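Review bot: the two new links in onboard.md use absolute docs.microsoft.com URLs, while every other row of this table uses relative Markdown links such as `[Configure Microsoft Defender Security Center settings](preferences-setup.md)`; if the target articles live in the same folder, link them as `threat-protection-integration.md` and `management-apis.md` so they survive path and locale changes and stay consistent with the adjacent rows.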
From: Marty Hernandez Avedon Date: Mon, 5 Aug 2019 12:04:27 -0400 Subject: [PATCH 238/248] Resolves #4620 - typo in command line Issue #4620 Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode should be Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode --- .../evaluate-exploit-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 61220879a8..4d7e28279c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -88,7 +88,7 @@ Where: For example, to enable Arbitrary Code Guard (ACG) in audit mode for an app named *testing.exe*, run the following command: ```PowerShell -Set-ProcesMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode +Set-ProcessMitigation -Name c:\apps\lob\tests\testing.exe -Enable AuditDynamicCode ``` You can disable audit mode by replacing `-Enable` with `-Disable`. From 25178b39c9f46495663e1e70a171a294c7871887 Mon Sep 17 00:00:00 2001 From: illfated Date: Mon, 5 Aug 2019 20:07:47 +0200 Subject: [PATCH 239/248] HTML to MarkDown in hello-hybrid-aadj-sso-cert.md This is a combined effort to alleviate a translation bug as well as improving the MarkDown codestyle in this document, both for the English (en-us) version of the document as well as the translated versions. This change should in theory close the issue tickets #3451 and #3453 after the scripted translation process has been re-run on this document. This solution is based on a user discussion in issue ticket #4589 . --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index 2fc0996eb0..73c0ca23ab 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md @@ -79,7 +79,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni 1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/ 2. Click **Login** and provide Azure credentials -3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid] is the user principal name of user in Azure Active Directory. Click **Go** +3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go** 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user. ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png) 
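Review bot: the hunk header context line of hello-hybrid-aadj-sso-cert.md still contains the misspelled "onPremisesDistingushedNamne" (the attribute is onPremisesDistinguishedName, as step 4 in the same hunk spells it); since this commit already touches this section for Markdown cleanup, fix that line too. The closing bold marker added to **[userid]** in step 3 is the right fix.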
@@ -659,7 +659,7 @@ Sign-in a workstation with access equivalent to a _domain user_. 13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**. 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority. ![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png) -15. Under **Extended key usage**, type **Smart Card Logon** under Name. Type **1.3.6.1.4.1.311.20.2.2 under **Object identifier**. Click **Add**. +15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**. 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**. ![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png) 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile. From a10869d3fc3f9f6495fc25d2e3d070ddad3a35a8 Mon Sep 17 00:00:00 2001 
From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Tue, 6 Aug 2019 11:09:08 +0200 Subject: [PATCH 240/248] Update windows/deployment/windows-autopilot/self-deploying.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/deployment/windows-autopilot/self-deploying.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index 8a08319014..ea68663b28 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md 
@@ -29,7 +29,7 @@ Self-deploying mode joins the device into Azure Active Directory, enrolls the de Self-deploying mode is designed to deploy Windows 10 as a kiosk, digital signage device, or a shared device. When setting up a kiosk, you can leverage the new Kiosk Browser, an app built on Microsoft Edge that can be used to create a tailored, MDM-managed browsing experience. When combined with MDM policies to create a local account and configure it to automatically log on, the complete configuration of the device can be automated. Find out more about these options by reading simplifying kiosk management for IT with Windows 10. See [Set up a kiosk or digital sign in Intune or other MDM service](https://docs.microsoft.com/windows/configuration/setup-kiosk-digital-signage#set-up-a-kiosk-or-digital-sign-in-intune-or-other-mdm-service) for additional details. >[!NOTE] ->Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. For more information see [Windows Autopilot scenarios and capabilities](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-scenarios) and [Setting the BitLocker encryption algorithm for Autopilot devices](https://docs.microsoft.com/windows/deployment/windows-autopilot/bitlocker). +>Self-deploying mode does not presently associate a user with the device (since no user ID or password is specified as part of the process). As a result, some Azure AD and Intune capabilities (such as BitLocker recovery, installation of apps from the Company Portal, or Conditional Access) may not be available to a user that signs into the device. 
For more information see [Windows Autopilot scenarios and capabilities](windows-autopilot-scenarios.md) and [Setting the BitLocker encryption algorithm for Autopilot devices](bitlocker.md). ![The user experience with Windows Autopilot self-deploying mode](images/self-deploy-welcome.png) From 12120a6d90872675c5a73d390b33a2aa6d1833d8 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 6 Aug 2019 16:24:59 -0700 Subject: [PATCH 241/248] Update index.md --- windows/security/threat-protection/index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 05cbed96aa..97a809c8de 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -141,7 +141,7 @@ Integrate Microsoft Defender Advanced Threat Protection into your existing workf **[Microsoft Threat Protection](microsoft-defender-atp/threat-protection-integration.md)**
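Review bot: the hunk header is "@@ -29,7 +29,7 @@", but the replacement note now appears to span two lines (the ">Self-deploying mode ..." line and a separate "For more information see ..." line), which would make the new-side count 8, not 7; check that the patch applies cleanly and that the second line still starts with ">" so it stays inside the [!NOTE] callout rather than rendering as a separate paragraph. The switch from absolute docs.microsoft.com URLs to relative links (windows-autopilot-scenarios.md, bitlocker.md) is good, provided both files sit in the same directory as self-deploying.md; the unchanged context sentence "Find out more about these options by reading simplifying kiosk management for IT with Windows 10." also still has no link target.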
    Microsoft Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace. Bring the power of Microsoft threat protection to your organization. - [Conditional access](microsoft-defender-atp/conditional-access.md) -- [O365 ATP](microsoft-defender-atp/threat-protection-integration.md) +- [Office 365 ATP](microsoft-defender-atp/threat-protection-integration.md) - [Azure ATP](microsoft-defender-atp/threat-protection-integration.md) - [Azure Security Center](microsoft-defender-atp/threat-protection-integration.md) - [Skype for Business](microsoft-defender-atp/threat-protection-integration.md) From bb78b497a8c09ad5e30f819b95a033a228f4df3d Mon Sep 17 00:00:00 2001 From: PatCat-MSFT <45884210+PatCat-MSFT@users.noreply.github.com> Date: Wed, 7 Aug 2019 17:11:38 -0400 Subject: [PATCH 242/248] Update waas-configure-wufb.md --- windows/deployment/update/waas-configure-wufb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md index 4960481076..b9c42b697b 100644 --- a/windows/deployment/update/waas-configure-wufb.md +++ b/windows/deployment/update/waas-configure-wufb.md 
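Review bot: renaming "O365 ATP" to "Office 365 ATP" is the right product name, but four of the five bullets (Office 365 ATP, Azure ATP, Azure Security Center, Skype for Business) all link to the same threat-protection-integration.md page; consider pointing each at its section anchor on that page so the list does not present four identical links. Also grep the rest of index.md for the "O365" abbreviation so the naming is consistent across the page, not only in this list.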
@@ -28,7 +28,7 @@ ms.topic: article You can use Group Policy or your mobile device management (MDM) service to configure Windows Update for Business settings for your devices. The sections in this topic provide the Group Policy and MDM policies for Windows 10, version 1511 and above. The MDM policies use the OMA-URI setting from the [Policy CSP](https://msdn.microsoft.com/library/windows/hardware/dn904962.aspx). >[!IMPORTANT] ->For Windows Update for Business policies to be honored, the diagnostic data level of the device must be set to **1 (Basic)** or higher. If it is set to **0 (Security)**, Windows Update for Business policies will have no effect. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). +>Beginning with Windows 10, version 1903, organizations can use Windows Update for Business policies, regardless of the diagnostic data level chosen. If the diagnostic data level is set to **0 (Security)**, Windows Update for Business policies will still be honored. For instructions, see [Configure the operating system diagnostic data level](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#diagnostic-data-levels). Some Windows Update for Business policies are not applicable or behave differently for devices running Windows 10 Mobile Enterprise. Specifically, policies pertaining to Feature Updates will not be applied to Windows 10 Mobile Enterprise. All Windows 10 Mobile updates are recognized as Quality Updates, and can only be deferred or paused using the Quality Update policy settings. Additional information is provided in this topic and in [Deploy updates for Windows 10 Mobile Enterprise and Windows 10 IoT Mobile](waas-mobile-updates.md). From 164c021d853761c0313c797cc262ffced9aee637 Mon Sep 17 00:00:00 2001 
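Review bot: the new [!IMPORTANT] text describes only the version 1903 behavior, while the unchanged context line above it says the topic covers "Windows 10, version 1511 and above"; readers on earlier builds lose the statement that Windows Update for Business policies require diagnostic data level **1 (Basic)** or higher. Keep both cases, for example: "On Windows 10, version 1903 and later, Windows Update for Business policies are honored regardless of the diagnostic data level. On earlier versions, the level must be set to **1 (Basic)** or higher; at **0 (Security)** the policies have no effect."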
From: Nicole Turner <39884432+nenonix@users.noreply.github.com> Date: Thu, 8 Aug 2019 02:36:08 +0200 Subject: [PATCH 243/248] Update hello-features.md Removes \ typo --- .../identity-protection/hello-for-business/hello-features.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index b161b2f79b..37591f1f54 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -260,7 +260,7 @@ Users appreciate convenience of biometrics and administrators value the security ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png) > [!IMPORTANT] -> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.\ +> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature. ## Related topics From 52343dcbdfa0af58bb08235b841ca7f5b26d1aa0 Mon Sep 17 00:00:00 2001 From: Albert Cabello Serrano Date: Thu, 8 Aug 2019 09:43:00 -0700 Subject: [PATCH 244/248] Update windows-analytics-get-started.md adding IE site discovery to GDPR blurb --- windows/deployment/update/windows-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 35a8196735..4ea48d71f7 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md 
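Review bot: removing the trailing backslash is correct, since in Markdown a trailing "\" forces a hard line break and here it would only produce an empty line inside the [!IMPORTANT] callout. While touching the line, "does not work with [Dual Enrollment](#dual-enrollment) feature" reads better as "does not work with the [Dual Enrollment](#dual-enrollment) feature".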
@@ -78,7 +78,7 @@ To enable data sharing, configure your proxy server to whitelist the following e >[!NOTE] >Microsoft has a strong commitment to providing the tools and resources that put you in control of your privacy. As a result, Microsoft doesn't collect the following data from devices located in European countries (EEA and Switzerland): >- Windows diagnostic data from Windows 8.1 devices ->- App usage data for Windows 7 devices +>- App usage data and [Internet Explorer site discovery](../upgrade/upgrade-readiness-additional-insights#site-discovery) features for Windows 7 devices From dca7f5fcd38a2fd9026b7a71eb8f873805eda9a8 Mon Sep 17 00:00:00 2001 From: dianmsft <43798680+dianmsft@users.noreply.github.com> Date: Thu, 8 Aug 2019 15:04:58 -0700 Subject: [PATCH 245/248] Update sideload-apps-in-windows-10.md --- windows/application-management/sideload-apps-in-windows-10.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 8052f02284..3928061aa3 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -19,6 +19,9 @@ ms.date: 05/20/2019 - Windows 10 - Windows 10 Mobile +> [!NOTE] +> As of Windows Insider Build 18956, sideloading is enabled by default. Now, you can deploy a signed package onto a device without a special configuration. + "Line-of-Business" (LOB) apps are present in a wide range of businesses and organizations. Organizations value these apps because they solve problems unique to each business. When you sideload an app, you deploy a signed app package to a device. You maintain the signing, hosting, and deployment of these apps. Sideloading was also available with Windows 8 and Windows 8.1 From 4a3e45bf767b44382992b5c52dae520dd9b5573b Mon Sep 17 00:00:00 2001 
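Review bot: the added link target "../upgrade/upgrade-readiness-additional-insights#site-discovery" omits the ".md" extension that the other relative links in this patch series use (for example "waas-mobile-updates.md" and "bitlocker.md"); without it the link may fail to resolve at build time. Change it to "../upgrade/upgrade-readiness-additional-insights.md#site-discovery" and confirm the "site-discovery" anchor exists in that file.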
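Review bot: the new [!NOTE] states that sideloading is enabled by default as of Insider Build 18956, but it should also say whether the rest of this page's configuration steps still apply to released builds and whether administrators of managed devices can still turn sideloading off by policy, since the surrounding text is about organizations controlling which signed LOB packages reach their devices; an Insider build number also dates quickly, so plan to replace it with the released version once known. The context line "ms.date: 05/20/2019" should be bumped in the same change, as this adds new content to the page.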
From: Albert Cabello Serrano Date: Fri, 9 Aug 2019 07:50:59 -0700 Subject: [PATCH 246/248] Update upgrade-readiness-deployment-script.md replacing support email with official support channels --- .../deployment/upgrade/upgrade-readiness-deployment-script.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md index 6c6a70095b..9c6619d3d9 100644 --- a/windows/deployment/upgrade/upgrade-readiness-deployment-script.md +++ b/windows/deployment/upgrade/upgrade-readiness-deployment-script.md @@ -186,5 +186,5 @@ Error creating or updating registry key: **CommercialId** at **HKLM:\SOFTWARE\Mi > > Then run the Enterprise Config script (RunConfig.bat) again. > -> If the script still fails, then send mail to uasupport@microsoft.com including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. +> If the script still fails, contact support including log files from the RunConfig.bat script. These log files are stored on the drive that is specified in the RunConfig.bat file. By default this is set to **%SystemDrive%\UADiagnostics**. The log file is named with the format **UA_yyyy_mm_dd_hh_mm_ss_machineID.txt**. There will be some additional logs generated under your **\\Windows\Temp** directory with the names similar to **AslLog_....txt**. You should send those logs as well. From e3eb5cbf3859e0a603b12c4e70d992efe1ee9613 Mon Sep 17 00:00:00 2001 
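Review bot: "contact support including log files from the RunConfig.bat script" is both vague and ungrammatical; the commit message says the email is being replaced with "official support channels", so link the phrase to that channel and reword it, for example: "If the script still fails, contact support through [your support channel] and include the log files from the RunConfig.bat script." Without a concrete destination, the remainder of the paragraph ("You should send those logs as well.") has nowhere to send them.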
From: Marty Hernandez Avedon Date: Fri, 9 Aug 2019 14:44:07 -0400 Subject: [PATCH 247/248] missing bold on GUI element --- .../microsoft-defender-atp/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index 230e57d75e..c7f77d1dd7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md @@ -63,7 +63,7 @@ This action takes effect on machines with Windows 10, version 1703 or later, whe 1. Select the file you want to stop and quarantine. You can select a file from any of the following views or use the Search box: - **Alerts** - click the corresponding links from the Description or Details in the Artifact timeline - - **Search box** - select File from the drop–down menu and enter the file name + - **Search box** - select **File** from the drop–down menu and enter the file name 2. Go to the top bar and select **Stop and Quarantine File**. From e79168428609552485e2529a29bf2ad0f885bbe8 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Fri, 9 Aug 2019 14:48:04 -0400 Subject: [PATCH 248/248] formatting again - italicize typed word --- .../microsoft-defender-atp/respond-file-alerts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md index c7f77d1dd7..3f4ceec2f5 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md +++ b/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts.md 
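Review bot: bolding **File** is consistent with **Stop and Quarantine File** in step 2, but the sibling bullet "**Alerts** - click the corresponding links from the Description or Details in the Artifact timeline" still leaves the UI element names (Description, Details, Artifact timeline) unbolded; apply the same treatment there. The line also uses an en dash in "drop–down", where a plain hyphen ("drop-down") is the standard form.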
@@ -98,7 +98,7 @@ You can roll back and remove a file from quarantine if you’ve determined that 1. Open an elevated command–line prompt on the machine: - a. Go to **Start** and type cmd. + a. Go to **Start** and type _cmd_. b. Right–click **Command prompt** and select **Run as administrator**.
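Review bot: italicizing _cmd_ distinguishes typed input from UI labels, though this docs set more commonly renders typed commands in code formatting (`cmd`); pick one convention and apply it across the page. The unchanged context lines "command–line prompt" and "Right–click" use en dashes where hyphens belong ("command-line", "Right-click"), which is worth fixing in the same formatting pass.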