From 4cf8b27e76944c7e0ca7860bee687946e019e728 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Thu, 21 Jan 2021 21:40:39 +0200 Subject: [PATCH 01/28] add info about IIS 7.0 and above https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8881 --- .../impersonate-a-client-after-authentication.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 1d241529ee..893651d17e 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md @@ -105,6 +105,8 @@ On member servers, ensure that only the Administrators and Service groups (Local In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Impersonate a client after authentication** user right to additional accounts that are required by those components, such as IUSR\_*<ComputerName>*, IIS\_WPG, ASP.NET, or IWAM\_*<ComputerName>*. +In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. More details [in this article](https://docs.microsoft.com/en-us/troubleshoot/iis/default-permissions-user-rights). + ## Related topics - [User Rights Assignment](user-rights-assignment.md) From d623b6c85877357e8c3489eef319d4ea993d8169 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sat, 23 Jan 2021 22:29:55 +0500 Subject: [PATCH 02/28] pointing to the Application proxy page Added a link so that users can directly get more information about the application proxy and how the application proxy works. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8988 --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index c5273dc500..df8163a715 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -396,7 +396,7 @@ Certificate enrollment for Azure AD joined devices occurs over the Internet. As Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. -Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. +Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See, [What is Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. From 8f8c04c0ea899c2f0115b9a33e72f36e10a7ce76 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Sun, 24 Jan 2021 16:52:50 +0500 Subject: [PATCH 03/28] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-cert.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md index df8163a715..1c550a85f6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md 
@@ -396,7 +396,7 @@ Certificate enrollment for Azure AD joined devices occurs over the Internet. As Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. -Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See, [What is Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. +Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. See [What is Application Proxy](https://docs.microsoft.com/azure/active-directory/manage-apps/application-proxy#what-is-application-proxy) for more details. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. 
Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. From 2770129c50ef8d2acf3eeb162938f616afbb3282 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 25 Jan 2021 09:14:23 +0200 Subject: [PATCH 04/28] Update windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../impersonate-a-client-after-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 893651d17e..14ce26e99b 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md 
@@ -105,7 +105,7 @@ On member servers, ensure that only the Administrators and Service groups (Local In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Impersonate a client after authentication** user right to additional accounts that are required by those components, such as IUSR\_*<ComputerName>*, IIS\_WPG, ASP.NET, or IWAM\_*<ComputerName>*. -In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. More details [in this article](https://docs.microsoft.com/en-us/troubleshoot/iis/default-permissions-user-rights). +In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. For more details, see [Default permissions and user rights for IIS 7.0 and later](https://docs.microsoft.com/en-us/troubleshoot/iis/default-permissions-user-rights). ## Related topics From f9428cbd5cf7917295207e3c69c9e0e563ec90df Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 26 Jan 2021 10:22:17 -0800 Subject: [PATCH 05/28] Update hello-key-trust-adfs.md added Cname required for enterpriseregistration entry for on-prem ADFS device registration --- .../hello-for-business/hello-key-trust-adfs.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index a908e96533..39091b5f6e 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -298,8 +298,14 @@ Sign-in the domain controller or administrative workstation with domain administ 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. 4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. 5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. +6. Right-click the domain_name node, and then click New Alias (CNAME). +7. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box. +8. In the fully qualified domain name (FQDN) of the target host box, type federation_service_farm_name.domain_name.com, and then click OK. 6. Close the DNS Management console +Note: if your forest has multiple UPN suffix. please make sure, you have enterpriseregistration.upnsuffix.com present for each suffix + + ## Configure the Intranet Zone to include the federation service The Windows Hello provisioning presents web pages from the federation service. Configuring the intranet zone to include the federation service enables the user to authenticate to the federation service using integrated authentication. Without this setting, the connection to the federation service during Windows Hello provisioning prompts the user for authentication. From 864b9835560f3a80f91c2410bea96e124df57dd3 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 26 Jan 2021 11:10:58 -0800 Subject: [PATCH 06/28] Lockscreen PIN reset limitations Lock screen PIN reset limitations --- .../hello-for-business/hello-feature-pin-reset.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index b1fda98d52..e72d85ea29 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -109,6 +109,9 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 3. Follow the instructions provided by the provisioning process 4. When finished, unlock your desktop using your newly created PIN. +you may find PIN reset only works from settings post login and This lock screen PIN reset will not work if you have any matching limitation of SSPR password reset from lock screen. refer the below doc +https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations + >[!NOTE] > Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. From fb39122a357fc459c0f5e7e6f2f3969ab327c81f Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 26 Jan 2021 11:42:07 -0800 Subject: [PATCH 07/28] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index e72d85ea29..f9da23b2f5 100644 
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -112,7 +112,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e you may find PIN reset only works from settings post login and This lock screen PIN reset will not work if you have any matching limitation of SSPR password reset from lock screen. refer the below doc https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations ->[!NOTE] +> [!NOTE] > Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. ## Related topics From fb183c6d238679212756dc4aba96fb11836e4a03 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 26 Jan 2021 11:45:20 -0800 Subject: [PATCH 08/28] Update hello-feature-pin-reset.md corrected --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index f9da23b2f5..a2bc31b02f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -109,7 +109,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 3. Follow the instructions provided by the provisioning process 4. When finished, unlock your desktop using your newly created PIN. -you may find PIN reset only works from settings post login and This lock screen PIN reset will not work if you have any matching limitation of SSPR password reset from lock screen. refer the below doc +you may find PIN reset only works from settings post login and "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from lock screen. refer the below doc https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations > [!NOTE] From 7223dc7c6ae30baf2b9615fce0ae10a4d11cf0c7 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 26 Jan 2021 14:47:28 -0800 Subject: [PATCH 09/28] Update windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md looks good Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-key-trust-adfs.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 39091b5f6e..ebef5484a7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -303,8 +303,8 @@ Sign-in the domain controller or administrative workstation with domain administ 8. In the fully qualified domain name (FQDN) of the target host box, type federation_service_farm_name.domain_name.com, and then click OK. 6. Close the DNS Management console -Note: if your forest has multiple UPN suffix. please make sure, you have enterpriseregistration.upnsuffix.com present for each suffix - +> [!NOTE] +> If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.upnsuffix.com` is present for each suffix. ## Configure the Intranet Zone to include the federation service @@ -349,4 +349,3 @@ Before you continue with the deployment, validate your deployment progress by re 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) 5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - From 6b03f05ca81841c738b96c4b707a48e2a185c966 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 26 Jan 2021 14:47:59 -0800 Subject: [PATCH 10/28] Update windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md accepted Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-key-trust-adfs.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index ebef5484a7..5eb6f6aa71 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -298,9 +298,9 @@ Sign-in the domain controller or administrative workstation with domain administ 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. 4. In the navigation pane, right-click the domain name node and click **New Host (A or AAAA)**. 5. In the **name** box, type the name of the federation service. In the **IP address** box, type the IP address of your federation server. Click **Add Host**. -6. Right-click the domain_name node, and then click New Alias (CNAME). -7. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box. -8. In the fully qualified domain name (FQDN) of the target host box, type federation_service_farm_name.domain_name.com, and then click OK. +6. Right-click the `domain_name` node and select **New Alias (CNAME)**. +7. In the **New Resource Record** dialog box, type "enterpriseregistration" in the **Alias** name box. +8. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name.domain_name.com`, and click OK. 6. Close the DNS Management console > [!NOTE] @@ -348,4 +348,3 @@ Before you continue with the deployment, validate your deployment progress by re 3. Prepare and Deploy Windows Server 2016 Active Directory Federation Services (*You are here*) 4. [Validate and Deploy Multifactor Authentication Services (MFA)](hello-key-trust-validate-deploy-mfa.md) 5. [Configure Windows Hello for Business Policy settings](hello-key-trust-policy-settings.md) - From ea70ba9c7695da1f92bb4527c9032dcb8f5c1a30 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Tue, 26 Jan 2021 14:58:21 -0800 Subject: [PATCH 11/28] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md looks fine Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index a2bc31b02f..bfee1d6776 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md @@ -109,8 +109,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 3. Follow the instructions provided by the provisioning process 4. When finished, unlock your desktop using your newly created PIN. -you may find PIN reset only works from settings post login and "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from lock screen. refer the below doc -https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations +You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations). > [!NOTE] > Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. From b20b80b83bb4647d25fecf5b126055c5596a4806 Mon Sep 17 00:00:00 2001 
From: Nagappan Veerappan Date: Tue, 26 Jan 2021 15:13:10 -0800 Subject: [PATCH 12/28] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md looks good Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index bfee1d6776..7e82ff0181 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -109,7 +109,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 3. Follow the instructions provided by the provisioning process 4. When finished, unlock your desktop using your newly created PIN. -You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations). +You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations). > [!NOTE] > Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. From dc4e543aceb17c20dc9ba5c820dc6966d1492564 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Wed, 27 Jan 2021 09:36:51 -0800 Subject: [PATCH 13/28] Update windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md number correction Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-key-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 5eb6f6aa71..2a2c07e715 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md @@ -301,7 +301,7 @@ Sign-in the domain controller or administrative workstation with domain administ 6. Right-click the `domain_name` node and select **New Alias (CNAME)**. 7. In the **New Resource Record** dialog box, type "enterpriseregistration" in the **Alias** name box. 8. In the **fully qualified domain name (FQDN)** of the target host box, type `federation_service_farm_name.domain_name.com`, and click OK. -6. Close the DNS Management console +9. Close the DNS Management console. > [!NOTE] > If your forest has multiple UPN suffixes, please make sure that `enterpriseregistration.upnsuffix.com` is present for each suffix. From c58e0fc7489fe3351f1851f6e9e43519c890d028 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Wed, 27 Jan 2021 10:16:47 -0800 Subject: [PATCH 14/28] Update windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md accepted Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-pin-reset.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 7e82ff0181..2a553e3421 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
@@ -109,7 +109,7 @@ On-premises deployments provide users with the ability to reset forgotten PINs e 3. Follow the instructions provided by the provisioning process 4. When finished, unlock your desktop using your newly created PIN. -You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-windows#general-limitations). +You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations). > [!NOTE] > Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. From 1741809281a26350598da038d85878d6ba283cfa Mon Sep 17 00:00:00 2001 
From: Chad Simmons Date: Tue, 2 Feb 2021 12:04:49 -0600 Subject: [PATCH 15/28] update headers to support In This Article Update headers to support "In This Article" like newer documentation such as https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines-configure --- .../mdm/policy-csp-deviceinstallation.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 24c7b04cbf..16084a0b88 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -51,7 +51,7 @@ ms.localizationpriority: medium
-**DeviceInstallation/AllowInstallationOfMatchingDeviceIDs** +## DeviceInstallation/AllowInstallationOfMatchingDeviceIDs @@ -165,7 +165,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
-**DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs** +## DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
@@ -272,7 +272,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
-**DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses** +## DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
@@ -395,7 +395,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
-**DeviceInstallation/PreventDeviceMetadataFromNetwork** +## DeviceInstallation/PreventDeviceMetadataFromNetwork
@@ -474,7 +474,7 @@ ADMX Info:
-**DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings** +## DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
@@ -586,7 +586,7 @@ You can also block installation by using a custom profile in Intune.
-**DeviceInstallation/PreventInstallationOfMatchingDeviceIDs** +## DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
@@ -703,7 +703,7 @@ For example, this custom profile blocks installation and usage of USB devices wi
-**DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs** +## DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
@@ -830,7 +830,7 @@ with
-**DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses** +## DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
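Review bot: Check that links into these eight sections of `policy-csp-deviceinstallation.md` still resolve once the bold policy names become `##` headings, because a heading gets an anchor generated from its text and the text here contains a slash (`DeviceInstallation/AllowInstallationOfMatchingDeviceIDs`). Also confirm that `##` is the right level under the headings the page already has. The commit message gives the "In This Article" list as the reason and the stat shows "1 file changed", so say in the PR whether sibling policy pages are meant to follow, otherwise this page will differ from the rest of the set.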
From deec393d77ea8696fe861b2313117f313499a1c5 Mon Sep 17 00:00:00 2001 From: Inanimis <32716793+Quod-Heros-Tempus@users.noreply.github.com> Date: Sat, 6 Feb 2021 01:35:10 -0600 Subject: [PATCH 16/28] Fixed typo come > some Fixed a typo on line 56, changing come > some. --- .../prepare-for-windows-deployment-with-mdt.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index c4445493e4..09afd0edb5 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -53,7 +53,7 @@ Several client computers are referenced in this guide with hostnames of PC0001 t ### Storage requirements -MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust come procedures in this guide to specify the C: drive instead of the D: drive. +MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. ### Hyper-V requirements 
@@ -259,4 +259,4 @@ When you have completed all the steps in this section to prepare for deployment, The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell. - [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. -- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. \ No newline at end of file +- [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. From d70609adfaa24d0bcea63bc9b729457e911522b8 Mon Sep 17 00:00:00 2001 From: Inanimis <32716793+Quod-Heros-Tempus@users.noreply.github.com> Date: Sun, 7 Feb 2021 00:48:44 -0600 Subject: [PATCH 17/28] Update windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../prepare-for-windows-deployment-with-mdt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 09afd0edb5..82f909de0b 100644 
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md @@ -53,7 +53,7 @@ Several client computers are referenced in this guide with hostnames of PC0001 t ### Storage requirements -MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:) you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. +MDT01 and HV01 should have the ability to store up to 200 GB of files on a data drive (D:). If you use a computer with a single system partition (C:), you will need to adjust some procedures in this guide to specify the C: drive instead of the D: drive. ### Hyper-V requirements From 61af14350a234fa0639ab2cbe0cdee48be60a71d Mon Sep 17 00:00:00 2001 From: Inanimis <32716793+Quod-Heros-Tempus@users.noreply.github.com> Date: Sun, 7 Feb 2021 00:48:51 -0600 Subject: [PATCH 18/28] Update windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md Co-authored-by: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../prepare-for-windows-deployment-with-mdt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md index 82f909de0b..e2da8e687d 100644 --- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md +++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md 
@@ -256,7 +256,7 @@ When you have completed all the steps in this section to prepare for deployment, **Sample files** -The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so that you can see how some tasks can be automated with Windows PowerShell. +The following sample files are also available to help automate some MDT deployment tasks. This guide does not use these files, but they are made available here so you can see how some tasks can be automated with Windows PowerShell. - [Gather.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619361). This sample Windows PowerShell script performs the MDT Gather process in a simulated MDT environment. This allows you to test the MDT gather process and check to see if it is working correctly without performing a full Windows deployment. - [Set-OUPermissions.ps1](https://go.microsoft.com/fwlink/p/?LinkId=619362). This sample Windows PowerShell script creates a domain account and then configures OU permissions to allow the account to join machines to the domain in the specified OU. - [MDTSample.zip](https://go.microsoft.com/fwlink/p/?LinkId=619363). This sample web service shows you how to configure a computer name dynamically using MDT. From 51baad7ec46d7bce07a7347341e27891c5b529ec Mon Sep 17 00:00:00 2001 From: Bill Mcilhargey <19168174+computeronix@users.noreply.github.com> Date: Mon, 8 Feb 2021 11:58:20 -0500 Subject: [PATCH 19/28] note on per user licensing Add note on licensing for subscription activation; requires per user licensing and is not valid on per device based licenses --- windows/deployment/deploy-enterprise-licenses.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index d13e8feb57..2b174292d3 100644 --- a/windows/deployment/deploy-enterprise-licenses.md 
+++ b/windows/deployment/deploy-enterprise-licenses.md @@ -24,6 +24,7 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with >* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. >* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. >* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. +>* Requires Windows 10 Enterprise per user licensing, does not work on per device licensing. >[!IMPORTANT] >An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. From e43717ce30ad2bc85620d281fc8a30cd9ab00f2c Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 9 Feb 2021 15:17:15 +0200 Subject: [PATCH 20/28] add note about premium connectors licensing https://github.com/MicrosoftDocs/windows-itpro-docs/issues/8616 --- .../microsoft-defender-atp/api-microsoft-flow.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index 6daada5960..d59213e53b 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md 
@@ -33,6 +33,9 @@ Microsoft Defender API has an official Flow Connector with many capabilities. ![Image of edit credentials](images/api-flow-0.png) +> [!NOTE] +> More details about premium connectors licensing prerequisites [here](https://docs.microsoft.com/en-us/power-automate/triggers-introduction#licensing-for-premium-connectors) + ## Usage example The following example demonstrates how to create a Flow that is triggered any time a new Alert occurs on your tenant. From 1afee0e2fcd0cd076ebe7f8abd0e31ec12c8add1 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 10 Feb 2021 10:43:42 +0200 Subject: [PATCH 21/28] Update windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../impersonate-a-client-after-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md index 14ce26e99b..182a792244 100644 --- a/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/impersonate-a-client-after-authentication.md 
@@ -105,7 +105,7 @@ On member servers, ensure that only the Administrators and Service groups (Local In most cases, this configuration has no impact. If you have installed optional components such as ASP.NET or IIS, you may need to assign the **Impersonate a client after authentication** user right to additional accounts that are required by those components, such as IUSR\_*<ComputerName>*, IIS\_WPG, ASP.NET, or IWAM\_*<ComputerName>*. -In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. For more details, see [Default permissions and user rights for IIS 7.0 and later](https://docs.microsoft.com/en-us/troubleshoot/iis/default-permissions-user-rights). +In IIS 7.0 and later, a built-in account (IUSR) replaces the IUSR_MachineName account. Additionally, a group that is named IIS_IUSRS replaces the IIS_WPG group. Because the IUSR account is a built-in account, the IUSR account no longer requires a password. The IUSR account resembles a network or local service account. For more details, see [Default permissions and user rights for IIS 7.0 and later](https://docs.microsoft.com/troubleshoot/iis/default-permissions-user-rights). ## Related topics From 5ed7fd9c2634305429fbafaf75b65df180d73154 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Wed, 10 Feb 2021 10:44:15 +0200 Subject: [PATCH 22/28] Update windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-atp/api-microsoft-flow.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md index d59213e53b..ac1cc1109c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-microsoft-flow.md @@ -34,7 +34,7 @@ Microsoft Defender API has an official Flow Connector with many capabilities. ![Image of edit credentials](images/api-flow-0.png) > [!NOTE] -> More details about premium connectors licensing prerequisites [here](https://docs.microsoft.com/en-us/power-automate/triggers-introduction#licensing-for-premium-connectors) +> For more details about premium connectors licensing prerequisites, see [Licensing for premium connectors](https://docs.microsoft.com/power-automate/triggers-introduction#licensing-for-premium-connectors). ## Usage example From 93e08dc071578b00235d49f7609b89d969b50607 Mon Sep 17 00:00:00 2001 From: Tina McNaboe <53281468+TinaMcN@users.noreply.github.com> Date: Wed, 10 Feb 2021 16:52:11 -0800 Subject: [PATCH 23/28] Update prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md tags are not valid in markdown and are probably leftover from migrating this content. This is causing a problem with the localized files. According to the markdown guidelines To format text as bold, enclose it in two asterisks This text is **bold**. https://review.docs.microsoft.com/en-us/help/contribute/markdown-reference?branch=master --- ...uch-installation-of-windows-10-with-configuration-manager.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 348d4fd07c..66c81b0a5b 100644 
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -77,7 +77,7 @@ ForEach($entry in $oulist){ } ``` -Next, copy the following list of OU names and paths into a text file and save it as C:\Setup\Scripts\oulist.txt +Next, copy the following list of OU names and paths into a text file and save it as **C:\Setup\Scripts\oulist.txt** ```text OUName,OUPath From d0b43483999f4d6f8f5c8d57bee3609f3f6ebc47 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 11 Feb 2021 14:15:03 +0530 Subject: [PATCH 24/28] removed invalid link added correct link as per the user report issue# 9106. so I removed invalid link and added correct link. **https://docs.microsoft.com/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities** --- .../hello-for-business/hello-deployment-issues.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index 2c22e05685..178932ec34 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -55,7 +55,7 @@ Applies to: Windows Hello for Business uses smart card based authentication for many operations. Smart card has special guidelines when using a third-party CA for certificate issuance, some of which apply to the domain controllers. Not all Windows Hello for Business deployment types require these configurations. Accessing on-premises resources from an Azure AD Joined device does require special configuration when using a third-party CA to issue domain controller certificates. For more information, read [Guidelines for enabling smart card logon with third-party certification authorities]( -https://support.microsoft.com/topic/a34a400a-51d5-f2a1-c8c0-7a6c9c49cb78). +https://docs.microsoft.com/troubleshoot/windows-server/windows-security/enabling-smart-card-logon-third-party-certification-authorities). ### Identifying On-premises Resource Access Issues with Third-Party CAs From a3590d136161155454798e9f62939f39379e4aa8 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 16 Feb 2021 16:07:27 -0800 Subject: [PATCH 25/28] updating note --- .../microsoft-defender-atp/tvm-security-recommendation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index 80a2a4dd6c..d343ad8424 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -105,7 +105,7 @@ From the flyout, you can choose any of the following options: - [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] ->When a change is made on a device, it typically takes two hours for the data to be reflected in the Microsoft Defender Security Center. However, it may sometimes take longer. +>When a software change is made on a device, it yypically takes 2 hours for the data to be reflected in the Microsoft Defender Security Center. Configuration changes can take 12 hours. However, it may sometimes take longer. ### Investigate changes in device exposure or impact From a4775e5bfbacebeb60949c7cd7350e1e4d5dcaa2 Mon Sep 17 00:00:00 2001 From: Beth Levin Date: Tue, 16 Feb 2021 16:08:37 -0800 Subject: [PATCH 26/28] grammar update --- .../microsoft-defender-atp/tvm-security-recommendation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md index d343ad8424..2c151888d9 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md +++ b/windows/security/threat-protection/microsoft-defender-atp/tvm-security-recommendation.md 
@@ -105,7 +105,7 @@ From the flyout, you can choose any of the following options: - [**Exception options**](tvm-exception.md) - Submit an exception, provide justification, and set exception duration if you can't remediate the issue yet. >[!NOTE] ->When a software change is made on a device, it yypically takes 2 hours for the data to be reflected in the Microsoft Defender Security Center. Configuration changes can take 12 hours. However, it may sometimes take longer. +>When a software change is made on a device, it typically takes 2 hours for the data to be reflected in the security portal. Configuration changes can take 12 hours. However, it may sometimes take longer. ### Investigate changes in device exposure or impact From 8408fc55c8c1daca13b2df3506797d2f9964b22a Mon Sep 17 00:00:00 2001 From: Bill Mcilhargey <19168174+computeronix@users.noreply.github.com> Date: Wed, 17 Feb 2021 11:57:28 -0500 Subject: [PATCH 27/28] Update windows/deployment/deploy-enterprise-licenses.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/deploy-enterprise-licenses.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md index 2b174292d3..71c908be85 100644 --- a/windows/deployment/deploy-enterprise-licenses.md +++ b/windows/deployment/deploy-enterprise-licenses.md 
@@ -24,7 +24,7 @@ This topic describes how to deploy Windows 10 Enterprise E3 or E5 licenses with >* Windows 10 Enterprise Subscription Activation (EA or MPSA) requires Windows 10 Pro, version 1703 or later. >* Windows 10 Enterprise E3 in CSP requires Windows 10 Pro, version 1607 or later. >* Automatic, non-KMS activation requires Windows 10, version 1803 or later, on a device with a firmware-embedded activation key. ->* Requires Windows 10 Enterprise per user licensing, does not work on per device licensing. +>* Windows 10 Enterprise Subscription Activation requires Windows 10 Enterprise per user licensing; it does not work on per device based licensing. >[!IMPORTANT] >An issue has been identified where devices can lose activation status or be blocked from upgrading to Windows Enterprise if the device is not able to connect to Windows Update. A workaround is to ensure that devices do not have the REG_DWORD present HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations and set to 1. If this REG_DWORD is present, it must be set to 0. From 9276f0533836103dd52ca2a343a568bbb4520487 Mon Sep 17 00:00:00 2001 From: Tina Burden Date: Wed, 17 Feb 2021 14:04:21 -0800 Subject: [PATCH 28/28] PR #4777 warning fixes --- .../mdm/policy-csp-deviceinstallation.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md index 16084a0b88..ba86d69fad 100644 --- a/windows/client-management/mdm/policy-csp-deviceinstallation.md +++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md @@ -22,28 +22,28 @@ ms.localizationpriority: medium
- DeviceInstallation/AllowInstallationOfMatchingDeviceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
- DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/AllowInstallationOfMatchingDeviceInstanceIDs
- DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
- DeviceInstallation/PreventDeviceMetadataFromNetwork + DeviceInstallation/PreventDeviceMetadataFromNetwork
- DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings + DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings
- DeviceInstallation/PreventInstallationOfMatchingDeviceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceIDs
- DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs + DeviceInstallation/PreventInstallationOfMatchingDeviceInstanceIDs
- DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses + DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses
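Review bot: In PATCH 21/28 (impersonate-a-client-after-authentication.md), the edited paragraph names the legacy account IUSR_MachineName, while the unchanged paragraph directly above it writes IUSR\_*<ComputerName>*; use one placeholder form so readers do not take them for two different accounts. The same + line repeats "the IUSR account" three times in two consecutive sentences and could be tightened while it is being touched.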
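Review bot: In PATCH 24/28 (hello-deployment-issues.md), the replacement URL still sits on its own line after the link's opening parenthesis, which closes the preceding context line ("...third-party certification authorities]("). Join the link text and its target onto one line so the link does not depend on how a renderer treats a line break inside the parentheses.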
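Review bot: In PATCH 26/28 (tvm-security-recommendation.md), the closing sentence "However, it may sometimes take longer." now follows "Configuration changes can take 12 hours.", so it is unclear whether the caveat applies to the 2-hour software figure, the 12-hour configuration figure, or both. Suggest saying which figure it qualifies, or moving it so that it directly follows that figure.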
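Review bot: In PATCH 27/28 (deploy-enterprise-licenses.md), the new bullet writes its compound modifiers unhyphenated and in two different forms: "per user licensing" but "per device based licensing". Suggest "per-user licensing" and "per-device licensing", dropping "based".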