Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into FromPrivateRepo

.openpublishing.redirection.json

@@ -11,13 +11,83 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/deployment/update/waas-windows-insider-for-business.md",
-"redirect_url": "/windows-insider/at-work-pro/wip-4-biz-get-started",
+"source_path": "windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md",
+"redirect_url": "/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows",
 "redirect_document_id": true
 },
 {
-"source_path": "windows/security/hardware-protection/how-hardware-based-containers-help-protect-windows.md",
-"redirect_url": "/windows/security/identity-protection/how-hardware-based-containers-help-protect-windows",
+"source_path": "windows/security/hardware-protection/encrypted-hard-drive.md",
+"redirect_url": "/windows/security/information-protection/encrypted-hard-drive",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/secure-the-windows-10-boot-process.md",
+"redirect_url": "/windows/security/information-protection/secure-the-windows-10-boot-process",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md",
+"redirect_url": "/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/change-the-tpm-owner-password.md",
+"redirect_url": "/windows/security/information-protection/tpm/change-the-tpm-owner-password",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/how-windows-uses-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/how-windows-uses-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md",
+"redirect_url": "/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-commands.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-commands",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/manage-tpm-lockout.md",
+"redirect_url": "/windows/security/information-protection/tpm/manage-tpm-lockout",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md",
+"redirect_url": "/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-fundamentals.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-fundamentals",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/tpm-recommendations.md",
+"redirect_url": "/windows/security/information-protection/tpm/tpm-recommendations",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-overview.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-services-group-policy-settings.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/hardware-protection/tpm/trusted-platform-module-top-node.md",
+"redirect_url": "/windows/security/information-protection/tpm/trusted-platform-module-top-node",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/waas-windows-insider-for-business.md",
+"redirect_url": "/windows-insider/at-work-pro/wip-4-biz-get-started",
 "redirect_document_id": true
 },
 {

windows/client-management/mdm/assignedaccess-csp.md

@@ -19,6 +19,9 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
 
  In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
 
+> [!Warning]  
+> You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.
+
 > [!Note]
 > The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
 

windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md

@@ -1638,6 +1638,13 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 </thead>
 <tbody>
 <tr>
+<td style="vertical-align:top">[AssignedAccess CSP](assignedaccess-csp.md)</td>
+<td style="vertical-align:top"><p>Added the following note:</p>
+<ul>
+<li>You can only assign one single app kiosk profile to an individual user account on a device. The single app profile does not support domain groups.</li>
+</ul>
+</td></tr>
+<tr>
 <td style="vertical-align:top">[PassportForWork  CSP](passportforwork-csp.md)</td>
 <td style="vertical-align:top"><p>Added new settings in Windows 10, next major version.</p>
 </td></tr>
@@ -1675,18 +1682,23 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <ul>
 <li>ApplicationManagement/LaunchAppAfterLogOn</li>
 <li>ApplicationManagement/ScheduleForceRestartForUpdateFailures </li>
+<li>Authentication/EnableFastFirstSignIn</li>
+<li>Authentication/EnableWebSignIn</li>
+<li>Authentication/PreferredAadTenantDomainName</li>
 <li>Defender/CheckForSignaturesBeforeRunningScan</li>
 <li>Defender/DisableCatchupFullScan </li>
 <li>Defender/DisableCatchupQuickScan </li>
 <li>Defender/EnableLowCPUPriority</li>
 <li>Defender/SignatureUpdateFallbackOrder</li>
 <li>Defender/SignatureUpdateFileSharesSources</li>
+<li>DeviceGuard/EnableSystemGuard</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceIDs</li>
 <li>DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses</li>
 <li>DeviceInstallation/PreventDeviceMetadataFromNetwork</li>
 <li>DeviceInstallation/PreventInstallationOfDevicesNotDescribedByOtherPolicySettings</li>
 <li>DmaGuard/DeviceEnumerationPolicy</li>
 <li>Experience/AllowClipboardHistory</li>
+<li>Security/RecoveryEnvironmentAuthentication</li>
 <li>TaskManager/AllowEndTask</li>
 <li>WindowsDefenderSecurityCenter/DisableClearTpmButton</li>
 <li>WindowsDefenderSecurityCenter/DisableTpmFirmwareUpdateWarning</li>

windows/security/TOC.md

@@ -1,7 +1,6 @@
 # [Security](index.yml)
 ## [Identity and access management](identity-protection/index.md)
 ## [Information protection](information-protection/index.md)
-## [Hardware-based protection](hardware-protection/index.md)
 ## [Threat protection](threat-protection/index.md)
 
 

windows/security/hardware-protection/TOC.md

@@ -1,21 +0,0 @@
-# [Hardware-based protection](index.md)
-
-## [Encrypted Hard Drive](encrypted-hard-drive.md)
-
-## [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md)
-
-## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
-
-## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
-### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
-### [TPM fundamentals](tpm/tpm-fundamentals.md)
-### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
-### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
-### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
-### [Manage TPM commands](tpm/manage-tpm-commands.md)
-### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
-### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
-### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
-### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
-### [TPM recommendations](tpm/tpm-recommendations.md)
-

windows/security/hardware-protection/index.md

@@ -1,21 +0,0 @@
----
-title: Hardware-based Protection (Windows 10)
-description: Learn more about how to help protect against threats in Windows 10 and Windows 10 Mobile.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-author: brianlic-msft
-ms.date: 02/05/2018
----
-
-# Hardware-based protection
-
-Windows 10 leverages these hardware-based security features to protect and maintain system integrity.
-
-| Section | Description |
-|-|-|
-| [Encrypted Hard Drive](encrypted-hard-drive.md) | Provides information about Encrypted Hard Drive, which uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.|
-|[How hardware-based containers help protect Windows 10](how-hardware-based-containers-help-protect-windows.md) |Learn about how hardware-based containers can isolate sensitive system services and data, enabling them to remain secure even when the operating system has been compromised.|
-|[Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md) |Learn about the Windows 10 security features that help to protect your PC from malware, including rootkits and other applications.|
-| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Provides links to information about the Trusted Platform Module (TPM), which is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |

windows/security/identity-protection/TOC.md

@@ -28,7 +28,6 @@
 ### [Credential Guard: Additional mitigations](credential-guard/additional-mitigations.md)
 ### [Credential Guard: Known issues](credential-guard/credential-guard-known-issues.md)
 
-
 ## [Protect Remote Desktop credentials with Remote Credential Guard](remote-credential-guard.md)
 
 ## [Smart Cards](smart-cards/smart-card-windows-smart-card-technical-reference.md)

windows/security/identity-protection/how-hardware-based-containers-help-protect-windows.md

@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: justinha
-ms.date: 07/31/2018
+ms.date: 08/01/2018
 ---
 
 
@@ -26,13 +26,13 @@ Windows Defender System Guard reorganizes the existing Windows 10 system integri
 
 With Windows 7, one of the means attackers would use to persist and evade detection was to install what is often referred to as a bootkit or rootkit on the system. This malicious software would start before Windows started, or during the boot process itself, enabling it to start with the highest level of privilege.
 
-With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s [Secure Boot feature](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-8.1-and-8/hh824987), which is part of the Unified Extensible Firmware Interface (UEFI). 
+With Windows 10 running on modern hardware (that is, Windows 8-certified or greater) we have a hardware-based root of trust that helps us ensure that no unauthorized firmware or software (such as a bootkit) can start before the Windows bootloader. This hardware-based root of trust comes from the device’s Secure Boot feature, which is part of the Unified Extensible Firmware Interface (UEFI). 
 
 After successful verification and startup of the device’s firmware and Windows bootloader, the next opportunity for attackers to tamper with the system’s integrity is while the rest of the Windows operating system and defenses are starting. As an attacker, embedding your malicious code using a rootkit within the boot process enables you to gain the maximum level of privilege and gives you the ability to more easily persist and evade detection. 
 
 This is where Windows Defender System Guard protection begins with its ability to ensure that only properly signed and secure Windows files and drivers, including third party, can start on the device. At the end of the Windows boot process, System Guard will start the system’s antimalware solution, which scans all third party drivers, at which point the system boot process is completed. In the end, Windows Defender System Guard helps ensure that the system securely boots with integrity and that it hasn’t been compromised before the remainder of your system defenses start.
 
-![Boot time integrity](../hardware-protection/images/windows-defender-system-guard-boot-time-integrity.png)
+![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
 
 ## Maintaining integrity of the system after it’s running (run time)
 
@@ -48,5 +48,5 @@ While Windows Defender System Guard provides advanced protection that will help
 
 As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or System Center Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
 
-![Windows Defender System Guard](../hardware-protection/images/windows-defender-system-guard-validate-system-integrity.png)
+![Windows Defender System Guard](images/windows-defender-system-guard-validate-system-integrity.png)
 

windows/security/information-protection/TOC.md

@@ -28,6 +28,7 @@
 #### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md)
 ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)
 
+## [Encrypted Hard Drive](encrypted-hard-drive.md)
 
 ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
 ### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md)
@@ -53,3 +54,20 @@
 #### [Using Outlook Web Access with Windows Information Protection (WIP)](windows-information-protection\using-owa-with-wip.md)
 ### [Fine-tune Windows Information Protection (WIP) with WIP Learning](windows-information-protection\wip-learning.md)
 
+## [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)
+
+## [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)
+### [Trusted Platform Module Overview](tpm/trusted-platform-module-overview.md)
+### [TPM fundamentals](tpm/tpm-fundamentals.md)
+### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md)
+### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md)
+### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md)
+### [Manage TPM commands](tpm/manage-tpm-commands.md)
+### [Manage TPM lockout](tpm/manage-tpm-lockout.md)
+### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md)
+### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md)
+### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md)
+### [TPM recommendations](tpm/tpm-recommendations.md)
+
+
+