From 5fd015e5033da38076c0a51445ff3460d34ed7e6 Mon Sep 17 00:00:00 2001 From: MatthewMWR Date: Thu, 7 Mar 2019 12:27:25 -0800 Subject: [PATCH 1/7] Add solution remove/re-add to DH troubleshooting steps --- .../windows-analytics-FAQ-troubleshooting.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md index de1e61231d..6be715e074 100644 --- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md +++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md 
@@ -79,12 +79,14 @@ If you have deployed images that have not been generalized, then many of them mi [![Device Reliability tile showing device count highlighted](images/device-reliability-device-count.png)](images/device-reliability-device-count.png) If you have devices that appear in other solutions, but not Device Health, follow these steps to investigate the issue: -1. Confirm that the devices are running Windows10. -2. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). -3. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). -4. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. -5. Wait 48 hours for activity to appear in the reports. -6. If you need additional troubleshooting, contact Microsoft Support. +1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again. +2. Confirm that the devices are running Windows 10. +3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551). +4. 
Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set). +5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information. +6. Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace +7. Wait 48 hours for activity to appear in the reports. +8. If you need additional troubleshooting, contact Microsoft Support. ### Device crashes not appearing in Device Health Device Reliability From 6b4807437539b15e0a7b0679efd172c8a2b9ffc3 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Mon, 11 Mar 2019 10:42:38 -0600 Subject: [PATCH 2/7] Issue #2746 DC Certificate --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 4ddd3e27d4..064b6c491d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
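Review bot: In patch 1/7, the new step 6 ("Remove the Device Health (appears as DeviceHealthProd on some pages) from your Log Analytics workspace") duplicates the remove/re-add already performed in the new step 1 and, read literally, leaves the solution removed right before step 7 tells the reader to wait 48 hours for data to appear; either drop step 6 or make it the single remove/re-add step and keep step 1 as the Windows 10 check. In step 1, "add the Device Health solution to you workspace again" should read "your workspace", and step 6 is missing the word "solution" after the parenthetical and a terminating period. Consider also ordering the remove/re-add after the cheaper per-device checks (OS version, Commercial ID, AllowTelemetry, endpoint reachability), since it acts on the whole workspace while the other steps are read-only checks on one device.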
@@ -68,13 +68,19 @@ Certificate authorities write CRL distribution points in certificates as they ar #### Why does Windows need to validate the domain controller certifcate? -Windows Hello for Business enforces the strict KDC validation security feature, which enforces a more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: +Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: - The domain controller has the private key for the certificate provided. - The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**. +- Use the **Kerberos Authentication certificate template** instead of any other older template. - The domain controller's certificate has the **KDC Authentication** enhanced key usage. - The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain. + +> [!Tip] +> If you are using windows server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing/re-issuing the certificate. + + ## Configuring a CRL Distribution Point for an issuing certificate authority Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point. From f89786f02a137f19ec86a77859527940a8bd39db Mon Sep 17 00:00:00 2001 
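Review bot: In patch 2/7, the added bullet "Use the **Kerberos Authentication certificate template** instead of any other older template" is an administrator instruction, not a condition the client checks, yet it sits inside the list introduced by "the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met". Move it out of the list into the prose or the Tip, and state which of the listed criteria an older template fails to satisfy (the two bullets that follow it, the **KDC Authentication** enhanced key usage and the domain DNS name in the subject alternative name, are the ones that depend on the template), so the reader understands why the template choice matters rather than treating it as a fifth validation step. The Tip's "windows server 2008" and "issuing/re-issuing" are corrected in 3/7; squash that fix into this commit. The two extra blank lines added before "## Configuring a CRL Distribution Point" should be removed.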
From: TokyoScarab Date: Mon, 11 Mar 2019 12:07:17 -0600 Subject: [PATCH 3/7] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-Authored-By: j0rt3g4 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 064b6c491d..3f8546ed0e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -78,7 +78,7 @@ Windows Hello for Business enforces the strict KDC validation security feature, > [!Tip] -> If you are using windows server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing/re-issuing the certificate. +> If you are using Windows Server 2008, **Kerberos Authentication** is not the default template, so make sure to use the correct template when issuing or re-issuing the certificate. ## Configuring a CRL Distribution Point for an issuing certificate authority From 72c7f7416995837e2ee53b722150a0a6aa5a94d0 Mon Sep 17 00:00:00 2001 From: Joyce Y <47188252+mypil@users.noreply.github.com> Date: Mon, 11 Mar 2019 13:09:14 -0600 Subject: [PATCH 4/7] Apply suggestions from code review done Co-Authored-By: j0rt3g4 --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 3f8546ed0e..a006babc6d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
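Review bot: Patch 3/7 only capitalizes "Windows Server 2008" and rewords "issuing/re-issuing" to "issuing or re-issuing" in the Tip introduced by 2/7; fold it into 2/7 so the series does not carry the misspelled intermediate state as a separate commit.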
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -66,7 +66,7 @@ If you are interested in configuring your environment to use the Windows Hello f Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory -#### Why does Windows need to validate the domain controller certifcate? +#### Why does Windows need to validate the domain controller certificate? Windows Hello for Business enforces the strict KDC validation security feature, which imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met: From 21798759651cbb2b5f2b51138c05c7f7408aaa20 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 11 Mar 2019 14:15:34 -0600 Subject: [PATCH 5/7] Changing some typos --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index a006babc6d..6b2ff4bb41 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
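Review bot: Patch 4/7 fixes "certifcate" in the "#### Why does Windows need to validate the domain controller certificate?" heading, but the same misspelling in the "### Configure the new CRL distribution point and Publishing location in the issuing certifcate authority" heading later in the file is left for 5/7 and 6/7; fold all of these typo fixes into one commit. While touching this paragraph, the unchanged context sentence "The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory" is missing "of" ("one of the critical components") and a terminating period.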
@@ -170,7 +170,7 @@ These procedures configure NTFS and share permissions on the web server to allow 9. Click **Close** in the **cdp Properties** dialog box. -### Configure the new CRL distribution point and Publishing location in the issuing certifcate authority +### Configure the new CRL distribution point and Publishing location in the issuing certifiate authority The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point From f183f71e1ada98945592404c1d3a1c8f3dc1a062 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Mon, 11 Mar 2019 14:16:45 -0600 Subject: [PATCH 6/7] Fixed another typo --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 6b2ff4bb41..d231dc9a9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -170,7 +170,7 @@ These procedures configure NTFS and share permissions on the web server to allow 9. Click **Close** in the **cdp Properties** dialog box. -### Configure the new CRL distribution point and Publishing location in the issuing certifiate authority +### Configure the new CRL distribution point and Publishing location in the issuing certificate authority The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point From 3c2da6cfb2b926a17da34ef496b38dbba602d579 Mon Sep 17 00:00:00 2001 
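Review bot: Patch 5/7 replaces "certifcate" with "certifiate" in the "### Configure the new CRL distribution point and Publishing location in the issuing certificate authority" heading, which is still misspelled, and 6/7 immediately corrects it to "certificate"; squash 5/7 into 6/7 so the broken intermediate spelling never lands in history. While editing this heading, "Publishing" should be lowercase to match the sentence-case style of the rest of the heading, and the context sentence "to publish the CRL at the new location and to include the new CRL distribution point" is missing its terminating period.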
From: "H. Poulsen" Date: Tue, 12 Mar 2019 10:01:00 -0700 Subject: [PATCH 7/7] Update windows-as-a-service.md Added latest news as of 3/12/2019 --- windows/deployment/update/windows-as-a-service.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/update/windows-as-a-service.md b/windows/deployment/update/windows-as-a-service.md index 3f665bd4b4..f49645a75a 100644 --- a/windows/deployment/update/windows-as-a-service.md +++ b/windows/deployment/update/windows-as-a-service.md @@ -25,6 +25,8 @@ Everyone wins when transparency is a top priority. We want you to know when upda The latest news:
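Review bot: The hunk for patch 7/7 is cut off after "The latest news:" on this page, so the two inserted lines announced by "@@ -25,6 +25,8 @@" and "2 insertions(+)" are not visible and cannot be reviewed here. Since the commit message says "Added latest news as of 3/12/2019", whatever is inserted should carry that date and a link to the source announcement so the entry remains verifiable once the news has aged.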