deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #2746 from MicrosoftDocs/repo_sync_working_branch

Browse Source 
Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)
This commit is contained in:
Gary Moore 2020-05-12 15:01:22 -07:00 committed by GitHub
commit cadddcc5c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 51 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
devices/hololens/holographic-store-apps.md
View File

@ -33,12 +33,18 @@ Open the Microsoft Store from the **Start** menu. Then browse for apps and games
## Install apps
To download apps, you'll need to be signed in with a Microsoft account. To buy them, you'll need a payment method associated with the Microsoft account you use on your HoloLens. To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
To download apps, you'll need to be signed in with a Microsoft account. Some apps are free and can be downloaded right away. Apps that require a purchase require you to be signed in to the Store with your Microsoft account and have a valid payment method.
> [!NOTE]
> The account you use on Microsoft Store does not have to be the same as the account you are signed in with. If you are using a Work or School account on your HoloLens then you'll need to sign in with your personal account in the Store App to make a purchase.
1. To open the [**Start** menu](holographic-home.md), perform a [bloom](hololens1-basic-usage.md) gesture or tap your wrist.
2. Select the Store app and then tap to place this tile into your world.
3. Once the Store app opens, use the search bar to look for any desired application.
4. Select **Get** or **Install** on the application's page (a purchase may be required).
To set up a payment method, go to [account.microsoft.com](https://account.microsoft.com/) and select **Payment & billing** > **Payment options** > **Add a payment option**.
1. To open the [**Start** menu](holographic-home.md), perform a [Start gesture](https://docs.microsoft.com/hololens/hololens2-basic-usage#start-gesture) or [bloom](hololens1-basic-usage.md) gesture on HoloLens 1.
1. Select the Store app. Once the Store app opens:
1. Use the search bar to look for any desired applications.
1. Select essential apps or apps made specifically for HoloLens from one of the curated categories.
1. On the top right of the Store app, select the **...** button and then select **My Library** to view any previously purchased apps.
1. Select **Get** or **Install** on the application's page (a purchase may be required).
## Uninstall apps
@ -46,7 +52,7 @@ There are two ways to uninstall applications. You can uninstall applications th
### Uninstall from the Start menu
On the **Start** menu or in the **All apps** list, gaze at the app. Tap and hold until the menu appears, then select **Uninstall**.
On the **Start** menu or in the **All apps** list, browse to the app. Air tap and hold until the menu appears, then select **Uninstall**.
### Uninstall from the Microsoft Store

2
devices/surface/surface-enterprise-management-mode.md
View File

@ -96,7 +96,7 @@ The following list shows all the available devices you can manage in SEMM:
|Enable Battery limit| Allows you to manage Battery limit functionality. If you do not configure this setting, Battery limit is enabled |
| Security | Displays the Surface UEFI **Security** page. If you do not configure this setting, the Security page is displayed. |
| Devices | Displays the Surface UEFI **Devices** page. If you do not configure this setting, the Devices page is displayed. |
| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the DateTime page is displayed. |
| Boot | Displays the Surface UEFI **Boot** page. If you do not configure this setting, the Boot page is displayed. |
| DateTime | Displays the Surface UEFI **DateTime** page. If you do not configure this setting, the DateTime page is displayed. |

2
windows/deployment/update/media-dynamic-update.md
View File

@ -42,7 +42,7 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png)
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in <em>bold</em> the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in <em>bold</em> the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
|To find this Dynamic Update packages, search for or check the results here--> |Title |Product |Description (select the **Title** link to see **Details**) |

8
windows/security/identity-protection/access-control/active-directory-security-groups.md
View File

@ -1345,7 +1345,7 @@ This security group has not changed since Windows Server 2008.
Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario.
However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account.
However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
For information, see [DNS Record Ownership and the DnsUpdateProxy Group](https://technet.microsoft.com/library/dd334715.aspx).
@ -1365,7 +1365,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-1103</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-&lt;variable RID&gt;</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>
@ -1406,7 +1406,7 @@ This security group has not changed since Windows Server 2008.
### <a href="" id="bkmk-dnsadmins"></a>DnsAdmins
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions.
Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain.
For more information about security and DNS, see [DNSSEC in Windows Server 2012](https://technet.microsoft.com/library/dn593694(v=ws.11).aspx).
@ -1426,7 +1426,7 @@ This security group has not changed since Windows Server 2008.
<tbody>
<tr class="odd">
<td><p>Well-Known SID/RID</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-1102</p></td>
<td><p>S-1-5-21-&lt;domain&gt;-&lt;variable RID&gt;</p></td>
</tr>
<tr class="even">
<td><p>Type</p></td>

6
windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
View File

@ -63,11 +63,11 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in.|
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP.
|D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. Azure DRS uses the attribute information to create a device object in Azure Active Directory.|
|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|E | The Automatic Device Join task triggers with each user sign-in or every hour, and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.|
|F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|
|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.|
|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
@ -78,7 +78,7 @@ Device Registration is a prerequisite to Windows Hello for Business provisioning
| Phase | Description |
| :----: | :----------- |
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.|
| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task. Note: the Automatic Device Join tasks is triggered on domain join as well as retried every hour. It does not solely depend on the user sign-in. |
|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.|
|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task.
|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).|

1
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
View File

@ -33,6 +33,7 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
- Certificate Revocation List (CRL) Distribution Point (CDP)
- 2016 Domain Controllers
- Domain Controller certificate
- Network infrastructure in place to reach your on-premises domain controller. If the machines are external, this can be achieved using any VPN solution.
### Azure Active Directory Connect synchronization
Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect).

14
windows/security/identity-protection/vpn/vpn-office-365-optimization.md
View File

@ -239,12 +239,12 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
# Extract the Profile XML from the ps1 file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with the optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
[xml]$VPNprofilexml="<VPNPROFILE>"+$xmlbody+"</VPNPROFILE>"
[xml]$VPNprofilexml="<VPNProfile>"+$xmlbody+"</VPNProfile>"
# Loop through each address found in VPNPROFILE XML section #
foreach ($Route in $VPNprofilexml.VPNProfile.Route)
@ -349,7 +349,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
$In_VPN_Only=$null # Variable to hold IP Addresses that only appear in the VPN profile XML file #
# Extract the Profile XML from the XML file #
$regex = '(?sm).*^*.<VPNPROFILE>\r?\n(.*?)\r?\n</VPNProfile>.*'
$regex = '(?sm).*^*.<VPNProfile>\r?\n(.*?)\r?\n</VPNProfile>.*'
# Create xml format variable to compare with optimize list #
$xmlbody=(Get-Content -Raw $VPNprofilefile) -replace $regex, '$1'
@ -367,7 +367,7 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
# In VPN list only #
$In_VPN_only =$ARRVPN | Where {$optimizeIpsv4 -NotContains $_}
[array]$Inpfile = get-content $VPNprofilefile
[System.Collections.ArrayList]$Inpfile = get-content $VPNprofilefile
if ($In_Opt_Only.Count -gt 0 )
{
@ -377,10 +377,10 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
{
# Add the missing IP address(es) #
$IPInfo=$NewIP.Split("/")
$inspoint = $Inpfile[0].IndexOf("</VPNProfile")
$routes += "<Route>"+"<Address>"+$IPInfo[0].Trim()+"</Address>"+"<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>"+"<ExclusionRoute>true</ExclusionRoute>"+"</Route>"
$routes += "<Route>`n"+"`t<Address>"+$IPInfo[0].Trim()+"</Address>`n"+"`t<PrefixSize>"+$IPInfo[1].Trim()+"</PrefixSize>`n"+"`t<ExclusionRoute>true</ExclusionRoute>`n"+"</Route>`n"
}
$Inpfile = $Inpfile[0].Insert($inspoint,$routes)
$inspoint = $Inpfile.IndexOf("</VPNProfile>")
$Inpfile.Insert($inspoint,$routes)
# Update filename and write new XML file #
$NewFileName=(Get-Item $VPNprofilefile).Basename + "-NEW.xml"

BIN
windows/security/threat-protection/microsoft-defender-atp/images/secconmgmt_baseline_intuneprofile2.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 38 KiB

After

Width:  |  Height:  |  Size: 31 KiB

22
windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
View File

@ -22,7 +22,7 @@ ms.custom: nextgen
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Block at first sight is a feature of next-generation protection that provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are also enabled. In most cases, these prerequisite settings are also enabled by default, so the feature is running without any intervention.
You can [specify how long the file should be prevented from running](configure-cloud-block-timeout-period-windows-defender-antivirus.md) while the cloud-based protection service analyzes the file. And, you can [customize the message displayed on users' desktops](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information) when a file is blocked. You can change the company name, contact information, and message URL.
@ -117,14 +117,28 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
### Confirm block at first sight is enabled with the Windows Security app
### Confirm block at first sight is enabled with Registry editor
You can confirm that block at first sight is enabled in your Windows security settings.
1. Start Registry Editor.
Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
2. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Spynet**, and make sure that
1. **SpynetReporting** key is set to **1**
2. **SubmitSamplesConsent** key is set to either **1** (Send safe samples) or **3** (Send all samples)
3. Go to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection**, and make sure that
1. **DisableIOAVProtection** key is set to **0**
2. **DisableRealtimeMonitoring** key is set to **0**
### Confirm Block at First Sight is enabled on individual clients
You can confirm that block at first sight is enabled on individual clients using Windows security settings.
Block at first sight is automatically enabled as long as **Cloud-delivered protection** and **Automatic sample submission** are both turned on.
1. Open the Windows Security app.
2. Select **Virus & threat protection**, and then, under **Virus & threat protection settings**, select **Manage Settings**.

2
windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
View File

@ -284,8 +284,6 @@ The transaction log files are specified in the registry key `HKEY_LOCAL_MACHINE\
- %windir%\Ntds\Ntds*.pat
- %windir%\Ntds\EDB*.log
- %windir%\Ntds\TEMP.edb
#### The NTDS working folder

8
windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
View File

@ -74,8 +74,8 @@ Comma separated list of local addresses covered by the rule. Valid tokens includ
- \* indicates any local address. If present, this must be the only token included.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask nor a network prefix is specified, the subnet mask default is 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of "start address - end address" with no spaces included.
- An IPv6 address range in the format of "start address - end address" with no spaces included. Default is Any address.
- An IPv4 address range in the format of "start address-end address" with no spaces included.
- An IPv6 address range in the format of "start address-end address" with no spaces included. Default is Any address.
[Learn more](https://aka.ms/intunefirewalllocaladdressrule)
@ -93,8 +93,8 @@ List of comma separated tokens specifying the remote addresses covered by the ru
- LocalSubnet indicates any local address on the local subnet.
- A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
- A valid IPv6 address.
- An IPv4 address range in the format of "start address - end address" with no spaces included.
- An IPv6 address range in the format of "start address - end address" with no spaces included.
- An IPv4 address range in the format of "start address-end address" with no spaces included.
- An IPv6 address range in the format of "start address-end address" with no spaces included.
Default is Any address.