From 8882a626442d1663e244012dac1acf49416d8866 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 20 Jun 2019 11:02:18 -0700 Subject: [PATCH 01/13] Added table entries --- devices/surface/surface-system-sku-reference.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index b193b9e336..a9a489bb3c 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -31,6 +31,8 @@ System Model and System SKU are variables stored in System Management BIOS (SMBI | Surface Pro with LTE Advanced | Surface Pro | Surface_Pro_1807 | | Surface Book 2 13inch | Surface Book 2 | Surface_Book_1832 | | Surface Book 2 15inch | Surface Book 2 | Surface_Book_1793 | +| Surface Go LTE Consumer | Surface Go | Surface_Go_1825_Consumer | +| Surface Go LTE Commercial | System Go | Surface_Go_1825_Commercial | | Surface Go Consumer | Surface Go | Surface_Go_1824_Consumer | | Surface Go Commercial | Surface Go | Surface_Go_1824_Commercial | | Surface Pro 6 Consumer | Surface Pro 6 | Surface_Pro_6_1796_Consumer | From 88c7809f28fa0fcff6f221de205923f97bd069b2 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 20 Jun 2019 11:15:44 -0700 Subject: [PATCH 02/13] Copyedit to current standards --- .../surface/surface-system-sku-reference.md | 23 ++++++++++--------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index a9a489bb3c..1638cd801e 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md 
@@ -18,7 +18,7 @@ manager: dansimp This document provides a reference of System Model and System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell or WMI. -System Model and System SKU are variables stored in System Management BIOS (SMBIOS) tables in the UEFI layer of Surface devices. The System SKU name is required to differentiate between devices with the same System Model name, such as Surface Pro and Surface Pro with LTE Advanced. +System Model and System SKU are variables that are stored in the System Management BIOS (SMBIOS) tables in the UEFI layer of Surface devices. The System SKU name is required to differentiate between devices that have the same System Model name, such as Surface Pro and Surface Pro with LTE Advanced. | Device | System Model | System SKU | | ---------- | ----------- | -------------- | 
@@ -42,22 +42,23 @@ System Model and System SKU are variables stored in System Management BIOS (SMBI ## Examples -**PowerShell** - Use the following PowerShell command to pull System SKU: +**PowerShell** +Use the following PowerShell command to pull the System SKU information: - ``` + ``` powershell gwmi -namespace root\wmi -class MS_SystemInformation | select SystemSKU ``` -**System Information** -You can also find the System SKU and System Model for a device in System Information. +**System information** +You can also find the System SKU and System Model for a device in **System Information**. To do this, follow these steps: -- Go to **Start** > **MSInfo32**. - -One example of how you could use this in Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager is as part of a Task Sequence WMI Condition. For example: - -**Task Sequence WMI Condition** +1. Select **Start** and then in the search box type **MSInfo32**. +1. Select **System Information**. +**Example: Using the SKU in a task sequence WMI condition** +You can use the System SKU information in Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager as part of a task sequence WMI condition. + ``` powershell - WMI Namespace – Root\WMI - WQL Query – SELECT * FROM MS_SystemInformation WHERE SystemSKU = "Surface_Pro_1796" + ``` From 98ea05cd7debe9cc1f925797099da2f6558d8fbb Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 20 Jun 2019 11:50:15 -0700 Subject: [PATCH 03/13] Edit --- devices/surface/surface-system-sku-reference.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index 1638cd801e..a3f8169d9a 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md 
@@ -42,20 +42,20 @@ System Model and System SKU are variables that are stored in the System Manageme ## Examples -**PowerShell** +**Retrieving the SKU by using PowerShell** Use the following PowerShell command to pull the System SKU information: ``` powershell gwmi -namespace root\wmi -class MS_SystemInformation | select SystemSKU ``` -**System information** +**Retrieving the SKU by using System Information** You can also find the System SKU and System Model for a device in **System Information**. To do this, follow these steps: 1. Select **Start** and then in the search box type **MSInfo32**. 1. Select **System Information**. -**Example: Using the SKU in a task sequence WMI condition** +**Using the SKU in a task sequence WMI condition** You can use the System SKU information in Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager as part of a task sequence WMI condition. ``` powershell From 116f8fec05d1f0a44b2a58d47c26b1a2628d555c Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 24 Jun 2019 13:33:30 -0700 Subject: [PATCH 04/13] add browser reqs --- .../microsoft-defender-atp/minimum-requirements.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 661633b8eb..038455d3d3 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md 
@@ -146,6 +146,10 @@ For more information on additional proxy configuration settings see, [Configure Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. +## Browser requirements +Internet Explorer and Microsoft Edge is supported. Any HTML5 compliant browsers are also supported. + + ## Windows Defender Antivirus configuration requirement The Microsoft Defender ATP agent depends on the ability of Windows Defender Antivirus to scan files and provide information about them. From 93bc822dab98812a576e115952ddba9b96f9edfb Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Mon, 24 Jun 2019 14:06:37 -0700 Subject: [PATCH 05/13] update supported browser --- .../microsoft-defender-atp/minimum-requirements.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 038455d3d3..1c8aebc6bc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -45,6 +45,11 @@ For a detailed comparison table of Windows 10 commercial edition comparison, see For more information about licensing requirements for Microsoft Defender ATP platform on Windows Server, see [Protecting Windows Servers with Microsoft Defender ATP](https://techcommunity.microsoft.com/t5/Windows-Defender-ATP/Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114). +## Browser requirements +- Internet Explorer 11 and Microsoft Edge are supported. +- The latest versions of Safari, Chrome, and Firefox are supported. +- Any HTML5 compliant browsers are also supported. + ## Hardware and software requirements ### Supported Windows versions - Windows 7 SP1 Enterprise 
@@ -146,8 +151,7 @@ For more information on additional proxy configuration settings see, [Configure Before you onboard machines, the diagnostic data service must be enabled. The service is enabled by default in Windows 10. -## Browser requirements -Internet Explorer and Microsoft Edge is supported. Any HTML5 compliant browsers are also supported. + ## Windows Defender Antivirus configuration requirement From 7b4695aa1a6c19c0c3fc6e4bd3aff945cb2372d7 Mon Sep 17 00:00:00 2001 From: ManikaDhiman Date: Thu, 27 Jun 2019 08:52:06 -0700 Subject: [PATCH 06/13] Added a note for WindowsLogon policy --- .../mdm/new-in-windows-mdm-enrollment-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index c84377dbd7..f224b4242c 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -1903,7 +1903,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o |[Policy CSP - System](policy-csp-system.md)|Added the following new policies:
AllowCommercialDataPipeline, TurnOffFileHistory.| |[Policy CSP - Troubleshooting](policy-csp-troubleshooting.md)|Added the following new policy:
AllowRecommendations.| |[Policy CSP - Update](policy-csp-update.md)|Added the following new policies:
AutomaticMaintenanceWakeUp, ConfigureDeadlineForFeatureUpdates, ConfigureDeadlineForQualityUpdates, ConfigureDeadlineGracePeriod, ConfigureDeadlineNoAutoReboot.| -|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.| +|[Policy CSP - WindowsLogon](policy-csp-windowslogon.md)|Added the following new policies:
AllowAutomaticRestartSignOn, ConfigAutomaticRestartSignOn, EnableFirstLogonAnimation.

Removed the following policy:
SignInLastInteractiveUserAutomaticallyAfterASystemInitiatedRestart. This policy is replaced by AllowAutomaticRestartSignOn.| ### April 2019 From a8a2fd848dc0b7d557bc8dbaa59a3965fb9c690e Mon Sep 17 00:00:00 2001 From: przlplx <36421998+przlplx@users.noreply.github.com> Date: Thu, 27 Jun 2019 14:56:19 -0700 Subject: [PATCH 07/13] Edit pass per CI 103336 --- devices/surface/surface-system-sku-reference.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/devices/surface/surface-system-sku-reference.md b/devices/surface/surface-system-sku-reference.md index a3f8169d9a..6b6e75f7d4 100644 --- a/devices/surface/surface-system-sku-reference.md +++ b/devices/surface/surface-system-sku-reference.md @@ -16,7 +16,7 @@ manager: dansimp # System SKU reference -This document provides a reference of System Model and System SKU names that you can use to quickly determine the machine state of a specific device using PowerShell or WMI. +This document provides a reference of System Model and System SKU names that you can use to quickly determine the machine state of a specific device by using PowerShell or WMI. System Model and System SKU are variables that are stored in the System Management BIOS (SMBIOS) tables in the UEFI layer of Surface devices. The System SKU name is required to differentiate between devices that have the same System Model name, such as Surface Pro and Surface Pro with LTE Advanced. 
@@ -26,7 +26,7 @@ System Model and System SKU are variables that are stored in the System Manageme | Surface 3 LTE AT&T | Surface 3 | Surface_3_US1 | | Surface 3 LTE Verizon | Surface 3 | Surface_3_US2 | | Surface 3 LTE North America | Surface 3 | Surface_3_NAG | -| Surface 3 LTE Outside of North America and T-Mobile In Japan | Surface 3 | Surface_3_ROW | +| Surface 3 LTE Outside of North America and Y!mobile In Japan | Surface 3 | Surface_3_ROW | | Surface Pro | Surface Pro | Surface_Pro_1796 | | Surface Pro with LTE Advanced | Surface Pro | Surface_Pro_1807 | | Surface Book 2 13inch | Surface Book 2 | Surface_Book_1832 | @@ -52,11 +52,11 @@ gwmi -namespace root\wmi -class MS_SystemInformation | select SystemSKU **Retrieving the SKU by using System Information** You can also find the System SKU and System Model for a device in **System Information**. To do this, follow these steps: -1. Select **Start** and then in the search box type **MSInfo32**. +1. Select **Start**, and then type **MSInfo32** in the search box. 1. Select **System Information**. **Using the SKU in a task sequence WMI condition** -You can use the System SKU information in Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager as part of a task sequence WMI condition. +You can use the System SKU information in the Microsoft Deployment Toolkit (MDT) or System Center Configuration Manager as part of a task sequence WMI condition. ``` powershell - WMI Namespace – Root\WMI From 9af92cca9e9d2f7a60359bc477e1ae471d2edf6e Mon Sep 17 00:00:00 2001 From: Stephen Howard <40399169+stephow@users.noreply.github.com> Date: Thu, 27 Jun 2019 15:57:26 -0700 Subject: [PATCH 08/13] updates --- .../wip-learning.md | 32 ++++++++++++++++++- 1 file changed, 31 insertions(+), 1 deletion(-) 
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 736efd6668..6cc8584732 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -62,7 +62,13 @@ Once you have WIP policies in place, by using the WIP section of Device Health, The information needed for the following steps can be found using Device Health, which you will first have to set up. Learn more about how you can [Monitor the health of devices with Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). -1. In **Device Health** click the app you want to add to your policy and copy the publisher information. +1. In **Device Health** click the app you want to add to your policy and copy the **WipAppId**. + + For example, if the app is Google Chrome, the WipAppId is: + + `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108` + + In the steps below, you separate the WipAppId by back slashes into the **PUBLISHER**, **PRODUCT NAME**, and **FILE** fields. 2. In Intune, click **App protection policies** and then choose the app policy you want to add an application to. 
@@ -74,12 +80,36 @@ The information needed for the following steps can be found using Device Health, 5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above. + For example, if the WipAppId is + + `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108` + + the text before the first back slash is the publisher: + + `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US` + ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png) 6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**). + For example, if the WipAppId is + + `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108` + + the text between the first and second back slashes is the publisher: + + `GOOGLE CHROME` + 7. Copy the name of the executable (for example, snippingtool.exe) and paste it in **FILE** (required). + For example, if the WipAppId is + + `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108` + + the text between the second and third back slashes is the file: + + `CHROME.EXE` + 8. Type the version number of the app into **MIN VERSION** in Intune (alternately, you can specify the max version, but one or the other is required), and then select the **ACTION**: **Allow** or **Deny** When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes) From e290626a3466ba39c245ec76dfcf64c94c9910d6 Mon Sep 17 00:00:00 2001 
From: Teresa-Motiv Date: Thu, 27 Jun 2019 17:00:07 -0700 Subject: [PATCH 09/13] Added edits --- ...ain-member-disable-machine-account-password-changes.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index 1ce56378e4..6583fe2dc5 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md 
@@ -39,19 +39,19 @@ Verify that the **Domain member: Disable machine account password changes** opti ### Best practices 1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. -2. Do not use this policy setting in an attempt to support dual-boot scenarios that use the same machine account. If you want to dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to make it easier for organizations that stockpile pre-built computers that are put into production months later; those devices do not have to be rejoined to the domain. -3. You may consider using this policy setting in particular environments, such as the following: +2. Do not use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices do not have to be rejoined to the domain. +3. You may want to consider using this policy setting in specific environments, such as the following: - Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image. - Embedded devices that do not have write access to the OS volume. - In either of these cases, a password change that was made during normal operations would be lost as soon as the session ends. 
We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a particular OS volume, use the following command: + In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command: ``` Nltest /sc_change_pwd: ``` - In this command, **\** represents the domain of the local computer. For more information about maintenance windows and non-persistent VDI implementations, see [Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role: VDI optimization principles: Non-Persistent VDI](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803#vdi-optimization-principles). + In this command, \ represents the domain of the local computer. For more information about maintenance windows and non-persistent VDI implementations, see [Optimizing Windows 10, version 1803, for a Virtual Desktop Infrastructure (VDI) role: VDI optimization principles: Non-Persistent VDI](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations-1803#vdi-optimization-principles). ### Location From 49a7d0ff60541425dea498a71f5313bc756d24f6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 27 Jun 2019 17:11:32 -0700 Subject: [PATCH 10/13] add supported browsers --- .../microsoft-defender-atp/minimum-requirements.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) 
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md index 1c8aebc6bc..ba54f650be 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md +++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md @@ -46,9 +46,14 @@ For more information about licensing requirements for Microsoft Defender ATP pla ## Browser requirements -- Internet Explorer 11 and Microsoft Edge are supported. -- The latest versions of Safari, Chrome, and Firefox are supported. -- Any HTML5 compliant browsers are also supported. +Access to Microsoft Defender ATP is done through a browser, supporting the following browsers: +- Microsoft Edge +- Internet Explorer version 11 +- Google Chrome + +>[!NOTE] +>While other browsers might work, the mentioned browsers are the ones supported. + ## Hardware and software requirements ### Supported Windows versions From d499b82d47082beacab44231c01682f55b35f2f4 Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Thu, 27 Jun 2019 17:22:58 -0700 Subject: [PATCH 11/13] Added edits --- ...ber-disable-machine-account-password-changes.md | 2 +- ...-member-maximum-machine-account-password-age.md | 14 +++++++------- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index 6583fe2dc5..af37ad2e44 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md 
@@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/27/2019 --- # Domain member: Disable machine account password changes diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index d34b8a9ce6..dce3ffde28 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/31/2018 +ms.date: 06/27/2019 --- # Domain member: Maximum machine account password age 
@@ -28,22 +28,22 @@ Describes the best practices, location, values, and security considerations for The **Domain member: Maximum machine account password age** policy setting determines when a domain member submits a password change. -In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the policy **Domain member: Disable machine account password changes** to disable the password change requirement altogether. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md). +In Active Directory–based domains, each device has an account and password. By default, the domain members submit a password change every 30 days. You can extend or reduce this interval. Additionally, you can use the **Domain member: Disable machine account password changes** policy to disable the password change requirement completely. However, before you consider this option, review the implications as described in [Domain member: Disable machine account password changes](domain-member-disable-machine-account-password-changes.md). > [!IMPORTANT] -> Significantly increasing the password change interval (or disabling password changes) gives a malicious user more time to undertake a brute-force password-guessing attack against one of the machine accounts. +> Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts. For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/). ### Possible values -- User-defined number of days between 1 and 999 -- Not defined. 
+- User-defined number of days between 1 and 999, inclusive +- Not defined ### Best practices -1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites. -2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. +1. We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. +2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer is turned on after being offline more than 30 days, the Netlogon service notices the password age and initiates a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer does not authenticate with the domain. 
For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and then configure the value for this policy setting to a greater number of days. ### Location From c0b8a00111c698129809f0347ff374cc2580d18d Mon Sep 17 00:00:00 2001 From: Teresa-Motiv Date: Fri, 28 Jun 2019 09:06:20 -0700 Subject: [PATCH 12/13] Replaced technet url with new techcommunity url --- .../domain-member-maximum-machine-account-password-age.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index dce3ffde28..b4f0324679 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -33,7 +33,7 @@ In Active Directory–based domains, each device has an account and password. By > [!IMPORTANT] > Significantly increasing the password change interval (or disabling password changes) gives an attacker more time to undertake a brute-force password-guessing attack against one of the machine accounts. -For more information, see [Machine Account Password Process](https://blogs.technet.microsoft.com/askds/2009/02/15/machine-account-password-process-2/). +For more information, see [Machine Account Password Process](https://techcommunity.microsoft.com/t5/Ask-the-Directory-Services-Team/Machine-Account-Password-Process/ba-p/396026). ### Possible values From 30d9ccebbfc98b2460aac9dfb8593d457058c4c0 Mon Sep 17 00:00:00 2001 
From: Stephen Howard <40399169+stephow@users.noreply.github.com> Date: Fri, 28 Jun 2019 11:32:05 -0700 Subject: [PATCH 13/13] updates --- .../windows-information-protection/wip-learning.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 6cc8584732..5e113928fe 100644 --- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -96,7 +96,7 @@ The information needed for the following steps can be found using Device Health, `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US\GOOGLE CHROME\CHROME.EXE\74.0.3729.108` - the text between the first and second back slashes is the publisher: + the text between the first and second back slashes is the product name: `GOOGLE CHROME`
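
Review bot: in PATCH 01/13, the added row for Surface Go LTE Commercial gives the System Model as "System Go", while the LTE Consumer row added beside it and the two existing Surface Go rows all use "Surface Go". This looks like a typo. Because this table is what readers match against in WMI conditions, the row should read "| Surface Go LTE Commercial | Surface Go | Surface_Go_1825_Commercial |".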
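
Review bot: in PATCH 02/13, the Examples hunk tags the task sequence block as powershell, but its two lines ("WMI Namespace – Root\WMI" and "WQL Query – SELECT * FROM MS_SystemInformation WHERE SystemSKU = "Surface_Pro_1796"") are condition fields and a WQL query, not PowerShell. Leave that fence untagged, or move the two labels out of the fence so that only the WQL statement is inside it and a reader can copy it without the "- WQL Query –" prefix. In the first block of the same hunk, consider spelling out the aliases gwmi and select as Get-WmiObject and Select-Object.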
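
Review bot: in PATCH 04/13, the new "Browser requirements" paragraph has a subject-verb mismatch ("Internet Explorer and Microsoft Edge is supported") and an unhyphenated compound modifier ("HTML5 compliant browsers"). Use "are supported" and "HTML5-compliant". The section is moved and reworded in PATCH 05/13 and again in PATCH 10/13, so the three changes could be folded into one commit that states the final supported list once.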
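
Review bot: in PATCH 08/13, first hunk (step 1), the text says the WipAppId is split by backslashes into **PUBLISHER**, **PRODUCT NAME**, and **FILE**, but the example string has a fourth part, "74.0.3729.108", that is never named. Step 8 asks for a version in **MIN VERSION**, so say here that the text after the third backslash is the version and that it is used in step 8. "back slashes" should also be "backslashes" throughout.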
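
Review bot: in PATCH 08/13, second hunk, the example under step 6 labels the wrong field: "the text between the first and second back slashes is the publisher:" is followed by "GOOGLE CHROME", which is the product name. An admin who follows it literally builds an allowed-apps rule with the wrong publisher. PATCH 13/13 corrects the label, so fold that fix into this commit. Two more points in the same hunk: step 5 still says to paste "the publisher information that you copied in step 1", although step 1 now copies the whole WipAppId, and step 7 keeps the "snippingtool.exe" example next to the new "CHROME.EXE" one; use a single example throughout.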
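
Review bot: in PATCH 09/13, the last changed line of the hunk reads "In this command, \ represents the domain of the local computer", and the command shown in context is "Nltest /sc_change_pwd:" with nothing after the colon, so the reader cannot tell what argument to supply. Before merging, check that the domain placeholder is escaped so that it renders both in the code block and in the sentence that explains it, now that the bold markers around it are removed.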
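
Review bot: in PATCH 10/13, the new intro sentence "Access to Microsoft Defender ATP is done through a browser, supporting the following browsers:" is awkward and has a dangling participle; something like "You access Microsoft Defender ATP through a browser. The following browsers are supported:" reads more clearly. The commit subject says "add supported browsers", but the hunk removes Safari, Firefox, and the "Any HTML5 compliant browsers" line from the supported list; if that narrowing is intended, say so in the commit message. Add a blank line between the intro sentence and the list so the list renders consistently.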
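
Review bot: in PATCH 11/13, Best practices item 2 of domain-member-maximum-machine-account-password-age.md spells the same term two ways, "pre-build computers" at the start and "computers that are prebuilt" at the end. Pick one form; PATCH 09/13 uses "pre-built" in the companion article, so the hyphenated form keeps the two pages consistent. In the same item, "offline more than 30 days" reads better as "offline for more than 30 days".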