Merged PR 3112: 9/8 PM Publish

devices/surface/support-solutions-surface.md

@@ -13,7 +13,7 @@ ms.date: 09/07/2017
 ms.localizationpriority: medium
 ---
 
-# Top support solutions Microsoft Surface Hub
+# Top support solutions for Surface devices
 
 Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated.  For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined).
 

mdop/mbam-v25/release-notes-for-mbam-25-sp1.md

@@ -128,6 +128,20 @@ If different encryption strengths are used, MBAM will report the machine as **no
 As of HF02, the MBAM Self-Service Portal automatically adds the '-' on Key ID entry.  
 **Note:** The Server has to be reconfigured for the Javascript to take effect.
 
+### MBAM 2.5 Sp1 Reports does not work / render properly
+Reports Page does not render properly when SSRS is hosted on SQL Server 2016 edition. 
+For example – Browsing to Helpdesk – Clicking on Reports –  ( Highlighted portion have “x”  on it )
+Digging this further with Fiddler – it does look like once we click on Reports – it calls the SSRS page with HTML 4.0 rendering format.
+
+**Workaround:** Looking at the site.master code and noticed the X-UA mode was dictated as IE8. As IE8 is WAY past the end of life, and customer is using IE11. Update the setting to the below code. This allows the site to utilize IE11 rendering technologies
+
+<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
+
+Original setting is: 
+<meta http-equiv="X-UA-Compatible" content="IE=8" />
+
+This is the reason why the issue was not seen with other browsers like Chrome, Firefox etc.
+
 ## Got a suggestion for MBAM?
 
 

windows/device-security/bitlocker/bitlocker-device-encryption-overview-windows-10.md

@@ -66,7 +66,7 @@ Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryp
 
 Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
 
-* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state).
+* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer.  The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
 * If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
 * If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
 * Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.

windows/device-security/security-policy-settings/password-must-meet-complexity-requirements.md

@@ -30,7 +30,9 @@ The **Passwords must meet complexity requirements** policy setting determines wh
     -   Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
     -   Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
     -   Base 10 digits (0 through 9)
-    -   Non-alphanumeric characters (special characters) (for example, !, $, \#, %)
+    -   Non-alphanumeric characters (special characters): 
+        (~!@#$%^&*_-+=`|\\(){}\[\]:;"'<>,.?/)
+        Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
     -   Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
 
 Complexity requirements are enforced when passwords are changed or created.

windows/device-security/tpm/tpm-recommendations.md

@@ -105,7 +105,6 @@ The following table defines which Windows features require TPM support.
 | Passport: Domain AADJ Join                   | Required                 | Required                 | Supports both versions of TPM, but requires TPM with HMAC and EK certificate for key attestation support.  |
 | Passport: MSA or Local Account               | Required                 | Required                 | TPM 2.0 is required with HMAC and EK certificate for key attestation support.      |
 | Device Encryption                            | Not Applicable           | Required                 | TPM 2.0 is required for all InstantGo devices.                |
-| Device Guard / Configurable Code Integrity   | Not Applicable          | Required              | Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.                   |
 | Credential Guard                             | Required                 | Required                 | For Windows 10, version 1511, TPM 1.2 or 2.0 is highly recommended. If you don't have a TPM installed, Credential Guard will still be enabled, but the keys used to encrypt Credential Guard will not be protected by the TPM.   |
 | Device Health Attestation                    | Required                 | Required                 |                    |
 | Windows Hello / Windows Hello for Business   | Not Required             | Recommended              | Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. [How keys are protected](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-how-it-works#how-keys-are-protected)                   |