From 35877f8ea56f9c22f57568acff724f650c6ee949 Mon Sep 17 00:00:00 2001 From: Spencer Shumway <45644477+spshumwa@users.noreply.github.com> Date: Wed, 11 Sep 2019 10:31:53 -0700 Subject: [PATCH 01/20] Adding TPM networking requirements --- .../windows-autopilot/windows-autopilot-requirements.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index 1baaf03dea..cb83ea8034 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -78,6 +78,7 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: Intel- https://ekop.intel.com/ekcertservice, Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1, and AMD- http://ftpm.amd.com/pki/aia ## Licensing requirements From 2a65cb84c1cbb46dbabc58d3895b098f580e5df4 Mon Sep 17 00:00:00 2001 From: Spencer Shumway <45644477+spshumwa@users.noreply.github.com> Date: Wed, 11 Sep 2019 13:53:41 -0700 Subject: [PATCH 02/20] Added
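Review bot: the AMD endpoint in the new row is plain `http://ftpm.amd.com/pki/aia` while the Intel and Qualcomm endpoints are `https://`, and the text should say so explicitly, because an egress or proxy rule that only allows HTTPS will silently break EK certificate retrieval on AMD firmware TPMs while the other two vendors keep working. Two smaller points in the same line: "Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm" is an absolute claim that will go stale (prefer "currently provided by"), and "TPM chips(including" is missing a space. The three URLs with their `Intel-`, `Qualcomm-` and `AMD-` prefixes would read better as "Intel: ...", "Qualcomm: ...", "AMD: ...".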
--- .../windows-autopilot/windows-autopilot-requirements.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index cb83ea8034..5d356b8200 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md 
@@ -78,7 +78,10 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti Office 365As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see Office 365 URLs and IP address ranges (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). Certificate revocation lists (CRLs)Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at Office 365 URLs and IP address ranges and Office 365 Certificate Chains. Hybrid AAD joinThe device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at Windows Autopilot user-driven mode -Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: Intel- https://ekop.intel.com/ekcertservice, Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1, and AMD- http://ftpm.amd.com/pki/aia +Autopilot Self-Deploying mode and Autopilot White GloveFirmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips(including ones from any other manufacturer) come with these certificates preinstalled. 
Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: +
Intel- https://ekop.intel.com/ekcertservice +
Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1 +
AMD- http://ftpm.amd.com/pki/aia ## Licensing requirements From 6d22e1ac170c3fba911e3f22c23451069a27bc8d Mon Sep 17 00:00:00 2001 From: Rafael Rivera Date: Thu, 12 Sep 2019 15:20:13 -0700 Subject: [PATCH 03/20] Add diagnostic events and fields for 1903 --- windows/deployment/update/windows-analytics-privacy.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/windows/deployment/update/windows-analytics-privacy.md b/windows/deployment/update/windows-analytics-privacy.md index 8e7a8558db..19e9520516 100644 --- a/windows/deployment/update/windows-analytics-privacy.md +++ b/windows/deployment/update/windows-analytics-privacy.md @@ -8,8 +8,10 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay -ms.audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay +ms.audience: itpro +author: greg-lindsay ms.localizationpriority: high ms.collection: M365-analytics ms.topic: article 
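Review bot: the four `+` lines split a single cell of the network requirements table (the entry that sits alongside `Office 365`, `Certificate revocation lists (CRLs)` and `Hybrid AAD join`) across physical lines, which does not give the intended one-URL-per-line rendering: in an HTML table the newlines collapse and the three URLs run together again, and in a pipe table a newline ends the row. Use `<br>` between the entries or a `<ul>` inside the cell instead.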
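Review bot: splitting the run-together front matter produces two `author: greg-lindsay` keys in the same YAML block (`+author: greg-lindsay` follows both `+audience: itpro` and `+ms.audience: itpro`). Duplicate mapping keys are rejected by strict YAML parsers and silently last-wins in others; keep one `author:` line and, if a second key was intended, it was probably `ms.author:` as used in the other files in this series.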
@@ -43,6 +45,7 @@ See these topics for additional background information about related privacy iss - [Windows 10 and the GDPR for IT Decision Makers](https://docs.microsoft.com/windows/privacy/gdpr-it-guidance) - [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) - [Windows 7, Windows 8, and Windows 8.1 Appraiser Telemetry Events, and Fields](https://go.microsoft.com/fwlink/?LinkID=822965) +- [Windows 10, version 1903 basic level Windows diagnostic events and fields](https://docs.microsoft.com/en-us/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903) - [Windows 10, version 1809 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809) - [Windows 10, version 1803 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803) - [Windows 10, version 1709 basic level Windows diagnostic events and fields](https://docs.microsoft.com/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709) From 89b4eb9d639ec97b9ddb465c0c94370729993160 Mon Sep 17 00:00:00 2001 From: Thom McKiernan Date: Wed, 18 Sep 2019 12:27:35 +0100 Subject: [PATCH 04/20] typo corrected on-premise to on-premesis --- windows/deployment/windows-autopilot/autopilot-faq.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 01cdb3ef63..c97fb6e3bb 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md 
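Review bot: the added 1903 entry links to `https://docs.microsoft.com/en-us/windows/privacy/...` while every neighbouring entry in the list is locale-neutral (`https://docs.microsoft.com/windows/privacy/...`); drop `/en-us/` so the link follows the reader's locale like the 1809, 1803 and 1709 links beside it.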
@@ -9,7 +9,8 @@ ms.mktglfcycl: deploy ms.localizationpriority: low ms.sitesec: library ms.pagetype: deploy -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.author: greglin ms.collection: M365-modern-desktop ms.topic: article @@ -109,7 +110,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | --- | --- | | Must we use Intune for our MDM? | No. No, any MDM will work with Autopilot, but others probably won’t have the same full suite of Windows Autopilot features as Intune. You’ll get the best experience from Intune. | | Can Intune support Win32 app preinstalls? | Yes. Starting with the Windows 10 October Update (version 1809), Intune supports Win32 apps using .msi (and .msix) wrappers. | -| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premise configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | +| What is co-management? | Co-management is when you use a combination of a cloud MDM tool (Intune) and an on-premises configuration tool like System Center Configuration Manager (SCCM). You only need to use SCCM if Intune can’t support what you want to do with your profile. If you choose to co-manage using Intune + SCCM, you do it by including an SCCM agent in your Intune profile. When that profile is pushed to the device, the device will see the SCCM agent and go out to SCCM to pull down any additional profile settings. | | Must we use System Center Configuration Manager (SCCM) for Windows Autopilot | No. Co-management (described above) is optional. | 
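Review bot: while correcting `on-premise` to `on-premises` in this table, the unchanged row two lines above still reads `No. No, any MDM will work with Autopilot`, a duplicated "No." that should be fixed in the same pass. The commit subject also says the typo was corrected "to on-premesis", which is itself a misspelling of the word the diff actually introduces; amend the message to `on-premises`.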
@@ -118,7 +119,7 @@ A [glossary](#glossary) of abbreviations used in this topic is provided at the e | Question | Answer | | --- | --- | | Self-deploying mode | A new version of Windows Autopilot where the user only turns on the device, and nothing else. It’s useful for scenarios where a standard user account isn’t needed (e.g., shared devices, or KIOSK devices). | -| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premise Active Directory domain controller (in addition to being Azure AD joined). | +| Hybrid Azure Active Directory join | Allows Windows Autopilot devices to connect to an on-premises Active Directory domain controller (in addition to being Azure AD joined). | | Windows Autopilot reset | Removes user apps and settings from a device, but maintains AAD domain join and MDM enrollment. Useful for when transferring a device from one user to another. | | Personalization | Adds the following to the OOBE experience: A personalized welcome message can be created A username hint can be added Sign-in page text can be personalized The company’s logo can be included | | [Autopilot for existing devices](existing-devices.md) | Offers an upgrade path to Windows Autopilot for all existing Win 7/8 devices. | From c708351fcc994e28f2de2b955068cb8453a9746f Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 17:13:42 +0500 Subject: [PATCH 05/20] Note addition As per user recommendation, I have updated the note portion with additional required information. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4668 --- .../configure-wd-app-guard.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index d79135d66a..990977f063 100644 
--- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -28,6 +28,8 @@ These settings, located at **Computer Configuration\Administrative Templates\Net >[!NOTE] >You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. +>Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy. + |Policy name|Supported versions|Description| From f30d3e62770f28ae7eb13be607431e9b0c606a74 Mon Sep 17 00:00:00 2001 From: Baard Hermansen Date: Fri, 20 Sep 2019 14:19:01 +0200 Subject: [PATCH 06/20] Update interactive-logon-message-text-for-users-attempting-to-log-on.md Changed formatting to what i believe makes for easier reading. Also corrected some minor formatting to better adhere to markdown standards. --- ...age-text-for-users-attempting-to-log-on.md | 43 ++++++++++--------- 1 file changed, 23 insertions(+), 20 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index dafe367748..8c438440b9 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md 
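Review bot: `Proxy servers must be a neutral resource listed in the "Domains categorized as both work and personal" policy.` states a requirement without a pointer to where it is configured, and the note block it joins is about enabling enterprise mode, so the two sentences read as unrelated. Reference the `Domains categorized as both work and personal` row of the policy table that follows this note (the FAQ change in PATCH 13/20 below likewise sends readers to the Network Isolation policies for proxies), and format the policy name in bold the way this page formats the `**Computer Configuration\Administrative Templates\...**` path.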
@@ -19,15 +19,19 @@ ms.date: 04/19/2017 # Interactive logon: Message text for users attempting to log on -**Applies to** -- Windows 10 +## Applies to + +- Windows 10 Describes the best practices, location, values, management, and security considerations for the **Interactive logon: Message text for users attempting to log on** security policy setting. ## Reference -The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. Interactive logon: Message title for users attempting to log on specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn -users about the ramifications of misusing company information, or to warn them that their actions might be audited. +The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. + +**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. + +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons — for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. 
Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. @@ -37,8 +41,8 @@ When these policy settings are configured, users will see a dialog box before th The possible values for this setting are: -- User-defined text -- Not defined +- User-defined text +- Not defined ### Best practices @@ -46,8 +50,9 @@ The possible values for this setting are: 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. - >**Important:** Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. - + > [!IMPORTANT] + > Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. + ### Location Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options 
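Review bot: splitting the Reference paragraph moves the sentence `This text is often used for legal reasons ...` into the new paragraph about the **Message title** setting, but "this text" refers to the message text, not the title; keep that sentence with the message-text paragraph or reword it to "The message text is often used ...". The change from `**Applies to**` to `## Applies to` departs from the convention the rest of this series keeps (PATCH 10/20 below reverts it), so leave the bold form. The hunk also adds spaces around the dash in "for example"; pick whichever form the style guide uses rather than changing it in one file only.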
@@ -58,13 +63,13 @@ The following table lists the actual and effective default values for this polic | Server type or GPO | Default value | | - | - | -| Default Domain Policy| Not defined| -| Default Domain Controller Policy | Not defined| -| Stand-Alone Server Default Settings | Not defined| -| DC Effective Default Settings | Not defined| -| Member Server Effective Default Settings | Not defined| -| Client Computer Effective Default Settings | Not defined| - +| Default Domain Policy| Not defined| +| Default Domain Controller Policy | Not defined| +| Stand-Alone Server Default Settings | Not defined| +| DC Effective Default Settings | Not defined| +| Member Server Effective Default Settings | Not defined| +| Client Computer Effective Default Settings | Not defined| + ## Policy management This section describes different requirements to help you manage this policy. @@ -79,8 +84,8 @@ This section describes how an attacker might exploit a feature or its configurat There are two policy settings that relate to logon displays: -- **Interactive logon: Message text for users attempting to log on** -- [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) +- **Interactive logon: Message text for users attempting to log on** +- [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. 
@@ -92,12 +97,10 @@ Users often do not understand the importance of security practices. However, the Configure the **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) settings to an appropriate value for your organization. ->**Note:**  Any warning message that displays should be approved by your organization's legal and human resources representatives. - ### Potential impact Users see a message in a dialog box before they can log on to the server console. ## Related topics -- [Security Options](security-options.md)  +- [Security Options](security-options.md) From 4ad287e1ac5b9acbf3a17b24efb43cf80c3327fb Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 18:20:23 +0500 Subject: [PATCH 07/20] Updated the content Updated the content as the Auto-Pilot reset is now available for Intune for education. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4695 --- education/windows/autopilot-reset.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md index 2c11c122c4..5e9add10d7 100644 --- a/education/windows/autopilot-reset.md +++ b/education/windows/autopilot-reset.md 
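Review bot: this hunk deletes the `>**Note:** Any warning message that displays should be approved by your organization's legal and human resources representatives.` line from the Countermeasure section, which is a content change, while the commit message describes the patch as formatting only. The removal is reasonable because the same guidance now appears as the `[!IMPORTANT]` callout under Best practices, but say so in the commit message so the deletion is reviewed as intentional rather than accidental.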
@@ -36,8 +36,7 @@ You can set the policy using one of these methods: - MDM provider - - Autopilot Reset in Intune for Education is coming soon. In a future update of Intune for Education, new tenants will automatically have the Autopilot Reset setting enabled by default on the **All devices** group as part of initial tenant configuration. You will also be able to manage this setting to target different groups in the admin console. - - If you're using an MDM provider other than Intune for Education, check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. + -Check your MDM provider documentation on how to set this policy. If your MDM provider doesn't explicitly support this policy, you can manually set this policy if your MDM provider allows specific OMA-URIs to be manually set. For example, in Intune, create a new configuration policy and add an OMA-URI. - OMA-URI: ./Vendor/MSFT/Policy/Config/CredentialProviders/DisableAutomaticReDeploymentCredentials @@ -93,6 +92,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo Once provisioning is complete, the device is again ready for use. + ## Troubleshoot Autopilot Reset Autopilot Reset will fail when the [Windows Recovery Environment (WinRE)](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference) is not enabled on the device. You will see `Error code: ERROR_NOT_SUPPORTED (0x80070032)`. From 95f36b381fb79334f37582d88cfefd14a715eda6 Mon Sep 17 00:00:00 2001 
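Review bot: the replacement line `+ -Check your MDM provider documentation ...` has no space after the hyphen, so markdown will not render it as the nested bullet the two removed lines were; write it as `  - Check your MDM provider ...`. Also, the commit message says Autopilot Reset is now available in Intune for Education, yet the new text no longer mentions Intune for Education at all; a sentence stating that the setting is available there would preserve the information the removed bullet carried instead of silently dropping it.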
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 18:55:18 +0500 Subject: [PATCH 08/20] Added OMA-URI Path OMA-URI path was not available in the document. As per the suggestion in the conversation, it has been updated. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4712 --- .../microsoft-defender-atp/configure-endpoints-mdm.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md index 9710f0d825..5a967ffd5a 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md +++ b/windows/security/threat-protection/microsoft-defender-atp/configure-endpoints-mdm.md 
@@ -69,7 +69,13 @@ For security reasons, the package used to Offboard machines will expire 30 days 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding*. -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). +3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. + + OMA-URI: ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding + Date type: String + Value: [Copy and paste the value from the content of the WindowsDefenderATP_valid_until_YYYY-MM-DD.offboarding file] + +For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). > [!NOTE] From e86e92d2567b8c3c28da38485b2ab71c464eb5bc Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 20 Sep 2019 19:01:08 +0500 Subject: [PATCH 09/20] Syntax was incorrect Syntax has been updated. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4777 --- windows/deployment/usmt/usmt-loadstate-syntax.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/deployment/usmt/usmt-loadstate-syntax.md b/windows/deployment/usmt/usmt-loadstate-syntax.md index ea390e9871..3bbf83959b 100644 --- a/windows/deployment/usmt/usmt-loadstate-syntax.md +++ b/windows/deployment/usmt/usmt-loadstate-syntax.md 
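Review bot: `Date type: String` should read `Data type: String`. The three setting lines are indented under step 3, but the `+For more information on Microsoft Intune policy settings ...` line is flush left, which ends the numbered list before the `> [!NOTE]` that follows; indent it like the lines above if it still belongs to step 3. Since the context above says the offboarding package expires after 30 days and the `.offboarding` file content is pasted into the policy as the value, add a reminder that the custom policy has to be recreated from a fresh package once that date passes, otherwise devices targeted after expiry will not offboard.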
@@ -8,7 +8,8 @@ ms.author: greglin ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -audience: itpro author: greg-lindsay +audience: itpro +author: greg-lindsay ms.date: 04/19/2017 ms.topic: article --- @@ -247,7 +248,7 @@ USMT provides several command-line options that you can use to analyze problems

/progress:[Path</em>]FileName

Creates the optional progress log. You cannot store any of the log files in StorePath. Path can be either a relative or full path. If you do not specify the Path variable, then FileName will be created in the current directory.

For example:

-

loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:scanlog.log

+

loadstate /i:migapp.xml /i:migdocs.xml \server\share\migration\mystore /progress:prog.log /l:loadlog.log

/c

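Review bot: changing the log name in the loadstate example from `/l:scanlog.log` to `/l:loadlog.log` is correct, but the surrounding context lines show two markup problems worth fixing in the same hunk: `/progress:[Path</em>]FileName` carries a stray `</em>` closing tag, and the store path renders as `\server\share\migration\mystore` with a single leading backslash, so the example is not a valid UNC path as displayed. Put the command in a code span or code block (or escape the backslashes) so it shows as `\\server\share\migration\mystore`.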
From 5d48bdbb1f9f16cd3f84ae7ce377afd23bede8ed Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Fri, 20 Sep 2019 08:27:02 -0700 Subject: [PATCH 10/20] Update interactive-logon-message-text-for-users-attempting-to-log-on.md backing out applies to change. Accepting the other --- ...ractive-logon-message-text-for-users-attempting-to-log-on.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 8c438440b9..456a194ed3 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -19,7 +19,7 @@ ms.date: 04/19/2017 # Interactive logon: Message text for users attempting to log on -## Applies to +**Applies to:** - Windows 10 From 41be8ac8df848d8541139f6e806a77a127c33a61 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Fri, 20 Sep 2019 08:58:34 -0700 Subject: [PATCH 11/20] Comment out msxml3, msxml6, jscript9 in signing scenarios These three dlls are commented out in the rule definition section, so should also be commented out in the signing scenarios section in case people do not uncomment the first. --- .../microsoft-recommended-block-rules.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 8aae066fd4..55b26f6e89 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -88,7 +88,7 @@ Microsoft recommends that you block the following Microsoft-signed applications - msxml6.dll - jscript9.dll -Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. +Pick the correct version of each .dll for the Windows release you plan to support, and remove the other versions. Ensure that you also uncomment them in the signing scenarios section. ```xml @@ -888,9 +888,11 @@ Pick the correct version of each .dll for the Windows release you plan to suppor + From 47f2fc4f687627cd9ef4b3b3bcb8e3b346472e07 Mon Sep 17 00:00:00 2001 From: Albert Cabello Serrano Date: Fri, 20 Sep 2019 10:26:24 -0700 Subject: [PATCH 12/20] Update windows-analytics-get-started.md remove reference to server support for Device health --- windows/deployment/update/windows-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 0a0a06c7eb..91642db1c4 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md 
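Review bot: `Ensure that you also uncomment them in the signing scenarios section.` leaves "them" dangling after a sentence about removing DLL versions; name the three rules (msxml3.dll, msxml6.dll, jscript9.dll) and state the dependency the commit message gives: the signing scenario entries reference the rule IDs defined in the rule section, so both places must be commented or uncommented together, otherwise the policy references rules that do not exist. The XML comment markers did not survive in this rendering of the second hunk (the three added lines appear empty), so confirm in the source that each of the three entries is actually wrapped in `<!-- -->` and that the original line was not simply deleted.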
@@ -151,7 +151,7 @@ Certain Windows Analytics features have additional settings you can use. - For devices running Windows 10, version 1607 or earlier, Windows diagnostic data must also be set to Enhanced (see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization#enhanced-level)) in order to be compatible with Windows Defender Antivirus. See the [Windows Defender Antivirus in Windows 10 and Windows Server 2016](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) for more information about enabling, configuring, and validating Windows Defender AV. -- **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops) and Windows Server 2016. The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). +- **Device Health** is only compatible with Windows 10 desktop devices (workstations and laptops). The solution requires that at least the Enhanced level of diagnostic data is enabled on all devices that are intended to be displayed in the solution. In Windows 10, version 1709, a new policy was added to "limit enhanced telemetry to the minimum required by Windows Analytics". To learn more about Windows diagnostic data, see [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization). 
- **IE site discovery** is an optional feature of Upgrade Readiness that provides an inventory of websites that are accessed by client devices using Internet Explorer on Windows 7, Windows 8.1, and Windows 10. To enable IE site discovery, make sure the required updates are installed (per previous section) and enable IE site discovery in the deployment script batch file. From 09d74491348964b0f23270620cf64078f80cf244 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Fri, 20 Sep 2019 16:11:01 -0700 Subject: [PATCH 13/20] Update faq-wd-app-guard.md Added policy names. --- .../windows-defender-application-guard/faq-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 650fe854db..ae7c4a20a4 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md 
@@ -68,7 +68,7 @@ Answering frequently asked questions about Windows Defender Application Guard (A | | | |--------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Q:** | How do I configure WDAG to work with my network proxy (IP-Literal Addresses)? | -| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. | +| **A:** | WDAG requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as “192.168.1.4:81” can be annotated as “itproxy:81” or using a record such as “P19216810010” for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. |
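Review bot: `These would be for the proxy policies under Network Isolation in Group Policy or Intune.` is vague about which policy actually takes the symbolic proxy name; PATCH 05/20 above adds that proxies must be listed in the `Domains categorized as both work and personal` Network Isolation policy, so name that setting here and link the configuration page instead of saying "the proxy policies". Reword "These would be for" into a direct instruction, for example "Configure the symbolic proxy name in the ... policy under Network Isolation, in Group Policy or Intune."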
From d84f67ccb42d7c82d0bf56f4140453f1eca3448c Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 23 Sep 2019 09:56:36 +0500 Subject: [PATCH 14/20] Update microsoft-surface-data-eraser.md --- devices/surface/microsoft-surface-data-eraser.md | 1 + 1 file changed, 1 insertion(+) diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index a2d74d331c..29b42615a0 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -36,6 +36,7 @@ Compatible Surface devices include: * Surface Pro (Model 1796) * Surface Laptop * Surface Studio +* Surface Studio 2 * Surface Book * Surface Pro 4 * Surface 3 LTE From 4e043d94e6459f2174ed181977919738fecc136b Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 23 Sep 2019 15:25:43 +0300 Subject: [PATCH 15/20] updated steps https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4850 --- ...dows-10-device-automatically-using-group-policy.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md index 6360bcb775..4c3c1ed35b 100644 --- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md +++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md 
@@ -157,13 +157,16 @@ Requirements: >If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps: > 1. Download: > 1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or -> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576). +> 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or +> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/en-us/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) > 2. Install the package on the Primary Domain Controller (PDC). > 3. Navigate, depending on the version to the folder: > 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or -> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2** -> 4. Copy policy definitions folder to **C:\Windows\SYSVOL\domain\Policies**. -> 5. Restart the Primary Domain Controller for the policy to be available. +> 1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or +> 1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3** +> 4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**. +> 5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. +> 6. Restart the Primary Domain Controller for the policy to be available. > This procedure will work for any future version as well. 1. 
Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**. From deb3e55d9d005aa5d9923979ca222e21dd7b4ce8 Mon Sep 17 00:00:00 2001 From: brbrahm <43386070+brbrahm@users.noreply.github.com> Date: Mon, 23 Sep 2019 13:18:06 -0700 Subject: [PATCH 16/20] Update windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md Accepting wording change suggestion Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../microsoft-recommended-block-rules.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 55b26f6e89..b8e2098917 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md 
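Review bot: in the enroll-a-windows-10-device-automatically-using-group-policy.md hunk (@@ -157,13 +157,16 @@), the new 1903 download link carries a locale segment and a tracking parameter (`https://www.microsoft.com/en-us/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all`) while the 1803 and 1809 links on the adjacent lines are locale-free with only `id=` in the query; use `https://www.microsoft.com/download/details.aspx?id=58495` to match them. The new step 4, "Rename the extracted Policy Definitions folder to **PolicyDefinitions**.", names the target but not the folder the installer leaves under the `v3` path, so the reader cannot tell what to rename; give the source folder name, and since step 5 copies that folder into `C:\Windows\SYSVOL\domain\Policies`, state that the name must be exactly `PolicyDefinitions` for the copied folder to be picked up there. Minor: the 1803 line still reads `1803 -->[Administrative Templates` without the space the 1809 and 1903 lines have.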
@@ -888,7 +888,7 @@ Pick the correct version of each .dll for the Windows release you plan to suppor - [Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or > 1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or -> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/en-us/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) +> 1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all) > 2. Install the package on the Primary Domain Controller (PDC). > 3. Navigate, depending on the version to the folder: > 1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or From 49dabc46d48b72d6b7f9f3d2c4871d898aa34f34 Mon Sep 17 00:00:00 2001 From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Tue, 24 Sep 2019 09:16:31 -0400 Subject: [PATCH 19/20] Update surface-hub-update-history.md Documenting 9C and adding one 8C note --- .../surface-hub/surface-hub-update-history.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index f88eb20479..b316f450b1 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -24,12 +24,28 @@ Please refer to the “[Surface Hub Important Information](https://support.micro ## Windows 10 Team Creators Update 1703 +
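Review bot: this hunk does not match its own file header. The `diff --git` lines and the `@@ -888,7 +888,7 @@` header name windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md, with hunk context "Pick the correct version of each .dll for the Windows release you plan to suppor", but the removed and added lines are the 1803/1809/1903 Administrative Templates links and the `C:\Program Files (x86)\Microsoft Group Policy\...` paths from enroll-a-windows-10-device-automatically-using-group-policy.md, the same text the previous patch touched. As shown, the patch would not apply at line 888 of the block-rules page, so the hunk was attached to the wrong file or the commit was mis-assembled. The change itself, dropping `/en-us/` from the 1903 URL so it matches the 1803 and 1809 links, is the right fix and should land in the enrollment document.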
+September 24, 2019—update for Team edition based on KB4516059* (OS Build 15063.2078) + +This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: + + * Update to Surface Hub 2S Recovery Settings page to accurately reflect recovery options. + * Update to Surface Hub 2S Welcome screen to improve device recognizability. + * Addressed an issue with the Windows Team Edition shell background displaying incorrectly. + * Addressed an issue with Start Menu layout persistence when configured using MDM policy. + * Fixed an issue in Microsoft Edge that occurs when browsing some internal websites. + +Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. +*[KB4503289](https://support.microsoft.com/help/4503289) +
+
August 17, 2019—update for Team edition based on KB4512474* (OS Build 15063.2021) This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include: * Ensures that Video Out on Hub 2S defaults to "Duplicate" mode. + * Improves reliability for some Arabic language usage scenarios on Surface Hub. Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. *[KB4503289](https://support.microsoft.com/help/4503289) From b057c4691635afead2a0b14c405e1a67cf3cd31d Mon Sep 17 00:00:00 2001 From: DanPandre <54847950+DanPandre@users.noreply.github.com> Date: Wed, 25 Sep 2019 11:47:44 -0400 Subject: [PATCH 20/20] Update surface-hub-update-history.md Adding details about fix for Hub's SfB client contained in September 24th CU. --- devices/surface-hub/surface-hub-update-history.md | 1 + 1 file changed, 1 insertion(+) diff --git a/devices/surface-hub/surface-hub-update-history.md b/devices/surface-hub/surface-hub-update-history.md index b316f450b1..f622b949c8 100644 --- a/devices/surface-hub/surface-hub-update-history.md +++ b/devices/surface-hub/surface-hub-update-history.md @@ -34,6 +34,7 @@ This update to the Surface Hub includes quality improvements and security fixes. * Addressed an issue with the Windows Team Edition shell background displaying incorrectly. * Addressed an issue with Start Menu layout persistence when configured using MDM policy. * Fixed an issue in Microsoft Edge that occurs when browsing some internal websites. + * Fixed an issue in Skype for Business that occurs when presenting in full-screen mode. Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services. *[KB4503289](https://support.microsoft.com/help/4503289)
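Review bot: in the surface-hub-update-history.md hunk (@@ -24,12 +24,28 @@), the new September 24, 2019 entry states it is "based on KB4516059*", but the footnote added beneath it repeats the August 17 entry's `*[KB4503289](https://support.microsoft.com/help/4503289)`, so the asterisk resolves to a different article than the one named in the heading (the August 17 entry, citing KB4512474* over the same KB4503289 footnote, has the same defect, but that is pre-existing). Point the new footnote at KB4516059, following the pattern of the existing link (`*[KB4516059](https://support.microsoft.com/help/4516059)`), or drop the asterisk. Minor: "to improve device recognizability" in the Welcome screen bullet reads awkwardly; "to make the device easier to identify" is clearer.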