Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into manage-connections

2025-06-15 18:33:43 +00:00 · 2017-11-30 10:55:17 -08:00
parent 1e173338cf 5af21c824d
commit d24d93df45
19 changed files with 105 additions and 39 deletions
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@ -9,7 +9,7 @@ ms.pagetype: devices
 author: jdeckerms
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 10/17/2017
+ms.date: 11/28/2017
 ---

 # Connect to remote Azure Active Directory-joined PC
@ -19,7 +19,7 @@ ms.date: 10/17/2017

 -   Windows 10

-From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is joined to Azure Active Directory (Azure AD).
+From its release, Windows 10 has supported remote connections to PCs that are joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/device-management-azuread-joined-devices-setup).

 ![Remote Desktop Connection client](images/rdp.png)

--- a/windows/client-management/mdm/policy-csp-windowslogon.md
+++ b/windows/client-management/mdm/policy-csp-windowslogon.md
@ -189,9 +189,9 @@ ADMX Info:
 <!--StartDescription-->
 <p style="margin-left: 20px">Added in Windows 10, version 1703. This policy setting allows you to hide the Switch account button on the sign-in screen, Start, and the Task Manager. If you enable this policy setting, the Switch account button is hidden from the user who is attempting to sign-in or is signed in to the computer that has this policy applied. If you disable or do not configure this policy setting, the Switch account button is accessible to the user in the three locations.

-<p style="margin-left: 20px">Value type is bool. The following list shows the supported values:
+<p style="margin-left: 20px">Value type is int. The following list shows the supported values:

-   0 (default) - Diabled (visible).
+-   0 (default) - Disabled (visible).
 -   1 - Enabled (hidden).

 <p style="margin-left: 20px">To validate on Desktop, do the following:
--- a/windows/configuration/changes-to-start-policies-in-windows-10.md
+++ b/windows/configuration/changes-to-start-policies-in-windows-10.md
@ -8,6 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
+ms.date: 11/28/2017
 ---

 # Changes to Group Policy settings for Windows 10 Start
@ -92,10 +93,6 @@ These policy settings are available in **Administrative Templates\\Start Menu an
 <tr class="odd">
 <td align="left">Start Layout</td>
 <td align="left"><p>This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in <strong>User Configuration</strong> or <strong>Computer Configuration</strong>.</p>
-<div class="alert">
-<strong>Note</strong>  
-<p>Start Layout policy setting applies only to Windows 10 Enterprise and Windows 10 Education.</p>
-</div>
 <div>
  
 </div></td>
--- a/windows/configuration/windows-diagnostic-data.md
+++ b/windows/configuration/windows-diagnostic-data.md
@ -37,7 +37,7 @@ Most diagnostic events contain a header of common data:

 | Category Name | Examples |
 | - | - |
-| Common Data | Information that is added to most diagnostic events, if relevant and available:<br><ul><li>OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)</li><li>User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data</li><li>Xbox UserID</li><li>Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.</li><li>The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags</li><li>HTTP header information including IP address. This is not the IP address of the device but the source address in the network packet header received by the diagnostics ingestion service.</li><li>Various IDs that are used to correlate and sequence related events together.</li><li>Device ID. This is not the user provided device name, but an ID that is unique for that device.</li><li>Device class -- Desktop, Server, or Mobile</li><li>Event collection time</li><li>Diagnostic level --  Basic or Full, Sample level -- for sampled data, what sample level is this device opted into</li></ul> |
+| Common Data | Information that is added to most diagnostic events, if relevant and available:<br><ul><li>OS name, version, build, and [locale](https://msdn.microsoft.com/library/windows/desktop/dd318716.aspx)</li><li>User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data</li><li>Xbox UserID</li><li>Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time such the period an app is running or between boots of the OS.</li><li>The diagnostic event name, Event ID, [ETW](https://msdn.microsoft.com/library/windows/desktop/bb968803.aspx) opcode, version, schema signature, keywords, and flags</li><li>HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service.</li><li>Various IDs that are used to correlate and sequence related events together.</li><li>Device ID. This is not the user provided device name, but an ID that is unique for that device.</li><li>Device class -- Desktop, Server, or Mobile</li><li>Event collection time</li><li>Diagnostic level --  Basic or Full, Sample level -- for sampled data, what sample level is this device opted into</li></ul> |

 ## Device, Connectivity, and Configuration data

--- a/windows/deployment/windows-10-auto-pilot.md
+++ b/windows/deployment/windows-10-auto-pilot.md
@ -40,6 +40,7 @@ Windows AutoPilot allows you to:

 * [Devices must be registered to the organization](#registering-devices-to-your-organization)
 * [Company branding needs to be configured](#configure-company-branding-for-oobe)
+* [Network connectivity to cloud services used by Windows AutoPilot](#network-connectivity-requirements)
 * Devices have to be pre-installed with Windows 10 Professional, Enterprise or Education, of version 1703 or later
 * Devices must have access to the internet
 * [Azure AD Premium P1 or P2](https://www.microsoft.com/cloud-platform/azure-active-directory-features)
@ -77,7 +78,13 @@ If you would like to capture that information by yourself, you can use the [Get-
 By uploading this information to the Microsoft Store for Business or Partner Center admin portal, you'll be able to assign devices to your organization.
 Additional options and customization is available through these portals to pre-configure the devices.

-Options available for Windows 10, starting with version 1703:
+For information on how to upload device information, see [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#add-devices-and-apply-autopilot-deployment-profile) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot) guidance.
+
+#### OOBE customization
+
+Deployment profiles are used to configure the Out-Of-the-Box-Experience (OOBE) on devices deployed through the Windows AutoPilot Deployment Program.
+
+These are the OOBE customization options available for Windows 10, starting with version 1703:
 * Skipping Work or Home usage selection (*Automatic*)
 * Skipping OEM registration, OneDrive and Cortana (*Automatic*)
 * Skipping privacy settings
@ -86,17 +93,43 @@ Options available for Windows 10, starting with version 1703:

 We are working to add additional options to further personalize and streamline the setup experience in future releases.

-To see additional details on how to customize the OOBE experience and how to follow this process, see guidance for [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices) or [Partner Center](https://msdn.microsoft.com/partner-center/autopilot).
+To configure and apply deployment profiles, see guidance for the various available administration options:
+* [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles)
+* [Microsoft Intune](https://docs.microsoft.com/intune/enrollment-autopilot)
+* [Microsoft 365 Business & Office 365 Admin](https://support.office.com/article/Create-and-edit-AutoPilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa)
+* [Partner Center](https://msdn.microsoft.com/partner-center/autopilot)

-#### Configure company branding for OOBE
+##### Configure company branding for OOBE

-In order for your company branding to appear during the Out-of-the-Box Experience, you'll need to configure it in Azure Active Directory first.
+In order for your company branding to appear during the OOBE, you'll need to configure it in Azure Active Directory first.

 See [Add company branding to your directory](https://docs.microsoft.com/azure/active-directory/customize-branding#add-company-branding-to-your-directory), to configure these settings. 

+#### Network connectivity requirements
+
+The Windows AutoPilot Deployment Program uses a number of cloud services to get your devices to a productive state. This means those services need to be accessible from devices registered as Windows Autopilot devices.
+
+To manage devices behind firewalls and proxy servers, the following URLs need to be accessible:
+
+* https://go.microsoft.com
+* https://login.microsoftonline.com
+* https://login.live.com
+* https://account.live.com
+* https://signup.live.com
+* https://licensing.mp.microsoft.com
+* https://licensing.md.mp.microsoft.com 
+* ctldl.windowsupdate.com
+* download.windowsupdate.com
+
+>[!NOTE]
+>Where not explicitly specified, both HTTPS (443) and HTTP (80) need to be accessible.
+
+>[!TIP]
+>If you're auto-enrolling your devices into Microsoft Intune, or deploying Microsoft Office, make sure you follow the networking guidlines for [Microsoft Intune](https://docs.microsoft.com/en-us/intune/network-bandwidth-use#network-communication-requirements) and [Office 365](https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2).
+
 ### IT-Driven

-If you are planning to use to configure these devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).
+If you are planning to configure devices with traditional on-premises or cloud-based solutions, the [Windows Configuration Designer](https://www.microsoft.com/store/p/windows-configuration-designer/9nblggh4tx22) can be used to help automate the process. This is more suited to scenarios in which you require a higher level of control over the provisioning process. For more information on creating provisioning packages with Windows Configuration Designer, see [Create a provisioning package for Windows 10](/windows/configuration/provisioning-packages/provisioning-create-package).

 ### Teacher-Driven

--- a/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/device-security/enable-virtualization-based-protection-of-code-integrity.md
@ -16,7 +16,7 @@ ms.date: 11/07/2017
 - Windows 10
 - Windows Server 2016 

-Virtualization-based protection of code integrity (herein refered to as HVCI) is a powerful system mitigation, which leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. 
+Virtualization-based protection of code integrity (herein referred to as HVCI) is a powerful system mitigation, which leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. 
 Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.  

 Some applications, including device drivers, may be incompatible with HVCI. 
@ -34,7 +34,9 @@ If your device already has a WDAC policy (SIPolicy.p7b), please contact your IT
 > You must be an administrator to perform this procedure. 

 1. Download the [Enable HVCI cabinet file](http://download.microsoft.com/download/7/A/F/7AFBCDD1-578B-49B0-9B27-988EAEA89A8B/EnableHVCI.cab).
+
 2. Open the cabinet file.
+
 3. Right-click the SIPolicy.p7b file and extract it. Then move it to the following location: 

   C:\Windows\System32\CodeIntegrity
--- a/windows/device-security/images/turn-windows-features-on-or-off.png
+++ b/windows/device-security/images/turn-windows-features-on-or-off.png
--- a/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@ -30,6 +30,9 @@ ms.date: 10/17/2017

 The Windows Defender Advanced Threat Protection agent depends on Windows Defender Antivirus for some capabilities such as file scanning.

+>[!IMPORTANT]
+>Windows Defender ATP does not adhere to the Windows Defender Antivirus Exclusions settings. 
+
 You must configure the signature updates on the Windows Defender ATP endpoints whether Windows Defender Antivirus is the active antimalware or not. For more information, see [Manage Windows Defender Antivirus updates and apply baselines](../windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md).

 If an onboarded endpoint is protected by a third-party antimalware client, Windows Defender Antivirus on that endpoint will enter into passive mode.
--- a/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
+++ b/windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md
@ -69,7 +69,7 @@ If the portal dashboard, and other sections show an error message such as "Data

 ![Image of data currently isn't available](images/atp-data-not-available.png)

-You'll need to whitelist the `security.windows.com` and all sub-domains under it.
+You'll need to whitelist the `security.windows.com` and all sub-domains under it. For example `*security.windows.com`.


 ## Related topics