From 3f44b6c933dbf3c2e3590536f7faa431cf519413 Mon Sep 17 00:00:00 2001
From: Bill Mcilhargey <19168174+computeronix@users.noreply.github.com>
Date: Mon, 18 Jun 2018 09:51:06 -0400
Subject: [PATCH 1/6] Mention cost of solution

Similar to this page - Upgrade Readiness, we should mention the cost of Update Compliance
https://docs.microsoft.com/en-us/windows/deployment/upgrade/upgrade-readiness-get-started
---
 windows/deployment/update/update-compliance-get-started.md | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md
index 9d1b01ce0f..c2f19abb9c 100644
--- a/windows/deployment/update/update-compliance-get-started.md
+++ b/windows/deployment/update/update-compliance-get-started.md
@@ -27,6 +27,9 @@ Steps are provided in sections that follow the recommended setup process:
 
 Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/).
 
+>[!IMPORTANT]
+>Update Compliance is a free solution for Azure subscribers.
+
 If you are already using OMS, skip to step **6** to add Update Compliance to your workspace.
 
 >[!NOTE]
@@ -74,4 +77,4 @@ Once you've added Update Compliance to Microsoft Operations Management Suite, yo
 
 ## Use Update Compliance to monitor Windows Updates
 
-Once your devices are enrolled, you can starte to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md).
\ No newline at end of file
+Once your devices are enrolled, you can starte to [Use Update Compliance to monitor Windows Updates](update-compliance-using.md).

From d6daa45b0736029b1b56c0c4fd3439d7b9022806 Mon Sep 17 00:00:00 2001
From: Richard Zhang <zhangrupo2003@hotmail.com>
Date: Mon, 18 Jun 2018 08:56:06 -0700
Subject: [PATCH 2/6] Add support for Windows 10 IoT Enterprise SKU

MBAM team has completed the test for Windows 10 IoT Enterprise SKU. add this one to the supported list.
---
 mdop/mbam-v25/mbam-25-supported-configurations.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index 8c4076c276..7b603f1d3f 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -464,6 +464,12 @@ The following table lists the operating systems that are supported for MBAM Clie
 </tr>
 </thead>
 <tbody>
+<tr class="even">
+    <td align="left"><p>Windows 10 IoT</p></td>
+    <td align="left"><p>Enterprise</p></td>
+    <td align="left"><p></p></td>
+    <td align="left"><p>32-bit or 64-bit</p></td>
+</tr>  
 <tr class="odd">
 <td align="left"><p>Windows 10</p></td>
 <td align="left"><p>Enterprise</p></td>
@@ -518,6 +524,12 @@ The following table lists the operating systems that are supported for MBAM Grou
 </tr>
 </thead>
 <tbody>
+ <tr class="even">
+      <td align="left"><p>Windows 10 IoT</p></td>
+      <td align="left"><p>Enterprise</p></td>
+      <td align="left"><p></p></td>
+      <td align="left"><p>32-bit or 64-bit</p></td>
+ </tr>
 <tr class="odd">
 <td align="left"><p>Windows 10</p></td>
 <td align="left"><p>Enterprise</p></td>

From 5e3a6fadad5e0864310bdea0dbefe5f3b611e0ba Mon Sep 17 00:00:00 2001
From: Ryan Ries <ryanries09@gmail.com>
Date: Mon, 18 Jun 2018 14:13:38 -0500
Subject: [PATCH 3/6] Adding more detail about Kerberos service tickets

Adding more detail about Kerberos service tickets
---
 .../credential-guard/credential-guard-protection-limits.md       | 1 +
 1 file changed, 1 insertion(+)

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 1f51382ce3..aad838b212 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -31,6 +31,7 @@ Some ways to store credentials are not protected by Windows Defender Credential
 -   Digest and CredSSP credentials
     -   When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
 -   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- 
+-  Kerberos service tickets are not encrypted, only the Kerberos Ticket Granting Ticket (TGT) is encrypted.
 -  When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
 -  Windows logon cached password verifiers (commonly called "cached credentials")
 do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.

From 9b1ea04133287f77cc41625faa2d70618290dc25 Mon Sep 17 00:00:00 2001
From: Ryan Ries <ryanries09@gmail.com>
Date: Mon, 18 Jun 2018 14:28:53 -0500
Subject: [PATCH 4/6] Update credential-guard-protection-limits.md

---
 .../credential-guard/credential-guard-protection-limits.md      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index aad838b212..a619cc000a 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -31,7 +31,7 @@ Some ways to store credentials are not protected by Windows Defender Credential
 -   Digest and CredSSP credentials
     -   When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
 -   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- 
--  Kerberos service tickets are not encrypted, only the Kerberos Ticket Granting Ticket (TGT) is encrypted.
+-  Kerberos service tickets are not protected by CredGuard, but the Kerberos Ticket Granting Ticket (TGT) is.
 -  When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
 -  Windows logon cached password verifiers (commonly called "cached credentials")
 do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.

From 44b76b0fa190384f9f8b78f661b36e6c71e737dd Mon Sep 17 00:00:00 2001
From: Justin Hall <Justinha@microsoft.com>
Date: Mon, 18 Jun 2018 12:30:43 -0700
Subject: [PATCH 5/6] Update credential-guard-protection-limits.md

---
 .../credential-guard/credential-guard-protection-limits.md      | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index a619cc000a..1428ee92e3 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -31,7 +31,7 @@ Some ways to store credentials are not protected by Windows Defender Credential
 -   Digest and CredSSP credentials
     -   When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
 -   Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- 
--  Kerberos service tickets are not protected by CredGuard, but the Kerberos Ticket Granting Ticket (TGT) is.
+-  Kerberos service tickets are not protected by Credential Guard, but the Kerberos Ticket Granting Ticket (TGT) is.
 -  When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
 -  Windows logon cached password verifiers (commonly called "cached credentials")
 do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.

From 91faf29dafb0028c1ae30cda88e85c81fa14f217 Mon Sep 17 00:00:00 2001
From: Richard Zhang <zhangrupo2003@hotmail.com>
Date: Mon, 18 Jun 2018 15:18:33 -0700
Subject: [PATCH 6/6] Update release-notes-for-mbam-25-sp1.md

---
 mdop/mbam-v25/release-notes-for-mbam-25-sp1.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
index 6fb8a41a78..a39802e24b 100644
--- a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
@@ -136,10 +136,12 @@ Digging this further with Fiddler – it does look like once we click on Reports
 
 **Workaround:** Looking at the site.master code and noticed the X-UA mode was dictated as IE8. As IE8 is WAY past the end of life, and customer is using IE11. Update the setting to the below code. This allows the site to utilize IE11 rendering technologies
 
-<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
+    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
 
 Original setting is: 
-<meta http-equiv="X-UA-Compatible" content="IE=8" />
+
+    <meta http-equiv="X-UA-Compatible" content="IE=8" />
+
 
 This is the reason why the issue was not seen with other browsers like Chrome, Firefox etc.