From 6fd5a0187152f2ed624d3e464c00cd5effcc8857 Mon Sep 17 00:00:00 2001 From: MSFTandrelom <54631941+MSFTandrelom@users.noreply.github.com> Date: Wed, 11 Sep 2019 14:01:44 +0300 Subject: [PATCH 01/30] Update credential-guard-manage.md Customer pointed out that while they were following steps outlined in the article, they ran into some errors. Validation revealed that step 3 in the feature installation procedure is outdated as of Windows 10 1607. Added a note about that --- .../credential-guard/credential-guard-manage.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index b8b2673d47..f1ac04eb7a 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -86,6 +86,8 @@ You can do this by using either the Control Panel or the Deployment Image Servic ``` dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` +> [!NOTE] +> In Windows 10 1607 or later versions, Isolated User Mode feature has been integrated into the core Operating system, so running the above command step 3 is no longer necessary > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. From 47670360a1d604cf8b6ad8bc223af22bd7941b02 Mon Sep 17 00:00:00 2001 From: MSFTandrelom <54631941+MSFTandrelom@users.noreply.github.com> Date: Thu, 12 Sep 2019 09:31:46 +0300 Subject: [PATCH 02/30] Update windows/security/identity-protection/credential-guard/credential-guard-manage.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index f1ac04eb7a..20e0057677 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -87,7 +87,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` > [!NOTE] -> In Windows 10 1607 or later versions, Isolated User Mode feature has been integrated into the core Operating system, so running the above command step 3 is no longer necessary +> In Windows 10 1607 and later versions, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. From e796b37f5601f860a5cbd2661430d22ad6949ad2 Mon Sep 17 00:00:00 2001 From: MSFTandrelom <54631941+MSFTandrelom@users.noreply.github.com> Date: Sat, 14 Sep 2019 09:44:52 +0300 Subject: [PATCH 03/30] Update windows/security/identity-protection/credential-guard/credential-guard-manage.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../credential-guard/credential-guard-manage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md index 20e0057677..239a1d56a5 100644 --- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md +++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md @@ -87,7 +87,7 @@ You can do this by using either the Control Panel or the Deployment Image Servic dism /image: /Enable-Feature /FeatureName:IsolatedUserMode ``` > [!NOTE] -> In Windows 10 1607 and later versions, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. +> In Windows 10, version 1607 and later, the Isolated User Mode feature has been integrated into the core operating system. Running the command in step 3 above is therefore no longer required. > [!NOTE] > You can also add these features to an online image by using either DISM or Configuration Manager. From 2d0f31588b32b2e75ede7e4465e79b4ba4559124 Mon Sep 17 00:00:00 2001 From: NagaCSC Date: Thu, 12 Dec 2019 16:52:44 -0800 Subject: [PATCH 04/30] Delat CRL note add note for Delta CRL --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 060bf7e60a..8ed1157475 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -58,6 +58,8 @@ To resolve this issue, the CRL distribution point must be a location that is acc If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. +Note: If your CA has both Base and Delta CRL published. please make sure. you have included publishing the delta CRL in the http path. Include web server to fetch delta crl by allowing doubleescaping in the (IIS) web server. + ### Windows Server 2016 Domain Controllers If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. @@ -151,6 +153,7 @@ These procedures configure NTFS and share permissions on the web server to allow ![CDP Share Permissions](images/aadj/cdp-share-permissions.png) 9. In the **Advanced Sharing** dialog box, click **OK**. + #### Disable Caching 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. From 5e900d9706bde6e25e0c431f080a4fa16b87622e Mon Sep 17 00:00:00 2001 From: NagaCSC Date: Fri, 13 Dec 2019 09:26:58 -0800 Subject: [PATCH 05/30] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Looks good, commit the changes Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 8ed1157475..37e65c43d4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -58,7 +58,7 @@ To resolve this issue, the CRL distribution point must be a location that is acc If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. -Note: If your CA has both Base and Delta CRL published. please make sure. you have included publishing the delta CRL in the http path. Include web server to fetch delta crl by allowing doubleescaping in the (IIS) web server. +Note: If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. ### Windows Server 2016 Domain Controllers If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. @@ -340,4 +340,3 @@ If you plan on using certificates for on-premises single-sign on, perform the ad - From f8ba6714c320ba76defb672f00c1de04441e77b1 Mon Sep 17 00:00:00 2001 From: NagaCSC Date: Mon, 16 Dec 2019 09:20:27 -0800 Subject: [PATCH 06/30] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md looks good, please proceed further Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 37e65c43d4..927449551f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -58,7 +58,8 @@ To resolve this issue, the CRL distribution point must be a location that is acc If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points. -Note: If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. +> [!NOTE] +> If your CA has published both the Base and the Delta CRL, please make sure you have included publishing the Delta CRL in the HTTP path. Include web server to fetch the Delta CRL by allowing double escaping in the (IIS) web server. ### Windows Server 2016 Domain Controllers If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. @@ -339,4 +340,3 @@ Sign-in a workstation with access equivalent to a _domain user_. If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). - From a922ae24ab54104b41a6f1f8025e28a0f71ccc47 Mon Sep 17 00:00:00 2001 From: NagaCSC Date: Mon, 16 Dec 2019 14:25:15 -0800 Subject: [PATCH 07/30] Update windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-aadj-sso-base.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md index 927449551f..f6f3f40c4b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md @@ -154,7 +154,6 @@ These procedures configure NTFS and share permissions on the web server to allow ![CDP Share Permissions](images/aadj/cdp-share-permissions.png) 9. In the **Advanced Sharing** dialog box, click **OK**. - #### Disable Caching 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server). 2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**. @@ -339,4 +338,3 @@ Sign-in a workstation with access equivalent to a _domain user_. If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md). - From 37b207227c087b8932ee4f470c42cb370d67da84 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 18 Dec 2019 15:37:56 +0500 Subject: [PATCH 08/30] Update select-types-of-rules-to-create.md --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 9633a7cf60..f6ea23a20f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -67,7 +67,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | -| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection of enforcing user-writeability and only allowing admin-writeable locations. | +| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by administrator) for the path pecified in the FilePathRule parameter of the New-CIPolicyRule cmdlet. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. | ## Windows Defender Application Control file rule levels From 0b25985d2d073e5f94e45c2a1f342817de80cedb Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 21 Dec 2019 13:56:30 +0500 Subject: [PATCH 09/30] Update windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../select-types-of-rules-to-create.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index f6ea23a20f..26bd6f527f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -67,7 +67,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru | **15 Enabled:Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically re-validate the reputation for files that were authorized by the ISG.| | **16 Enabled:Update Policy No Reboot** | Use this option to allow future WDAC policy updates to apply without requiring a system reboot. | | **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. | -| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by administrator) for the path pecified in the FilePathRule parameter of the New-CIPolicyRule cmdlet. | +| **18 Disabled:Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for the path specified in the FilePathRule parameter of the New-CIPolicyRule cmdlet. | | **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically-loaded libraries. | ## Windows Defender Application Control file rule levels From 22da5b497b272b6c0dcd2fec92ef690d33f9c070 Mon Sep 17 00:00:00 2001 From: Joyce Y <47188252+mypil@users.noreply.github.com> Date: Tue, 24 Dec 2019 09:21:01 -0400 Subject: [PATCH 10/30] fixed typo in line 65 Resolves #5742 --- devices/hololens/hololens2-setup.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/hololens/hololens2-setup.md b/devices/hololens/hololens2-setup.md index 319644824d..79189a7cf6 100644 --- a/devices/hololens/hololens2-setup.md +++ b/devices/hololens/hololens2-setup.md @@ -62,7 +62,7 @@ To turn on your HoloLens 2, press the Power button. The LED lights below the Po | To turn on | Single button press. | All five lights turn on, then change to indicate the battery level. After four seconds, a sound plays. | | To sleep | Single button press. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To wake from sleep | Single button press. | All five lights turn on, then change to indicate the battery level. A sound immediately plays. | -| To turn off | Press and for hold 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | +| To turn off | Press and hold for 5s. | All five lights turn on, then fade off one at a time. After the lights turn off, a sound plays and the screen displays "Goodbye." | | To force the Hololens to restart if it is unresponsive | Press and hold for 10s. | All five lights turn on, then fade off one at a time. After the lights turn off. | ## HoloLens behavior reference From fe31b35f6cc3e0fb071ea8ab84f0c06e84c38731 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 26 Dec 2019 16:22:23 +0500 Subject: [PATCH 11/30] Update hello-hybrid-cert-whfb-settings-dir-sync.md --- .../hello-hybrid-cert-whfb-settings-dir-sync.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index e2d7d4fc9c..5e12221702 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -31,7 +31,7 @@ In hybrid deployments, users register the public portion of their Windows Hello The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. > [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. +> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use pre-created group KeyAdmins in step 3 of "Group Memberships for the Azure AD Connect Service Account" section of this article. ### Configure Permissions for Key Synchronization @@ -56,9 +56,6 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Click the **Users** container in the navigation pane. - >[!IMPORTANT] - > If you already have a Windows Server 2016 domain controller in your domain, use the Keyadmins group in the next step, otherwise use the KeyCredential admins group you previously created. - 3. Right-click either the **KeyAdmins** or **KeyCredential Admins** in the details pane and click **Properties**. 4. Click the **Members** tab and click **Add** 5. In the **Enter the object names to select** text box, type the name of the Azure AD Connect service account. Click **OK**. From 1a6c5fb26245909bcf1fe22db0c414271b10c69e Mon Sep 17 00:00:00 2001 From: coffeemade <39417823+coffeemade@users.noreply.github.com> Date: Thu, 26 Dec 2019 14:21:03 -0500 Subject: [PATCH 12/30] modification of the importance to make it a bubble Sorry didn't see the code, so I changed it so that it will make a bubble instead of just important text. Hope this works. --- .../on-premises-deployment-surface-hub-device-accounts.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 7f3793ed3f..8043e93501 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -49,7 +49,7 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 ```PowerShell New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` -[!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. +> [!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. From 7074d6d509ab180f8468aab7f55222e5f57961b0 Mon Sep 17 00:00:00 2001 From: Chris Jackson Date: Thu, 26 Dec 2019 16:06:14 -0600 Subject: [PATCH 13/30] Update the group policy path The path in local group policy is now "Computer Configuration\Administrative Templates\System\Device Guard" (at least in 10.0.19041), updating docs to match what is in local group policy. --- .../audit-windows-defender-application-control-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 133cd1426f..8f28ada884 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -40,7 +40,7 @@ Before you begin this process, you need to create a WDAC policy binary file. If > > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor. -3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. +3. Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1. > [!Note] > From c93e01abda1e75b4c300cb2881b5e8c6ecd6f04b Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 28 Dec 2019 08:56:36 +0500 Subject: [PATCH 14/30] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-hybrid-cert-whfb-settings-dir-sync.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md index 5e12221702..16c17aa3f9 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md @@ -31,7 +31,7 @@ In hybrid deployments, users register the public portion of their Windows Hello The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. > [!IMPORTANT] -> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use pre-created group KeyAdmins in step 3 of "Group Memberships for the Azure AD Connect Service Account" section of this article. +> If you already have a Windows Server 2016 domain controller in your domain, you can skip **Configure Permissions for Key Synchronization**. In this case, you should use the pre-created group KeyAdmins in step 3 of the "Group Memberships for the Azure AD Connect Service Account" section of this article. ### Configure Permissions for Key Synchronization From 215b1a5009872dba78db67f616c1d6e9aa7d5f7d Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Wed, 1 Jan 2020 16:41:29 +0500 Subject: [PATCH 15/30] Minor changes in heading Minor changes in heading as this should go with key trust deployment guide. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5695 --- .../hello-for-business/hello-key-trust-validate-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 5f6fb9480c..2a02be9899 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -196,7 +196,7 @@ Alternatively, you can forcefully trigger automatic certificate enrollment using Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. -## Follow the Windows Hello for Business on premises certificate trust deployment guide +## Follow the Windows Hello for Business on premises certificate key trust deployment guide 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. Validate and Configure Public Key Infrastructure (*You are here*) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) From 4a774dcd816cb488009a831c3f8d8f9fafb6e5cf Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 7 Jan 2020 04:43:59 +0500 Subject: [PATCH 16/30] Update windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md Co-Authored-By: mapalko --- .../hello-for-business/hello-key-trust-validate-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md index 2a02be9899..57a2493e4c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md @@ -196,7 +196,7 @@ Alternatively, you can forcefully trigger automatic certificate enrollment using Use the event logs to monitor certificate enrollment and archive. Review the configuration, such as publishing certificate templates to issuing certificate authority and the allow auto enrollment permissions. -## Follow the Windows Hello for Business on premises certificate key trust deployment guide +## Follow the Windows Hello for Business on premises key trust deployment guide 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. Validate and Configure Public Key Infrastructure (*You are here*) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) From 443c156df824878c9521d51b8cfee613ae47bd20 Mon Sep 17 00:00:00 2001 From: mestew Date: Wed, 8 Jan 2020 12:26:25 -0800 Subject: [PATCH 17/30] Add link for WIP limitations per CSS request. Rebrand of SCCM edits --- .../create-wip-policy-using-sccm.md | 33 +++++++++++-------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 61ce1a5f3b..288347b3aa 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -1,9 +1,9 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10) -description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. +title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager (Windows 10) +description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529 ms.reviewer: -keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager, MEMCM, Microsoft Endpoint Configuration Manager ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library @@ -15,26 +15,29 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 05/13/2019 +ms.date: 01/09/2020 --- -# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager +# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager **Applies to:** - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later -- System Center Configuration Manager +- Microsoft Endpoint Configuration Manager -System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy -After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. +After you’ve installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. + +>[!TIP] +> Review the [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) article before creating a new configuration item to avoid common issues. **To create a configuration item for WIP** -1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. +1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. - ![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) + ![Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png) 2. Click the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. @@ -43,7 +46,7 @@ The **Create Configuration Item Wizard** starts. 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -62,7 +65,7 @@ The **Create Configuration Item Wizard** starts. The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. ## Add app rules to your policy -During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. +During the policy-creation process in Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. @@ -295,9 +298,9 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* ``` -12. After you’ve created your XML file, you need to import it by using System Center Configuration Manager. +12. After you’ve created your XML file, you need to import it by using Configuration Manager. -**To import your Applocker policy file app rule using System Center Configuration Manager** +**To import your Applocker policy file app rule using Configuration Manager** 1. From the **App rules** area, click **Add**. The **Add app rule** box appears. @@ -506,3 +509,5 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) + +- [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) From b859de871e1289e96d8d19f8ad4e5955aaa67c06 Mon Sep 17 00:00:00 2001 From: illfated Date: Mon, 30 Dec 2019 00:12:51 +0100 Subject: [PATCH 18/30] Do not require CTRL+ALT+DEL: remove duplicate text Description: As discussed with jvsam (Jo) in issue ticket #5559 (Is the guidance around CTRL-ALT-DEL still valid?), this improvement suggestion is based on already noted redundant or duplicated sentences in the article. Changes proposed: - Remove 2 redundant sentences repeated 2 paragraphs below. - Remove redundant whitespace in a few MarkDown bullet lists. issue ticket closure or reference: Ref. #5559 (issue not resolved yet) --- .../interactive-logon-do-not-require-ctrl-alt-del.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 802f0fdc28..92ffe6cd6c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -19,7 +19,7 @@ ms.date: 04/19/2017 # Interactive logon: Do not require CTRL+ALT+DEL **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, and security considerations for the **Interactive logon: Do not require CTRL+ALT+DEL** security policy setting. @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. -If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. Not having to press CTRL+ALT+DEL leaves users susceptible to attacks that attempt to intercept the users' passwords. Requiring CTRL+ALT+DEL before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). @@ -37,13 +37,13 @@ A malicious user might install malware that looks like the standard logon dialog ### Possible values -- Enabled -- Disabled -- Not defined +- Enabled +- Disabled +- Not defined ### Best practices -- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. +- It is advisable to set **Disable CTRL+ALT+DEL requirement for logon** to **Not configured**. ### Location From a9f1192d612a9f1340b6d77d99ec6d04713c53d1 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Fri, 10 Jan 2020 10:12:26 -0800 Subject: [PATCH 19/30] Update hello-deployment-guide.md Added a note for the provisioning flow --- .../hello-for-business/hello-deployment-guide.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 72257804e5..b32e951f47 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -68,3 +68,6 @@ Following are the various deployment guides and models included in this topic: Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. +> [!NOTE] +> You need to allow access to account.microsoft.com URL to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. + From f20450f7dc687f2206c4882b40f692f984a5eea2 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Fri, 10 Jan 2020 11:06:00 -0800 Subject: [PATCH 20/30] Update hello-hybrid-key-trust-prereqs.md Added provisioniong prereq for account.microsoft.com --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d2694a48af..1eb7a19f07 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -125,7 +125,11 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth ## Device Registration Organizations wanting to deploy hybrid key trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. - + +## Provisioning + +You need to allow access to account.microsoft.com URL to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. + ### Section Checklist From 259117e6401135bfdd77596e446bb942c2081089 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Fri, 10 Jan 2020 11:07:39 -0800 Subject: [PATCH 21/30] Update hello-hybrid-cert-trust-prereqs.md Added prereq for account.microsoft.com --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 8ed6db6fb4..1e84b38026 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -118,6 +118,11 @@ Hybrid certificate trust deployments need the device write back feature. Authen > [!NOTE] > Windows Hello for Business is tied between a user and a device. Both the user and device need to be synchronized between Azure Active Directory and Active Directory, and therefore the device writeback is used to update the msDS-KeyCredentialLink on the computer object. +## Provisioning + +You need to allow access to account.microsoft.com URL to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. + + ### Section Checklist ### > [!div class="checklist"] > * Azure Active Directory Device writeback From f600fe3317c030e2809c781acc70134b4d4350b3 Mon Sep 17 00:00:00 2001 From: Chad Simmons Date: Mon, 13 Jan 2020 08:47:34 -0600 Subject: [PATCH 22/30] ConfigMgr and DO In the "Table 1" I added Delivery Optimization as an option to Configuration Manager along with references to product documentation. --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 4f6bf5db20..faa199e831 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -174,7 +174,7 @@ With all these options, which an organization chooses depends on the resources, | Windows Update | Yes (manual) | No | Delivery Optimization | None| | Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects | | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | -| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache | Distribution points, multiple deployment options | +| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization [[1](https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution)][[2](https://docs.microsoft.com/en-us/windows/deployment/update/waas-optimize-windows-10-updates)] | Distribution points, multiple deployment options | >[!NOTE] >Due to [naming changes](#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. From f993e38720b8108bddc71f0843ada7826d191f55 Mon Sep 17 00:00:00 2001 From: Jaime Ondrusek Date: Mon, 13 Jan 2020 11:12:30 -0800 Subject: [PATCH 23/30] Update waas-overview.md Restyled links. --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index faa199e831..55b7b5a0eb 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -174,7 +174,7 @@ With all these options, which an organization chooses depends on the resources, | Windows Update | Yes (manual) | No | Delivery Optimization | None| | Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects | | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | -| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization [[1](https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution)][[2](https://docs.microsoft.com/en-us/windows/deployment/update/waas-optimize-windows-10-updates)] | Distribution points, multiple deployment options | +| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows 10 Update Delivery](https://docs.microsoft.com/en-us/windows/deployment/update/waas-optimize-windows-10-updates) | Distribution points, multiple deployment options | >[!NOTE] >Due to [naming changes](#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel. From dc3fab22d44a1b2fb761c03639c9ec1606f42c7f Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Mon, 13 Jan 2020 12:06:24 -0800 Subject: [PATCH 24/30] Update windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 1eb7a19f07..d57a2b162d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -128,7 +128,7 @@ Organizations wanting to deploy hybrid key trust need their domain joined device ## Provisioning -You need to allow access to account.microsoft.com URL to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. +You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. ### Section Checklist From fd059290325835617526bca61cc7d29525b3818d Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Mon, 13 Jan 2020 12:06:32 -0800 Subject: [PATCH 25/30] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cert-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index 1e84b38026..f7a5eed854 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md @@ -120,7 +120,7 @@ Hybrid certificate trust deployments need the device write back feature. Authen ## Provisioning -You need to allow access to account.microsoft.com URL to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. +You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. ### Section Checklist ### From 573d87f8d3a699f03dbaf9b36b64e1a7ab6c82c8 Mon Sep 17 00:00:00 2001 From: RavennMSFT <37601656+RavennMSFT@users.noreply.github.com> Date: Mon, 13 Jan 2020 12:06:40 -0800 Subject: [PATCH 26/30] Update windows/security/identity-protection/hello-for-business/hello-deployment-guide.md Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- .../hello-for-business/hello-deployment-guide.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index b32e951f47..d1efe88759 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -69,5 +69,4 @@ Following are the various deployment guides and models included in this topic: Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. > [!NOTE] -> You need to allow access to account.microsoft.com URL to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. - +> You need to allow access to the URL account.microsoft.com to initiate Windows Hello for Business provisioning. This URL launches the subsequent steps in the provisioning process and is required to successfully complete Windows Hello for Business provisioning. This URL does not require any authentication and as such, does not collect any user data. From 8ee324fb0fd4f686bef88f99d5fa23a90fe3f985 Mon Sep 17 00:00:00 2001 From: Meera Krishna Date: Mon, 13 Jan 2020 13:57:54 -0800 Subject: [PATCH 27/30] Update microsoft-surface-brightness-control.md This update is a high pri request from Tod Edwards, Sr. Technical Advisor for Devices. Here is what he requested in the work item he filed with the CSS Content team: ----------------------------------------------------------------------------------------------------------------------------------------------------- Update https://docs.microsoft.com/en-us/surface/microsoft-surface-brightness-control Version 1.16.137 uses this registry location now: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Surface\Surface Brightness Control We need to keep information on the page that says previous versions of the tool use: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Surface\Surface Brightness Control If customer doesn't know which version they have, they will know which place they need to edit based on if the registry path exists or not, since the registry location is created when the app is installed. --- devices/surface/microsoft-surface-brightness-control.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/devices/surface/microsoft-surface-brightness-control.md b/devices/surface/microsoft-surface-brightness-control.md index 47c2ffed10..1761581ced 100644 --- a/devices/surface/microsoft-surface-brightness-control.md +++ b/devices/surface/microsoft-surface-brightness-control.md @@ -46,9 +46,14 @@ documentation](https://docs.microsoft.com/windows/desktop/sysinfo/registry). 1. Run regedit from a command prompt to open the Windows Registry Editor. - - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Surface\Surface Brightness Control\ - + + If you're running an older version of Surface Brightness control, run the following command instead: + + - Computer\HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Surface\Surface + Brightness Control\ + | Registry Setting | Data| Description |-----------|------------|--------------- From 96ee029738e0251f4f3d5f15e7f7529c953b32af Mon Sep 17 00:00:00 2001 From: Rami Date: Tue, 14 Jan 2020 17:18:45 +0800 Subject: [PATCH 28/30] Update 2016 to 2016 or later domain controllers --- .../hello-for-business/hello-hybrid-key-trust-prereqs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index d2694a48af..f1644244bf 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md @@ -40,7 +40,7 @@ Hybrid Windows Hello for Business needs two directories: on-premises Active Dire A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. The hybrid key trust deployment, does not need a premium Azure Active Directory subscription. -You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. +You can deploy Windows Hello for Business in any environment with Windows Server 2008 R2 or later domain controllers. However, the key trust deployment needs an ***adequate*** number of Windows Server 2016 or later domain controllers at each site where users authenticate using Windows Hello for Business. Read the [Planning an adequate number of Windows Server 2016 or later Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more. Review these requirements and those from the Windows Hello for Business planning guide and worksheet. Based on your deployment decisions you may need to upgrade your on-premises Active Directory or your Azure Active Directory subscription to meet your needs. From 0975acc69ecffefef385b75f5ca6b0c4b42dcfa0 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 14 Jan 2020 06:23:34 -0800 Subject: [PATCH 29/30] Update on-premises-deployment-surface-hub-device-accounts.md --- .../on-premises-deployment-surface-hub-device-accounts.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md index 8043e93501..88b0653b00 100644 --- a/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md +++ b/devices/surface-hub/on-premises-deployment-surface-hub-device-accounts.md @@ -49,7 +49,8 @@ If you have a single-forest on-premises deployment with Microsoft Exchange 2013 ```PowerShell New-Mailbox -UserPrincipalName HUB01@contoso.com -Alias HUB01 -Name "Hub-01" -Room -EnableRoomMailboxAccount $true -RoomMailboxPassword (ConvertTo-SecureString -String -AsPlainText -Force) ``` -> [!IMPORTANT] ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. +> [!IMPORTANT] +> ActiveSync Virtual Directory Basic Authentication is required to be enabled as the Surface Hub is unable to authenticate using other authentication methods. 3. After setting up the mailbox, you will need to either create a new Exchange ActiveSync policy, or use a compatible existing policy. From d9c792abdd75770afd1fdf1ec29406ecf5aa56e9 Mon Sep 17 00:00:00 2001 From: Thomas Raya Date: Tue, 14 Jan 2020 18:36:29 -0800 Subject: [PATCH 30/30] Remove en-us locale --- windows/deployment/update/waas-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 55b7b5a0eb..1b1a144c38 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -174,7 +174,7 @@ With all these options, which an organization chooses depends on the resources, | Windows Update | Yes (manual) | No | Delivery Optimization | None| | Windows Update for Business | Yes | No | Delivery Optimization | Other Group Policy objects | | WSUS | Yes | Yes | BranchCache or Delivery Optimization | Upstream/downstream server scalability | -| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows 10 Update Delivery](https://docs.microsoft.com/en-us/windows/deployment/update/waas-optimize-windows-10-updates) | Distribution points, multiple deployment options | +| Configuration Manager | Yes | Yes | BranchCache, Client Peer Cache, or Delivery Optimization. For the latter, see [peer-to-peer content distribution](https://docs.microsoft.com/configmgr/sum/deploy-use/optimize-windows-10-update-delivery#peer-to-peer-content-distribution) and [Optimize Windows 10 Update Delivery](https://docs.microsoft.com/windows/deployment/update/waas-optimize-windows-10-updates) | Distribution points, multiple deployment options | >[!NOTE] >Due to [naming changes](#naming-changes), older terms like CB and CBB might still be displayed in some of our products, such as in Group Policy. If you encounter these terms, "CB" refers to the Semi-Annual Channel (Targeted)--which is no longer used--while "CBB" refers to the Semi-Annual Channel.